[El-errata] ELBA-2016-3611 Oracle Linux 7 docker-engine bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Sep 7 17:53:43 PDT 2016

Oracle Linux Bug Fix Advisory ELBA-2016-3611


The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Merged upstream patch https://github.com/docker/docker/pull/25592

- Enable configuration of Docker daemon via sysconfig [orabug 21804877]
- Require UEK4 for docker 1.9 [orabug 22235639 22235645]
- Add selinux policy per distro (Michael Crosby)
- Add Oracle Linux specific selinux file (Thomas Tanaka) [orabug 23733327]

- New HEALTHCHECK Dockerfile instruction to support user-defined 
healthchecks [#23218](https://github.com/docker/docker/pull/23218)
- New SHELL Dockerfile instruction to specify the default shell when 
using the shell form for commands in a Dockerfile 
- Add #escape= Dockerfile directive to support platform-specific parsing 
of file paths in Dockerfile 
- Add support for comments in .dockerignore 
- Support for UTF-8 in Dockerfiles 
- Skip UTF-8 BOM bytes from Dockerfile and .dockerignore if exist 
- Windows: support for ARG to match Linux 
- Fix error message when building using a daemon with the bridge network 
disabled [#22932](https://github.com/docker/docker/pull/22932)
- Enable seccomp for Centos 7 and Oracle Linux 7 
- Remove MountFlags in systemd unit to allow shared mount propagation 
- Add --max-concurrent-downloads and --max-concurrent-uploads daemon 
flags useful for situations where network connections don't support 
multiple downloads/uploads 
- Registry operations now honor the ALL_PROXY environment variable 
- Provide more information to the user on docker load 
- Always save registry digest metadata about images pushed and pulled 
- Syslog logging driver now supports DGRAM sockets 
- Add --details option to docker logs to also display log tags 
- Enable syslog logger to have access to env and labels 
- An additional syslog-format option rfc5424micro to allow microsecond 
resolution in syslog timestamp 
- Inherit the daemon log options when creating containers 
- Remove docker/ prefix from log messages tag and replace it with 
{{.DaemonName}} so that users have the option of changing the prefix 
- Built-in Virtual-IP-based internal and ingress load-balancing using 
IPVS [#23361](https://github.com/docker/docker/pull/23361)
- Routing Mesh using ingress overlay network 
- Secured multi-host overlay networking using encrypted control-plane 
and Data-plane [#23361](https://github.com/docker/docker/pull/23361)
- MacVlan driver is out of experimental 
- Add driver filter to network ls 
- Adding network filter to docker ps --filter 
- Add --link-local-ip flag to create, run and network connect to specify 
a container's link-local address 
- Add network label filter support 
- Removed dependency on external KV-Store for Overlay networking in 
Swarm-Mode  [#23361](https://github.com/docker/docker/pull/23361)
- Add container's short-id as default network alias 
- run options --dns and --net=host are no longer mutually exclusive 
- Fix DNS issue when renaming containers with generated names 
- Allow both network inspect -f {{.Id}} and network inspect -f {{.ID}} 
to address inconsistency with inspect output 
- New plugin command to manage plugins with install, enable, disable, 
rm, inspect, set subcommands 
- Split the binary into two: docker (client) and dockerd (daemon) 
- Add before and since filters to docker images --filter 
- Add --limit option to docker search 
- Add --filter option to docker search 
- Add security options to docker info output 
- Add insecure registries to docker info output 
- Extend Docker authorization with TLS user information 
- devicemapper: expose Minimum Thin Pool Free Space through docker info 
- API now returns a JSON object when an error occurs making it more 
consistent [#22880](https://github.com/docker/docker/pull/22880)
- Prevent docker run -i --restart from hanging on exit 
- Fix API/CLI discrepancy on hostname validation 
- Fix discrepancy in the format of sizes in stats from HumanSize to 
BytesSize [#21773](https://github.com/docker/docker/pull/21773)
- authz: when a request is denied, return a 403 Forbidden status code 
- Windows: fix tty-related displaying issues 
- Add --live-restore daemon flag to keep containers running when daemon 
shuts down, and regain control on startup 
- Ability to add OCI-compatible runtimes (via --add-runtime daemon flag) 
and select one with --runtime on create and run 
- New overlay2 graphdriver for Linux 4.0+ with multiple lower directory 
support [#22126](https://github.com/docker/docker/pull/22126)
- New load/save image events 
- Add support for reloading daemon configuration through systemd 
- Add disk quota support for btrfs 
- Add disk quota support for zfs 
- Add support for docker run --pid=container:<id> 
- Align default seccomp profile with selected capabilities 
- Add a daemon reload event when the daemon reloads its configuration 
- Add trace capability in the pprof profiler to show execution traces in 
binary form [#22715](https://github.com/docker/docker/pull/22715)
- Add a detach event [#22898](https://github.com/docker/docker/pull/22898)
- Add support for setting sysctls with --sysctl 
- Add --storage-opt flag to create and run allowing to set size on 
devicemapper [#19367](https://github.com/docker/docker/pull/19367)
- Add --oom-score-adjust daemon flag with a default value of -500 making 
the daemon less likely to be killed before containers 
- Undeprecate the -c short alias of --cpu-shares on run, build, create, 
update [#22621](https://github.com/docker/docker/pull/22621)
- Prevent use of the aufs and overlay graphdrivers on an eCryptfs mount 
- Fix issues with tmpfs mount ordering 
- Created containers are no longer listed on docker ps -a -f exited=0 
- Fix an issue where containers are stuck in a "Removal In Progress" 
state [#22423](https://github.com/docker/docker/pull/22423)
- Fix bug that was returning an HTTP 500 instead of a 400 when not 
specifying a command on run/create 
- Fix bug with --detach-keys whereby input matching a prefix of the 
detach key was not preserved 
- SELinux labeling is now disabled when using --privileged mode 
- If volume-mounted into a container, /etc/hosts, /etc/resolv.conf, 
/etc/hostname are no longer SELinux-relabeled 
- Fix inconsistency in --tmpfs behavior regarding mount options 
- Fix an issue where daemon hangs at startup 
- Ignore SIGPIPE events to prevent journald restarts from crashing docker 
in some cases [#22460](https://github.com/docker/docker/pull/22460)
- Containers are not removed from stats list on error 
- Fix on-failure restart policy when daemon restarts 
- Fix an issue with stats when a container is using another container's 
network [#21904](https://github.com/docker/docker/pull/21904)
- New swarm command to manage swarms with init, join, join-token, leave, 
update subcommands [#23361](https://github.com/docker/docker/pull/23361) 
- New service command to manage swarm-wide services with create, 
inspect, update, rm, ps subcommands 
- New node command to manage nodes with accept, promote, demote, 
inspect, update, ps, ls and rm subcommands 
- (experimental) New stack and deploy commands to manage and deploy 
multi-service applications 
- Add support for local and global volume scopes (analogous to network 
scopes) [#22077](https://github.com/docker/docker/pull/22077)
- Allow volume drivers to provide a Status field 
- Add name/driver filter support for volume 
- Mount/Unmount operations now receive an opaque ID to allow volume 
drivers to differentiate between two callers 
- Fix an issue preventing removal of a volume in a corner case 
- Windows: Enable auto-creation of host-path to match Linux 
- Remove deprecated syslog-tag, gelf-tag, fluentd-tag log option in 
favor of the more generic tag one 
- Remove deprecated feature of passing HostConfig at API container start 
- Remove deprecated -f/--force flag on docker tag 
- Remove deprecated /containers/<id|name>/copy endpoint 
- Remove deprecated docker ps flags --since and --before 
- Deprecate the old 3-args form of docker import 
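Two of the entries above concern the daemon's authorization plugin hook: authz plugins now receive the TLS user information (the User and UserAuthNMethod fields of the request), and a denied request is answered with 403. The following is an added example, not part of this advisory and not code from the docker-engine package: a minimal authorization plugin in Python that answers the AuthZPlugin.AuthZReq POST the daemon sends (fields User, UserAuthNMethod, RequestMethod, RequestURI, a base64-encoded RequestBody and RequestHeaders) and denies container creation that asks for --privileged, for seccomp=unconfined (in either the "=" or the older ":" spelling), or for a bind mount of the daemon socket. The socket name under /run/docker/plugins/, the allowed TLS user "ops-admin" and the sample request are assumptions made up for the example.

```python
import base64
import json
import os
import socket
import socketserver
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for this example: the plugin's socket name (the daemon looks for
# plugins under /run/docker/plugins/) and the TLS CN(s) allowed to use --privileged.
SOCKET_PATH = "/run/docker/plugins/example-authz.sock"
PRIVILEGED_USERS = frozenset({"ops-admin"})


def decode_request_body(req):
    """RequestBody arrives base64-encoded; return the parsed JSON or None."""
    body = req.get("RequestBody")
    if not body:
        return None
    try:
        return json.loads(base64.b64decode(body))
    except ValueError:      # not JSON (e.g. a build context tar): nothing to inspect
        return None


def security_opts(host_config):
    """Normalise HostConfig.SecurityOpt into (key, value) pairs. The daemon still
    accepts the old 'seccomp:unconfined' spelling, so ':' splits when no '=' is present."""
    pairs = set()
    for opt in host_config.get("SecurityOpt") or []:
        key, _, value = opt.partition("=" if "=" in opt else ":")
        pairs.add((key, value))
    return pairs


def authz_decision(req, privileged_users=PRIVILEGED_USERS):
    """Policy for AuthZPlugin.AuthZReq. User/UserAuthNMethod are filled in by the
    daemon from the client certificate when it runs with --tlsverify."""
    user = req.get("User") or "<anonymous>"
    if req.get("RequestMethod") != "POST" or "/containers/create" not in req.get("RequestURI", ""):
        return {"Allow": True}   # only container creation carries a HostConfig
    hc = (decode_request_body(req) or {}).get("HostConfig") or {}

    def deny(reason):
        return {"Allow": False, "Msg": "%s: %s" % (user, reason), "Err": ""}

    if hc.get("Privileged") and user not in privileged_users:
        return deny("privileged containers are not permitted")
    if ("seccomp", "unconfined") in security_opts(hc):
        return deny("disabling the seccomp profile is not permitted")
    # /var/run is usually a symlink to /run, so check both spellings of the socket path
    daemon_socks = ("/var/run/docker.sock", "/run/docker.sock")
    if any(b.split(":")[0] in daemon_socks for b in hc.get("Binds") or []):
        return deny("bind-mounting the daemon socket is not permitted")
    return {"Allow": True}


def sample_request(host_config, user="developer"):
    """Constructed request in the shape the daemon POSTs; not a captured one."""
    create = {"Image": "oraclelinux:7", "HostConfig": host_config}
    return {
        "User": user, "UserAuthNMethod": "TLS",
        "RequestMethod": "POST", "RequestURI": "/v1.24/containers/create",
        "RequestBody": base64.b64encode(json.dumps(create).encode()).decode(),
        "RequestHeaders": {"Content-Type": "application/json"},
    }


class AuthZHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            reply = authz_decision(payload)
        else:                    # /AuthZPlugin.AuthZRes: responses pass through unfiltered
            reply = {"Allow": True}
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def address_string(self):    # AF_UNIX peers have no (host, port) pair to log
        return "unix"


class UnixHTTPServer(HTTPServer):
    address_family = socket.AF_UNIX
    allow_reuse_address = False

    def server_bind(self):
        socketserver.TCPServer.server_bind(self)   # plain bind(); skip the hostname lookup
        self.server_name, self.server_port = "authz", 0


if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    UnixHTTPServer(SOCKET_PATH, AuthZHandler).serve_forever()
```

Run as root before starting the daemon with --authorization-plugin=example-authz; the daemon activates the plugin over the socket and consults authz_decision for every API call, so keep the policy fast and fail closed (a plugin error is a denial on the daemon side).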

- Fix a stale endpoint issue on overlay networks during ungraceful 
restart ([#23015](https://github.com/docker/docker/pull/23015))
- Fix an issue where the wrong port could be reported by docker 
inspect/ps/port ([#22997](https://github.com/docker/docker/pull/22997))
- Fix a potential panic when running docker build 
- Fix interpretation of --user parameter 
- Fix a bug preventing container statistics from being correctly reported 
- Fix an issue preventing containers from being restarted after a daemon restart 
- Fix issues when running 32 bit binaries on Ubuntu 16.04 
- Fix a possible deadlock on image deletion and container attach 
- Fix an issue where containers fail to start after a daemon restart if 
they depend on a containerized cluster store 
- Fix an issue causing docker ps to hang on CentOS when using 
devicemapper ([#22168](https://github.com/docker/docker/pull/22168), 
- Fix a bug preventing docker exec into a container when using 
devicemapper ([#22168](https://github.com/docker/docker/pull/22168), 

- Fix schema2 manifest media type to be of type 
- Add missing API documentation for changes introduced with 1.11.0 
- Append label passed to docker build as arguments as an implicit LABEL 
command at the end of the processed Dockerfile 
- Fix a panic that would occur when forwarding DNS query 
- Fix an issue where OS threads could end up within an incorrect network 
namespace when using user defined networks 
- Fix a bug preventing the labels configuration from being reloaded via the 
config file ([#22299](https://github.com/docker/docker/pull/22299))
- Fix a regression where container mounting /var/run would prevent other 
containers from being removed 
- Fix an issue where it would be impossible to update both memory-swap 
and memory value together 
- Fix a regression from 1.11.0 where the /auth endpoint would not 
initialize serveraddress if it is not provided 
- Add missing cleanup of container temporary files when cancelling a 
scheduled restart ([#22237](https://github.com/docker/docker/pull/22237))
- Remove scary error message when no restart policy is specified 
- Fix a panic that would occur when the plugins were activated via the 
json spec ([#22191](https://github.com/docker/docker/pull/22191))
- Fix restart backoff logic to correctly reset delay if container ran 
for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125))
- Remove error message when a container restart gets cancelled 
- Fix an issue where docker would not correctly clean up after docker 
exec ([#22121](https://github.com/docker/docker/pull/22121))
- Fix a panic that could occur when serving concurrent docker stats 
commands ([#22120](https://github.com/docker/docker/pull/22120))
- Revert deprecation of non-existent host directories auto-creation 
- Hide misleading rpc error on daemon shutdown 

- Fix a bug where Docker would not use the correct uid/gid when 
processing the WORKDIR command 
- Fix a bug where copy operations with userns would not use the proper 
uid/gid ([#20782](https://github.com/docker/docker/pull/20782), 
- Use of the : separator in --security-opt values has been deprecated; = 
should be used instead 
- The client user agent is now passed to the registry on pull, build, 
push, login and search operations 
- Allow setting the Domainname and Hostname separately through the API 
- Docker info will now warn users if it can not detect the kernel 
version or the operating system 
- Fix an issue where docker stats --no-stream output could be all 0s 
- Fix a bug where some newly started containers would not appear in a 
running docker stats command 
- Post processing is no longer enabled for linux-cgo terminals 
- Values to --hostname are now refused if they do not comply with 
- Docker learned how to use a SOCKS proxy 
- Docker now supports external credential stores 
- docker ps now supports displaying the list of volumes mounted inside a 
container ([#20017](https://github.com/docker/docker/pull/20017))
- docker info now also reports Docker's root directory location 
- Docker now prohibits logging in with an empty username (spaces are 
trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
- Docker events attributes are now sorted by key 
- docker ps no longer shows exported port for stopped containers 
- Docker now cleans after itself if a save/export command fails 
- Docker load learned how to display a progress bar 
- Fix a panic that occurred when pulling an image with 0 layers 
- Fix a panic that could occur on error while pushing to a registry with 
a misconfigured token service 
- All first-level delegation roles are now signed when doing a trusted 
push ([#21046](https://github.com/docker/docker/pull/21046))
- OAuth support for registries was added 
- docker login now handles token using the implementation found in 
- docker login will no longer prompt for an email 
- Docker will now fallback to registry V1 if no basic auth credentials 
are available ([#20241](https://github.com/docker/docker/pull/20241))
- Docker will now try to resume layer download where it left off after a 
network error/timeout 
- Fix generated manifest mediaType when pushing cross-repository 
- Fix docker requesting additional push credentials when pulling an 
image if Content Trust is enabled 
- Fix a race in the journald log driver 
- Docker syslog driver now uses the RFC-5424 format when emitting logs 
- Docker GELF log driver now allows to specify the compression algorithm 
and level via the gelf-compression-type and gelf-compression-level 
options ([#19831](https://github.com/docker/docker/pull/19831))
- Docker daemon learned to output uncolorized logs via the --raw-logs 
options ([#19794](https://github.com/docker/docker/pull/19794))
- Docker, on Windows platform, now includes an ETW (Event Tracing for 
Windows) logging driver named etwlogs 
- Journald log driver learned how to handle tags 
- The fluentd log driver learned the following options: fluentd-address, 
fluentd-buffer-limit, fluentd-retry-wait, fluentd-max-retries and 
- Docker learned to send log to Google Cloud via the new gcplogs logging 
driver. ([#18766](https://github.com/docker/docker/pull/18766))
- When saving linked images together with docker save a subsequent 
docker load will correctly restore their parent/child relationship 
- Support for building the Docker cli for OpenBSD was added 
- Labels can now be applied at network, volume and image creation 
- The dockremap user is now created as a system user 
- Fix a few response body leaks 
- Docker, when run as a service with systemd, will now properly manage 
its processes' cgroups 
- docker info now reports the value of cgroup KernelMemory or emits a 
warning if it is not supported 
- docker info now also reports the cgroup driver in use 
- Docker completion is now available on PowerShell 
- dockerinit is no more 
- Support for building Docker on arm64 was added 
- Experimental support for building docker.exe in a native Windows 
Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
- Fix panic if a node is forcibly removed from the cluster 
- Fix "error creating vxlan interface" when starting a container in a 
Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671))
- docker network inspect will now report all endpoints whether they have 
an active container or not 
- Experimental support for the MacVlan and IPVlan network drivers has 
been added ([#21122](https://github.com/docker/docker/pull/21122))
- Output of docker network ls is now sorted by network name 
- Fix a bug where Docker would allow a network to be created with the 
reserved default name 
- docker network inspect returns whether a network is internal or not 
- Control IPv6 via explicit option when creating a network (docker 
network create --ipv6). This shows up as a new EnableIPv6 field in 
docker network inspect 
- Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS 
Server ([#21396](https://github.com/docker/docker/pull/21396))
- Fix to not forward docker domain IPv6 queries to external servers 
- Multiple A/AAAA records from embedded DNS Server for DNS Round robin 
- Fix endpoint count inconsistency after an ungraceful daemon restart 
- Move the ownership of exposed ports and port-mapping options from 
Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed a bug which prevents docker reload when host is configured with 
ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019))
- Added inbuilt nil IPAM driver 
- Fixed bug in iptables.Exists() logic 
- Fixed a Veth interface leak when using overlay network 
- Fixed a bug which prevents docker reload after a network delete during 
shutdown ([#20214](https://github.com/docker/docker/pull/20214))
- Make sure iptables chains are recreated on firewalld reload 
- Allow to pass global datastore during config reload 
- For anonymous containers use the alias name for IP to name mapping, 
i.e. the DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019))
- Fix a panic when deleting an entry from /etc/hosts file 
- Source the forwarded DNS queries from the container net namespace 
- Fix to retain the network internal mode config for bridge networks on 
daemon reload ([#21780](https://github.com/docker/docker/pull/21780))
- Fix to retain IPAM driver option configs on daemon reload ([#21914] 
- Fix a file descriptor leak that would occur every time plugins were 
enumerated ([#20686](https://github.com/docker/docker/pull/20686))
- Fix an issue where Authz plugin would corrupt the payload body when 
faced with a large amount of data 
- Fix a panic that could occur when cleaning up after a container started 
with invalid parameters 
- Fix a race with event timers stopping early 
- Fix race conditions in the layer store, potentially corrupting the map 
and crashing the process 
- Un-deprecate auto-creation of host directories for mounts. This 
feature was marked deprecated in 
- It is now possible for containers to share the NET and IPC namespaces 
when userns is enabled 
- docker inspect <image-id> will now expose the rootfs layers 
- Docker Windows gained a minimal top implementation 
- Docker learned to report the faulty exe when a container cannot be 
started due to its condition 
- Docker with device mapper will now refuse to run if udev sync is not 
available ([#21097](https://github.com/docker/docker/pull/21097))
- Fix a bug where Docker would not validate the config file upon 
configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
- Fix a hang that would happen on attach if initial start was to fail 
- Fix an issue where registry service options in the daemon 
configuration file were not properly taken into account 
- Fix a race between the exec and resize operations 
- Fix an issue where nanoseconds were not correctly taken into account 
when filtering Docker events 
- Fix the handling of Docker commands when passed a 64-byte id 
- Docker will now return a 204 (i.e http.StatusNoContent) code when it 
successfully deleted a network 
- Fix a bug where the daemon would wait indefinitely in case the process 
it was about to kill had already exited on its own 
- The devmapper driver learned the dm.min_free_space option. If the 
mapped device free space reaches the passed value, new device creation 
will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
- Docker can now prevent processes in a container from gaining new privileges 
via the --security-opt=no-new-privileges flag 
- Starting a container with the --device option will now correctly 
resolve symlinks ([#20684](https://github.com/docker/docker/pull/20684))
- Docker now relies on 
[containerd](https://github.com/docker/containerd) and 
[runc](https://github.com/opencontainers/runc) to spawn containers. 
- Fix docker configuration reloading to only alter values present in the 
given config file ([#20604](https://github.com/docker/docker/pull/20604))
- Docker now allows setting a container hostname via the --hostname flag 
when --net=host ([#20177](https://github.com/docker/docker/pull/20177))
- Docker now allows executing a privileged container while running with 
--userns-remap if both --privileged and the new --userns=host flag are 
specified ([#20111](https://github.com/docker/docker/pull/20111))
- Fix Docker not cleaning up correctly old containers upon restarting 
after a crash ([#19679](https://github.com/docker/docker/pull/19679))
- Docker will now error out if it doesn't recognize a configuration key 
within the config file 
- Fix container loading, on daemon startup, when they depend on a 
plugin running within a container 
- docker update learned how to change a container restart policy 
- docker inspect now also returns a new State field containing the 
container state in a human readable way (i.e. one of created, 
restarting, running, paused, exited or 
- Docker learned to limit the number of active pids (i.e. processes) 
within the container via the --pids-limit flag. NOTE: This requires 
CGROUP_PIDS=y to be in the kernel configuration. 
- docker load now has a --quiet option to suppress the load output 
- Fix a bug in neighbor discovery for IPv6 peers 
- Fix a panic during cleanup if a container was started with invalid 
options ([#21802](https://github.com/docker/docker/pull/21802))
- Fix a situation where a container cannot be stopped if the terminal is 
closed ([#21840](https://github.com/docker/docker/pull/21840))
- Objects with the pcp_pmcd_t SELinux type were given management access 
to /var/lib/docker(/.*)? 
- restart_syscall, copy_file_range, mlock2 joined the list of allowed 
calls in the default seccomp profile 
- send, recv and x32 were added to the list of allowed syscalls and arch 
in the default seccomp profile 
- Docker Content Trust now requests the server to perform snapshot 
signing ([#21046](https://github.com/docker/docker/pull/21046))
- Support for using YubiKeys for Content Trust signing has been moved 
out of experimental ([#21591](https://github.com/docker/docker/pull/21591))
- Output of docker volume ls is now sorted by volume name 
- Local volumes can now accept options similar to the unix mount tool 
- Fix an issue where one letter directory name could not be used as 
source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
- docker run -v now accepts a new flag nocopy. This tells the runtime 
not to copy the container path content into the volume (which is the 
default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
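Several entries in this update touch the default seccomp profile: seccomp is enabled for Oracle Linux 7, the profile is aligned with the selected capabilities, and restart_syscall, copy_file_range, mlock2, send and recv plus the x32 arch were added to the allow list. The following is an added example, not code from this advisory or from docker-engine: a small Python audit of a profile in the Docker 1.12 JSON layout (defaultAction, architectures, and syscalls entries with name, action and args) that reports which required syscalls are missing and which risky syscalls are allowed without an argument filter. The embedded profile is a constructed, abridged stand-in for the real default profile, and the set of "risky" syscalls is the example author's choice, not something the format defines.

```python
import json
import sys

# Syscalls this update says joined the default profile's allow list.
REQUIRED_1_12 = ("restart_syscall", "copy_file_range", "mlock2", "send", "recv")

# Syscalls an auditor would not expect to see allowed *without* an argument
# filter in a default profile. This set is the example author's choice.
RISKY_SYSCALLS = frozenset({
    "ptrace", "mount", "umount2", "keyctl", "add_key", "request_key",
    "init_module", "finit_module", "delete_module", "kexec_load",
    "bpf", "perf_event_open", "setns", "unshare", "clone",
})

# Constructed, abridged profile in the Docker 1.12 layout (one "name" per
# entry). It is NOT the profile shipped with docker-engine; the unfiltered
# ptrace entry is deliberately wrong so the audit has something to report.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"name": "read", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "write", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "send", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "recv", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "restart_syscall", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "copy_file_range", "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "mlock2", "action": "SCMP_ACT_ALLOW", "args": []},
        # clone is allowed only when none of the namespace flags are set
        {"name": "clone", "action": "SCMP_ACT_ALLOW", "args": [
            {"index": 0, "value": 2080505856, "valueTwo": 0,
             "op": "SCMP_CMP_MASKED_EQ"}]},
        {"name": "ptrace", "action": "SCMP_ACT_ALLOW", "args": []},
    ],
})


def load_profile(text):
    prof = json.loads(text)
    for key in ("defaultAction", "syscalls"):
        if key not in prof:
            raise ValueError("profile lacks required key %r" % key)
    return prof


def _names(entry):
    # 1.12 profiles use "name"; newer ones group several syscalls under "names"
    return list(entry["names"]) if "names" in entry else [entry["name"]]


def allowed_syscalls(prof):
    """Return {syscall: True if allowed unconditionally, False if only behind an
    argument filter}. Any ALLOW rule without args makes a syscall unconditional."""
    allowed = {}
    for entry in prof["syscalls"]:
        if entry.get("action") != "SCMP_ACT_ALLOW":
            continue
        unconditional = not entry.get("args")
        for name in _names(entry):
            allowed[name] = allowed.get(name, False) or unconditional
    return allowed


def audit_profile(text, required=REQUIRED_1_12, risky=RISKY_SYSCALLS):
    prof = load_profile(text)
    allowed = allowed_syscalls(prof)
    findings = []
    if prof["defaultAction"] == "SCMP_ACT_ALLOW":
        findings.append("defaultAction is SCMP_ACT_ALLOW: profile is a denylist, not an allowlist")
    missing = sorted(name for name in required if name not in allowed)
    findings.extend("required syscall not allowed: %s" % name for name in missing)
    findings.extend("risky syscall allowed without argument filter: %s" % name
                    for name in sorted(risky) if allowed.get(name) is True)
    return {"architectures": prof.get("architectures", []),
            "missing": missing, "findings": findings}


def without_syscall(text, name):
    """Copy of the profile text with every rule for `name` removed; useful to see
    what the audit reports when an entry is dropped."""
    prof = load_profile(text)
    prof["syscalls"] = [e for e in prof["syscalls"] if name not in _names(e)]
    return json.dumps(prof)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    report = audit_profile(source)
    print("architectures:", ", ".join(report["architectures"]))
    for line in report["findings"] or ["no findings"]:
        print(line)
```

Without arguments the script audits the embedded sample; pass the path of a custom profile you intend to ship with --security-opt seccomp=<file> to check it before rolling it out. Note that the audit only reads the JSON: whether the kernel and runc actually enforce the profile is still confirmed by the "Security Options" line of docker info on the updated host.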
