RHBA-2015:1167 - Bug Fix Advisory

Topic

Updated docker packages that fix several bugs are now available for Red Hat
Enterprise Linux 7 Extras.

Description

Docker is an open-source engine that automates the deployment of any application
as a lightweight, portable, self-sufficient container that will run virtually
anywhere.

This update fixes the following bugs:

• Previously, if you had one image tagged in at least two repositories, running

the "docker rmi ID" command untagged the image from just one repository and the
other persisted. This bug has been fixed and "docker rmi ID" now untags all
associated images. (BZ#1222784)

• Previously, the docker service did not try to match short names against local

fully qualified images names while doing a push. As a consequence, the push
command reported that the image name could not be found and the user had to
fully qualify the argument and execute the push again. This bug has been fixed
and the docker service now tries to match short names against local images fully
qualified with the default registry (those added with the "--add-registry
flag"). Now, the user does not have to fully qualify the image name in order to
push it to one of the default registries. (BZ#1218639)

• During initialization of both the Docker client and daemon, the public Docker

registry was resolved, in order to check whether it was secured or not. This
happened regardless of the docker.io registry being blocked. Consequently,
docker was attempting to resolve docker.io to an IP address any time a Docker
client was run. This prolonged commands execution in environments without
external DNS lookups. After this update, docker no longer checks whether the
public Docker index is secure. As a result, no DNS lookups for docker.io are
done unless a public Docker registry is enabled and a pull, push, or search
operation is performed on it. (BZ#1224387)

• The default handling of SELinux labeling did not work correctly and the docker

service was unable to mount certain directories into containers. This bug has
been fixed and mounting a directory into a container now executes successfully.
(BZ#1209625)

• Previously, the docker service was labeling shared volumes as private by

default. As a consequence, other containers could not execute the content from
them. With this update, the underlying source code has been fixed to label
shared volumes correctly. As a result, shared volumes now work correctly with
SELinux in enforcing mode. (BZ#1226320, BZ#1225549)

• If a volume was specified with more than one object, the docker service did

not perform relabeling. As a consequence, you could not, for example, mount a
volume that is both read-only and needs relabeling at the same time. The
labeling check has been fixed, and docker now relabels correctly in the
described scenario. (BZ#1225556)

• Previously, the docker service and SELinux were blocking relabels of the /usr

directory, even if the user did not request relabeling. As a consequence,
certain volume mounts of content in /usr were blocked and a container could not
run. The check on relabeling has been fixed and volumes in /usr can now be
mounted into a container successfully. (BZ#1230192)

Users of docker are advised to upgrade to these updated packages, which fix
these bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server from RHUI 7 x86_64

Fixes

• BZ - 1209576 - can't remove image by specifying its ID
• BZ - 1209625 - docker-compose fails to build container when attempting to bind mount a file ("can't create volume there")
• BZ - 1214070 - [rhel-7.1.3] [docker-storage-setup] Create spec file dependency to require lvm2 version >= lvm2-2.02.112
• BZ - 1215667 - Cannot start httpd in container because of missing /run/httpd
• BZ - 1215819 - docker commit --change LABEL does not work
• BZ - 1218639 - docker push to dockerhub does not work (docker 1.16)
• BZ - 1222453 - Setting --icc=false and restarting creates the DROP rule in wrong place
• BZ - 1222784 - Removing an image via API removes just one repository
• BZ - 1225549 - docker relabel of volumes should use shared volumes by default
• BZ - 1225556 - docker relabel of volumes is buggy if the mode is "roz"
• BZ - 1225965 - Rebase docker to 1.6.2
• BZ - 1226320 - shipyard can't start with docker 1.6.0
• BZ - 1226989 - [rhel-7.1.3] docker: Location of docker-storage-setup conf file is wrong
• BZ - 1226990 - [rhel-7.1.3] docker: docker-storage-setup exits if growpart is not installed
• BZ - 1227040 - [rhel-7.1.3] docker: Pull in docker-storage-setup when docker is installed
• BZ - 1228167 - "Atomic" `labels` variable has no command keyword
• BZ - 1228397 - [rhel-7.1.3] docker: Install docker-storage-setup man page
• BZ - 1229374 - docker-storage-setup: Check if metadata volume already exist and use it
• BZ - 1231936 - Docker contaier can't access gluster (fuse) volumes

CVEs

• CVE-2015-3627
• CVE-2015-3629
• CVE-2015-3630
• CVE-2015-3631

References

(none)