UCP Release Notes

Here you can learn about new features, bug fixes, breaking changes and known issues for each UCP version. You can then use the upgrade instructions, to upgrade your installation to the latest release.

Version 1.1.3

Note: UCP 1.1.3 supports Docker Engine 1.12 but does not use the built-in orchestration capabilities provided by the Docker Engine with swarm mode enabled. When installing this UCP version on a Docker Engine 1.12 host, UCP creates a cluster using Docker Swarm v1.2.5.

Security Update

Fixes a security issue by which a malicious user with limited privileges can escalate their privileges to perform unauthorized actions on the cluster via the API.

This issue affects deployments of Universal Control Plane versions 1.1.2 or prior, and can only be used to gain access to the system by someone who already has a UCP account.

This issue was discovered by our development team during internal testing.

Features

  • Core
    • Upgraded Docker Swarm to 1.2.5
    • Non-admin users no longer have the ability to edit or delete UCP/DTR volumes and networks.
    • The Pull Image, Delete Image, Create Volume, Delete Volume, Create Network and Delete Network operations are now inaccessible to users with View Only default permissions or lower.

Bug Fixes

  • Improved system performance when large numbers of overlay networks are deployed on the cluster.
  • Fixed an issue which affected container rescheduling on clusters with overlay networks.
  • Fixed an issue which affected synchronizing organization owners (admins) in LDAP when migrating from DTR 1.4.3 to 2.0.x
  • Fixed an issue where UCP/DTR integration config was not loaded when UCP controller was restarted.
  • Fixed an issue in the GUI where the sidebar does not display when first logging into UCP.
  • Fixed an issue where volumes created through the UCP GUI did not correctly populate the labels field.

Known Issues

  • This version of UCP cannot be installed on Engine 1.12 host with swarm mode enabled, and is not compatible with swarm-mode based APIs, e.g. docker service.

Version 1.1.2

Note: UCP 1.1.2 supports Docker Engine 1.12 but doesn’t use the new clustering capabilities provided by the Docker swarm mode. When installing this UCP version on a Docker Engine 1.12, UCP creates a “classic” Docker Swarm 1.2.3 cluster.

Features

  • Core

    • Upgraded etcd to version 2.3.6.
    • Upgraded rethinkDB to version 2.3.4.
    • The support dump generated by dsinfo now provides more information about the UCP deployment, that can be used by Docker support.
  • docker/ucp image

    • It’s now possible to generate a support dump directly from the CLI using the support command.
    • It’s now possible to tune how often UCP’s key-value store takes snapshots using the docker/ucp install --kv-snapshot-count option. This can be used with the --kv-timeout flag to tune the performance of the key-value store. Learn more about tuning the key-value store
  • UI

    • The dashboard now notifies admin users when an update for UCP is available.
    • It’s now possible to see which specific controllers need to have root CAs inserted in order to achieve high-availability.
    • It’s now possible to filter images on the Images tab.

Bug Fixes

  • Fixed an issue in which UCP failed to install in machines where the hostname has more than 41 characters.
  • Fixed an issue in which ping requests caused a memory leak in the ucp-controller and ucp-kv containers.
  • When installing in the CLI, UCP now displays the specified ADMIN_USERNAME variable rather than just “admin”.
  • Fixed an issue where container owner label permissions took priority over access label permissions when displaying a list of containers.
  • Fixed an issue in which upgrading to UCP caused a user to still see an older version in the UI.

Known Issues

  • This version of UCP can’t be installed on Engine 1.12 swarm-mode based clusters, and is not compatible with swarm-mode based APIs, e.g. docker service.

Version 1.1.1

Features

  • Core

    • Upgraded Docker Swarm to version 1.2.3.
    • An administrator can now reset their password. Use the docker/ucp-auth passwd command for this.
  • docker/ucp image

    • It’s now possible to configure the election timeout of the UCP key-value store with the docker/ucp install --kv-timeout option. This is useful when running UCP across multiple regions. Note that the heartbeat interval will be 1/10th of the specified election timeout value. Learn more
    • It’s now possible to skip TLS verification when joining new nodes to the cluster, using the docker/ucp join --insecure-fingerprint option. However, to ensure your cluster is secure, don’t use this option for normal UCP deployments.
    • The restore operation now supports --interactive, -i flags, which require a backup file to be mounted in /backup.tar instead of streamed through stdin.
  • UI

    • When pulling images on the UCP UI, you can now provide login credentials for a private registry.
    • It’s now possible to disable a user account, to make it easier to switch from managed authentication to LDAP and vice-versa.
    • Added a setting to submit usage reports without anonymizing data.
    • When failing to pull an image on the UCP UI, a feedback message is now displayed.
    • The Containers page now allows showing and hiding columns.
    • The Containers page now allows filtering for running, stopped, and system containers.

Bug Fixes

  • Fixed an issue that prevented new nodes to be joined to a cluster, after upgrading UCP from an older version to 1.1.0.
  • Fixed an issue that prevented UCP from integrating with DTR for single-sign-on when pushing/pulling images.
  • When upgrading, configurations for user, teams, and organizations are now preserved.
  • When upgrading, version labels are correctly added to the containers.
  • Improved error logs generated by the UP key-value store.
  • The restore command now ensures the backup is not corrupt, that the UCP cluster is healthy and is running the same or later version of UCP before restoring.
  • The restore command now works correctly on a freshly installed instance of UCP, assuming the same host IP and a correct backup file.
  • LDAP domain names are now case-insensitive for easier syncing.
  • Fixed an issue that caused LDAP syncs to run every minute, after upgrading UCP from an older version to 1.1.0.
  • Fixed error by which user could get an “access denied” message when deploying a container from the UI due to cached permission labels.
  • Fixed issue where environment variables were not being passed to new containers when “Allow users to deploy containers on UCP controllers” setting was disabled.

Misc

  • Since container rescheduling has reached GA on Docker Swarm, you can use it without having to install UCP with the --swarm-experimental-flag.
  • UCP now requires a minimum of 2 GB of RAM per node, instead of 1.5 GB.
  • During installation, UCP now warns you to only restart the Docker Engine after joining all controller nodes to the cluster.

Known Issues

  • When using UCP with a Docker Engine prior to 1.11.1-cs2, containers with a restart policy set to restart=always and using an overlay network, may not resume properly when the Docker daemon is restarted. Upgrade the Docker Engine on your nodes to version 1.11.1-cs2 to fix this. This is especially important when running UCP and DTR on the same nodes, and with high-availability.
  • When attempting to restore a v1.1.0 backup on a new cluster installed with the fresh-install flag, the restore operation may fail due to engine-discovery configuration issues. You should create new backups after upgrading to v1.1.1.
  • UCP fails to install in machines where the hostname has more than 41 characters. This will be fixed in a future release. (Fixed in UCP 1.1.2)

Version 1.1.0

Features

  • Core

    • UCP and DTR are now using a unified authentication service.
    • Users and teams created in UCP are displayed in DTR under the ‘Datacenter’ organization.
    • All controllers joined to the cluster now have replicated CAs. For this, you need to copy the root key material to controllers joined to the cluster,
    • All UCP components were compiled with Go 1.5.4 and 1.6 to address a security vulnerability in Go.
    • When joining nodes to the cluster, UCP automatically runs ‘engine-discovery’ to configure the Docker Engine for multi-host networking.
    • If you’re using Docker Engine 1.11 with default configurations, when joining new nodes to the cluster multi-host networking is automatically configured without needing to restart the Docker daemon.
  • docker/ucp image

    • Added the ‘backup’ command to create backups of controller nodes.
    • Added the ‘restore’ command, to restore a controller node from a backup.
    • Added the ‘regen-certs’ command, to regenerate keys and certificates used on a controller node. You can use this for changing the SANS on the certificates or in case a CA is compromised.
    • Added the ‘stop’ and ‘restart’ commands, to stop and start UCP containers. ​
  • UI

    • Now you can deploy apps from the UI using a docker-compse.yml file.
    • There’s a new setting to prevent users from deploying containers to the UCP controller nodes.
    • Improved usability of LDAP configuration settings.
    • Images page no longer shows the sha256 id of each image ID.
    • User profiles now display default permissions.
    • Improved feedback when creating users and teams with invalid characters.
    • Added horizontal scrollbar to wide pages.

Bug Fixes

  • Improved messages when installing UCP on a host with firewall rules.
  • Images page no longer shows images generated from intermediate builds.
  • Images page no longer hangs when pulling an image.
  • Scaling a container from the UI now preserves parameters like ‘net’ and ‘privileged’.
  • Fixed docker ps --filter to filter containers correctly.

Misc

  • All UCP containers now have the ‘com.docker.ucp.version’ label with their upstream version or UCP version.
  • When running docker/ucp in interactive mode, the parameters and environment variables passed to the command are displayed.
  • Renamed ‘external-ucp-ca’ flag to ‘external-server-cert’ for clarity. The former name is deprecated but still available.
  • UCP is automatically configured to use overlay networking. Make sure ports 4789 and 7946 are open for this to work.
  • The new authentication service requires ports 12383-12386 to be open.

Known Issues

  • After upgrading to version 1.1.0, if you join new nodes to the cluster, a success message is displayed, but that node will not be part of the cluster. As a workaround, join new controller nodes before upgrading, or perform a fresh installation of UCP 1.1.0.
  • If you have an active login session in UCP and do an upgrade, you should force refresh the browser or you may run into UI errors.
  • When joining replicas to the cluster, you may be prompted to restart the Docker daemon on that node. For a faster installation, only restart the Docker daemon after joining all replicas.
  • When deploying applications from the UI, using the host network option might cause errors. If this happens, deploy the application from the CLI.
  • UCP 1.1.0 may not integrate correctly with DTR for purposes of single-sign-on for pushing/pulling images. It is recommended to upgrade to UCP 1.1.1 for this.

Component Versions

UCP 1.1.0 uses:

  • cfssl 1.2.0
  • Docker Compose 1.7.0
  • Docker Swarm: 1.1.3
  • etcd 2.2.5
  • RethinkDB 2.3.0

Version 1.0.4

Security update

Fixes a security issue by which a user can can obtain unauthorized access to UCP via LDAP authentication.

Version 1.0.3

Fixes a bug introduced by version 1.0.2 that was causing problems when a user navigated to their profile page.

Version 1.0.2

Security update

Fixes a security issue by which a non-admin user account can gain admin-level privileges via the UCP API.

Known Issues

Non-admin users might have an error when navigating to their profile page. This happens when the user is part of a team that has a label applied to it.

Version 1.0.1

Features

  • Core

    • Upgraded Swarm to 1.1.3
    • Improved support for docker cp
    • System CA pool fallback for secure DTR connections
    • Added --swarm-experimental option during UCP install
  • UI

    • Can provide one-time credentials to deploy a container from a private registry in UI
    • Added checkbox to select all containers in Containers screen
    • Removed click handlers from UI elements containing checkboxes
    • Usernames and team names now need to be url-compatible
    • Several usability improvements to Team screen
    • Messages now display team name, instead of Id
    • Added support for Growl style notifications
    • Improved usability of Applications page, when there are no applications deployed
    • Several improvements to form validations
    • Improved error messages displayed when users try to pull an image with no name
    • Don’t allow creating teams with the same name
    • Non-admin users can no longer see cluster overview in Dashboard screen
    • Page size control is no longer displayed when the list has few elements
    • Renamed ‘Roles’ to ‘Permissions’

Bug fixes

  • Users that are on a team and have permission set to ‘None’, can no longer see containers
  • Volume driver options are now being correctly sent to Docker Engine
  • Fix bug with visibility to User containers with the owner the same as a label

Version 1.0.0

Features

  • Core

    • License is now required to add nodes
    • Improved access control system
    • /_ping endpoint now checks the state of datastore and Swarm
    • Use mutual TLS in CFSSL
    • Improved access control for Docker Engine proxy
    • Added support for custom server certificates and user bundles
    • Users can now launch “private” containers if default permission is Restricted Control or greater
  • UI

    • Pages for Containers, Images, and Applications are now consistent
    • Improved usability of LDAP configuration page
    • Logs are displayed during LDAP configuration
    • Users can now see their permissions and teams on their profile page
    • Improved license configuration
    • Improved error messages for restricted operations
    • Support for enabling and disabling DTR integration

Bug fixes

  • Users only see volumes, images, and networks if they have permissions
  • User default role now setup properly with LDAP authentication
  • Fixed container privilege escalation in access control
  • Fixed UI issue that caused errors in Safari

Misc

  • UCP now uses a vendored UCP Swarm image
  • Removed timestamps from controller logs
  • Switched from ‘Full Control’ to ‘Restricted Control’ for managing non-container resources

Known issues

In version 1.0.0 it’s not possible to create containers on user-defined bridge networks, using the UCP web app. This happens because the UCP web app is using the <node>/<network_name> syntax, which is not supported.

As a workaround, create the containers using the CLI and:

  • Use only <network_name>, and let Swarm find the node with that network, or
  • Use the network ID instead.

Upgrade notes

It’s not possible to upgrade from previous versions to v1.0. If you’ve participated in the Docker UCP beta program, you need to uninstall the beta version, before installing v1.0.

To ensure a smooth transition process, start by uninstalling UCP from the regular nodes, followed by the controller nodes. Also, make sure you use ucp uninstall command from version 1.0:

docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:1.0.0 uninstall -i

After uninstalling, you can Install UCP on a sandbox, or Install UCP for production.


Комментарии:

Комментариев нет, желаете стать первым?

Пожалуйста, авторизуйтесь что бы оставлять комментарии.