UCP 2.1 release notes

Here you can learn about new features, bug fixes, breaking changes, and known issues for the latest UCP version. You can then use the upgrade instructions to upgrade your installation to the latest release.

Version 2.1.8 (2018-04-17)

  • Fixed an issue that allows users to incorrectly interact with local volumes.

Version 2.1.7

(13 February 2018)

Security Notice

The user must use --log-driver=none to disable the log driver for containers started by backup operations. This is a critical security fix for customers that rely on Universal Control Plane 2.1 and a log driver to capture logs from all containers across the platform.

Caution is advised: any sensitive information that has already been disclosed in the logs will NOT be removed by this update. Sensitive information needs to be purged manually from the logs. Use the backup encryption mechanism with the --passphrase option when running a UCP backup.

A full credentials re-generation and update transition procedure is available: https://success.docker.com/article/KB000623

This is a breaking change to the UCP backup operation. It is now mandatory to pass the --log-driver none option to docker run for all UCP backups.
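One way to check existing backup scripts or cron entries against this requirement, as an added example that is not part of the original release notes. The sample command lines and the docker/ucp:2.1.7 tag are constructed, and the status strings are this example's own.

```shell
#!/bin/sh
# Added example: flag UCP backup invocations that lack --log-driver none.

# Constructed sample lines, as they might appear in a backup script.
SAMPLE='docker run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.1.7 backup --interactive > backup.tar
docker run --rm -i --name ucp --log-driver none -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.1.7 backup --interactive --passphrase "$PASS" > backup.tar
docker run --rm -i --log-driver=none -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.1.7 backup > backup.tar
docker run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.1.7 restore < backup.tar'

# check_backup_cmd LINE -> prints ok | ok-unencrypted |
#                          missing-log-driver-none | not-a-ucp-backup
check_backup_cmd() {
  line=$1
  case $line in
    *"docker run"*docker/ucp*) ;;
    *) echo "not-a-ucp-backup"; return 0 ;;
  esac
  # First word after the image reference is the docker/ucp subcommand.
  rest=${line#*docker/ucp}
  rest=${rest#* }
  sub=${rest%% *}
  [ "$sub" = "backup" ] || { echo "not-a-ucp-backup"; return 0; }
  # --log-driver is a docker run option, so it must precede the image name.
  opts=${line%%docker/ucp*}
  case $opts in
    *"--log-driver=none"*|*"--log-driver none"*) ;;
    *) echo "missing-log-driver-none"; return 0 ;;
  esac
  # --passphrase enables the backup encryption recommended above.
  case $rest in
    *"--passphrase"*) echo "ok" ;;
    *) echo "ok-unencrypted" ;;
  esac
}

# audit: read command lines on stdin, print "LINENO: status" for each finding.
audit() {
  n=0
  while IFS= read -r l; do
    n=$((n + 1))
    s=$(check_backup_cmd "$l")
    case $s in
      ok|not-a-ucp-backup) ;;
      *) echo "$n: $s" ;;
    esac
  done
}
```

Run it as `audit < your-backup-script.sh`; lines reported as ok-unencrypted satisfy the log-driver requirement but do not use --passphrase.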

Version 2.1.6

(16 January 2018)

Bug fixes

  • Security
    • Role-based access control is now enforced for volumes managed by 3rd party volume plugins (for example using the NetApp or other volume plugins). This is a critical security fix for customers that use 3rd party volume drivers and rely on Docker Universal Control Plane for tenant isolation of workloads and data. Caution is advised when applying this update because users or automated workflows may have come to rely on lack of access control enforcement when manipulating volumes created with 3rd party volume plugins.

Version 2.1.5

(20 July 2017)

Security Update

  • Remediated a privilege escalation where an authenticated user could obtain admin-level privileges

This issue affects UCP versions 2.0.0-2.0.3 and 2.1.0-2.1.4. It was discovered by our development team during internal testing.

Bug Fixes

  • Core
    • Fixed an issue where clients misusing the events API (e.g. slowly reading or failing to read events) caused unresponsive behavior from the cluster
    • Fixed an issue where app services pulling DTR private images using integrated single-sign-on would fail due to token expiration
    • UCP resource metrics now correctly display CPU utilization on newer Linux kernels
    • Fixed an issue where UCP incorrectly reported 100% memory usage on a node due to the usage of memory constraints on containers
    • Network and volume label filters now work correctly on UCP (for example when using docker volume ls --filter label="foo"="bar")
    • UCP can now be installed correctly when SELinux enforcement mode is enabled (e.g. --selinux-enabled)
    • Fixed an issue where rejoining (or demoting and promoting) a manager node caused ucp-kv to become unhealthy due to a stale KV cache
    • UCP now exposes a Registry field in docker info output, so that deploying with registry credentials (e.g. docker stack deploy --with-registry-auth) now works correctly
    • UCP now reports percentage progress while pulling images
    • docker images -f dangling=true now correctly lists untagged <none> images instead of listing all images
    • Added a network diagnostic tool to ucp-dsinfo image to aid in troubleshooting issues related to overlay networks
    • Added additional diagnostic information about docker stacks to support dumps for troubleshooting purposes
    • UCP now provides a more informative warning banner and clearer logs when ucp-auth-store is unhealthy
    • Reduced the default cache size for ucp-auth-store to free up memory on the UCP manager. This cache can be adjusted via the RethinkDBCacheSize parameter in the UCP Config API
    • Various performance improvements made to ucp-auth-store to reduce overhead when the API is being repeatedly accessed in a short period of time
    • Fixed an issue where one of the ucp-auth-store instances would fail to join the HA cluster if started in the wrong order
    • Fixed an issue where a UCP manager might get stuck in a restart loop due to being unable to correctly access the root CA
    • Fixed an issue where users with view-only permissions received an access denied error when attempting to deploy stacks via the Compose UI, despite having been granted label access to do so

Version 2.1.4

(4 May 2017)

Bug Fixes

  • Core
    • Fixed an issue where, when updating the UCP server certificates, the web UI would report success but not make any changes
    • UCP no longer shows an invalid memory address or nil pointer dereference panic when inspecting containers created with Docker 1.10 or older
    • It is no longer possible to create a service with the same published ingress port as the UCP controller’s port, thereby rendering UCP inaccessible
    • Fixed an issue where users whose usernames contain special language characters (such as ä) were unable to log in to the system
    • Fixed an issue where a Compose stack deploy could not update an existing service due to access control conflicts with the com.docker.ucp.access.owner label
  • docker/ucp image
    • UCP support dumps now include docker stats output
  • UI/UX
    • Fixed an issue where an application deployed using docker stack deploy in the CLI did not show up in the web UI
    • Fixed an issue where deploying a Compose application via UI with a slow network connection might display a websocket error despite successful deployment

Version 2.1.3

(4 Apr 2017)

Known issues

In UCP 2.1.3, if you try to upload externally-signed controller certificates through the Admin Settings page on the UI, you see a “Success” message, but the certificates aren’t updated on any of the controller nodes.

The workaround is to update the contents of the ucp-controller-server-certs volume manually on each manager node with the new ca.pem, cert.pem, and key.pem contents. Update all three of these files approximately simultaneously, to avoid issues with reconciliation.

Bug fixes

  • Core
    • Fixed known issue where worker nodes would be left in a pending state after upgrading from UCP 1.1.z.
    • Nodes will no longer be reported as unhealthy if the ucp-reconcile container is removed.
    • Fixed an issue where nodes in the same subnet may report incorrect hostnames in the UCP node list.
  • UI/UX
    • UCP support dumps and client bundles can now be downloaded on IE10/11.
    • The task counter in the services page should now correctly omit tasks that have not been assigned to a node yet.

Version 2.1.2

(29 Mar 2017)

Known issues

There is a known issue in UCP 2.1 where upgrading from UCP 1.1.z can cause swarm to leave worker nodes in a pending state with the message:

[Pending] Completing node registration

There are two workarounds for rectifying this issue:

  1. When upgrading from UCP 1.1.z, first upgrade to UCP 2.0.z, and then to UCP 2.1.z. This will prevent the issue from happening, and is the recommended upgrade path.
  2. If you have already upgraded from UCP 1.1.z directly to UCP 2.1.z, you can fix the issue by restarting the ucp-swarm-manager container on each of your UCP controller nodes.

This issue will be fixed in UCP 2.1.3.

Bug fixes

  • Core
    • ucp-reconcile service now correctly brings up ucp-kv container if it has stopped or become unreachable
    • Fixed known issue in which users are unable to log into UCP UI after upgrading from UCP 2.1.0 to 2.1.1 because the parameter for maximum concurrent users was incorrectly defaulted to 0
    • Fixed an issue where the UCP manager becomes unresponsive and requires a restart if docker ps or docker info calls to engine take a long time for a response
    • HTTP Routing Mesh now correctly provides httplog for debug logging of services
    • docker node ls -f now correctly filters when run against a UCP cluster
    • docker inspect task no longer returns errors when run against a UCP cluster
    • UCP now correctly reports progress when loading an image from CLI
  • docker/ucp image
    • UCP support dumps now include Docker Engine daemon logs
    • Host address IPs are now automatically added to SANs during install
    • UCP now reports its version number in the CLI after being installed
  • UI/UX
    • Deploying Compose-based applications in the GUI now works correctly when Docker Content Trust “Run Only Signed Images” is turned on
    • Fixed an issue where UI temporarily showed more tasks for a service than actually existed
    • Fixed an issue in which metrics incorrectly displayed 0% in the UI

Version 2.1.1

(14 Mar 2017)

Known issues

If you are currently running UCP 2.1.0 and previously customized the sessions lifetime parameter in the Authentication settings UI, upgrading to UCP 2.1.1 may cause users to not be able to log into UCP and DTR. This is caused by a faulty default value which sets maximum concurrent user sessions to zero.

You can either wait for UCP 2.1.2 to be released so that the problem is automatically fixed, or upgrade to 2.1.1, and use the following steps to fix the problem.

Start by getting the current configuration for user sessions by running:

curl -u admin "https://$UCP_HOST/enzi/v0/config/sessions"

The command will prompt for the admin user’s password and then return the current sessions config which should look something like:

{
  "lifetimeHours": 72,
  "renewalThresholdHours": 24,
  "perUserLimit": 0
}

If perUserLimit is set to 0, you need to set it to a value between 1 and 100. The recommended value is 5. You should also customize the command below with the lifetimeHours and perUserLimit values returned by the first command.

curl -u admin "https://$UCP_HOST/enzi/v0/config/sessions" \
  -X PUT \
  -H 'Content-Type: application/json' \
  -d '{"lifetimeHours": 72, "renewalThresholdHours": 24, "perUserLimit": 5}'

You can now log into UCP and DTR.
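The two steps above can be combined so that the PUT body always reuses the values the server returned, as an added example that is not part of the original release notes. The function names are hypothetical, the sample config is constructed, and the parser assumes the flat three-field JSON object shown above.

```shell
#!/bin/sh
# Added example: build the corrected sessions config from the current one.

# Constructed sample of a GET response with a customized lifetime.
SAMPLE_CFG='{
  "lifetimeHours": 48,
  "renewalThresholdHours": 12,
  "perUserLimit": 0
}'

# json_int JSON KEY -> integer value of KEY, or nothing if KEY is absent.
json_int() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# sessions_fix_body JSON [LIMIT] -> PUT body that keeps the returned
# lifetimeHours and renewalThresholdHours and replaces a zero perUserLimit
# with LIMIT (default 5, the recommended value). Returns 2 on bad input.
sessions_fix_body() {
  life=$(json_int "$1" lifetimeHours)
  renew=$(json_int "$1" renewalThresholdHours)
  limit=$(json_int "$1" perUserLimit)
  new=${2:-5}
  [ -n "$life" ] && [ -n "$renew" ] && [ -n "$limit" ] ||
    { echo "unexpected sessions config" >&2; return 2; }
  [ "$new" -ge 1 ] 2>/dev/null && [ "$new" -le 100 ] ||
    { echo "perUserLimit must be between 1 and 100" >&2; return 2; }
  # A non-zero limit is not the faulty default, so it is left unchanged.
  [ "$limit" -eq 0 ] || new=$limit
  printf '{"lifetimeHours": %s, "renewalThresholdHours": %s, "perUserLimit": %s}\n' \
    "$life" "$renew" "$new"
}

# fix_sessions: fetch the config, rebuild it, and PUT it back.
# Needs UCP_HOST set; curl prompts for the admin password on each call.
fix_sessions() {
  url="https://$UCP_HOST/enzi/v0/config/sessions"
  cfg=$(curl -sS -u admin "$url") || return 1
  body=$(sessions_fix_body "$cfg") || return 1
  curl -sS -u admin "$url" -X PUT -H 'Content-Type: application/json' -d "$body"
}
```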

New features

  • Core
    • Administrators can now configure the frequency with which UCP polls metrics. Use docker service update --env-add METRICS_SCRAPE_INTERVAL=10m ucp-agent, and the frequency can be in s/m/h.
    • Administrators can now configure the frequency with which UCP gathers disk usage data. Use docker service update --env-add METRICS_DISK_USAGE_INTERVAL=12h ucp-agent, and the frequency can be in s/m/h.
    • Support for syncing users and teams from multiple LDAP servers/domains (e.g. a separate server to use for dc=domain2,dc=example,dc=com)
    • Support for limiting the number of maximum concurrent login sessions any user may have

Bug fixes

  • Core
    • Fixed an issue in which UCP manager would panic and be unable to return the right system status after the cluster became unhealthy
    • ucp-hrm container now provides debug logs through stdout
    • HTTP Routing Mesh now checks to ensure an ingress port is not already in use by UCP or DTR before becoming active
    • Fixed an issue in which UCP did not use swarm-mode node IDs, preventing usage of node constraints and other features when using cloned VMs as UCP nodes
    • Fixed an issue in which certain Docker API 1.26 commands were not correctly supported
    • Disk usage metrics no longer display 0% when using devicemapper filesystem
    • Disk usage metrics are now collected every 2 hours by default, and can be tuned
    • Fixed an issue causing Content Trust enforcement to ignore an optional tag for /images/create, causing some signed content to not run correctly
    • LDAP sync logs now take up less disk space on manager nodes
    • UCP support dumps are now correctly compressed to take up less disk space, and provide information on HTTP Routing Mesh and metrics
  • docker/ucp image
    • UCP install now correctly fails and presents an error when trying to specify host-address to an existing swarm-mode cluster
    • Clarified upgrade message to make it clear that the upgrade command now works at once for the entire cluster rather than needing to be run on every node
  • UI/UX
    • UI now displays a warning if there is significant latency or network issues in communications between UCP manager nodes
    • UI no longer incorrectly displays ‘No Services’ while still loading the Services tab
    • UI no longer displays errors when global tasks are removed due to node constraints
    • UI now displays a warning when underlying engines in the swarm-mode cluster are running different versions
    • UI now displays an error when ‘Load Image’ command fails
    • ‘KV Store Timeout’ option now displays correct units (milliseconds)
    • Dashboard now correctly displays errors when metrics are unavailable
    • The DTR deployment page now validates if a DTR replica ID is valid or not

Version 2.1.0

(9 Feb 2017)

This version of UCP extends the functionality provided by CS Docker Engine 1.13. Before installing or upgrading this version, you need to install CS Docker Engine 1.13 in the nodes that you plan to manage with UCP.

New features

  • Core
    • Support for managing secrets (e.g. sensitive information such as passwords or private keys) and using them when deploying services. You can store secrets securely on the cluster and configure who has access to them, all without having to give users access to the sensitive information directly
    • Support for Compose yml 3.1 to deploy stacks of services, networks, volumes, and secrets.
    • HTTP Routing Mesh is now generally available. It now supports HTTPS passthrough where the TLS termination is performed by your services, the Server Name Indication (SNI) extension of TLS, multiple networks for app isolation, and Sticky Sessions
    • Granular label-based access control for secrets and volumes (NOTE: unlike other resources controlled via label-based access control, a volume without a label is accessible by all UCP users with Restricted Control or higher default permissions)
  • UI/UX
    • You can now view and manage application stacks directly from the UI
    • You can now view cluster and node level resource usage metrics
    • When updating a service, the UI now shows more information about the service status
    • Rolling updates for services now have failure-action, which you can use to specify rollback, pausing, or continuing if the update fails for a task
    • Several improvements to service lifecycle management
    • LDAP synching has more configuration options for extra flexibility
    • UCP now warns when the cluster has nodes with different Docker Engine versions
    • The HTTP routing mesh settings page now lists all services using the routing mesh, with details on parameters and health status
    • Admins can now view team membership in a user’s details screen
    • You can now customize session timeouts in the authentication settings page
    • Can now mount tmpfs or existing local volumes to a service when deploying services from the UI
    • Added more tooltips to guide users on the above features

Bug fixes

  • Core
    • HTTP routing mesh can now be enabled or reconfigured when UCP is configured to only run images signed by specific teams
    • Fixed an error in which _ping calls were causing multiple TCP connections to open up on the cluster
    • Fixed an issue in which UCP install occasionally failed with the error “failed to change temp password”
    • Fixed an issue where multiple rapid updates of HTTP Routing Mesh configuration would not register correctly
    • Demoting a manager while in HA configuration no longer causes the ucp-auth-api container to provide errors
  • UI/UX
    • When creating a user, pressing enter on keyboard no longer causes problems
    • Fixed assorted icon and text visibility glitches
    • Installing DTR no longer fails when “Enable scheduling on UCP controllers and DTR nodes” is unchecked.
    • Publishing a port to both TCP and UDP in a service via UI now works correctly

Known issues

The docker stats command sometimes wrongly reports high CPU usage. Use the top command to confirm the real CPU usage of your node.

Version compatibility

UCP 2.1 requires minimum versions of the following Docker components:

  • Docker Engine 1.13.0
  • Docker Remote API 1.25
  • Compose 1.9