Home Explore Blog CI



docker
10th chunk of `content/manuals/engine/release-notes/20.10.md`
cba3a04eb9c223b56b2da89195e4a65a9bb00263e9eade39000000010000103a
- Update Golang runtime to Go 1.16.8, which contains fixes for [CVE-2021-36221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221)
  and [CVE-2021-39293](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39293)
- Update static binaries and containerd.io rpm and deb packages to containerd
  v1.4.11 and runc v1.0.2 to address [CVE-2021-41103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103).
- Update the bundled buildx version to v0.6.3 for rpm and deb packages.

## 20.10.8
2021-08-03

> [!IMPORTANT]
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http), HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the [HTTP/HTTPS proxy section](/manuals/engine/daemon/proxy.md) to learn how to configure the Docker Daemon to use a proxy server.

### Deprecation

- Deprecate support for encrypted TLS private keys. Legacy PEM encryption as
  specified in RFC 1423 is insecure by design. Because it does not authenticate
  the ciphertext, it is vulnerable to padding oracle attacks that can let an
  attacker recover the plaintext. Support for encrypted TLS private keys is now
  marked as deprecated, and will be removed in an upcoming release. [docker/cli#3219](https://github.com/docker/cli/pull/3219)
- Deprecate Kubernetes stack support. Following the deprecation of [Compose on Kubernetes](https://github.com/docker/compose-on-kubernetes),
  support for Kubernetes in the `stack` and `context` commands in the Docker CLI
  is now marked as deprecated, and will be removed in an upcoming release [docker/cli#3174](https://github.com/docker/cli/pull/3174).

### Client

- Fix `Invalid standard handle identifier` errors on Windows [docker/cli#3132](https://github.com/docker/cli/pull/3132).

### Rootless

- Avoid `can't open lock file /run/xtables.lock: Permission denied` error on
  SELinux hosts [moby/moby#42462](https://github.com/moby/moby/pull/42462).
- Disable overlay2 when running with SELinux to prevent permission denied errors [moby/moby#42462](https://github.com/moby/moby/pull/42462).
- Fix `x509: certificate signed by unknown authority` error on openSUSE Tumbleweed [moby/moby#42462](https://github.com/moby/moby/pull/42462).

### Runtime

- Print a warning when using the `--platform` option to pull a single-arch image
  that does not match the specified architecture [moby/moby#42633](https://github.com/moby/moby/pull/42633).
- Fix incorrect `Your kernel does not support swap memory limit` warning when
  running with cgroups v2 [moby/moby#42479](https://github.com/moby/moby/pull/42479).
- Windows: Fix a situation where containers were not stopped if `HcsShutdownComputeSystem`
  returned an `ERROR_PROC_NOT_FOUND` error [moby/moby#42613](https://github.com/moby/moby/pull/42613) 

### Swarm

- Fix a possibility where overlapping IP addresses could exist as a result of the
  node failing to clean up its old loadbalancer IPs [moby/moby#42538](https://github.com/moby/moby/pull/42538)
- Fix a deadlock in log broker ("dispatcher is stopped") [moby/moby#42537](https://github.com/moby/moby/pull/42537)

### Packaging

> **Known issue**
>
> The `ctr` binary shipping with the static packages of this release is not
> statically linked, and will not run in Docker images using alpine as a base
> image. Users can install the `libc6-compat` package, or download a previous
> version of the `ctr` binary as a workaround. Refer to the containerd ticket
> related to this issue for more details: [containerd/containerd#5824](https://github.com/containerd/containerd/issues/5824).

- Remove packaging for Ubuntu 16.04 "Xenial" and Fedora 32, as they reached EOL [docker/docker-ce-packaging#560](https://github.com/docker/docker-ce-packaging/pull/560)
- Update Golang runtime to Go 1.16.6
- Update the bundled buildx version to v0.6.1 for rpm and deb packages [docker/docker-ce-packaging#562](https://github.com/docker/docker-ce-packaging/pull/562)
Title: Docker Engine Release Notes: 20.10.8 - Deprecations, Bug Fixes, and Packaging Updates
Summary
This section details the release notes for Docker Engine version 20.10.8, including deprecations of encrypted TLS private key support and Kubernetes stack support. It addresses client-side errors on Windows, rootless execution issues on SELinux hosts and openSUSE, and runtime issues like platform mismatch warnings and incorrect swap memory warnings. Bug fixes are also included for Swarm mode, addressing potential IP address overlaps and deadlocks in the log broker. The release also involves packaging updates such as removing support for Ubuntu 16.04 and Fedora 32, updating the Golang runtime to Go 1.16.6, and updating the bundled buildx version to v0.6.1. It also includes a reminder about HTTP/HTTPS proxy configuration changes in Go 1.16 and a known issue related to the ctr binary in static packages.