Merge pull request #9647 from fredlf/release-notes-edits

Fixed errors in release notes

docs/sources/release-notes.md

@@ -13,7 +13,7 @@ desired version from the drop-down list at the top right of this page.
 This release provides a number of new features, but is mainly focused on bug
 fixes and improvements to platform stability and security.
 
-For a complete list of patches, fixes, and other improvements, see <todo: link>
+For a complete list of patches, fixes, and other improvements, see the [merge PR on GitHub](https://github.com/docker/docker/pull/9345).
  
 *New Features*
 
@@ -57,371 +57,20 @@ were not sufficiently validated. This created a vulnerability to path traversal
 attacks wherein malicious images or repository spoofing could lead to graph
 corruption and manipulation.
 
-Note that the above CVE's are also in Docker 1.3.3, which was released
-concurrently with 1.4.0.
- 
+> **Note:** the above CVEs are also patched in Docker 1.3.3, which was released
+> concurrently with 1.4.0.
+
 *Runtime fixes*
- 
-* Fixed an issue that caused image archives to be read slowly.
- 
-*Client fixes*
- 
-* Fixed a regression related to STDIN redirection.
-* Fixed a regression involving `docker cp` when the current directory is the
-destination.
 
-> **Note**
-> Development history prior to version 1.0 can be found by
-> searching in [GitHub](https://github.com/docker/docker).
+* Fixed an issue that caused image archives to be read slowly.
 
-##Version 1.3.3
-(2014-12-11)
- 
-This release fixes several security issues. In order to encourage immediate
-upgrading, this release also patches some critical bugs. All users are highly
-encouraged to upgrade as soon as possible.
- 
-*Security fixes*
- 
-Patches and changes were made to address the following vulnerabilities:
- 
-* CVE-2014-9356: Path traversal during processing of absolute symlinks. 
-Absolute symlinks were not adequately checked for  traversal which created a
-vulnerability via image extraction and/or volume mounts.
-* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
-archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
-vulnerability that could allow malicious images or builds to write files to the
-host system and escape containerization, leading to privilege escalation.
-* CVE-2014-9358: Path traversal and spoofing opportunities via image
-identifiers. Image IDs passed either via `docker load` or registry communications
-were not sufficiently validated. This created a vulnerability to path traversal
-attacks wherein malicious images or repository spoofing could lead to graph
-corruption and manipulation.
- 
-*Runtime fixes*
- 
-* Fixed an issue that cause image archives to be read slowly.
- 
 *Client fixes*
  
 * Fixed a regression related to STDIN redirection.
 * Fixed a regression involving `docker cp` when the current directory is the
 destination.
 
-##Version 1.3.2
-(2014-11-24)
-
-This release fixes some bugs and addresses some security issues. We have also
-made improvements to aspects of `docker run`.
-
-*Security fixes*
-
-Patches and changes were made to address CVE-2014-6407 and CVE-2014-6408.
-Specifically, changes were made in order to:
-
-* Prevent host privilege escalation from an image extraction vulnerability (CVE-2014-6407).
-
-* Prevent container escalation from malicious security options applied to images (CVE-2014-6408).
-
-*Daemon fixes*
-
-The `--insecure-registry` flag of the `docker run` command has undergone
-several refinements and additions. For details, please see the
-[command-line reference](http://docs.docker.com/reference/commandline/cli/#run).
-
-* You can now specify a sub-net in order to set a range of registries which the Docker daemon will consider insecure.
-
-* By default, Docker now defines `localhost` as an insecure registry.
-
-* Registries can now be referenced using the Classless Inter-Domain Routing (CIDR) format.
-
-* When mirroring is enabled, the experimental registry v2 API is skipped.
-
-##Version 1.3.1
-(2014-10-28)
-
-This release fixes some bugs and addresses some security issues.
-
-*Security fixes*
-
-Patches and changes were made to address [CVE-2014-5277 and CVE-2014-3566](https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU).
-Specifically, changes were made to:
-
-* Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry
-* Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless [`--insecure-registry`](/reference/commandline/cli/#run) is specified.
-
-*Runtime fixes*
-
-* Fixed issue where volumes would not be shared.
-
-*Client fixes*
-
-* Fixed issue with `--iptables=false` not automatically setting
-`--ip-masq=false`.
-* Fixed docker run output to non-TTY stdout.
-
-*Builder fixes*
-
-* Fixed escaping `$` for environment variables.
-* Fixed issue with lowercase `onbuild` instruction in a `Dockerfile`.
-* Restricted environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`,
-`EXPOSE`, `VOLUME`, and `USER`
-
-##Version 1.3.0
-
-This version fixes a number of bugs and issues and adds new functions and other
-improvements. The [GitHub 1.3milestone](https://github.com/docker/docker/issues?q=milestone%3A1.3.0+) has
-more detailed information. Major additions and changes include:
-
-###New Features
-
-*New command: `docker exec`*
-
-The new `docker exec` command lets you run a process in an existing, active
-container. The command has APIs for both the daemon and the client. With `docker
-exec`, you'll be able to do things like add or remove devices from running
-containers, debug running containers, and run commands that are not part of the
-container's static specification. Details in the [command line reference](/reference/commandline/cli/#exec).
-
-*New command: `docker create`*
-
-Traditionally, the `docker run` command has been used to both create a container
-and spawn a process to run it. The new `docker create` command breaks this
-apart, letting you set up a container without actually starting it. This
-provides more control over management of the container lifecycle, giving you the
-ability to configure things like volumes or port mappings before the container
-is started. For example, in a rapid-response scaling situation, you could use
-`create` to prepare and stage ten containers in anticipation of heavy loads.
-Details in the [command line reference](/reference/commandline/cli/#create).
-
-*Tech preview of new provenance features*
-
-This release offers a sneak peek at new image signing capabilities that are
-currently under development. Soon, these capabilities will allow any image
-author to sign their images to certify they have not been tampered with. For
-this release, Official images are now signed by Docker, Inc. Not only does this
-demonstrate the new functionality, we hope it will improve your confidence in
-the security of Official images. Look for the blue ribbons denoting signed
-images on the [Docker Hub](https://hub.docker.com/). The Docker Engine has been
-updated to automatically verify that a given Official Repo has a current, valid
-signature. When pulling a signed image, you'll see a message stating `the image
-you are pulling has been verified`. If no valid signature is detected, Docker
-Engine will fall back to pulling a regular, unsigned image.
-
-###Other improvements & changes*
-
-* We've added a new security options flag to the `docker run` command,
-`--security-opt`, that lets you set SELinux and AppArmor labels and profiles.
-This means you'll  no longer have to use `docker run --privileged` on kernels
-that support SE Linux or AppArmor. For more information, see the [command line
-reference](/reference/commandline/cli/#run).
-
-* A new flag, `--add-host`, has been added to `docker run` that lets you add
-lines to `/etc/hosts`. This allows you to specify different name resolution for
-the container than it would get via DNS. For more information, see the [command
-line reference](/reference/commandline/cli/#run).
-
-* You can now set a `DOCKER_TLS_VERIFY` environment variable to secure
-connections by default (rather than having to pass the `--tlsverify` flag on
-every call). For more information, see the [https guide](/articles/https).
-
-* Three security issues have been addressed in this release: [CVE-2014-5280,
-CVE-2014-5270, and
-CVE-2014-5282](https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ).
-
-##Version 1.2.0
-
-This version fixes a number of bugs and issues and adds new functions and other
-improvements. These include:
-
-###New Features
-
-*New restart policies*
-
-We added a `--restart flag` to `docker run` to specify a restart policy for your
-container. Currently, there are three policies available:
-
-* `no` – Do not restart the container if it dies. (default) * `on-failure` –
-Restart the container if it exits with a non-zero exit code. This can also
-accept an optional maximum restart count (e.g. `on-failure:5`). * `always` –
-Always restart the container no matter what exit code is returned. This
-deprecates the `--restart` flag on the Docker daemon.
-
-*New flags for `docker run`: `--cap-add` and `--cap-drop`*
-
-In previous releases, Docker containers could either be given complete
-capabilities or they could all follow a whitelist of allowed capabilities while
-dropping all others. Further, using `--privileged` would grant all capabilities
-inside a container, rather than applying a whitelist. This was not recommended
-for production use because it’s really unsafe; it’s as if you were directly in
-the host.
-
-This release introduces two new flags for `docker run`, `--cap-add` and
-`--cap-drop`, that give you fine-grain control over the specific capabilities
-you want grant to a particular container.
-
-*New `--device` flag for `docker run`*
-
-Previously, you could only use devices inside your containers by bind mounting
-them (with `-v`) in a `--privileged` container. With this release, we introduce
-the `--device flag` to `docker run` which lets you use a device without
-requiring a privileged container.
-
-*Writable `/etc/hosts`, `/etc/hostname` and `/etc/resolv.conf`*
-
-You can now edit `/etc/hosts`, `/etc/hostname` and `/etc/resolve.conf` in a
-running container. This is useful if you need to install BIND or other services
-that might override one of those files.
-
-Note, however, that changes to these files are not saved when running `docker
-build` and so will not be preserved in the resulting image. The changes will
-only “stick” in a running container.
-
-*Docker proxy in a separate process*
-
-The Docker userland proxy that routes outbound traffic to your containers now
-has its own separate process (one process per connection). This greatly reduces
-the load on the daemon, which increases stability and efficiency.
-
-###Other improvements & changes
-
-* When using `docker rm -f`, Docker now kills the container (instead of stopping
-it) before removing it . If you intend to stop the container cleanly, you can
-use `docker stop`.
-
-* Added support for IPv6 addresses in `--dns`
-
-* Added search capability in private registries
-
-##Version 1.1.0
-
-###New Features
-
-*`.dockerignore` support*
-
-You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
-ignore files and directories specified in that file when sending the build
-context to the daemon. Example:
-https://github.com/docker/docker/blob/master/.dockerignore
-
-*Pause containers during commit*
-
-Doing a commit on a running container was not recommended because you could end
-up with files in an inconsistent state (for example, if they were being written
-during the commit). Containers are now paused when a commit is made to them. You
-can disable this feature by doing a `docker commit --pause=false <container_id>`
-
-*Tailing logs*
-
-You can now tail the logs of a container. For example, you can get the last ten
-lines of a log by using `docker logs --tail 10 <container_id>`. You can also
-follow the logs of a container without having to read the whole log file with
-`docker logs --tail 0 -f <container_id>`.
-
-*Allow a tar file as context for docker build*
-
-You can now pass a tar archive to `docker build` as context. This can be used to
-automate docker builds, for example: `cat context.tar | docker build -` or
-`docker run builder_image | docker build -`
-
-*Bind mounting your whole filesystem in a container*
-
-`/` is now allowed as source of `--volumes`. This means you can bind-mount your
-whole system in a container if you need to. For example: `docker run -v
-/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
-
-
-###Other Improvements & Changes
-
-* Port allocation has been improved. In the previous release, Docker could
-prevent you from starting a container with previously allocated ports which
-seemed to be in use when in fact they were not. This has been fixed.
-
-* A bug in `docker save` was introduced in the last release. The `docker save`
-command could produce images with invalid metadata. The command now produces
-images with correct metadata.
-
-* Running `docker inspect` in a container now returns which containers it is
-linked to.
-
-* Parsing of the `docker commit` flag has improved validation, to better prevent
-you from committing an image with a name such as  `-m`. Image names with dashes
-in them potentially conflict with command line flags.
-
-* The API now has Improved status codes for  `start` and `stop`. Trying to start
-a running container will now return a 304 error.
-
-* Performance has been improved overall. Starting the daemon is faster than in
-previous releases. The daemon’s performance has also been improved when it is
-working with large numbers of images and containers.
-
-* Fixed an issue with white-spaces and multi-lines in Dockerfiles.
-
-##Version 1.1.0
-
-###New Features
-
-*`.dockerignore` support*
-
-You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
-ignore files and directories specified in that file when sending the build
-context to the daemon. Example:
-https://github.com/dotcloud/docker/blob/master/.dockerignore
-
-*Pause containers during commit*
-
-Doing a commit on a running container was not recommended because you could end
-up with files in an inconsistent state (for example, if they were being written
-during the commit). Containers are now paused when a commit is made to them. You
-can disable this feature by doing a `docker commit --pause=false <container_id>`
-
-*Tailing logs*
-
-You can now tail the logs of a container. For example, you can get the last ten
-lines of a log by using `docker logs --tail 10 <container_id>`. You can also
-follow the logs of a container without having to read the whole log file with
-`docker logs --tail 0 -f <container_id>`.
-
-*Allow a tar file as context for docker build*
-
-You can now pass a tar archive to `docker build` as context. This can be used to
-automate docker builds, for example: `cat context.tar | docker build -` or
-`docker run builder_image | docker build -`
-
-*Bind mounting your whole filesystem in a container*
-
-`/` is now allowed as source of `--volumes`. This means you can bind-mount your
-whole system in a container if you need to. For example: `docker run -v
-/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
-
-
-###Other Improvements & Changes
-
-* Port allocation has been improved. In the previous release, Docker could
-prevent you from starting a container with previously allocated ports which
-seemed to be in use when in fact they were not. This has been fixed.
-
-* A bug in `docker save` was introduced in the last release. The `docker save`
-command could produce images with invalid metadata. The command now produces
-images with correct metadata.
-
-* Running `docker inspect` in a container now returns which containers it is
-linked to.
-
-* Parsing of the `docker commit` flag has improved validation, to better prevent
-you from committing an image with a name such as  `-m`. Image names with dashes
-in them potentially conflict with command line flags.
-
-* The API now has Improved status codes for  `start` and `stop`. Trying to start
-a running container will now return a 304 error.
-
-* Performance has been improved overall. Starting the daemon is faster than in
-previous releases. The daemon’s performance has also been improved when it is
-working with large numbers of images and containers.
-
-* Fixed an issue with white-spaces and multi-lines in Dockerfiles.
-
-##Version 1.0.0
+> **Note:**
+> Development history prior to version 1.0 can be found by
+> searching in the [Docker GitHub repo](https://github.com/docker/docker).
 
-First production-ready release. Prior development history can be found by
-searching in [GitHub](https://github.com/docker/docker).