Add note about mount-propagation and engine 18.09+

Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker · Jan 25, 2019 · dae7ec6 · dae7ec6
1 parent 96f548b
commit dae7ec6
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/engine/release-notes.md b/engine/release-notes.md
@@ -25,7 +25,25 @@ consistency and compatibility reasons.
 ## 18.09.1
 2019-01-09
 
-### Security fixes for Docker Engine EE and CE 
+#### Important notes about this release
+
+Docker Engine 18.09.0 and up install containerd as a separate systemd unit. Containerd
+therefore uses its own mount namespaces. The Docker Engine cannot run succesfully
+if you are running dockerd with a customized configuration that changes the mount
+propagation (for example, `MountFlags=slave` or `MountFlags=private`).
+
+Run the following command to get the current value of the `MountFlags` property
+for the `docker.service`:
+
+```bash
+sudo systemctl show --property=MountFlags docker.service
+MountFlags=
+```
+
+Update your configuration if this command prints a non-empty value for `MountFlags`,
+and restart the docker service.
+
+### Security fixes for Docker Engine EE and CE
 * Upgraded Go language to 1.10.6 to resolve [CVE-2018-16873](https://nvd.nist.gov/vuln/detail/CVE-2018-16873), [CVE-2018-16874](https://nvd.nist.gov/vuln/detail/CVE-2018-16874), and [CVE-2018-16875](https://nvd.nist.gov/vuln/detail/CVE-2018-16875).
 * Fixed authz plugin for 0-length content and path validation.
 * Added `/proc/asound` to masked paths [docker/engine#126](https://github.com/docker/engine/pull/126)
@@ -66,6 +84,25 @@ consistency and compatibility reasons.
 ## 18.09 
 2018-11-08
 
+#### Important notes about this release
+
+Docker Engine 18.09.0 and up install containerd as a separate systemd unit. Containerd
+therefore uses its own mount namespaces. The Docker Engine cannot run succesfully
+if you are running dockerd with a customized configuration that changes the mount
+propagation (for example, `MountFlags=slave` or `MountFlags=private`).
+
+Run the following command to get the current value of the `MountFlags` property
+for the `docker.service`:
+
+```bash
+sudo systemctl show --property=MountFlags docker.service
+MountFlags=
+```
+
+Update your configuration if this command prints a non-empty value for `MountFlags`,
+and restart the docker service.
+
+
 ### New features for Docker Engine EE 
 
 * [FIPS Compliance added for Windows Server 2016 and later](/install/windows/docker-ee)