Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

An XCCDF Rule

Description

When upgrading either the UCP or DTR components of MKE, the newer images are pulled (or unpacked if offline) onto engine nodes in a cluster. Once the upgrade is complete, one must manually remove all old image version from the cluster nodes to meet the requirements of this control. When upgrading the Docker Engine - Enterprise component of MKE, the old package version is automatically replaced.

ID: SV-260944r966189_rule
Version: CNTR-MK-001600
Severity: Medium
References: CCI-002617
Updated: 13 days ago

Remediation Templates

Remove all outdated MKE and DTR container images from all nodes in the cluster:

Via CLI: As an MKE admin, execute the following commands using a client bundle:

docker rmi -f $(docker images --filter reference='mirantis/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='registry.mirantis.com/msr/[msr]*:[outdated_tags]' -q)

Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

Description

Remediation Templates

A Manual Procedure