Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
An XCCDF Rule
Description
<VulnDiscussion>When upgrading either the UCP or DTR components of Docker Enterprise, the newer images are pulled (or unpacked if offline) onto Engine nodes in a cluster. Once the upgrade is complete, one must manually remove all old image versions from the cluster nodes to meet the requirements of this control. When upgrading the Docker Engine - Enterprise component of Docker Enterprise, the old package version is automatically replaced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-235845r627662_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Remove all outdated UCP and DTR container images from all nodes in the cluster:
via CLI: As a Docker EE admin, execute the following commands using a client bundle:
docker rmi -f $(docker images --filter reference='docker/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='docker/dtr*:[outdated_tags]' -q)
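The two commands above require you to spell out every outdated tag by hand and remove by image ID with -f, which also strips a current tag if it happens to share an image ID with an old one. The script below is an added example, not part of the STIG or of Docker's own tooling: it lists the docker/ucp* and docker/dtr* images, keeps only those at the tags the cluster was upgraded to, and removes the rest by repo:tag (untagging only) or by ID for dangling <none> leftovers. The current tags (3.3.5 for UCP, 2.8.5 for DTR), the sample image listing, and the function names are assumptions made for the example; take the real tags from the UCP and DTR versions shown after the upgrade. Removal is done without -f, so an old image still in use by a container is refused rather than silently forced, which is exactly the leftover you want to find.

```shell
#!/bin/sh
# Added example (not from the STIG or from Docker): remove UCP/DTR images on
# cluster nodes that are not at the version the cluster was just upgraded to.
# The tags passed in (e.g. 3.3.5 / 2.8.5) are assumptions for the example.

# Print "repo:tag id" for every docker/ucp* and docker/dtr* image.
# Run with a UCP client bundle loaded so the listing covers the cluster.
list_ucp_dtr_images() {
    docker images --format '{{.Repository}}:{{.Tag}} {{.ID}}' \
        --filter 'reference=docker/ucp*' --filter 'reference=docker/dtr*'
}

# Read "repo:tag id" lines on stdin; print one removable item per line:
# the repo:tag of every UCP/DTR image whose tag is not the current one, or
# the image ID for untagged (<none>) leftovers. Removing by repo:tag only
# untags, so an image ID that is also carrying a current tag survives.
outdated_refs() {  # $1 = current UCP tag, $2 = current DTR tag
    awk -v ucp="$1" -v dtr="$2" '
    NF >= 2 {
        ref = $1; id = $2
        tag = ref;  sub(/.*:/, "", tag)         # text after the last colon
        repo = ref; sub(/:[^:]*$/, "", repo)    # everything before it
        if (repo ~ /^docker\/ucp/ && tag == ucp) next
        if (repo ~ /^docker\/dtr/ && tag == dtr) next
        out = (tag == "<none>") ? id : ref
        print out
    }' | LC_ALL=C sort -u
}

# Constructed sample of `docker images` output so the example runs offline.
SAMPLE_IMAGES='docker/ucp:3.3.5 aaa111
docker/ucp-agent:3.3.5 bbb222
docker/ucp:3.3.2 ccc333
docker/ucp-agent:3.3.2 ddd444
docker/ucp-auth:<none> 123abc
docker/dtr:2.8.5 eee555
docker/dtr-rethink:2.8.2 fff666
docker/dtr-nginx:2.8.5 ggg777'

# $1 = current UCP tag, $2 = current DTR tag, $3 = "apply" to really delete.
# Without "apply" it is a dry run over the constructed sample and only
# prints what would be removed.
remove_outdated() {
    if [ "$3" = "apply" ]; then
        # No -f: an old image still used by a container is refused, which
        # flags a stale UCP/DTR container that the upgrade left behind.
        list_ucp_dtr_images | outdated_refs "$1" "$2" | while IFS= read -r ref; do
            docker rmi "$ref"
        done
    else
        printf '%s\n' "$SAMPLE_IMAGES" | outdated_refs "$1" "$2"
    fi
}

# Dry run: prints the four stale entries from the sample.
remove_outdated 3.3.5 2.8.5
```

Run the dry run first and compare the list against the versions reported by UCP and DTR; then rerun with `apply` on a manager node with the client bundle loaded. Repeat on each node (or confirm via the bundle's cluster-wide listing) that nothing older than the current tags remains.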