Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

An XCCDF Rule

Description

When upgrading either the UCP or DTR components of Docker Enterprise, the newer images are pulled (or unpacked if offline) onto Engine nodes in a cluster. Once the upgrade is complete, one must manually remove all old image version from the cluster nodes to meet the requirements of this control. When upgrading the Docker Engine - Enterprise component of Docker Enterprise, the old package version is automatically replaced.

ID: SV-235845r627662_rule
Version: DKER-EE-004130
Severity: Medium
References: CCI-002617
Updated: 15 days ago

Remediation Templates

Remove all outdated UCP and DTR container images from all nodes in the cluster:

via CLI: As a Docker EE admin, execute the following commands using a client bundle:

docker rmi -f $(docker images --filter reference='docker/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='docker/dtr*:[outdated_tags]' -q)

Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

Description

Remediation Templates

A Manual Procedure