Docker 2.1.0 Release with MarkLogic 11.3.1 and 10.0-11

This release includes the following updates

• Updated images with MarkLogic 11.3.1
• Implement hardening on rootless image based on Red Hat CIS policy
• Support MarkLogic Red Hat 9 builds with images based on UBI9-minimal
• Enable FIPS in all images
• Security fixes

Known Issues and Limitations

1. The standard image must be run in privileged mode. If the image isn't run as privileged, the calls that use sudo in the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions. To run in non-privileged mode, use one of the “rootless” image options.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of RedHat UBI images have known security vulnerabilities.
   • CVE-2024-6602, CVE-2024-34397, CVE-2024-2236, CVE-2023-7207, CVE-2023-51764, CVE-2023-37920, CVE-2023-32636, CVE-2023-29499, CVE-2023-2650, CVE-2022-4899, CVE-2021-42694, CVE-2021-3997, CVE-2020-35512, CVE-2020-15945, CVE-2019-9937, CVE-2019-9936, CVE-2019-9705, CVE-2019-19244, CVE-2019-17543, CVE-2019-12904, CVE-2019-12900, CVE-2018-20839, CVE-2024-6602, CVE-2024-6119, CVE-2024-26462, CVE-2024-2236, CVE-2023-7207, CVE-2023-37920, CVE-2023-2953, CVE-2022-4899, CVE-2021-3997, CVE-2024-10041

These libraries are included in the RedHat UBI base images but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

6. As part of the hardening process, the following packages are removed from the image: vim-minimal, cups-client, cups-libs, tar, python3-pip-wheel, platform-python, python3-libs, platform-python-setuptools, avahi-libs, binutils, expat, libarchive, python3, python3-libs, python-unversioned-command. These packages are not required for the operation of MarkLogic Server and are removed to reduce the attack surface of the image. If you require any of these packages, you can install them in your own Dockerfile.

Docker 2.0.1 Release with MarkLogic 11.3.0 and 10.0-11

This release includes the following updates

• Updated images with MarkLogic 11.3.0
• Use specific UBI 8 tag for build stability
• Add notices file to Docker images
• Add contributors file the repository
• Update docker repository references to point to the new official Progress repository
• The CentOS 7 base image is no longer published as RHEL7 is EOL as of June 30

Known Issues and Limitations

RedHat UBI (non-rootless) docker image

1. The image must be run in privileged mode. If the image isn't run as privileged, the calls that use sudo in the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions. To run in non-privileged mode, use one of the “rootless” image options.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of RedHat UBI 8 has known security vulnerabilities :

• glibc (CVE-2019-1010022) for which RedHat does not consider to be a vulnerability.
• kernel-headers (CVE-2023-6546).
• pip (GHSA-gpvv-69j7-gwj8) and setuptools (GHSA-r9hx-vwmv-q579).
• less (CVE-2024-32487).

These libraries are included in the RedHat UBI 8 base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

Docker 2.0.0 Release

This release includes the following updates

• Added a new Docker image based on RedHat Universal Base Image (UBI) and added support for running MarkLogic in rootless mode. (latest tags now point to UBI-rootless images)
• Added a new startup script to support running MarkLogic in rootless mode.
• Updated tagging strategy to exclude Docker release version from the tags.
• Updated README document Docker image upgrade from root to rootless.
• Documented how to set the sysctl parameters when running containers.
• Updated Docker tests for new UBI/rootless images.
• Updated pipeline to build and test MarkLogic Docker images with RedHat Universal Base Image (UBI) as the base image.
• Added tests for upgrade and converter installation.
• Fixed bugs in startup logic to improve compatibility.

Known Issues and Limitations

CentOS base docker image

1. The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the supporting script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 (CVE-2015-8387, CVE-2015-8390, CVE-2015-8394), glibc (CVE-2019-1010022), pcre (CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394), SQLite (CVE-2019-5827), nss (CVE-2014-3566), and bind-license (CVE-2023-6516, CVE-2023-5679, CVE-2023-5517, CVE-2023-50868, CVE-2023-50387, CVE-2023-4408). These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

RedHat UBI base docker image

1. The image must be run in privileged mode. If the image isn't run as privileged, the calls that use sudo in the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions. To run in non-privileged mode, use one of the “rootless” image options.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of RedHat UBI 8 has known security vulnerabilities :

• glibc (CVE-2019-1010022) for which RedHat does not consider to be a vulnerability.
• kernel-headers (CVE-2023-6546).
• pip (GHSA-gpvv-69j7-gwj8) and setuptools (GHSA-r9hx-vwmv-q579).
• less (CVE-2024-32487).

These libraries are included in the RedHat UBI 8 base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

Docker 1.1.2 Release with MarkLogic 11.1.0 and 10.0-10.2

This release includes the following updates

• Startup script updates to improve bootstrapping logic
• Add missing dependencies for MarkLogic converters package

Known Issues and Limitations

1. The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the supporting script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 (CVE-2015-8387, CVE-2015-8390, CVE-2015-8394), glibc (CVE-2019-1010022), pcre (CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394), SQLite (CVE-2019-5827), nss (CVE-2014-3566), and bind-license (CVE-2023-6516, CVE-2023-5679, CVE-2023-5517, CVE-2023-50868, CVE-2023-50387, CVE-2023-4408). These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

Docker 1.1.1 Release with MarkLogic 11.1.0 and 10.0-10.2

This release includes MarkLogic 11.1.0 images and resolves a bug that caused unexpected output from the start up script.

Known Issues and Limitations

• The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
• Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
• Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
• MarkLogic Server will default to the UTC timezone.
• The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

Docker 1.1.0 Release with MarkLogic 11.0.3 and 10.0-10.2

• Added support for joining containers over TLS (HTTPS)
• Updated README with TLS instructions and image tag explanation
• Removed eval from startup script to improve security and stability
• Enhanced tests

Known Issues and Limitations

• The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
• Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
• Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
• MarkLogic Server will default to the UTC timezone.
• The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

Docker 1.0.2 Release with MarkLogic 11.0.2 and 10.0-9.5

This release addresses the following issues:

• Fix bootstrap host detection in docker start up script
• Updated to address security vulnerabilities in the base image
• NTP and Network configuration are not needed at container level

Known Issues and Limitations

• The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
• Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
• Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
• MarkLogic Server will default to the UTC timezone.
• The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

1.0.1 Release

Docker 1.0.1 Release with MarkLogic 11.0.0 and 10.0-9.5

This release addresses the following issues:

* Update startup scripts for more stable initialization and better password parameter handling
* Jenkins pipeline fixes
* Add new tests
* Clean up README

Known Issues and Limitations

1. The image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
2. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
3. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
4. MarkLogic Server will default to the UTC timezone.
5. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385 and SQLite CVE-2019-5827. These libraries are included in the CentOS base image and to-date no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.

1.0.0 Release

Docker 1.0.0 Release with MarkLogic 10.0-9.5

Docker images are maintained by MarkLogic. Send feedback to the MarkLogic Docker team: [email protected]
Supported Docker architectures: x86_64
Base OS: CentOS
Latest supported MarkLogic Server version: 10.0-9.5
Published image artifact details: https://github.com/marklogic/marklogic-docker, https://hub.docker.com/r/marklogicdb/marklogic-db

Known Issues and Limitations

10.0-9.5-centos-1.0.0

1. Enabling huge pages for clusters containing single-host, multi-container configurations may lead to failure, due to incorrect memory allocation. MarkLogic recommends that you disable huge pages in such architectures.
2. Database replication will only work for configurations having a single container per host, with matching hostname.
3. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
4. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
5. MarkLogic Server will default to the UTC timezone.
6. By default, MarkLogic Server runs as the root user. To run MarkLogic Server as a non-root user, see the following references:
   1. https://help.marklogic.com/Knowledgebase/Article/View/start-and-stop-marklogic-server-as-non-root-user
   2. https://help.marklogic.com/Knowledgebase/Article/View/306/0/pitfalls-running-marklogic-process-as-non-root-user
7. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385 and SQLite CVE-2019-5827. These libraries are included in the CentOS base image and to-date no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server iteself, hence there is no impact or mitigation required.

1.0.0 EA4 Release

Early Access Release for MarkLogic 10.0-9 Docker

Docker images are maintained by MarkLogic. Send feedback to the MarkLogic Docker team: [email protected]
Supported Docker architectures: x86_64
Base OS: CentOS
Latest supported MarkLogic Server version: 10.0-9
DockerHub: https://hub.docker.com/_/marklogic

Known Issues and Limitations

10.0-9-centos-1.0.0-ea4

1. Enabling huge pages for clusters containing single-host, multi-container configurations may lead to failure, due to incorrect memory allocation. MarkLogic recommends that you disable huge pages in such architectures.
2. Database replication will only work for configurations having a single container per host, with matching hostname.
3. Using the "leave" button in the Admin interface to remove a node from a cluster may not succeed, depending on your network configuration. Use the Management API to remove a node from a cluster. See: https://docs.marklogic.com/REST/DELETE/admin/v1/host-config.
4. Rejoining a node to a cluster, that had previously left that cluster, may not succeed.
5. MarkLogic Server will default to the UTC timezone.
6. By default, MarkLogic Server runs as the root user. To run MarkLogic Server as a non-root user, see the following references:
   1. https://help.marklogic.com/Knowledgebase/Article/View/start-and-stop-marklogic-server-as-non-root-user
   2. https://help.marklogic.com/Knowledgebase/Article/View/306/0/pitfalls-running-marklogic-process-as-non-root-user