Rancher Release - v1.6.13

Release v1.6.13

Versions

Supported Docker Versions

  • Docker 1.12.3-1.12.6
  • Docker 1.13.1
  • Docker 17.03-ce/ee
  • Docker 17.06-ce/ee
  • Docker 17.09-ce/ee

Note: Kubernetes 1.8 supports Docker 1.12.6, 1.13.1 and 17.03.2. Kubernetes 1.7 supports up to Docker 1.12.6

Kubernetes Versions

List of images required to launch Kubernetes template:

  • rancher/k8s:v1.8.5-rancher3
  • rancher/etcd:v2.3.7-13
  • rancher/kubectld:v0.8.5
  • rancher/etc-host-updater:v0.0.3
  • rancher/kubernetes-agent:v0.6.6
  • rancher/kubernetes-auth:v0.0.8
  • rancher/lb-service-rancher:v0.7.17
  • busybox

For the list of versions for the Kubernetes add-ons embedded in the Rancher Kubernetes images, please refer to the kubernetes-package repo for the specific images and versions.

Rancher Server Tags

Rancher server has 2 different tags. For each major release tag, we will provide documentation for the specific version.

  • rancher/server:latest tag will be our latest development builds. These builds will have been validated through our CI automation framework. These releases are not meant for deployment in production.
  • rancher/server:stable tag will be our latest stable release builds. This tag is the version that we recommend for production.

Please do not use releases with a rc{n} suffix. These rc builds are meant for the Rancher team to test builds.

Beta - v1.6.13 - rancher/server:latest

Stable - v1.6.12 - rancher/server:stable

Important - Upgrade

  • Users on a version prior to Rancher v1.5.0: We will automatically upgrade the network-services infrastructure stack because, without this upgrade, your release will not work.

  • Users on a version prior to Rancher v1.6.0: If you make any changes to the default Rancher library setting for your catalogs and then roll back, you will need to reset the branch used for the default Rancher library under Admin → Settings → Catalog. The current default branch is v1.6-release, but the old default branch is master.

  • Rollback Versions: We support rolling back to Rancher v1.6.12 from Rancher v1.6.13.

    • Steps to Rollback:
      1. In the upgraded version, under Admin → Advanced Settings → API values, update the upgrade.manager value to all.
      2. “Upgrade” Rancher server, but point it to the older version of Rancher (v1.6.12). This should include backing up your database and launching Rancher to point to your current database.
      3. Once Rancher starts up again, all infrastructure stacks will automatically rollback to the applicable version in v1.6.12.
      4. After your setup is back to its original state, update the upgrade.manager value back to the original value that you had (either mandatory or none).

Note on Rollback: If you are rolling back and have authentication enabled using Active Directory, any new users/groups added to site access on the Access Control page after the upgrade will not be retained upon rolling back. Any users added before the upgrade will continue to remain. [#9850]

Important - Please read if you currently have authentication enabled using Active Directory with TLS enabled prior to upgrading to v1.6.10.

Starting with v1.6.8, Rancher has updated the Active Directory auth plugin and moved it into the new authentication framework. We have also further secured the AD+TLS option by ensuring that the hostname/IP of the AD server matches with the hostname/IP of the TLS certificate. Please see [#9459] for details.

Due to this new check, you should be aware that if the hostname/IP does not match your TLS certificate, you will be locked out of your Rancher server if you do not correct this prior to upgrading. To ensure you have no issues with the upgrade, please execute the following to verify your configuration is correct.

  • Verify the hostname/IP you used for your AD configuration. To do this, log into Rancher using a web browser as an admin and click Admin → Access Control. Note the server field to determine your configured hostname/IP for your AD server.
  • To verify the configured hostname/IP for your TLS cert, you can execute the following command to determine the CN attribute:
    openssl s_client -showcerts -connect domain.example.com:443
    You should see something like:
    subject=/OU=Domain Control Validated/CN=domain.example.com
    Verify that the CN attribute matches with your configured server field from the above step.
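
A scripted form of the comparison in the two steps above, added here as an example and not taken from Rancher's own code or documentation. The function names and the 10.0.0.5 value are illustrative, and the sample subject lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not Rancher code): compare the AD server value configured in
# Rancher with the CN of the certificate subject reported by openssl.

# Print the CN from an openssl "subject=" line. Accepts the older
# "/OU=x/CN=host" layout and the newer "OU = x, CN = host" layout.
cert_cn() {
    printf '%s\n' "$1" |
        sed -n 's|^ *subject=.*CN *= *\([^,/]*\).*$|\1|p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Exit status: 0 = configured server equals the CN (case-insensitive),
# 1 = mismatch (fix api.auth.ldap.server before upgrading), 2 = no CN found.
check_ad_server() {
    cn=$(cert_cn "$2")
    [ -n "$cn" ] || return 2
    [ "$(lower "$1")" = "$(lower "$cn")" ]
}

# Fetch the subject line from a live server ("host:port" is supplied by you).
fetch_subject() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
        grep '^ *subject=' | head -n 1
}

# Constructed sample input: the subject line shown above, in both layouts.
OLD_STYLE='subject=/OU=Domain Control Validated/CN=domain.example.com'
NEW_STYLE='subject=OU = Domain Control Validated, CN = domain.example.com'

for configured in domain.example.com 10.0.0.5; do
    if check_ad_server "$configured" "$OLD_STYLE"; then
        echo "$configured: matches certificate CN"
    else
        echo "$configured: MISMATCH, certificate CN is $(cert_cn "$OLD_STYLE")"
    fi
done
echo "newer openssl layout parses to: $(cert_cn "$NEW_STYLE")"
```

Against a live server, pass the output of `fetch_subject "host:port"` as the second argument to `check_ad_server`, with the value of the server field as the first.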

If the fields match, you are good to go. Nothing else is required.

If the fields do not match, please execute the following steps to correct it.

  • Open a web browser and go to Rancher’s settings URL. This can be done by logging into Rancher as an admin and clicking API → Keys. You should see an Endpoint (v2-beta) field. Take the value of that field and append /settings. The final URL should look something like my.rancher.url:8080/v2-beta/settings. Launch this URL in your browser and you should see Rancher’s API browser.
  • Search for api.auth.ldap.server and click that setting to edit it. On the top right, you should be able to click an edit button. Change the value of that to match the hostname/IP of the value found in your cert as identified by the CN attribute and click Show Request → Send Request to persist the value into Rancher’s DB. The response should show your new value.

Once this is completed and the hostname/IP matches your certs’ CN attribute, you should have no issues with AD login after upgrading to 1.6.8.

Enhancements

  • Windows Server 2016 Support v2 - Experimental [#10442] - Rancher has updated the current Windows support to now include the following:
    • Support for Cattle orchestration. This updated version will allow you to leverage all the existing cattle orchestration features such as stacks and service management, metadata service, container scheduling, and DNS service discovery. Load balancer and health checks are not currently supported.
    • V2 has now changed the Windows networking mode from transparent to host subnet. Rather than requiring an external router for the host network, users define a unique subnet per host and IP traffic will be automatically routed by Rancher’s network services.
  • Vault Secrets Bridge v2 - Experimental - Rancher has updated the original version of its support for Vault by introducing a couple of enhancements:
    • V2 is now implemented as a volume driver, thus ensuring that the Vault token is available at the time the container starts.
    • Requests to Vault now use the RSA Key Pair to securely transmit the token over the wire.

Infrastructure Service Updates

When upgrading infrastructure services, please make sure to upgrade in the recommended order.

  • Kubernetes 1.8.5 - v1.8.5-rancher3

    • New images: rancher/k8s:v1.8.5-rancher3
    • Added open-iscsi package to kubelet [#9685]
    • Added ability to check the versions of add-ons so they are not upgraded if the add-on is running a later version [#10045]
    • Added ability to keep config map for SkyDNS if it was set when upgrading add-ons [#10045]
    • Added ability to configure dashboard resource limits. [#10493]
    • Added support for Azure vnet in another resource group.

    Note: If upgrading from a k8s version prior to k8s v1.6, then you will need to re-generate any remote kubeconfig due to RBAC support.

  • Network Services - v0.2.8

    • New image: rancher/network-manager:v0.7.19
    • Fixed an issue where a newly added host takes time to become active [#10392]
  • IPSec - 0.2.2

    • New image: rancher/net:v0.13.7
    • Introduced connectivity check for ipsec [#10326]
    • Fixed an issue where scheduler IPs could be picked up as the IP for the ipsec service for ports 500 and 4500, which would cause cross host communication to no longer work for that host [#9855]
  • Healthcheck - v0.3.3-1

    • Fixed an issue where health check service could get stuck in re-initializing [#10556]
  • Scheduler - v0.8.3

    • New image: rancher/scheduler:v0.8.3
    • Fixed an issue where a panic would occur in scheduler if metadata was unavailable [#10363]
  • ECR Updater - v2.0.1

    • New image: rancher/rancher-ecr-credentials:v2.0.1
    • Added retry logic for AWS and Rancher API calls
    • Added support to update AWS registries in a different environment [#10329]
  • Route 53 - v0.7.9

    • New image: rancher/external-dns:v0.7.9
    • Fixed an issue where modifying an environment name was not being reflected in external DNS [#10077]
    • Skip Traffic Policy records when traversing zone

Known Major Issues

Major Bug Fixes since v1.6.12

  • Fixed an issue where an unexpected response on aliyun cloud provider metadata would make Rancher agents crash [#10474]
  • Fixed an issue where you couldn’t log in after adding users/orgs when using Github Enterprise [#10434]
  • Fixed an issue where an invalid memory address would be seen if Route 53 zone contains a traffic policy record [#10377]
  • Fixed an issue where authentication fails for active AD users if a user was added as a restricted role in the environment and later disabled in AD [#10224]
  • Fixed an issue where you were unable to add a stack description using rancher CLI [#10192]
  • Fixed an issue where Infoblox provider would error if the result set was too large [#10117]
  • Fixed an issue where invalid non-IPs were not being errored out when adding Rancher agents [#8816]

Rancher CLI Downloads

Rancher-Compose Downloads