STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-235845

CAT II (Medium)

Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

Rule ID

SV-235845r961677_rule

STIG

Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-002617

Discussion

When upgrading either the UCP or DTR components of Docker Enterprise, the newer images are pulled (or unpacked if offline) onto Engine nodes in a cluster. Once the upgrade is complete, one must manually remove all old image versions from the cluster nodes to meet the requirements of this control. When upgrading the Docker Engine - Enterprise component of Docker Enterprise, the old package version is automatically replaced.

Check Content

Verify that all outdated UCP and DTR container images have been removed from all nodes in the cluster.

via CLI: As a Docker EE admin, execute the following command using a client bundle:

docker images --filter reference='docker/[ucp|dtr]*'

Verify that there are no tags listed that are older than the currently installed versions of UCP and DTR.

If any of the tags listed are older than the currently installed versions of UCP and DTR, then this is a finding.

Fix Text

Remove all outdated UCP and DTR container images from all nodes in the cluster:

via CLI: As a Docker EE admin, execute the following commands using a client bundle:

docker rmi -f $(docker images --filter reference='docker/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='docker/dtr*:[outdated_tags]' -q)
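A scripted form of the check and fix above, added here as an example (not DISA's check text or the Docker product's own tooling). It runs over a constructed `docker images` listing instead of a live cluster, the installed UCP/DTR versions are assumed values, and it prints the removal commands for review rather than executing them.

```shell
# Constructed sample of `docker images --format '{{.Repository}} {{.Tag}}'`
# from one cluster node (illustrative values, not a real listing).
SAMPLE_IMAGES='docker/ucp 3.1.4
docker/ucp-agent 3.1.4
docker/ucp 3.0.6
docker/dtr 2.6.4
docker/dtr-registry 2.5.3
docker/dtr 2.5.3
nginx 1.17'

# Installed component versions (assumed; read them from the running
# UCP/DTR deployment before running the check).
UCP_CURRENT=3.1.4
DTR_CURRENT=2.6.4

# version_lt A B: exit 0 when dotted-numeric version A is older than B.
# Non-numeric tags such as "latest" sort as 0 and need a manual look.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# outdated_images LISTING: print "repo:tag" for every docker/ucp* or
# docker/dtr* image whose tag is older than that component's installed version.
outdated_images() {
  printf '%s\n' "$1" | while read -r repo tag; do
    case "$repo" in
      docker/ucp*) current=$UCP_CURRENT ;;
      docker/dtr*) current=$DTR_CURRENT ;;
      *) continue ;;   # other images are out of scope for this rule
    esac
    version_lt "$tag" "$current" && printf '%s:%s\n' "$repo" "$tag"
  done
  return 0
}

# check_finding LISTING: exit 1 (a finding) when any outdated image is present.
check_finding() {
  found=$(outdated_images "$1")
  [ -z "$found" ] && { echo "PASS: no outdated UCP/DTR images"; return 0; }
  printf 'FINDING: outdated UCP/DTR images present:\n%s\n' "$found"
  return 1
}

# fix_commands LISTING: print the exact removal commands for the findings
# so an admin can review them before running them with a client bundle.
fix_commands() {
  outdated_images "$1" | while read -r ref; do
    printf 'docker rmi -f %s\n' "$ref"
  done
}

check_finding "$SAMPLE_IMAGES" || fix_commands "$SAMPLE_IMAGES"
```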