Docker was updated to version 1.9.0, bringing features and bugfixes (bnc#954812):

* Runtime:
- `docker stats` now returns block IO metrics (#15005)
- `docker stats` now details network stats per interface (#15786)
- Add `ancestor=` filter to `docker ps --filter` flag to filter
containers based on their ancestor images (#14570)
- Add `label=` filter to `docker ps --filter` to filter containers
based on label (#16530)
- Add `--kernel-memory` flag to `docker run` (#14006)
- Add `--message` flag to `docker import` allowing to specify an optional
message (#15711)
- Add `--privileged` flag to `docker exec` (#14113)
- Add `--stop-signal` flag to `docker run` allowing to replace the container
process stopping signal (#15307)
- Add a new `unless-stopped` restart policy (#15348)
- Inspecting an image now returns tags (#13185)
- Add container size information to `docker inspect` (#15796)
- Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json` (#17275)
- Remove the deprecated `/container/ps` endpoint from the API (#15972)
- Send and document correct HTTP codes for `/exec//start` (#16250)
- Share shm and mqueue between containers sharing IPC namespace (#15862)
- Event stream now shows OOM status when `--oom-kill-disable` is set (#16235)
- Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted
with `ro` option (#14965)
- Improve `rmi` performance (#16890)
- Do not update /etc/hosts for the default bridge network, except for links (#17325)
- Fix conflict with duplicate container names (#17389)
- Fix an issue with incorrect template execution in `docker inspect` (#17284)
- DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271)
* Client:
- Allow `docker import` to import from local files (#11907)
* Builder:
- Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different
stop-signal for the container process (#15307)
- Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build`
that allows to add build-time environment variables (#15182)
- Improve cache miss performance (#16890)
* Storage:
- devicemapper: Implement deferred deletion capability (#16381)
* Networking:
- `docker network` exits experimental and is part of standard release (#16645)
- New network top-level concept, with associated subcommands and API (#16645)
WARNING: the API is different from the experimental API
- Support for multiple isolated/micro-segmented networks (#16645)
- Built-in multihost networking using VXLAN based overlay driver (#14071)
- Support for third-party network plugins (#13424)
- Ability to dynamically connect containers to multiple networks (#16645)
- Support for user-defined IP address management via pluggable IPAM drivers (#16910)
- Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229)
- Add `--cluster-store-opt` for setting up TLS settings (#16644)
- Add `--dns-opt` to the daemon (#16031)
- DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`,
`GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`.
Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect
the networking settings of a container per network.
* Volumes:
- New top-level `volume` subcommand and API (#14242)
- Move API volume driver settings to host-specific config (#15798)
- Print an error message if volume name is not unique (#16009)
- Ensure volumes created from Dockerfiles always use the local volume driver
(#15507)
- DEPRECATE auto-creating missing host paths for bind mounts (#16349)
* Logging:
- Add `awslogs` logging driver for Amazon CloudWatch (#15495)
- Add generic `tag` log option to allow customizing container/image
information passed to driver (e.g. show container names) (#15384)
- Implement the `docker logs` endpoint for the journald driver (#13707)
- DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384)
* Distribution:
- `docker search` now works with partial names (#16509)
- Push optimization: avoid buffering to file (#15493)
- The daemon will display progress for images that were already being pulled
by another client (#15489)
- Only permissions required for the current action being performed are requested (#)
- Renaming trust keys (and respective environment variables) from `offline` to
`root` and `tagging` to `repository` (#16894)
- DEPRECATE trust key environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)
* Security:
- Add SELinux profiles to the rpm package (#15832)
- Fix various issues with AppArmor profiles provided in the deb package
(#14609)
- Add AppArmor policy that prevents writing to /proc (#15571)

* Change systemd unit file to no longer use the deprecated "-d" option (bnc#954737)

- Also docker was updated to the 1.8.3 version that fixes security issues:
* Fix layer IDs lead to local graph poisoning (CVE-2014-8178) (bnc#949660)
* Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179)
* Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry