This document describes the latest changes, additions, known issues, and fixes for Docker Engine.
Note: The client and container runtime are now in separate packages from the daemon in Docker Engine 18.09. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu:
sudo apt install docker-ce docker-ce-cli containerd.io
See the install instructions for the corresponding Linux distro for details.
1. Version 20.10
1.1. 20.10.6
2021-04-12
1.1.1. Client
- Apple Silicon (darwin/arm64) support for Docker CLI docker/cli#3042
- config: print deprecation warning when falling back to pre-v1.7.0 config file ~/.dockercfg. Support for this file will be removed in a future release docker/cli#3000
1.1.2. Builder
- Fix classic builder silently ignoring unsupported Dockerfile options and prompt to enable BuildKit instead moby/moby#42197
1.1.3. Logging
- json-file: fix sporadic unexpected EOF errors moby/moby#42174
1.1.4. Networking
- Fix a regression in docker 20.10, causing IPv6 addresses no longer to be bound by default when mapping ports moby/moby#42205
- Fix implicit IPv6 port-mappings not included in API response. Before docker 20.10, published ports were accessible through both IPv4 and IPv6 by default, but the API only included information about the IPv4 (0.0.0.0) mapping moby/moby#42205
- Fix a regression in docker 20.10, causing the docker-proxy to not be terminated in all cases moby/moby#42205
- Fix iptables forwarding rules not being cleaned up upon container removal moby/moby#42205
1.1.5. Packaging
- Update containerd to v1.4.4 for static binaries. The containerd.io package on apt/yum repos already had this update out of band. Includes a fix for CVE-2021-21334. moby/moby#42124
- Packages for Debian/Raspbian 11 Bullseye, Ubuntu 21.04 Hirsute Hippo and Fedora 34 docker/docker-ce-packaging#521 docker/docker-ce-packaging#522 docker/docker-ce-packaging#533
- Provide the Docker Scan CLI plugin on Linux amd64 via a docker-scan-plugin package as a recommended dependency for the docker-ce-cli package docker/docker-ce-packaging#537
- Include VPNKit binary for arm64 moby/moby#42141
1.1.6. Plugins
- Fix docker plugin create making plugins that were incompatible with older versions of Docker moby/moby#42256
1.1.7. Rootless
- Update RootlessKit to v0.14.1 (see also v0.14.0 v0.13.2) moby/moby#42186 moby/moby#42232
- dockerd-rootless-setuptool.sh: create CLI context "rootless" moby/moby#42109
- dockerd-rootless.sh: prohibit running as root moby/moby#42072
- Fix "operation not permitted" when bind mounting existing mounts moby/moby#42233
- overlay2: fix "createDirWithOverlayOpaque(...) ... input/output error" moby/moby#42235
- overlay2: support "userxattr" option (kernel 5.11) moby/moby#42168
- btrfs: allow unprivileged user to delete subvolumes (kernel >= 4.18) moby/moby#42253
- cgroup2: Move cgroup v2 out of experimental moby/moby#42263
1.2. 20.10.5
2021-03-02
1.2.1. Client
- Revert docker/cli#2960 to fix hanging in docker start --attach and remove spurious "Unsupported signal: <nil>. Discarding" messages. docker/cli#2987.
1.3. 20.10.4
2021-02-26
1.3.1. Builder
- Fix incorrect cache match for inline cache import with empty layers moby/moby#42061
- Update BuildKit to v0.8.2 moby/moby#42061
  - resolver: avoid error caching on token fetch
  - fileop: fix checksum to contain indexes of inputs preventing certain cache misses
  - Fix reference count issues on typed errors with mount references (fixing "invalid mutable ref" errors)
  - git: set token only for main remote access allowing cloning submodules with different credentials
- Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#42065
- Fix parallel pull synchronization regression moby/moby#42049
- Ensure libnetwork state files do not leak moby/moby#41972
1.3.2. Client
- Fix a panic on docker login if no config file is present docker/cli#2959
- Fix "WARNING: Error loading config file: .dockercfg: $HOME is not defined" docker/cli#2958
1.3.3. Runtime
- docker info: silence unhandleable warnings moby/moby#41958
- Avoid creating parent directories for XGlobalHeader moby/moby#42017
- Use 0755 permissions when creating missing directories moby/moby#42017
- Fallback to manifest list when no platform matches in image config moby/moby#42045 moby/moby#41873
- Fix a daemon panic on setups with a custom default runtime configured moby/moby#41974
- Fix a panic when daemon configuration is empty moby/moby#41976
- Fix daemon panic when starting container with invalid device cgroup rule moby/moby#42001
- Fix userns-remap option when username & UID match moby/moby#42013
- static: update runc binary to v1.0.0-rc93 moby/moby#42014
1.3.4. Logger
- Honor labels-regex config even if labels is not set moby/moby#42046
- Handle long log messages correctly preventing awslogs in non-blocking mode to split events bigger than 16kB moby/moby#41975
1.3.5. Rootless
- Prevent the service hanging when stopping by setting systemd KillMode to mixed moby/moby#41956
- dockerd-rootless.sh: add typo guard moby/moby#42070
- Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses moby/moby#42025
- allow mknodding FIFO inside userns moby/moby#41957
1.3.6. Security
- profiles: seccomp: update to Linux 5.11 syscall list moby/moby#41971
1.3.7. Swarm
- Fix issue with heartbeat not persisting upon restart moby/moby#42060
- Fix potential stalled tasks moby/moby#42060
- Fix --update-order and --rollback-order flags when only --update-order or --rollback-order is provided docker/cli#2963
- Fix docker service rollback returning a non-zero exit code in some situations docker/cli#2964
- Fix inconsistent progress-bar direction on docker service rollback docker/cli#2964
1.4. 20.10.3
2021-02-01
1.4.1. Security
- CVE-2021-21285 Prevent an invalid image from crashing docker daemon
- CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
- Ensure AppArmor and SELinux profiles are applied when building with BuildKit
1.4.2. Client
- Check contexts before importing them to reduce risk of extracted files escaping context store
- Windows: prevent executing certain binaries from current directory docker/cli#2950
1.5. 20.10.2
2021-01-04
1.5.1. Runtime
- Fix a daemon start up hang when restoring containers with restart policies but that keep failing to start moby/moby#41729
- overlay2: fix an off-by-one error that prevented building or running containers when data-root is 24 bytes long moby/moby#41830
- systemd: send sd_notify STOPPING=1 when shutting down moby/moby#41832
1.5.2. Networking
- Fix IPv6 port forwarding moby/moby#41805 moby/libnetwork#2604
1.5.3. Swarm
- Fix filtering for replicated-job and global-job service modes moby/moby#41806
1.5.4. Packaging
- buildx updated to v0.5.1 docker/docker-ce-packaging#516
1.6. 20.10.1
2020-12-14
1.6.1. Builder
- buildkit: updated to v0.8.1 with various bugfixes moby/moby#41793
1.6.2. Packaging
- Revert a change in the systemd unit that could prevent docker from starting due to a startup order conflict docker/docker-ce-packaging#514
- buildx updated to v0.5.0 docker/docker-ce-packaging#515
1.7. 20.10.0
2020-12-08
1.7.1. Deprecation / Removal
For an overview of all deprecated features, refer to the Deprecated Engine Features page.
- Warnings and deprecation notice when docker pull-ing from non-compliant registries not supporting pull-by-digest docker/cli#2872
- Sterner warnings and deprecation notice for unauthenticated tcp access moby/moby#41285
- Deprecate KernelMemory (docker run --kernel-memory) moby/moby#41254 docker/cli#2652
- Deprecate aufs storage driver docker/cli#1484
- Deprecate host-discovery and overlay networks with external k/v stores moby/moby#40614 moby/moby#40510
- Deprecate Dockerfile legacy 'ENV name value' syntax, use ENV name=value instead docker/cli#2743
- Remove deprecated "filter" parameter for API v1.41 and up moby/moby#40491
- Disable distribution manifest v2 schema 1 on push moby/moby#41295
- Remove hack MalformedHostHeaderOverride breaking old docker clients (<= 1.12) in which case, set DOCKER_API_VERSION moby/moby#39076
- Remove "docker engine" subcommands docker/cli#2207
- Remove experimental "deploy" from "dab" files docker/cli#2216
- Remove deprecated docker search --automated and --stars flags docker/cli#2338
- No longer allow reserved namespaces in engine labels docker/cli#2326
1.7.2. API
- Update API version to v1.41
- Do not require "experimental" for metrics API moby/moby#40427
- GET /events now returns prune events after pruning resources have completed moby/moby#41259
  - Prune events are returned for container, network, volume, image, and builder, and have a reclaimed attribute, indicating the amount of space reclaimed (in bytes)
- Add one-shot stats option to not prime the stats moby/moby#40478
- Adding OS version info to the system info's API (/info) moby/moby#38349
- Add DefaultAddressPools to docker info moby/moby#40714
- Add API support for PidsLimit on services moby/moby#39882
1.7.3. Builder
- buildkit,dockerfile: Support for RUN --mount options without needing to specify experimental dockerfile #syntax directive. moby/buildkit#1717
- dockerfile: ARG command now supports defining multiple build args on the same line similarly to ENV moby/buildkit#1692
- dockerfile: --chown flag in ADD now allows parameter expansion moby/buildkit#1473
- buildkit: Fetching authorization tokens has been moved to client-side (if the client supports it). Passwords do not leak into the build daemon anymore and users can see from build output when credentials or tokens are accessed. moby/buildkit#1660
- buildkit: Connection errors while communicating with the registry for push and pull now trigger a retry moby/buildkit#1791
- buildkit: Git source now supports token authentication via build secrets moby/moby#41234 docker/cli#2656 moby/buildkit#1533
- buildkit: Building from git source now supports forwarding SSH socket for authentication moby/buildkit#1782
- buildkit: Avoid builds that generate excessive logs to cause a crash or slow down the build. Clipping is performed if needed. moby/buildkit#1754
- buildkit: Change default Seccomp profile to the one provided by Docker moby/buildkit#1807
- buildkit: Support for exposing SSH agent socket on Windows has been improved moby/buildkit#1695
- buildkit: Disable truncating by default when using --progress=plain moby/buildkit#1435
- buildkit: Allow better handling client sessions dropping while it is being shared by multiple builds moby/buildkit#1551
- buildkit: secrets: allow providing secrets with env moby/moby#41234 docker/cli#2656 moby/buildkit#1534
  - Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file.
  - --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.
- buildkit: Support for mirrors fallbacks, insecure TLS and custom TLS config moby/moby#40814
- buildkit: remotecache: Only visit each item once when walking results moby/moby#41234 moby/buildkit#1577
  - Improves performance and CPU use on bigger graphs
- buildkit: Check remote when local image platform doesn't match moby/moby#40629
- buildkit: image export: Use correct media type when creating new layer blobs moby/moby#41234 moby/buildkit#1541
- buildkit: progressui: fix logs time formatting moby/moby#41234 docker/cli#2656 moby/buildkit#1549
- buildkit: mitigate containerd issue on parallel push moby/moby#41234 moby/buildkit#1548
- buildkit: inline cache: fix handling of duplicate blobs moby/moby#41234 moby/buildkit#1568
  - Fixes https://github.com/moby/buildkit/issues/1388 cache-from working unreliably
  - Fixes https://github.com/moby/moby/issues/41219 Image built from cached layers is missing data
- Allow ssh:// for remote context URLs moby/moby#40179
- builder: remove legacy build's session handling (was experimental) moby/moby#39983
1.7.4. Client
- Add swarm jobs support to CLI docker/cli#2262
- Add -a/--all-tags to docker push docker/cli#2220
- Add support for Kubernetes username/password auth docker/cli#2308
- Add --pull=missing|always|never to run and create commands docker/cli#1498
- Add --env-file flag to docker exec for parsing environment variables from a file docker/cli#2602
- Add shorthand -n for --tail option docker/cli#2646
- Add log-driver and options to service inspect "pretty" format docker/cli#1950
- docker run: specify cgroup namespace mode with --cgroupns docker/cli#2024
- docker manifest rm command to remove manifest list draft from local storage docker/cli#2449
- Add "context" to "docker version" and "docker info" docker/cli#2500
- Propagate platform flag to container create API docker/cli#2551
- The docker ps --format flag now has a .State placeholder to print the container's state without additional details about uptime and health check docker/cli#2000
- Add support for docker-compose schema v3.9 docker/cli#2073
- Add support for docker push --quiet docker/cli#2197
- Hide flags that are not supported by BuildKit, if BuildKit is enabled docker/cli#2123
- Update flag description for docker rm -v to clarify the option only removes anonymous (unnamed) volumes docker/cli#2289
- Improve tasks printing for docker services docker/cli#2341
- docker info: list CLI plugins alphabetically docker/cli#2236
- Fix order of processing of --label-add/--label-rm, --container-label-add/--container-label-rm, and --env-add/--env-rm flags on docker service update to allow replacing existing values docker/cli#2668
- Fix docker rm --force returning a non-zero exit code if one or more containers did not exist docker/cli#2678
- Improve memory stats display by using total_inactive_file instead of cache docker/cli#2415
- Mitigate against YAML files that have excessive aliasing docker/cli#2117
- Allow using advanced syntax when setting a config or secret with only the source field docker/cli#2243
- Fix reading config files containing username and password auth even if auth is empty docker/cli#2122
- docker cp: prevent NPE when failing to stat destination docker/cli#2221
- config: preserve ownership and permissions on configfile docker/cli#2228
1.7.5. Logging
- Support reading docker logs with all logging drivers (best effort) moby/moby#40543
- Add splunk-index-acknowledgment log option to work with Splunk HECs with index acknowledgment enabled moby/moby#39987
- Add partial metadata to journald logs moby/moby#41407
- Reduce allocations for logfile reader moby/moby#40796
- Fluentd: add fluentd-async, fluentd-request-ack, and deprecate fluentd-async-connect moby/moby#39086
1.7.6. Runtime
- Support cgroup2 moby/moby#40174 moby/moby#40657 moby/moby#40662
- cgroup2: use "systemd" cgroup driver by default when available moby/moby#40846
- new storage driver: fuse-overlayfs moby/moby#40483
- Update containerd binary to v1.4.3 moby/moby#41732
- docker push now defaults to latest tag instead of all tags moby/moby#40302
- Added ability to change the number of reconnect attempts during connection loss while pulling an image by adding max-download-attempts to the config file moby/moby#39949
- Add support for containerd v2 shim by using the now default io.containerd.runc.v2 runtime moby/moby#41182
- cgroup v1: change the default runtime to io.containerd.runc.v2. Requires containerd v1.3.0 or later. v1.3.5 or later is recommended moby/moby#41210
- Start containers in their own cgroup namespaces moby/moby#38377
- Enable DNS Lookups for CIFS Volumes moby/moby#39250
- Use MemAvailable instead of MemFree to estimate actual available memory moby/moby#39481
- The --device flag in docker run will now be honored when the container is started in privileged mode moby/moby#40291
- Enforce reserved internal labels moby/moby#40394
- Raise minimum memory limit to 6M, to account for higher memory use by runtimes during container startup moby/moby#41168
- Add support for CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE on supported kernels moby/moby#41460
- vendor runc v1.0.0-rc92 moby/moby#41344 moby/moby#41317
- info: add warnings about missing blkio cgroup support moby/moby#41083
- Accept platform spec on container create moby/moby#40725
- Fix handling of looking up user- and group-names with spaces moby/moby#41377
1.7.7. Networking
- Support host.docker.internal in dockerd on Linux moby/moby#40007
- Include IPv6 address of linked containers in /etc/hosts moby/moby#39837
- --ip6tables enables IPv6 iptables rules (only if experimental) moby/moby#41622
- Add alias for hostname if hostname != container name moby/moby#39204
- Better selection of DNS server (with systemd) moby/moby#41022
- Add docker interfaces to firewalld docker zone moby/moby#41189 moby/libnetwork#2548
  - Fixes DNS issue on CentOS8 docker/for-linux#957
  - Fixes Port Forwarding on RHEL 8 with Firewalld running with FirewallBackend=nftables moby/libnetwork#2496
- Fix an issue reporting 'failed to get network during CreateEndpoint' moby/moby#41189 moby/libnetwork#2554
- Log error instead of disabling IPv6 router advertisement failed moby/moby#41189 moby/libnetwork#2563
- No longer ignore --default-address-pool option in certain cases moby/moby#40711
- Produce an error with invalid address pool moby/moby#40808 moby/libnetwork#2538
- Fix DOCKER-USER chain not created when IPTableEnable=false moby/moby#40808 moby/libnetwork#2471
- Fix panic on startup in systemd environments moby/moby#40808 moby/libnetwork#2544
- Fix issue preventing containers from communicating over macvlan internal network moby/moby#40596 moby/libnetwork#2407
- Fix InhibitIPv4 nil panic moby/moby#40596
- Fix VFP leak in Windows overlay network deletion moby/moby#40596 moby/libnetwork#2524
1.7.8. Packaging
- docker.service: Add multi-user.target to After= in unit file moby/moby#41297
- docker.service: Allow socket activation moby/moby#37470
- seccomp: Remove dependency in dockerd on libseccomp moby/moby#41395
1.7.9. Rootless
- rootless: graduate from experimental moby/moby#40759
- Add dockerd-rootless-setuptool.sh moby/moby#40950
- Support --exec-opt native.cgroupdriver=systemd moby/moby#40486
1.7.10. Security
- Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612
- seccomp: Whitelist clock_adjtime. CAP_SYS_TIME is still required for time adjustment moby/moby#40929
- seccomp: Add openat2 and faccessat2 to default seccomp profile moby/moby#41353
- seccomp: allow 'rseq' syscall in default seccomp profile moby/moby#41158
- seccomp: allow syscall membarrier moby/moby#40731
- seccomp: whitelist io-uring related system calls moby/moby#39415
- Add default sysctls to allow ping sockets and privileged ports with no capabilities moby/moby#41030
- Fix seccomp profile for clone syscall moby/moby#39308
1.7.11. Swarm
- Add support for swarm jobs moby/moby#40307
- Add capabilities support to stack/service commands docker/cli#2687 docker/cli#2709 moby/moby#39173 moby/moby#41249
- Add support for sending down service Running and Desired task counts moby/moby#39231
- service: support --mount type=bind,bind-nonrecursive moby/moby#38788
- Support ulimits on Swarm services. moby/moby#41284 docker/cli#2712
- Fixed an issue where service logs could leak goroutines on the worker moby/moby#40426