Version 20.10
- 20.10.6
  - Client
  - Builder
  - Logging
  - Networking
  - Packaging
  - Plugins
  - Rootless
- 20.10.5
  - Client
- 20.10.4
  - Builder
  - Client
  - Runtime
  - Logger
  - Rootless
  - Security
  - Swarm
- 20.10.3
  - Security
  - Client
- 20.10.2
  - Runtime
  - Networking
  - Swarm
  - Packaging
- 20.10.1
  - Builder
  - Packaging
- 20.10.0
  - Deprecation / Removal
  - API
  - Builder
  - Client
  - Logging
  - Runtime
  - Networking
  - Packaging
  - Rootless
  - Security
  - Swarm

This document describes the latest changes, additions, known issues, and fixes for Docker Engine.

Note: The client and container runtime are now in separate packages from the daemon in Docker Engine 18.09. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io. See the install instructions for the corresponding linux distro for details.

1. Version 20.10

1.1. 20.10.6

2021-04-12

1.1.1. Client

Apple Silicon (darwin/arm64) support for Docker CLI docker/cli#3042
config: print deprecation warning when falling back to pre-v1.7.0 config file ~/.dockercfg. Support for this file will be removed in a future release docker/cli#3000

1.1.2. Builder

Fix classic builder silently ignoring unsupported Dockerfile options and prompt to enable BuildKit instead moby/moby#42197

1.1.3. Logging

json-file: fix sporadic unexpected EOF errors moby/moby#42174

1.1.4. Networking

Fix a regression in docker 20.10, causing IPv6 addresses no longer to be bound by default when mapping ports moby/moby#42205
Fix implicit IPv6 port-mappings not included in API response. Before docker 20.10, published ports were accessible through both IPv4 and IPv6 by default, but the API only included information about the IPv4 (0.0.0.0) mapping moby/moby#42205
Fix a regression in docker 20.10, causing the docker-proxy to not be terminated in all cases moby/moby#42205
Fix iptables forwarding rules not being cleaned up upon container removal moby/moby#42205

1.1.5. Packaging

Update containerd to v1.4.4 for static binaries. The containerd.io package on apt/yum repos already had this update out of band. Includes a fix for CVE-2021-21334. moby/moby#42124
Packages for Debian/Raspbian 11 Bullseye, Ubuntu 21.04 Hirsute Hippo and Fedora 34 docker/docker-ce-packaging#521 docker/docker-ce-packaging#522 docker/docker-ce-packaging#533
Provide the Docker Scan CLI plugin on Linux amd64 via a docker-scan-plugin package as a recommended dependency for the docker-ce-cli package docker/docker-ce-packaging#537
Include VPNKit binary for arm64 moby/moby#42141

1.1.6. Plugins

Fix docker plugin create making plugins that were incompatible with older versions of Docker moby/moby#42256

1.1.7. Rootless

Update RootlessKit to v0.14.1 (see also v0.14.0 v0.13.2) moby/moby#42186 moby/moby#42232
dockerd-rootless-setuptool.sh: create CLI context "rootless" moby/moby#42109
dockerd-rootless.sh: prohibit running as root moby/moby#42072
Fix "operation not permitted" when bind mounting existing mounts moby/moby#42233
overlay2: fix "createDirWithOverlayOpaque(...) ... input/output error" moby/moby#42235
overlay2: support "userxattr" option (kernel 5.11) moby/moby#42168
btrfs: allow unprivileged user to delete subvolumes (kernel >= 4.18) moby/moby#42253
cgroup2: Move cgroup v2 out of experimental moby/moby#42263

1.2. 20.10.5

2021-03-02

1.2.1. Client

Revert docker/cli#2960 to fix hanging in docker start --attach and remove spurious Unsupported signal: <nil>. Discarding messages. docker/cli#2987.

1.3. 20.10.4

2021-02-26

1.3.1. Builder

Fix incorrect cache match for inline cache import with empty layers moby/moby#42061
Update BuildKit to v0.8.2 moby/moby#42061
- resolver: avoid error caching on token fetch
- fileop: fix checksum to contain indexes of inputs preventing certain cache misses
- Fix reference count issues on typed errors with mount references (fixing invalid mutable ref errors)
- git: set token only for main remote access allowing cloning submodules with different credentials
Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#42065
Fix parallel pull synchronization regression moby/moby#42049
Ensure libnetwork state files do not leak moby/moby#41972

1.3.2. Client

Fix a panic on docker login if no config file is present docker/cli#2959
Fix WARNING: Error loading config file: .dockercfg: $HOME is not defined docker/cli#2958

1.3.3. Runtime

docker info: silence unhandleable warnings moby/moby#41958
Avoid creating parent directories for XGlobalHeader moby/moby#42017
Use 0755 permissions when creating missing directories moby/moby#42017
Fallback to manifest list when no platform matches in image config moby/moby#42045 moby/moby#41873
Fix a daemon panic on setups with a custom default runtime configured moby/moby#41974
Fix a panic when daemon configuration is empty moby/moby#41976
Fix daemon panic when starting container with invalid device cgroup rule moby/moby#42001
Fix userns-remap option when username & UID match moby/moby#42013
static: update runc binary to v1.0.0-rc93 moby/moby#42014

1.3.4. Logger

Honor labels-regex config even if labels is not set moby/moby#42046
Handle long log messages correctly preventing awslogs in non-blocking mode to split events bigger than 16kB mobymoby#41975

1.3.5. Rootless

Prevent the service hanging when stopping by setting systemd KillMode to mixed moby/moby#41956
dockerd-rootless.sh: add typo guard moby/moby#42070
Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses moby/moby#42025
allow mknodding FIFO inside userns moby/moby#41957

1.3.6. Security

profiles: seccomp: update to Linux 5.11 syscall list moby/moby#41971

1.3.7. Swarm

Fix issue with heartbeat not persisting upon restart moby/moby#42060
Fix potential stalled tasks moby/moby#42060
Fix --update-order and --rollback-order flags when only --update-order or --rollback-order is provided docker/cli#2963
Fix docker service rollback returning a non-zero exit code in some situations docker/cli#2964
Fix inconsistent progress-bar direction on docker service rollback docker/cli#2964

1.4. 20.10.3

2021-02-01

1.4.1. Security

CVE-2021-21285 Prevent an invalid image from crashing docker daemon
CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
Ensure AppArmor and SELinux profiles are applied when building with BuildKit

1.4.2. Client

Check contexts before importing them to reduce risk of extracted files escaping context store
Windows: prevent executing certain binaries from current directory docker/cli#2950

1.5. 20.10.2

2021-01-04

1.5.1. Runtime

Fix a daemon start up hang when restoring containers with restart policies but that keep failing to start moby/moby#41729
overlay2: fix an off-by-one error preventing to build or run containers when data-root is 24-bytes long moby/moby#41830
systemd: send sd_notify STOPPING=1 when shutting down moby/moby#41832

1.5.2. Networking

Fix IPv6 port forwarding moby/moby#41805 moby/libnetwork#2604

1.5.3. Swarm

Fix filtering for replicated-job and global-job service modes moby/moby#41806

1.5.4. Packaging

buildx updated to v0.5.1 docker/docker-ce-packaging#516

1.6. 20.10.1

2020-12-14

1.6.1. Builder

buildkit: updated to v0.8.1 with various bugfixes moby/moby#41793

1.6.2. Packaging

Revert a change in the systemd unit that could prevent docker from starting due to a startup order conflict docker/docker-ce-packaging#514
buildx updated to v0.5.0 docker/docker-ce-packaging#515

1.7. 20.10.0

2020-12-08

1.7.1. Deprecation / Removal

For an overview of all deprecated features, refer to the Deprecated Engine Features page.

Warnings and deprecation notice when docker pull-ing from non-compliant registries not supporting pull-by-digest docker/cli#2872
Sterner warnings and deprecation notice for unauthenticated tcp access moby/moby#41285
Deprecate KernelMemory (docker run --kernel-memory) moby/moby#41254 docker/cli#2652
Deprecate aufs storage driver docker/cli#1484
Deprecate host-discovery and overlay networks with external k/v stores moby/moby#40614 moby/moby#40510
Deprecate Dockerfile legacy 'ENV name value' syntax, use ENV name=value instead docker/cli#2743
Remove deprecated "filter" parameter for API v1.41 and up moby/moby#40491
Disable distribution manifest v2 schema 1 on push moby/moby#41295
Remove hack MalformedHostHeaderOverride breaking old docker clients (<= 1.12) in which case, set DOCKER_API_VERSION moby/moby#39076
Remove "docker engine" subcommands docker/cli#2207
Remove experimental "deploy" from "dab" files docker/cli#2216
Remove deprecated docker search --automated and --stars flags docker/cli#2338
No longer allow reserved namespaces in engine labels docker/cli#2326

1.7.2. API

Update API version to v1.41
Do not require "experimental" for metrics API moby/moby#40427
GET /events now returns prune events after pruning resources have completed moby/moby#41259
- Prune events are returned for container, network, volume, image, and builder, and have a reclaimed attribute, indicating the amount of space reclaimed (in bytes)
Add one-shot stats option to not prime the stats moby/moby#40478
Adding OS version info to the system info's API (/info) moby/moby#38349
Add DefaultAddressPools to docker info moby/moby#40714
Add API support for PidsLimit on services moby/moby#39882

1.7.3. Builder

buildkit,dockerfile: Support for RUN --mount options without needing to specify experimental dockerfile #syntax directive. moby/buildkit#1717
dockerfile: ARG command now supports defining multiple build args on the same line similarly to ENV moby/buildkit#1692
dockerfile: --chown flag in ADD now allows parameter expansion moby/buildkit#1473
buildkit: Fetching authorization tokens has been moved to client-side (if the client supports it). Passwords do not leak into the build daemon anymore and users can see from build output when credentials or tokens are accessed. moby/buildkit#1660
buildkit: Connection errors while communicating with the registry for push and pull now trigger a retry moby/buildkit#1791
buildkit: Git source now supports token authentication via build secrets moby/moby#41234 docker/cli#2656 moby/buildkit#1533
buildkit: Building from git source now supports forwarding SSH socket for authentication moby/buildkit#1782
buildkit: Avoid builds that generate excessive logs to cause a crash or slow down the build. Clipping is performed if needed. moby/buildkit#1754
buildkit: Change default Seccomp profile to the one provided by Docker moby/buildkit#1807
buildkit: Support for exposing SSH agent socket on Windows has been improved moby/buildkit#1695
buildkit: Disable truncating by default when using --progress=plain moby/buildkit#1435
buildkit: Allow better handling client sessions dropping while it is being shared by multiple builds moby/buildkit#1551
buildkit: secrets: allow providing secrets with env moby/moby#41234 docker/cli#2656 moby/buildkit#1534
- Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file.
- --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.
buildkit: Support for mirrors fallbacks, insecure TLS and custom TLS config moby/moby#40814
buildkit: remotecache: Only visit each item once when walking results moby/moby#41234 moby/buildkit#1577
- Improves performance and CPU use on bigger graphs
buildkit: Check remote when local image platform doesn't match moby/moby#40629
buildkit: image export: Use correct media type when creating new layer blobs moby/moby#41234 moby/buildkit#1541
buildkit: progressui: fix logs time formatting moby/moby#41234 docker/cli#2656 moby/buildkit#1549
buildkit: mitigate containerd issue on parallel push moby/moby#41234 moby/buildkit#1548
buildkit: inline cache: fix handling of duplicate blobs moby/moby#41234 moby/buildkit#1568
- Fixes https://github.com/moby/buildkit/issues/1388 cache-from working unreliably
- Fixes https://github.com/moby/moby/issues/41219 Image built from cached layers is missing data
Allow ssh:// for remote context URLs moby/moby#40179
builder: remove legacy build's session handling (was experimental) moby/moby#39983

1.7.4. Client

Add swarm jobs support to CLI docker/cli#2262
Add -a/--all-tags to docker push docker/cli#2220
Add support for Kubernetes username/password auth docker/cli#2308
Add --pull=missing|always|never to run and create commands docker/cli#1498
Add --env-file flag to docker exec for parsing environment variables from a file docker/cli#2602
Add shorthand -n for --tail option docker/cli#2646
Add log-driver and options to service inspect "pretty" format docker/cli#1950
docker run: specify cgroup namespace mode with --cgroupns docker/cli#2024
docker manifest rm command to remove manifest list draft from local storage docker/cli#2449
Add "context" to "docker version" and "docker info" docker/cli#2500
Propagate platform flag to container create API docker/cli#2551
The docker ps --format flag now has a .State placeholder to print the container's state without additional details about uptime and health check docker/cli#2000
Add support for docker-compose schema v3.9 docker/cli#2073
Add support for docker push --quiet docker/cli#2197
Hide flags that are not supported by BuildKit, if BuildKit is enabled docker/cli#2123
Update flag description for docker rm -v to clarify the option only removes anonymous (unnamed) volumes docker/cli#2289
Improve tasks printing for docker services docker/cli#2341
docker info: list CLI plugins alphabetically docker/cli#2236
Fix order of processing of --label-add/--label-rm, --container-label-add/--container-label-rm, and --env-add/--env-rm flags on docker service update to allow replacing existing values docker/cli#2668
Fix docker rm --force returning a non-zero exit code if one or more containers did not exist docker/cli#2678
Improve memory stats display by using total_inactive_file instead of cache docker/cli#2415
Mitigate against YAML files that has excessive aliasing docker/cli#2117
Allow using advanced syntax when setting a config or secret with only the source field docker/cli#2243
Fix reading config files containing username and password auth even if auth is empty docker/cli#2122
docker cp: prevent NPE when failing to stat destination docker/cli#2221
config: preserve ownership and permissions on configfile docker/cli#2228

1.7.5. Logging

Support reading docker logs with all logging drivers (best effort) moby/moby#40543
Add splunk-index-acknowledgment log option to work with Splunk HECs with index acknowledgment enabled moby/moby#39987
Add partial metadata to journald logs moby/moby#41407
Reduce allocations for logfile reader moby/moby#40796
Fluentd: add fluentd-async, fluentd-request-ack, and deprecate fluentd-async-connect moby/moby#39086

1.7.6. Runtime

Support cgroup2 moby/moby#40174 moby/moby#40657 moby/moby#40662
cgroup2: use "systemd" cgroup driver by default when available moby/moby#40846
new storage driver: fuse-overlayfs moby/moby#40483
Update containerd binary to v1.4.3 moby/moby#41732
docker push now defaults to latest tag instead of all tags moby/moby#40302
Added ability to change the number of reconnect attempts during connection loss while pulling an image by adding max-download-attempts to the config file moby/moby#39949
Add support for containerd v2 shim by using the now default io.containerd.runc.v2 runtime moby/moby#41182
cgroup v1: change the default runtime to io.containerd.runc.v2. Requires containerd v1.3.0 or later. v1.3.5 or later is recommended moby/moby#41210
Start containers in their own cgroup namespaces moby/moby#38377
Enable DNS Lookups for CIFS Volumes moby/moby#39250
Use MemAvailable instead of MemFree to estimate actual available memory moby/moby#39481
The --device flag in docker run will now be honored when the container is started in privileged mode moby/moby#40291
Enforce reserved internal labels moby/moby#40394
Raise minimum memory limit to 6M, to account for higher memory use by runtimes during container startup moby/moby#41168
Add support for CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE on supported kernels moby/moby#41460
vendor runc v1.0.0-rc92 moby/moby#41344 moby/moby#41317
info: add warnings about missing blkio cgroup support moby/moby#41083
Accept platform spec on container create moby/moby#40725
Fix handling of looking up user- and group-names with spaces moby/moby#41377

1.7.7. Networking

Support host.docker.internal in dockerd on Linux moby/moby#40007
Include IPv6 address of linked containers in /etc/hosts moby/moby#39837
--ip6tables enables IPv6 iptables rules (only if experimental) moby/moby#41622
Add alias for hostname if hostname != container name moby/moby#39204
Better selection of DNS server (with systemd) moby/moby#41022
Add docker interfaces to firewalld docker zone moby/moby#41189 moby/libnetwork#2548
- Fixes DNS issue on CentOS8 docker/for-linux#957
- Fixes Port Forwarding on RHEL 8 with Firewalld running with FirewallBackend=nftables moby/libnetwork#2496
Fix an issue reporting 'failed to get network during CreateEndpoint' moby/moby#41189 moby/libnetwork#2554
Log error instead of disabling IPv6 router advertisement failed moby/moby#41189 moby/libnetwork#2563
No longer ignore --default-address-pool option in certain cases moby/moby#40711
Produce an error with invalid address pool moby/moby#40808 moby/libnetwork#2538
Fix DOCKER-USER chain not created when IPTableEnable=false moby/moby#40808 moby/libnetwork#2471
Fix panic on startup in systemd environments moby/moby#40808 moby/libnetwork#2544
Fix issue preventing containers to communicate over macvlan internal network moby/moby#40596 moby/libnetwork#2407
Fix InhibitIPv4 nil panic moby/moby#40596
Fix VFP leak in Windows overlay network deletion moby/moby#40596 moby/libnetwork#2524

1.7.8. Packaging

docker.service: Add multi-user.target to After= in unit file moby/moby#41297
docker.service: Allow socket activation moby/moby#37470
seccomp: Remove dependency in dockerd on libseccomp moby/moby#41395

1.7.9. Rootless

rootless: graduate from experimental moby/moby#40759
Add dockerd-rootless-setuptool.sh moby/moby#40950
Support --exec-opt native.cgroupdriver=systemd moby/moby#40486

1.7.10. Security

Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612
seccomp: Whitelist clock_adjtime. CAP_SYS_TIME is still required for time adjustment moby/moby#40929
seccomp: Add openat2 and faccessat2 to default seccomp profile moby/moby#41353
seccomp: allow 'rseq' syscall in default seccomp profile moby/moby#41158
seccomp: allow syscall membarrier moby/moby#40731
seccomp: whitelist io-uring related system calls moby/moby#39415
Add default sysctls to allow ping sockets and privileged ports with no capabilities moby/moby#41030
Fix seccomp profile for clone syscall moby/moby#39308

1.7.11. Swarm

Add support for swarm jobs moby/moby#40307
Add capabilities support to stack/service commands docker/cli#2687 docker/cli#2709 moby/moby#39173 moby/moby#41249
Add support for sending down service Running and Desired task counts moby/moby#39231
service: support --mount type=bind,bind-nonrecursive moby/moby#38788
Support ulimits on Swarm services. moby/moby#41284 docker/cli#2712
Fixed an issue where service logs could leak goroutines on the worker moby/moby#40426