Releases: moby/moby
v26.0.0
26.0.0
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
New
- Add
Subpath
field to theVolumeOptions
making it possible to mount a subpath of a volume. moby/moby#45687 - Add
volume-subpath
support to the mount flag (--mount type=volume,...,volume-subpath=<subpath>
). docker/cli#4331 - Accept
=
separators and[ipv6]
in compose files fordocker stack deploy
. docker/cli#4860 - rootless: Add support for enabling host loopback by setting the
DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK
environment variable tofalse
(defaults totrue
). This lets containers connect to the host by using IP address10.0.2.2
. moby/moby#47352 - containerd image store:
docker image ls
no longer creates duplicates entries for multi-platform images. moby/moby#45967 - containerd image store: Send Prometheus metrics. moby/moby#47555
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233
Warning
Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses, they must be re-created.
Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
- Always attempt to enable IPv6 on a container's loopback interface, and only include IPv6 in
/etc/hosts
if successful. moby/moby#47062
Note
By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network.
For example, containers that are only connected to an IPv4-only network now have the ::1
address on their loopback interface.
To disable IPv6 in a container,
use option --sysctl net.ipv6.conf.all.disable_ipv6=1
in the create
or run
command,
or the equivalent sysctls
option in the service configuration section of a Compose file.
If IPv6 is not available in a container because it has been explicitly disabled for the container,
or the host's networking stack does not have IPv6 enabled (or for any other reason)
the container's /etc/hosts
file will not include IPv6 entries.
- Fix
ADD
Dockerfile instruction failing withlsetxattr <file>: operation not supported
when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175 - Fix
docker container start
failing when used with--checkpoint
. moby/moby#47456 - Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
- Do not enforce new validation rules for existing swarm networks. moby/moby#47361
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
- Print hint when invoking
docker image ls
with ambiguous argument. docker/cli#4849 - Cleanup
@docker_cli_[UUID]
files on OpenBSD. docker/cli#4862 - Add explicit deprecation notice message when using remote TCP connections without TLS. docker/cli#4928, moby/moby#47556
- Use IPv6 nameservers from the host's
resolv.conf
as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container'sresolv.conf
. moby/moby#47512 - containerd image store: Isolate images with different containerd namespaces when
--userns-remap
option is used. moby/moby#46786 - containerd image store: Fix image pull not emitting
Pulling fs layer
status. moby/moby#47432
API
- To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
GET /images/{id}/json
omits theCreated
field (previously it was0001-01-01T00:00:00Z
) if theCreated
field is missing from the image config. moby/moby#47451- Populate a missing
Created
field inGET /images/{id}/json
with0001-01-01T00:00:00Z
for API version <= 1.43. moby/moby#47387 - The
is_automated
field in thePOST /images/search
endpoint results is alwaysfalse
now. Consequently, searching foris-automated=true
will yield no results, whileis-automated=false
will be a no-op. moby/moby#47465 - Remove
Container
andContainerConfig
fields from theGET /images/{name}/json
response. moby/moby#47430
Packaging updates
- Update API to v1.45. moby#47582
- Update BuildKit to v0.13.1. moby/moby#47582
- Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
- Update Compose to v2.25.0. docker/docker-ce-packaging#1002
- Update Go runtime to 1.21.8. moby/moby#47502
- Update RootlessKit to v2.0.2. moby/moby#47508
- Update containerd to v1.7.13 (static binaries only) moby/moby#47278
- Update runc binary to v1.1.12 moby/moby#47268
- Update OTel to v0.46.1 / v1.21.0 moby/moby#47245
Removed
- Remove
Container
andContainerConfig
fields from theGET /images/{name}/json
response. moby/moby#47430 - Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
- Remove deprecated API versions (API < v1.24) moby/moby#47155
- Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
- image: remove deprecated IDFromDigest moby/moby#47198
- Remove the deprecated
github.com/docker/docker/pkg/loopback
package. moby/moby#47128 - pkg/system: remove deprecated
ErrNotSupportedOperatingSystem
,IsOSSupported
moby/moby#47129 - pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
- pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
- The daemon flag
--oom-score-adjust
was deprecated in v24.0 and is now removed. moby/moby#46113 - Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
These aliases are now removed:types.Info
,types.Commit
,types.PluginsInfo
,types.NetworkAddressPool
,types.Runtime
,types.SecurityOpt
,types.KeyValue
,types.DecodeSecurityOptions
,types.CheckpointCreateOptions
,types.CheckpointListOptions
,types.CheckpointDeleteOptions
,types.Checkpoint
,types.ImageDeleteResponseItem
,types.ImageSummary
,types.ImageMetadata
,types.ServiceUpdateResponse
,types.ServiceCreateResponse
, `types.Resize...
v26.0.0-rc3
26.0.0-rc3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
New
- containerd image store: Implement prometheus metrics moby/moby#47555
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- containerd image store: Improve
docker images
performance. moby/moby#47580 - Add explicit deprecation notice message when using remote TCP connections without TLS. Deprecation notice docker/cli#4928. moby/moby#47556
- Use IPv6 nameservers from the host's
resolv.conf
as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container'sresolv.conf
. moby/moby#47512 - rc2 regression: containerd image store: Fix
image list
not showing images when an image that has no locally available platforms is encountered. - rootless: fix
open /etc/docker/plugins: permission denied
moby/moby#47559 - plugin: fix mounting /etc/hosts when running in UserNS moby/moby#47558
API
- Remove
Container
andContainerConfig
fields from theGET /images/{name}/json
response. moby/moby#47430
Packaging updates
- Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
- Update Buildkit to v0.13.1. moby/moby#47582
- Update Compose to v2.25.0. docker/docker-ce-packaging#1002
- Add Ubuntu Noble packages. docker/docker-ce-packaging#1006
- Add Fedora 40 packages. docker/docker-ce-packaging#1005
v25.0.5
25.0.5
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 25.0.5 milestone
- moby/moby, 25.0.5 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
- rootless: fix
open /etc/docker/plugins: permission denied
. moby/moby#47587 - Fix multiple parallel
docker build
runs leaking disk space. moby/moby#47527
v26.0.0-rc2
26.0.0-rc2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
- Allow to enable host loopback by setting
DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK
to false, defaults true. It allows to connect to host by using 10.0.2.2 IP moby/moby#47352
Bug fixes and enhancements
- Fix multiple parallel
docker build
runs leaking disk space. moby/moby#47523 - rc1 regression: Fix
docker pull
regression introduced in rc1 causing a wrong pull progress message moby/moby#47475 - rc1 regression: Do not attempt to configure an IPv6 address or gateway in a container that's got IPv6 disabled.
- rc1 regression: Fix build sometimes ending with
ERROR: failed to solve: unknown blob <digest> in history
. moby/moby#47520
API
- The
is_automated
field in thePOST /images/search
endpoint results is alwaysfalse
now. Consequently, searching foris-automated=true
will yield no results, whileis-automated=false
will be a no-op. moby/moby#47465
Packaging updates
- Upgrade Go runtime to 1.21.8. moby/moby#47502
- Update Buildkit to v0.13.0. moby/moby#47511
- Update RootlessKit to v2.0.2. moby/moby#47508
- Update Compose to v2.24.7. docker/docker-ce-packaging#998
- Update Buildx to v0.13.0. docker/docker-ce-packaging#997
v25.0.4
25.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 25.0.4 milestone
- moby/moby, 25.0.4 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
- Fix
docker start
failing when used with--checkpoint
moby/moby#47466 - Don't enforce new validation rules for existing swarm networks moby/moby#47482
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
- Fix a regression introduced in v25.0 that prevented the classic builder from ADDing a tar archive with xattrs created on a non-Linux OS moby/moby#47483
- containerd image store: Fix image pull not emitting
Pulling fs layer
status moby/moby#47484
API
- To preserve backwards compatibility, make read-only mounts not recursive by default when using older clients (API version < v1.44). moby/moby#47393
GET /images/{id}/json
omits theCreated
field (previously it was0001-01-01T00:00:00Z
) if theCreated
field is missing from the image config. moby/moby#47451- Populate a missing
Created
field inGET /images/{id}/json
with0001-01-01T00:00:00Z
for API version <= 1.43. moby/moby#47387 - Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
- Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but
NetworkMode
name-or-id is not the same as the name-or-id used inNetworkSettings.Networks
. moby/moby#47510
Packaging updates
- Upgrade Go runtime to 1.21.8. moby/moby#47503
- Upgrade RootlessKit to v2.0.2. moby/moby#47508
- Upgrade Compose to v2.24.7. docker/docker-ce-packaging#998
- Upgrade Buildx to v0.13.0. docker/docker-ce-packaging#997
Full Changelog: v25.0.3...v25.0.4
v26.0.0-rc1
26.0.0-rc1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
- Add
Subpath
field to theVolumeOptions
making it possible to mount a subpath of a volume. moby/moby#45687 - Add
volume-subpath
option to mount flag (--mount type=volume,...,volume-subpath=<subpath>
) docker/cli#4331 - containerd image store:
image list
will no longer produce multiple duplicates image entries for multi-platform images moby/moby#45967 - Accept
=
separators and[ipv6]
in compose files fordocker stack deploy
docker/cli#4860
Bug fixes and enhancements
- Fix
ADD
Dockerfile instruction failing withlsetxattr <file>: operation not supported
when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175 - Fix
docker start
failing when used with--checkpoint
moby/moby#47456 - Always try to enable IPv6 on a container's loopback interface, and only include IPv6 in '/etc/hosts' if successful. moby/moby#47062
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
- Do not enforce new validation rules for existing swarm networks moby/moby#47361
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
- Print hint when invoking "docker images" with ambiguous argument docker/cli#4849
- Cleanup
@docker_cli_[UUID]
files on OpenBSD docker/cli#4862 - containerd image store: Isolate images with different containerd namespaces when
--userns-remap
option is used moby/moby#46786 - containerd image store: Fix image pull not emitting
Pulling fs layer
status moby/moby#47432 - Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233
Note
Containers created using 25.0.0 may have duplicate MAC addresses, they must be re-created.
Containers created using 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
API
- To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
GET /images/{id}/json
omits theCreated
field (previously it was0001-01-01T00:00:00Z
) if theCreated
field is missing from the image config. moby/moby#47451- Populate a missing
Created
field inGET /images/{id}/json
with0001-01-01T00:00:00Z
for API version <= 1.43. moby/moby#47387
Packaging updates
- Upgrade Go runtime to 1.21.7. moby/moby#47385
- Update BuildKit to v0.13.0-rc3 moby/moby#47364
- Update containerd binary to v1.7.13 moby/moby#47278
- Update runc binary to v1.1.12 moby/moby#47268
- Update Rootlesskit to v2.0.1 moby/moby#47332
- Update OTEL to v0.46.1 / v1.21.0 moby/moby#47245
Removed
- Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
- image: remove deprecated IDFromDigest moby/moby#47198
- Removed the deprecated
github.com/docker/docker/pkg/loopback
package. moby/moby#47128 - pkg/system: remove deprecated
ErrNotSupportedOperatingSystem
,IsOSSupported
moby/moby#47129 - pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
- pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
- The daemon flag
--oom-score-adjust
has been deprecated in v24.0 and is now removed. moby/moby#46113 - API: remove deprecated API versions (API < v1.24) moby/moby#47155
- Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
These aliases are now removed:types.Info
,types.Commit
,types.PluginsInfo
,types.NetworkAddressPool
,types.Runtime
,types.SecurityOpt
,types.KeyValue
,types.DecodeSecurityOptions
,types.CheckpointCreateOptions
,types.CheckpointListOptions
,types.CheckpointDeleteOptions
,types.Checkpoint
,types.ImageDeleteResponseItem
,types.ImageSummary
,types.ImageMetadata
,types.ServiceUpdateResponse
,types.ServiceCreateResponse
,types.ResizeOptions
,types.ContainerAttachOptions
,types.ContainerCommitOptions
,types.ContainerRemoveOptions
,types.ContainerStartOptions
,types.ContainerListOptions
,types.ContainerLogsOptions
- cli/command/container: remove deprecated
NewStartOptions()
docker/cli#4811 - cli/command: remove deprecated
DockerCliOption
,InitializeOpt
docker/cli#4810
v25.0.3
25.0.3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
-
containerd image store: Fix a bug where
docker image history
would fail if a manifest wasn't found in the content store. moby/moby#47348 -
Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304
Note
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses.
They must be re-created. - Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1
receive new MAC addresses when started using Docker Engine version 25.0.2.
They must also be re-created.
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses.
- Fix
docker save <image>@<digest>
producing an OCI archive with index without manifests. moby/moby#47294 - Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311
- Fix a bug where containers are unable to communicate over an
internal
network. moby/moby#47303 - Fix a bug where the value of the
ipv6
daemon option was ignored. moby/moby#47310 - Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323
- Fix a potential race condition in the managed containerd supervisor. moby/moby#47313
- Fix an issue with the
journald
log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243 - seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341
- Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337
Packaging updates
- Removed support for Ubuntu Lunar (23.04). docker/ce-packaging#986
v25.0.2
25.0.2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Security
This release contains security fixes for the following CVEs
affecting Docker Engine and its components.
CVE | Component | Fix version | Severity |
---|---|---|---|
CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
CVE-2024-23651 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23652 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23653 | BuildKit | 1.12.5 | High, CVSS 7.7 |
CVE-2024-23650 | BuildKit | 1.12.5 | Medium, CVSS 5.5 |
CVE-2024-24557 | Docker Engine | 25.0.2 | Medium, CVSS 6.9 |
The potential impacts of the above vulnerabilities include:
- Unauthorized access to the host filesystem
- Compromising the integrity of the build cache
- In the case of CVE-2024-21626, a scenario that could lead to full container escape
For more information about the security issues addressed in this release,
refer to the blog post.
For details about each vulnerability, see the relevant security advisory:
Packaging updates
- Upgrade containerd to v1.6.28.
- Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280
- Upgrade runc to v1.1.12. moby/moby#47269
- Upgrade Compose to v2.24.5. docker/docker-ce-packaging#985
- Upgrade BuildKit to v0.12.5. moby/moby#47273
v24.0.9
24.0.9
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Security
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
CVE | Component | Fix version | Severity |
---|---|---|---|
CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
CVE-2024-24557 | Docker Engine | 24.0.9 | Medium, CVSS 6.9 |
Important
⚠️ Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:
To address these vulnerabilities, upgrade to Docker Engine v25.0.2.
For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the
blog post. For details about each vulnerability, see the relevant security advisory:
Packaging updates
- Upgrade runc to v1.1.12. moby/moby#47269
- Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280
v23.0.9
23.0.9
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: