26.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.2 milestone
• moby/moby, 26.0.2 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-32473, an unexpected configuration of IPv6 on IPv4-only interfaces.

Bug fixes and enhancements

• CVE-2024-32473: Ensure IPv6 is disabled on interfaces only allocated an IPv4 address by the engine. moby#GHSA-x84c-p2g9-rqv9

26.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.1 milestone
• moby/moby, 26.0.1 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix a regression that meant network interface specific --sysctl options prevented container startup. moby/moby#47646
• Remove erroneous platform from image config OCI descriptor in docker save output. moby/moby#47694
• containerd image store: OCI archives produced by docker save will now have a non-empty mediaType field in index.json moby/moby#47701
• Fix a regression that prevented the internal resolver from forwarding requests from IPvlan L3 networks to external resolvers. moby/moby#47705
• Prevent the use of external resolvers in IPvlan and Macvlan networks created with no parent interface specified. moby/moby#47705

Packaging updates

• Update Go runtime to 1.21.9 moby/moby#47671, docker/cli#4987
• Update Compose to v1.26.1 , docker/docker-ce-packaging#1009
• Update containerd to v1.7.15 (static binaries only) moby/moby#47692

23.0.10

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 23.0.10 milestone
• moby/moby, 23.0.10 milestone

26.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.0 milestone
• moby/moby, 26.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

New

• Add Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
• Add volume-subpath support to the mount flag (--mount type=volume,...,volume-subpath=<subpath>). docker/cli#4331
• Accept = separators and [ipv6] in compose files for docker stack deploy. docker/cli#4860
• rootless: Add support for enabling host loopback by setting the DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK environment variable to false (defaults to true). This lets containers connect to the host by using IP address 10.0.2.2. moby/moby#47352
• containerd image store: docker image ls no longer creates duplicates entries for multi-platform images. moby/moby#45967
• containerd image store: Send Prometheus metrics. moby/moby#47555

Bug fixes and enhancements

• CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
• Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233

• Always attempt to enable IPv6 on a container's loopback interface, and only include IPv6 in /etc/hosts if successful. moby/moby#47062

• Fix ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
• Fix docker container start failing when used with --checkpoint. moby/moby#47456
• Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
• Do not enforce new validation rules for existing swarm networks. moby/moby#47361
• Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
• Print hint when invoking docker image ls with ambiguous argument. docker/cli#4849
• Cleanup @docker_cli_[UUID] files on OpenBSD. docker/cli#4862
• Add explicit deprecation notice message when using remote TCP connections without TLS. docker/cli#4928, moby/moby#47556
• Use IPv6 nameservers from the host's resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
• containerd image store: Isolate images with different containerd namespaces when --userns-remap option is used. moby/moby#46786
• containerd image store: Fix image pull not emitting Pulling fs layer status. moby/moby#47432

API

• To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
• GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
• Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
• The is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no results, while is-automated=false will be a no-op. moby/moby#47465
• Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430

Packaging updates

• Update API to v1.45. moby#47582
• Update BuildKit to v0.13.1. moby/moby#47582
• Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
• Update Compose to v2.25.0. docker/docker-ce-packaging#1002
• Update Go runtime to 1.21.8. moby/moby#47502
• Update RootlessKit to v2.0.2. moby/moby#47508
• Update containerd to v1.7.13 (static binaries only) moby/moby#47278
• Update runc binary to v1.1.12 moby/moby#47268
• Update OTel to v0.46.1 / v1.21.0 moby/moby#47245

Removed

• Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430
• Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
• Remove deprecated API versions (API < v1.24) moby/moby#47155
• Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
• image: remove deprecated IDFromDigest moby/moby#47198
• Remove the deprecated github.com/docker/docker/pkg/loopback package. moby/moby#47128
• pkg/system: remove deprecated ErrNotSupportedOperatingSystem, IsOSSupported moby/moby#47129
• pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
• pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
• The daemon flag --oom-score-adjust was deprecated in v24.0 and is now removed. moby/moby#46113
• Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
  These aliases are now removed: types.Info, types.Commit, types.PluginsInfo, types.NetworkAddressPool, types.Runtime, types.SecurityOpt, types.KeyValue, types.DecodeSecurityOptions, types.CheckpointCreateOptions, types.CheckpointListOptions, types.CheckpointDeleteOptions, types.Checkpoint, types.ImageDeleteResponseItem, types.ImageSummary, types.ImageMetadata, types.ServiceUpdateResponse, types.ServiceCreateResponse, `types.Resize...

26.0.0-rc3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.0 milestone
• moby/moby, 26.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

New

• containerd image store: Implement prometheus metrics moby/moby#47555

Bug fixes and enhancements

• CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
• containerd image store: Improve docker images performance. moby/moby#47580
• Add explicit deprecation notice message when using remote TCP connections without TLS. Deprecation notice docker/cli#4928. moby/moby#47556
• Use IPv6 nameservers from the host's resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
• rc2 regression: containerd image store: Fix image list not showing images when an image that has no locally available platforms is encountered.
• rootless: fix open /etc/docker/plugins: permission denied moby/moby#47559
• plugin: fix mounting /etc/hosts when running in UserNS moby/moby#47558

API

• Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430

Packaging updates

• Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
• Update Buildkit to v0.13.1. moby/moby#47582
• Update Compose to v2.25.0. docker/docker-ce-packaging#1002
• Add Ubuntu Noble packages. docker/docker-ce-packaging#1006
• Add Fedora 40 packages. docker/docker-ce-packaging#1005

25.0.5

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.5 milestone
• moby/moby, 25.0.5 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

Bug fixes and enhancements

• CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
• plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
• rootless: fix open /etc/docker/plugins: permission denied. moby/moby#47587
• Fix multiple parallel docker build runs leaking disk space. moby/moby#47527

26.0.0-rc2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.0 milestone
• moby/moby, 26.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Allow to enable host loopback by setting DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK to false, defaults true. It allows to connect to host by using 10.0.2.2 IP moby/moby#47352

Bug fixes and enhancements

• Fix multiple parallel docker build runs leaking disk space. moby/moby#47523
• rc1 regression: Fix docker pull regression introduced in rc1 causing a wrong pull progress message moby/moby#47475
• rc1 regression: Do not attempt to configure an IPv6 address or gateway in a container that's got IPv6 disabled.
• rc1 regression: Fix build sometimes ending with ERROR: failed to solve: unknown blob <digest> in history. moby/moby#47520

API

• The is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no results, while is-automated=false will be a no-op. moby/moby#47465

Packaging updates

• Upgrade Go runtime to 1.21.8. moby/moby#47502
• Update Buildkit to v0.13.0. moby/moby#47511
• Update RootlessKit to v2.0.2. moby/moby#47508
• Update Compose to v2.24.7. docker/docker-ce-packaging#998
• Update Buildx to v0.13.0. docker/docker-ce-packaging#997

25.0.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.4 milestone
• moby/moby, 25.0.4 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
• Fix docker start failing when used with --checkpoint moby/moby#47466
• Don't enforce new validation rules for existing swarm networks moby/moby#47482
• Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
• Fix a regression introduced in v25.0 that prevented the classic builder from ADDing a tar archive with xattrs created on a non-Linux OS moby/moby#47483
• containerd image store: Fix image pull not emitting Pulling fs layer status moby/moby#47484

API

• To preserve backwards compatibility, make read-only mounts not recursive by default when using older clients (API version < v1.44). moby/moby#47393
• GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
• Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
• Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
• Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but NetworkMode name-or-id is not the same as the name-or-id used in NetworkSettings.Networks. moby/moby#47510

Packaging updates

• Upgrade Go runtime to 1.21.8. moby/moby#47503
• Upgrade RootlessKit to v2.0.2. moby/moby#47508
• Upgrade Compose to v2.24.7. docker/docker-ce-packaging#998
• Upgrade Buildx to v0.13.0. docker/docker-ce-packaging#997

Full Changelog: v25.0.3...v25.0.4

26.0.0-rc1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.0 milestone
• moby/moby, 26.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
• Add volume-subpath option to mount flag (--mount type=volume,...,volume-subpath=<subpath>) docker/cli#4331
• containerd image store: image list will no longer produce multiple duplicates image entries for multi-platform images moby/moby#45967
• Accept = separators and [ipv6] in compose files for docker stack deploy docker/cli#4860

Bug fixes and enhancements

• Fix ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
• Fix docker start failing when used with --checkpoint moby/moby#47456
• Always try to enable IPv6 on a container's loopback interface, and only include IPv6 in '/etc/hosts' if successful. moby/moby#47062
• Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
• Do not enforce new validation rules for existing swarm networks moby/moby#47361
• Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
• Print hint when invoking "docker images" with ambiguous argument docker/cli#4849
• Cleanup @docker_cli_[UUID] files on OpenBSD docker/cli#4862
• containerd image store: Isolate images with different containerd namespaces when --userns-remap option is used moby/moby#46786
• containerd image store: Fix image pull not emitting Pulling fs layer status moby/moby#47432
• Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233

API

• To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
• GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
• Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387

Packaging updates

• Upgrade Go runtime to 1.21.7. moby/moby#47385
• Update BuildKit to v0.13.0-rc3 moby/moby#47364
• Update containerd binary to v1.7.13 moby/moby#47278
• Update runc binary to v1.1.12 moby/moby#47268
• Update Rootlesskit to v2.0.1 moby/moby#47332
• Update OTEL to v0.46.1 / v1.21.0 moby/moby#47245

Removed

• Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
• image: remove deprecated IDFromDigest moby/moby#47198
• Removed the deprecated github.com/docker/docker/pkg/loopback package. moby/moby#47128
• pkg/system: remove deprecated ErrNotSupportedOperatingSystem, IsOSSupported moby/moby#47129
• pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
• pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
• The daemon flag --oom-score-adjust has been deprecated in v24.0 and is now removed. moby/moby#46113
• API: remove deprecated API versions (API < v1.24) moby/moby#47155
• Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
  These aliases are now removed: types.Info, types.Commit, types.PluginsInfo, types.NetworkAddressPool, types.Runtime, types.SecurityOpt, types.KeyValue, types.DecodeSecurityOptions, types.CheckpointCreateOptions, types.CheckpointListOptions, types.CheckpointDeleteOptions, types.Checkpoint, types.ImageDeleteResponseItem, types.ImageSummary, types.ImageMetadata, types.ServiceUpdateResponse, types.ServiceCreateResponse, types.ResizeOptions, types.ContainerAttachOptions, types.ContainerCommitOptions, types.ContainerRemoveOptions, types.ContainerStartOptions, types.ContainerListOptions, types.ContainerLogsOptions
• cli/command/container: remove deprecated NewStartOptions() docker/cli#4811
• cli/command: remove deprecated DockerCliOption, InitializeOptdocker/cli#4810

25.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.3 milestone
• moby/moby, 25.0.3 milestone

Bug fixes and enhancements

• containerd image store: Fix a bug where docker image history would fail if a manifest wasn't found in the content store. moby/moby#47348

• Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304

  Note

  • Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses.
    They must be re-created.
  • Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1
    receive new MAC addresses when started using Docker Engine version 25.0.2.
    They must also be re-created.

• Fix docker save <image>@<digest> producing an OCI archive with index without manifests. moby/moby#47294
• Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311
• Fix a bug where containers are unable to communicate over an internal network. moby/moby#47303
• Fix a bug where the value of the ipv6 daemon option was ignored. moby/moby#47310
• Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323
• Fix a potential race condition in the managed containerd supervisor. moby/moby#47313
• Fix an issue with the journald log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243
• seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341
• Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337

Packaging updates

• Removed support for Ubuntu Lunar (23.04). docker/ce-packaging#986