Releases: moby/moby
v26.0.2
26.0.2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.2 milestone
- moby/moby, 26.0.2 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-32473, an unexpected configuration of IPv6 on IPv4-only interfaces.
Bug fixes and enhancements
- CVE-2024-32473: Ensure IPv6 is disabled on interfaces only allocated an IPv4 address by the engine. moby#GHSA-x84c-p2g9-rqv9
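A check for the condition CVE-2024-32473 concerns, as an added example that is not part of the release notes or the Moby code base: it parses `/proc/net/if_inet6` as seen from a container's network namespace and reports IPv6 addresses on non-loopback interfaces that are expected to be IPv4-only. The sample table and the function names are constructed for illustration; `::1` on `lo` is treated as expected, following the 26.0.0 note on this page.

```python
import ipaddress

# Constructed sample of /proc/net/if_inet6 from inside a container's network
# namespace (for example: docker exec <container> cat /proc/net/if_inet6).
# Columns: address, ifindex, prefix length, scope, flags, interface name.
SAMPLE_IF_INET6 = (
    "00000000000000000000000000000001 01 80 10 80       lo\n"
    "fe800000000000000042acfffe120002 0d 40 20 80     eth0\n"
)


def parse_if_inet6(text):
    """Return a list of (interface, IPv6Address, prefix_length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        raw, _ifindex, prefix_len, _scope, _flags, name = fields
        try:
            addr = ipaddress.IPv6Address(int(raw, 16))
            plen = int(prefix_len, 16)
        except ValueError:
            continue  # not hexadecimal, or out of range for IPv6
        entries.append((name, addr, plen))
    return entries


def unexpected_ipv6(text, ipv6_interfaces=()):
    """Report (interface, address, is_link_local) for every address on an
    interface that is neither loopback nor listed in ipv6_interfaces (the
    interfaces the operator knows are attached to IPv6-enabled networks)."""
    allowed = set(ipv6_interfaces) | {"lo"}
    return [(name, str(addr), addr.is_link_local)
            for name, addr, _plen in parse_if_inet6(text)
            if name not in allowed]


def read_if_inet6(path="/proc/net/if_inet6"):
    """Read the table; the file is absent when the kernel has no IPv6 support."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    for name, addr, link_local in unexpected_ipv6(SAMPLE_IF_INET6):
        kind = "link-local" if link_local else "routable"
        print(f"{name}: unexpected {kind} IPv6 address {addr}")
```

An empty result for an IPv4-only container means no interface other than loopback has an IPv6 address assigned.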
v26.0.1
26.0.1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.1 milestone
- moby/moby, 26.0.1 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Fix a regression that meant network interface specific `--sysctl` options prevented container startup. moby/moby#47646
- Remove erroneous `platform` from image `config` OCI descriptor in `docker save` output. moby/moby#47694
- containerd image store: OCI archives produced by `docker save` will now have a non-empty `mediaType` field in `index.json` moby/moby#47701
- Fix a regression that prevented the internal resolver from forwarding requests from IPvlan L3 networks to external resolvers. moby/moby#47705
- Prevent the use of external resolvers in IPvlan and Macvlan networks created with no parent interface specified. moby/moby#47705
Packaging updates
- Update Go runtime to 1.21.9 moby/moby#47671, docker/cli#4987
- Update Compose to v1.26.1, docker/docker-ce-packaging#1009
- Update containerd to v1.7.15 (static binaries only) moby/moby#47692
v23.0.10
23.0.10
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
v26.0.0
26.0.0
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
New
- Add `Subpath` field to the `VolumeOptions` making it possible to mount a subpath of a volume. moby/moby#45687
- Add `volume-subpath` support to the mount flag (`--mount type=volume,...,volume-subpath=<subpath>`). docker/cli#4331
- Accept `=` separators and `[ipv6]` in compose files for `docker stack deploy`. docker/cli#4860
- rootless: Add support for enabling host loopback by setting the `DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK` environment variable to `false` (defaults to `true`). This lets containers connect to the host by using IP address `10.0.2.2`. moby/moby#47352
- containerd image store: `docker image ls` no longer creates duplicate entries for multi-platform images. moby/moby#45967
- containerd image store: Send Prometheus metrics. moby/moby#47555
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233
Warning
Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses; they must be re-created.
Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
- Always attempt to enable IPv6 on a container's loopback interface, and only include IPv6 in `/etc/hosts` if successful. moby/moby#47062
Note
By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network. For example, containers that are only connected to an IPv4-only network now have the `::1` address on their loopback interface.
To disable IPv6 in a container, use option `--sysctl net.ipv6.conf.all.disable_ipv6=1` in the `create` or `run` command, or the equivalent `sysctls` option in the service configuration section of a Compose file.
If IPv6 is not available in a container because it has been explicitly disabled for the container, or the host's networking stack does not have IPv6 enabled (or for any other reason), the container's `/etc/hosts` file will not include IPv6 entries.
- Fix `ADD` Dockerfile instruction failing with `lsetxattr <file>: operation not supported` when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
- Fix `docker container start` failing when used with `--checkpoint`. moby/moby#47456
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
- Do not enforce new validation rules for existing swarm networks. moby/moby#47361
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
- Print hint when invoking `docker image ls` with ambiguous argument. docker/cli#4849
- Cleanup `@docker_cli_[UUID]` files on OpenBSD. docker/cli#4862
- Add explicit deprecation notice message when using remote TCP connections without TLS. docker/cli#4928, moby/moby#47556
- Use IPv6 nameservers from the host's `resolv.conf` as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's `resolv.conf`. moby/moby#47512
- containerd image store: Isolate images with different containerd namespaces when `--userns-remap` option is used. moby/moby#46786
- containerd image store: Fix image pull not emitting `Pulling fs layer` status. moby/moby#47432
API
- To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
- `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
- Populate a missing `Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
- The `is_automated` field in the `POST /images/search` endpoint results is always `false` now. Consequently, searching for `is-automated=true` will yield no results, while `is-automated=false` will be a no-op. moby/moby#47465
- Remove `Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
Packaging updates
- Update API to v1.45. moby#47582
- Update BuildKit to v0.13.1. moby/moby#47582
- Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
- Update Compose to v2.25.0. docker/docker-ce-packaging#1002
- Update Go runtime to 1.21.8. moby/moby#47502
- Update RootlessKit to v2.0.2. moby/moby#47508
- Update containerd to v1.7.13 (static binaries only) moby/moby#47278
- Update runc binary to v1.1.12 moby/moby#47268
- Update OTel to v0.46.1 / v1.21.0 moby/moby#47245
Removed
- Remove `Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
- Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
- Remove deprecated API versions (API < v1.24) moby/moby#47155
- Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
- image: remove deprecated IDFromDigest moby/moby#47198
- Remove the deprecated `github.com/docker/docker/pkg/loopback` package. moby/moby#47128
- pkg/system: remove deprecated `ErrNotSupportedOperatingSystem`, `IsOSSupported` moby/moby#47129
- pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
- pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
- The daemon flag `--oom-score-adjust` was deprecated in v24.0 and is now removed. moby/moby#46113
- Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
  These aliases are now removed: `types.Info`, `types.Commit`, `types.PluginsInfo`, `types.NetworkAddressPool`, `types.Runtime`, `types.SecurityOpt`, `types.KeyValue`, `types.DecodeSecurityOptions`, `types.CheckpointCreateOptions`, `types.CheckpointListOptions`, `types.CheckpointDeleteOptions`, `types.Checkpoint`, `types.ImageDeleteResponseItem`, `types.ImageSummary`, `types.ImageMetadata`, `types.ServiceUpdateResponse`, `types.ServiceCreateResponse`, `types.Resize...
v26.0.0-rc3
26.0.0-rc3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
New
- containerd image store: Implement prometheus metrics moby/moby#47555
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- containerd image store: Improve `docker images` performance. moby/moby#47580
- Add explicit deprecation notice message when using remote TCP connections without TLS. Deprecation notice docker/cli#4928. moby/moby#47556
- Use IPv6 nameservers from the host's `resolv.conf` as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's `resolv.conf`. moby/moby#47512
- rc2 regression: containerd image store: Fix `image list` not showing images when an image that has no locally available platforms is encountered.
- rootless: fix `open /etc/docker/plugins: permission denied` moby/moby#47559
- plugin: fix mounting /etc/hosts when running in UserNS moby/moby#47558
API
- Remove `Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
Packaging updates
- Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
- Update Buildkit to v0.13.1. moby/moby#47582
- Update Compose to v2.25.0. docker/docker-ce-packaging#1002
- Add Ubuntu Noble packages. docker/docker-ce-packaging#1006
- Add Fedora 40 packages. docker/docker-ce-packaging#1005
v25.0.5
25.0.5
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 25.0.5 milestone
- moby/moby, 25.0.5 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
Bug fixes and enhancements
- CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
- plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
- rootless: fix `open /etc/docker/plugins: permission denied`. moby/moby#47587
- Fix multiple parallel `docker build` runs leaking disk space. moby/moby#47527
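An added example for auditing the precondition the CVE-2024-29018 entry describes (not code from the release notes or from Moby): it takes `docker network inspect` and `docker inspect` JSON plus the host's `resolv.conf`, and lists containers attached only to `internal` networks while the host resolver is on a loopback address. The embedded JSON, names and IDs are constructed samples, and the function names are illustrative.

```python
import ipaddress
import json

# Constructed samples shaped like `docker network inspect` and `docker inspect`
# output, reduced to the fields this audit reads.
NETWORKS_JSON = """[
  {"Name": "backend", "Id": "net-internal-1", "Internal": true},
  {"Name": "bridge",  "Id": "net-bridge-0",   "Internal": false}
]"""
CONTAINERS_JSON = """[
  {"Name": "/db",  "NetworkSettings": {"Networks": {
      "backend": {"NetworkID": "net-internal-1"}}}},
  {"Name": "/web", "NetworkSettings": {"Networks": {
      "backend": {"NetworkID": "net-internal-1"},
      "bridge":  {"NetworkID": "net-bridge-0"}}}},
  {"Name": "/job", "NetworkSettings": {"Networks": {}}}
]"""
# Constructed host resolv.conf pointing at systemd-resolved's stub listener.
HOST_RESOLV_CONF = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"


def loopback_nameservers(resolv_conf):
    """Return the nameserver entries that are loopback addresses."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            # Drop an IPv6 zone suffix such as %eth0 before parsing.
            addr = ipaddress.ip_address(parts[1].split("%")[0])
        except ValueError:
            continue  # not an IP address
        if addr.is_loopback:
            found.append(str(addr))
    return found


def internal_only_containers(networks, containers):
    """Names of containers whose every attached network is marked Internal."""
    internal_ids = {n["Id"] for n in networks if n.get("Internal")}
    names = []
    for c in containers:
        attached = (c.get("NetworkSettings") or {}).get("Networks") or {}
        ids = {ep.get("NetworkID") for ep in attached.values()}
        if ids and ids <= internal_ids:  # at least one network, all internal
            names.append(c["Name"].lstrip("/"))
    return names


def audit(networks_json, containers_json, resolv_conf):
    """Combine both checks into one report."""
    lo = loopback_nameservers(resolv_conf)
    isolated = internal_only_containers(json.loads(networks_json),
                                        json.loads(containers_json))
    return {"loopback_nameservers": lo, "internal_only": isolated,
            "precondition_met": bool(lo and isolated)}


if __name__ == "__main__":
    print(json.dumps(audit(NETWORKS_JSON, CONTAINERS_JSON, HOST_RESOLV_CONF), indent=2))
```

On an engine that predates the fixed releases listed on this page, a report with `precondition_met` set to true identifies the containers to prioritise when scheduling the upgrade.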
v26.0.0-rc2
26.0.0-rc2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
- Allow enabling host loopback by setting `DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK` to false (defaults to true). This lets containers connect to the host by using the IP address 10.0.2.2. moby/moby#47352
Bug fixes and enhancements
- Fix multiple parallel `docker build` runs leaking disk space. moby/moby#47523
- rc1 regression: Fix `docker pull` regression introduced in rc1 causing a wrong pull progress message moby/moby#47475
- rc1 regression: Do not attempt to configure an IPv6 address or gateway in a container that's got IPv6 disabled.
- rc1 regression: Fix build sometimes ending with `ERROR: failed to solve: unknown blob <digest> in history`. moby/moby#47520
API
- The `is_automated` field in the `POST /images/search` endpoint results is always `false` now. Consequently, searching for `is-automated=true` will yield no results, while `is-automated=false` will be a no-op. moby/moby#47465
Packaging updates
- Upgrade Go runtime to 1.21.8. moby/moby#47502
- Update Buildkit to v0.13.0. moby/moby#47511
- Update RootlessKit to v2.0.2. moby/moby#47508
- Update Compose to v2.24.7. docker/docker-ce-packaging#998
- Update Buildx to v0.13.0. docker/docker-ce-packaging#997
v25.0.4
25.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 25.0.4 milestone
- moby/moby, 25.0.4 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
- Fix `docker start` failing when used with `--checkpoint` moby/moby#47466
- Don't enforce new validation rules for existing swarm networks moby/moby#47482
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
- Fix a regression introduced in v25.0 that prevented the classic builder from ADDing a tar archive with xattrs created on a non-Linux OS moby/moby#47483
- containerd image store: Fix image pull not emitting `Pulling fs layer` status moby/moby#47484
API
- To preserve backwards compatibility, make read-only mounts not recursive by default when using older clients (API version < v1.44). moby/moby#47393
- `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
- Populate a missing `Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
- Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
- Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but `NetworkMode` name-or-id is not the same as the name-or-id used in `NetworkSettings.Networks`. moby/moby#47510
Packaging updates
- Upgrade Go runtime to 1.21.8. moby/moby#47503
- Upgrade RootlessKit to v2.0.2. moby/moby#47508
- Upgrade Compose to v2.24.7. docker/docker-ce-packaging#998
- Upgrade Buildx to v0.13.0. docker/docker-ce-packaging#997
Full Changelog: v25.0.3...v25.0.4
v26.0.0-rc1
26.0.0-rc1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 26.0.0 milestone
- moby/moby, 26.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
- Add `Subpath` field to the `VolumeOptions` making it possible to mount a subpath of a volume. moby/moby#45687
- Add `volume-subpath` option to mount flag (`--mount type=volume,...,volume-subpath=<subpath>`) docker/cli#4331
- containerd image store: `image list` will no longer produce multiple duplicate image entries for multi-platform images moby/moby#45967
- Accept `=` separators and `[ipv6]` in compose files for `docker stack deploy` docker/cli#4860
Bug fixes and enhancements
- Fix `ADD` Dockerfile instruction failing with `lsetxattr <file>: operation not supported` when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
- Fix `docker start` failing when used with `--checkpoint` moby/moby#47456
- Always try to enable IPv6 on a container's loopback interface, and only include IPv6 in '/etc/hosts' if successful. moby/moby#47062
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
- Do not enforce new validation rules for existing swarm networks moby/moby#47361
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
- Print hint when invoking "docker images" with ambiguous argument docker/cli#4849
- Cleanup `@docker_cli_[UUID]` files on OpenBSD docker/cli#4862
- containerd image store: Isolate images with different containerd namespaces when `--userns-remap` option is used moby/moby#46786
- containerd image store: Fix image pull not emitting `Pulling fs layer` status moby/moby#47432
- Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233
Note
Containers created using 25.0.0 may have duplicate MAC addresses; they must be re-created.
Containers created using 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
API
- To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
- `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
- Populate a missing `Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
Packaging updates
- Upgrade Go runtime to 1.21.7. moby/moby#47385
- Update BuildKit to v0.13.0-rc3 moby/moby#47364
- Update containerd binary to v1.7.13 moby/moby#47278
- Update runc binary to v1.1.12 moby/moby#47268
- Update Rootlesskit to v2.0.1 moby/moby#47332
- Update OTEL to v0.46.1 / v1.21.0 moby/moby#47245
Removed
- Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
- image: remove deprecated IDFromDigest moby/moby#47198
- Removed the deprecated `github.com/docker/docker/pkg/loopback` package. moby/moby#47128
- pkg/system: remove deprecated `ErrNotSupportedOperatingSystem`, `IsOSSupported` moby/moby#47129
- pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
- pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
- The daemon flag `--oom-score-adjust` has been deprecated in v24.0 and is now removed. moby/moby#46113
- API: remove deprecated API versions (API < v1.24) moby/moby#47155
- Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
  These aliases are now removed: `types.Info`, `types.Commit`, `types.PluginsInfo`, `types.NetworkAddressPool`, `types.Runtime`, `types.SecurityOpt`, `types.KeyValue`, `types.DecodeSecurityOptions`, `types.CheckpointCreateOptions`, `types.CheckpointListOptions`, `types.CheckpointDeleteOptions`, `types.Checkpoint`, `types.ImageDeleteResponseItem`, `types.ImageSummary`, `types.ImageMetadata`, `types.ServiceUpdateResponse`, `types.ServiceCreateResponse`, `types.ResizeOptions`, `types.ContainerAttachOptions`, `types.ContainerCommitOptions`, `types.ContainerRemoveOptions`, `types.ContainerStartOptions`, `types.ContainerListOptions`, `types.ContainerLogsOptions`
- cli/command/container: remove deprecated `NewStartOptions()` docker/cli#4811
- cli/command: remove deprecated `DockerCliOption`, `InitializeOpt` docker/cli#4810
v25.0.3
25.0.3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- containerd image store: Fix a bug where `docker image history` would fail if a manifest wasn't found in the content store. moby/moby#47348
- Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304
Note
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
- Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.
- Fix `docker save <image>@<digest>` producing an OCI archive with index without manifests. moby/moby#47294
- Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311
- Fix a bug where containers are unable to communicate over an `internal` network. moby/moby#47303
- Fix a bug where the value of the `ipv6` daemon option was ignored. moby/moby#47310
- Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323
- Fix a potential race condition in the managed containerd supervisor. moby/moby#47313
- Fix an issue with the `journald` log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243
- seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341
- Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337
Packaging updates
- Removed support for Ubuntu Lunar (23.04). docker/ce-packaging#986