Docker Engine 20.10 release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Engine version 20.10.

20.10.24

2023-04-04

Updates

Bug fixes and enhancements

  • Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.
    • A lack of kernel support for encrypted overlay networks now reports as an error.
    • Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.
    • Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the xt_bpf kernel module.
    • Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw to ensure that unintentional exposure has not occurred.
  • Upgrade github.com/containerd/fifo to v1.1.0 to fix a potential panic moby/moby#45216.
  • Fix missing Bash completion for installed cli-plugins docker/cli#4091.

20.10.23

2023-01-19

This release of Docker Engine contains updated versions of Docker Compose, Docker Buildx, containerd, and some minor bug fixes and enhancements.

Updates

Bug fixes and enhancements

  • Fix an issue where docker build would fail when using --add-host=host.docker.internal:host-gateway with BuildKit enabled moby/moby#44650.

  • Revert seccomp: block socket calls to AF_VSOCK in default profile moby/moby#44712.

    This change, while favorable from a security standpoint, caused a change in behavior for some use-cases. As such, we are reverting it to ensure stability and compatibility for the affected users.

    However, users of AF_VSOCK in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like containers communicating directly with host hypervisors.

    Future releases will filter AF_VSOCK. Users who need to allow containers to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a custom seccomp profile.
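Until the default profile filters AF_VSOCK again, an administrator who wants that protection can apply a custom profile. The following Go program is an added example, not code from the Docker project: it takes a profile in Docker's seccomp JSON format, removes socket(2) from every unconditional allow rule, and adds an allow rule that matches only when the domain argument is not AF_VSOCK (address family 40 on Linux), so AF_VSOCK calls fall through to the profile's default action. The embedded profile is a constructed minimal stand-in; run the function over a copy of the full default profile and test the result on the target kernel before rolling it out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed minimal stand-in for Docker's default profile; in practice run FilterVsock over a copy of the full default seccomp JSON.
const sampleProfile = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","write","socket","connect"],"action":"SCMP_ACT_ALLOW","args":[]}]}`
// FilterVsock allows socket(2) only when its domain argument is not AF_VSOCK (40 on Linux),
// so AF_VSOCK falls through to the profile's default action (SCMP_ACT_ERRNO by default).
// The profile is handled as generic JSON so fields this code does not know survive unchanged.
func FilterVsock(profile []byte) ([]byte, error) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(profile, &doc); err != nil {
		return nil, err
	}
	var rules []map[string]interface{}
	if err := json.Unmarshal(doc["syscalls"], &rules); err != nil {
		return nil, err
	}
	for _, rule := range rules {
		if args, _ := rule["args"].([]interface{}); len(args) > 0 {
			continue // argument-specific rules are left as they are
		}
		names, _ := rule["names"].([]interface{})
		rest := make([]interface{}, 0, len(names))
		for _, n := range names {
			if n != "socket" { // remove the unconditional allow for socket(2)
				rest = append(rest, n)
			}
		}
		rule["names"] = rest
	}
	rules = append(rules, map[string]interface{}{
		"names": []string{"socket"}, "action": "SCMP_ACT_ALLOW",
		"args":  []map[string]interface{}{{"index": 0, "value": 40, "valueTwo": 0, "op": "SCMP_CMP_NE"}},
	})
	updated, err := json.Marshal(rules)
	if err != nil {
		return nil, err
	}
	doc["syscalls"] = updated
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	out, err := FilterVsock([]byte(sampleProfile))
	fmt.Println(string(out), err) // save the JSON and pass it with --security-opt seccomp=<file>
}
```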

20.10.22

2022-12-16

This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, and some minor bug fixes and enhancements.

Updates

Bug fixes and enhancements

20.10.21

2022-10-25

This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, added packages for Ubuntu 22.10, and some minor bug fixes and enhancements.

New

  • Provide packages for Ubuntu 22.10 (Kinetic Kudu).
  • Add support for allow-nondistributable-artifacts towards Docker Hub moby/moby#44313.

Updates

Bug fixes and enhancements

20.10.20

2022-10-18

This release of Docker Engine contains partial mitigations for a Git vulnerability (CVE-2022-39253), and has updated handling of image:tag@digest image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into resulting containers/images; this can occur in both the daemon, and in API clients, depending on the versions and tools in use.

The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build a Git URL context (e.g. git+protocol://). As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulnerability. Further details are available from the GitHub blog ("Git security vulnerabilities announced").

Updates

  • Update Docker Compose to v2.12.0.

Daemon

  • Updated handling of image:tag@digest references. When pulling an image using the image:tag@digest ("pull by digest"), image resolution happens through the content-addressable digest and the image and tag are not used. While this is expected, this could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error.

Client

  • Updated handling of image:tag@digest references. Refer to the "Daemon" section above for details.
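The repository check described above, as an added Go example that is not Docker's own code: the local image store is constructed sample data mapping each content digest to the repositories it is recorded under, the reference grammar is a deliberately simplified one (no registry ports), and Docker's default-registry name normalisation is applied before the comparison so that "alpine" and "docker.io/library/alpine" name the same repository.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the local image store: content digest -> repositories it is recorded under.
var localStore = map[string]map[string]bool{
	"sha256:" + strings.Repeat("a", 64): {"docker.io/library/alpine": true},
	"sha256:" + strings.Repeat("b", 64): {"registry.example.com/team/tool": true},
}

// Simplified reference grammar for "repo[:tag]@sha256:<hex>"; registry ports are not handled.
var refPattern = regexp.MustCompile(`^([a-z0-9][a-z0-9._/-]*?)(?::([\w.-]+))?@(sha256:[a-f0-9]{64})$`)

// normalize applies Docker's default-registry rules: "alpine" -> "docker.io/library/alpine", "user/app" -> "docker.io/user/app".
func normalize(repo string) string {
	if first := strings.SplitN(repo, "/", 2)[0]; strings.ContainsAny(first, ".:") || first == "localhost" {
		return repo // an explicit registry host is left as given
	}
	if !strings.Contains(repo, "/") {
		repo = "library/" + repo
	}
	return "docker.io/" + repo
}

// ResolveLocal mirrors the 20.10.20 behaviour: the digest selects the content and the tag is
// ignored, but local content is used only if the store recorded it under the named repository.
func ResolveLocal(ref string) (string, error) {
	m := refPattern.FindStringSubmatch(ref)
	if m == nil {
		return "", fmt.Errorf("invalid reference %q", ref)
	}
	repo, digest := normalize(m[1]), m[3]
	repos, ok := localStore[digest]
	if !ok {
		return "", fmt.Errorf("digest %s not in local store; a registry pull would follow", digest)
	}
	if !repos[repo] {
		return "", fmt.Errorf("digest %s is not an image of repository %s", digest, repo)
	}
	return digest, nil
}

func main() {
	// The "tool" content requested under the alpine name: an error since 20.10.20, not a silent run.
	fmt.Println(ResolveLocal("alpine:3.16@sha256:" + strings.Repeat("b", 64)))
}
```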

Bug fixes and enhancements

20.10.19

2022-10-14

This release of Docker Engine comes with some bug-fixes, and an updated version of Docker Compose.

Updates

Bug fixes and enhancements

  • Fix an issue that could result in a panic during docker builder prune or docker system prune moby/moby#44122.
  • Fix a bug where using docker volume prune would remove volumes that were still in use if the daemon was running with "live restore" and was restarted moby/moby#44238.

20.10.18

2022-09-09

This release of Docker Engine comes with a fix for a low-severity security issue, some minor bug fixes, and updated versions of Docker Compose, Docker Buildx, containerd, and runc.

Updates

Bug fixes and enhancements

20.10.17

2022-06-06

This release of Docker Engine comes with updated versions of Docker Compose and the containerd and runc components, as well as some minor bug fixes.

Updates

Bug fixes and enhancements

20.10.16

2022-05-12

This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with docker stats when using containerd 1.5 and up, and updates the Go runtime to include a fix for CVE-2022-29526.

Updates

Bug fixes and enhancements

20.10.15

2022-05-05

This release of Docker Engine comes with updated versions of the compose, buildx, containerd, and runc components, as well as some minor bug fixes.

Updates

Bug fixes and enhancements

  • Use a RWMutex for stateCounter to prevent potential locking congestion moby/moby#43426.
  • Prevent an issue where the daemon was unable to find an available IP-range in some conditions moby/moby#43360.
  • Add packages for CentOS 9 stream and Fedora 36.

Known issues

20.10.14

2022-03-23

This release of Docker Engine updates the default inheritable capabilities for containers to address CVE-2022-24769; a new version of the containerd.io runtime is also included to address the same issue.

Updates

  • Update the default inheritable capabilities.
  • Update the default inheritable capabilities for containers used during build.
  • Update containerd (containerd.io package) to v1.5.11.
  • Update docker buildx to v0.8.1.

20.10.13

2022-03-10

This release of Docker Engine contains some bug-fixes and packaging changes, updates to the docker scan and docker buildx commands, an updated version of the Go runtime, and new versions of the containerd.io runtime. Together with this release, we now also provide .deb and .rpm packages of Docker Compose V2, which can be installed using the (optional) docker-compose-plugin package.

New

Updates

Bug fixes and enhancements

20.10.12

2021-12-13

This release of Docker Engine contains changes in packaging only, and provides updates to the docker scan and docker buildx commands. Versions of docker scan before v0.11.0 are not able to detect the Log4j 2 CVE-2021-44228. We are shipping an updated version of docker scan in this release to help you scan your images for this vulnerability.

Note

The docker scan command on Linux is currently only supported on x86 platforms. We do not yet provide a package for other hardware architectures on Linux.

The docker scan feature is provided as a separate package and, depending on your upgrade or installation method, 'docker scan' may not be updated automatically to the latest version. Use the instructions below to update docker scan to the latest version. You can also use these instructions to install, or upgrade the docker scan package without upgrading the Docker Engine:

On .deb based distros, such as Ubuntu and Debian:

$ apt-get update && apt-get install docker-scan-plugin

On rpm-based distros, such as CentOS or Fedora:

$ yum install docker-scan-plugin

After upgrading, verify you have the latest version of docker scan installed:

$ docker scan --accept-license --version
Version:    v0.12.0
Git commit: 1074dd0
Provider:   Snyk (1.790.0 (standalone))

Read our blog post on CVE-2021-44228 to learn how to use the docker scan command to check if images are vulnerable.

Packaging

20.10.11

2021-11-17

IMPORTANT

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
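The rule in this note can be checked against Go's own net/http, which is what the daemon and CLI use for registry connections. The program below is an added example, not Docker code; the proxy and registry host names are constructed, and only HTTP_PROXY is set so the outcome for an https:// URL is visible.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// proxyFor reports the proxy Go's net/http would use for rawURL under the
// current environment, or "" when the request goes direct.
func proxyFor(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	proxyURL, err := http.ProxyFromEnvironment(req)
	if err != nil || proxyURL == nil {
		return "", err
	}
	return proxyURL.String(), nil
}

// Demo reproduces the configuration the note warns about: only HTTP_PROXY is set.
// net/http reads the proxy variables once per process, so they are set before the
// first lookup; REQUEST_METHOD is cleared because Go refuses HTTP_PROXY under CGI.
func Demo() (plainProxy, tlsProxy string, err error) {
	for _, v := range []string{"HTTPS_PROXY", "https_proxy", "NO_PROXY", "no_proxy", "REQUEST_METHOD"} {
		os.Unsetenv(v)
	}
	os.Setenv("HTTP_PROXY", "http://proxy.corp.example:3128") // constructed proxy address
	if plainProxy, err = proxyFor("http://registry.corp.example/v2/"); err != nil {
		return
	}
	tlsProxy, err = proxyFor("https://registry-1.docker.io/v2/")
	return
}

func main() {
	plain, tls, err := Demo()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("http://  -> %q\n", plain) // the HTTP_PROXY value
	fmt.Printf("https:// -> %q\n", tls)   // "" on Go 1.16+: direct connection until HTTPS_PROXY is set
}
```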

Distribution

Windows

Packaging

20.10.10

2021-10-25

IMPORTANT

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Builder

  • Fix platform-matching logic so that docker build finds images in the local image cache on Arm machines when using BuildKit moby/moby#42954

Runtime

  • Add support for the clone3 syscall in the default seccomp policy to support running containers based on recent versions of Fedora and Ubuntu moby/moby#42836.
  • Windows: update hcsshim library to fix a bug in sparse file handling in container layers, which was exposed by recent changes in Windows moby/moby#42944.
  • Fix some situations where docker stop could hang forever moby/moby#42956.

Swarm

Packaging

  • Add packages for Ubuntu 21.10 "Impish Indri" and Fedora 35.
  • Update docker scan to v0.9.0
  • Update Golang runtime to Go 1.16.9.

20.10.9

2021-10-04

This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package.

IMPORTANT

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Client

  • CVE-2021-41092 Ensure default auth config has address field set, to prevent credentials being sent to the default registry.

Runtime

  • CVE-2021-41089 Create parent directories inside a chroot during docker cp to prevent a specially crafted container from changing permissions of existing files in the host's filesystem.
  • CVE-2021-41091 Lock down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker.

Packaging

Known issue

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.

20.10.8

2021-08-03

IMPORTANT

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Deprecation

  • Deprecate support for encrypted TLS private keys. Legacy PEM encryption as specified in RFC 1423 is insecure by design. Because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. Support for encrypted TLS private keys is now marked as deprecated, and will be removed in an upcoming release. docker/cli#3219
  • Deprecate Kubernetes stack support. Following the deprecation of Compose on Kubernetes, support for Kubernetes in the stack and context commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release docker/cli#3174.

Client

Rootless

Runtime

  • Print a warning when using the --platform option to pull a single-arch image that does not match the specified architecture moby/moby#42633.
  • Fix incorrect Your kernel does not support swap memory limit warning when running with cgroups v2 moby/moby#42479.
  • Windows: Fix a situation where containers were not stopped if HcsShutdownComputeSystem returned an ERROR_PROC_NOT_FOUND error moby/moby#42613.

Swarm

Packaging

Known issue

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.

20.10.7

2021-06-02

Client

  • Suppress warnings for deprecated cgroups docker/cli#3099.
  • Prevent sending SIGURG signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses SIGURG signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore SIGURG signals docker/cli#3107, moby/moby#42421.

Builder

Logging

Rootless

Networking

  • Update libnetwork to fix publishing ports on environments with kernel boot parameter ipv6.disable=1, and to fix a deadlock causing internal DNS lookups to fail moby/moby#42413.

Contrib

Packaging

20.10.6

2021-04-12

Client

Builder

  • Fix classic builder silently ignoring unsupported Dockerfile options and prompt to enable BuildKit instead moby/moby#42197

Logging

Networking

  • Fix a regression in docker 20.10 that caused IPv6 addresses to no longer be bound by default when mapping ports moby/moby#42205
  • Fix implicit IPv6 port-mappings not included in API response. Before docker 20.10, published ports were accessible through both IPv4 and IPv6 by default, but the API only included information about the IPv4 (0.0.0.0) mapping moby/moby#42205
  • Fix a regression in docker 20.10 that caused the docker-proxy to not be terminated in all cases moby/moby#42205
  • Fix iptables forwarding rules not being cleaned up upon container removal moby/moby#42205

Packaging

Plugins

Rootless

20.10.5

2021-03-02

Client

20.10.4

2021-02-26

Builder

  • Fix incorrect cache match for inline cache import with empty layers moby/moby#42061
  • Update BuildKit to v0.8.2 moby/moby#42061
    • resolver: avoid error caching on token fetch
    • fileop: fix checksum to contain indexes of inputs preventing certain cache misses
    • Fix reference count issues on typed errors with mount references (fixing invalid mutable ref errors)
    • git: set token only for main remote access allowing cloning submodules with different credentials
  • Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#42065
  • Fix parallel pull synchronization regression moby/moby#42049
  • Ensure libnetwork state files do not leak moby/moby#41972

Client

Runtime

Logger

Rootless

Security

Swarm

20.10.3

2021-02-01

Security

  • CVE-2021-21285 Prevent an invalid image from crashing docker daemon
  • CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
  • Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Client

  • Check contexts before importing them to reduce risk of extracted files escaping context store
  • Windows: prevent executing certain binaries from current directory docker/cli#2950

20.10.2

2021-01-04

Runtime

Networking

Swarm

Packaging

20.10.1

2020-12-14

Builder

Packaging

20.10.0

2020-12-08

Deprecation / Removal

For an overview of all deprecated features, refer to the Deprecated Engine Features page.

API

Builder

Client

Logging

Runtime

Networking

Packaging

Rootless

Security

Swarm