Docker Engine 20.10 release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Engine version 20.10.

20.10.24

Updates

• Update Go runtime to 1.19.7open_in_new.
• Update Docker Buildx to v0.10.4open_in_new.
• Update containerd to v1.6.20open_in_new.
• Update runc to v1.1.5open_in_new.

Bug fixes and enhancements

• Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841open_in_new, CVE-2023-28840open_in_new, and CVE-2023-28842open_in_new.
  • A lack of kernel support for encrypted overlay networks now reports as an error.
  • Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.
  • Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the xt_bpf kernel module.
  • Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxwopen_in_new to ensure that unintentional exposure has not occurred.
• Upgrade github.com/containerd/fifo to v1.1.0 to fix a potential panic moby/moby#45216open_in_new.
• Fix missing Bash completion for installed cli-plugins docker/cli#4091open_in_new.

20.10.23

This release of Docker Engine contains updated versions of Docker Compose, Docker Buildx, containerd, and some minor bug fixes and enhancements.

Updates

• Update Docker Compose to v2.15.1open_in_new.
• Update Docker Buildx to v0.10.0open_in_new.
• Update containerd (containerd.io package) to v1.6.15open_in_new.
• Update the package versioning format for docker-compose-cli to allow distro version updates docker/docker-ce-packaging#822open_in_new.
• Update Go runtime to 1.18.10open_in_new,

Bug fixes and enhancements

• Fix an issue where docker build would fail when using --add-host=host.docker.internal:host-gateway with BuildKit enabled moby/moby#44650open_in_new.

• Revert seccomp: block socket calls to AF_VSOCK in default profile moby/moby#44712open_in_new.

  This change, while favorable from a security standpoint, caused a change in behavior for some use-cases. As such, we are reverting it to ensure stability and compatibility for the affected users.

  However, users of AF_VSOCK in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like containers communicating directly with host hypervisors.

  Future releases, will filter AF_VSOCK. Users who need to allow containers to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a custom seccomp profile.

20.10.22

This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, and some minor bug fixes and enhancements.

Updates

• Update Docker Compose to v2.14.1open_in_new.
• Update Docker Scan to v0.23.0open_in_new.
• Update containerd (containerd.io package) to v1.6.13open_in_new, to include a fix for CVE-2022-23471open_in_new.
• Update Go runtime to 1.18.9open_in_new, to include fixes for CVE-2022-41716open_in_new, CVE-2022-41717open_in_new, and CVE-2022-41720open_in_new.

Bug fixes and enhancements

• Improve error message when attempting to pull an unsupported image format or OCI artifact moby/moby#44413open_in_new, moby/moby#44569open_in_new.
• Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers moby/moby#44476open_in_new.
• Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above moby/moby#3862open_in_new.
• seccomp: block socket calls to AF_VSOCK in default profile moby/moby#44564open_in_new.

20.10.21

This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, added packages for Ubuntu 22.10, and some minor bug fixes and enhancements.

New

• Provide packages for Ubuntu 22.10 (Kinetic Kudu).
• Add support for allow-nondistributable-artifacts towards Docker Hub moby/moby#44313open_in_new.

Updates

• Update Docker Compose to v2.12.2open_in_new.
• Update Docker Scan to v0.21.0open_in_new.
• Update containerd (containerd.io package) to v1.6.9open_in_new.
• Update bundled BuildKit version to to fix output clipped, log limit 1MiB reached errors moby/moby#44339open_in_new.

Bug fixes and enhancements

• Remove experimental gate for --platform in bash completion docker/cli#3824open_in_new.
• Fix an Invalid standard handle identifier panic when registering the Docker Engine as a service from a legacy CLI on Windows moby/moby#44326open_in_new.
• Fix running Git commands in Cygwin on Windows moby/moby#44332open_in_new.

20.10.20

This release of Docker Engine contains partial mitigations for a Git vulnerability ( CVE-2022-39253open_in_new), and has updated handling of image:tag@digest image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into resulting containers/images; this can occur in both the daemon, and in API clients, depending on the versions and tools in use.

The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build a Git URL context (e.g. git+protocol://). As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulnerability. Further details are available from the GitHub blog ( "Git security vulnerabilities announced"open_in_new).

Updates

• Update Docker Compose to v2.12.0open_in_new.
• Updated handling of image:tag@digest references. When pulling an image using the image:tag@digest ("pull by digest"), image resolution happens through the content-addressable digest and the image and tag are not used. While this is expected, this could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error.
• Updated handling of image:tag@digest references. Refer to the "Daemon" section above for details.

Bug fixes and enhancements

• Added a mitigation for CVE-2022-39253open_in_new, when using the classic Builder with a Git URL as the build context.
• Added a mitigation to the classic Builder and updated BuildKit to v0.8.3-31-gc0149372open_in_new, for CVE-2022-39253open_in_new.

20.10.19

This release of Docker Engine comes with some bug-fixes, and an updated version of Docker Compose.

Updates

• Update Docker Compose to v2.11.2open_in_new.
• Update Go runtime to 1.18.7open_in_new, which contains fixes for CVE-2022-2879open_in_new, CVE-2022-2880open_in_new, and CVE-2022-41715open_in_new.

Bug fixes and enhancements

• Fix an issue that could result in a panic during docker builder prune or docker system prune moby/moby#44122open_in_new.
• Fix a bug where using docker volume prune would remove volumes that were still in use if the daemon was running with "live restore" and was restarted moby/moby#44238open_in_new.

20.10.18

This release of Docker Engine comes with a fix for a low-severity security issue, some minor bug fixes, and updated versions of Docker Compose, Docker Buildx, containerd, and runc.

Updates

• Update Docker Buildx to v0.9.1open_in_new.
• Update Docker Compose to v2.10.2open_in_new.
• Update containerd (containerd.io package) to v1.6.8open_in_new.
• Update runc version to v1.1.4open_in_new.
• Update Go runtime to 1.18.6open_in_new, which contains fixes for CVE-2022-27664open_in_new and CVE-2022-32190open_in_new.

Bug fixes and enhancements

• Add Bash completion for Docker Compose docker/cli#3752open_in_new.
• Fix an issue where file-capabilities were not preserved during build moby/moby#43876open_in_new.
• Fix an issue that could result in a panic caused by a concurrent map read and map write moby/moby#44067open_in_new.
• Fix a security vulnerability relating to supplementary group permissions, which could allow a container process to bypass primary group restrictions within the container CVE-2022-36109open_in_new, GHSA-rc4r-wh2q-q6c4open_in_new.
• seccomp: add support for Landlock syscalls in default policy moby/moby#43991open_in_new.
• seccomp: update default policy to support new syscalls introduced in kernel 5.12 - 5.16 moby/moby#43991open_in_new.
• Fix an issue where cache lookup for image manifests would fail, resulting in a redundant round-trip to the image registry moby/moby#44109open_in_new.
• Fix an issue where exec processes and healthchecks were not terminated when they timed out moby/moby#44018open_in_new.

20.10.17

This release of Docker Engine comes with updated versions of Docker Compose and the containerd, and runc components, as well as some minor bug fixes.

Updates

• Update Docker Compose to v2.6.0open_in_new.
• Update containerd (containerd.io package) to v1.6.6open_in_new, which contains a fix for CVE-2022-31030open_in_new
• Update runc version to v1.1.2open_in_new, which contains a fix for CVE-2022-29162open_in_new.
• Update Go runtime to 1.17.11open_in_new, which contains fixes for CVE-2022-30634open_in_new, CVE-2022-30629open_in_new, CVE-2022-30580open_in_new and CVE-2022-29804open_in_new

Bug fixes and enhancements

• Remove asterisk from docker commands in zsh completion script docker/cli#3648open_in_new.
• Fix Windows port conflict with published ports in host mode for overlay moby/moby#43644open_in_new.
• Ensure performance tuning is always applied to libnetwork sandboxes moby/moby#43683open_in_new.

20.10.16

This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with docker stats when using containerd 1.5 and up, and updates the Go runtime to include a fix for CVE-2022-29526open_in_new.

Updates

• Update golang.org/x/sys dependency which contains a fix for CVE-2022-29526open_in_new.
• Updated the golang.org/x/sys build-time dependency which contains a fix for CVE-2022-29526open_in_new.
• Updated Go runtime to 1.17.10open_in_new, which contains a fix for CVE-2022-29526open_in_new.

Bug fixes and enhancements

• Fixed a regression in binaries for macOS introduced in 20.10.15, which resulted in a panic docker/cli#43426open_in_new.
• Fixed an issue where docker stats was showing empty stats when running with containerd 1.5.0 or up moby/moby#43567open_in_new.
• Used "weak" dependencies for the docker scan CLI plugin, to prevent a "conflicting requests" error when users performed an off-line installation from downloaded RPM packages docker/docker-ce-packaging#659open_in_new.

20.10.15

This release of Docker Engine comes with updated versions of the compose, buildx, containerd, and runc components, as well as some minor bug fixes.

Updates

• Update Docker Compose to v2.5.0open_in_new.
• Update Docker Buildx to v0.8.2open_in_new.
• Update Go runtime to 1.17.9open_in_new.
• Update containerd (containerd.io package) to v1.6.4open_in_new.
• Update runc version to v1.1.1open_in_new.

Bug fixes and enhancements

• Use a RWMutex for stateCounter to prevent potential locking congestion moby/moby#43426open_in_new.
• Prevent an issue where the daemon was unable to find an available IP-range in some conditions moby/moby#43360open_in_new
• Add packages for CentOS 9 stream and Fedora 36.

Known issues

• We've identified an issue with the macOS CLI binariesopen_in_new in the 20.10.15 release. This issue has been resolved in the 20.10.16 release.

20.10.14

This release of Docker Engine updates the default inheritable capabilities for containers to address CVE-2022-24769open_in_new, a new version of the containerd.io runtime is also included to address the same issue.

Updates

• Update the default inheritable capabilities.
• Update the default inheritable capabilities for containers used during build.
• Update containerd (containerd.io package) to v1.5.11open_in_new.
• Update docker buildx to v0.8.1open_in_new.

20.10.13

This release of Docker Engine contains some bug-fixes and packaging changes, updates to the docker scan and docker buildx commands, an updated version of the Go runtime, and new versions of the containerd.io runtime. Together with this release, we now also provide .deb and .rpm packages of Docker Compose V2, which can be installed using the (optional) docker-compose-plugin package.

New

• Provide .deb and .rpm packages for Docker Compose V2. Docker Compose v2.3.3open_in_new can now be installed on Linux using the docker-compose-plugin packages, which provides the docker compose subcommand on the Docker CLI. The Docker Compose plugin can also be installed and run standalone to be used as a drop-in replacement for docker-compose (Docker Compose V1) docker/docker-ce-packaging#638open_in_new. The compose-cli-plugin package can also be used on older version of the Docker CLI with support for CLI plugins (Docker CLI 18.09 and up).
• Provide packages for the upcoming Ubuntu 22.04 "Jammy Jellyfish" LTS release docker/docker-ce-packaging#645open_in_new, docker/containerd-packaging#271open_in_new.

Updates

• Updated the bundled version of buildx to v0.8.0open_in_new.
• Update docker buildx to v0.8.0open_in_new.
• Update docker scan (docker-scan-plugin) to v0.17.0open_in_new.
• Update containerd (containerd.io package) to v1.5.10open_in_new.
• Update the bundled runc version to v1.0.3open_in_new.
• Update Golang runtime to Go 1.16.15.
• Updates the fluentd log driver to prevent a potential daemon crash, and prevent containers from hanging when using the fluentd-async-connect=true and the remote server is unreachable moby/moby#43147open_in_new.

Bug fixes and enhancements

• Fix a race condition when updating the container's state moby/moby#43166open_in_new.
• Update the etcd dependency to prevent the daemon from incorrectly holding file locks moby/moby#43259open_in_new
• Fix detection of user-namespaces when configuring the default net.ipv4.ping_group_range sysctl moby/moby#43084open_in_new.
• Retry downloading image-manifests if a connection failure happens during image pull moby/moby#43333open_in_new.
• Various fixes in command-line reference and API documentation.
• Prevent an OOM when using the "local" logging driver with containers that produce a large amount of log messages moby/moby#43165open_in_new.

20.10.12

2021-12-13

This release of Docker Engine contains changes in packaging only, and provides updates to the docker scan and docker buildx commands. Versions of docker scan before v0.11.0 are not able to detect the Log4j 2 CVE-2021-44228open_in_new. We are shipping an updated version of docker scan in this release to help you scan your images for this vulnerability.

Note

The docker scan command on Linux is currently only supported on x86 platforms. We do not yet provide a package for other hardware architectures on Linux.

The docker scan feature is provided as a separate package and, depending on your upgrade or installation method, 'docker scan' may not be updated automatically to the latest version. Use the instructions below to update docker scan to the latest version. You can also use these instructions to install, or upgrade the docker scan package without upgrading the Docker Engine:

On .deb based distros, such as Ubuntu and Debian:

$ apt-get update && apt-get install docker-scan-plugin

On rpm-based distros, such as CentOS or Fedora:

$ yum install docker-scan-plugin

After upgrading, verify you have the latest version of docker scan installed:

$ docker scan --accept-license --version
Version:    v0.12.0
Git commit: 1074dd0
Provider:   Snyk (1.790.0 (standalone))

Read our blog post on CVE-2021-44228open_in_new to learn how to use the docker scan command to check if images are vulnerable.

Packaging

• Update docker scan to v0.12.0open_in_new.
• Update docker buildx to v0.7.1open_in_new.
• Update Golang runtime to Go 1.16.12.

20.10.11

2021-11-17

IMPORTANT

Due to net/http changesopen_in_new in Go 1.16open_in_new, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Distribution

• Handle ambiguous OCI manifest parsing to mitigate CVE-2021-41190open_in_new / GHSA-mc8v-mgrf-8f4mopen_in_new. See GHSA-xmmx-7jpf-fx42open_in_new for details.

Windows

• Fix panic.log file having read-only attribute set moby/moby#42987open_in_new.

Packaging

• Update containerd to v1.4.12open_in_new to mitigate CVE-2021-41190open_in_new.
• Update Golang runtime to Go 1.16.10.

20.10.10

2021-10-25

IMPORTANT

Due to net/http changesopen_in_new in Go 1.16open_in_new, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Builder

• Fix platform-matching logic to fix docker build using not finding images in the local image cache on Arm machines when using BuildKit moby/moby#42954open_in_new

Runtime

• Add support for clone3 syscall in the default seccomp policy to support running containers based on recent versions of Fedora and Ubuntu. moby/moby/#42836open_in_new.
• Windows: update hcsshim library to fix a bug in sparse file handling in container layers, which was exposed by recent changes in Windows moby/moby#42944open_in_new.
• Fix some situations where docker stop could hang forever moby/moby#42956open_in_new.

Swarm

• Fix an issue where updating a service did not roll back on failure moby/moby#42875open_in_new.

Packaging

• Add packages for Ubuntu 21.10 "Impish Indri" and Fedora 35.
• Update docker scan to v0.9.0
• Update Golang runtime to Go 1.16.9.

20.10.9

2021-10-04

This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package.

IMPORTANT

Due to net/http changesopen_in_new in Go 1.16open_in_new, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Client

• CVE-2021-41092open_in_new Ensure default auth config has address field set, to prevent credentials being sent to the default registry.

Runtime

• CVE-2021-41089open_in_new Create parent directories inside a chroot during docker cp to prevent a specially crafted container from changing permissions of existing files in the host’s filesystem.
• CVE-2021-41091open_in_new Lock down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker.

Packaging

Known issue

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824open_in_new.

• Update Golang runtime to Go 1.16.8, which contains fixes for CVE-2021-36221open_in_new and CVE-2021-39293open_in_new
• Update static binaries and containerd.io rpm and deb packages to containerd v1.4.11 and runc v1.0.2 to address CVE-2021-41103open_in_new.
• Update the bundled buildx version to v0.6.3 for rpm and deb packages.

20.10.8

2021-08-03

IMPORTANT

Due to net/http changesopen_in_new in Go 1.16open_in_new, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Deprecation

• Deprecate support for encrypted TLS private keys. Legacy PEM encryption as specified in RFC 1423 is insecure by design. Because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. Support for encrypted TLS private keys is now marked as deprecated, and will be removed in an upcoming release. docker/cli#3219open_in_new
• Deprecate Kubernetes stack support. Following the deprecation of Compose on Kubernetesopen_in_new, support for Kubernetes in the stack and context commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release docker/cli#3174open_in_new.

Client

• Fix Invalid standard handle identifier errors on Windows docker/cli#3132open_in_new.

Rootless

• Avoid can't open lock file /run/xtables.lock: Permission denied error on SELinux hosts moby/moby#42462open_in_new.
• Disable overlay2 when running with SELinux to prevent permission denied errors moby/moby#42462open_in_new.
• Fix x509: certificate signed by unknown authority error on openSUSE Tumbleweed moby/moby#42462open_in_new.

Runtime

• Print a warning when using the --platform option to pull a single-arch image that does not match the specified architecture moby/moby#42633open_in_new.
• Fix incorrect Your kernel does not support swap memory limit warning when running with cgroups v2 moby/moby#42479open_in_new.
• Windows: Fix a situation where containers were not stopped if HcsShutdownComputeSystem returned an ERROR_PROC_NOT_FOUND error moby/moby#42613open_in_new

Swarm

• Fix a possibility where overlapping IP addresses could exist as a result of the node failing to clean up its old loadbalancer IPs moby/moby#42538open_in_new
• Fix a deadlock in log broker ("dispatcher is stopped") moby/moby#42537open_in_new

Packaging

Known issue

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824open_in_new.

• Remove packaging for Ubuntu 16.04 "Xenial" and Fedora 32, as they reached EOL docker/docker-ce-packaging#560open_in_new
• Update Golang runtime to Go 1.16.6
• Update the bundled buildx version to v0.6.1 for rpm and deb packages docker/docker-ce-packaging#562open_in_new
• Update static binaries and containerd.io rpm and deb packages to containerd v1.4.9 and runc v1.0.1: docker/containerd-packaging#241open_in_new, docker/containerd-packaging#245open_in_new, docker/containerd-packaging#247open_in_new.

20.10.7

2021-06-02

Client

• Suppress warnings for deprecated cgroups docker/cli#3099open_in_new.
• Prevent sending SIGURG signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses SIGURG signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore SIGURG signals docker/cli#3107open_in_new, moby/moby#42421open_in_new.

Builder

• Update BuildKit to version v0.8.3-3-g244e8cde moby/moby#42448open_in_new:
  • Transform relative mountpoints for exec mounts in the executor to work around a breaking change in runc v1.0.0-rc94 and up. moby/buildkit#2137open_in_new.
  • Add retry on image push 5xx errors. moby/buildkit#2043open_in_new.
  • Fix build-cache not being invalidated when renaming a file that is copied using a COPY command with a wildcard. Note that this change invalidates existing build caches for copy commands that use a wildcard. moby/buildkit#2018open_in_new.
  • Fix build-cache not being invalidated when using mounts moby/buildkit#2076open_in_new.
• Fix build failures when FROM image is not cached when using legacy schema 1 images moby/moby#42382open_in_new.

Logging

• Update the hcsshim SDK to make daemon logs on Windows less verbose moby/moby#42292open_in_new.

Rootless

• Fix capabilities not being honored when an image was built on a daemon with user-namespaces enabled moby/moby#42352open_in_new.

Networking

• Update libnetwork to fix publishing ports on environments with kernel boot parameter ipv6.disable=1, and to fix a deadlock causing internal DNS lookups to fail moby/moby#42413open_in_new.

Contrib

• Update rootlesskit to v0.14.2 to fix a timeout when starting the userland proxy with the slirp4netns port driver moby/moby#42294open_in_new.
• Fix "Device or resource busy" errors when running docker-in-docker on a rootless daemon moby/moby#42342open_in_new.

Packaging

• Update containerd to v1.4.6, runc v1.0.0-rc95 to address CVE-2021-30465open_in_new moby/moby#42398open_in_new, moby/moby#42395open_in_new, docker/containerd-packaging#234open_in_new
• Update containerd to v1.4.5, runc v1.0.0-rc94 moby/moby#42372open_in_new, moby/moby#42388open_in_new, docker/containerd-packaging#232open_in_new.
• Update Docker Scan plugin packages (docker-scan-plugin) to v0.8 docker/docker-ce-packaging#545open_in_new.

20.10.6

2021-04-12

Client

• Apple Silicon (darwin/arm64) support for Docker CLI docker/cli#3042open_in_new
• config: print deprecation warning when falling back to pre-v1.7.0 config file ~/.dockercfg. Support for this file will be removed in a future release docker/cli#3000open_in_new

Builder

• Fix classic builder silently ignoring unsupported Dockerfile options and prompt to enable BuildKit instead moby/moby#42197open_in_new

Logging

• json-file: fix sporadic unexpected EOF errors moby/moby#42174open_in_new

Networking

• Fix a regression in docker 20.10, causing IPv6 addresses no longer to be bound by default when mapping ports moby/moby#42205open_in_new
• Fix implicit IPv6 port-mappings not included in API response. Before docker 20.10, published ports were accessible through both IPv4 and IPv6 by default, but the API only included information about the IPv4 (0.0.0.0) mapping moby/moby#42205open_in_new
• Fix a regression in docker 20.10, causing the docker-proxy to not be terminated in all cases moby/moby#42205open_in_new
• Fix iptables forwarding rules not being cleaned up upon container removal moby/moby#42205open_in_new

Packaging

• Update containerd to v1.4.4open_in_new for static binaries. The containerd.io package on apt/yum repos already had this update out of band. Includes a fix for CVE-2021-21334open_in_new. moby/moby#42124open_in_new
• Packages for Debian/Raspbian 11 Bullseye, Ubuntu 21.04 Hirsute Hippo and Fedora 34 docker/docker-ce-packaging#521open_in_new docker/docker-ce-packaging#522open_in_new docker/docker-ce-packaging#533open_in_new
• Provide the Docker Scan CLIopen_in_new plugin on Linux amd64 via a docker-scan-plugin package as a recommended dependency for the docker-ce-cli package docker/docker-ce-packaging#537open_in_new
• Include VPNKit binary for arm64 moby/moby#42141open_in_new

Plugins

• Fix docker plugin create making plugins that were incompatible with older versions of Docker moby/moby#42256open_in_new

Rootless

• Update RootlessKit to v0.14.1open_in_new (see also v0.14.0open_in_new v0.13.2open_in_new) moby/moby#42186open_in_new moby/moby#42232open_in_new
• dockerd-rootless-setuptool.sh: create CLI context "rootless" moby/moby#42109open_in_new
• dockerd-rootless.sh: prohibit running as root moby/moby#42072open_in_new
• Fix "operation not permitted" when bind mounting existing mounts moby/moby#42233open_in_new
• overlay2: fix "createDirWithOverlayOpaque(...) ... input/output error" moby/moby#42235open_in_new
• overlay2: support "userxattr" option (kernel 5.11) moby/moby#42168open_in_new
• btrfs: allow unprivileged user to delete subvolumes (kernel >= 4.18) moby/moby#42253open_in_new
• cgroup2: Move cgroup v2 out of experimental moby/moby#42263open_in_new

20.10.5

2021-03-02

Client

• Revert docker/cli#2960open_in_new to fix hanging in docker start --attach and remove spurious Unsupported signal: <nil>. Discarding messages. docker/cli#2987open_in_new.

20.10.4

2021-02-26

Builder

• Fix incorrect cache match for inline cache import with empty layers moby/moby#42061open_in_new
• Update BuildKit to v0.8.2 moby/moby#42061open_in_new
  • resolver: avoid error caching on token fetch
  • fileop: fix checksum to contain indexes of inputs preventing certain cache misses
  • Fix reference count issues on typed errors with mount references (fixing invalid mutable ref errors)
  • git: set token only for main remote access allowing cloning submodules with different credentials
• Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#42065open_in_new
• Fix parallel pull synchronization regression moby/moby#42049open_in_new
• Ensure libnetwork state files do not leak moby/moby#41972open_in_new

Client

• Fix a panic on docker login if no config file is present docker/cli#2959open_in_new
• Fix WARNING: Error loading config file: .dockercfg: $HOME is not defined docker/cli#2958open_in_new

Runtime

• docker info: silence unhandleable warnings moby/moby#41958open_in_new
• Avoid creating parent directories for XGlobalHeader moby/moby#42017open_in_new
• Use 0755 permissions when creating missing directories moby/moby#42017open_in_new
• Fallback to manifest list when no platform matches in image config moby/moby#42045open_in_new moby/moby#41873open_in_new
• Fix a daemon panic on setups with a custom default runtime configured moby/moby#41974open_in_new
• Fix a panic when daemon configuration is empty moby/moby#41976open_in_new
• Fix daemon panic when starting container with invalid device cgroup rule moby/moby#42001open_in_new
• Fix userns-remap option when username & UID match moby/moby#42013open_in_new
• static: update runc binary to v1.0.0-rc93 moby/moby#42014open_in_new

Logger

• Honor labels-regex config even if labels is not set moby/moby#42046open_in_new
• Handle long log messages correctly preventing awslogs in non-blocking mode to split events bigger than 16kB mobymoby#41975open_in_new

Rootless

• Prevent the service hanging when stopping by setting systemd KillMode to mixed moby/moby#41956open_in_new
• dockerd-rootless.sh: add typo guard moby/moby#42070open_in_new
• Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses moby/moby#42025open_in_new
• allow mknodding FIFO inside userns moby/moby#41957open_in_new

Security

• profiles: seccomp: update to Linux 5.11 syscall list moby/moby#41971open_in_new

Swarm

• Fix issue with heartbeat not persisting upon restart moby/moby#42060open_in_new
• Fix potential stalled tasks moby/moby#42060open_in_new
• Fix --update-order and --rollback-order flags when only --update-order or --rollback-order is provided docker/cli#2963open_in_new
• Fix docker service rollback returning a non-zero exit code in some situations docker/cli#2964open_in_new
• Fix inconsistent progress-bar direction on docker service rollback docker/cli#2964open_in_new

20.10.3

2021-02-01

Security

• CVE-2021-21285open_in_new Prevent an invalid image from crashing docker daemon
• CVE-2021-21284open_in_new Lock down file permissions to prevent remapped root from accessing docker state
• Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Client

• Check contexts before importing them to reduce risk of extracted files escaping context store
• Windows: prevent executing certain binaries from current directory docker/cli#2950open_in_new

20.10.2

2021-01-04

Runtime

• Fix a daemon start up hang when restoring containers with restart policies but that keep failing to start moby/moby#41729open_in_new
• overlay2: fix an off-by-one error preventing to build or run containers when data-root is 24-bytes long moby/moby#41830open_in_new
• systemd: send sd_notify STOPPING=1 when shutting down moby/moby#41832open_in_new

Networking

• Fix IPv6 port forwarding moby/moby#41805open_in_new moby/libnetwork#2604open_in_new

Swarm

• Fix filtering for replicated-job and global-job service modes moby/moby#41806open_in_new

Packaging

• buildx updated to v0.5.1open_in_new docker/docker-ce-packaging#516open_in_new

20.10.1

2020-12-14

Builder

• buildkit: updated to v0.8.1open_in_new with various bugfixes moby/moby#41793open_in_new

Packaging

• Revert a change in the systemd unit that could prevent docker from starting due to a startup order conflict docker/docker-ce-packaging#514open_in_new
• buildx updated to v0.5.0open_in_new docker/docker-ce-packaging#515open_in_new

20.10.0

2020-12-08

Deprecation / Removal

For an overview of all deprecated features, refer to the Deprecated Engine Features page.

• Warnings and deprecation notice when docker pull-ing from non-compliant registries not supporting pull-by-digest docker/cli#2872open_in_new
• Sterner warnings and deprecation notice for unauthenticated tcp access moby/moby#41285open_in_new
• Deprecate KernelMemory (docker run --kernel-memory) moby/moby#41254open_in_new docker/cli#2652open_in_new
• Deprecate aufs storage driver docker/cli#1484open_in_new
• Deprecate host-discovery and overlay networks with external k/v stores moby/moby#40614open_in_new moby/moby#40510open_in_new
• Deprecate Dockerfile legacy 'ENV name value' syntax, use ENV name=value instead docker/cli#2743open_in_new
• Remove deprecated "filter" parameter for API v1.41 and up moby/moby#40491open_in_new
• Disable distribution manifest v2 schema 1 on push moby/moby#41295open_in_new
• Remove hack MalformedHostHeaderOverride breaking old docker clients (<= 1.12) in which case, set DOCKER_API_VERSION moby/moby#39076open_in_new
• Remove "docker engine" subcommands docker/cli#2207open_in_new
• Remove experimental "deploy" from "dab" files docker/cli#2216open_in_new
• Remove deprecated docker search --automated and --stars flags docker/cli#2338open_in_new
• No longer allow reserved namespaces in engine labels docker/cli#2326open_in_new

API

• Update API version to v1.41
• Do not require "experimental" for metrics API moby/moby#40427open_in_new
• GET /events now returns prune events after pruning resources have completed moby/moby#41259open_in_new
  • Prune events are returned for container, network, volume, image, and builder, and have a reclaimed attribute, indicating the amount of space reclaimed (in bytes)
• Add one-shot stats option to not prime the stats moby/moby#40478open_in_new
• Adding OS version info to the system info's API (/info) moby/moby#38349open_in_new
• Add DefaultAddressPools to docker info moby/moby#40714open_in_new
• Add API support for PidsLimit on services moby/moby#39882open_in_new

Builder

• buildkit,dockerfile: Support for RUN --mount options without needing to specify experimental dockerfile #syntax directive. moby/buildkit#1717open_in_new
• dockerfile: ARG command now supports defining multiple build args on the same line similarly to ENV moby/buildkit#1692open_in_new
• dockerfile: --chown flag in ADD now allows parameter expansion moby/buildkit#1473open_in_new
• buildkit: Fetching authorization tokens has been moved to client-side (if the client supports it). Passwords do not leak into the build daemon anymore and users can see from build output when credentials or tokens are accessed. moby/buildkit#1660open_in_new
• buildkit: Connection errors while communicating with the registry for push and pull now trigger a retry moby/buildkit#1791open_in_new
• buildkit: Git source now supports token authentication via build secrets moby/moby#41234open_in_new docker/cli#2656open_in_new moby/buildkit#1533open_in_new
• buildkit: Building from git source now supports forwarding SSH socket for authentication moby/buildkit#1782open_in_new
• buildkit: Avoid builds that generate excessive logs to cause a crash or slow down the build. Clipping is performed if needed. moby/buildkit#1754open_in_new
• buildkit: Change default Seccomp profile to the one provided by Docker moby/buildkit#1807open_in_new
• buildkit: Support for exposing SSH agent socket on Windows has been improved moby/buildkit#1695open_in_new
• buildkit: Disable truncating by default when using --progress=plain moby/buildkit#1435open_in_new
• buildkit: Allow better handling client sessions dropping while it is being shared by multiple builds moby/buildkit#1551open_in_new
• buildkit: secrets: allow providing secrets with env moby/moby#41234open_in_new docker/cli#2656open_in_new moby/buildkit#1534open_in_new
  • Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file.
  • --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.
• buildkit: Support for mirrors fallbacks, insecure TLS and custom TLS config moby/moby#40814open_in_new
• buildkit: remotecache: Only visit each item once when walking results moby/moby#41234open_in_new moby/buildkit#1577open_in_new
  • Improves performance and CPU use on bigger graphs
• buildkit: Check remote when local image platform doesn't match moby/moby#40629open_in_new
• buildkit: image export: Use correct media type when creating new layer blobs moby/moby#41234open_in_new moby/buildkit#1541open_in_new
• buildkit: progressui: fix logs time formatting moby/moby#41234open_in_new docker/cli#2656open_in_new moby/buildkit#1549open_in_new
• buildkit: mitigate containerd issue on parallel push moby/moby#41234open_in_new moby/buildkit#1548open_in_new
• buildkit: inline cache: fix handling of duplicate blobs moby/moby#41234open_in_new moby/buildkit#1568open_in_new
  • Fixes https://github.com/moby/buildkit/issues/1388open_in_new cache-from working unreliably
  • Fixes https://github.com/moby/moby/issues/41219open_in_new Image built from cached layers is missing data
• Allow ssh:// for remote context URLs moby/moby#40179open_in_new
• builder: remove legacy build's session handling (was experimental) moby/moby#39983open_in_new

Client

• Add swarm jobs support to CLI docker/cli#2262open_in_new
• Add -a/--all-tags to docker push docker/cli#2220open_in_new
• Add support for Kubernetes username/password auth docker/cli#2308open_in_new
• Add --pull=missing|always|never to run and create commands docker/cli#1498open_in_new
• Add --env-file flag to docker exec for parsing environment variables from a file docker/cli#2602open_in_new
• Add shorthand -n for --tail option docker/cli#2646open_in_new
• Add log-driver and options to service inspect "pretty" format docker/cli#1950open_in_new
• docker run: specify cgroup namespace mode with --cgroupns docker/cli#2024open_in_new
• docker manifest rm command to remove manifest list draft from local storage docker/cli#2449open_in_new
• Add "context" to "docker version" and "docker info" docker/cli#2500open_in_new
• Propagate platform flag to container create API docker/cli#2551open_in_new
• The docker ps --format flag now has a .State placeholder to print the container's state without additional details about uptime and health check docker/cli#2000open_in_new
• Add support for docker-compose schema v3.9 docker/cli#2073open_in_new
• Add support for docker push --quiet docker/cli#2197open_in_new
• Hide flags that are not supported by BuildKit, if BuildKit is enabled docker/cli#2123open_in_new
• Update flag description for docker rm -v to clarify the option only removes anonymous (unnamed) volumes docker/cli#2289open_in_new
• Improve tasks printing for docker services docker/cli#2341open_in_new
• docker info: list CLI plugins alphabetically docker/cli#2236open_in_new
• Fix order of processing of --label-add/--label-rm, --container-label-add/--container-label-rm, and --env-add/--env-rm flags on docker service update to allow replacing existing values docker/cli#2668open_in_new
• Fix docker rm --force returning a non-zero exit code if one or more containers did not exist docker/cli#2678open_in_new
• Improve memory stats display by using total_inactive_file instead of cache docker/cli#2415open_in_new
• Mitigate against YAML files that has excessive aliasing docker/cli#2117open_in_new
• Allow using advanced syntax when setting a config or secret with only the source field docker/cli#2243open_in_new
• Fix reading config files containing username and password auth even if auth is empty docker/cli#2122open_in_new
• docker cp: prevent NPE when failing to stat destination docker/cli#2221open_in_new
• config: preserve ownership and permissions on configfile docker/cli#2228open_in_new

Logging

• Support reading docker logs with all logging drivers (best effort) moby/moby#40543open_in_new
• Add splunk-index-acknowledgment log option to work with Splunk HECs with index acknowledgment enabled moby/moby#39987open_in_new
• Add partial metadata to journald logs moby/moby#41407open_in_new
• Reduce allocations for logfile reader moby/moby#40796open_in_new
• Fluentd: add fluentd-async, fluentd-request-ack, and deprecate fluentd-async-connect moby/moby#39086open_in_new

Runtime

• Support cgroup2 moby/moby#40174open_in_new moby/moby#40657open_in_new moby/moby#40662open_in_new
• cgroup2: use "systemd" cgroup driver by default when available moby/moby#40846open_in_new
• new storage driver: fuse-overlayfs moby/moby#40483open_in_new
• Update containerd binary to v1.4.3 moby/moby#41732open_in_new
• docker push now defaults to latest tag instead of all tags moby/moby#40302open_in_new
• Added ability to change the number of reconnect attempts during connection loss while pulling an image by adding max-download-attempts to the config file moby/moby#39949open_in_new
• Add support for containerd v2 shim by using the now default io.containerd.runc.v2 runtime moby/moby#41182open_in_new
• cgroup v1: change the default runtime to io.containerd.runc.v2. Requires containerd v1.3.0 or later. v1.3.5 or later is recommended moby/moby#41210open_in_new
• Start containers in their own cgroup namespaces moby/moby#38377open_in_new
• Enable DNS Lookups for CIFS Volumes moby/moby#39250open_in_new
• Use MemAvailable instead of MemFree to estimate actual available memory moby/moby#39481open_in_new
• The --device flag in docker run will now be honored when the container is started in privileged mode moby/moby#40291open_in_new
• Enforce reserved internal labels moby/moby#40394open_in_new
• Raise minimum memory limit to 6M, to account for higher memory use by runtimes during container startup moby/moby#41168open_in_new
• vendor runc v1.0.0-rc92 moby/moby#41344open_in_new moby/moby#41317open_in_new
• info: add warnings about missing blkio cgroup support moby/moby#41083open_in_new
• Accept platform spec on container create moby/moby#40725open_in_new
• Fix handling of looking up user- and group-names with spaces moby/moby#41377open_in_new

Networking

• Support host.docker.internal in dockerd on Linux moby/moby#40007open_in_new
• Include IPv6 address of linked containers in /etc/hosts moby/moby#39837open_in_new
• --ip6tables enables IPv6 iptables rules (only if experimental) moby/moby#41622open_in_new
• Add alias for hostname if hostname != container name moby/moby#39204open_in_new
• Better selection of DNS server (with systemd) moby/moby#41022open_in_new
• Add docker interfaces to firewalld docker zone moby/moby#41189open_in_new moby/libnetwork#2548open_in_new
  • Fixes DNS issue on CentOS8 docker/for-linux#957open_in_new
  • Fixes Port Forwarding on RHEL 8 with Firewalld running with FirewallBackend=nftables moby/libnetwork#2496open_in_new
• Fix an issue reporting 'failed to get network during CreateEndpoint' moby/moby#41189open_in_new moby/libnetwork#2554open_in_new
• Log error instead of disabling IPv6 router advertisement failed moby/moby#41189open_in_new moby/libnetwork#2563open_in_new
• No longer ignore --default-address-pool option in certain cases moby/moby#40711open_in_new
• Produce an error with invalid address pool moby/moby#40808open_in_new moby/libnetwork#2538open_in_new
• Fix DOCKER-USER chain not created when IPTableEnable=false moby/moby#40808open_in_new moby/libnetwork#2471open_in_new
• Fix panic on startup in systemd environments moby/moby#40808open_in_new moby/libnetwork#2544open_in_new
• Fix issue preventing containers to communicate over macvlan internal network moby/moby#40596open_in_new moby/libnetwork#2407open_in_new
• Fix InhibitIPv4 nil panic moby/moby#40596open_in_new
• Fix VFP leak in Windows overlay network deletion moby/moby#40596open_in_new moby/libnetwork#2524open_in_new

Packaging

• docker.service: Add multi-user.target to After= in unit file moby/moby#41297open_in_new
• docker.service: Allow socket activation moby/moby#37470open_in_new
• seccomp: Remove dependency in dockerd on libseccomp moby/moby#41395open_in_new

Rootless

• rootless: graduate from experimental moby/moby#40759open_in_new
• Add dockerd-rootless-setuptool.sh moby/moby#40950open_in_new
• Support --exec-opt native.cgroupdriver=systemd moby/moby#40486open_in_new

Security

• Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612open_in_new
• seccomp: Whitelist clock_adjtime. CAP_SYS_TIME is still required for time adjustment moby/moby#40929open_in_new
• seccomp: Add openat2 and faccessat2 to default seccomp profile moby/moby#41353open_in_new
• seccomp: allow 'rseq' syscall in default seccomp profile moby/moby#41158open_in_new
• seccomp: allow syscall membarrier moby/moby#40731open_in_new
• seccomp: whitelist io-uring related system calls moby/moby#39415open_in_new
• Add default sysctls to allow ping sockets and privileged ports with no capabilities moby/moby#41030open_in_new
• Fix seccomp profile for clone syscall moby/moby#39308open_in_new

Swarm

• Add support for swarm jobs moby/moby#40307open_in_new
• Add capabilities support to stack/service commands docker/cli#2687open_in_new docker/cli#2709open_in_new moby/moby#39173open_in_new moby/moby#41249open_in_new
• Add support for sending down service Running and Desired task counts moby/moby#39231open_in_new
• service: support --mount type=bind,bind-nonrecursive moby/moby#38788open_in_new
• Support ulimits on Swarm services. moby/moby#41284open_in_new docker/cli#2712open_in_new
• Fixed an issue where service logs could leak goroutines on the worker moby/moby#40426open_in_new