Docker Engine 24.0 release notes

This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 24.0.

For more information about:

• Deprecated and removed features, see Deprecated Engine Features.
• Changes to the Engine API, see Engine API version history.

24.0.7

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.7 milestoneopen_in_new
• moby/moby, 24.0.7 milestoneopen_in_new

Bug fixes and enhancements

• Write overlay2 layer metadata atomically. moby/moby#46703open_in_new
• Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. moby/moby#46626open_in_new
• Fix dockerd-rootless-setuptools.sh when username contains a backslash. moby/moby#46407open_in_new
• Fix a bug that would prevent network sandboxes to be fully deleted when stopping containers with no network attachments and when dockerd --bridge=none is used. moby/moby#46702open_in_new
• Fix a bug where cancelling an API request could interrupt container restart. moby/moby#46697open_in_new
• Fix an issue where containers would fail to start when providing --ip-range with a range larger than the subnet. docker/for-mac#6870open_in_new
• Fix data corruption with zstd output. moby/moby#46709open_in_new
• Fix the conditions under which the container's MAC address is applied. moby/moby#46478open_in_new
• Improve the performance of the stats collector. moby/moby#46448open_in_new
• Fix an issue with source policy rules ending up in the wrong order. moby/moby#46441open_in_new

Packaging updates

• Add support for Fedora 39 and Ubuntu 23.10. docker/docker-ce-packaging#940open_in_new, docker/docker-ce-packaging#955open_in_new
• Fix docker.socket not getting disabled when uninstalling the docker-ce RPM package. docker/docker-ce-packaging#852open_in_new
• Upgrade Go to go1.20.10. docker/docker-ce-packaging#951open_in_new
• Upgrade containerd to v1.7.6 (static binaries only). moby/moby#46103open_in_new
• Upgrade the containerd.io package to v1.6.24open_in_new.

Security

• Deny containers access to /sys/devices/virtual/powercap by default. This change hardens against CVE-2020-8694open_in_new, CVE-2020-8695open_in_new, and CVE-2020-12912open_in_new, and an attack known as the PLATYPUS attackopen_in_new.

  For more details, see advisoryopen_in_new, commitopen_in_new.

24.0.6

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.6 milestoneopen_in_new
• moby/moby, 24.0.6 milestoneopen_in_new

Bug fixes and enhancements

• containerd storage backend: Fix docker ps failing when a container image is no longer present in the content store. moby/moby#46095open_in_new
• containerd storage backend: Fix docker ps -s -a and docker container prune failing when a container image config is no longer present in the content store. moby/moby#46097open_in_new
• containerd storage backend: Fix docker inspect failing when a container image config is no longer (or was never) present in the content store. moby/moby#46244open_in_new
• containerd storage backend: Fix diff and export with the overlayfs snapshotter by using reference-counted rootfs mounts. moby/moby#46266open_in_new
• containerd storage backend: Fix a misleading error message when the image platforms available locally do not match the desired platform. moby/moby#46300open_in_new
• containerd storage backend: Fix the FROM scratch Dockerfile instruction with the classic builder. moby/moby#46302open_in_new
• containerd storage backend: Fix mismatched image rootfs and manifest layers errors with the classic builder. moby/moby#46310open_in_new
• Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries. moby/moby#46290open_in_new
• Fix live-restore of volumes with custom volume options. moby/moby#46366open_in_new
• Fix incorrectly dropping capabilities bits when running a container as a non-root user (note: this change was already effectively present due to a regression). moby/moby#46221open_in_new
• Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers. moby/moby#46214open_in_new
• Fix dockerd.exe --register-service not working when the binary is in the current directory on Windows. moby/moby#46215open_in_new
• Add a hint suggesting the use of a PAT to docker login against Docker Hub. docker/cli#4500open_in_new
• Improve shell startup time for users of Bash completion for the CLI. docker/cli#4517open_in_new
• Improve the speed of some commands by skipping GET /_ping when possible. docker/cli#4508open_in_new
• Fix credential scopes when using a PAT to docker manifest inspect an image on Docker Hub. docker/cli#4512open_in_new
• Fix docker events not supporting --format=json. docker/cli#4544open_in_new

Packaging updates

• Upgrade Go to go1.20.7. moby/moby#46140open_in_new, docker/cli#4476open_in_new, docker/docker-ce-packaging#932open_in_new
• Upgrade containerd to v1.7.3 (static binaries only). moby/moby#46103open_in_new
• Upgrade Compose to v2.21.0. docker/docker-ce-packaging#936open_in_new

24.0.5

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.5 milestoneopen_in_new
• moby/moby, 24.0.5 milestoneopen_in_new

Bug fixes and enhancements

• The Go client now avoids using UNIX socket paths in the HTTP Host: header, in order to be compatible with changes introduced in go1.20.6. moby/moby#45962open_in_new, moby/moby#45990open_in_new
• containerd storage backend: Fix Variant not being included in docker image inspect and GET /images/{name}/json. moby/moby#46025open_in_new
• containerd storage backend: Prevent potential garbage collection of content during image export. moby/moby#46021open_in_new
• containerd storage backend: Prevent duplicate digest entries in RepoDigests. moby/moby#46014open_in_new
• containerd storage backend: Fix operations taking place against the incorrect tag when working with an image referenced by tag and digest. moby/moby#46013open_in_new
• containerd storage backend: Fix a panic caused by EXPOSE when building containers with the legacy builder. moby/moby#45921open_in_new
• Fix a regression causing unintuitive errors to be returned when attempting to create an overlay network on a non-Swarm node. moby/moby#45974open_in_new
• Properly report errors parsing volume specifications from the command line. docker/cli#4423open_in_new
• Fix a panic caused when auths: null is found in the CLI config file. docker/cli#4450open_in_new

Packaging updates

• Use init scripts as provided by in moby/moby contrib/init. docker/docker-ce-packaging#914open_in_new, docker/docker-ce-packaging#926open_in_new
• Drop Upstart from contrib/init. moby/moby#46044open_in_new
• Upgrade Go to go1.20.6. docker/cli#4428open_in_new, moby/moby#45970open_in_new, docker/docker-ce-packaging#921open_in_new
• Upgrade Compose to v2.20.2. docker/docker-ce-packaging#924open_in_new
• Upgrade buildx to v0.11.2. docker/docker-ce-packaging#922open_in_new

24.0.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.4 milestoneopen_in_new
• moby/moby, 24.0.4 milestoneopen_in_new

Bug fixes and enhancements

• Fix a regression introduced during 24.0.3 that causes a panic during live-restore of containers with bind mounts. moby/moby#45903open_in_new

24.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.3 milestoneopen_in_new
• moby/moby, 24.0.3 milestoneopen_in_new

Bug fixes and enhancements

• containerd image store: Fix an issue where multi-platform images that did not include a manifest for the default platform could not be interacted with. moby/moby#45849open_in_new
• containerd image store: Fix specious attempts to cache FROM scratch in container builds. moby/moby#45822open_in_new
• containerd image store: Fix docker cp with snapshotters that cannot mount the same content multiple times. moby/moby#45780open_in_new, moby/moby#45786open_in_new
• containerd image store: Fix builds with type=image not being correctly unpacked/stored. moby/moby#45692open_in_new
• containerd image store: Fix incorrectly attempting to unpack pseudo-images (including attestations) in docker load. moby/moby#45688open_in_new
• containerd image store: Correctly set the user agent, and include additional information like the snapshotter when interacting with registries. moby/moby#45671open_in_new, moby/moby#45684open_in_new
• containerd image store: Fix a failure to unpack already-pulled content after switching between snapshotters. moby/moby#45678open_in_new
• containerd image store: Fix images that have been re-tagged or with all tags removed being pruned while still in use. moby/moby#45857open_in_new
• Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo. moby/moby#45810open_in_new
• Fix failures to add new Swarm managers caused by a very large raft log. moby/moby#45703open_in_new, moby/swarmkit#3122open_in_new, moby/swarmkit#3128open_in_new
• name_to_handle_at(2) is now always allowed in the default seccomp profile. moby/moby#45833open_in_new
• Fix an issue that prevented encrypted Swarm overlay networks from working on ports other than the default (4789). moby/moby#45637open_in_new
• Fix a failure to restore mount reference-counts during live-restore. moby/moby#45824open_in_new
• Fix various networking-related failures during live-restore. moby/moby#45658open_in_new, moby/moby#45659open_in_new
• Fix running containers restoring with a zero (successful) exit status when the daemon is unexpectedly terminated. moby/moby#45801open_in_new
• Fix a potential panic while executing healthcheck probes. moby/moby#45798open_in_new
• Fix a panic caused by a race condition in container exec start. moby/moby#45794open_in_new
• Fix an exception caused by attaching a terminal to an exec with a non-existent command. moby/moby#45643open_in_new
• Fix host-gateway with BuildKit by passing the IP as a label (also requires docker/buildx#1894open_in_new). moby/moby#45790open_in_new
• Fix an issue where POST /containers/{id}/stop would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a 'graceful' stop. moby/moby#45774open_in_new
• Fix an issue where docker cp -a from the root (/) directory would fail. moby/moby#45748open_in_new
• Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config. moby/moby#45746open_in_new
• Fix an issue caused by overlapping subuid/subgid ranges in certain configurations (e.g. LDAP) in rootless mode. moby/moby#45747open_in_new, rootless-containers/rootlesskit#369open_in_new
• Greatly reduce CPU and memory usage while populating the Debug section of GET /info. moby/moby#45856open_in_new
• Fix an issue where debug information was not correctly printed during docker info when only the client is in debug mode. docker/cli#4393open_in_new
• Fix issues related to hung connections when connecting to hosts over a SSH connection. docker/cli#4395open_in_new

Packaging updates

• Upgrade Go to go1.20.5. moby/moby#45745open_in_new, docker/cli#4351open_in_new, docker/docker-ce-packaging#904open_in_new
• Upgrade Compose to v2.19.1. docker/docker-ce-packaging#916open_in_new
• Upgrade buildx to v0.11.1. docker/docker-ce-packaging#918open_in_new

24.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.2 milestoneopen_in_new
• moby/moby, 24.0.2 milestoneopen_in_new

Bug fixes and enhancements

• Fix a panic during build when referencing locally tagged images. moby/buildkit#3899open_in_new, moby/moby#45582open_in_new
• Fix builds potentially failing with exit code: 4294967295 when performing many concurrent build stages. moby/moby#45620open_in_new
• Fix DNS resolution on Windows ignoring etc/hosts (%WINDIR%\System32\Drivers\etc\hosts), including resolution of localhost. moby/moby#45562open_in_new
• Apply a workaround for a containerd bug that causes concurrent docker exec commands to take significantly longer than expected. moby/moby#45625open_in_new
• containerd image store: Fix an issue where the image Created field would contain an incorrect value. moby/moby#45623open_in_new
• containerd image store: Adjust the output of image pull progress so that the output has the same format regardless of whether the containerd image store is enabled. moby/moby#45602open_in_new
• containerd image store: Switching between the default and containerd image store now requires a daemon restart. moby/moby#45616open_in_new

Packaging updates

• Upgrade Buildx to v0.10.5. docker/docker-ce-packaging#900open_in_new

24.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.1 milestoneopen_in_new
• moby/moby, 24.0.1 milestoneopen_in_new

Removed

• Remove CLI completions for storage drivers removed in the 24.0 major release. docker/cli#4302open_in_new

Bug fixes and enhancements

• Fix an issue where DNS query NXDOMAIN replies from external servers were forwarded to the client as SERVFAIL. moby/moby#45573open_in_new
• Fix an issue where docker pull --platform would report No such image regarding another tag pointing to the same image. moby/moby#45562open_in_new
• Fix an issue where insecure registry configuration would be forgotten during config reload. moby/moby#45571open_in_new
• containerd image store: Fix an issue where images which have no layers would not be listed in docker images -a moby/moby#45588open_in_new
• API: Fix an issue where GET /images/{id}/json would return null instead of empty RepoTags and RepoDigests. moby/moby#45564open_in_new
• API: Fix an issue where POST /commit did not accept an empty request body. moby/moby#45568open_in_new

Packaging updates

• Upgrade Compose to v2.18.1. docker/docker-ce-packaging#896open_in_new

24.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 24.0.0 milestoneopen_in_new
• moby/moby, 24.0.0 milestoneopen_in_new

New

• Introduce experimental support for containerd as the content store (replacing the existing storage drivers). moby/moby#43735open_in_new, other moby/moby pull requestsopen_in_new
• The --host CLI flag now supports a path component in a ssh:// host address, allowing use of an alternate socket path without configuration on the remote host. docker/cli#4073open_in_new
• The docker info CLI command now reports a version and platform field. docker/cli#4180open_in_new
• Introduce the daemon flag --default-network-opt to configure options for newly created networks. moby/moby#43197open_in_new
• Restrict access to AF_VSOCK in the socket(2) family of syscalls in the default seccomp profile. moby/moby#44562open_in_new
• Introduce support for setting OCI runtime annotations on containers. docker/cli#45025open_in_new, moby/moby#45025open_in_new
• Alternative runtimes can now be configured in daemon.json, enabling runtime names to be aliased and options to be passed. moby/moby#45032open_in_new
• The docker-init binary will now be discovered in FHS-compliant libexec directories, in addition to the PATH. moby/moby#45198open_in_new
• API: Surface the daemon-level --no-new-privileges in GET /info. moby/moby#45320open_in_new

Removed

• docker info no longer reports IndexServiceAddress. docker/cli#4204open_in_new
• libnetwork: Remove fallback code for obsolete kernel versions. moby/moby#44684open_in_new, moby/moby#44802open_in_new
• libnetwork: Remove unused code related to classic Swarm. moby/moby#44965open_in_new
• libnetwork: Remove usage of the xt_u32 kernel module from encrypted Swarm overlay networks. moby/moby#45281open_in_new
• Remove support for BuildKit's deprecated buildinfo in favor of standard provenance attestations. moby/moby#45097open_in_new
• Remove the deprecated AUFS and legacy overlay storage drivers. moby/moby#45342open_in_new, moby/moby#45359open_in_new
• Remove the deprecated overlay2.override_kernel_check storage driver option. moby/moby#45368open_in_new
• Remove workarounds for obsolete versions of apparmor_parser from the AppArmor profiles. moby/moby#45500open_in_new
• API: GET /images/json no longer represents empty RepoTags and RepoDigests as<none>:<none>/<none>@<none>. Empty arrays are returned instead on API >= 1.43. moby/moby#45068open_in_new

Deprecated

• Deprecate the --oom-score-adjust daemon option. moby/moby#45315open_in_new
• API: Deprecate the VirtualSize field in GET /images/json and GET /images/{id}/json. moby/moby#45346open_in_new

Bug fixes and enhancements

• The docker stack command no longer validates the build section of Compose files. docker/cli#4214open_in_new
• Fix lingering healthcheck processes after the timeout is reached. moby/moby#43739open_in_new
• Reduce the overhead of container startup when using the overlay2 storage driver. moby/moby#44285open_in_new
• API: Handle multiple before= and since= filters in GET /images. moby/moby#44503open_in_new
• Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks. moby/moby#44664open_in_new
• Add execDuration field to the map of event attributes. moby/moby#45494open_in_new
• Swarm-level networks can now be created with the Windows internal, l2bridge, and nat drivers. moby/swarmkit#3121open_in_new, moby/moby#45291open_in_new

Packaging updates

• Update Go to 1.20.4. docker/cli#4253open_in_new, moby/moby#45456open_in_new, docker/docker-ce-packaging#888open_in_new
• Update containerd to v1.7.1open_in_new. moby/moby#45537open_in_new
• Update buildkit to v0.11.6open_in_new. moby/moby#45367open_in_new