Docker Engine 24.0 release notes
This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 24.0.
For more information about:
- Deprecated and removed features, see Deprecated Engine Features.
- Changes to the Engine API, see Engine API version history.
24.0.7
2023-10-27For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- Write overlay2 layer metadata atomically. moby/moby#46703open_in_new
- Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. moby/moby#46626open_in_new
- Fix
dockerd-rootless-setuptools.sh
when username contains a backslash. moby/moby#46407open_in_new - Fix a bug that would prevent network sandboxes to be fully deleted when stopping containers with no network attachments and when
dockerd --bridge=none
is used. moby/moby#46702open_in_new - Fix a bug where cancelling an API request could interrupt container restart. moby/moby#46697open_in_new
- Fix an issue where containers would fail to start when providing
--ip-range
with a range larger than the subnet. docker/for-mac#6870open_in_new - Fix data corruption with zstd output. moby/moby#46709open_in_new
- Fix the conditions under which the container's MAC address is applied. moby/moby#46478open_in_new
- Improve the performance of the stats collector. moby/moby#46448open_in_new
- Fix an issue with source policy rules ending up in the wrong order. moby/moby#46441open_in_new
Packaging updates
- Add support for Fedora 39 and Ubuntu 23.10. docker/docker-ce-packaging#940open_in_new, docker/docker-ce-packaging#955open_in_new
- Fix
docker.socket
not getting disabled when uninstalling thedocker-ce
RPM package. docker/docker-ce-packaging#852open_in_new - Upgrade Go to
go1.20.10
. docker/docker-ce-packaging#951open_in_new - Upgrade containerd to
v1.7.6
(static binaries only). moby/moby#46103open_in_new - Upgrade the
containerd.io
package tov1.6.24
open_in_new.
Security
Deny containers access to
/sys/devices/virtual/powercap
by default. This change hardens against CVE-2020-8694open_in_new, CVE-2020-8695open_in_new, and CVE-2020-12912open_in_new, and an attack known as the PLATYPUS attackopen_in_new.For more details, see advisoryopen_in_new, commitopen_in_new.
24.0.6
2023-09-05For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- containerd storage backend: Fix
docker ps
failing when a container image is no longer present in the content store. moby/moby#46095open_in_new - containerd storage backend: Fix
docker ps -s -a
anddocker container prune
failing when a container image config is no longer present in the content store. moby/moby#46097open_in_new - containerd storage backend: Fix
docker inspect
failing when a container image config is no longer (or was never) present in the content store. moby/moby#46244open_in_new - containerd storage backend: Fix diff and export with the
overlayfs
snapshotter by using reference-counted rootfs mounts. moby/moby#46266open_in_new - containerd storage backend: Fix a misleading error message when the image platforms available locally do not match the desired platform. moby/moby#46300open_in_new
- containerd storage backend: Fix the
FROM scratch
Dockerfile instruction with the classic builder. moby/moby#46302open_in_new - containerd storage backend: Fix
mismatched image rootfs and manifest layers
errors with the classic builder. moby/moby#46310open_in_new - Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries. moby/moby#46290open_in_new
- Fix live-restore of volumes with custom volume options. moby/moby#46366open_in_new
- Fix incorrectly dropping capabilities bits when running a container as a non-root user (note: this change was already effectively present due to a regression). moby/moby#46221open_in_new
- Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers. moby/moby#46214open_in_new
- Fix
dockerd.exe --register-service
not working when the binary is in the current directory on Windows. moby/moby#46215open_in_new - Add a hint suggesting the use of a PAT to
docker login
against Docker Hub. docker/cli#4500open_in_new - Improve shell startup time for users of Bash completion for the CLI. docker/cli#4517open_in_new
- Improve the speed of some commands by skipping
GET /_ping
when possible. docker/cli#4508open_in_new - Fix credential scopes when using a PAT to
docker manifest inspect
an image on Docker Hub. docker/cli#4512open_in_new - Fix
docker events
not supporting--format=json
. docker/cli#4544open_in_new
Packaging updates
- Upgrade Go to
go1.20.7
. moby/moby#46140open_in_new, docker/cli#4476open_in_new, docker/docker-ce-packaging#932open_in_new - Upgrade containerd to
v1.7.3
(static binaries only). moby/moby#46103open_in_new - Upgrade Compose to
v2.21.0
. docker/docker-ce-packaging#936open_in_new
24.0.5
2023-07-24For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- The Go client now avoids using UNIX socket paths in the HTTP
Host:
header, in order to be compatible with changes introduced ingo1.20.6
. moby/moby#45962open_in_new, moby/moby#45990open_in_new - containerd storage backend: Fix
Variant
not being included indocker image inspect
andGET /images/{name}/json
. moby/moby#46025open_in_new - containerd storage backend: Prevent potential garbage collection of content during image export. moby/moby#46021open_in_new
- containerd storage backend: Prevent duplicate digest entries in
RepoDigests
. moby/moby#46014open_in_new - containerd storage backend: Fix operations taking place against the incorrect tag when working with an image referenced by tag and digest. moby/moby#46013open_in_new
- containerd storage backend: Fix a panic caused by
EXPOSE
when building containers with the legacy builder. moby/moby#45921open_in_new - Fix a regression causing unintuitive errors to be returned when attempting to create an
overlay
network on a non-Swarm node. moby/moby#45974open_in_new - Properly report errors parsing volume specifications from the command line. docker/cli#4423open_in_new
- Fix a panic caused when
auths: null
is found in the CLI config file. docker/cli#4450open_in_new
Packaging updates
- Use init scripts as provided by in moby/moby
contrib/init
. docker/docker-ce-packaging#914open_in_new, docker/docker-ce-packaging#926open_in_new - Drop Upstart from
contrib/init
. moby/moby#46044open_in_new - Upgrade Go to
go1.20.6
. docker/cli#4428open_in_new, moby/moby#45970open_in_new, docker/docker-ce-packaging#921open_in_new - Upgrade Compose to
v2.20.2
. docker/docker-ce-packaging#924open_in_new - Upgrade buildx to
v0.11.2
. docker/docker-ce-packaging#922open_in_new
24.0.4
2023-07-07For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- Fix a regression introduced during 24.0.3 that causes a panic during live-restore of containers with bind mounts. moby/moby#45903open_in_new
24.0.3
2023-07-06For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- containerd image store: Fix an issue where multi-platform images that did not include a manifest for the default platform could not be interacted with. moby/moby#45849open_in_new
- containerd image store: Fix specious attempts to cache
FROM scratch
in container builds. moby/moby#45822open_in_new - containerd image store: Fix
docker cp
with snapshotters that cannot mount the same content multiple times. moby/moby#45780open_in_new, moby/moby#45786open_in_new - containerd image store: Fix builds with
type=image
not being correctly unpacked/stored. moby/moby#45692open_in_new - containerd image store: Fix incorrectly attempting to unpack pseudo-images (including attestations) in
docker load
. moby/moby#45688open_in_new - containerd image store: Correctly set the user agent, and include additional information like the snapshotter when interacting with registries. moby/moby#45671open_in_new, moby/moby#45684open_in_new
- containerd image store: Fix a failure to unpack already-pulled content after switching between snapshotters. moby/moby#45678open_in_new
- containerd image store: Fix images that have been re-tagged or with all tags removed being pruned while still in use. moby/moby#45857open_in_new
- Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo. moby/moby#45810open_in_new
- Fix failures to add new Swarm managers caused by a very large raft log. moby/moby#45703open_in_new, moby/swarmkit#3122open_in_new, moby/swarmkit#3128open_in_new
name_to_handle_at(2)
is now always allowed in the default seccomp profile. moby/moby#45833open_in_new- Fix an issue that prevented encrypted Swarm overlay networks from working on ports other than the default (4789). moby/moby#45637open_in_new
- Fix a failure to restore mount reference-counts during live-restore. moby/moby#45824open_in_new
- Fix various networking-related failures during live-restore. moby/moby#45658open_in_new, moby/moby#45659open_in_new
- Fix running containers restoring with a zero (successful) exit status when the daemon is unexpectedly terminated. moby/moby#45801open_in_new
- Fix a potential panic while executing healthcheck probes. moby/moby#45798open_in_new
- Fix a panic caused by a race condition in container exec start. moby/moby#45794open_in_new
- Fix an exception caused by attaching a terminal to an exec with a non-existent command. moby/moby#45643open_in_new
- Fix
host-gateway
with BuildKit by passing the IP as a label (also requires docker/buildx#1894open_in_new). moby/moby#45790open_in_new - Fix an issue where
POST /containers/{id}/stop
would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a 'graceful' stop. moby/moby#45774open_in_new - Fix an issue where
docker cp -a
from the root (/
) directory would fail. moby/moby#45748open_in_new - Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config. moby/moby#45746open_in_new
- Fix an issue caused by overlapping subuid/subgid ranges in certain configurations (e.g. LDAP) in rootless mode. moby/moby#45747open_in_new, rootless-containers/rootlesskit#369open_in_new
- Greatly reduce CPU and memory usage while populating the Debug section of
GET /info
. moby/moby#45856open_in_new - Fix an issue where debug information was not correctly printed during
docker info
when only the client is in debug mode. docker/cli#4393open_in_new - Fix issues related to hung connections when connecting to hosts over a SSH connection. docker/cli#4395open_in_new
Packaging updates
- Upgrade Go to
go1.20.5
. moby/moby#45745open_in_new, docker/cli#4351open_in_new, docker/docker-ce-packaging#904open_in_new - Upgrade Compose to
v2.19.1
. docker/docker-ce-packaging#916open_in_new - Upgrade buildx to
v0.11.1
. docker/docker-ce-packaging#918open_in_new
24.0.2
2023-05-26For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- Fix a panic during build when referencing locally tagged images. moby/buildkit#3899open_in_new, moby/moby#45582open_in_new
- Fix builds potentially failing with
exit code: 4294967295
when performing many concurrent build stages. moby/moby#45620open_in_new - Fix DNS resolution on Windows ignoring
etc/hosts
(%WINDIR%\System32\Drivers\etc\hosts
), including resolution oflocalhost
. moby/moby#45562open_in_new - Apply a workaround for a containerd bug that causes concurrent
docker exec
commands to take significantly longer than expected. moby/moby#45625open_in_new - containerd image store: Fix an issue where the image
Created
field would contain an incorrect value. moby/moby#45623open_in_new - containerd image store: Adjust the output of image pull progress so that the output has the same format regardless of whether the containerd image store is enabled. moby/moby#45602open_in_new
- containerd image store: Switching between the default and containerd image store now requires a daemon restart. moby/moby#45616open_in_new
Packaging updates
- Upgrade Buildx to
v0.10.5
. docker/docker-ce-packaging#900open_in_new
24.0.1
2023-05-19For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Removed
- Remove CLI completions for storage drivers removed in the 24.0 major release. docker/cli#4302open_in_new
Bug fixes and enhancements
- Fix an issue where DNS query NXDOMAIN replies from external servers were forwarded to the client as SERVFAIL. moby/moby#45573open_in_new
- Fix an issue where
docker pull --platform
would reportNo such image
regarding another tag pointing to the same image. moby/moby#45562open_in_new - Fix an issue where insecure registry configuration would be forgotten during config reload. moby/moby#45571open_in_new
- containerd image store: Fix an issue where images which have no layers would not be listed in
docker images -a
moby/moby#45588open_in_new - API: Fix an issue where
GET /images/{id}/json
would returnnull
instead of emptyRepoTags
andRepoDigests
. moby/moby#45564open_in_new - API: Fix an issue where
POST /commit
did not accept an empty request body. moby/moby#45568open_in_new
Packaging updates
- Upgrade Compose to
v2.18.1
. docker/docker-ce-packaging#896open_in_new
24.0.0
2023-05-16For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
New
- Introduce experimental support for containerd as the content store (replacing the existing storage drivers). moby/moby#43735open_in_new, other moby/moby pull requestsopen_in_new
- The
--host
CLI flag now supports a path component in assh://
host address, allowing use of an alternate socket path without configuration on the remote host. docker/cli#4073open_in_new - The
docker info
CLI command now reports a version and platform field. docker/cli#4180open_in_new - Introduce the daemon flag
--default-network-opt
to configure options for newly created networks. moby/moby#43197open_in_new - Restrict access to
AF_VSOCK
in thesocket(2)
family of syscalls in the default seccomp profile. moby/moby#44562open_in_new - Introduce support for setting OCI runtime annotations on containers. docker/cli#45025open_in_new, moby/moby#45025open_in_new
- Alternative runtimes can now be configured in
daemon.json
, enabling runtime names to be aliased and options to be passed. moby/moby#45032open_in_new - The
docker-init
binary will now be discovered in FHS-compliant libexec directories, in addition to thePATH
. moby/moby#45198open_in_new - API: Surface the daemon-level
--no-new-privileges
inGET /info
. moby/moby#45320open_in_new
Removed
docker info
no longer reportsIndexServiceAddress
. docker/cli#4204open_in_new- libnetwork: Remove fallback code for obsolete kernel versions. moby/moby#44684open_in_new, moby/moby#44802open_in_new
- libnetwork: Remove unused code related to classic Swarm. moby/moby#44965open_in_new
- libnetwork: Remove usage of the
xt_u32
kernel module from encrypted Swarm overlay networks. moby/moby#45281open_in_new - Remove support for BuildKit's deprecated
buildinfo
in favor of standard provenance attestations. moby/moby#45097open_in_new - Remove the deprecated AUFS and legacy
overlay
storage drivers. moby/moby#45342open_in_new, moby/moby#45359open_in_new - Remove the deprecated
overlay2.override_kernel_check
storage driver option. moby/moby#45368open_in_new - Remove workarounds for obsolete versions of
apparmor_parser
from the AppArmor profiles. moby/moby#45500open_in_new - API:
GET /images/json
no longer represents empty RepoTags and RepoDigests as<none>:<none>
/<none>@<none>
. Empty arrays are returned instead on API >= 1.43. moby/moby#45068open_in_new
Deprecated
- Deprecate the
--oom-score-adjust
daemon option. moby/moby#45315open_in_new - API: Deprecate the
VirtualSize
field inGET /images/json
andGET /images/{id}/json
. moby/moby#45346open_in_new
Bug fixes and enhancements
- The
docker stack
command no longer validates thebuild
section of Compose files. docker/cli#4214open_in_new - Fix lingering healthcheck processes after the timeout is reached. moby/moby#43739open_in_new
- Reduce the overhead of container startup when using the
overlay2
storage driver. moby/moby#44285open_in_new - API: Handle multiple
before=
andsince=
filters inGET /images
. moby/moby#44503open_in_new - Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks. moby/moby#44664open_in_new
- Add
execDuration
field to the map of event attributes. moby/moby#45494open_in_new - Swarm-level networks can now be created with the Windows
internal
,l2bridge
, andnat
drivers. moby/swarmkit#3121open_in_new, moby/moby#45291open_in_new
Packaging updates
- Update Go to
1.20.4
. docker/cli#4253open_in_new, moby/moby#45456open_in_new, docker/docker-ce-packaging#888open_in_new - Update
containerd
tov1.7.1
open_in_new. moby/moby#45537open_in_new - Update
buildkit
tov0.11.6
open_in_new. moby/moby#45367open_in_new