Docker Engine 24.0 release notes

This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 24.0.

For more information about:

24.0.9

2024-01-31

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVEComponentFix versionSeverity
CVE-2024-21626runc1.1.12High, CVSS 8.6
CVE-2024-24557Docker Engine24.0.9Medium, CVSS 6.9

Important

Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:

To address these vulnerabilities, upgrade to Docker Engine v25.0.2.

For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post.

For details about each vulnerability, see the relevant security advisory:

Packaging updates

24.0.8

2024-01-25

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857

Packaging updates

24.0.7

2023-10-27

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Write overlay2 layer metadata atomically. moby/moby#46703
  • Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. moby/moby#46626
  • Fix dockerd-rootless-setuptools.sh when username contains a backslash. moby/moby#46407
  • Fix a bug that would prevent network sandboxes to be fully deleted when stopping containers with no network attachments and when dockerd --bridge=none is used. moby/moby#46702
  • Fix a bug where cancelling an API request could interrupt container restart. moby/moby#46697
  • Fix an issue where containers would fail to start when providing --ip-range with a range larger than the subnet. docker/for-mac#6870
  • Fix data corruption with zstd output. moby/moby#46709
  • Fix the conditions under which the container's MAC address is applied. moby/moby#46478
  • Improve the performance of the stats collector. moby/moby#46448
  • Fix an issue with source policy rules ending up in the wrong order. moby/moby#46441

Packaging updates

Security

24.0.6

2023-09-05

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd storage backend: Fix docker ps failing when a container image is no longer present in the content store. moby/moby#46095
  • containerd storage backend: Fix docker ps -s -a and docker container prune failing when a container image config is no longer present in the content store. moby/moby#46097
  • containerd storage backend: Fix docker inspect failing when a container image config is no longer (or was never) present in the content store. moby/moby#46244
  • containerd storage backend: Fix diff and export with the overlayfs snapshotter by using reference-counted rootfs mounts. moby/moby#46266
  • containerd storage backend: Fix a misleading error message when the image platforms available locally do not match the desired platform. moby/moby#46300
  • containerd storage backend: Fix the FROM scratch Dockerfile instruction with the classic builder. moby/moby#46302
  • containerd storage backend: Fix mismatched image rootfs and manifest layers errors with the classic builder. moby/moby#46310
  • Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries. moby/moby#46290
  • Fix live-restore of volumes with custom volume options. moby/moby#46366
  • Fix incorrectly dropping capabilities bits when running a container as a non-root user (note: this change was already effectively present due to a regression). moby/moby#46221
  • Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers. moby/moby#46214
  • Fix dockerd.exe --register-service not working when the binary is in the current directory on Windows. moby/moby#46215
  • Add a hint suggesting the use of a PAT to docker login against Docker Hub. docker/cli#4500
  • Improve shell startup time for users of Bash completion for the CLI. docker/cli#4517
  • Improve the speed of some commands by skipping GET /_ping when possible. docker/cli#4508
  • Fix credential scopes when using a PAT to docker manifest inspect an image on Docker Hub. docker/cli#4512
  • Fix docker events not supporting --format=json. docker/cli#4544

Packaging updates

24.0.5

2023-07-24

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • The Go client now avoids using UNIX socket paths in the HTTP Host: header, in order to be compatible with changes introduced in go1.20.6. moby/moby#45962, moby/moby#45990
  • containerd storage backend: Fix Variant not being included in docker image inspect and GET /images/{name}/json. moby/moby#46025
  • containerd storage backend: Prevent potential garbage collection of content during image export. moby/moby#46021
  • containerd storage backend: Prevent duplicate digest entries in RepoDigests. moby/moby#46014
  • containerd storage backend: Fix operations taking place against the incorrect tag when working with an image referenced by tag and digest. moby/moby#46013
  • containerd storage backend: Fix a panic caused by EXPOSE when building containers with the legacy builder. moby/moby#45921
  • Fix a regression causing unintuitive errors to be returned when attempting to create an overlay network on a non-Swarm node. moby/moby#45974
  • Properly report errors parsing volume specifications from the command line. docker/cli#4423
  • Fix a panic caused when auths: null is found in the CLI config file. docker/cli#4450

Packaging updates

24.0.4

2023-07-07

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix a regression introduced during 24.0.3 that causes a panic during live-restore of containers with bind mounts. moby/moby#45903

24.0.3

2023-07-06

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd image store: Fix an issue where multi-platform images that did not include a manifest for the default platform could not be interacted with. moby/moby#45849
  • containerd image store: Fix specious attempts to cache FROM scratch in container builds. moby/moby#45822
  • containerd image store: Fix docker cp with snapshotters that cannot mount the same content multiple times. moby/moby#45780, moby/moby#45786
  • containerd image store: Fix builds with type=image not being correctly unpacked/stored. moby/moby#45692
  • containerd image store: Fix incorrectly attempting to unpack pseudo-images (including attestations) in docker load. moby/moby#45688
  • containerd image store: Correctly set the user agent, and include additional information like the snapshotter when interacting with registries. moby/moby#45671, moby/moby#45684
  • containerd image store: Fix a failure to unpack already-pulled content after switching between snapshotters. moby/moby#45678
  • containerd image store: Fix images that have been re-tagged or with all tags removed being pruned while still in use. moby/moby#45857
  • Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo. moby/moby#45810
  • Fix failures to add new Swarm managers caused by a very large raft log. moby/moby#45703, moby/swarmkit#3122, moby/swarmkit#3128
  • name_to_handle_at(2) is now always allowed in the default seccomp profile. moby/moby#45833
  • Fix an issue that prevented encrypted Swarm overlay networks from working on ports other than the default (4789). moby/moby#45637
  • Fix a failure to restore mount reference-counts during live-restore. moby/moby#45824
  • Fix various networking-related failures during live-restore. moby/moby#45658, moby/moby#45659
  • Fix running containers restoring with a zero (successful) exit status when the daemon is unexpectedly terminated. moby/moby#45801
  • Fix a potential panic while executing healthcheck probes. moby/moby#45798
  • Fix a panic caused by a race condition in container exec start. moby/moby#45794
  • Fix an exception caused by attaching a terminal to an exec with a non-existent command. moby/moby#45643
  • Fix host-gateway with BuildKit by passing the IP as a label (also requires docker/buildx#1894). moby/moby#45790
  • Fix an issue where POST /containers/{id}/stop would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a 'graceful' stop. moby/moby#45774
  • Fix an issue where docker cp -a from the root (/) directory would fail. moby/moby#45748
  • Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config. moby/moby#45746
  • Fix an issue caused by overlapping subuid/subgid ranges in certain configurations (e.g. LDAP) in rootless mode. moby/moby#45747, rootless-containers/rootlesskit#369
  • Greatly reduce CPU and memory usage while populating the Debug section of GET /info. moby/moby#45856
  • Fix an issue where debug information was not correctly printed during docker info when only the client is in debug mode. docker/cli#4393
  • Fix issues related to hung connections when connecting to hosts over a SSH connection. docker/cli#4395

Packaging updates

24.0.2

2023-05-26

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix a panic during build when referencing locally tagged images. moby/buildkit#3899, moby/moby#45582
  • Fix builds potentially failing with exit code: 4294967295 when performing many concurrent build stages. moby/moby#45620
  • Fix DNS resolution on Windows ignoring etc/hosts (%WINDIR%\System32\Drivers\etc\hosts), including resolution of localhost. moby/moby#45562
  • Apply a workaround for a containerd bug that causes concurrent docker exec commands to take significantly longer than expected. moby/moby#45625
  • containerd image store: Fix an issue where the image Created field would contain an incorrect value. moby/moby#45623
  • containerd image store: Adjust the output of image pull progress so that the output has the same format regardless of whether the containerd image store is enabled. moby/moby#45602
  • containerd image store: Switching between the default and containerd image store now requires a daemon restart. moby/moby#45616

Packaging updates

24.0.1

2023-05-19

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Removed

  • Remove CLI completions for storage drivers removed in the 24.0 major release. docker/cli#4302

Bug fixes and enhancements

  • Fix an issue where DNS query NXDOMAIN replies from external servers were forwarded to the client as SERVFAIL. moby/moby#45573
  • Fix an issue where docker pull --platform would report No such image regarding another tag pointing to the same image. moby/moby#45562
  • Fix an issue where insecure registry configuration would be forgotten during config reload. moby/moby#45571
  • containerd image store: Fix an issue where images which have no layers would not be listed in docker images -a moby/moby#45588
  • API: Fix an issue where GET /images/{id}/json would return null instead of empty RepoTags and RepoDigests. moby/moby#45564
  • API: Fix an issue where POST /commit did not accept an empty request body. moby/moby#45568

Packaging updates

24.0.0

2023-05-16

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Introduce experimental support for containerd as the content store (replacing the existing storage drivers). moby/moby#43735, other moby/moby pull requests
  • The --host CLI flag now supports a path component in a ssh:// host address, allowing use of an alternate socket path without configuration on the remote host. docker/cli#4073
  • The docker info CLI command now reports a version and platform field. docker/cli#4180
  • Introduce the daemon flag --default-network-opt to configure options for newly created networks. moby/moby#43197
  • Restrict access to AF_VSOCK in the socket(2) family of syscalls in the default seccomp profile. moby/moby#44562
  • Introduce support for setting OCI runtime annotations on containers. docker/cli#45025, moby/moby#45025
  • Alternative runtimes can now be configured in daemon.json, enabling runtime names to be aliased and options to be passed. moby/moby#45032
  • The docker-init binary will now be discovered in FHS-compliant libexec directories, in addition to the PATH. moby/moby#45198
  • API: Surface the daemon-level --no-new-privileges in GET /info. moby/moby#45320

Removed

  • docker info no longer reports IndexServiceAddress. docker/cli#4204
  • libnetwork: Remove fallback code for obsolete kernel versions. moby/moby#44684, moby/moby#44802
  • libnetwork: Remove unused code related to classic Swarm. moby/moby#44965
  • libnetwork: Remove usage of the xt_u32 kernel module from encrypted Swarm overlay networks. moby/moby#45281
  • Remove support for BuildKit's deprecated buildinfo in favor of standard provenance attestations. moby/moby#45097
  • Remove the deprecated AUFS and legacy overlay storage drivers. moby/moby#45342, moby/moby#45359
  • Remove the deprecated overlay2.override_kernel_check storage driver option. moby/moby#45368
  • Remove workarounds for obsolete versions of apparmor_parser from the AppArmor profiles. moby/moby#45500
  • API: GET /images/json no longer represents empty RepoTags and RepoDigests as<none>:<none>/<none>@<none>. Empty arrays are returned instead on API >= 1.43. moby/moby#45068

Deprecated

  • Deprecate the --oom-score-adjust daemon option. moby/moby#45315
  • API: Deprecate the VirtualSize field in GET /images/json and GET /images/{id}/json. moby/moby#45346

Bug fixes and enhancements

  • The docker stack command no longer validates the build section of Compose files. docker/cli#4214
  • Fix lingering healthcheck processes after the timeout is reached. moby/moby#43739
  • Reduce the overhead of container startup when using the overlay2 storage driver. moby/moby#44285
  • API: Handle multiple before= and since= filters in GET /images. moby/moby#44503
  • Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks. moby/moby#44664
  • Add execDuration field to the map of event attributes. moby/moby#45494
  • Swarm-level networks can now be created with the Windows internal, l2bridge, and nat drivers. moby/swarmkit#3121, moby/moby#45291

Packaging updates