Docker Engine version 27 release notes
This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 27.
For more information about:
- Deprecated and removed features, see Deprecated Engine Features.
- Changes to the Engine API, see Engine API version history.
27.2
Release notes for Docker Engine version 27.2 releases.
27.2.1
2024-09-09
Bug fixes and enhancements
- containerd image store: Fix non-container images being hidden in the `docker image ls` output. moby/moby#48402
- containerd image store: Improve `docker pull` error message when the image platform doesn't match. moby/moby#48415
- CLI: Fix issue causing `docker login` to not remove repository names from passed-in registry addresses, resulting in credentials being stored under the wrong key. docker/cli#5385
- CLI: Fix issue that will sometimes cause the browser-login flow to fail if the CLI process is suspended and then resumed while waiting for the user to authenticate. docker/cli#5376
- CLI: `docker login` now returns an error instead of hanging if called non-interactively with `--password` or `--password-stdin` but without `--user`. docker/cli#5402
Packaging updates
- Update runc to v1.1.14, which contains a fix for CVE-2024-45310. moby/moby#48426
- Update Go runtime to 1.22.7. moby/moby#48433, docker/cli#5411, docker/docker-ce-packaging#1068
27.2.0
2024-08-27
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.2.0 milestone
- moby/moby, 27.2.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
The new features in this release are:
Device code login
This release adds support for using device code login when authenticating to Docker Hub.
You can still use the old method of logging in with a username and password or access token, but device code login is more secure and doesn't require you to enter your password in the CLI.
To use the old method, use `docker login -u <username>`.
Multi-platform support for docker image ls
Experimental
This is experimental and may change at any time without any backward compatibility.
With the containerd image store enabled, the `docker image ls` command (or `docker images` shorthand) now supports a `--tree` flag that shows whether an image is a multi-platform image.
API
The `GET /images/json` response now includes a `Manifests` field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations. The new field will only be populated if the request also sets the `manifests` query parameter to `true`.
Experimental
This is experimental and may change at any time without any backward compatibility.
Bug fixes and enhancements
- CLI: Fix issue with remote contexts over SSH where the CLI would allocate a pseudo-TTY when connecting to the remote host, which causes issues in rare situations. docker/cli#5351
- Fix an issue that prevented network creation with a `--ip-range` ending on a 64-bit boundary. moby/moby#48326
- CLI: IPv6 addresses shown by `docker ps` in port bindings are now bracketed. docker/cli#5365
- containerd image store: Fix early error exit from `docker load` in cases where unpacking the image would fail. moby/moby#48376
- containerd image store: Fix the previous image not being persisted as dangling after `docker pull`. moby/moby#48380
Packaging updates
- Update BuildKit to v0.15.2. moby/moby#48341
- Update Compose to v2.29.2. docker/docker-ce-packaging#1050
- Update containerd to v1.7.21. moby/moby#48383, docker/containerd-packaging#389
Known Issues
- There is a known issue when authenticating against a registry in the Docker CLI (`docker login [registry address]`) where, if the provided registry address includes a repository/image name (such as `docker login index.docker.io/docker/welcome-to-docker`), the repository part (`docker/welcome-to-docker`) is not normalized and results in credentials being stored incorrectly, which causes subsequent pulls from the registry (`docker pull index.docker.io/docker/welcome-to-docker`) to not be authenticated. To prevent this, don't include any extraneous suffix in the registry address when running `docker login`.
Note
Using `docker login` with an address that includes URL path segments is not a documented use case and is considered unsupported. The recommended usage is to specify only a registry hostname, and optionally a port, as the address for `docker login`.
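The known issue above comes down to which key the credentials are stored under. The following is an added example, not code from the Docker CLI or moby: it reduces a login address to `host[:port]`, derives the registry part of an image reference with a simplified version of the usual reference rule, and shows why an un-normalized key is never found at pull time. The `credentials_will_be_found` helper and its `normalized=False` mode are constructed for illustration; real CLI aliasing (such as `docker.io` to `index.docker.io`) is deliberately not modelled.

```python
"""Derive the credential-store key for a registry address (added example).

Constructed for these release notes; it is not the Docker CLI's own code. It
shows the normalisation the known issue is about: the login address must be
reduced to host[:port] before credentials are stored, otherwise the entry
lands under a key (for example the whole string
"index.docker.io/docker/welcome-to-docker") that a later pull never looks up.
"""
from urllib.parse import urlsplit

DEFAULT_REGISTRY = "index.docker.io"


def normalize_registry_address(address):
    """Return (key, warnings) for a ``docker login`` address.

    Accepts ``host``, ``host:port``, ``scheme://host:port/path`` and bracketed
    IPv6 literals such as ``[::1]:5000``. Path, query and fragment are dropped
    and reported, since the note above calls path segments unsupported.
    The host is lower-cased (urlsplit does that); CLI aliasing such as
    docker.io -> index.docker.io is deliberately not modelled here.
    """
    addr = address.strip()
    if not addr:
        raise ValueError("empty registry address")
    if "://" not in addr:
        addr = "https://" + addr            # urlsplit needs a scheme to see a host
    parts = urlsplit(addr)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in registry address {address!r}")
    if ":" in host:                          # IPv6 literal: keep the brackets
        host = f"[{host}]"
    key = host if parts.port is None else f"{host}:{parts.port}"
    warnings = []
    repo = parts.path.strip("/")
    if repo:
        warnings.append(f"dropped repository path {repo!r} from login address")
    if parts.query or parts.fragment:
        warnings.append("dropped query/fragment from login address")
    return key, warnings


def registry_of_reference(reference):
    """Registry part of an image reference, simplified Docker rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the reference is on the default registry."""
    first, sep, _rest = reference.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def credentials_will_be_found(login_address, reference, normalized=True):
    """Does the key stored at login match the key looked up at pull time?

    normalized=False reproduces the pre-27.2.1 behaviour from the known issue,
    where the raw address became the key.
    """
    stored = normalize_registry_address(login_address)[0] if normalized else login_address
    return stored == registry_of_reference(reference)
```

With the raw address as key, `index.docker.io/docker/welcome-to-docker` never equals the registry part `index.docker.io` that the pull derives, so the pull runs unauthenticated; after normalisation the two keys agree.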
27.1
Release notes for Docker Engine version 27.1 releases.
27.1.2
2024-08-13
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.1.2 milestone
- moby/moby, 27.1.2 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Fix a regression that could result in a `ResourceExhausted desc = grpc: received message larger than max` error when building from a large Dockerfile. moby/moby#48245
- CLI: Fix `docker attach` printing a spurious `context cancelled` error message. docker/cli#5296
- CLI: Fix `docker attach` exiting on `SIGINT` instead of forwarding the signal to the container and waiting for it to exit. docker/cli#5302
- CLI: Fix `--device-read-bps` and `--device-write-bps` options not taking effect. docker/cli#5339
- CLI: Fix a panic happening in some cases while running a plugin. docker/cli#5337
Packaging updates
- Update BuildKit to v0.15.1. moby/moby#48246
- Update Buildx to v0.16.2. docker/docker-ce-packaging#1043
- Update Go runtime to 1.21.13. moby/moby#48301, docker/cli#5325, docker/docker-ce-packaging#1046
- Remove unused `docker-proxy.exe` binary from Windows packages. docker/docker-ce-packaging#1045
27.1.1
2024-07-23
Security
This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq that impacted setups using authorization plugins (AuthZ) for access control. No other changes are included in this release, and this release is otherwise identical for users not using AuthZ plugins.
Packaging updates
- Update Compose to v2.29.1. moby/docker-ce-packaging#1041
27.1.0
2024-07-22
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.1.0 milestone
- moby/moby, 27.1.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- rootless: add `Requires=dbus.socket` to prevent errors when starting the daemon on a cgroup v2 host with systemd moby/moby#48141
- containerd integration: `image tag` event is now properly emitted when building images with BuildKit moby/moby#48182
- CLI: enable shell completion for `docker image rm`, `docker image history`, and `docker image inspect` moby/moby#5261
- CLI: add and improve shell completions for various flags moby/moby#5261
- CLI: add OOMScoreAdj to `docker service create` and `docker stack` docker/cli#5274
- CLI: add support for `DOCKER_CUSTOM_HEADERS` environment variable (experimental) docker/cli#5271
- CLI: containerd-integration: Fix `docker push` defaulting the `--platform` flag to a value of `DOCKER_DEFAULT_PLATFORM` environment variable on unsupported API versions docker/cli#5248
- CLI: fix: context cancellation on `login` prompt docker/cli#5260
- CLI: fix: wait for the container to exit before closing the stream when sending a termination request to the CLI while attached to a container docker/cli#5250
Deprecated
- The `pkg/rootless/specconv` package is deprecated, and will be removed in the next release moby/moby#48185
- The `pkg/containerfs` package is deprecated, and will be removed in the next release moby/moby#48185
- The `pkg/directory` package is deprecated, and will be removed in the next release moby/moby#48185
- `api/types/system`: remove deprecated `Info.ExecutionDriver` moby/moby#48184
Packaging updates
- Update Buildx to v0.16.1. moby/docker-ce-packaging#1039
- Update Compose to v2.29.0. moby/docker-ce-packaging#1038
- Update Containerd (static binaries only) to v1.7.20. moby/moby#48191
- Update BuildKit to v0.15.0. moby/moby#48175
- Update Go runtime to 1.21.12, which contains security fixes for CVE-2024-24791 moby/moby#48120
27.0
Release notes for Docker Engine 27.0.
27.0.3
2024-07-01
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.0.3 milestone
- moby/moby, 27.0.3 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Fix a regression that incorrectly reported a port mapping from a host IPv6 address to an IPv4-only container as an error. moby/moby#48090
- Fix a regression that caused duplicate subnet allocations when creating networks. moby/moby#48089
- Fix a regression resulting in `fail to register layer: failed to Lchown` errors when trying to pull an image with rootless enabled on a system that supports native overlay with user-namespaces. moby/moby#48086
27.0.2
2024-06-27
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.0.2 milestone
- moby/moby, 27.0.2 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
Bug fixes and enhancements
- Fix a regression that caused port numbers to be ignored when parsing a Docker registry URL. docker/cli#5197, docker/cli#5198
Removed
- api/types: deprecate `ContainerJSONBase.Node` field and `ContainerNode` type. These definitions were used by the standalone ("classic") Swarm API, but never implemented in the Docker Engine itself. moby/moby#48055
27.0.1
2024-06-24
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker/cli, 27.0.0 milestone
- moby/moby, 27.0.0 milestone
- Deprecated and removed features, see Deprecated Features.
- Changes to the Engine API, see API version history.
New
- containerd image store: Add `--platform` flag to `docker image push` and improve the default behavior when not all platforms of the multi-platform image are available locally. docker/cli#4984, moby/moby#47679
- Add support to `docker stack deploy` for `driver_opts` in a service's networks. docker/cli#5125
- Consider additional `/usr/local/libexec` and `/usr/libexec` paths when looking up the userland proxy binaries by a name with a `docker-` prefix. moby/moby#47804
Bug fixes and enhancements
- `*client.Client` instances are now always safe for concurrent use by multiple goroutines. Previously, this could lead to data races when the `WithAPIVersionNegotiation()` option is used. moby/moby#47961
- Fix a bug causing the Docker CLI to leak Unix sockets in `$TMPDIR` in some cases. docker/cli#5146
- Don't ignore a custom seccomp profile when used in conjunction with `--privileged`. moby/moby#47500
- rootless: overlay2: support native overlay diff when using rootless-mode with Linux kernel version 5.11 and later. moby/moby#47605
- Fix the `StartInterval` default value of healthcheck to reflect the documented value of 5s. moby/moby#47799
- Fix `docker save` and `docker load` not ending on the daemon side when the operation was cancelled by the user, for example with Ctrl+C. moby/moby#47629
- The `StartedAt` property of containers is now recorded before container startup, guaranteeing that the `StartedAt` is always before `FinishedAt`. moby/moby#47003
- The internal DNS resolver used by Windows containers on Windows now forwards requests to external DNS servers by default. This enables `nslookup` to resolve external hostnames. This behaviour can be disabled via `daemon.json`, using `"features": { "windows-dns-proxy": false }`. The configuration option will be removed in a future release. moby/moby#47826
- Print a warning when the CLI does not have permissions to read the configuration file. docker/cli#5077
- Fix a goroutine and file-descriptor leak on container attach. moby/moby#45052
- Clear the networking state of all stopped or dead containers during daemon start-up. moby/moby#47984
- Write volume options JSON atomically to avoid "invalid JSON" errors after system crash. moby/moby#48034
- Allow multiple macvlan networks with the same parent. moby/moby#47318
- Allow BuildKit to be used on Windows daemons that advertise it. docker/cli#5178
Networking
- Allow sysctls to be set per-interface during container creation and network connection. moby/moby#47686
  - In a future release, this will be the only way to set per-interface sysctl options. For example, on the command line in a `docker run` command, `--network mynet --sysctl net.ipv4.conf.eth0.log_martians=1` will be rejected. Instead, you must use `--network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1`.
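The migration described above can be mechanised for scripts that still pass per-interface sysctls through `--sysctl`. The following is an added example, not part of the Docker CLI or daemon: it separates per-interface keys (`net.ipv4.conf.<ifname>.*`, `net.ipv6.conf.<ifname>.*`) from the rest, substitutes the `IFNAME` placeholder shown in the note, and emits the `--network name=...,driver-opt=...` form. Treating `all` and `default` as non-interface keys, and joining several per-interface sysctls with commas inside one driver-opt value, are assumptions of this example; the release notes only show a single sysctl.

```python
"""Rewrite legacy per-interface --sysctl flags into the driver-opt form
(added example; not part of Docker's CLI or daemon).

Constructed for these release notes. Per-interface keys are the ones under
net.ipv4.conf.<ifname>.* and net.ipv6.conf.<ifname>.*; the concrete name
(eth0) is replaced by the IFNAME placeholder the notes show, and the result is
attached to the endpoint via com.docker.network.endpoint.sysctls. Sysctls that
are not per-interface (net.ipv4.ip_forward, net.ipv4.conf.all.*) are left as
ordinary --sysctl flags. Joining several per-interface sysctls with commas in
one driver-opt value is an assumption of this example; the notes show one.
"""
import re

ENDPOINT_SYSCTLS_OPT = "com.docker.network.endpoint.sysctls"
# group 1: "net.ipv4.conf." / "net.ipv6.conf."; group 2: interface; group 3: remainder
_IFACE_SYSCTL = re.compile(r"^(net\.ipv[46]\.conf\.)([^.]+)\.(.+)$")


def split_sysctls(sysctls):
    """Return (per_interface, other) for a list of key=value strings.

    Per-interface entries are rewritten with the IFNAME placeholder.
    'all' and 'default' are kernel-wide pseudo-interfaces and stay in `other`.
    """
    per_interface, other = [], []
    for item in sysctls:
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"sysctl {item!r} is not of the form key=value")
        m = _IFACE_SYSCTL.match(key)
        if m and m.group(2) not in ("all", "default"):
            per_interface.append(f"{m.group(1)}IFNAME.{m.group(3)}={value}")
        else:
            other.append(item)
    return per_interface, other


def migrate_run_args(network, sysctls):
    """Build the docker run arguments in the form the notes say will be required:
    --network name=<network>,driver-opt=<endpoint sysctls> plus any remaining --sysctl."""
    per_interface, other = split_sysctls(sysctls)
    if per_interface:
        opt = f"{ENDPOINT_SYSCTLS_OPT}={','.join(per_interface)}"  # comma join: assumption
        args = ["--network", f"name={network},driver-opt={opt}"]
    else:
        args = ["--network", network]
    for item in other:
        args += ["--sysctl", item]
    return args
```

Run `migrate_run_args("mynet", ["net.ipv4.conf.eth0.log_martians=1"])` to get exactly the `--network name=mynet,driver-opt=...` argument from the note; a non-interface sysctl such as `net.ipv4.ip_forward=1` is passed through unchanged.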
IPv6
- `ip6tables` is no longer experimental. You may remove the `experimental` configuration option and continue to use IPv6, if it is not required by any other features.
- `ip6tables` is now enabled for Linux bridge networks by default. moby/moby#47747
  - This makes IPv4 and IPv6 behaviors consistent with each other, and reduces the risk that IPv6-enabled containers are inadvertently exposed to the network.
  - There is no impact if you are running Docker Engine with `ip6tables` enabled (new default).
  - If you are using an IPv6-enabled bridge network without `ip6tables`, this is likely a breaking change. Only published container ports (`-p` or `--publish`) are accessible from outside the Docker bridge network, and outgoing connections masquerade as the host.
  - To restore the behavior of earlier releases, no `ip6tables` at all, set `"ip6tables": false` in `daemon.json`, or use the CLI option `--ip6tables=false`. Alternatively, leave `ip6tables` enabled, publish ports, and enable direct routing.
  - With `ip6tables` enabled, if `ip6tables` is not functional on your host, Docker Engine will start but it will not be possible to create an IPv6-enabled network.
IPv6 network configuration improvements
- A Unique Local Address (ULA) base prefix is automatically added to `default-address-pools` if this parameter wasn't manually configured, or if it contains no IPv6 prefixes. moby/moby#47853
  - Prior to this release, to create an IPv6-enabled network it was necessary to use the `--subnet` option to specify an IPv6 subnet, or add IPv6 ranges to `default-address-pools` in `daemon.json`.
  - Starting in this release, when a bridge network is created with `--ipv6` and no IPv6 subnet is defined by those options, an IPv6 Unique Local Address (ULA) base prefix is used.
  - The ULA prefix is derived from the Engine host ID such that it's unique across hosts and over time.
- IPv6 address pools of any size can now be added to `default-address-pools`. moby/moby#47768
- IPv6 can now be enabled by default on all custom bridge networks using `"default-network-opts": { "bridge": {"com.docker.network.enable_ipv6": "true"}}` in `daemon.json`, or `dockerd --default-network-opt=bridge=com.docker.network.enable_ipv6=true` on the command line. moby/moby#47867
- Direct routing for IPv6 networks, with `ip6tables` enabled. moby/moby#47871
  - Added bridge driver option `com.docker.network.bridge.gateway_mode_ipv6=<nat|routed>`.
  - The default behavior, `nat`, is unchanged from previous releases running with `ip6tables` enabled. NAT and masquerading rules are set up for each published container port.
  - When set to `routed`, no NAT or masquerading rules are configured for published ports. This enables direct IPv6 access to the container, if the host's network can route packets for the container's address to the host. Published ports will be opened in the container's firewall.
  - When a port mapping only applies to `routed` mode, only addresses `0.0.0.0` or `::` are allowed and a host port must not be given.
  - Note that published container ports, in `nat` or `routed` mode, are accessible from any remote address if routing is set up in the network, unless the Docker host's firewall has additional restrictions. For example: `docker network create --ipv6 -o com.docker.network.bridge.gateway_mode_ipv6=routed mynet`.
  - The option `com.docker.network.bridge.gateway_mode_ipv4=<nat|routed>` is also available, with the same behavior but for IPv4.
- If firewalld is running on the host, Docker creates policy `docker-forwarding` to allow forwarding from any zone to the `docker` zone. This makes it possible to configure a bridge network with a routable IPv6 address, and no NAT or masquerading. moby/moby#47745
- When a port is published with no host port specified, or a host port range is given, the same port will be allocated for IPv4 and IPv6. moby/moby#47871
  - For example, `-p 80` will result in the same ephemeral port being allocated for `0.0.0.0` and `::`, and `-p 8080-8083:80` will pick the same port from the range for both address families.
  - Similarly, ports published to specific addresses will be allocated the same port. For example, `-p 127.0.0.1::80 -p '[::1]::80'`.
  - If no port is available on all required addresses, container creation will fail.
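The port allocation rule above, and the `routed`-mode restriction on port mappings from the direct-routing item, as an added example. This is not moby's allocator: it is constructed for these notes to show the behaviour, with a simple in-memory table of `(host address, port)` bindings. The ephemeral range, the `-p` parser, `PortAllocator` and `check_routed_mapping` are all constructed for illustration; a wildcard binding is treated as conflicting with every address of its family, which is the assumption behind "same port on all required addresses".

```python
"""Dual-stack host port allocation (added example, not moby's own code).

Constructed for these release notes to show the rule described above: a
published port with no host port, or with a host port range, must get the
same host port on every required address (0.0.0.0 and ::, or the specific
addresses given), and creation fails if no such port exists. It also checks
the routed-mode restriction (wildcard addresses only, no host port).
"""
import ipaddress

WILDCARDS = {"0.0.0.0", "::"}
EPHEMERAL_RANGE = range(49153, 65536)   # constructed; not the daemon's real range


def parse_publish(spec):
    """Parse a -p spec into (host_addrs, host_port_range_or_None, container_port).

    Forms handled: PORT, HOSTPORT:PORT, LOW-HIGH:PORT, IP::PORT, IP:HOSTPORT:PORT
    and [v6]::PORT. Without an IP, both wildcards are required, as in the notes.
    """
    host, sep, container = spec.rpartition(":")
    if not sep:                                  # plain "80": container port only
        return ["0.0.0.0", "::"], None, int(spec)
    if host.startswith("["):                     # bracketed IPv6 literal
        ip, _, hostport = host.partition("]")
        ip, hostport = ip[1:], hostport.lstrip(":")
    else:
        ip, has_ip, hostport = host.rpartition(":")
        if not has_ip:                           # "8080:80" or "8080-8083:80"
            ip, hostport = "", host
    addrs = [ip] if ip else ["0.0.0.0", "::"]
    if not hostport:
        return addrs, None, int(container)
    low, _, high = hostport.partition("-")
    return addrs, range(int(low), int(high or low) + 1), int(container)


def check_routed_mapping(spec):
    """Problems with using this -p spec on a network with gateway_mode_ipv6=routed:
    the notes allow only 0.0.0.0 or :: and forbid a host port there."""
    addrs, host_range, _ = parse_publish(spec)
    problems = []
    if any(a not in WILDCARDS for a in addrs):
        problems.append("routed mode: only 0.0.0.0 or :: may be given as host address")
    if host_range is not None:
        problems.append("routed mode: a host port must not be given")
    return problems


class PortAllocator:
    """Tracks (host_addr, port) bindings and hands out one port free on all addresses."""

    def __init__(self, ephemeral=EPHEMERAL_RANGE):
        self.in_use = set()
        self.ephemeral = ephemeral

    def _is_free(self, addr, port):
        fam = ipaddress.ip_address(addr).version
        for used_addr, used_port in self.in_use:
            if used_port != port or ipaddress.ip_address(used_addr).version != fam:
                continue
            # a wildcard binding conflicts with every address of its family
            if used_addr == addr or used_addr in WILDCARDS or addr in WILDCARDS:
                return False
        return True

    def allocate(self, addrs, host_range=None):
        """First port (from host_range, else the ephemeral range) free on every addr."""
        for port in (host_range if host_range is not None else self.ephemeral):
            if all(self._is_free(a, port) for a in addrs):
                self.in_use.update((a, port) for a in addrs)
                return port
        raise RuntimeError(f"no host port available on all of {addrs}")   # creation fails

    def publish(self, specs):
        """Apply several -p specs together. Specs for the same container port and
        host-port choice share one allocation, so -p 127.0.0.1::80 -p '[::1]::80'
        get the same port. Returns [(host_addr, host_port, container_port), ...]."""
        groups = {}
        for spec in specs:
            addrs, host_range, cport = parse_publish(spec)
            key = (cport, None if host_range is None else (host_range.start, host_range.stop))
            entry = groups.setdefault(key, ({}, host_range))
            entry[0].update(dict.fromkeys(addrs))   # ordered, de-duplicated address set
        bindings = []
        for (cport, _), (addr_set, host_range) in groups.items():
            addrs = list(addr_set)
            port = self.allocate(addrs, host_range)
            bindings.extend((a, port, cport) for a in addrs)
        return bindings
```

`PortAllocator().publish(["80"])` yields one ephemeral port bound on both `0.0.0.0` and `::`; if another process already holds `8080` on `::`, `publish(["8080-8083:80"])` moves both families to `8081` rather than splitting them, and when the range is exhausted on either family `allocate` raises, which is the "container creation will fail" case.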
- Environment variable `DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE`, introduced in release 26.1.1, no longer has any effect. moby/moby#47963
  - If IPv6 could not be disabled on an interface because of a read-only `/proc/sys/net`, the environment variable allowed the container to start anyway.
  - In this release, if IPv4 cannot be disabled for an interface, IPv6 can be explicitly enabled for the network simply by using `--ipv6` when creating it. Other workarounds are to configure the OS to disable IPv6 by default on new interfaces, mount `/proc/sys/net` read-write, or use a kernel with no IPv6 support.
- For IPv6-enabled bridge networks, do not attempt to replace the bridge's kernel-assigned link local address with `fe80::1`. moby/moby#47787
Removed
- Deprecate experimental GraphDriver plugins. moby/moby#48050, docker/cli#5172
- pkg/archive: deprecate `NewTempArchive` and `TempArchive`. These types were only used in tests and will be removed in the next release. moby/moby#48002
- pkg/archive: deprecate `CanonicalTarNameForPath` moby/moby#48001
- Deprecate pkg/dmesg. This package was no longer used, and will be removed in the next release. moby/moby#47999
- Deprecate `pkg/stringid.ValidateID` and `pkg/stringid.IsShortID` moby/moby#47995
- runconfig: deprecate `SetDefaultNetModeIfBlank` and move `ContainerConfigWrapper` to `api/types/container` moby/moby#48007
- runconfig: deprecate `DefaultDaemonNetworkMode` and move to `daemon/network` moby/moby#48008
- runconfig: deprecate `opts.ConvertKVStringsToMap`. This utility is no longer used, and will be removed in the next release. moby/moby#48016
- runconfig: deprecate `IsPreDefinedNetwork`. moby/moby#48011
API
- containerd image store: `POST /images/{name}/push` now supports a `platform` parameter (JSON encoded OCI Platform type) that allows selecting a specific platform-manifest from the multi-platform image. This is experimental and may change in future API versions. moby/moby#47679
- `POST /services/create` and `POST /services/{id}/update` now support `OomScoreAdj`. moby/moby#47950
- `ContainerList` api returns container annotations. moby/moby#47866
- `POST /containers/create` and `POST /services/create` now take `Options` as part of `HostConfig.Mounts.TmpfsOptions` allowing to set options for tmpfs mounts. moby/moby#46809
- The `Healthcheck.StartInterval` property is now correctly ignored when updating a Swarm service using API versions less than v1.44. moby/moby#47991
- `GET /events` now supports image `create` event that is emitted when a new image is built regardless if it was tagged or not. moby/moby#47929
- `GET /info` now includes a `Containerd` field containing information about the location of the containerd API socket and containerd namespaces used by the daemon to run containers and plugins. moby/moby#47239
- Deprecate non-standard (config) fields in image inspect output. The `Config` field returned by this endpoint (used for `docker image inspect`) returned additional fields that are not part of the image's configuration and not part of the Docker Image Spec and the OCI Image Spec. These fields are never set (and always return the default value for the type), but are not omitted in the response when left empty. As these fields were not intended to be part of the image configuration response, they are deprecated, and will be removed in the future API versions. moby/moby#47941
  The following deprecated fields are currently included in the API response, but are not part of the underlying image's `Config`:
  - `Hostname`
  - `Domainname`
  - `AttachStdin`
  - `AttachStdout`
  - `AttachStderr`
  - `Tty`
  - `OpenStdin`
  - `StdinOnce`
  - `Image`
  - `NetworkDisabled` (already omitted unless set)
  - `MacAddress` (already omitted unless set)
  - `StopTimeout` (already omitted unless set)
- Deprecate the daemon flag `--api-cors-header` and the corresponding `daemon.json` configuration option. These will be removed in the next major release. moby/moby#45313
Go SDK changes
- Client API callbacks for the following functions now require a context parameter. moby/moby#47536
  - `client.RequestPrivilegeFunc`
  - `client.ImageSearchOptions.AcceptPermissionsFunc`
  - `image.ImportOptions.PrivilegeFunc`
- Remove deprecated aliases for Image types. moby/moby#47900
  - `ImageImportOptions`
  - `ImageCreateOptions`
  - `ImagePullOptions`
  - `ImagePushOptions`
  - `ImageListOptions`
  - `ImageRemoveOptions`
- Introduce `Ulimit` type alias for `github.com/docker/go-units.Ulimit`. The `Ulimit` type as used in the API is defined in a Go module that will transition to a new location in future. A type alias is added to reduce the friction that comes with moving the type to a new location. The alias makes sure that existing code continues to work, but its definition may change in future. Users are recommended to use this alias instead of the `units.Ulimit` directly. moby/moby#48023
- Move and rename types, changing their import paths and exported names. moby/moby#47936, moby/moby#47873, moby/moby#47887, moby/moby#47882, moby/moby#47921, moby/moby#48040
  - Move the following types to `api/types/container`: `BlkioStatEntry`, `BlkioStats`, `CPUStats`, `CPUUsage`, `ContainerExecInspect`, `ContainerPathStat`, `ContainerStats`, `ContainersPruneReport`, `CopyToContainerOptions`, `ExecConfig`, `ExecStartCheck`, `MemoryStats`, `NetworkStats`, `PidsStats`, `StatsJSON`, `Stats`, `StorageStats`, `ThrottlingData`
  - Move the following types to `api/types/image`: `ImagesPruneReport`, `ImageImportSource`, `ImageLoadResponse`
  - Move the `ExecStartOptions` type to `api/types/backend`.
  - Move the `VolumesPruneReport` type to `api/types/volume`.
  - Move the `EventsOptions` type to `api/types/events`.
  - Move the `ImageSearchOptions` type to `api/types/registry`.
  - Drop `Network` prefix and move the following types to `api/types/network`: `NetworkCreateResponse`, `NetworkConnect`, `NetworkDisconnect`, `NetworkInspectOptions`, `EndpointResource`, `NetworkListOptions`, `NetworkCreateOptions`, `NetworkCreateRequest`, `NetworksPruneReport`
  - Move `NetworkResource` to `api/types/network`.
Packaging updates
- Update Buildx to v0.15.1. docker/docker-ce-packaging#1029
- Update BuildKit to v0.14.1. moby/moby#48028
- Update runc to v1.1.13 moby/moby#47976
- Update Compose to v2.28.1. moby/docker-ce-packaging#1032
27.0.0
There's no 27.0.0 release due to a mistake during the pre-release of 27.0.0-rc.1 on GitHub which resulted in the v27.0.0 tag being created. Unfortunately the tag was already picked up by the Go Module Mirror, so it's not possible to cleanly change the v27.0.0 tag. To work around this, 27.0.1 will be the first release of the 27.0 series.