Docker Engine version 28 release notes

Table of contents

This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 28.

For more information about:

28.5.1

2025-10-08

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

Deprecations

  • api/types/image: InspectResponse: deprecate Parent and DockerVersion fields. moby/moby#51105
  • api/types/plugin: deprecate Config.DockerVersion field. moby/moby#51110

28.5.0

2025-10-02

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Warning

Raspberry Pi OS 32-bit (armhf) Deprecation

Docker Engine v28 will be the last major version to support Raspberry Pi OS 32-bit (armhf). Starting with Docker Engine v29, new major versions will no longer provide packages for Raspberry Pi OS 32-bit (armhf).

Migration options

  • 64-bit ARM: Install the Debian arm64 packages (fully supported).
  • 32-bit ARM (v7): Install the Debian armhf packages (targets ARMv7 CPUs).

Note: Older devices based on the ARMv6 architecture are no longer supported by official packages, including:

  • Raspberry Pi 1 (Model A/B/A+/B+)
  • Raspberry Pi Zero and Zero W

Bug fixes and enhancements

  • Don't print warnings in docker info for broken symlinks in CLI-plugin directories. docker/cli#6476
  • Fix a panic during stats on empty event Actor.ID. docker/cli#6471

Packaging updates

Networking

  • Eliminated harmless warning about deletion of endpoint_count from the data store. moby/moby#51064
  • Fix a bug causing IPAM plugins to not be loaded on Windows. moby/moby#51035

API

  • Deprecate support for kernel memory TCP accounting (KernelMemoryTCP). moby/moby#51067
  • Fix GET containers/{name}/checkpoints returning null instead of empty JSON array when there are no checkpoints. moby/moby#51052

Go SDK

Deprecations

  • Go-SDK: cli/command: deprecate DockerCli.Apply. This method is no longer used and will be removed in the next release if there are no remaining uses. docker/cli#6497
  • Go-SDK: cli/command: deprecate DockerCli.ContentTrustEnabled. This method is no longer used and will be removed in the next release. docker/cli#6495
  • Go-SDK: cli/command: deprecate DockerCli.DefaultVersion. This method is no longer used and will be removed in the next release. docker/cli#6491
  • Go-SDK: cli/command: deprecate ResolveDefaultContext utility. docker/cli#6529
  • Go-SDK: cli/command: deprecate WithContentTrustFromEnv, WithContentTrust options. These options were used internally, and will be removed in the next release.. docker/cli#6489
  • Go-SDK: cli/manifest/store: deprecate IsNotFound(). docker/cli#6514
  • Go-SDK: templates: deprecate NewParse() function. docker/cli#6469

28.4.0

2025-09-03

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Allow Docker CLI to set the GODEBUG environment variable when the key-value pair ("GODEBUG":"...") exists inside the docker context metadata. docker/cli#6399

Bug fixes and enhancements

  • Add shell completion for docker pull and docker image pull. docker/cli#6420
  • Fix a regression in v28.3.3 that could cause a panic on docker push if the client did not send an X-Registry-Auth header. moby/moby#50738
  • Windows: Potentially fix an issue with "access denied" error when pulling images. moby/moby#50871
  • containerd image store: Fix docker history failing with snapshot X does not exist when calling on a non-native image that was built locally. moby/moby#50875
  • containerd image store: Fix docker image prune to emit correct untag and delete events and list only the deleted images root digests instead of every blob. moby/moby#50837
  • Remove interactive login prompt from docker push and docker pull after a failure caused by missing authentication. docker/cli#6256

Packaging updates

Networking

  • Fix an issue that could cause slow container restart on live-restore. moby/moby#50829

API

Go SDK

Deprecations

  • Deprecate special handling for quoted values for the --tlscacert, --tlscert, and --tlskey command-line flags. docker/cli#6291
  • Mark legacy links environment variables (DOCKER_KEEP_DEPRECATED_LEGACY_LINKS_ENV_VARS) as deprecated in v28.4 and set for removal in v30.0. docker/cli#6309
  • Go-SDK: Deprecate field NetworkSettingsBase.Bridge, struct NetworkSettingsBase, all the fields of DefaultNetworkSettings, and struct DefaultNetworkSettings. moby/moby#50839
  • Go-SDK: api/types: build.CacheDiskUsage, container.DiskUsage, images.DiskUsage and volumes.DiskUsage are now deprecated and will be removed in the next major release. moby/moby#50768
  • Go-SDK: cli-plugins/manager: deprecate ReexecEnvvar. docker/cli#6411
  • Go-SDK: cli-plugins/manager: deprecate annotation aliases (CommandAnnotationPlugin, CommandAnnotationPluginVendor, CommandAnnotationPluginVersion, CommandAnnotationPluginInvalid, CommandAnnotationPluginCommandPath) in favor of their equivalent in cli-plugins/manager/metadata. docker/cli#6298
  • Go-SDK: cli-plugins/manager: deprecate metadata aliases (NamePrefix, MetadataSubcommandName, HookSubcommandName, Metadata, ReexecEnvvar) in favor of their equivalent in cli-plugins/manager/metadata. docker/cli#6269
  • Go-SDK: cli-plugins/manager: remove Candidate interface, which was only for internal use. docker/cli#6269
  • Go-SDK: cli-plugins/manager: remove NewPluginError function, which was only for internal use. docker/cli#6269
  • Go-SDK: cli-plugins/manager: remove deprecated ResourceAttributesEnvvar const. docker/cli#6269
  • Go-SDK: cli/command/builder: deprecate NewBuilderCommand and NewBakeStubCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/builder: deprecate NewPruneCommand. docker/cli#6343
  • Go-SDK: cli/command/checkpoint: deprecate NewCheckpointCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/checkpoint: deprecate NewFormat, FormatWrite. docker/cli#6341
  • Go-SDK: cli/command/completion: deprecate NoComplete. docker/cli#6405
  • Go-SDK: cli/command/completion: remove deprecated ValidArgsFn. docker/cli#6259
  • Go-SDK: cli/command/config: deprecate NewConfigCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/config: deprecate NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
  • Go-SDK: cli/command/config: deprecate RunConfigCreate, CreateOptions, RunConfigInspect, InspectOptions, RunConfigList, ListOptions, RunConfigRemove, and RemoveOptions. docker/cli#6369
  • Go-SDK: cli/command/container: deprecate NewBuildCommand, NewPullCommand, NewPushCommand, NewImagesCommand, NewImageCommand, NewHistoryCommand, NewImportCommand, NewLoadCommand, NewRemoveCommand, NewSaveCommand, NewTagCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/container: deprecate NewDiffFormat, DiffFormatWrite. These functions were only used internally and will be removed in the next release. docker/cli#6341
  • Go-SDK: cli/command/container: deprecate NewRunCommand, NewExecCommand, NewPsCommand, NewContainerCommand, NewAttachCommand, NewCommitCommand, NewCopyCommand, NewCreateCommand, NewDiffCommand, NewExportCommand, NewKillCommand, NewLogsCommand, NewPauseCommand, NewPortCommand, NewRenameCommand, NewRestartCommand, NewRmCommand, NewStartCommand, NewStatsCommand, NewStopCommand, NewTopCommand, NewUnpauseCommand, NewUpdateCommand, NewWaitCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/context: deprecate NewContextCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/context: deprecate RunCreate and CreateOptions. docker/cli#6403
  • Go-SDK: cli/command/context: deprecate RunExport and ExportOptions. docker/cli#6403
  • Go-SDK: cli/command/context: deprecate RunImport. docker/cli#6403
  • Go-SDK: cli/command/context: deprecate RunRemove and RemoveOptions. docker/cli#6403
  • Go-SDK: cli/command/context: deprecate RunUpdate and UpdateOptions. docker/cli#6403
  • Go-SDK: cli/command/context: deprecate RunUse. docker/cli#6403
  • Go-SDK: cli/command/image: deprecate AuthResolver utility. docker/cli#6357
  • Go-SDK: cli/command/image: deprecate NewHistoryFormat, HistoryWrite. docker/cli#6341, docker/cli#6341
  • Go-SDK: cli/command/manifest: deprecate NewManifestCommand. This functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/network: deprecate NewFormat, FormatWrite. docker/cli#6341
  • Go-SDK: cli/command/network: deprecate NewNetworkCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/node: deprecate NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
  • Go-SDK: cli/command/node: deprecate NewNodeCommand. This functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/plugin: deprecate NewFormat, FormatWrite. docker/cli#6341
  • Go-SDK: cli/command/plugin: deprecate NewPluginCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/registry: deprecate NewLoginCommand, NewLogoutCommand, NewSearchCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/registry: deprecate NewSearchFormat, SearchWrite. docker/cli#6341
  • Go-SDK: cli/command/registry: deprecate OauthLoginEscapeHatchEnvVar const. docker/cli#6413
  • Go-SDK: cli/command/secret: deprecate NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
  • Go-SDK: cli/command/secret: deprecate NewSecretCommand. This functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/service: deprecate NewFormat, InspectFormatWrite. docker/cli#6341
  • Go-SDK: cli/command/service: deprecate NewServiceCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/stack: deprecate NewStackCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/stack: deprecate RunList, RunServices. docker/cli#6391
  • Go-SDK: cli/command/swarm: deprecate NewSwarmCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/system: deprecate NewVersionCommand, NewInfoCommand, NewSystemCommand, NewEventsCommand, NewInspectCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/task: deprecate NewTaskFormat, FormatWrite. docker/cli#6341
  • Go-SDK: cli/command/trust: deprecate NewTrustCommand. This function will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command/trust: deprecate SignedTagInfo, SignerInfo, NewTrustTagFormat, NewSignerInfoFormat, TagWrite, SignerInfoWrite. docker/cli#6341
  • Go-SDK: cli/command/volume: deprecate NewVolumeCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
  • Go-SDK: cli/command: remove AddTrustSigningFlags, AddTrustVerificationFlags, and AddPlatformFlag utilities, which were only used internally. docker/cli#6311
  • Go-SDK: cli/command: remove deprecated ConfigureAuth utility. docker/cli#6257
  • Go-SDK: cli/command: remove deprecated CopyToFile utility. docker/cli#6257
  • Go-SDK: cli/config/types: update deprecation message for AuthConfig.Email field. docker/cli#6392
  • Go-SDK: cli: deprecate VisitAll, DisableFlagsInUseLine utilities. These utilities were only used internally and will be removed in the next release. docker/cli#6276
  • Go-SDK: cli: remove HasCompletionArg utility. This utility was only used internally. docker/cli#6276
  • Go-SDK: deprecate cli/command.RegistryAuthenticationPrivilegedFunc. docker/cli#6256
  • Go-SDK: deprecate cli/command/stack/formatter. docker/cli#6391
  • Go-SDK: deprecate cli/command/stack/loader. docker/cli#6391
  • Go-SDK: deprecate cli/command/stack/options. docker/cli#6391
  • Go-SDK: deprecate cli/command/stack/swarm. docker/cli#6391
  • Go-SDK: opts: deprecate NewNamedListOptsRef, NewNamedMapOpts, NamedListOpts, NamedMapOpts, and NamedOption. These types and functions are no longer used and will be removed in the next release. docker/cli#6292
  • Go-SDK: opts: deprecate ParseEnvFile in favor of kvfile.Parse. docker/cli#6381
  • Go-SDK: opts: deprecate QuotedString. This utility is no longer used, and will be removed in the next release. docker/cli#6275
  • Go-SDK: opts: deprecate ValidateHost utility. This function is no longer used, and will be removed in the next release. docker/cli#6280
  • Go-SDK: pkg/jsonmessage: deprecate the JSONMessage.From, JSONMessage.Time, and JSONMessage.TimeNano fields, as they are no longer returned by the API for progress messages. Use the events.Message type instead to unmarshal the /events response. moby/moby#50762
  • Go-SDK: the cli/registry/client package is deprecated and will be removed in the next release. docker/cli#6313

28.3.3

2025-07-29

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release fixes an issue where, after a firewalld reload, published container ports could be accessed directly from the local network, even when they were intended to be accessible only via a loopback address. CVE-2025-54388 / GHSA-x4rx-4gw3-53p4 / moby/moby#50506.

Packaging updates

28.3.2

2025-07-09

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix --use-api-socket not working correctly when targeting a remote daemon. docker/cli#6157
  • Fix stray "otel error" logs being printed if debug logging is enabled. docker/cli#6160
  • Quote SSH arguments when connecting to a remote daemon over an SSH connection to avoid unexpected expansion. docker/cli#6147
  • Warn when DOCKER_AUTH_CONFIG is set during docker login and docker logout. docker/cli#6163

Packaging updates

28.3.1

2025-07-02

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Packaging updates

28.3.0

2025-06-24

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

Bug fixes and enhancements

  • Ensure that the state of the container in the daemon database (used by /containers/json API) is up to date when the container is stopped using the /containers/{id}/stop API (before response of API). moby/moby#50136
  • Fix docker image inspect inspect omitting empty fields. moby/moby#50135
  • Fix docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
  • Fix docker pull/push hang in non-interactive when authentication is required caused by prompting for login credentials. docker/cli#6141
  • Fix a potential resource leak when a node leaves a Swarm. moby/moby#50115
  • Fix a regression where a login prompt on docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
  • Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50211
  • Remove an undocumented, hidden, top-level docker remove command that was accidentally introduced in Docker 23.0. docker/cli#6144
  • Validate registry-mirrors configuration as part of dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240
  • dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
  • containerd image store: Fix docker push not creating a tag on the remote repository. moby/moby#50199
  • containerd image store: Improve handling of errors returned by the token server during docker pull/push. moby/moby#50176

Packaging updates

Networking

API

  • Update API version to 1.51. moby/moby#50145
  • GET /images/json now sets the value of the Containers field for all images to the count of containers using the image. moby/moby#50146

Deprecations

  • Empty/nil image config fields in the GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129
  • api/types/container: deprecate ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
  • pkg/idtools: deprecate IdentityMapping and Identity.Chown. moby/moby#50210

28.2.2

2025-05-30

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd image store: Fix a regression causing docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105

Networking

  • When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot. moby/moby#50098

28.2.1

2025-05-29

Packaging updates

28.2.0

2025-05-28

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Note

RHEL packages are currently not available and will be released later.

New

  • Add {{.Platform}} as formatting option for docker ps to show the platform of the image the container is running. docker/cli#6042
  • Add support for relative parent paths (../) on bind mount sources when using docker run/create with -v/--volume or --mount type=bind options. docker/cli#4966
  • CDI is now enabled by default. moby/moby#49963
  • Show discovered CDI devices in docker info. docker/cli#6078
  • docker image rm: add --platform option to remove a variant from multi-platform images. docker/cli#6109
  • containerd image store: Initial BuildKit support for building Windows container images on Windows (requires an opt-in with DOCKER_BUILDKIT=1). moby/moby#49740

Bug fixes and enhancements

  • Add a new log option for fluentd log driver (fluentd-write-timeout), which enables specifying write timeouts for fluentd connections. moby/moby#49911
  • Add support for DOCKER_AUTH_CONFIG for the experimental --use-api-socket option. docker/cli#6019
  • Fix docker exec waiting for 10 seconds if a non-existing user or group was specified. moby/moby#49868
  • Fix docker swarm init ignoring cacert option of --external-ca. docker/cli#5995
  • Fix an issue where the CLI would not correctly save the configuration file (~/.docker/config.json) if it was a relative symbolic link. docker/cli#5282
  • Fix containers with --restart always policy using CDI devices failing to start on daemon restart. moby/moby#49990
  • Fix shell-completion to only complete some flags once, even though they can be set multiple times. docker/cli#6030
  • Fix the plugin does not implement PluginAddr interface error for Swarm CSI drivers. moby/moby#49961
  • Improve docker login error messages for invalid options. docker/cli#6036
  • Make sure the terminal state is restored if the CLI is forcefully terminated. docker/cli#6058
  • Update the default seccomp profile to match the libseccomp v2.6.0. The new syscalls are: listmount, statmount, lsm_get_self_attr, lsm_list_modules, lsm_set_self_attr, mseal, uretprobe, riscv_hwprobe, getxattrat, listxattrat, removexattrat, and setxattrat. This prevents containers from receiving EPERM errors when using them. moby/moby#50077
  • docker inspect: add shell completion, improve flag-description for --type and improve validation. docker/cli#6052
  • containerd image store: Enable BuildKit garbage collector by default. moby/moby#49899
  • containerd image store: Fix docker build not persisting overridden images as dangling. moby/moby#49702
  • containerd image store: Fix docker system df reporting a negative reclaimable space amount. moby/moby#49707
  • containerd image store: Fix duplicate PUT requests when pushing a multi-platform image. moby/moby#49949

Packaging updates

Networking

  • Add bridge network option "com.docker.network.bridge.trusted_host_interfaces", accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. moby/moby#49832
  • Add daemon option "allow-direct-routing" to disable filtering of packets from outside the host addressed directly to containers. moby/moby#49832
  • Do not display network options com.docker.network.enable_ipv4 or com.docker.network.enable_ipv6 in inspect output if they have been overridden by EnableIPv4 or EnableIPv6 in the network create request. moby/moby#49866
  • Fix an issue that could cause network deletion to fail after a daemon restart, with error "has active endpoints" listing empty endpoint names. moby/moby#49901
  • Fix an issue where docker network inspect --verbose could sometimes crash the daemon. moby/moby#49937
  • Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network. moby/moby#49948
  • Improve the reliability of NetworkDB in busy clusters and lossy networks. moby/moby#49932
  • Improvements to the reliability and convergence speed of NetworkDB. moby/moby#49939

API

  • DELETE /images/{name} now supports a platforms query parameter. It accepts an array of JSON-encoded OCI Platform objects, allowing for selecting a specific platforms to delete content for. moby/moby#49982
  • GET /info now includes a DiscoveredDevices field. This is an array of DeviceInfo objects, each providing details about a device discovered by a device driver. moby/moby#49980

Go SDK

  • api/types/container: add ContainerState and constants for container state. moby/moby#49965
  • api/types/container: change Summary.State to a ContainerState. moby/moby#49991
  • api/types/container: define HealthStatus type for health-status constants. moby/moby#49876
  • api/types: deprecate BuildResult, ImageBuildOptions, ImageBuildOutput, ImageBuildResponse, BuilderVersion, BuilderV1, and BuilderBuildKi which were moved to api/types/build. moby/moby#50025

Deprecations

  • API: Deprecated: GET /images/{name}/json no longer returns the following fields: Config, Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr, Tty, OpenStdin, StdinOnce, Image, NetworkDisabled (already omitted unless set), MacAddress (already omitted unless set), StopTimeout (already omitted unless set). These additional fields were included in the response due to an implementation detail but not part of the image's Configuration, were marked deprecated in API v1.46, and are now omitted. moby/moby#48457
  • Go-SDK: Deprecate builder/remotecontext.Rel(). This function was needed on older versions of Go, but can now be replaced by filepath.Rel(). moby/moby#49843
  • Go-SDK: api/types: deprecate BuildCachePruneOptions in favor of api/types/builder.CachePruneOptions. moby/moby#50015
  • Go-SDK: api/types: deprecate BuildCachePruneReport in favor of api/types/builder.CachePruneReport. moby/moby#50015
  • Go-SDK: api/types: deprecate NodeListOptions, NodeRemoveOptions, ServiceCreateOptions, ServiceUpdateOptions, RegistryAuthFromSpec, RegistryAuthFromPreviousSpec, ServiceListOptions, ServiceInspectOptions, and SwarmUnlockKeyResponse which were moved to api/types/swarm. moby/moby#50027
  • Go-SDK: api/types: deprecate SecretCreateResponse, SecretListOptions, ConfigCreateResponse, ConfigListOptions which were moved to api/types/swarm. moby/moby#50024
  • Go-SDK: client: deprecate IsErrNotFound. moby/moby#50012
  • Go-SDK: container: deprecate IsValidHealthString in favor of api/types/container.ValidateHealthStatus. moby/moby#49893
  • Go-SDK: container: deprecate StateStatus, WaitCondition, and the related WaitConditionNotRunning, WaitConditionNextExit, and WaitConditionRemoved consts in favor of their equivalents in api/types/container. moby/moby#49874
  • Go-SDK: opts: deprecate ListOpts.GetAll in favor of ListOpts.GetSlice. docker/cli#6032
  • Remove deprecated IsAutomated formatting placeholder from docker search. docker/cli#6091
  • Remove fallback for pulling images from non-OCI-compliant docker.pkg.github.com registry. moby/moby#50094
  • Remove support for pulling legacy v2, schema 1 images and remove DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE environment-variable. moby/moby#50036, moby/moby#42300
  • The BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response were deprecated in API v1.48, and are now omitted in API v1.50. moby/moby#49904
  • errdefs: Deprecate errdefs.FromStatusCode. Use containerd's errhttp.ToNative instead. moby/moby#50030

28.1.1

2025-04-18

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix dockerd-rootless-setuptool.sh incorrectly reporting missing iptables. moby/moby#49833
  • containerd image store: Fix a potential daemon crash when using docker load with archives containing zero-size tar headers. moby/moby#49837

Packaging updates

Networking

  • Add a warning to a container's /etc/resolv.conf when no upstream DNS servers were found. moby/moby#49827

28.1.0

2025-04-17

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add docker bake sub-command as alias for docker buildx bake. docker/cli#5947
  • Experimental: add a new --use-api-socket flag on docker run and docker create to enable access to Docker socket from inside a container and to share credentials from the host with the container. docker/cli#5858
  • docker image inspect now supports a --platform flag to inspect a specific platform of a multi-platform image. docker/cli#5934

Bug fixes and enhancements

  • Add CLI shell-completion for context names. docker/cli#6016
  • Fix docker images --tree not including non-container images content size in the total image content size. docker/cli#6000
  • Fix docker load not preserving replaced images. moby/moby#49650
  • Fix docker login hints when logging in to a custom registry. docker/cli#6015
  • Fix docker stats not working properly on machines with high CPU core count. moby/moby#49734
  • Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964
  • Fix an issue preventing rootless Docker setup on a host with no ip_tables kernel module. moby/moby#49727
  • Fix an issue that could lead to unwanted iptables rules being restored and never deleted following a firewalld reload. moby/moby#49728
  • Improve CLI completion of docker service scale. docker/cli#5968
  • docker images --tree now hides both untagged and dangling images by default. docker/cli#5924
  • docker system info will provide an exit code if a connection cannot be established to the Docker daemon. docker/cli#5918
  • containerd image store: Fix image tag event not being emitted when building with BuildKit. moby/moby#49678
  • containerd image store: Improve docker push/pull handling of remote registry errors. moby/moby#49770
  • containerd image store: Show pull progress for non-layer image blobs. moby/moby#49746

Packaging updates

Networking

  • Fix a bug causing host port-mappings on Swarm containers to be duplicated on docker ps and docker inspect. moby/moby#49724
  • Fix an issue that caused container network attachment to fail with error "Bridge port not forwarding". moby/moby#49705
  • Fix an issue with removal of a --link from a container in the default bridge network. moby/moby#49778
  • Improve how network-endpoint relationships are tracked to reduce the chance of the "has active endpoints" error to be wrongfully returned. moby/moby#49736
  • Improve the "has active endpoints" error message by including the name of endpoints still connected to the network being deleted. moby/moby#49773

API

  • Update API version to v1.49. moby/moby#49718
  • GET /image/{name}/json now supports a platform parameter allowing to specify which platform variant of a multi-platform image to inspect. moby/moby#49586
  • GET /info now returns a FirewallBackend containing information about the daemon's firewalling configuration. moby/moby#49761

Go SDK

  • Update minimum required Go version to go1.23. docker/cli#5868
  • cli/command/context: remove temporary ContextType field from JSON output. docker/cli#5981
  • client: Keep image references in canonical format where possible. moby/moby#49609

Deprecations

  • API: Deprecated AllowNondistributableArtifactsCIDRs and AllowNondistributableArtifactsHostnames fields in the RegistryConfig struct in the GET /info response are omitted in API v1.49. moby/moby#49749
  • API: Deprecated: The ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint were deprecated in API v1.48, and are now omitted in API v1.49. moby/moby#48556
  • Go-SDK: cli/command/image: Deprecate RunPull: this function was only used internally and will be removed in the next release. docker/cli#5975
  • Go-SDK: cli/config/configfile: deprecate ConfigFile.Experimental field. Experimental CLI features are always enabled since version v20.10 and this field is no longer used. Use ConfigFile.Features instead for optional features. This field will be removed in a future release. docker/cli#5977
  • Go-SDK: deprecate pkg/archive, which was migrated to github.com/moby/go-archive. moby/moby#49743
  • Go-SDK: deprecate pkg/atomicwriter, which was migrated to github.com/moby/sys/atomicwriter. moby/moby#49748
  • Go-SDK: opts: remove deprecated PortOpt, ConfigOpt, SecretOpt aliases. docker/cli#5953
  • Go-SDK: registry: deprecate APIEndpoint.Official field. moby/moby#49706

28.0.4

2025-03-25

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964

28.0.3

2025-03-25

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix docker run truncating the STDOUT/STDERR prematurely when the container exits before the data is consumed. docker/cli#5957

Packaging updates

28.0.2

2025-03-19

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix CLI-specific attributes (docker.cli.*) being unintentionally passed to downstream OTel services. docker/cli#5842
  • Fix an issue where user-specified OTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist. docker/cli#5842
  • Fix the daemon failing to start on Windows when a container created before v28.0.0 was present. moby/moby#49626
  • Fix possible error on docker buildx prune with --min-free-space. moby/moby#49623
  • Fix spurious io: read/write on closed pipe error in the daemon log when closing a container. moby/moby#49590
  • Fix the Docker daemon failing too early if the containerd socket isn't immediately available. moby/moby#49603
  • Mask Linux thermal interrupt info in a container's /proc and /sys by default. moby/moby#49560
  • Update contrib/check-config.sh to check for more kernel modules related to iptables. moby/moby#49622
  • containerd image store: Fix integer overflow in User ID handling passed via --user. moby/moby#49652
  • containerd image store: Fix spurious reference for unknown type: application/vnd.in-toto+json warning being logged to the daemon's log. moby/moby#49652
  • containerd image store: Improve performance of docker ps when running a large number of containers. moby/moby#49365

Packaging updates

Networking

  • Add the environment variable DOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provide CONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptables raw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to 127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0. moby/moby#49621
  • Allow container startup when an endpoint is attached to a macvlan network driver where the parent interface is down. moby/moby#49630
  • Do not skip DNAT for packets originating in a gateway_mode=routed network. moby/moby#49577
  • Fix a bug causing docker ps to inconsistently report dual-stack port mappings. moby/moby#49657
  • Fix a bug that could cause docker-proxy to stop forwarding UDP datagrams to containers. moby/moby#49649
  • Fix a bug that was causing docker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly. moby/moby#49649

Go SDK

  • Move various types and consts from cli-plugins/manager to a separate package. docker/cli#5902
  • Update minimum required Go version to go1.23. moby/moby#49541
  • cli/command: Move PrettyPrint utility to cli/command/formatter. docker/cli#5916
  • runconfig/errors: split ErrConflictHostNetwork into ErrConflictConnectToHostNetwork and ErrConflictDisconnectFromHostNetwork. moby/moby#49605

Deprecations

  • Go-SDK: Deprecate cli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds the OTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release. docker/cli#5881
  • Go-SDK: Deprecate opts.PortOpt, opts.ConfigOpt and opts.SecretOpt. These types were moved to the opts/swarmopts package. docker/cli#5907
  • Go-SDK: Remove service/logs package. docker/cli#5910
  • Go-SDK: cli/command/image: Deprecate PushTrustedReference and move to cli/trust. docker/cli#5894
  • Go-SDK: cli/command/image: Deprecate and internalize TrustedPush. docker/cli#5894
  • Go-SDK: cli/command: deprecate Cli.NotaryClient: use trust.GetNotaryRepository instead. This method is no longer used and will be removed in the next release. docker/cli#5885
  • Go-SDK: cli/command: deprecate Cli.RegistryClient. This method was only used internally and will be removed in the next release. Use client.NewRegistryClient instead. docker/cli#5889, docker/cli#5889
  • Go-SDK: registry: Deprecate RepositoryInfo.Official field. moby/moby#49567
  • Go-SDK: registry: deprecate HostCertsDir: this function was only used internally and will be removed in the next release. moby/moby#49612
  • Go-SDK: registry: deprecate SetCertsDir: the cert-directory is now automatically selected when running with RootlessKit, and should no longer be set manually. moby/moby#49612

28.0.1

2025-02-26

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Networking

  • Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
    • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
  • Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
  • Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
  • Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
  • Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
  • Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
  • Improve the error reported when kernel modules ip_set, ip_set_hash_net and netilter_xt_set are not available. moby/moby#49524
  • Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
  • Update --help output and man page lo state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

  • Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
  • Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
  • Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
  • Fix regression protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
  • containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
  • containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
  • Fix compilation on i386 moby/moby#49526

Packaging updates

API

  • containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images moby/moby#49533
  • containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally moby/moby#49535

28.0.0

2025-02-19

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325
  • Fix an issue that prevented port publishing to link-local addresses. moby/moby#48570
  • UDP ports published by a container are now reliably accessible by containers on other networks, via the host's public IP address. moby/moby#48571
  • Docker will now only set the ip6tables policy for the FORWARD chain in the filter table to DROP if it enables IP forwarding on the host itself (sysctls net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). This is now aligned with existing IPv4 behaviour. moby/moby#48594
    • If IPv6 forwarding is enabled on your host, but you were depending on Docker to set the ip6tables filter-FORWARD policy to DROP, you may need to update your host's configuration to make sure it is secure.
  • Direct routed access to container ports that are not exposed using p/-publish is now blocked in the DOCKER iptables chain. moby/moby#48724
    • If the default iptables filter-FORWARD policy was previously left at ACCEPT on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
      • Publish the ports you need.
      • Use the new gateway_mode_ipv[46]=nat-unprotected, described below.
    • Container ports published to host addresses will continue to be accessible via those host addresses, using NAT or the userland proxy.
    • Unpublished container ports continue to be directly accessible from the Docker host via the container's IP address.
  • Networks created with gateway_mode_ipv[46]=routed are now accessible from other bridge networks running on the same Docker host, as well as from outside the host. moby/moby#48596
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode nat-unprotected. moby/moby#48597
    • nat-unprotected is similar to the default nat mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode isolated, when the network is also internal. moby/moby#49262
    • An address is normally assigned to the bridge device in an internal network. So, processes on the Docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, 0.0.0.0 or ::).
    • An internal bridge network created with gateway mode isolated does not have an address on the Docker host.
  • When a port mapping includes a host IP address or port number that cannot be used because NAT from the host is disabled using --gateway_mode_ipv[46], container creation will no longer fail. The unused fields may be needed if the gateway endpoint changes when networks are connected or disconnected. A message about the unused fields will be logged. moby/moby#48575
  • Do not create iptables nat-POSTROUTING masquerade rules for a container's own published ports, when the userland proxy is enabled. moby/moby#48854

IPv6

  • Add docker network create option --ipv4. To disable IPv4 address assignment for a network, use docker network create --ipv4=false [...]. docker/cli#5599
  • Daemon option --ipv6 ("ipv6": true in daemon.json) can now be used without fixed-cidr-v6. moby/moby#48319
  • IPAM now handles subnets bigger than "/64". moby/moby#49223
  • Duplicate address detection (DAD) is now disabled for addresses assigned to the bridges belonging to bridge networks. moby/moby#48609
  • Modifications to host-gateway, for compatibility with IPv6-only networks. moby/moby#48807
    • When special value host-gateway is used in an --add-host option in place of an address, it's replaced by an address on the Docker host to make it possible to refer to the host by name. The address used belongs to the default bridge (normally docker0). Until now it's always been an IPv4 address, because all containers on bridge networks had IPv4 addresses.
    • Now, if IPv6 is enabled on the default bridge network, /etc/hosts entries will be created for IPv4 and IPv6 addresses. So, a container that's only connected to IPv6-only networks can access the host by name.
    • The --host-gateway-ip option overrides the address used to replace host-gateway. Two of these options are now allowed on the command line, for one IPv4 gateway and one IPv6.
    • In the daemon.json file, to provide two addresses, use "host-gateway-ips". For example, "host-gateway-ips": ["192.0.2.1", "2001:db8::1111"].

Bug fixes and enhancements

  • Add IPv6 loopback address as an insecure registry by default. moby/moby#48540
  • Add support for Cobra-generated completion scripts for dockerd. moby/moby#49339
  • Fix DNS queries failing when containers are launched via systemd auto-start on boot moby/moby#48812
  • Fix Docker Swarm mode ignoring volume.subpath docker/cli#5833
  • Fix docker export continuing the export after the operation is canceled. moby/moby#49265
  • Fix docker export not releasing the container's writable layer after a failure. moby/moby#48517
  • Fix docker images --tree unnecessary truncating long image names when multiple names are available docker/cli#5757
  • Fix a bug where a container with a name matching another container's ID is not restored on daemon startup. moby/moby#48669
  • Fix an issue preventing some IPv6 addresses shown by docker ps to be properly bracketed docker/cli#5468
  • Fix bug preventing image pulls from being cancelled during docker run. docker/cli#5645
  • Fix error-handling when running the daemon as a Windows service to prevent unclean exits. moby/moby#48518
  • Fix issue causing output of docker run to be inconsistent when using --attach stdout or --attach stderr versus stdin. docker run --attach stdin now exits if the container exits. docker/cli#5662
  • Fix rootless Docker setup with subid backed by NSS modules. moby/moby#49036
  • Generated completion scripts from the CLI now show descriptions next to each command/flag suggestion. docker/cli#5756
  • IPv6 addresses shown by docker ps in port bindings are now bracketed docker/cli#5363
  • Implement the ports validation method for Compose docker/cli#5524
  • Improve error-output for invalid flags on the command line. docker/cli#5233
  • Improve errors when failing to start a container using anther container's network namespace. moby/moby#49367
  • Improve handling of invalid API errors that could result in an empty error message being shown. moby/moby#49373
  • Improve output and consistency for unknown (sub)commands and invalid arguments docker/cli#5234
  • Improve validation of exec-opts in daemon configuration. moby/moby#48979
  • Update the handling of the --gpus=0 flag to be consistent with the NVIDIA Container Runtime. moby/moby#48482
  • client.ContainerCreate now normalizes CapAdd and CapDrop fields in HostConfig to their canonical form. moby/moby#48551
  • docker image save now produces stable timestamps. moby/moby#48611
  • docker inspect now lets you inspect Swarm configs docker/cli#5573
  • containerd image store: Add support for Extracting layer status in docker pull. moby/moby#49064
  • containerd image store: Fix commit, import, and build not preserving a replaced image as a dangling image. moby/moby#48316
  • containerd image store: Make docker load --platform return an error when the requested platform isn't loaded. moby/moby#48718
  • Fix validation of --link option. docker/cli#5739
  • Add validation of network-diagnostic-port daemon configuration option. moby/moby#49305
  • Unless explicitly configured, an IP address is no longer reserved for a gateway in cases where it is not required. Namely, “internal” bridge networks with option com.docker.network.bridge.inhibit_ipv4, ipvlan or macvlan networks with no parent interface, and L3 IPvlan modes. moby/moby#49261
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372
  • Fixed an issue that meant a container could not be attached to an L3 IPvlan at the same time as other network types. moby/moby#49130
  • Remove the correct /etc/hosts entries when disconnecting a container from a network. moby/moby#48857
  • Fix duplicate network disconnect events. moby/moby#48800
  • Resolve issues related to changing fixed-cidr for docker0, and inferring configuration from a user-managed default bridge (--bridge). moby/moby#48319
  • Remove feature flag windows-dns-proxy, introduced in release 26.1.0 to control forwarding to external DNS resolvers from Windows containers, to make nslookup work. It was enabled by default in release 27.0.0. moby/moby#48738
  • Remove an iptables mangle rule for checksumming SCTP. The rule can be re-enabled by setting DOCKER_IPTABLES_SCTP_CHECKSUM=1 in the daemon's environment. This override will be removed in a future release. moby/moby#48149
  • Faster connection to bridge networks, in most cases. moby/moby#49302

Packaging updates

Go SDK

  • Improve validation of empty object IDs. The client now returns an "Invalid Parameter" error when trying to use an empty ID or name. This changes the error returned by some "Inspect" functions from a "Not found" error to an "Invalid Parameter". moby/moby#49381
  • Client.ImageBuild() now omits default values from the API request's query string. moby/moby#48651
  • api/types/container: Merge Stats and StatsResponse moby/moby#49287
  • client.WithVersion: Strip v-prefix when setting API version moby/moby#49352
  • client: Add WithTraceOptions allowing to specify custom OTe1 trace options. moby/moby#49415
  • client: Add HijackDialer interface. moby/moby#49388
  • client: Add SwarmManagementAPIClient interface to describe all API client methods related to Swarm-specific objects. moby/moby#49388
  • client: Add WithTraceOptions allowing to specify custom OTel trace options. moby/moby#49415
  • client: ImageHistory, ImageLoad and ImageSave now use variadic functional options moby/moby#49466
  • pkg/containerfs: Move to internal moby/moby#48097
  • pkg/reexec: Can now be used on platforms other than Linux, Windows, macOS and FreeBSD moby/moby#49118
  • api/types/container: introduce CommitResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444
  • api/types/container: introduce ExecCreateResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444

API

  • Update API version to v1.48 moby/moby#48476
  • GET /images/{name}/json response now returns the Manifests field containing information about the sub-manifests contained in the image index. This includes things like platform-specific manifests and build attestations. moby/moby#48264
  • POST /containers/create now supports Mount of type image for mounting an image inside a container. moby/moby#48798
  • GET /images/{name}/history now supports a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to show the history of. moby/moby#48295
  • POST /images/{name}/load and GET /images/{name}/get now supports a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to load/save. Not passing this parameter results in loading/saving the full multi-platform image. moby/moby#48295
  • Improve errors for invalid width/height on container resize and exec resize moby/moby#48679
  • The POST /containers/create endpoint now includes a warning in the response when setting the container-wide VolumeDriver option in combination with volumes defined through Mounts because the VolumeDriver option has no effect on those volumes. This warning was previously generated by the CLI. moby/moby#48789
  • containerd image store: GET /images/json and GET /images/{name}/json responses now includes Descriptor field, which contains an OCI descriptor of the image target. The new field is only populated if the daemon provides a multi-platform image store. moby/moby#48894
  • containerd image store: GET /containers/{name}/json now returns an ImageManifestDescriptor field containing the OCI descriptor of the platform-specific image manifest of the image that was used to create the container. moby/moby#48855
  • Add debug endpoints (GET /debug/vars, GET /debug/pprof/, GET /debug/pprof/cmdline, GET /debug/pprof/profile, GET /debug/pprof/symbol, GET /debug/pprof/trace, GET /debug/pprof/{name}) are now also accessible through the versioned-API paths (/v<API-version>/<endpoint>). moby/moby#49051
  • Fix API returning a 500 status code instead of 400 for validation errors. moby/moby#49217
  • Fix status codes for archive endpoints HEAD /containers/{name:.*}/archive, GET /containers/{name:.*}/archive, PUT /containers/{name:.*}/archive returning a 500 status instead of a 400 status. moby/moby#49219
  • POST /containers/create now accepts a writable-cgroups=true option in HostConfig.SecurityOpt to mount the container's cgroups writable. This provides a more granular approach than HostConfig.Privileged. moby/moby#48828
  • POST /build/prune renames keep-bytes to reserved-space and now supports additional prune parameters max-used-space and min-free-space. moby/moby#48720
  • POST /networks/create now has an EnableIPv4 field. Setting it to false disables IPv4 IPAM for the network. moby/moby#48271
    • GET /networks/{id} now returns an EnableIPv4 field showing whether the network has IPv4 IPAM enabled. moby/moby#48271
    • User-defined bridge networks require either IPv4 or IPv6 address assignment to be enabled. IPv4 cannot be disabled for the default bridge network (docker0). moby/moby#48323
    • macvlan and ipvlan networks can be created with address assignment disabled for IPv4, IPv6, or both address families. moby/moby#48299
    • IPv4 cannot be disabled for Windows or Swarm networks. moby/moby#48278
  • Add a way to specify which network should provide the default gateway for a container. moby/moby#48936
    • POST /networks/{id}/connect and POST /containers/create now accept a GwPriority field in EndpointsConfig. This value is used to determine which network endpoint provides the default gateway for the container. The endpoint with the highest priority is selected. If multiple endpoints have the same priority, endpoints are sorted lexicographically by their network name, and the one that sorts first is picked. moby/moby#48746
    • GET /containers/json now returns a GwPriority field in NetworkSettings for each network endpoint. The GwPriority field is used by the CLI’s new gw-priority option for docker run and docker network connect. moby/moby#48746
  • Settings for eth0 in --sysctl options are no longer automatically migrated to the network endpoint. moby/moby#48746
    • For example, in the Docker CLI, docker run --network mynet --sysctl net.ipv4.conf.eth0.log_martians=1 ... is rejected. Instead, you must use docker run --network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1 ...
  • GET /containers/json now returns an ImageManifestDescriptor field matching the same field in /containers/{name}/json. This field is only populated if the daemon provides a multi-platform image store. moby/moby#49407

Removed

  • The Fluent logger option fluentd-async-connect has been deprecated in v20.10 and is now removed. moby/moby#46114
  • The --time option on docker stop and docker restart is deprecated and renamed to --timeout. docker/cli#5485
  • Go-SDK: pkg/ioutils: Remove NewReaderErrWrapper as it was never used. moby/moby#49258
  • Go-SDK: pkg/ioutils: Remove deprecated BytesPipe, NewBytesPipe, ErrClosed, WriteCounter, NewWriteCounter, NewReaderErrWrapper, NopFlusher. moby/moby#49245
  • Go-SDK: pkg/ioutils: Remove deprecated NopWriter and NopWriteCloser. moby/moby#49256
  • Go-SDK: pkg/sysinfo: Remove deprecated NumCPU. moby/moby#49242
  • Go-SDK: Remove pkg/broadcaster, as it was only used internally moby/moby#49172
  • Go-SDK: Remove deprecated cli.Errors type docker/cli#5549
  • Remove pkg/ioutils.ReadCloserWrapper, as it was only used in tests. moby/moby#49237
  • Remove deprecated api-cors-header config parameter and the dockerd --api-cors-header option moby/moby#48209
  • Remove deprecated APIEndpoint.Version field, APIVersion type, and APIVersion1 and APIVersion2 consts. moby/moby#49004
  • Remove deprecated api-cors-header config parameter and the Docker daemon's --api-cors-header option. docker/cli#5437
  • Remove deprecated pkg/directory package moby/moby#48779
  • Remove deprecated pkg/dmsg.Dmesg() moby/moby#48109
  • Remove deprecated image/spec package, which was moved to a separate module (github.com/moby/docker-image-spec) moby/moby#48460
  • Remove migration code and errors for the deprecated logentries logging driver. moby/moby#48891
  • Remove support for deprecated external graph-driver plugins. moby/moby#48072
  • api/types: Remove deprecated container.ContainerNode and ContainerJSONBase.Node field. moby/moby#48107
  • api/types: Remove deprecated aliases: ImagesPruneReport, VolumesPruneReport, NetworkCreateRequest, NetworkCreate, NetworkListOptions, NetworkCreateResponse, NetworkInspectOptions, NetworkConnect, NetworkDisconnect, EndpointResource, NetworkResource, NetworksPruneReport, ExecConfig, ExecStartCheck, ContainerExecInspect, ContainersPruneReport, ContainerPathStat, CopyToContainerOptions, ContainerStats, ImageSearchOptions, ImageImportSource, ImageLoadResponse, ContainerNode. moby/moby#48107
  • libnetwork/iptables: Remove deprecated IPV, Iptables, IP6Tables and Passthrough(). moby/moby#49121
  • pkg/archive: Remove deprecated CanonicalTarNameForPath, NewTempArchive, TempArchive moby/moby#48708
  • pkg/fileutils: Remove deprecated GetTotalUsedFds moby/moby#49210
  • pkg/ioutils: Remove OnEOFReader, which was only used internally moby/moby#49170
  • pkg/longpath: Remove deprecated Prefix constant. moby/moby#48779
  • pkg/stringid: Remove deprecated IsShortID and ValidateID functions moby/moby#48705
  • runconfig/opts: Remove deprecated ConvertKVStringsToMap moby/moby#48102
  • runconfig: Remove deprecated ContainerConfigWrapper, SetDefaultNetModeIfBlank, DefaultDaemonNetworkMode, IsPreDefinedNetwork moby/moby#48102
  • container: Remove deprecated ErrNameReserved, ErrNameNotReserved. moby/moby#48728
  • Remove Daemon.ContainerInspectCurrent() method and change Daemon.ContainerInspect() signature to accept a backend.ContainerInspectOptions struct moby/moby#48672
  • Remove deprecated Daemon.Exists() and Daemon.IsPaused() methods. moby/moby#48723

Deprecations

  • API: The BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response are now always be false and will be omitted in API v1.49. The netfilter module is now loaded on-demand, and no longer during daemon startup, making these fields obsolete. moby/moby#49114
  • API: The error and progress fields in streaming responses for endpoints that return a JSON progress response, such as POST /images/create, POST /images/{name}/push, and POST /build are deprecated. moby/moby#49447
    • Users should use the information in the errorDetail and progressDetail fields instead.
    • These fields were marked deprecated in API v1.4 (docker v0.6.0) and API v1.8 (docker v0.7.1) respectively, but still returned.
    • These fields will be left empty or will be omitted in a future API version.
  • Deprecate Daemon.Register(). This function is unused and will be removed in the next release. moby/moby#48702
  • Deprecate client.ImageInspectWithRaw function in favor of the new client.ImageInspect. moby/moby#48264
  • Deprecate daemon/config.Config.ValidatePlatformConfig(). This method was used as helper for config.Validate, which should be used instead. moby/moby#48985
  • Deprecate pkg/reexec. This package is deprecated and moved to a separate module. Use github.com/moby/sys/reexec instead. moby/moby#49129
  • Deprecate configuration for pushing non-distributable artifacts docker/cli#5724
  • Deprecate the --allow-nondistributable-artifacts daemon flag and corresponding allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take an effect, but a deprecation warning log is added. moby/moby#49065
  • Deprecate the RegistryConfig.AllowNondistributableArtifactsCIDRs and RegistryConfig.AllowNondistributableArtifactsHostnames fields in the GET /info API response. For API version v1.48 and older, the fields are still included in the response, but always null. In API version v1.49 and later, the field will be omitted entirely. moby/moby#49065
  • Go-SDK: Deprecate registry.ServiceOptions.AllowNondistributableArtifacts field. moby/moby#49065
  • Go-SDK: The BridgeNfIptables, BridgeNfIp6tables fields in api/types/system.Info and BridgeNFCallIPTablesDisabled, BridgeNFCallIP6TablesDisabled fields in pkg/sysinfo.SysInfo are deprecated and will be removed in the next release. moby/moby#49114
  • Go-SDK: client: Deprecate CommonAPIClient interface in favor of the APIClient interface. The CommonAPIClient will be changed to an alias for APIClient in the next release, and removed in the release after. moby/moby#49388
  • Go-SDK: client: Deprecate ErrorConnectionFailed helper. This function was only used internally, and will be removed in the next release. moby/moby#49389
  • Go-SDK: pkg/ioutils: Deprecate NewAtomicFileWriter, AtomicWriteFile, AtomicWriteSet, NewAtomicWriteSet in favor of pkg/atomicwriter equivalents. moby/moby#49171
  • Go-SDK: pkg/sysinfo: Deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. moby/moby#49241
  • Go-SDK: pkg/system: Deprecate MkdirAll. This function provided custom handling for Windows GUID volume paths. Handling for such paths is now supported by Go standard library in go1.22 and newer, and this function is now an alias for os.MkdirAll, which should be used instead. This alias will be removed in the next release. moby/moby#49162
  • Go-SDK: Deprecate pkg/parsers.ParseKeyValueOpt. moby/moby#49177
  • Go-SDK: Deprecate pkg/parsers.ParseUintListMaximum, pkg/parsers.ParseUintList. These utilities were only used internally and will be removed in the next release. moby/moby#49222
  • Go-SDK: Deprecate api/type.IDResponse in favor of container.CommitResponse and container.ExecCreateResponse, which are currently an alias, but may become distinct types in a future release. This type will be removed in the next release. moby/moby#49446
  • Go-SDK: Deprecate api/types/container.ContainerUpdateOKBody in favor of UpdateResponse. This type will be removed in the next release. moby/moby#49442
  • Go-SDK: Deprecate api/types/container.ContainerTopOKBody in favor of TopResponse. This type will be removed in the next release. moby/moby#49442
  • Go-SDK: pkg/jsonmessage: Fix deprecation of ProgressMessage, ErrorMessage, which were deprecated in Docker v0.6.0 and v0.7.1 respectively. moby/moby#49447
  • Move GraphDriverData from api/types to api/types/storage. The old type is deprecated and will be removed in the next release. moby/moby#48108
  • Move RequestPrivilegeFunc from api/types to api/types/registry. The old type is deprecated and will be removed in the next release. moby/moby#48119
  • Move from api/types to api/types/container - NetworkSettings, NetworkSettingsBase, DefaultNetworkSettings, SummaryNetworkSettings, Health, HealthcheckResult, NoHealthcheck, Starting, Healthy, and Unhealthy constants, MountPoint, Port, ContainerState, Container, ContainerJSONBase, ContainerJSON, ContainerNode. The old types are deprecated and will be removed in the next release. moby/moby#48108
  • Move from api/types to api/types/image - ImageInspect, RootFS. The old types are deprecated and will be removed in the next release. moby/moby#48108
  • ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint are deprecated and will be omitted in API v1.49. moby/moby#48478
  • api/types/registry: Deprecate ServiceConfig.AllowNondistributableArtifactsCIDRs and ServiceConfig.AllowNondistributableArtifactsHostnames fields. These fields will be removed in the next release. moby/moby#49065
  • api/types/system/Commit.Expected field is deprecated and should no longer be used. moby/moby#48478
  • daemon/graphdriver: Deprecate GetDriver() moby/moby#48079
  • libnetwork/iptables: Deprecate Passthrough. This function was only used internally, and will be removed in the next release. moby/moby#49115
  • pkg/directory.Size() function is deprecated, and will be removed in the next release. moby/moby#48057
  • registry: Deprecate APIEndpoint.TrimHostName; hostname is now trimmed unconditionally for remote names. This field will be removed in the next release. moby/moby#49005
  • allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take effect, but a deprecation warning log is added to raise awareness about the deprecation. This warning is planned to become an error in the next release. moby/moby#49065