Docker Engine 25.0 release notes
This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 25.0.
For more information about:
- Deprecated and removed features, see Deprecated Engine Features.
- Changes to the Engine API, see Engine API version history.
25.0.5
2024-03-19For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Security
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
Bug fixes and enhancements
CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
rootless: fix
open /etc/docker/plugins: permission denied
. moby/moby#47587Fix multiple parallel
docker build
runs leaking disk space. moby/moby#47527
25.0.4
2024-03-07For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
- Fix
docker start
failing when used with--checkpoint
moby/moby#47466 - Don't enforce new validation rules for existing swarm networks moby/moby#47482
- Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
- Fix a regression introduced in v25.0 that prevented the classic builder from adding tar archive with
xattrs
created on a non-Linux OS moby/moby#47483 - containerd image store: Fix image pull not emitting
Pulling fs layer status
moby/moby#47484 - API: To preserve backwards compatibility, make read-only mounts non-recursive by default when using older clients (API versions < v1.44). moby/moby#47393
- API:
GET /images/{id}/json
omits theCreated
field (previously it was0001-01-01T00:00:00Z
) if theCreated
field was missing from the image config. moby/moby#47451 - API: Populate a missing
Created
field inGET /images/{id}/json
with0001-01-01T00:00:00Z
for API versions <= 1.43. moby/moby#47387 - API: Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
- API: Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but
NetworkMode
name or id is not the same as the name or id used inNetworkSettings.Networks
. moby/moby#47510
Packaging updates
- Upgrade Go runtime to 1.21.8. moby/moby#47503
- Upgrade RootlessKit to v2.0.2. moby/moby#47508
- Upgrade Compose to v2.24.7. docker/docker-ce-packaging#998
- Upgrade Buildx to v0.13.0. docker/docker-ce-packaging#997
25.0.3
2024-02-06For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
containerd image store: Fix a bug where
docker image history
would fail if a manifest wasn't found in the content store. moby/moby#47348Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304
Note
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
- Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.
Fix
docker save <image>@<digest>
producing an OCI archive with index without manifests. moby/moby#47294Fix a bug preventing bridge networks from being created with an MTU higher than 1500 on RHEL and CentOS 7. moby/moby#47308, moby/moby#47311
Fix a bug where containers are unable to communicate over an
internal
network. moby/moby#47303Fix a bug where the value of the
ipv6
daemon option was ignored. moby/moby#47310Fix a bug where trying to install a pulling using a digest revision would cause a panic. moby/moby#47323
Fix a potential race condition in the managed containerd supervisor. moby/moby#47313
Fix an issue with the
journald
log driver preventing container logs from being followed correctly with systemd version 255. moby/moby#47243seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd. moby/moby#47341
Windows: Fix cache not being used when building images based on Windows versions older than the host's version. moby/moby#47307, moby/moby#47337
Packaging updates
- Removed support for Ubuntu Lunar (23.04). docker/ce-packaging#986
25.0.2
2024-01-31For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Security
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
CVE | Component | Fix version | Severity |
---|---|---|---|
CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
CVE-2024-23651 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23652 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23653 | BuildKit | 1.12.5 | High, CVSS 7.7 |
CVE-2024-23650 | BuildKit | 1.12.5 | Medium, CVSS 5.5 |
CVE-2024-24557 | Docker Engine | 25.0.2 | Medium, CVSS 6.9 |
The potential impacts of the above vulnerabilities include:
- Unauthorized access to the host filesystem
- Compromising the integrity of the build cache
- In the case of CVE-2024-21626, a scenario that could lead to full container escape
For more information about the security issues addressed in this release, refer to the blog post. For details about each vulnerability, see the relevant security advisory:
Packaging updates
- Upgrade containerd to v1.6.28.
- Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280
- Upgrade runc to v1.1.12. moby/moby#47269
- Upgrade Compose to v2.24.5. docker/docker-ce-packaging#985
- Upgrade BuildKit to v0.12.5. moby/moby#47273
25.0.1
2024-01-23For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
- API: Fix incorrect HTTP status code for containers with an invalid network configuration created before upgrading to Docker Engine v25.0. moby/moby#47159
- Ensure that a MAC address based on a container's IP address is re-generated when the container is stopped and restarted, in case the generated IP/MAC addresses have been reused. moby/moby#47171
- Fix
host-gateway-ip
not working during build when not set through configuration. moby/moby#47192 - Fix a bug that prevented a container from being renamed twice. moby/moby#47196
- Fix an issue causing containers to have their short ID added to their network alias when inspecting them. moby/moby#47182
- Fix an issue in detecting whether a remote build context is a Git repository. moby/moby#47136
- Fix an issue with layers order in OCI manifests. moby/moby#47150
- Fix volume mount error when passing an
addr
orip
mount option. moby/moby#47185 - Improve error message related to extended attributes that can't be set due to improperly namespaced attribute names. moby/moby#47178
- Swarm: Fixed
start_interval
not being passed to the container config. moby/moby#47163
Packaging updates
- Upgrade Compose to
2.24.2
. docker/docker-ce-packaging#981
25.0.0
2024-01-19For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Note
In earlier versions of Docker Engine, recursive mounts (submounts) would always be mounted as writable, even when specifying a read-only mount. This behavior has changed in v25.0.0, for hosts running on kernel version 5.12 or later. Now, read-only bind mounts are recursively read-only by default.
To get the same behavior as earlier releases, you can specify the
bind-recursive
option for the--mount
flag.$ docker run --mount type=bind,src=SRC,dst=DST,readonly,bind-recursive=writable IMAGE
This option isn't supported with the
-v
or--volume
flag. For more information, see Recursive mounts.
New
The daemon now uses systemd's default
LimitNOFILE
. In earlier versions of Docker Engine, this limit was set toinfinity
. This would cause issues with recent versions of systemd, where the hard limit was increased, causing programs that adjusted their behaviors based on ulimits to consume a high amount of memory. moby/moby#45534The new setting makes containers behave the same way as programs running on the host, but may cause programs that make incorrect assumptions based on the soft limit to misbehave. To get the previous behavior, you can set
LimitNOFILE=1048576
.This change currently only affects build containers created with
docker build
when using BuildKit with thedocker
driver. Future versions of containerd will also use this limit, which will cause this behavior to affect all containers, not only build containers.If you're experiencing issues with the higher ulimit in systemd v240 or later, consider adding a system
drop-in
oroverride
file to configure the ulimit settings for your setup. The Flatcar Container Linux documentation has a great article covering this topic in detail.Add OpenTelemetry tracing. moby/moby#45652, moby/moby#45579
Add support for CDI devices under Linux. moby/moby#45134, docker/cli#4510, moby/moby#46004
Add an additional interval to be used by healthchecks during the container start period. moby/moby#40894, docker/cli#4405, moby/moby#45965
Add a
--log-format
flag todockerd
to control the logging format: text (default) or JSON. moby/moby#45737Add support for recursive read-only mounts. moby/moby#45278, moby/moby#46037
Add support for filtering images based on timestamp with
docker image ls --filter=until=<timestamp>
. moby/moby#46577
Bug fixes and enhancements
- API: Fix error message for invalid policies at
ValidateRestartPolicy
. moby/moby#46352 - API: Update
/info
endpoint to use singleflight. moby/moby#45847 - Add an error message for when specifying a Dockerfile filename with
-f
, and also usingstdin
. docker/cli#4346 - Add support for
mac-address
andlink-local-ip
fields in--network
long format. docker/cli#4419 - Add support for specifying multiple
--network
flags withdocker container create
anddocker run
. moby/moby#45906 - Automatically enable IPv6 on a network when an IPv6 subnet is specified. moby/moby#46455
- Add support for overlay networks over IPv6 transport. moby/moby#46790
- Configuration reloading is now more robust: if there's an error during the configuration reload process, no configuration changes are applied. moby/moby#43980
- Live restore: Containers with auto remove (
docker run --rm
) are no longer forcibly removed on engine restart. moby/moby#46857 - Live restore: containers that are live-restored will now be given another health-check start period when the daemon restarts. moby/moby#47051
- Container health status is flushed to disk less frequently, reducing wear on flash storage. moby/moby#47044
- Ensure network names are unique. moby/moby#46251
- Ensure that overlay2 layer metadata is correct. moby/moby#46471
- Fix
Downloading
progress message on image pull. moby/moby#46515 - Fix
NetworkConnect
andContainerCreate
with improved data validation, and return all validation errors at once. moby/moby#46183 - Fix
com.docker.network.host_ipv4
option when IPv6 and ip6tables are enabled. moby/moby#46446 - Fix daemon's
cleanupContainer
if containerd is stopped. moby/moby#46213 - Fix returning incorrect HTTP status codes for libnetwork errors. moby/moby#46146
- Fix various issues with images/json API filters and image list. moby/moby#46034
- CIFS volumes now resolves FQDN correctly. moby/moby#46863
- Improve validation of the
userland-proxy-path
daemon configuration option. Validation now happens during daemon startup, instead of producing an error when starting a container with port-mapping. moby/moby#47000 - Set the MAC address of container's interface when network mode is a short network ID. moby/moby#46406
- Sort unconsumed build arguments before display in build output. moby/moby#45917
- The
docker image save
tarball output is now OCI compliant. moby/moby#44598 - The daemon no longer appends
ACCEPT
rules to the end of theINPUT
iptables chain for encrypted overlay networks. Depending on firewall configuration, a rule may be needed to permit incoming encrypted overlay network traffic. moby/moby#45280 - Unpacking layers with extended attributes onto an incompatible filesystem will now fail instead of silently discarding extended attributes. moby/moby#45464
- Update daemon MTU option to BridgeConfig and display warning on Windows. moby/moby#45887
- Validate IPAM config when creating a network. Automatically fix networks created prior to this release where
--ip-range
is larger than--subnet
. moby/moby#45759 - Containers connected only to internal networks will now have no default route set, making the
connect
syscall fail-fast. moby/moby#46603 - containerd image store: Add image events for
push
,pull
, andsave
. moby/moby#46405 - containerd image store: Add support for pulling legacy schema1 images. moby/moby#46513
- containerd image store: Add support for pushing all tags. moby/moby#46485
- containerd image store: Add support for registry token. moby/moby#46475
- containerd image store: Add support for showing the number of containers that use an image. moby/moby#46511
- containerd image store: Fix a bug related to the
ONBUILD
,MAINTAINER
, andHEALTHCHECK
Dockerfile instructions. moby/moby#46313 - containerd image store: Fix
Pulling from
progress message. moby/moby#46494 - containerd image store: Add support for referencing images via the truncated ID with
sha256:
prefix. moby/moby#46435 - containerd image store: Fix
docker images
showing intermediate layers by default. moby/moby#46423 - containerd image store: Fix checking if the specified platform exists when getting an image. moby/moby#46495
- containerd image store: Fix errors when multiple
ADD
orCOPY
instructions were used with the classic builder. moby/moby#46383 - containerd image store: Fix stack overflow errors when importing an image. moby/moby#46418
- containerd image store: Improve
docker pull
progress output. moby/moby#46412 - containerd image store: Print the tag, digest, and size after pushing an image. moby/moby#46384
- containerd image store: Remove panic from
UpdateConfig
. moby/moby#46433 - containerd image store: Return an error when an image tag resembles a digest. moby/moby#46492
- containerd image store:
docker image ls
now shows the correct image creation time and date. moby/moby#46719 - containerd image store: Fix an issue handling user namespace settings. moby/moby#46375
- containerd image store: Add support for pulling all tags (
docker pull -a
). moby/moby#46618 - containerd image store: Use the domain name in the image reference as the default registry authentication domain. moby/moby#46779
Packaging updates
- Upgrade API to v1.44. moby/moby#45468
- Upgrade Compose to
2.24.1
. docker/docker-ce-packaging#980 - Upgrade containerd to v1.7.12 (static binaries only). moby/moby#47070
- Upgrade Go runtime to 1.21.6. moby/moby#47053
- Upgrade runc to v1.1.11. moby/moby#47007
- Upgrade BuildKit to v0.12.4. moby/moby#46882
- Upgrade Buildx to v0.12.1. docker/docker-ce-packaging#979
Removed
- API: Remove VirtualSize field for the
GET /images/json
andGET /images/{id}/json
endpoints. moby/moby#45469 - Remove deprecated
devicemapper
storage driver. moby/moby#43637 - Remove deprecated orchestrator options. docker/cli#4366
- Remove support for Debian Upstart init system. moby/moby#45548, moby/moby#45551
- Remove the
--oom-score-adjust
daemon option. moby/moby#45484 - Remove warning for deprecated
~/.dockercfg
file. docker/cli#4281 - Remove
logentries
logging driver. moby/moby#46925
Deprecated
- Deprecate API versions older than 1.24. Deprecation notice
- Deprecate
IsAutomated
field andis-automated
filter fordocker search
. Deprecation notice - API: Deprecate
Container
andContainerConfig
properties for/images/{id}/json
(docker image inspect
). moby/moby#46939
Known limitations
Extended attributes for tar files
In this release, the code that handles tar
archives was changed to be more
strict and to produce an error when failing to write extended attributes
(xattr
). The tar
implementation for macOS generates additional extended
attributes by default when creating tar files. These attribute prefixes aren't
valid Linux xattr
namespace prefixes, which causes an error when Docker
attempts to process these files. For example, if you try to use a tar file with
an ADD
Dockerfile instruction, you might see an error message similar to the
following:
failed to solve: lsetxattr /sftp_key.ppk: operation not supported
Error messages related to extended attribute validation were improved to
include more context in
v25.0.1, but the limitation in Docker being
unable to process the files remains. Tar files created with the macOS tar
using default arguments will produce an error when the tar file is used with
Docker.
As a workaround, if you need to use tar files with Docker generated on macOS, you can either:
Use the
--no-xattr
flag for the macOStar
command to strip all the extended attributes. If you want to preserve extended attributes, this isn't a recommended option.Install and use
gnu-tar
to create the tarballs on macOS instead of the defaulttar
implementation. To installgnu-tar
using Homebrew:$ brew install gnu-tar
After installing, add the
gnu-tar
binary to yourPATH
, for example by updating your.zshrc
file:$ echo 'PATH="/opt/homebrew/opt/gnu-tar/libexec/gnubin:$PATH"' >> ~/.zshrc $ source ~/.zshrc