content/manuals/engine/release-notes/20.10.md
This document describes the latest changes, additions, known issues, and fixes for Docker Engine version 20.10.
{{< release-date date="2023-04-04" >}}
- xt_bpf kernel module.

{{< release-date date="2023-01-19" >}}
This release of Docker Engine contains updated versions of Docker Compose, Docker Buildx, containerd, and some minor bug fixes and enhancements.
- containerd.io package) to v1.6.15.
- docker-compose-cli to allow distribution version updates docker/docker-ce-packaging#822.
- Fix an issue where `docker build` would fail when using `--add-host=host.docker.internal:host-gateway` with BuildKit enabled moby/moby#44650.
- Revert "seccomp: block socket calls to AF_VSOCK in default profile" moby/moby#44712.

  This change, while favorable from a security standpoint, caused a change in behavior for some use-cases. As such, we are reverting it to ensure stability and compatibility for the affected users.

  However, users of AF_VSOCK in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like containers communicating directly with host hypervisors.

  Future releases will filter AF_VSOCK. Users who need to allow containers to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a custom seccomp profile.
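Because the default profile no longer filters AF_VSOCK after this revert, an operator who wants the stricter behaviour back has to ship a custom seccomp profile. The following is an added example, not code from the Docker or Moby projects: it audits a profile for how it treats `socket(AF_VSOCK, ...)` and produces a hardened copy. It assumes the JSON layout Docker accepts for custom profiles (`defaultAction`, a `syscalls` list of `names`/`action`/`args` rules with `SCMP_CMP_*` operators) and uses a deliberately tiny constructed profile; the errno and the rule-resolution model are simplifications noted in the comments.

```python
"""Audit a Docker seccomp profile for AF_VSOCK socket calls and harden it.

Added example; this is not code from the Docker/Moby project. It assumes
the JSON layout Docker accepts for custom seccomp profiles (defaultAction,
a syscalls list of {names, action, args} rules, args compared with
SCMP_CMP_* operators) and builds a deliberately tiny profile inline.
"""
import copy
import json

# Linux address-family numbers (from <sys/socket.h> / <linux/vm_sockets.h>)
AF_UNIX = 1
AF_INET = 2
AF_VSOCK = 40

# Constructed sample profile: socket() is allowed for every family, which is
# the situation the revert above restores. A real profile lists many more
# syscalls; only the socket-related rules matter for this check.
PERMISSIVE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["socket", "bind", "connect", "listen"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def _arg0_matches(arg, family):
    """Evaluate one args[] entry against the socket() domain argument."""
    if arg.get("index") != 0:
        raise NotImplementedError("only the domain argument (index 0) is modelled")
    op, value = arg["op"], arg["value"]
    if op == "SCMP_CMP_EQ":
        return family == value
    if op == "SCMP_CMP_NE":
        return family != value
    raise NotImplementedError(f"operator {op} not modelled")


def socket_allowed_for(profile, family):
    """Does the profile let a container call socket(family, ...)?

    Argument-filtered rules are consulted first, then an unconditional
    socket rule, then defaultAction. This is a simplified model of
    libseccomp's rule resolution that is exact for the profiles built here.
    """
    unconditional = None
    for rule in profile["syscalls"]:
        if "socket" not in rule.get("names", []):
            continue
        args = rule.get("args") or []
        if not args:
            unconditional = rule
            continue
        if all(_arg0_matches(a, family) for a in args):
            return rule["action"] == "SCMP_ACT_ALLOW"
    if unconditional is not None:
        return unconditional["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def restrict_vsock(profile):
    """Return a copy of profile that rejects socket(AF_VSOCK, ...).

    The unconditional "socket" entry is removed and replaced with an allow
    rule whose domain argument must differ from AF_VSOCK, so AF_VSOCK falls
    through to defaultAction (ERRNO) instead of competing with a blanket
    allow. Profiles that already carry an argument-filtered socket rule are
    left as they are.
    """
    hardened = copy.deepcopy(profile)
    kept = []
    for rule in hardened["syscalls"]:
        names = rule.get("names", [])
        if "socket" in names and not rule.get("args"):
            remaining = [n for n in names if n != "socket"]
            if remaining:
                kept.append({**rule, "names": remaining})
            continue
        kept.append(rule)
    if not any("socket" in r.get("names", []) for r in kept):
        kept.append({
            "names": ["socket"],
            "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": AF_VSOCK, "valueTwo": 0, "op": "SCMP_CMP_NE"}],
        })
    hardened["syscalls"] = kept
    return hardened


if __name__ == "__main__":
    # Emit the hardened profile; load it with --security-opt seccomp=<file>.
    print(json.dumps(restrict_vsock(PERMISSIVE_PROFILE), indent=2))
```

The hardening replaces the blanket `socket` allow with an argument-filtered one rather than stacking a deny rule on top of it, so that the outcome does not depend on how overlapping rules for the same syscall are ordered. Apply the same transformation to a copy of the full default profile before passing it to `--security-opt seccomp=`, and keep `socket_allowed_for` as a regression check in whatever pipeline builds the profile.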
{{< release-date date="2022-12-16" >}}
This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, and some minor bug fixes and enhancements.
- containerd.io package) to v1.6.13, to include a fix for CVE-2022-23471.
- `ssh: parse error in message type 27` errors during `docker build` on hosts using OpenSSH 8.9 or above moby/moby#3862.
- AF_VSOCK in default profile moby/moby#44564.

{{< release-date date="2022-10-25" >}}
This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, containerd, added packages for Ubuntu 22.10, and some minor bug fixes and enhancements.
- allow-nondistributable-artifacts towards Docker Hub moby/moby#44313.
- containerd.io package) to v1.6.9.
- `output clipped, log limit 1MiB reached` errors moby/moby#44339.
- `--platform` in bash completion docker/cli#3824.
- `Invalid standard handle identifier` panic when registering the Docker Engine as a service from a legacy CLI on Windows moby/moby#44326.

{{< release-date date="2022-10-18" >}}
This release of Docker Engine contains partial mitigations for a Git vulnerability (CVE-2022-39253), and has updated handling of `image:tag@digest` image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into the resulting containers/images; this can occur both in the daemon and in API clients, depending on the versions and tools in use.

The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build from a Git URL context (e.g. `git+protocol://`). As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulnerability. Further details are available from the GitHub blog ("Git security vulnerabilities announced").
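The repository check that the Daemon note just below describes for `image:tag@digest` pulls, shown as an added example rather than Docker's implementation: the legacy resolver returns any local image whose digest matches, ignoring the name, while the corrected resolver refuses a digest that was pulled under a different repository. The reference grammar is a simplified form of Docker's (no registry port), name expansion follows the documented `docker.io/library` defaults, and the local image store and its digests are constructed placeholders.

```python
"""Pull-by-digest resolution: legacy behaviour beside the repository check.

Added example, not Docker's code. The reference grammar is a simplified
form of Docker's (registry host without port, path, optional tag, optional
sha256 digest), name normalisation follows Docker's documented defaults
(docker.io/library for bare names), and the local image store is
constructed inline with placeholder digests.
"""
import re

_REF = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?(?:/[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


class RepositoryMismatch(Exception):
    """The digest is local but was pulled under a different repository."""


def normalize_name(name):
    """Expand short names the way the CLI does: alpine -> docker.io/library/alpine."""
    parts = name.split("/")
    first = parts[0]
    if len(parts) == 1:
        return f"docker.io/library/{name}"
    if "." not in first and first != "localhost":
        return f"docker.io/{name}"
    return name


def parse_reference(ref):
    """Split name[:tag][@digest] into its parts; raise ValueError if malformed."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"invalid reference: {ref!r}")
    return {
        "name": normalize_name(m.group("name")),
        "tag": m.group("tag"),
        "digest": m.group("digest"),
    }


# Constructed local image store keyed by digest; repo_digests records the
# repositories an image was actually pulled from (what `docker inspect`
# reports as RepoDigests). Digests are placeholders, not real images.
DIGEST_ALPINE = "sha256:" + "a1" * 32
DIGEST_UNKNOWN = "sha256:" + "b2" * 32
IMAGE_STORE = {
    DIGEST_ALPINE: {"id": "img-local-1", "repo_digests": {"docker.io/library/alpine"}},
}


def resolve_legacy(ref, store=IMAGE_STORE):
    """Pre-fix behaviour: a digest that is already local wins, name and tag ignored."""
    r = parse_reference(ref)
    if r["digest"] is None:
        return None  # tag-only pull, outside this example
    entry = store.get(r["digest"])
    return entry["id"] if entry else None


def resolve(ref, store=IMAGE_STORE):
    """Fixed behaviour: the digest must belong to the repository named in the reference.

    Returns the local image id, None if the digest is not local (a pull is
    needed), and raises RepositoryMismatch when a local image with that
    digest was pulled from another repository.
    """
    r = parse_reference(ref)
    if r["digest"] is None:
        return None
    entry = store.get(r["digest"])
    if entry is None:
        return None
    if r["name"] not in entry["repo_digests"]:
        raise RepositoryMismatch(
            f"image with digest {r['digest']} does not belong to repository {r['name']}"
        )
    return entry["id"]
```

The point of the check is visible in the two resolvers: with `resolve_legacy`, a reference whose name has nothing to do with the image still runs whatever local image carries that digest, which is the confusion the note warns about; `resolve` turns that case into an error the user sees.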
- image:tag@digest references. When pulling an image using the `image:tag@digest` form ("pull by digest"), image resolution happens through the content-addressable digest and the image and tag are not used. While this is expected, it could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error.
- image:tag@digest references. Refer to the "Daemon" section above for details.

{{< release-date date="2022-10-14" >}}
This release of Docker Engine comes with some bug-fixes, and an updated version of Docker Compose.
- `docker builder prune` or `docker system prune` moby/moby#44122.
- `docker volume prune` would remove volumes that were still in use if the daemon was running with "live restore" and was restarted moby/moby#44238.

{{< release-date date="2022-09-09" >}}
This release of Docker Engine comes with a fix for a low-severity security issue,
some minor bug fixes, and updated versions of Docker Compose, Docker Buildx,
containerd, and runc.
- containerd.io package) to v1.6.8.
- exec processes and healthchecks were not terminated when they timed out moby/moby#44018.

{{< release-date date="2022-06-06" >}}
This release of Docker Engine comes with updated versions of Docker Compose and the containerd and runc components, as well as some minor bug fixes.
- containerd.io package) to v1.6.6, which contains a fix for CVE-2022-31030.

{{< release-date date="2022-05-12" >}}
This release of Docker Engine fixes a regression in the Docker CLI builds for
macOS, fixes an issue with docker stats when using containerd 1.5 and up,
and updates the Go runtime to include a fix for CVE-2022-29526.
- golang.org/x/sys build-time dependency which contains a fix for CVE-2022-29526.
- `docker stats` was showing empty stats when running with containerd 1.5.0 or up moby/moby#43567.
- `docker scan` CLI plugin, to prevent a "conflicting requests" error when users performed an off-line installation from downloaded RPM packages docker/docker-ce-packaging#659.

{{< release-date date="2022-05-05" >}}
This release of Docker Engine comes with updated versions of the compose,
buildx, containerd, and runc components, as well as some minor bug fixes.
- containerd.io package) to v1.6.4.

{{< release-date date="2022-03-23" >}}
This release of Docker Engine updates the default inheritable capabilities for containers to address CVE-2022-24769; a new version of the containerd.io runtime is also included to address the same issue.
- containerd.io package) to v1.5.11.
- `docker buildx` to v0.8.1.

{{< release-date date="2022-03-10" >}}
This release of Docker Engine contains some bug-fixes and packaging changes,
updates to the docker scan and docker buildx commands, an updated version of
the Go runtime, and new versions of the containerd.io runtime.
Together with this release, we now also provide .deb and .rpm packages of
Docker Compose V2, which can be installed using the (optional) docker-compose-plugin
package.
- .deb and .rpm packages for Docker Compose V2. Docker Compose v2.3.3 can now be installed on Linux using the docker-compose-plugin packages, which provide the `docker compose` subcommand on the Docker CLI. The Docker Compose plugin can also be installed and run standalone to be used as a drop-in replacement for `docker-compose` (Docker Compose V1) docker/docker-ce-packaging#638. The compose-cli-plugin package can also be used on older versions of the Docker CLI with support for CLI plugins (Docker CLI 18.09 and up).
- `docker buildx` to v0.8.0.
- `docker scan` (docker-scan-plugin) to v0.17.0.
- containerd.io package) to v1.5.10.
- `fluentd-async-connect=true` and the remote server is unreachable moby/moby#43147.
- `net.ipv4.ping_group_range` sysctl moby/moby#43084.

2021-12-13
This release of Docker Engine contains changes in packaging only, and provides
updates to the docker scan and docker buildx commands. Versions of docker scan
before v0.11.0 are not able to detect the Log4j 2 CVE-2021-44228.
We are shipping an updated version of docker scan in this release to help you
scan your images for this vulnerability.
> [!NOTE]
> The `docker scan` command on Linux is currently only supported on x86 platforms. We do not yet provide a package for other hardware architectures on Linux.
The docker scan feature is provided as a separate package and, depending on your
upgrade or installation method, 'docker scan' may not be updated automatically to
the latest version. Use the instructions below to update docker scan to the latest
version. You can also use these instructions to install, or upgrade the docker scan
package without upgrading the Docker Engine:
On .deb based distributions, such as Ubuntu and Debian:

```console
$ apt-get update && apt-get install docker-scan-plugin
```

On rpm-based distributions, such as CentOS or Fedora:

```console
$ yum install docker-scan-plugin
```

After upgrading, verify you have the latest version of docker scan installed:

```console
$ docker scan --accept-license --version
Version:    v0.12.0
Git commit: 1074dd0
Provider:   Snyk (1.790.0 (standalone))
```
Read our blog post on CVE-2021-44228
to learn how to use the docker scan command to check if images are vulnerable.
2021-11-17
> [!IMPORTANT]
> Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (https://) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to Configure the daemon to use a proxy to learn how to configure the Docker Daemon to use a proxy server.
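The note above (repeated for the releases that follow) is easy to get wrong during an upgrade, so a small audit helper is useful. The following is an added example, not Docker code: it models the precedence Go's `net/http` `ProxyFromEnvironment` applies, with `HTTPS_PROXY` for `https://` URLs, `HTTP_PROXY` for `http://` URLs, lowercase variants as fallbacks and `NO_PROXY` exemptions, and flags an environment where only `HTTP_PROXY` is set. Go's complete matcher (CIDR and port-specific `NO_PROXY` entries) is not reproduced; the sample environments and proxy host are constructed.

```python
"""Which proxy (if any) will a Go 1.16+ daemon use for a given URL?

Added example, not Docker code. It models the precedence the note above
relies on, following Go's net/http ProxyFromEnvironment: https:// URLs use
HTTPS_PROXY (or https_proxy), http:// URLs use HTTP_PROXY (or http_proxy),
and NO_PROXY lists hosts that are always contacted directly. Go's full
matcher (CIDR entries, port-specific entries) is not reproduced; the sample
environments are constructed for illustration.
"""
from urllib.parse import urlparse


def _env(env, name):
    """Uppercase variable wins, then lowercase, as in Go's httpproxy package."""
    return env.get(name.upper()) or env.get(name.lower()) or ""


def _bypassed(host, no_proxy):
    """True if NO_PROXY exempts host. Loopback is always direct in Go."""
    if host in ("localhost", "127.0.0.1", "::1"):
        return True
    for entry in (e.strip() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        entry = entry.lstrip(".").lower()
        if host == entry or host.endswith("." + entry):
            return True
    return False


def proxy_for(url, env):
    """Return the proxy URL used for url, or None for a direct connection."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _bypassed(host, _env(env, "NO_PROXY")):
        return None
    if parsed.scheme == "https":
        return _env(env, "HTTPS_PROXY") or None
    if parsed.scheme == "http":
        return _env(env, "HTTP_PROXY") or None
    return None


def audit_proxy_env(env):
    """Flag the misconfiguration described above: HTTP_PROXY set, HTTPS_PROXY missing."""
    findings = []
    if _env(env, "HTTP_PROXY") and not _env(env, "HTTPS_PROXY"):
        findings.append(
            "HTTP_PROXY is set but HTTPS_PROXY is not: https:// connections "
            "(registry pulls and pushes) will not go through the proxy"
        )
    return findings


# Constructed sample daemon environments (as they might come from a systemd
# drop-in); the proxy host is a placeholder.
OLD_ENV = {"HTTP_PROXY": "http://proxy.example.internal:3128"}
FIXED_ENV = {
    "HTTP_PROXY": "http://proxy.example.internal:3128",
    "HTTPS_PROXY": "http://proxy.example.internal:3128",
    "NO_PROXY": "localhost,127.0.0.1,.registry.example.internal",
}

if __name__ == "__main__":
    for name, env in (("old", OLD_ENV), ("fixed", FIXED_ENV)):
        print(name, proxy_for("https://registry.example.com/v2/", env), audit_proxy_env(env))
```

Feed the helper the exact environment the daemon process sees (for example the values from a systemd drop-in), not the values in your interactive shell; the daemon does not inherit the latter.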
2021-10-25
> [!IMPORTANT]
> Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (https://) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
- `docker build` not finding images in the local image cache on Arm machines when using BuildKit moby/moby#42954
- `clone3` syscall in the default seccomp policy to support running containers based on recent versions of Fedora and Ubuntu. moby/moby/#42836.
- `docker stop` could hang forever moby/moby#42956.
- `docker scan` to v0.9.0

2021-10-04
This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package.
> [!IMPORTANT]
> Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (https://) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
- `docker cp` to prevent a specially crafted container from changing permissions of existing files in the host's filesystem.
- /var/lib/docker.

Known issue
The `ctr` binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the `libc6-compat` package, or download a previous version of the `ctr` binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.
2021-08-03
> [!IMPORTANT]
> Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (https://) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
- `stack` and `context` commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release docker/cli#3174.
- `Invalid standard handle identifier` errors on Windows docker/cli#3132.
- `can't open lock file /run/xtables.lock: Permission denied` error on SELinux hosts moby/moby#42462.
- `x509: certificate signed by unknown authority` error on openSUSE Tumbleweed moby/moby#42462.
- `--platform` option to pull a single-arch image that does not match the specified architecture moby/moby#42633.
- `Your kernel does not support swap memory limit` warning when running with cgroups v2 moby/moby#42479.
- `HcsShutdownComputeSystem` returned an `ERROR_PROC_NOT_FOUND` error moby/moby#42613

Known issue
The `ctr` binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the `libc6-compat` package, or download a previous version of the `ctr` binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.
2021-06-02
- SIGURG signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses SIGURG signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore SIGURG signals docker/cli#3107, moby/moby#42421.
- `COPY` command with a wildcard. Note that this change invalidates existing build caches for copy commands that use a wildcard. moby/buildkit#2018.
- `FROM` image is not cached when using legacy schema 1 images moby/moby#42382.
- `ipv6.disable=1`, and to fix a deadlock causing internal DNS lookups to fail moby/moby#42413.
- slirp4netns port driver moby/moby#42294.
- docker-scan-plugin) to v0.8 docker/docker-ce-packaging#545.

2021-04-12
- `~/.dockercfg`. Support for this file will be removed in a future release docker/cli#3000
- docker-scan-plugin package as a recommended dependency for the docker-ce-cli package docker/docker-ce-packaging#537

2021-03-02
- `docker start --attach` and remove spurious `Unsupported signal: <nil>. Discarding.` messages. docker/cli#2987.

2021-02-26
- `invalid mutable ref` errors) `builder prune` moby/moby#42065
- `docker login` if no config file is present docker/cli#2959
- `WARNING: Error loading config file: .dockercfg: $HOME is not defined` docker/cli#2958
- `labels-regex` config even if `labels` is not set moby/moby#42046
- `--update-order` and `--rollback-order` flags when only `--update-order` or `--rollback-order` is provided docker/cli#2963
- `docker service rollback` returning a non-zero exit code in some situations docker/cli#2964
- `docker service rollback` docker/cli#2964

2021-02-01
2021-01-04
- `sd_notify STOPPING=1` when shutting down moby/moby#41832
- `replicated-job` and `global-job` service modes moby/moby#41806

2020-12-14
2020-12-08
For an overview of all deprecated features, refer to the Deprecated Engine Features page.
- `docker pull`-ing from non-compliant registries not supporting pull-by-digest docker/cli#2872
- `docker run --kernel-memory`) moby/moby#41254 docker/cli#2652
- aufs storage driver docker/cli#1484
- `ENV name=value` instead docker/cli#2743
- `DOCKER_API_VERSION` moby/moby#39076
- `docker search --automated` and `--stars` flags docker/cli#2338
- `GET /events` now returns prune events after pruning resources have completed moby/moby#41259
- container, network, volume, image, and builder, and have a `reclaimed` attribute, indicating the amount of space reclaimed (in bytes)
- one-shot stats option to not prime the stats moby/moby#40478
- `/info`) moby/moby#38349
- `RUN --mount` options without needing to specify experimental dockerfile `#syntax` directive. moby/buildkit#1717
- `ARG` command now supports defining multiple build args on the same line similarly to `ENV` moby/buildkit#1692
- `--chown` flag in `ADD` now allows parameter expansion moby/buildkit#1473
- `--secret id=foo,env=MY_ENV` as an alternative for storing a secret value to a file.
- `--secret id=GIT_AUTH_TOKEN` will load env if it exists and the file does not.
- `-a`/`--all-tags` to `docker push` docker/cli#2220
- `--pull=missing|always|never` to run and create commands docker/cli#1498
- `--env-file` flag to `docker exec` for parsing environment variables from a file docker/cli#2602
- `-n` for `--tail` option docker/cli#2646
- `--cgroupns` docker/cli#2024
- `docker manifest rm` command to remove manifest list draft from local storage docker/cli#2449
- `docker ps --format` flag now has a `.State` placeholder to print the container's state without additional details about uptime and health check docker/cli#2000
- `--quiet` docker/cli#2197
- `docker rm -v` to clarify the option only removes anonymous (unnamed) volumes docker/cli#2289
- `--label-add`/`--label-rm`, `--container-label-add`/`--container-label-rm`, and `--env-add`/`--env-rm` flags on `docker service update` to allow replacing existing values docker/cli#2668
- `docker rm --force` returning a non-zero exit code if one or more containers did not exist docker/cli#2678
- `total_inactive_file` instead of `cache` docker/cli#2415
- `username` and `password` auth even if `auth` is empty docker/cli#2122
- `docker logs` with all logging drivers (best effort) moby/moby#40543
- `splunk-index-acknowledgment` log option to work with Splunk HECs with index acknowledgment enabled moby/moby#39987
- `docker push` now defaults to `latest` tag instead of all tags moby/moby#40302
- `io.containerd.runc.v2` runtime moby/moby#41182
- `--device` flag in `docker run` will now be honored when the container is started in privileged mode moby/moby#40291
- `--ip6tables` enables IPv6 iptables rules (only if experimental) moby/moby#41622
- `--default-address-pool` option in certain cases moby/moby#40711
- `DOCKER-USER` chain not created when `IPTableEnable=false` moby/moby#40808 moby/libnetwork#2471
- `--exec-opt native.cgroupdriver=systemd` moby/moby#40486
- `clock_adjtime`. `CAP_SYS_TIME` is still required for time adjustment moby/moby#40929
- `--mount type=bind,bind-nonrecursive` moby/moby#38788