content/manuals/engine/release-notes/27.md
This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 27.
For more information about:
Release notes for Docker Engine version 27.5 releases.
{{< release-date date="2025-01-22" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `DOCKER_IGNORE_BR_NETFILTER_ERROR` environment variable. Setting it to `1` allows running on hosts that cannot load `br_netfilter`. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network. moby/moby#49306
- `passt` >= 2024_10_30.ee7d0b6. moby/moby#49304

{{< release-date date="2025-01-13" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `/build` endpoint. moby/moby#49194
- `keepStorage` value now inherit the `defaultKeepStorage` limit as intended. moby/moby#49137
- `pkg/sysinfo`: deprecate `NumCPU`. This utility has the same behavior as `runtime.NumCPU`. moby/moby#49247
- `pkg/fileutils`: deprecate `GetTotalUsedFds`: this function is only used internally and will be removed in the next release. moby/moby#49209
- `pkg/ioutils`: deprecate `BytesPipe`, `NewBytesPipe`, `ErrClosed`, `WriteCounter`, `NewWriteCounter`, `NewReaderErrWrapper`, `NopFlusher`, `NopWriter`, `NopWriteCloser`. They were only used internally and will be removed in the next release. moby/moby#49246, moby/moby#49255
- `pkg/reexec`: This package is deprecated and moved to a separate module. Use `github.com/moby/sys/reexec` instead. moby/moby#49135
- `runc` to v1.2.4 moby/moby#49243

Release notes for Docker Engine version 27.4 releases.
{{< release-date date="2024-12-18" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `docker info` command and the corresponding `GET /info` API endpoint no longer include warnings when `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` are disabled when the daemon is started. The daemon now attempts to load the `br_netfilter` kernel module when needed, which made those warnings inaccurate. moby/moby#49090
- `ip6_tables` and `br_netfilter` when required, using a method that is likely to succeed inside a Docker-in-Docker container. moby/moby#49043
- DOCKER FILTER chain not being cleaned up on failure. moby/moby#49110

{{< release-date date="2024-12-09" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `GET /images/json` with the `manifests` option enabled now preserves the original order in which manifests appeared in the manifest-index. moby/moby#48712
- `jsonfile` or `local` log drivers, any errors while trying to read or parse underlying log files will cause the rest of the file to be skipped and move to the next log file (if one exists) rather than returning an error to the client and closing the stream. The errors are viewable in the Docker Daemon logs and exported to traces when tracing is configured. moby/moby#48842
- `userland-proxy` disabled, if the kernel's `br_netfilter` module was not loaded and enabled. The daemon will now attempt to load the module and enable `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` when creating a network with the userland proxy disabled. moby/moby#48685
- `bridge` and `br_netfilter` kernel modules. moby/moby#48966
- `docker image inspect` outputting duplicate references in `RepoDigests`. moby/moby#48785
- `docker image ls --tree`. docker/cli#5519
- `USED` column in `docker image ls --tree` to `IN USE`. docker/cli#5518
- `dockerd-rootless-setuptool.sh install --force` now ignores RootlessKit errors moby/moby#48695
- `--mount` option not being marked as anonymous. moby/moby#48755
- `DOCKER-USER` chain is placed before other rules. moby/moby#48714
- `docker run`. docker/cli#5654
- `docker login` and `docker logout` command no longer update the configuration file if the credentials didn't change. docker/cli#5569
- `docker stats` to reduce flickering issues. docker/cli#5588, docker/cli#5635
- `events --filter` in cobra generated shell completions. docker/cli#5614
- `events --filter daemon=`. docker/cli#5563
- `docker rm`. docker/cli#5540
- `--platform` flags. docker/cli#5540
- `/etc/cdi` and `/var/run/cdi` accessible by the Container Device Interface (CDI) integration. moby/moby#49027
- `Daemon.Exists()` and `Daemon.IsPaused()`. These functions are no longer used and will be removed in the next release. moby/moby#48719
- `container.ErrNameReserved` and `container.ErrNameNotReserved`. moby/moby#48697
- `pkg/platform` - this package is only used internally, and will be removed in the next release. moby/moby#48863
- `RepositoryInfo.Class`. This field is no longer used, and will be removed in the next release. moby/moby#49013
- `cli/command.ConfigureAuth()`, which was deprecated since v27.2.1. docker/cli#5552
- `cli.Errors` type in favour of Go's `errors.Join` docker/cli#5548

Release notes for Docker Engine version 27.3 releases.
{{< release-date date="2024-09-20" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
{{< release-date date="2024-09-19" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `docker image prune -a` untagging images used by containers started from images referenced by a digested reference. moby/moby#48488
- `--feature` flag to the daemon options. moby/moby#48487
- `--gpus=0` flag to be consistent with the NVIDIA Container Runtime. moby/moby#48483
- `loopback0` for packets from the Windows host. moby/moby#48514
- `--iptables=false`, `--ip6tables=true` (the default), a firewall with a DROP rule for forwarded packets on hosts where the `br_netfilter` kernel module was not normally loaded. moby/moby#48511
- `docker volume update` command would cause the CLI to panic if no argument/volume was passed. docker/cli#5426

Release notes for Docker Engine version 27.2 releases.
{{< release-date date="2024-09-09" >}}
- `docker image ls` output. moby/moby#48402
- `docker pull` error message when the image platform doesn't match. moby/moby#48415
- `docker login` to not remove repository names from passed in registry addresses, resulting in credentials being stored under the wrong key. docker/cli#5385
- `docker login` now returns an error instead of hanging if called non-interactively with `--password` or `--password-stdin` but without `--user`. docker/cli#5402

{{< release-date date="2024-08-27" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
The new features in this release are:
This release adds support for using device code login when authenticating to Docker Hub.
You can still use the old method of logging in with a username and password or access token, but device code login is more secure and doesn't require you to enter your password in the CLI.
To use the old method, use docker login -u <username>.
`docker image ls`

{{< experimental >}} This is experimental and may change at any time without any backward compatibility. {{< /experimental >}}

With the containerd image store enabled, the `docker image ls` command (or
`docker images` shorthand) now supports a `--tree` flag that shows
whether an image is a multi-platform image.
The `GET /images/json` response now includes a `Manifests` field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations.
The new field is only populated if the request also sets the `manifests` query parameter to `true`.
{{< experimental >}} This is experimental and may change at any time without any backward compatibility. {{< /experimental >}}
- `--ip-range` ending on a 64-bit boundary. moby/moby#48326
- `docker ps` in port bindings are now bracketed. docker/cli#5365
- `docker load` in cases where unpacking the image would fail. moby/moby#48376
- `docker pull`. moby/moby#48380
- `docker login [registry address]`) where, if the provided registry address includes a repository/image name (such as `docker login index.docker.io/docker/welcome-to-docker`), the repository part (`docker/welcome-to-docker`) is not normalized and results in credentials being stored incorrectly, which causes subsequent pulls from the registry (`docker pull index.docker.io/docker/welcome-to-docker`) to not be authenticated. To prevent this, don't include any extraneous suffix in the registry address when running `docker login`.
> [!NOTE]
> Using `docker login` with an address that includes URL path segments is not a documented use case and is considered unsupported. The recommended usage is to specify only a registry hostname, and optionally a port, as the address for `docker login`.
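
The following check is an added example, not part of the Docker release notes or the Docker code base. It audits the `auths` section of a Docker CLI `config.json` for keys that carry a repository path, assuming (this is not stated on the page) that mis-stored credentials show up as `auths` keys with path segments beyond the hostname and optional port; `audit_auths`, `split_registry_key` and the allowed-path list are hypothetical names chosen for illustration.

```python
import json
import os
from urllib.parse import urlsplit

# Assumption: path forms that legitimately appear in auths keys,
# for example Docker Hub's legacy key "https://index.docker.io/v1/".
ALLOWED_PATHS = {"", "/", "/v1", "/v1/", "/v2", "/v2/"}

# Constructed sample input, shaped like ~/.docker/config.json.
SAMPLE_CONFIG = json.loads("""
{
  "auths": {
    "https://index.docker.io/v1/": {},
    "registry.example.com:5000": {},
    "index.docker.io/docker/welcome-to-docker": {}
  }
}
""")


def split_registry_key(key):
    """Return (host[:port], path) for an auths key, with or without a scheme."""
    # Keys without a scheme are prefixed with "//" so that urlsplit treats
    # the first component as the network location instead of a path/scheme.
    parts = urlsplit(key if "://" in key else "//" + key)
    return parts.netloc, parts.path


def audit_auths(config):
    """Return one finding per auths key that has extra path segments."""
    findings = []
    for key in sorted(config.get("auths", {})):
        registry, path = split_registry_key(key)
        if path not in ALLOWED_PATHS:
            findings.append(
                {"key": key, "registry": registry, "extra_path": path}
            )
    return findings


if __name__ == "__main__":
    # DOCKER_CONFIG, when set, names the directory holding config.json.
    config_dir = os.environ.get(
        "DOCKER_CONFIG", os.path.join(os.path.expanduser("~"), ".docker")
    )
    config_path = os.path.join(config_dir, "config.json")
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_CONFIG
    for finding in audit_auths(config):
        print(
            "auths key {key!r} has path {extra_path!r}; "
            "log in again using only {registry!r}".format(**finding)
        )
```
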
Release notes for Docker Engine version 27.1 releases.
{{< release-date date="2024-08-13" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `ResourceExhausted desc = grpc: received message larger than max` error when building from a large Dockerfile. moby/moby#48245
- `docker attach` printing a spurious `context cancelled` error message. docker/cli#5296
- `docker attach` exiting on `SIGINT` instead of forwarding the signal to the container and waiting for it to exit. docker/cli#5302
- `--device-read-bps` and `--device-write-bps` options not taking effect. docker/cli#5339
- `docker-proxy.exe` binary from Windows packages. docker/docker-ce-packaging#1045

{{< release-date date="2024-07-23" >}}
This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq that impacted setups using authorization plugins (AuthZ) for access control. No other changes are included in this release, and this release is otherwise identical for users not using AuthZ plugins.
{{< release-date date="2024-07-22" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `Requires=dbus.socket` to prevent errors when starting the daemon on a cgroup v2 host with systemd moby/moby#48141
- `image tag` event is now properly emitted when building images with BuildKit moby/moby#48182
- `docker image rm`, `docker image history`, and `docker image inspect` moby/moby#5261
- `docker service create` and `docker stack` docker/cli#5274
- `DOCKER_CUSTOM_HEADERS` environment variable (experimental) docker/cli#5271
- `docker push` defaulting the `--platform` flag to a value of `DOCKER_DEFAULT_PLATFORM` environment variable on unsupported API versions docker/cli#5248
- `login` prompt docker/cli#5260
- `pkg/rootless/specconv` package is deprecated, and will be removed in the next release moby/moby#48185
- `pkg/containerfs` package is deprecated, and will be removed in the next release moby/moby#48185
- `pkg/directory` package is deprecated, and will be removed in the next release moby/moby#48185
- `api/types/system`: remove deprecated `Info.ExecutionDriver` moby/moby#48184

Release notes for Docker Engine 27.0.
{{< release-date date="2024-07-01" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `fail to register layer: failed to Lchown` errors when trying to pull an image with rootless enabled on a system that supports native overlay with user-namespaces. moby/moby#48086

{{< release-date date="2024-06-27" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `ContainerJSONBase.Node` field and `ContainerNode` type. These definitions were used by the standalone ("classic") Swarm API, but never implemented in the Docker Engine itself. moby/moby#48055

{{< release-date date="2024-06-24" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- `--platform` flag to `docker image push` and improve the default behavior when not all platforms of the multi-platform image are available locally. docker/cli#4984, moby/moby#47679
- `docker stack deploy` for `driver_opts` in a service's networks. docker/cli#5125
- `/usr/local/libexec` and `/usr/libexec` paths when looking up the userland proxy binaries by a name with a `docker-` prefix. moby/moby#47804
- `*client.Client` instances are now always safe for concurrent use by multiple goroutines. Previously, this could lead to data races when the `WithAPIVersionNegotiation()` option is used. moby/moby#47961
- `$TMPDIR` in some cases. docker/cli#5146
- `--privileged`. moby/moby#47500
- `StartInterval` default value of healthcheck to reflect the documented value of 5s. moby/moby#47799
- `docker save` and `docker load` not ending on the daemon side when the operation was cancelled by the user, for example with <kbd>Ctrl+C</kbd>. moby/moby#47629
- `StartedAt` property of containers is now recorded before container startup, guaranteeing that the `StartedAt` is always before `FinishedAt`. moby/moby#47003
- `nslookup` to resolve external hostnames. This behaviour can be disabled via `daemon.json`, using `"features": { "windows-dns-proxy": false }`. The configuration option will be removed in a future release. moby/moby#47826
- `docker run` command, `--network mynet --sysctl net.ipv4.conf.eth0.log_martians=1` will be rejected.
  Instead, you must use `--network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1`.
- `ip6tables` is no longer experimental. You may remove the `experimental` configuration option and continue to use IPv6, if it is not required by any other features.
- `ip6tables` is now enabled for Linux bridge networks by default. moby/moby#47747
- `ip6tables` enabled (new default).
- `ip6tables`, this is likely a breaking change. Only published container ports (`-p` or `--publish`) are accessible from outside the Docker bridge network, and outgoing connections masquerade as the host.
- `ip6tables` at all, set `"ip6tables": false` in `daemon.json`, or use the CLI option `--ip6tables=false`. Alternatively, leave `ip6tables` enabled, publish ports, and enable direct routing.
- `ip6tables` enabled, if `ip6tables` is not functional on your host, Docker Engine will start but it will not be possible to create an IPv6-enabled network.
- `default-address-pools` if this parameter wasn't manually configured, or if it contains no IPv6 prefixes. moby/moby#47853
- `--subnet` option to specify an IPv6 subnet, or add IPv6 ranges to `default-address-pools` in `daemon.json`.
- `--ipv6` and no IPv6 subnet is defined by those options, an IPv6 Unique Local Address (ULA) base prefix is used.
- `default-address-pools`. moby/moby#47768
- `"default-network-opts": { "bridge": {"com.docker.network.enable_ipv6": "true"}}` in `daemon.json`, or `dockerd --default-network-opt=bridge=com.docker.network.enable_ipv6=true` on the command line. moby/moby#47867
- `ip6tables` enabled. moby/moby#47871
- `com.docker.network.bridge.gateway_mode_ipv6=<nat|routed>`.
- `nat`, is unchanged from previous releases running with `ip6tables` enabled. NAT and masquerading rules are set up for each published container port.
- `routed`, no NAT or masquerading rules are configured for published ports. This enables direct IPv6 access to the container, if the host's network can route packets for the container's address to the host. Published ports will be opened in the container's firewall.
- `routed` mode, only addresses `0.0.0.0` or `::` are allowed and a host port must not be given.
- `nat` or `routed` mode, are accessible from any remote address if routing is set up in the network, unless the Docker host's firewall has additional restrictions. For example: `docker network create --ipv6 -o com.docker.network.bridge.gateway_mode_ipv6=routed mynet`.
- `com.docker.network.bridge.gateway_mode_ipv4=<nat|routed>` is also available, with the same behavior but for IPv4.
- `docker-forwarding` to allow forwarding from any zone to the `docker` zone. This makes it possible to configure a bridge network with a routable IPv6 address, and no NAT or masquerading. moby/moby#47745
- `-p 80` will result in the same ephemeral port being allocated for `0.0.0.0` and `::`, and `-p 8080-8083:80` will pick the same port from the range for both address families.
- `-p 127.0.0.1::80 -p '[::1]::80'`.
- `DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE`, introduced in release 26.1.1, no longer has any effect. moby/moby#47963
- `/proc/sys/net`, the environment variable allowed the container to start anyway.
- `--ipv6` when creating it. Other workarounds are to configure the OS to disable IPv6 by default on new interfaces, mount `/proc/sys/net` read-write, or use a kernel with no IPv6 support.
- `fe80::1`. moby/moby#47787
- `NewTempArchive` and `TempArchive`. These types were only used in tests and will be removed in the next release. moby/moby#48002
- `CanonicalTarNameForPath` moby/moby#48001
- `pkg/stringid.ValidateID` and `pkg/stringid.IsShortID` moby/moby#47995
- `SetDefaultNetModeIfBlank` and move `ContainerConfigWrapper` to `api/types/container` moby/moby#48007
- `DefaultDaemonNetworkMode` and move to `daemon/network` moby/moby#48008
- `opts.ConvertKVStringsToMap`. This utility is no longer used, and will be removed in the next release. moby/moby#48016
- `IsPreDefinedNetwork`. moby/moby#48011
- `POST /images/{name}/push` now supports a `platform` parameter (JSON encoded OCI Platform type) that allows selecting a specific platform-manifest from the multi-platform image. This is experimental and may change in future API versions. moby/moby#47679
- `POST /services/create` and `POST /services/{id}/update` now support `OomScoreAdj`. moby/moby#47950
- `ContainerList` api returns container annotations. moby/moby#47866
- `POST /containers/create` and `POST /services/create` now take `Options` as part of `HostConfig.Mounts.TmpfsOptions` allowing to set options for tmpfs mounts. moby/moby#46809
- `Healthcheck.StartInterval` property is now correctly ignored when updating a Swarm service using API versions less than v1.44. moby/moby#47991
- `GET /events` now supports image `create` event that is emitted when a new image is built regardless if it was tagged or not. moby/moby#47929
- `GET /info` now includes a `Containerd` field containing information about the location of the containerd API socket and containerd namespaces used by the daemon to run containers and plugins. moby/moby#47239
- `Config` field returned by this endpoint (used for `docker image inspect`) returned additional fields that are not part of the image's configuration and not part of the Docker Image Spec and the OCI Image Spec. These fields are never set (and always return the default value for the type), but are not omitted in the response when left empty. As these fields were not intended to be part of the image configuration response, they are deprecated, and will be removed in the future API versions.
- `--api-cors-header` and the corresponding `daemon.json` configuration option. These will be removed in the next major release. moby/moby#45313
- The following deprecated fields are currently included in the API response, but are not part of the underlying image's `Config`: moby/moby#47941
- `Hostname`
- `Domainname`
- `AttachStdin`
- `AttachStdout`
- `AttachStderr`
- `Tty`
- `OpenStdin`
- `StdinOnce`
- `Image`
- `NetworkDisabled` (already omitted unless set)
- `MacAddress` (already omitted unless set)
- `StopTimeout` (already omitted unless set)
- `client.RequestPrivilegeFunc`
- `client.ImageSearchOptions.AcceptPermissionsFunc`
- `image.ImportOptions.PrivilegeFunc`
- `ImageImportOptions`
- `ImageCreateOptions`
- `ImagePullOptions`
- `ImagePushOptions`
- `ImageListOptions`
- `ImageRemoveOptions`
- `Ulimit` type alias for `github.com/docker/go-units.Ulimit`.
The Ulimit type as used in the API is defined in a Go module that will transition to a new location in future.
A type alias is added to reduce the friction that comes with moving the type to a new location.
The alias makes sure that existing code continues to work, but its definition may change in future.
Users are recommended to use this alias instead of the `units.Ulimit` directly. moby/moby#48023

- Move and rename types, changing their import paths and exported names. moby/moby#47936, moby/moby#47873, moby/moby#47887, moby/moby#47882, moby/moby#47921, moby/moby#48040
- `api/types/container`:
  - `BlkioStatEntry`
  - `BlkioStats`
  - `CPUStats`
  - `CPUUsage`
  - `ContainerExecInspect`
  - `ContainerPathStat`
  - `ContainerStats`
  - `ContainersPruneReport`
  - `CopyToContainerOptions`
  - `ExecConfig`
  - `ExecStartCheck`
  - `MemoryStats`
  - `NetworkStats`
  - `PidsStats`
  - `StatsJSON`
  - `Stats`
  - `StorageStats`
  - `ThrottlingData`
- `api/types/image`:
  - `ImagesPruneReport`
  - `ImageImportSource`
  - `ImageLoadResponse`
- `ExecStartOptions` type to `api/types/backend`.
- `VolumesPruneReport` type to `api/types/volume`.
- `EventsOptions` type to `api/types/events`.
- `ImageSearchOptions` type to `api/types/registry`.
- `Network` prefix and move the following types to `api/types/network`:
  - `NetworkCreateResponse`
  - `NetworkConnect`
  - `NetworkDisconnect`
  - `NetworkInspectOptions`
  - `EndpointResource`
  - `NetworkListOptions`
  - `NetworkCreateOptions`
  - `NetworkCreateRequest`
  - `NetworksPruneReport`
- `NetworkResource` to `api/types/network`.

There's no 27.0.0 release due to a mistake during the pre-release of 27.0.0-rc.1 on GitHub which resulted in the v27.0.0 tag being created. Unfortunately the tag was already picked up by the Go Module Mirror so it's not possible to cleanly change the v27.0.0. To work around this, the 27.0.1 will be the first release of the 27.0.