content/manuals/engine/release-notes/28.md
This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 28.
For more information about:
{{< release-date date="2025-11-05" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:
All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.
- DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
- ValidateMACAddress. docker/cli#6560

{{< release-date date="2025-10-08" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- Parent and DockerVersion fields. moby/moby#51105
- Config.DockerVersion field. moby/moby#51110

{{< release-date date="2025-10-02" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
[!WARNING] Raspberry Pi OS 32-bit (armhf) Deprecation
Docker Engine v28 will be the last major version to support Raspberry Pi OS 32-bit (armhf). Starting with Docker Engine v29, new major versions will no longer provide packages for Raspberry Pi OS 32-bit (armhf).
Migration options
- 64-bit ARM: Install the Debian arm64 packages (fully supported).
- 32-bit ARM (v7): Install the Debian armhf packages (targets ARMv7 CPUs).

Note: Older devices based on the ARMv6 architecture are no longer supported by official packages, including:
- Raspberry Pi 1 (Model A/B/A+/B+)
- Raspberry Pi Zero and Zero W
- docker info for broken symlinks in CLI-plugin directories. docker/cli#6476
- stats on empty event Actor.ID. docker/cli#6471
- endpoint_count from the data store. moby/moby#51064
- KernelMemoryTCP). moby/moby#51067
- GET containers/{name}/checkpoints returning null instead of empty JSON array when there are no checkpoints. moby/moby#51052
- WithUserAgent option. docker/cli#6477
- DockerCli.Apply. This method is no longer used and will be removed in the next release if there are no remaining uses. docker/cli#6497
- DockerCli.ContentTrustEnabled. This method is no longer used and will be removed in the next release. docker/cli#6495
- DockerCli.DefaultVersion. This method is no longer used and will be removed in the next release. docker/cli#6491
- ResolveDefaultContext utility. docker/cli#6529
- WithContentTrustFromEnv, WithContentTrust options. These options were used internally, and will be removed in the next release. docker/cli#6489
- IsNotFound(). docker/cli#6514

{{< release-date date="2025-09-03" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- GODEBUG environment variable when the key-value pair ("GODEBUG":"...") exists inside the docker context metadata. docker/cli#6399
- docker pull and docker image pull. docker/cli#6420
- docker push if the client did not send an X-Registry-Auth header. moby/moby#50738
- docker history failing with snapshot X does not exist when calling on a non-native image that was built locally. moby/moby#50875
- docker image prune to emit correct untag and delete events and list only the deleted images root digests instead of every blob. moby/moby#50837
- docker push and docker pull after a failure caused by missing authentication. docker/cli#6256
- runc to v1.3.0. moby/moby#50699
- AuthConfig.Email field. moby/moby#50797
- --tlscacert, --tlscert, and --tlskey command-line flags. docker/cli#6291
- DOCKER_KEEP_DEPRECATED_LEGACY_LINKS_ENV_VARS) as deprecated in v28.4 and set for removal in v30.0. docker/cli#6309
- NetworkSettingsBase.Bridge, struct NetworkSettingsBase, all the fields of DefaultNetworkSettings, and struct DefaultNetworkSettings. moby/moby#50839
- build.CacheDiskUsage, container.DiskUsage, images.DiskUsage and volumes.DiskUsage are now deprecated and will be removed in the next major release. moby/moby#50768
- ReexecEnvvar. docker/cli#6411
- CommandAnnotationPlugin, CommandAnnotationPluginVendor, CommandAnnotationPluginVersion, CommandAnnotationPluginInvalid, CommandAnnotationPluginCommandPath) in favor of their equivalent in cli-plugins/manager/metadata. docker/cli#6298
- NamePrefix, MetadataSubcommandName, HookSubcommandName, Metadata, ReexecEnvvar) in favor of their equivalent in cli-plugins/manager/metadata. docker/cli#6269
- Candidate interface, which was only for internal use. docker/cli#6269
- NewPluginError function, which was only for internal use. docker/cli#6269
- ResourceAttributesEnvvar const. docker/cli#6269
- NewBuilderCommand and NewBakeStubCommand. These functions will be removed in the next release. docker/cli#6312
- NewPruneCommand. docker/cli#6343
- NewCheckpointCommand. This function will be removed in the next release. docker/cli#6312
- NewFormat, FormatWrite. docker/cli#6341
- NoComplete. docker/cli#6405
- ValidArgsFn. docker/cli#6259
- NewConfigCommand. This function will be removed in the next release. docker/cli#6312
- NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
- RunConfigCreate, CreateOptions, RunConfigInspect, InspectOptions, RunConfigList, ListOptions, RunConfigRemove, and RemoveOptions. docker/cli#6369
- NewBuildCommand, NewPullCommand, NewPushCommand, NewImagesCommand, NewImageCommand, NewHistoryCommand, NewImportCommand, NewLoadCommand, NewRemoveCommand, NewSaveCommand, NewTagCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
- NewDiffFormat, DiffFormatWrite. These functions were only used internally and will be removed in the next release. docker/cli#6341
- NewRunCommand, NewExecCommand, NewPsCommand, NewContainerCommand, NewAttachCommand, NewCommitCommand, NewCopyCommand, NewCreateCommand, NewDiffCommand, NewExportCommand, NewKillCommand, NewLogsCommand, NewPauseCommand, NewPortCommand, NewRenameCommand, NewRestartCommand, NewRmCommand, NewStartCommand, NewStatsCommand, NewStopCommand, NewTopCommand, NewUnpauseCommand, NewUpdateCommand, NewWaitCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
- NewContextCommand. This function will be removed in the next release. docker/cli#6312
- RunCreate and CreateOptions. docker/cli#6403
- RunExport and ExportOptions. docker/cli#6403
- RunImport. docker/cli#6403
- RunRemove and RemoveOptions. docker/cli#6403
- RunUpdate and UpdateOptions. docker/cli#6403
- RunUse. docker/cli#6403
- AuthResolver utility. docker/cli#6357
- NewHistoryFormat, HistoryWrite. docker/cli#6341, docker/cli#6341
- NewManifestCommand. This function will be removed in the next release. docker/cli#6312
- NewFormat, FormatWrite. docker/cli#6341
- NewNetworkCommand. These functions will be removed in the next release. docker/cli#6312
- NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
- NewNodeCommand. This function will be removed in the next release. docker/cli#6312
- NewFormat, FormatWrite. docker/cli#6341
- NewPluginCommand. This function will be removed in the next release. docker/cli#6312
- NewLoginCommand, NewLogoutCommand, NewSearchCommand. These functions will be removed in the next release. docker/cli#6312
- NewSearchFormat, SearchWrite. docker/cli#6341
- OauthLoginEscapeHatchEnvVar const. docker/cli#6413
- NewFormat, FormatWrite, InspectFormatWrite. docker/cli#6341
- NewSecretCommand. This function will be removed in the next release. docker/cli#6312
- NewFormat, InspectFormatWrite. docker/cli#6341
- NewServiceCommand. This function will be removed in the next release. docker/cli#6312
- NewStackCommand. This function will be removed in the next release. docker/cli#6312
- RunList, RunServices. docker/cli#6391
- NewSwarmCommand. This function will be removed in the next release. docker/cli#6312
- NewVersionCommand, NewInfoCommand, NewSystemCommand, NewEventsCommand, NewInspectCommand. These functions will be removed in the next release. docker/cli#6312
- NewTaskFormat, FormatWrite. docker/cli#6341
- NewTrustCommand. This function will be removed in the next release. docker/cli#6312
- SignedTagInfo, SignerInfo, NewTrustTagFormat, NewSignerInfoFormat, TagWrite, SignerInfoWrite. docker/cli#6341
- NewVolumeCommand, NewPruneCommand. These functions will be removed in the next release. docker/cli#6312
- AddTrustSigningFlags, AddTrustVerificationFlags, and AddPlatformFlag utilities, which were only used internally. docker/cli#6311
- ConfigureAuth utility. docker/cli#6257
- CopyToFile utility. docker/cli#6257
- AuthConfig.Email field. docker/cli#6392
- VisitAll, DisableFlagsInUseLine utilities. These utilities were only used internally and will be removed in the next release. docker/cli#6276
- HasCompletionArg utility. This utility was only used internally. docker/cli#6276
- cli/command.RegistryAuthenticationPrivilegedFunc. docker/cli#6256
- NewNamedListOptsRef, NewNamedMapOpts, NamedListOpts, NamedMapOpts, and NamedOption. These types and functions are no longer used and will be removed in the next release. docker/cli#6292
- ParseEnvFile in favor of kvfile.Parse. docker/cli#6381
- QuotedString. This utility is no longer used, and will be removed in the next release. docker/cli#6275
- ValidateHost utility. This function is no longer used, and will be removed in the next release. docker/cli#6280
- JSONMessage.From, JSONMessage.Time, and JSONMessage.TimeNano fields, as they are no longer returned by the API for progress messages. Use the events.Message type instead to unmarshal the /events response. moby/moby#50762

{{< release-date date="2025-07-29" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release fixes an issue where, after a firewalld reload, published container ports could be accessed directly from the local network, even when they were intended to be accessible only via a loopback address. CVE-2025-54388 / GHSA-x4rx-4gw3-53p4 / moby/moby#50506.
{{< release-date date="2025-07-09" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- --use-api-socket not working correctly when targeting a remote daemon. docker/cli#6157
- DOCKER_AUTH_CONFIG is set during docker login and docker logout. docker/cli#6163

{{< release-date date="2025-07-02" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- models: key in Docker Compose. docker/docker-ce-packaging#1222

{{< release-date date="2025-06-24" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker run --gpus. moby/moby#49952
- DOCKER_AUTH_CONFIG as a credential store. docker/cli#6008
- docker image inspect inspect omitting empty fields. moby/moby#50135
- docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
- docker pull/push hang in non-interactive when authentication is required caused by prompting for login credentials. docker/cli#6141
- docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
- docker remove command that was accidentally introduced in Docker 23.0. docker/cli#6144
- dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240
- dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
- docker push not creating a tag on the remote repository. moby/moby#50199
- docker pull/push. moby/moby#50176
- docker network inspect --verbose could sometimes crash the daemon (https://github.com/moby/moby/pull/49937).
- 0.0.0.0 and others are mapped to specific host addresses. moby/moby#50054
- network inspect response for an overlay network now reports that EnableIPv4 is true. moby/moby#50147
- "Mirrored". moby/moby#50155
- docker system prune and docker network prune only remove networks created by Docker. moby/moby#50154
- GET /images/json now sets the value of the Containers field for all images to the count of containers using the image. moby/moby#50146
- GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129
- ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
- IdentityMapping and Identity.Chown. moby/moby#50210

{{< release-date date="2025-05-30" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105
- DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot. moby/moby#50098

{{< release-date date="2025-05-29" >}}

- docker group/user on fresh installations. docker-ce-packaging#1209

{{< release-date date="2025-05-28" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
[!NOTE] RHEL packages are currently not available and will be released later.
- {{.Platform}} as formatting option for docker ps to show the platform of the image the container is running. docker/cli#6042
- ../) on bind mount sources when using docker run/create with -v/--volume or --mount type=bind options. docker/cli#4966
- docker info. docker/cli#6078
- docker image rm: add --platform option to remove a variant from multi-platform images. docker/cli#6109
- DOCKER_BUILDKIT=1). moby/moby#49740
- fluentd-write-timeout), which enables specifying write timeouts for fluentd connections. moby/moby#49911
- DOCKER_AUTH_CONFIG for the experimental --use-api-socket option. docker/cli#6019
- docker exec waiting for 10 seconds if a non-existing user or group was specified. moby/moby#49868
- docker swarm init ignoring cacert option of --external-ca. docker/cli#5995
- ~/.docker/config.json) if it was a relative symbolic link. docker/cli#5282
- --restart always policy using CDI devices failing to start on daemon restart. moby/moby#49990
- plugin does not implement PluginAddr interface error for Swarm CSI drivers. moby/moby#49961
- docker login error messages for invalid options. docker/cli#6036
- listmount, statmount, lsm_get_self_attr, lsm_list_modules, lsm_set_self_attr, mseal, uretprobe, riscv_hwprobe, getxattrat, listxattrat, removexattrat, and setxattrat. This prevents containers from receiving EPERM errors when using them. moby/moby#50077
- docker inspect: add shell completion, improve flag-description for --type and improve validation. docker/cli#6052
- docker build not persisting overridden images as dangling. moby/moby#49702
- docker system df reporting a negative reclaimable space amount. moby/moby#49707
- PUT requests when pushing a multi-platform image. moby/moby#49949
- docker-ce man-pages. docker/docker-ce-packaging#1203
- "com.docker.network.bridge.trusted_host_interfaces", accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. moby/moby#49832
- "allow-direct-routing" to disable filtering of packets from outside the host addressed directly to containers. moby/moby#49832
- com.docker.network.enable_ipv4 or com.docker.network.enable_ipv6 in inspect output if they have been overridden by EnableIPv4 or EnableIPv6 in the network create request. moby/moby#49866
- docker network inspect --verbose could sometimes crash the daemon. moby/moby#49937
- DELETE /images/{name} now supports a platforms query parameter. It accepts an array of JSON-encoded OCI Platform objects, allowing for selecting specific platforms to delete content for. moby/moby#49982
- GET /info now includes a DiscoveredDevices field. This is an array of DeviceInfo objects, each providing details about a device discovered by a device driver. moby/moby#49980
- api/types/container: add ContainerState and constants for container state. moby/moby#49965
- api/types/container: change Summary.State to a ContainerState. moby/moby#49991
- api/types/container: define HealthStatus type for health-status constants. moby/moby#49876
- api/types: deprecate BuildResult, ImageBuildOptions, ImageBuildOutput, ImageBuildResponse, BuilderVersion, BuilderV1, and BuilderBuildKit which were moved to api/types/build. moby/moby#50025
- GET /images/{name}/json no longer returns the following fields: Config, Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr, Tty, OpenStdin, StdinOnce, Image, NetworkDisabled (already omitted unless set), MacAddress (already omitted unless set), StopTimeout (already omitted unless set). These additional fields were included in the response due to an implementation detail but not part of the image's Configuration, were marked deprecated in API v1.46, and are now omitted. moby/moby#48457
- filepath.Rel(). moby/moby#49843
- BuildCachePruneOptions in favor of api/types/builder.CachePruneOptions. moby/moby#50015
- BuildCachePruneReport in favor of api/types/builder.CachePruneReport. moby/moby#50015
- NodeListOptions, NodeRemoveOptions, ServiceCreateOptions, ServiceUpdateOptions, RegistryAuthFromSpec, RegistryAuthFromPreviousSpec, ServiceListOptions, ServiceInspectOptions, and SwarmUnlockKeyResponse which were moved to api/types/swarm. moby/moby#50027
- SecretCreateResponse, SecretListOptions, ConfigCreateResponse, ConfigListOptions which were moved to api/types/swarm. moby/moby#50024
- IsErrNotFound. moby/moby#50012
- IsValidHealthString in favor of api/types/container.ValidateHealthStatus. moby/moby#49893
- StateStatus, WaitCondition, and the related WaitConditionNotRunning, WaitConditionNextExit, and WaitConditionRemoved consts in favor of their equivalents in api/types/container. moby/moby#49874
- ListOpts.GetAll in favor of ListOpts.GetSlice. docker/cli#6032
- IsAutomated formatting placeholder from docker search. docker/cli#6091
- docker.pkg.github.com registry. moby/moby#50094
- DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE environment-variable. moby/moby#50036, moby/moby#42300
- BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response were deprecated in API v1.48, and are now omitted in API v1.50. moby/moby#49904
- errdefs.FromStatusCode. Use containerd's errhttp.ToNative instead. moby/moby#50030

{{< release-date date="2025-04-18" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- dockerd-rootless-setuptool.sh incorrectly reporting missing iptables. moby/moby#49833
- docker load with archives containing zero-size tar headers. moby/moby#49837
- /etc/resolv.conf when no upstream DNS servers were found. moby/moby#49827

{{< release-date date="2025-04-17" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker bake sub-command as alias for docker buildx bake. docker/cli#5947
- --use-api-socket flag on docker run and docker create to enable access to Docker socket from inside a container and to share credentials from the host with the container. docker/cli#5858
- docker image inspect now supports a --platform flag to inspect a specific platform of a multi-platform image. docker/cli#5934
- docker images --tree not including non-container images content size in the total image content size. docker/cli#6000
- docker load not preserving replaced images. moby/moby#49650
- docker login hints when logging in to a custom registry. docker/cli#6015
- docker stats not working properly on machines with high CPU core count. moby/moby#49734
- docker pull/push to fail when interacting with a private repository. docker/cli#5964
- ip_tables kernel module. moby/moby#49727
- docker service scale. docker/cli#5968
- docker images --tree now hides both untagged and dangling images by default. docker/cli#5924
- docker system info will provide an exit code if a connection cannot be established to the Docker daemon. docker/cli#5918
- image tag event not being emitted when building with BuildKit. moby/moby#49678
- docker push/pull handling of remote registry errors. moby/moby#49770
- docker ps and docker inspect. moby/moby#49724
- --link from a container in the default bridge network. moby/moby#49778
- GET /image/{name}/json now supports a platform parameter allowing to specify which platform variant of a multi-platform image to inspect. moby/moby#49586
- GET /info now returns a FirewallBackend containing information about the daemon's firewalling configuration. moby/moby#49761
- ContextType field from JSON output. docker/cli#5981
- AllowNondistributableArtifactsCIDRs and AllowNondistributableArtifactsHostnames fields in the RegistryConfig struct in the GET /info response are omitted in API v1.49. moby/moby#49749
- ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint were deprecated in API v1.48, and are now omitted in API v1.49. moby/moby#48556
- RunPull: this function was only used internally and will be removed in the next release. docker/cli#5975
- ConfigFile.Experimental field. Experimental CLI features are always enabled since version v20.10 and this field is no longer used. Use ConfigFile.Features instead for optional features. This field will be removed in a future release. docker/cli#5977
- pkg/archive, which was migrated to github.com/moby/go-archive. moby/moby#49743
- pkg/atomicwriter, which was migrated to github.com/moby/sys/atomicwriter. moby/moby#49748
- PortOpt, ConfigOpt, SecretOpt aliases. docker/cli#5953
- APIEndpoint.Official field. moby/moby#49706

{{< release-date date="2025-03-25" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker pull/push to fail when interacting with a private repository. docker/cli#5964

{{< release-date date="2025-03-25" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker run truncating the STDOUT/STDERR prematurely when the container exits before the data is consumed. docker/cli#5957
- runc to v1.2.6. moby/moby#49682

{{< release-date date="2025-03-19" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
- docker.cli.*) being unintentionally passed to downstream OTel services. docker/cli#5842
- OTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist. docker/cli#5842
- docker buildx prune with --min-free-space. moby/moby#49623
- io: read/write on closed pipe error in the daemon log when closing a container. moby/moby#49590
- /proc and /sys by default. moby/moby#49560
- contrib/check-config.sh to check for more kernel modules related to iptables. moby/moby#49622
- --user. moby/moby#49652
- reference for unknown type: application/vnd.in-toto+json warning being logged to the daemon's log. moby/moby#49652
- docker ps when running a large number of containers. moby/moby#49365
- DOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provide CONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptables raw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to 127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0. moby/moby#49621
- gateway_mode=routed network. moby/moby#49577
- docker ps to inconsistently report dual-stack port mappings. moby/moby#49657
- docker-proxy to stop forwarding UDP datagrams to containers. moby/moby#49649
- docker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly. moby/moby#49649
- cli-plugins/manager to a separate package. docker/cli#5902
- cli/command: Move PrettyPrint utility to cli/command/formatter. docker/cli#5916
- ErrConflictHostNetwork into ErrConflictConnectToHostNetwork and ErrConflictDisconnectFromHostNetwork. moby/moby#49605
- cli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds the OTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release. docker/cli#5881
- opts.PortOpt, opts.ConfigOpt and opts.SecretOpt. These types were moved to the opts/swarmopts package. docker/cli#5907
- service/logs package. docker/cli#5910
- cli/command/image: Deprecate PushTrustedReference and move to cli/trust. docker/cli#5894
- cli/command/image: Deprecate and internalize TrustedPush. docker/cli#5894
- cli/command: deprecate Cli.NotaryClient: use trust.GetNotaryRepository instead. This method is no longer used and will be removed in the next release. docker/cli#5885
- cli/command: deprecate Cli.RegistryClient. This method was only used internally and will be removed in the next release. Use client.NewRegistryClient instead. docker/cli#5889, docker/cli#5889
- registry: Deprecate RepositoryInfo.Official field. moby/moby#49567
- registry: deprecate HostCertsDir: this function was only used internally and will be removed in the next release. moby/moby#49612
- registry: deprecate SetCertsDir: the cert-directory is now automatically selected when running with RootlessKit, and should no longer be set manually. moby/moby#49612

{{< release-date date="2025-02-26" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
ip_set, ip_set_hash_net and netfilter_xt_set.
- --ip6tables=false. moby/moby#49525
- --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
- --config-only network. moby/moby#49521
- docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
- ip_set, ip_set_hash_net and netfilter_xt_set are not available. moby/moby#49524
- --help output and man page to state which options only apply to the default bridge network. moby/moby#49522
- docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
- docker exec/run returns a non-zero status. docker/cli#5854
- protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
- docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
- docker images --tree reporting wrong content size. moby/moby#49535
- github.com/go-jose/go-jose/v4 to v4.0.5 to address GHSA-c6gw-w398-hv78 / CVE-2025-27144. docker/cli#5867
- GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
- GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535

{{< release-date date="2025-02-19" >}}
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
--mount type=image. moby/moby#48798
--mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755docker images --tree now shows metadata badges docker/cli#5744docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331OOMScoreAdj to docker service create and docker stack. docker/cli#5145docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution./etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
/etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
eth, the container might fail to start.en0, or a numerical suffix high enough to never collide, for example eth100.docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….--network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372dockerd now requires ipset support in the Linux kernel. moby/moby#48596
iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTiptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKERACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.ip6tables policy for the FORWARD chain in the filter table to DROP if it enables IP forwarding on the host itself (sysctls net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). This is now aligned with existing IPv4 behaviour. moby/moby#48594
DROP, you may need to update your host's configuration to make sure it is secure.p/-publish is now blocked in the DOCKER iptables chain. moby/moby#48724
ACCEPT on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
gateway_mode_ipv[46]=nat-unprotected, described below.gateway_mode_ipv[46]=routed are now accessible from other bridge networks running on the same Docker host, as well as from outside the host. moby/moby#48596com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode nat-unprotected. moby/moby#48597
nat-unprotected is similar to the default nat mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode isolated, when the network is also internal. moby/moby#49262
internal network. So, processes on the Docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, 0.0.0.0 or ::).internal bridge network created with gateway mode isolated does not have an address on the Docker host.--gateway_mode_ipv[46], container creation will no longer fail. The unused fields may be needed if the gateway endpoint changes when networks are connected or disconnected. A message about the unused fields will be logged. moby/moby#48575docker network create option --ipv4. To disable IPv4 address assignment for a network, use docker network create --ipv4=false [...]. docker/cli#5599--ipv6 ("ipv6": true in daemon.json) can now be used without fixed-cidr-v6. moby/moby#48319host-gateway, for compatibility with IPv6-only networks. moby/moby#48807
  - host-gateway is used in an --add-host option in place of an address, it's replaced by an address on the Docker host to make it possible to refer to the host by name. The address used belongs to the default bridge (normally docker0). Until now it's always been an IPv4 address, because all containers on bridge networks had IPv4 addresses.
  - /etc/hosts entries will be created for IPv4 and IPv6 addresses. So, a container that's only connected to IPv6-only networks can access the host by name.
  - `--host-gateway-ip` option overrides the address used to replace host-gateway. Two of these options are now allowed on the command line, for one IPv4 gateway and one IPv6.
  - daemon.json file, to provide two addresses, use "host-gateway-ips". For example, `"host-gateway-ips": ["192.0.2.1", "2001:db8::1111"]`.
- dockerd. moby/moby#49339
- systemd auto-start on boot moby/moby#48812
- volume.subpath docker/cli#5833
- docker export continuing the export after the operation is canceled. moby/moby#49265
- docker export not releasing the container's writable layer after a failure. moby/moby#48517
- docker images --tree unnecessarily truncating long image names when multiple names are available docker/cli#5757
- docker ps to be properly bracketed docker/cli#5468
- docker run. docker/cli#5645
- docker run to be inconsistent when using --attach stdout or --attach stderr versus stdin. docker run --attach stdin now exits if the container exits. docker/cli#5662
- subid backed by NSS modules. moby/moby#49036
- docker ps in port bindings are now bracketed docker/cli#5363
- exec-opts in daemon configuration. moby/moby#48979
- `--gpus=0` flag to be consistent with the NVIDIA Container Runtime. moby/moby#48482
- client.ContainerCreate now normalizes CapAdd and CapDrop fields in HostConfig to their canonical form. moby/moby#48551
- docker image save now produces stable timestamps. moby/moby#48611
- docker inspect now lets you inspect Swarm configs docker/cli#5573
- Extracting layer status in docker pull. moby/moby#49064
- commit, import, and build not preserving a replaced image as a dangling image. moby/moby#48316
- docker load --platform return an error when the requested platform isn't loaded. moby/moby#48718
- `--link` option. docker/cli#5739
- com.docker.network.bridge.inhibit_ipv4, ipvlan or macvlan networks with no parent interface, and L3 IPvlan modes. moby/moby#49261
- GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372
- /etc/hosts entries when disconnecting a container from a network. moby/moby#48857
- fixed-cidr for docker0, and inferring configuration from a user-managed default bridge (--bridge). moby/moby#48319
- windows-dns-proxy, introduced in release 26.1.0 to control forwarding to external DNS resolvers from Windows containers, to make nslookup work. It was enabled by default in release 27.0.0. moby/moby#48738
- iptables mangle rule for checksumming SCTP. The rule can be re-enabled by setting DOCKER_IPTABLES_SCTP_CHECKSUM=1 in the daemon's environment. This override will be removed in a future release. moby/moby#48149
- runc to v1.2.5 (static binaries only). moby/moby#49464
- dockerd(8) man page has been moved back to the moby/moby repository itself. moby/moby#48298
- Client.ImageBuild() now omits default values from the API request's query string. moby/moby#48651
- api/types/container: Merge Stats and StatsResponse moby/moby#49287
- client.WithVersion: Strip v-prefix when setting API version moby/moby#49352
- client: Add WithTraceOptions allowing to specify custom OTel trace options. moby/moby#49415
- client: Add HijackDialer interface. moby/moby#49388
- client: Add SwarmManagementAPIClient interface to describe all API client methods related to Swarm-specific objects. moby/moby#49388
- client: ImageHistory, ImageLoad and ImageSave now use variadic functional options moby/moby#49466
- pkg/containerfs: Move to internal moby/moby#48097
- pkg/reexec: Can now be used on platforms other than Linux, Windows, macOS and FreeBSD moby/moby#49118
- api/types/container: introduce CommitResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444
- api/types/container: introduce ExecCreateResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444
- GET /images/{name}/json response now returns the Manifests field containing information about the sub-manifests contained in the image index. This includes things like platform-specific manifests and build attestations. moby/moby#48264
- POST /containers/create now supports Mount of type image for mounting an image inside a container. moby/moby#48798
- GET /images/{name}/history now supports a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to show the history of. moby/moby#48295
- POST /images/{name}/load and GET /images/{name}/get now support a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to load/save. Not passing this parameter results in loading/saving the full multi-platform image. moby/moby#48295
- POST /containers/create endpoint now includes a warning in the response when setting the container-wide VolumeDriver option in combination with volumes defined through Mounts because the VolumeDriver option has no effect on those volumes. This warning was previously generated by the CLI. moby/moby#48789
- GET /images/json and GET /images/{name}/json responses now include a Descriptor field, which contains an OCI descriptor of the image target. The new field is only populated if the daemon provides a multi-platform image store. moby/moby#48894
- GET /containers/{name}/json now returns an ImageManifestDescriptor field containing the OCI descriptor of the platform-specific image manifest of the image that was used to create the container. moby/moby#48855
- GET /debug/vars, GET /debug/pprof/, GET /debug/pprof/cmdline, GET /debug/pprof/profile, GET /debug/pprof/symbol, GET /debug/pprof/trace, GET /debug/pprof/{name}) are now also accessible through the versioned-API paths (/v<API-version>/<endpoint>). moby/moby#49051
- 500 status code instead of 400 for validation errors. moby/moby#49217
- HEAD /containers/{name:.*}/archive, GET /containers/{name:.*}/archive, PUT /containers/{name:.*}/archive returning a 500 status instead of a 400 status. moby/moby#49219
- POST /containers/create now accepts a writable-cgroups=true option in HostConfig.SecurityOpt to mount the container's cgroups writable. This provides a more granular approach than HostConfig.Privileged. moby/moby#48828
- POST /build/prune renames keep-bytes to reserved-space and now supports additional prune parameters max-used-space and min-free-space. moby/moby#48720
- POST /networks/create now has an EnableIPv4 field. Setting it to false disables IPv4 IPAM for the network. moby/moby#48271
  - GET /networks/{id} now returns an EnableIPv4 field showing whether the network has IPv4 IPAM enabled. moby/moby#48271
- docker0). moby/moby#48323
- macvlan and ipvlan networks can be created with address assignment disabled for IPv4, IPv6, or both address families. moby/moby#48299
- POST /networks/{id}/connect and POST /containers/create now accept a GwPriority field in EndpointsConfig. This value is used to determine which network endpoint provides the default gateway for the container. The endpoint with the highest priority is selected. If multiple endpoints have the same priority, endpoints are sorted lexicographically by their network name, and the one that sorts first is picked. moby/moby#48746
- GET /containers/json now returns a GwPriority field in NetworkSettings for each network endpoint. The GwPriority field is used by the CLI’s new gw-priority option for docker run and docker network connect. moby/moby#48746
- eth0 in --sysctl options are no longer automatically migrated to the network endpoint. moby/moby#48746
  - `docker run --network mynet --sysctl net.ipv4.conf.eth0.log_martians=1 ...` is rejected. Instead, you must use `docker run --network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1 ...`
- GET /containers/json now returns an ImageManifestDescriptor field matching the same field in /containers/{name}/json. This field is only populated if the daemon provides a multi-platform image store. moby/moby#49407
- fluentd-async-connect has been deprecated in v20.10 and is now removed. moby/moby#46114
- `--time` option on docker stop and docker restart is deprecated and renamed to --timeout. docker/cli#5485
- pkg/ioutils: Remove NewReaderErrWrapper as it was never used. moby/moby#49258
- pkg/ioutils: Remove deprecated BytesPipe, NewBytesPipe, ErrClosed, WriteCounter, NewWriteCounter, NewReaderErrWrapper, NopFlusher. moby/moby#49245
- pkg/ioutils: Remove deprecated NopWriter and NopWriteCloser. moby/moby#49256
- pkg/sysinfo: Remove deprecated NumCPU. moby/moby#49242
- pkg/broadcaster, as it was only used internally moby/moby#49172
- cli.Errors type docker/cli#5549
- pkg/ioutils.ReadCloserWrapper, as it was only used in tests. moby/moby#49237
- api-cors-header config parameter and the dockerd --api-cors-header option moby/moby#48209
- APIEndpoint.Version field, APIVersion type, and APIVersion1 and APIVersion2 consts. moby/moby#49004
- api-cors-header config parameter and the Docker daemon's --api-cors-header option. docker/cli#5437
- pkg/directory package moby/moby#48779
- pkg/dmsg.Dmesg() moby/moby#48109
- github.com/moby/docker-image-spec) moby/moby#48460
- logentries logging driver. moby/moby#48891
- api/types: Remove deprecated container.ContainerNode and ContainerJSONBase.Node field. moby/moby#48107
- api/types: Remove deprecated aliases: ImagesPruneReport, VolumesPruneReport, NetworkCreateRequest, NetworkCreate, NetworkListOptions, NetworkCreateResponse, NetworkInspectOptions, NetworkConnect, NetworkDisconnect, EndpointResource, NetworkResource, NetworksPruneReport, ExecConfig, ExecStartCheck, ContainerExecInspect, ContainersPruneReport, ContainerPathStat, CopyToContainerOptions, ContainerStats, ImageSearchOptions, ImageImportSource, ImageLoadResponse, ContainerNode. moby/moby#48107
- libnetwork/iptables: Remove deprecated IPV, Iptables, IP6Tables and Passthrough(). moby/moby#49121
- pkg/archive: Remove deprecated CanonicalTarNameForPath, NewTempArchive, TempArchive moby/moby#48708
- pkg/fileutils: Remove deprecated GetTotalUsedFds moby/moby#49210
- pkg/ioutils: Remove OnEOFReader, which was only used internally moby/moby#49170
- pkg/longpath: Remove deprecated Prefix constant. moby/moby#48779
- pkg/stringid: Remove deprecated IsShortID and ValidateID functions moby/moby#48705
- runconfig/opts: Remove deprecated ConvertKVStringsToMap moby/moby#48102
- runconfig: Remove deprecated ContainerConfigWrapper, SetDefaultNetModeIfBlank, DefaultDaemonNetworkMode, IsPreDefinedNetwork moby/moby#48102
- container: Remove deprecated ErrNameReserved, ErrNameNotReserved. moby/moby#48728
- Daemon.ContainerInspectCurrent() method and change Daemon.ContainerInspect() signature to accept a backend.ContainerInspectOptions struct moby/moby#48672
- Daemon.Exists() and Daemon.IsPaused() methods. moby/moby#48723
- BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response are now always false and will be omitted in API v1.49. The netfilter module is now loaded on-demand, and no longer during daemon startup, making these fields obsolete. moby/moby#49114
- error and progress fields in streaming responses for endpoints that return a JSON progress response, such as POST /images/create, POST /images/{name}/push, and POST /build are deprecated. moby/moby#49447
  - errorDetail and progressDetail fields instead.
- Daemon.Register(). This function is unused and will be removed in the next release. moby/moby#48702
- client.ImageInspectWithRaw function in favor of the new client.ImageInspect. moby/moby#48264
- daemon/config.Config.ValidatePlatformConfig(). This method was used as a helper for config.Validate, which should be used instead. moby/moby#48985
- pkg/reexec. This package is deprecated and moved to a separate module. Use github.com/moby/sys/reexec instead. moby/moby#49129
- `--allow-nondistributable-artifacts` daemon flag and corresponding allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take effect, but a deprecation warning log is added. moby/moby#49065
- RegistryConfig.AllowNondistributableArtifactsCIDRs and RegistryConfig.AllowNondistributableArtifactsHostnames fields in the GET /info API response. For API version v1.48 and older, the fields are still included in the response, but always null. In API version v1.49 and later, the field will be omitted entirely. moby/moby#49065
- registry.ServiceOptions.AllowNondistributableArtifacts field. moby/moby#49065
- BridgeNfIptables, BridgeNfIp6tables fields in api/types/system.Info and BridgeNFCallIPTablesDisabled, BridgeNFCallIP6TablesDisabled fields in pkg/sysinfo.SysInfo are deprecated and will be removed in the next release. moby/moby#49114
- client: Deprecate CommonAPIClient interface in favor of the APIClient interface. The CommonAPIClient will be changed to an alias for APIClient in the next release, and removed in the release after. moby/moby#49388
- client: Deprecate ErrorConnectionFailed helper. This function was only used internally, and will be removed in the next release. moby/moby#49389
- pkg/ioutils: Deprecate NewAtomicFileWriter, AtomicWriteFile, AtomicWriteSet, NewAtomicWriteSet in favor of pkg/atomicwriter equivalents. moby/moby#49171
- pkg/sysinfo: Deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. moby/moby#49241
- pkg/system: Deprecate MkdirAll. This function provided custom handling for Windows GUID volume paths. Handling for such paths is now supported by the Go standard library in go1.22 and newer, and this function is now an alias for os.MkdirAll, which should be used instead. This alias will be removed in the next release. moby/moby#49162
- pkg/parsers.ParseKeyValueOpt. moby/moby#49177
- pkg/parsers.ParseUintListMaximum, pkg/parsers.ParseUintList. These utilities were only used internally and will be removed in the next release. moby/moby#49222
- api/types.IDResponse in favor of container.CommitResponse and container.ExecCreateResponse, which are currently an alias, but may become distinct types in a future release. This type will be removed in the next release. moby/moby#49446
- api/types/container.ContainerUpdateOKBody in favor of UpdateResponse. This type will be removed in the next release. moby/moby#49442
- api/types/container.ContainerTopOKBody in favor of TopResponse. This type will be removed in the next release. moby/moby#49442
- pkg/jsonmessage: Fix deprecation of ProgressMessage, ErrorMessage, which were deprecated in Docker v0.6.0 and v0.7.1 respectively. moby/moby#49447
- GraphDriverData from api/types to api/types/storage. The old type is deprecated and will be removed in the next release. moby/moby#48108
- RequestPrivilegeFunc from api/types to api/types/registry. The old type is deprecated and will be removed in the next release. moby/moby#48119
- api/types to api/types/container - NetworkSettings, NetworkSettingsBase, DefaultNetworkSettings, SummaryNetworkSettings, Health, HealthcheckResult, NoHealthcheck, Starting, Healthy, and Unhealthy constants, MountPoint, Port, ContainerState, Container, ContainerJSONBase, ContainerJSON, ContainerNode. The old types are deprecated and will be removed in the next release. moby/moby#48108
- api/types to api/types/image - ImageInspect, RootFS. The old types are deprecated and will be removed in the next release. moby/moby#48108
- ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint are deprecated and will be omitted in API v1.49. moby/moby#48478
- api/types/registry: Deprecate ServiceConfig.AllowNondistributableArtifactsCIDRs and ServiceConfig.AllowNondistributableArtifactsHostnames fields. These fields will be removed in the next release. moby/moby#49065
- api/types/system/Commit.Expected field is deprecated and should no longer be used. moby/moby#48478
- daemon/graphdriver: Deprecate GetDriver() moby/moby#48079
- libnetwork/iptables: Deprecate Passthrough. This function was only used internally, and will be removed in the next release. moby/moby#49115
- pkg/directory.Size() function is deprecated, and will be removed in the next release. moby/moby#48057
- registry: Deprecate APIEndpoint.TrimHostName; hostname is now trimmed unconditionally for remote names. This field will be removed in the next release. moby/moby#49005
- allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take effect, but a deprecation warning log is added to raise awareness about the deprecation. This warning is planned to become an error in the next release. moby/moby#49065
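
The ip6tables note earlier in these release notes (moby/moby#48594) leaves the filter-FORWARD policy to the host when the host already enables IPv6 forwarding. As an added example (not from the Docker documentation or the moby project), the script below flags that combination and counts FORWARD rules that reference the `docker-ext-bridges-v[46]` sets named in the `iptables -D` commands on this page. The function names, the `--live` switch and the sample rule dump are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of "ip6tables -S FORWARD" output (not captured from a real host).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER'

# forward_policy RULES: print the policy from the "-P FORWARD <policy>" line.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# count_ext_bridge_rules RULES: count rules that match a docker-ext-bridges ipset.
count_ext_bridge_rules() {
    printf '%s\n' "$1" |
        awk '/--match-set docker-ext-bridges-v[46] / { n++ } END { print n + 0 }'
}

# assess_ipv6_forward ALL_FORWARDING DEFAULT_FORWARDING RULES
# Returns 0 = nothing to do, 1 = review the host firewall, 2 = policy not found.
assess_ipv6_forward() {
    fwd_all=$1
    fwd_default=$2
    policy=$(forward_policy "$3")
    if [ -z "$policy" ]; then
        echo "UNKNOWN: no '-P FORWARD' line in input"
        return 2
    fi
    if [ "$fwd_all" != "1" ] && [ "$fwd_default" != "1" ]; then
        echo "OK: IPv6 forwarding is off (policy $policy)"
        return 0
    fi
    if [ "$policy" = "DROP" ]; then
        echo "OK: IPv6 forwarding is on and the filter-FORWARD policy is DROP"
        return 0
    fi
    echo "REVIEW: IPv6 forwarding is on and the filter-FORWARD policy is $policy"
    return 1
}

# Live mode (assumed switch): read the real values; ip6tables needs root.
if [ "${1:-}" = "--live" ]; then
    rules=$(ip6tables -S FORWARD)
    echo "docker-ext-bridges rules in FORWARD: $(count_ext_bridge_rules "$rules")"
    assess_ipv6_forward \
        "$(sysctl -n net.ipv6.conf.all.forwarding)" \
        "$(sysctl -n net.ipv6.conf.default.forwarding)" \
        "$rules"
fi
```

A `REVIEW` result means traffic forwarded to container addresses is governed only by the rules in the chain, so the host's own firewall configuration has to supply the default-deny.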