Docker Engine release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Engine.

Note: As of Docker Engine 18.09, the client and container runtime are in separate packages from the daemon. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io. See the install instructions for the corresponding Linux distribution for details.

Version 20.10

20.10.2

2021-01-04

Runtime

  • Fix a daemon startup hang when restoring containers that have restart policies but keep failing to start moby/moby#41729
  • overlay2: fix an off-by-one error that prevented building or running containers when data-root is 24 bytes long moby/moby#41830
  • systemd: send sd_notify STOPPING=1 when shutting down moby/moby#41832

Networking

Swarm

  • Fix filtering for replicated-job and global-job service modes moby/moby#41806

Packaging

20.10.1

2020-12-14

Builder

Packaging

20.10.0

2020-12-08

Deprecation / Removal

For an overview of all deprecated features, refer to the Deprecated Engine Features page.

API

  • Update API version to v1.41
  • Do not require “experimental” for metrics API moby/moby#40427
  • GET /events now returns prune events after pruning of resources has completed moby/moby#41259
    • Prune events are returned for container, network, volume, image, and builder, and have a reclaimed attribute, indicating the amount of space reclaimed (in bytes)
  • Add one-shot stats option to not prime the stats moby/moby#40478
  • Add OS version info to the system info API (/info) moby/moby#38349
  • Add DefaultAddressPools to docker info moby/moby#40714
  • Add API support for PidsLimit on services moby/moby#39882

Builder

  • buildkit,dockerfile: Support for RUN --mount options without needing to specify experimental dockerfile #syntax directive. moby/buildkit#1717
  • dockerfile: ARG command now supports defining multiple build args on the same line similarly to ENV moby/buildkit#1692
  • dockerfile: --chown flag in ADD now allows parameter expansion moby/buildkit#1473
  • buildkit: Fetching authorization tokens has been moved to client-side (if the client supports it). Passwords do not leak into the build daemon anymore and users can see from build output when credentials or tokens are accessed. moby/buildkit#1660
  • buildkit: Connection errors while communicating with the registry for push and pull now trigger a retry moby/buildkit#1791
  • buildkit: Git source now supports token authentication via build secrets moby/moby#41234 docker/cli#2656 moby/buildkit#1533
  • buildkit: Building from git source now supports forwarding SSH socket for authentication moby/buildkit#1782
  • buildkit: Prevent builds that generate excessive logs from crashing or slowing down the build. Clipping is performed if needed. moby/buildkit#1754
  • buildkit: Change default Seccomp profile to the one provided by Docker moby/buildkit#1807
  • buildkit: Support for exposing SSH agent socket on Windows has been improved moby/buildkit#1695
  • buildkit: Disable truncating by default when using --progress=plain moby/buildkit#1435
  • buildkit: Better handle a client session dropping while it is shared by multiple builds moby/buildkit#1551
  • buildkit: secrets: allow providing secrets with env moby/moby#41234 docker/cli#2656 moby/buildkit#1534
    • Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file.
    • --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.
  • buildkit: Support for mirrors fallbacks, insecure TLS and custom TLS config moby/moby#40814
  • buildkit: remotecache: Only visit each item once when walking results moby/moby#41234 moby/buildkit#1577
    • Improves performance and CPU use on bigger graphs
  • buildkit: Check remote when local image platform doesn’t match moby/moby#40629
  • buildkit: image export: Use correct media type when creating new layer blobs moby/moby#41234 moby/buildkit#1541
  • buildkit: progressui: fix logs time formatting moby/moby#41234 docker/cli#2656 moby/buildkit#1549
  • buildkit: mitigate containerd issue on parallel push moby/moby#41234 moby/buildkit#1548
  • buildkit: inline cache: fix handling of duplicate blobs moby/moby#41234 moby/buildkit#1568
    • Fixes https://github.com/moby/buildkit/issues/1388 cache-from working unreliably
    • Fixes https://github.com/moby/moby/issues/41219 Image built from cached layers is missing data
  • Allow ssh:// for remote context URLs moby/moby#40179
  • builder: remove legacy build’s session handling (was experimental) moby/moby#39983

Client

  • Add swarm jobs support to CLI docker/cli#2262
  • Add -a/--all-tags to docker push docker/cli#2220
  • Add support for Kubernetes username/password auth docker/cli#2308
  • Add --pull=missing|always|never to run and create commands docker/cli#1498
  • Add --env-file flag to docker exec for parsing environment variables from a file docker/cli#2602
  • Add shorthand -n for --tail option docker/cli#2646
  • Add log-driver and options to service inspect “pretty” format docker/cli#1950
  • docker run: specify cgroup namespace mode with --cgroupns docker/cli#2024
  • docker manifest rm command to remove manifest list draft from local storage docker/cli#2449
  • Add “context” to “docker version” and “docker info” docker/cli#2500
  • Propagate platform flag to container create API docker/cli#2551
  • The docker ps --format flag now has a .State placeholder to print the container’s state without additional details about uptime and health check docker/cli#2000
  • Add support for docker-compose schema v3.9 docker/cli#2073
  • Add support for docker push --quiet docker/cli#2197
  • Hide flags that are not supported by BuildKit, if BuildKit is enabled docker/cli#2123
  • Update flag description for docker rm -v to clarify the option only removes anonymous (unnamed) volumes docker/cli#2289
  • Improve tasks printing for docker services docker/cli#2341
  • docker info: list CLI plugins alphabetically docker/cli#2236
  • Fix order of processing of --label-add/--label-rm, --container-label-add/--container-label-rm, and --env-add/--env-rm flags on docker service update to allow replacing existing values docker/cli#2668
  • Fix docker rm --force returning a non-zero exit code if one or more containers did not exist docker/cli#2678
  • Improve memory stats display by using total_inactive_file instead of cache docker/cli#2415
  • Mitigate against YAML files that have excessive aliasing docker/cli#2117
  • Allow using advanced syntax when setting a config or secret with only the source field docker/cli#2243
  • Fix reading config files containing username and password auth even if auth is empty docker/cli#2122
  • docker cp: prevent NPE when failing to stat destination docker/cli#2221
  • config: preserve ownership and permissions on configfile docker/cli#2228

Logging

  • Support reading docker logs with all logging drivers (best effort) moby/moby#40543
  • Add splunk-index-acknowledgment log option to work with Splunk HECs with index acknowledgment enabled moby/moby#39987
  • Add partial metadata to journald logs moby/moby#41407
  • Reduce allocations for logfile reader moby/moby#40796
  • Fluentd: add fluentd-async, fluentd-request-ack, and deprecate fluentd-async-connect moby/moby#39086

Runtime

Networking

Packaging

Rootless

Security

  • Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612
  • seccomp: Whitelist clock_adjtime. CAP_SYS_TIME is still required for time adjustment moby/moby#40929
  • seccomp: Add openat2 and faccessat2 to default seccomp profile moby/moby#41353
  • seccomp: allow ‘rseq’ syscall in default seccomp profile moby/moby#41158
  • seccomp: allow syscall membarrier moby/moby#40731
  • seccomp: whitelist io-uring related system calls moby/moby#39415
  • Add default sysctls to allow ping sockets and privileged ports with no capabilities moby/moby#41030
  • Fix seccomp profile for clone syscall moby/moby#39308
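
The seccomp entries above change Docker's default profile only, so a custom profile passed with --security-opt seccomp=... does not pick them up. The following added example (not part of the original release notes or of Docker's code) reports how a custom profile treats the syscalls named in this list. The sample profile is constructed, and the three io_uring syscall names are filled in from the Linux syscall table because the notes only say "io-uring related".

```python
import json

# Syscalls named in the 20.10.0 Security notes. The three io_uring names are the
# Linux io_uring syscalls; the notes themselves only say "io-uring related".
NEWLY_ALLOWED = (
    "clock_adjtime", "openat2", "faccessat2", "rseq", "membarrier",
    "io_uring_setup", "io_uring_enter", "io_uring_register",
)

# Constructed sample: a custom allowlist profile pinned before these changes.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["openat", "faccessat", "membarrier"], "action": "SCMP_ACT_ALLOW"},
    {"name": "rseq", "action": "SCMP_ACT_ALLOW"},
    {"names": ["clock_adjtime", "clock_settime"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}}
  ]
}
""")

def classify(profile):
    """Map each syscall to 'allowed', 'conditional' or 'blocked'."""
    # Assumes an allowlist-style profile: anything without an allow rule
    # falls through to a denying defaultAction.
    status = {name: "blocked" for name in NEWLY_ALLOWED}
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Rules carry either a "names" list or the older single "name" field.
        names = rule.get("names") or ([rule["name"]] if rule.get("name") else [])
        # Argument filters or capability/arch conditions make the allow partial.
        conditional = any(rule.get(k) for k in ("args", "includes", "excludes"))
        for name in names:
            if name not in status:
                continue
            if not conditional:
                status[name] = "allowed"
            elif status[name] == "blocked":
                status[name] = "conditional"
    return status

def blocked(profile):
    """Syscalls from the notes that the profile never allows."""
    return sorted(n for n, s in classify(profile).items() if s == "blocked")

if __name__ == "__main__":
    for name, state in classify(SAMPLE_PROFILE).items():
        print(f"{name:20} {state}")
```

To audit a real profile, load it with json.load() and pass the resulting dict to classify().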

Swarm
