The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
volume-subpath support to the mount flag (--mount type=volume,...,volume-subpath=<subpath>). docker/cli#4331
= separators and [ipv6] in compose files for docker stack deploy. docker/cli#4860
DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK environment variable to false (defaults to true). This lets containers connect to the host by using IP address 10.0.2.2. moby/moby#47352
docker image ls no longer creates duplicates entries for multi-platform images. moby/moby#45967
[!WARNING]
Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses, they must be re-created. Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
/etc/hosts if successful. moby/moby#47062
[!NOTE]
By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network. For example, containers that are only connected to an IPv4-only network now have the
::1address on their loopback interface.To disable IPv6 in a container, use option
--sysctl net.ipv6.conf.all.disable_ipv6=1in thecreateorruncommand, or the equivalentsysctlsoption in the service configuration section of a Compose file.If IPv6 is not available in a container because it has been explicitly disabled for the container, or the host's networking stack does not have IPv6 enabled (or for any other reason) the container's
/etc/hostsfile will not include IPv6 entries.
ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
docker container start failing when used with --checkpoint. moby/moby#47456
docker image ls with ambiguous argument. docker/cli#4849
@docker_cli_[UUID] files on OpenBSD. docker/cli#4862
resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
--userns-remap option is used. moby/moby#46786
Pulling fs layer status. moby/moby#47432
GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no results, while is-automated=false will be a no-op. moby/moby#47465
Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430
Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430
Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
Remove deprecated API versions (API < v1.24) moby/moby#47155
Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
image: remove deprecated IDFromDigest moby/moby#47198
Remove the deprecated github.com/docker/docker/pkg/loopback package. moby/moby#47128
pkg/system: remove deprecated ErrNotSupportedOperatingSystem, IsOSSupported moby/moby#47129
pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
The daemon flag --oom-score-adjust was deprecated in v24.0 and is now removed. moby/moby#46113
Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
These aliases are now removed: types.Info, types.Commit, types.PluginsInfo, types.NetworkAddressPool, types.Runtime, types.SecurityOpt, types.KeyValue, types.DecodeSecurityOptions, types.CheckpointCreateOptions, types.CheckpointListOptions, types.CheckpointDeleteOptions, types.Checkpoint, types.ImageDeleteResponseItem, types.ImageSummary, types.ImageMetadata, types.ServiceUpdateResponse, types.ServiceCreateResponse, types.ResizeOptions, types.ContainerAttachOptions, types.ContainerCommitOptions, types.ContainerRemoveOptions, types.ContainerStartOptions, types.ContainerListOptions, types.ContainerLogsOptions
cli/command/container: remove deprecated NewStartOptions() docker/cli#4811
cli/command: remove deprecated DockerCliOption, InitializeOpt docker/cli#4810
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
docker images performance. moby/moby#47580
resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
image list not showing images when an image that has no locally available platforms is encountered.open /etc/docker/plugins: permission denied moby/moby#47559
Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430
Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
Update Buildkit to v0.13.1. moby/moby#47582
Update Compose to v2.25.0. docker/docker-ce-packaging#1002
Add Ubuntu Noble packages. docker/docker-ce-packaging#1006
Add Fedora 40 packages. docker/docker-ce-packaging#1005
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
rootless: fix open /etc/docker/plugins: permission denied. moby/moby#47587
Fix multiple parallel docker build runs leaking disk space. moby/moby#47527
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK to false, defaults true. It allows to connect to host by using 10.0.2.2 IP moby/moby#47352
docker build runs leaking disk space. moby/moby#47523
docker pull regression introduced in rc1 causing a wrong pull progress message moby/moby#47475
ERROR: failed to solve: unknown blob <digest> in history. moby/moby#47520
is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no results, while is-automated=false will be a no-op. moby/moby#47465
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
docker start failing when used with --checkpoint moby/moby#47466
Pulling fs layer status moby/moby#47484
GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
NetworkMode name-or-id is not the same as the name-or-id used in NetworkSettings.Networks. moby/moby#47510
Full Changelog: https://github.com/moby/moby/compare/v25.0.3...v25.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
volume-subpath option to mount flag (--mount type=volume,...,volume-subpath=<subpath>) docker/cli#4331
image list will no longer produce multiple duplicates image entries for multi-platform images moby/moby#45967
= separators and [ipv6] in compose files for docker stack deploy docker/cli#4860
ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
docker start failing when used with --checkpoint moby/moby#47456
@docker_cli_[UUID] files on OpenBSD https://github.com/docker/cli/pull/4862
--userns-remap option is used moby/moby#46786
Pulling fs layer status moby/moby#47432
[!NOTE]
Containers created using 25.0.0 may have duplicate MAC addresses, they must be re-created. Containers created using 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
github.com/docker/docker/pkg/loopback package. moby/moby#47128
ErrNotSupportedOperatingSystem, IsOSSupported moby/moby#47129
--oom-score-adjust has been deprecated in v24.0 and is now removed. moby/moby#46113
types.Info, types.Commit, types.PluginsInfo, types.NetworkAddressPool, types.Runtime, types.SecurityOpt, types.KeyValue, types.DecodeSecurityOptions, types.CheckpointCreateOptions, types.CheckpointListOptions, types.CheckpointDeleteOptions, types.Checkpoint, types.ImageDeleteResponseItem, types.ImageSummary, types.ImageMetadata, types.ServiceUpdateResponse, types.ServiceCreateResponse, types.ResizeOptions, types.ContainerAttachOptions, types.ContainerCommitOptions, types.ContainerRemoveOptions, types.ContainerStartOptions, types.ContainerListOptions, types.ContainerLogsOptions
NewStartOptions() docker/cli#4811
DockerCliOption, InitializeOptdocker/cli#4810
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
containerd image store: Fix a bug where docker image history would fail if a manifest wasn't found in the content store. moby/moby#47348
Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304
Note
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
- Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.
docker save <image>@<digest> producing an OCI archive with index without manifests. moby/moby#47294
internal network. moby/moby#47303
ipv6 daemon option was ignored. moby/moby#47310
journald log driver preventing container logs from being followed correctly with systemd version 255. moby/moby47243
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
| CVE | Component | Fix version | Severity |
|---|---|---|---|
| CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
| CVE-2024-24557 | Docker Engine | 24.0.9 | Medium, CVSS 6.9 |
Important ⚠️
Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:
To address these vulnerabilities, upgrade to Docker Engine v25.0.2.
For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
| CVE | Component | Fix version | Severity |
|---|---|---|---|
| CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
| CVE-2024-23651 | BuildKit | 1.12.5 | High, CVSS 8.7 |
| CVE-2024-23652 | BuildKit | 1.12.5 | High, CVSS 8.7 |
| CVE-2024-23653 | BuildKit | 1.12.5 | High, CVSS 7.7 |
| CVE-2024-23650 | BuildKit | 1.12.5 | Medium, CVSS 5.5 |
| CVE-2024-24557 | Docker Engine | 25.0.2 | Medium, CVSS 6.9 |
The potential impacts of the above vulnerabilities include:
For more information about the security issues addressed in this release, refer to the blog post. For details about each vulnerability, see the relevant security advisory: