The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
`Subpath` field to the `VolumeOptions` making it possible to mount a subpath of a volume. moby/moby#45687
`volume-subpath` support to the mount flag (`--mount type=volume,...,volume-subpath=<subpath>`). docker/cli#4331
`=` separators and `[ipv6]` in compose files for `docker stack deploy`. docker/cli#4860
`DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK` environment variable to `false` (defaults to `true`). This lets containers connect to the host by using IP address `10.0.2.2`. moby/moby#47352
`docker image ls` no longer creates duplicate entries for multi-platform images. moby/moby#45967
[!WARNING]
Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses; they must be re-created. Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
`/etc/hosts` if successful. moby/moby#47062
[!NOTE]
By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network. For example, containers that are only connected to an IPv4-only network now have the `::1` address on their loopback interface.
To disable IPv6 in a container, use option `--sysctl net.ipv6.conf.all.disable_ipv6=1` in the `create` or `run` command, or the equivalent `sysctls` option in the service configuration section of a Compose file.
If IPv6 is not available in a container because it has been explicitly disabled for the container, or the host's networking stack does not have IPv6 enabled (or for any other reason) the container's `/etc/hosts` file will not include IPv6 entries.
`ADD` Dockerfile instruction failing with `lsetxattr <file>: operation not supported` when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
`docker container start` failing when used with `--checkpoint`. moby/moby#47456
`docker image ls` with ambiguous argument. docker/cli#4849
`@docker_cli_[UUID]` files on OpenBSD. docker/cli#4862
`resolv.conf` as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's `resolv.conf`. moby/moby#47512
`--userns-remap` option is used. moby/moby#46786
`Pulling fs layer` status. moby/moby#47432
`GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
`Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
`is_automated` field in the `POST /images/search` endpoint results is always `false` now. Consequently, searching for `is-automated=true` will yield no results, while `is-automated=false` will be a no-op. moby/moby#47465
`Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
Remove `Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
Remove deprecated API versions (API < v1.24) moby/moby#47155
Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
image: remove deprecated IDFromDigest moby/moby#47198
Remove the deprecated `github.com/docker/docker/pkg/loopback` package. moby/moby#47128
pkg/system: remove deprecated `ErrNotSupportedOperatingSystem`, `IsOSSupported` moby/moby#47129
pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
The daemon flag `--oom-score-adjust` was deprecated in v24.0 and is now removed. moby/moby#46113
Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
These aliases are now removed: `types.Info`, `types.Commit`, `types.PluginsInfo`, `types.NetworkAddressPool`, `types.Runtime`, `types.SecurityOpt`, `types.KeyValue`, `types.DecodeSecurityOptions`, `types.CheckpointCreateOptions`, `types.CheckpointListOptions`, `types.CheckpointDeleteOptions`, `types.Checkpoint`, `types.ImageDeleteResponseItem`, `types.ImageSummary`, `types.ImageMetadata`, `types.ServiceUpdateResponse`, `types.ServiceCreateResponse`, `types.ResizeOptions`, `types.ContainerAttachOptions`, `types.ContainerCommitOptions`, `types.ContainerRemoveOptions`, `types.ContainerStartOptions`, `types.ContainerListOptions`, `types.ContainerLogsOptions`
cli/command/container: remove deprecated `NewStartOptions()` docker/cli#4811
cli/command: remove deprecated `DockerCliOption`, `InitializeOpt` docker/cli#4810
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
`docker images` performance. moby/moby#47580
`resolv.conf` as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's `resolv.conf`. moby/moby#47512
`image list` not showing images when an image that has no locally available platforms is encountered. `open /etc/docker/plugins: permission denied` moby/moby#47559
`Container` and `ContainerConfig` fields from the `GET /images/{name}/json` response. moby/moby#47430
Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
Update Buildkit to v0.13.1. moby/moby#47582
Update Compose to v2.25.0. docker/docker-ce-packaging#1002
Add Ubuntu Noble packages. docker/docker-ce-packaging#1006
Add Fedora 40 packages. docker/docker-ce-packaging#1005
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
rootless: fix `open /etc/docker/plugins: permission denied`. moby/moby#47587
Fix multiple parallel `docker build` runs leaking disk space. moby/moby#47527
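A host-side check for the condition described in the CVE-2024-29018 entry above: a DNS server on a loopback address on the host, combined with containers connected only to 'internal' networks. This is an added example, not code from the Moby project; the sample `resolv.conf` and the trimmed `docker network inspect` data are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a host /etc/resolv.conf as systemd-resolved writes it.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal
"""

# Constructed sample: trimmed `docker network inspect` output for three networks.
SAMPLE_NETWORKS = [
    {"Name": "backend", "Internal": True,
     "Containers": {"id1": {"Name": "db"}, "id2": {"Name": "api"}}},
    {"Name": "frontend", "Internal": False,
     "Containers": {"id2": {"Name": "api"}, "id3": {"Name": "web"}}},
    {"Name": "vault", "Internal": True, "Containers": {}},
]


def loopback_resolvers(resolv_conf):
    """Return the nameserver entries that point at a loopback address."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, options, search lines
        try:
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])  # drop zone id
        except ValueError:
            continue  # malformed entry
        if addr.is_loopback:
            found.append(fields[1])
    return found


def internal_only_containers(networks):
    """Names of containers attached to 'internal' networks and to nothing else."""
    internal, other = set(), set()
    for net in networks:
        names = {c["Name"] for c in (net.get("Containers") or {}).values()}
        (internal if net.get("Internal") else other).update(names)
    return sorted(internal - other)


def exposed_before_fix(resolv_conf, networks):
    """Containers whose DNS queries could leave an internal network pre-fix."""
    return internal_only_containers(networks) if loopback_resolvers(resolv_conf) else []
```

To run it against a real host, pass the contents of the host's `/etc/resolv.conf` and the parsed JSON from `docker network inspect $(docker network ls -q)`.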
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
`DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK` to false (defaults to true). This allows connecting to the host by using the IP address 10.0.2.2. moby/moby#47352
`docker build` runs leaking disk space. moby/moby#47523
`docker pull` regression introduced in rc1 causing a wrong pull progress message moby/moby#47475
`ERROR: failed to solve: unknown blob <digest> in history`. moby/moby#47520
`is_automated` field in the `POST /images/search` endpoint results is always `false` now. Consequently, searching for `is-automated=true` will yield no results, while `is-automated=false` will be a no-op. moby/moby#47465
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
`docker start` failing when used with `--checkpoint` moby/moby#47466
`Pulling fs layer` status moby/moby#47484
`GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
`Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
`NetworkMode` name-or-id is not the same as the name-or-id used in `NetworkSettings.Networks`. moby/moby#47510
Full Changelog: https://github.com/moby/moby/compare/v25.0.3...v25.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
`Subpath` field to the `VolumeOptions` making it possible to mount a subpath of a volume. moby/moby#45687
`volume-subpath` option to mount flag (`--mount type=volume,...,volume-subpath=<subpath>`) docker/cli#4331
`image list` will no longer produce multiple duplicate image entries for multi-platform images moby/moby#45967
`=` separators and `[ipv6]` in compose files for `docker stack deploy` docker/cli#4860
`ADD` Dockerfile instruction failing with `lsetxattr <file>: operation not supported` when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
`docker start` failing when used with `--checkpoint` moby/moby#47456
`@docker_cli_[UUID]` files on OpenBSD https://github.com/docker/cli/pull/4862
`--userns-remap` option is used moby/moby#46786
`Pulling fs layer` status moby/moby#47432
[!NOTE]
Containers created using 25.0.0 may have duplicate MAC addresses; they must be re-created. Containers created using 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.
`GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing from the image config. moby/moby#47451
`Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API version <= 1.43. moby/moby#47387
`github.com/docker/docker/pkg/loopback` package. moby/moby#47128
`ErrNotSupportedOperatingSystem`, `IsOSSupported` moby/moby#47129
`--oom-score-adjust` has been deprecated in v24.0 and is now removed. moby/moby#46113
`types.Info`, `types.Commit`, `types.PluginsInfo`, `types.NetworkAddressPool`, `types.Runtime`, `types.SecurityOpt`, `types.KeyValue`, `types.DecodeSecurityOptions`, `types.CheckpointCreateOptions`, `types.CheckpointListOptions`, `types.CheckpointDeleteOptions`, `types.Checkpoint`, `types.ImageDeleteResponseItem`, `types.ImageSummary`, `types.ImageMetadata`, `types.ServiceUpdateResponse`, `types.ServiceCreateResponse`, `types.ResizeOptions`, `types.ContainerAttachOptions`, `types.ContainerCommitOptions`, `types.ContainerRemoveOptions`, `types.ContainerStartOptions`, `types.ContainerListOptions`, `types.ContainerLogsOptions`
`NewStartOptions()` docker/cli#4811
`DockerCliOption`, `InitializeOpt` docker/cli#4810
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
containerd image store: Fix a bug where `docker image history` would fail if a manifest wasn't found in the content store. moby/moby#47348
Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47304
Note
- Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
- Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.
`docker save <image>@<digest>` producing an OCI archive with index without manifests. moby/moby#47294
`internal` network. moby/moby#47303
`ipv6` daemon option was ignored. moby/moby#47310
`journald` log driver preventing container logs from being followed correctly with systemd version 255. moby/moby#47243
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
CVE | Component | Fix version | Severity |
---|---|---|---|
CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
CVE-2024-24557 | Docker Engine | 24.0.9 | Medium, CVSS 6.9 |
Important ⚠️
Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:
To address these vulnerabilities, upgrade to Docker Engine v25.0.2.
For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
This release contains security fixes for the following CVEs affecting Docker Engine and its components.
CVE | Component | Fix version | Severity |
---|---|---|---|
CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
CVE-2024-23651 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23652 | BuildKit | 1.12.5 | High, CVSS 8.7 |
CVE-2024-23653 | BuildKit | 1.12.5 | High, CVSS 7.7 |
CVE-2024-23650 | BuildKit | 1.12.5 | Medium, CVSS 5.5 |
CVE-2024-24557 | Docker Engine | 25.0.2 | Medium, CVSS 6.9 |
The potential impacts of the above vulnerabilities include:
For more information about the security issues addressed in this release, refer to the blog post. For details about each vulnerability, see the relevant security advisory: