chore(deps): update module github.com/docker/docker to v23 #212

Merged
prskr merged 5 commits from renovate/github.com-docker-docker-23.x into main 2023-02-28 19:48:06 +00:00
Owner

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/docker/docker | replace | major | v20.10.3-0.20221013203545-33ab36d6b304+incompatible -> v23.0.1 |

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.


Release Notes

docker/docker

v23.0.1

Compare Source

23.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix containers not starting if the kernel has AppArmor enabled, but apparmor_parser is not available. moby/moby#​44942
  • Fix BuildKit-enabled builds with inline caching causing the daemon to crash. moby/moby#​44944
  • Fix BuildKit improperly loading cached layers created by previous versions. moby/moby#​44959
  • Fix an issue where ipvlan networks created prior to upgrading would prevent the daemon from starting. moby/moby#​44937
  • Fix the overlay2 storage driver failing early in metacopy testing when initialized on an unsupported backing filesystem. moby/moby#​44922
  • Fix exec exit events being misinterpreted as container exits under some runtimes, such as Kata Containers. moby/moby#​44892
  • Improve the error message returned by the CLI when receiving a truncated JSON response caused by the API hanging up mid-request. docker/cli#4004
  • Fix an incorrect CLI exit code when attempting to execute a directory with a runc compiled using Go 1.20. docker/cli#​4004
  • Fix mishandling the size argument to --device-write-bps as a path. docker/cli#​4004
Packaging

v23.0.0

Compare Source

23.0.0

For more information about:

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
  • Set Buildx and BuildKit as the default builder on Linux. moby/moby#​43992
    • Alias docker build to docker buildx build. docker/cli#​3314
    • The legacy builder can still be used by explicitly setting DOCKER_BUILDKIT=0.
    • There are differences in how BuildKit and the legacy builder handle multi-stage builds. For more information, see
      Multi-stage builds.
  • Add support for pulling zstd compressed layers. moby/moby#​41759, moby/moby#​42862
  • Add support for alternate OCI runtimes on Linux, compatible with the containerd runtime v2 API. moby/moby#​43887, moby/moby#​43993
  • Add support for the containerd runhcs shim on Windows (off by default). moby/moby#​42089
  • Add dockerd --validate to check the daemon JSON config and exit. moby/moby#​42393
  • Add the ability to configure the daemon's HTTP proxy via flags or JSON config. moby/moby#​42835
  • Add support for RFC 3021 point-to-point networks (IPv4 /31s) and single hosts (IPv4 /32s). For networks with two or fewer addresses, IPAM won't reserve a network and broadcast address. moby/moby#​42626
  • Add support for setting ipvlan_flag and using the l3s ipvlan_mode in the ipvlan network driver. moby/moby#​42542
  • Add support for displaying the value of the metacopy option for the overlay2 storage driver. moby/moby#​43557
  • Add support for describing Windows devices using the syntax IDType://ID. moby/moby#​43368
  • Add RootlessKit, slirp4netns, and VPNKit version reporting. moby/moby#​42330
  • Add experimental support for SwarmKit cluster volumes (CSI). moby/moby#​41982
  • Add support for SwarmKit jobs in docker stack deploy. docker/cli#​2907
  • Add the docker stack config command to output the merged and interpolated config files as utilized by stack deploy. docker/cli#​3544
  • Add a new docker context show command that prints the name of the current context. docker/cli#​3567
  • Add the --format=json shorthand variant of --format="{{ json . }}" to all commands supporting the --format flag. docker/cli#​2936
  • Add a --quiet option to docker create and docker run commands to suppress output when pulling an image. docker/cli#​3377
  • Add a --force option to docker network rm subcommand. Causes CLI to return a 0 exit code even if the network doesn't exist. Has no effect on the server-side procedure for removing a network. docker/cli#​3547
  • Add a --signal option to docker stop and docker restart. docker/cli#​3614
  • Add a -v/--version flag to docker-proxy. moby/moby#​44703
  • Plugins are now discovered in well-known user-level paths when the daemon is running in rootless mode. moby/moby#​44778
  • The daemon now handles common alternate JSON encodings in the JSON configuration file gracefully, and reports useful errors. moby/moby#​44777, moby/moby#​44832
    • UTF-8 with a byte order mark is accepted.
    • UTF-16 with a byte order mark is accepted.
    • Invalid UTF-8 is reported early and with a comprehensible error message.
  • Allow use of STOPSIGNAL via docker commit. moby/moby#​43369
  • Add a new option to the awslogs log driver to allow skipping log stream creation in CloudWatch. moby/moby#​42132
  • Add a new option to the awslogs log driver to specify the log format that's sent to CloudWatch. moby/moby#​42838
  • Add a new option to the fluentd log driver to set the reconnection interval. moby/moby#​43100
  • Add new options-setters to the Go API client: WithTLSClientConfigFromEnv(), WithHostFromEnv(), and WithVersionFromEnv(). moby/moby#​42224
  • Add generation of shell command completion through a docker completion subcommand. docker/cli#​3429
  • API: Add a Swarm header to GET /_ping and HEAD /_ping, allowing single-request detection of Swarm support. moby/moby#​42064
  • API: Add a signal parameter to POST /containers/{id}/stop and POST /containers/{id}/restart to set the signal used. moby/moby#​43206
  • API: Add a CreateMountPoint parameter to POST /containers/create. moby/moby#​43484
  • API: Add a shared-size parameter to GET /images/json to enable shared-size computation of images. moby/moby#​42531
  • API: Add a type parameter to GET /system/df, to control what object types are considered when computing disk usage. moby/moby#42559
  • systemd: Start docker.service after time-set.target. moby/moby#​43107
Removed
Deprecated
  • Require Windows Server RS5 / LTSC 2019 (build 17763) as the minimum to run the daemon. moby/moby#​43254
  • Deprecate BuilderSize in API versions >= 1.42 moby/moby#​42608
  • Deprecate BuildCache.Parent in favor of the newly introduced BuildCache.Parents in API version >= 1.42. moby/moby#​43908
  • Deprecate pkg/urlutil, moving the implementation to builder/remotecontext/urlutil. moby/moby#​43477
Upgrades
Security
  • Change permissions on container hostconfig.json files to 0600 (was 0644). moby/moby#​41620
  • Fix --seccomp-profile not accepting unconfined, and rename the default seccomp profile to builtin. moby/moby#42481
  • Always build with seccomp support, and remove the seccomp build tag. moby/moby#​42501
  • Add seccomp support on riscv64. moby/moby#​43553
  • Add support for setting flags passed to seccomp(2) in seccomp profiles. moby/moby#​42648
  • Refactor seccomp types to reuse runtime-spec, and add support for ErrnoRet. moby/moby#​42005
  • Add support for DefaultErrnoRet in seccomp profiles. moby/moby#​42604
  • Add an explicit DefaultErrnoRet field to the default seccomp profile, with no behavior change. moby/moby#​42649
  • Block socket with AF_VSOCK in the default seccomp profile. moby/moby#​44563
  • Re-enable process_vm_readv and process_vm_writev in the default seccomp profile. moby/moby#​42083
  • Add syscalls related to PKU to the default seccomp profile. moby/moby#​43812
  • Allow clock_settime64 with CAP_SYS_TIME. moby/moby#​43775
  • Allow bpf with CAP_BPF and perf_event_open with CAP_PERFMON. moby/moby#​43988
  • Explicitly set the clone3 syscall to return ENOSYS in the default seccomp profile, in order to ensure glibc will correctly fallback to using clone. moby/moby#​42681
Bug fixes and enhancements
  • Promote overlay2 to be the default storage driver (btrfs and zfs are now opt-in). moby/moby#​42661
  • Add a loading spinner to the docker cp command. docker/cli#​2708
  • Deprecate the ElectAuthServer function, and make it return the default registry without calling the GET /info API endpoint. docker/cli#2819
  • Progress bars are no longer reversed when rolling back Swarm services docker/cli#​2940
  • Use net.JoinHostPort() to fix formatting with IPv6 addresses docker/cli#​2972
  • CLI error messages are now printed to stderr. docker/cli#​3044
  • Improve performance of docker info if a custom --format is used that only uses local information. With this change, the CLI only uses the daemon API if it detects that information from the daemon is needed. docker/cli#​3179
  • Remove the default value from the --stop-signal flag, as it may not reflect the actual default used by the daemon. docker/cli#​3245
  • Add Compose schema 3.10 to docker stack; allow omitting the version field (resulting in latest). docker/cli#​3257
  • Compose version 3 is now equivalent to 3.x (latest) in docker stack. docker/cli#​3445
  • Fix <Ctrl-c> hanging on Windows to exit after running a container in non-interactive mode. docker/cli#​3302
  • Add relative source paths to the run command in the -v/--volume and -m/--mount flags. docker/cli#​3469
  • docker exec -t now sets the console size for the executed process immediately when it's created. docker/cli#​3627
  • Update the pretty-print format of docker info to provide more details on installed plugins. docker/cli#​3645
  • Print warning messages for the docker context list and docker context use commands when the context is overridden by the environment. docker/cli#​3668
  • Add a custom aliases annotation that can be used to print all available aliases for a command. docker/cli#​3694
  • The CLI no longer creates or updates the CLI configuration file when running docker context use and selecting the current context. docker/cli#​3721
  • Non-existing contexts are now ignored when running docker context rm --force. docker/cli#​3791
  • Add the ability to override integers to 0 in Compose files docker/cli#​3812
  • SIGINT (<Ctrl-c>) now passes through to running containers instead of causing the CLI to exit. docker/cli#​3849
  • Improve docker port CONTAINER UX by sorting ports before printing. docker/cli#​3892
  • API: GET /containers/{id}/logs and POST /containers/{id}/attach now report which raw-stream format is in use using the Content-type response header on API version >= 1.42. moby/moby#​39812
  • Set default sandbox size for Windows layers to 127GB, and ensure that the --storage-opts flag applies to all storage on Windows. moby/moby#​41636
  • Remove the plugin section from the containerd configuration file (/var/run/docker/containerd/containerd.toml). moby/moby#​41675
  • Reject null manifests during tar import. moby/moby#​41842
  • Add shim config for custom runtimes for plugins. moby/moby#​41854
  • Container health checks now resume when the daemon is restarted. moby/moby#​41935
  • Quota is no longer disabled on cleanup of the btrfs driver. moby/moby#​42273
  • Host devices that are accessible can now be mounted in --privileged rootless containers. moby/moby#​42638
  • Fix incorrect handling of **/foo recursive wildcard directory patterns in .dockerignore. moby/moby#​42676
  • Extend docker import --platform to allow marking an imported image as a foreign architecture. moby/moby#​43103
  • Validation of CPU real-time options is now performed when the daemon starts instead of performing validations for each individual container, allowing startup to fail early. moby/moby#​43131
  • Freeze the namesgenerator package against new additions. Users will have to be satisfied with the existing 25359 adjective-name combinations. moby/moby#​43210
  • API: containers/{id}/attach/ws now attaches only to the streams specified by the stdin, stdout and stderr parameters on API version >= 1.42. moby/moby#43322
  • Fix UDP traffic in containers not working after the container is restarted under sustained traffic. moby/moby#​43409
  • Add support for pulling images with custom amd64 micro-architecture feature levels as supported by the latest versions of Go, GCC, LLVM, and other compiler tools. moby/moby#​43434
  • Improve validation of invalid JSON requests in the API. moby/moby#​43463
  • Mitigate the impact of slow exec starts on health checks. Check timeout now only applies to the duration that the health check command is running. The time it takes to start the command no longer counts against the timeout. moby/moby#​43480
  • Console tty size is set immediately on creation. moby/moby#​43593, moby/moby#​43622
  • Fix overlay2 mounts not being cleaned up after failed container starts, or daemon shutdown. moby/moby#​43659
  • Match manifest list resolution with containerd. moby/moby#​43675
  • Skip use of firewalld for networking when the daemon is running in rootless mode. moby/moby#​43813
  • Custom NAT networks are now re-created after daemon restart if missing on Windows. moby/moby#​43858
  • Fix terminating the container health-check process when it times out. moby/moby#​43994
  • Fix live-restore with restart policies and volume refs. moby/moby#​44237
  • API: Only anonymous volumes now pruned by default on API version >= v1.42. Pass the filter all=true to prune named volumes in addition to anonymous. moby/moby#​44259
  • API: Support concurrent calls on the GET /system/df endpoint. moby/moby#​42715
  • Improve the reliability of the daemon dumping the stack and exiting with code 2 when sent a SIGQUIT. moby/moby#44831
  • Fix a rare deadlock in the daemon caused by buffering of container logs. moby/moby#​44856
  • Improve error handling in misc filesystem operations so that the daemon can start on an overlayfs backing filesystem. moby/moby#44834
  • Fix an issue where --ipc=host wasn't handled correctly when the daemon is running in rootless mode. moby/moby#​44863
  • Fix a long-standing set of issues where stale conntrack entries caused incorrect routing of UDP traffic for containers. moby/moby#​44752
  • Fix half-registered containers being listed in the API, as well as a nil pointer de-reference and panic caused by using a partially registered container in API calls. moby/moby#​44633
  • Fix a failure to create the DOCKER-USER ip6tables chain. moby/moby#​44845
  • Fix a failure to clean up iptables rules when the ip6tables command isn't available. moby/moby#​44727
  • Fix an issue where some iptables NAT rules weren't cleaned up after enabling the userland proxy. moby/moby#​44811
  • Fix a potentially leaked process in rare situations where cleaning up a failed attempt to start a container was mishandled. moby/moby#​44400
  • Fix the CreatedAt time of a volume reflecting initialization and not creation. moby/moby#​44725
  • Fix an issue where the CLI incorrectly reported an incompatible server instead of an unreachable server in some commands. docker/cli#​3901, docker/cli#​3904
  • Fix broken completion of volumes in Zsh. docker/cli#​2998
  • Improve output of docker context when an invalid context is present. docker/cli#​3847
  • Remove ANSI decoration of CLI help annotations when the output isn't a TTY, and add a newline for readability. docker/cli#3973
  • Add docker container remove as an alias for docker container rm. docker/cli#​3986

v20.10.23

Compare Source

Bug fixes and enhancements
  • Fix an issue where docker build would fail when using --add-host=host.docker.internal:host-gateway
    with BuildKit enabled moby/moby#​44650.

  • Revert seccomp: block socket calls to AF_VSOCK in default profile moby/moby#​44712.
    This change, while favorable from a security standpoint, caused a change
    in behavior for some use-cases. As such, we are reverting it to ensure
    stability and compatibility for the affected users.

    However, users of AF_VSOCK in containers should recognize that this
    (special) address family is not currently namespaced in any version of
    the Linux kernel, and may result in unexpected behavior, like containers
    communicating directly with host hypervisors.

    Future releases will filter AF_VSOCK. Users who need to allow containers
    to communicate over the unnamespaced AF_VSOCK will need to turn off seccomp
    confinement or set a custom seccomp profile.

Packaging Updates

v20.10.22

Compare Source

Bug fixes and enhancements
  • Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#​44413, moby/moby#​44569).
  • Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#​44476).
  • Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#​3862).
  • seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#​44564).
Packaging Updates

v20.10.21

Compare Source

This release of Docker Engine contains updated versions of Docker Compose,
Docker Scan, Containerd, added packages for Ubuntu 22.10, and some minor bug
fixes and enhancements.

Client
Daemon
  • Allow "allow-nondistributable-artifacts" to be configured for Docker Hub moby/moby#​44313.
  • Fix an Invalid standard handle identifier panic when registering the docker daemon as a service from a legacy CLI on Windows moby/moby#44326.
Builder
Packaging
  • Provide packages for Ubuntu 22.10 "Kinetic Kudu".
  • Update Docker Compose to v2.12.2.
  • Update Docker Scan to v0.21.0.
  • Update containerd (containerd.io package) to v1.6.9.

v20.10.20

Compare Source

This release of Docker Engine contains partial mitigations for a Git vulnerability
(CVE-2022-39253), and has updated handling of image:tag@digest image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a
build context, to copy arbitrary filesystem paths into resulting containers/images;
this can occur in both the daemon, and in API clients, depending on the versions and
tools in use.

The mitigations available in this release and in other consumers of the daemon API
are partial and only protect users who build a Git URL context (e.g. git+protocol://).
As the vulnerability could still be exploited by manually run Git commands that interact
with and check out submodules, users should immediately upgrade to a patched version of
    Git to protect against this vulnerability. Further details are available from the GitHub
blog ("Git security vulnerabilities announced").

Client
  • Added a mitigation for CVE-2022-39253,
    when using the classic Builder with a Git URL as the build context.
Daemon
  • Updated handling of image:tag@digest references. When pulling an image using
    the image:tag@digest ("pull by digest"), image resolution happens through
    the content-addressable digest and the image and tag are not used. While
    this is expected, this could lead to confusing behavior, and could potentially
    be exploited through social engineering to run an image that is already present
    in the local image store. Docker now checks if the digest matches the repository
    name used to pull the image, and otherwise will produce an error.
Builder
  • Updated handling of image:tag@digest references. Refer to the "Daemon" section
    above for details.
  • Added a mitigation to the classic Builder and updated BuildKit to v0.8.3-31-gc0149372,
    for CVE-2022-39253.

v20.10.19

Compare Source

This release of Docker Engine comes with some bug-fixes, and an updated version
of Docker Compose.

Builder
  • Fix an issue that could result in a panic during docker builder prune or
    docker system prune moby/moby#​44122.
Daemon
  • Fix a bug where using docker volume prune would remove volumes that were
    still in use if the daemon was running with "live restore" and was restarted
    moby/moby#​44238.
Packaging

v20.10.18

Compare Source

This release of Docker Engine comes with a fix for a low-severity security issue,
some minor bug fixes, and updated versions of Docker Compose, Docker Buildx,
containerd, and runc.

Client
Builder
  • Fix an issue where file-capabilities were not preserved during build moby/moby#​43876.
  • Fix an issue that could result in a panic caused by a concurrent map read and map write moby/moby#​44067
Daemon
  • Fix a security vulnerability relating to supplementary group permissions, which
    could allow a container process to bypass primary group restrictions within the
    container CVE-2022-36109, GHSA-rc4r-wh2q-q6c4.
  • seccomp: add support for Landlock syscalls in default policy moby/moby#​43991.
  • seccomp: update default policy to support new syscalls introduced in kernel 5.12 - 5.16 moby/moby#​43991.
  • Fix an issue where cache lookup for image manifests would fail, resulting
    in a redundant round-trip to the image registry moby/moby#​44109.
  • Fix an issue where exec processes and healthchecks were not terminated
    when they timed out moby/moby#​44018.
Packaging

v20.10.17

Compare Source

This release of Docker Engine comes with updated versions of the compose,
containerd, and runc components, as well as some minor bug fixes.

Client
Networking
  • Fix Windows port conflict with published ports in host mode for overlay moby/moby#​43644.
  • Ensure performance tuning is always applied to libnetwork sandboxes moby/moby#​43683.
Packaging

v20.10.16

Compare Source

This release of Docker Engine fixes a regression in the Docker CLI builds for
macOS, fixes an issue with docker stats when using containerd 1.5 and up,
and updates the Go runtime to include a fix for CVE-2022-29526.

Client
Daemon
  • Fix an issue where docker stats was showing empty stats when running with
    containerd 1.5.0 or up moby/moby#​43567.
  • Update the golang.org/x/sys build-time dependency which contains a fix for CVE-2022-29526.
Packaging
  • Update Go runtime to 1.17.10,
    which contains a fix for CVE-2022-29526.
  • Use "weak" dependencies for the docker scan CLI plugin, to prevent a
    "conflicting requests" error when users performed an off-line installation from
    downloaded RPM packages docker/docker-ce-packaging#​659.

v20.10.15

Compare Source

This release of Docker Engine comes with updated versions of the compose,
buildx, containerd, and runc components, as well as some minor bugfixes.

Daemon
  • Use a RWMutex for stateCounter to prevent potential locking congestion moby/moby#​43426.
  • Prevent an issue where the daemon was unable to find an available IP-range in
    some conditions moby/moby#​43360
Packaging
  • Update Docker Compose to v2.5.0.
  • Update Docker Buildx to v0.8.2.
  • Update Go runtime to 1.17.9.
  • Update containerd (containerd.io package) to v1.6.4.
  • Update runc version to v1.1.1.
  • Add packages for CentOS 9 stream and Fedora 36.

v20.10.14

Compare Source

This release of Docker Engine updates the default inheritable capabilities for
containers to address CVE-2022-24769,
a new version of the containerd.io runtime is also included to address the same
issue.

Daemon
  • Update the default inheritable capabilities.
Builder
  • Update the default inheritable capabilities for containers used during build.
Packaging
  • Update containerd (containerd.io package) to v1.5.11.
  • Update docker buildx to v0.8.1.

v20.10.13

Compare Source

This release of Docker Engine contains some bug-fixes and packaging changes,
updates to the docker scan and docker buildx commands, an updated version of
the Go runtime, and new versions of the containerd.io runtime.
Together with this release, we now also provide .deb and .rpm packages of
Docker Compose V2, which can be installed using the (optional) docker-compose-plugin
package.

Builder
  • Updated the bundled version of buildx to v0.8.0.
Daemon
  • Fix a race condition when updating the container's state moby/moby#​43166.
  • Update the etcd dependency to prevent the daemon from incorrectly holding file locks moby/moby#​43259
  • Fix detection of user-namespaces when configuring the default net.ipv4.ping_group_range sysctl moby/moby#​43084.
Distribution
  • Retry downloading image-manifests if a connection failure happens during image
    pull moby/moby#​43333.
Documentation
  • Various fixes in command-line reference and API documentation.
Logging
  • Prevent an OOM when using the "local" logging driver with containers that produce
    a large amount of log messages moby/moby#​43165.
  • Updates the fluentd log driver to prevent a potential daemon crash, and prevent
    containers from hanging when using the fluentd-async-connect=true and the
    remote server is unreachable moby/moby#​43147.
Packaging
  • Provide .deb and .rpm packages for Docker Compose V2. Docker Compose v2.3.3
    can now be installed on Linux using the docker-compose-plugin packages, which
    provides the docker compose subcommand on the Docker CLI. The Docker Compose
    plugin can also be installed and run standalone to be used as a drop-in replacement
    for docker-compose (Docker Compose V1) docker/docker-ce-packaging#​638.
    The compose-cli-plugin package can also be used on older versions of the Docker
    CLI with support for CLI plugins (Docker CLI 18.09 and up).
  • Provide packages for the upcoming Ubuntu 22.04 "Jammy Jellyfish" LTS release docker/docker-ce-packaging#​645, docker/containerd-packaging#​271.
  • Update docker buildx to v0.8.0.
  • Update docker scan (docker-scan-plugin) to v0.17.0.
  • Update containerd (containerd.io package) to v1.5.10.
  • Update the bundled runc version to v1.0.3.
  • Update Golang runtime to Go 1.16.15.

v20.10.12

Compare Source

Packaging

  • Update docker scan to v0.12.0.
  • Update docker buildx to v0.7.1.
  • Update Golang runtime to Go 1.16.12.

v20.10.11

Compare Source

20.10.11

IMPORTANT

Due to net/http changes in Go 1.16,
HTTP proxies configured through the $HTTP_PROXY environment variable are no
longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY
environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section
to learn how to configure the Docker Daemon to use a proxy server.

Distribution
Windows

Packaging

v20.10.10

Compare Source

20.10.10

IMPORTANT

Due to net/http changes in Go 1.16,
HTTP proxies configured through the $HTTP_PROXY environment variable are no
longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY
environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section
to learn how to configure the Docker Daemon to use a proxy server.

Builder
  • Fix platform-matching logic to fix docker build not finding images in
    the local image cache on Arm machines when using BuildKit moby/moby#42954

Runtime

  • Add support for clone3 syscall in the default seccomp policy to support running
    containers based on recent versions of Fedora and Ubuntu. moby/moby#42836.
  • Windows: update hcsshim library to fix a bug in sparse file handling in container
    layers, which was exposed by recent changes in Windows moby/moby#​42944.
  • Fix some situations where docker stop could hang forever moby/moby#​42956.
Swarm

Packaging

  • Add packages for Ubuntu 21.10 "Impish Indri" and Fedora 35.
  • Update docker scan to v0.9.0
  • Update Golang runtime to Go 1.16.9.

v20.10.9

Compare Source

This release is a security release with security fixes in the CLI, runtime, as
well as updated versions of the containerd.io package and the Go runtime.

Client

  • CVE-2021-41092
    Ensure default auth config has address field set, to prevent credentials being
    sent to the default registry.

Runtime

  • CVE-2021-41089
    Create parent directories inside a chroot during docker cp to prevent a specially
    crafted container from changing permissions of existing files in the host’s filesystem.
  • CVE-2021-41091
    Lock down file permissions to prevent unprivileged users from discovering and
    executing programs in /var/lib/docker.

Packaging

  • Update Golang runtime to Go 1.16.8, which contains fixes for CVE-2021-36221
    and CVE-2021-39293
  • Update static binaries and containerd.io rpm and deb packages to containerd
    v1.4.11 and runc v1.0.2 to address CVE-2021-41103.
  • Update the bundled buildx version to v0.6.3 for rpm and deb packages.

v20.10.8

Compare Source

20.10.8

IMPORTANT

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs. Refer to the HTTP/HTTPS proxy section in the documentation to learn how to configure the Docker Daemon to use a proxy server.

Deprecation
  • Deprecate support for encrypted TLS private keys. Legacy PEM encryption as
    specified in RFC 1423 is insecure by design. Because it does not authenticate
    the ciphertext, it is vulnerable to padding oracle attacks that can let an
    attacker recover the plaintext. Support for encrypted TLS private keys is now
    marked as deprecated, and will be removed in an upcoming release. docker/cli#​3219
  • Deprecate Kubernetes stack support. Following the deprecation of Compose on Kubernetes,
    support for Kubernetes in the stack and context commands in the Docker CLI
    is now marked as deprecated, and will be removed in an upcoming release docker/cli#​3174.
Client
Rootless
  • Avoid can't open lock file /run/xtables.lock: Permission denied error on
    SELinux hosts moby/moby#​42462.
  • Disable overlay2 when running with SELinux to prevent permission denied errors moby/moby#​42462.
  • Fix x509: certificate signed by unknown authority error on openSUSE Tumbleweed moby/moby#​42462.
Runtime
  • Print a warning when using the --platform option to pull a single-arch image
    that does not match the specified architecture moby/moby#​42633.
  • Fix incorrect Your kernel does not support swap memory limit warning when
    running with cgroups v2 moby/moby#​42479.
  • Windows: Fix a situation where containers were not stopped if HcsShutdownComputeSystem
    returned an ERROR_PROC_NOT_FOUND error moby/moby#​42613

Swarm

  • Fix a possibility where overlapping IP addresses could exist as a result of the
    node failing to clean up its old loadbalancer IPs moby/moby#​42538
  • Fix a deadlock in log broker ("dispatcher is stopped") moby/moby#​42537
Packaging

Known issue

The ctr binary shipping with the static packages of this release is not
statically linked, and will not run in Docker images using alpine as a base
image. Users can install the libc6-compat package, or download a previous
version of the ctr binary as a workaround. Refer to the containerd ticket
related to this issue for more details: containerd/containerd#​5824.

v20.10.7

Compare Source

20.10.7

Client
  • Suppress warnings for deprecated cgroups docker/cli#​3099.
  • Prevent sending SIGURG signals to container on Linux and macOS. The Go runtime
    (starting with Go 1.14) uses SIGURG signals internally as an interrupt to
    support preemptable syscalls. In situations where the Docker CLI was attached
    to a container, these interrupts were forwarded to the container. This fix
    changes the Docker CLI to ignore SIGURG signals docker/cli#​3107,
    moby/moby#​42421.
Builder
  • Update BuildKit to version v0.8.3-3-g244e8cde moby/moby#​42448:
    • Transform relative mountpoints for exec mounts in the executor to work around
      a breaking change in runc v1.0.0-rc94 and up. moby/buildkit#​2137.
    • Add retry on image push 5xx errors. moby/buildkit#​2043.
    • Fix build-cache not being invalidated when renaming a file that is copied using
      a COPY command with a wildcard. Note that this change invalidates
      existing build caches for copy commands that use a wildcard. moby/buildkit#​2018.
    • Fix build-cache not being invalidated when using mounts moby/buildkit#​2076.
  • Fix build failures when FROM image is not cached when using legacy schema 1 images moby/moby#​42382.
Logging
Rootless
  • Fix capabilities not being honored when an image was built on a daemon with
    user-namespaces enabled moby/moby#​42352.
Networking
  • Update libnetwork to fix publishing ports on environments with kernel boot
    parameter ipv6.disable=1, and to fix a deadlock causing internal DNS lookups
    to fail moby/moby#​42413.
Contrib
  • Update rootlesskit to v0.14.2 to fix a timeout when starting the userland proxy
    with the slirp4netns port driver moby/moby#​42294.
  • Fix "Device or resource busy" errors when running docker-in-docker on a rootless
    daemon moby/moby#​42342.
Packaging

v20.10.6

Compare Source

release notes: https://docs.docker.com/engine/release-notes/#​20106

v20.10.5

Compare Source

release notes: https://docs.docker.com/engine/release-notes/#​20105

20.10.5

Client

v20.10.4

Compare Source

release notes: https://docs.docker.com/engine/release-notes/#​20104

20.10.4

Builder
  • Fix incorrect cache match for inline cache import with empty layers moby/moby#​42061
  • Update BuildKit to v0.8.2 moby/moby#​42061
    • resolver: avoid error caching on token fetch
    • fileop: fix checksum to contain indexes of inputs preventing certain cache misses
    • Fix reference count issues on typed errors with mount references (fixing invalid mutable ref errors)
    • git: set token only for main remote access allowing cloning submodules with different credentials
  • Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#​42065
  • Fix parallel pull synchronization regression moby/moby#​42049
  • Ensure libnetwork state files do not leak moby/moby#​41972
Client
Runtime
Logger
  • Honor labels-regex config even if labels is not set moby/moby#​42046
  • Handle long log messages correctly, preventing awslogs in non-blocking mode from splitting events bigger than 16kB moby/moby#​41975
Rootless
Security
Swarm

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/docker/docker](https://github.com/docker/docker) | replace | major | `v20.10.3-0.20221013203545-33ab36d6b304+incompatible` -> `v23.0.1` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>docker/docker</summary> ### [`v23.0.1`](https://github.com/moby/moby/releases/tag/v23.0.1) [Compare Source](https://github.com/docker/docker/compare/v23.0.0...v23.0.1) #### 23.0.1 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 23.0.1 milestone](https://github.com/docker/cli/milestone/73?closed=1) - [moby/moby, 23.0.1 milestone](https://github.com/moby/moby/milestone/113?closed=1) ##### Bug fixes and enhancements - Fix containers not starting if the kernel has AppArmor enabled, but `apparmor_parser` is not available. [moby/moby#&#8203;44942](https://github.com/moby/moby/pull/44942) - Fix BuildKit-enabled builds with inline caching causing the daemon to crash. [moby/moby#&#8203;44944](https://github.com/moby/moby/pull/44944) - Fix BuildKit improperly loading cached layers created by previous versions. [moby/moby#&#8203;44959](https://github.com/moby/moby/pull/44959) - Fix an issue where `ipvlan` networks created prior to upgrading would prevent the daemon from starting. [moby/moby#&#8203;44937](https://github.com/moby/moby/pull/44937) - Fix the `overlay2` storage driver failing early in `metacopy` testing when initialized on an unsupported backing filesystem. [moby/moby#&#8203;44922](https://github.com/moby/moby/pull/44922) - Fix `exec` exit events being misinterpreted as container exits under some runtimes, such as Kata Containers. 
[moby/moby#&#8203;44892](https://github.com/moby/moby/pull/44892) - Improve the error message returned by the CLI when recieving a truncated JSON response caused by the API hanging up mid-request. [docker/cli#&#8203;4004](https://github.com/docker/cli/pull/4004) - Fix an incorrect CLI exit code when attempting to execute a directory with a `runc` compiled using Go 1.20. [docker/cli#&#8203;4004](https://github.com/docker/cli/pull/4004) - Fix mishandling the size argument to `--device-write-bps` as a path. [docker/cli#&#8203;4004](https://github.com/docker/cli/pull/4004) ##### Packaging - Add `/etc/docker` to RPM and DEB packaging. [docker/docker-ce-packaging#&#8203;842](https://github.com/docker/docker-ce-packaging/pull/842) - Not all use cases will benefit; if you depend on this, you should explicitly `mkdir -p /etc/docker`. - Upgrade Compose to `v2.16.0`. [docker/docker-ce-packaging#&#8203;844](https://github.com/docker/docker-ce-packaging/pull/844) ### [`v23.0.0`](https://github.com/moby/moby/releases/tag/v23.0.0) [Compare Source](https://github.com/docker/docker/compare/v20.10.23...v23.0.0) #### 23.0.0 For more information about: - Deprecated and removed features, see [Deprecated Engine Features](https://github.com/docker/cli/blob/v23.0.0/docs/deprecated.md). - Changes to the Engine API, see [Engine API version history](https://github.com/moby/moby/blob/v23.0.0/docs/api/version-history.md). For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 23.0.0 milestone](https://github.com/docker/cli/milestone/51?closed=1) - [moby/moby, 23.0.0 milestone](https://github.com/moby/moby/milestone/91?closed=1) ##### New - Set Buildx and BuildKit as the default builder on Linux. [moby/moby#&#8203;43992](https://github.com/moby/moby/pull/43992) - Alias `docker build` to `docker buildx build`. 
[docker/cli#&#8203;3314](https://github.com/docker/cli/pull/3314) - The legacy builder can still be used by explicitly setting `DOCKER_BUILDKIT=0`. - There are differences in how BuildKit and the legacy builder handle multi-stage builds. For more information, see [Multi-stage builds](../../build/building/multi-stage.md#differences-between-legacy-builder-and-buildkit). - Add support for pulling `zstd` compressed layers. [moby/moby#&#8203;41759](https://github.com/moby/moby/pull/41759), [moby/moby#&#8203;42862](https://github.com/moby/moby/pull/42862) - Add support for alternate OCI runtimes on Linux, compatible with the containerd runtime v2 API. [moby/moby#&#8203;43887](https://github.com/moby/moby/pull/43887), [moby/moby#&#8203;43993](https://github.com/moby/moby/pull/43993) - Add support for the containerd `runhcs` shim on Windows (off by default). [moby/moby#&#8203;42089](https://github.com/moby/moby/pull/42089) - Add `dockerd --validate` to check the daemon JSON config and exit. [moby/moby#&#8203;42393](https://github.com/moby/moby/pull/42393) - Add the ability to configure the daemon's HTTP proxy via flags or JSON config. [moby/moby#&#8203;42835](https://github.com/moby/moby/pull/42835) - Add support for RFC 3021 point-to-point networks (IPv4 /31s) and single hosts (IPv4 /32s). For networks with two or fewer addresses, IPAM won't reserve a network and broadcast address. [moby/moby#&#8203;42626](https://github.com/moby/moby/pull/42626) - Add support for setting `ipvlan_flag` and using the `l3s` `ipvlan_mode` in the `ipvlan` network driver. [moby/moby#&#8203;42542](https://github.com/moby/moby/pull/42542) - Add support for displaying the value of the `metacopy` option for the `overlay2` storage driver. [moby/moby#&#8203;43557](https://github.com/moby/moby/pull/43557) - Add support for describing Windows devices using the syntax `IDType://ID`. 
[moby/moby#&#8203;43368](https://github.com/moby/moby/pull/43368) - Add `RootlessKit`, `slirp4netns`, and `VPNKit` version reporting. [moby/moby#&#8203;42330](https://github.com/moby/moby/pull/42330) - Add experimental support for SwarmKit cluster volumes (CSI). [moby/moby#&#8203;41982](https://github.com/moby/moby/pull/41982) - CLI: Add cluster volume (CSI) options to `docker volume`. [docker/cli#&#8203;3606](https://github.com/docker/cli/pull/3606) - CLI: Add cluster volume (CSI) support to `docker stack`. [docker/cli#&#8203;3662](https://github.com/docker/cli/pull/3662) - Add support for SwarmKit jobs in `docker stack deploy`. [docker/cli#&#8203;2907](https://github.com/docker/cli/pull/2907) - Add the `docker stack config` command to output the merged and interpolated config files as utilized by `stack deploy`. [docker/cli#&#8203;3544](https://github.com/docker/cli/pull/3544) - Add a new `docker context show` command that prints the name of the current context. [docker/cli#&#8203;3567](https://github.com/docker/cli/pull/3567) - Add the `--format=json` shorthand variant of `--format="{{ json . }}"` to all commands supporting the `--format` flag. [docker/cli#&#8203;2936](https://github.com/docker/cli/pull/2936) - Add a `--quiet` option to `docker create` and `docker run` commands to suppress output when pulling an image. [docker/cli#&#8203;3377](https://github.com/docker/cli/pull/3377) - Add a `--force` option to `docker network rm` subcommand. Causes CLI to return a 0 exit code even if the network doesn't exist. Has no effect on the server-side procedure for removing a network. [docker/cli#&#8203;3547](https://github.com/docker/cli/pull/3547) - Add a `--signal` option to `docker stop` and `docker restart`. [docker/cli#&#8203;3614](https://github.com/docker/cli/pull/3614) - Add a `-v/--version` flag to `docker-proxy`. 
[moby/moby#&#8203;44703](https://github.com/moby/moby/pull/44703) - Plugins are now discovered in well-known user-level paths when the daemon is running in rootless mode. [moby/moby#&#8203;44778](https://github.com/moby/moby/pull/44778) - The daemon now handles common alternate JSON encodings in the JSON configuration file gracefully, and reports useful errors. [moby/moby#&#8203;44777](https://github.com/moby/moby/pull/44777), [moby/moby#&#8203;44832](https://github.com/moby/moby/pull/44832) - UTF-8 with a byte order mark is accepted. - UTF-16 with a byte order mark is accepted. - Invalid UTF-8 is reported early and with a comprehensible error message. - Allow use of `STOPSIGNAL` via `docker commit`. [moby/moby#&#8203;43369](https://github.com/moby/moby/pull/43369) - Add a new option to the `awslogs` log driver to allow skipping log stream creation in CloudWatch. [moby/moby#&#8203;42132](https://github.com/moby/moby/pull/42132) - Add a new option to the `awslogs` log driver to specify the log format that's sent to CloudWatch. [moby/moby#&#8203;42838](https://github.com/moby/moby/pull/42838) - Add a new option to the `fluentd` log driver to set the reconnection interval. [moby/moby#&#8203;43100](https://github.com/moby/moby/pull/43100) - Add new options-setters to the Go API client: `WithTLSClientConfigFromEnv()`, `WithHostFromEnv()`, and `WithVersionFromEnv()`. [moby/moby#&#8203;42224](https://github.com/moby/moby/pull/42224) - Add generation of shell command completion through a `docker completion` subcommand. [docker/cli#&#8203;3429](https://github.com/docker/cli/pull/3429) - API: Add a `Swarm` header to `GET /_ping` and `HEAD /_ping`, allowing single-request detection of Swarm support. [moby/moby#&#8203;42064](https://github.com/moby/moby/pull/42064) - API: Add a `signal` parameter to `POST /containers/{id}/stop` and `POST /containers/{id}/restart` to set the signal used. 
[moby/moby#&#8203;43206](https://github.com/moby/moby/pull/43206) - API: Add a `CreateMountPoint` parameter to `POST /containers/create`. [moby/moby#&#8203;43484](https://github.com/moby/moby/pull/43484) - API: Add a `shared-size` parameter to `GET /images/json` to enable shared-size computation of images. [moby/moby#&#8203;42531](https://github.com/moby/moby/pull/42531) - API: Add a `type` parameter to `GET /system/df`, to control what object types to are considered when computing disk usage. [moby/moby#&#8203;42559](https://github.com/moby/moby/pull/42559) - systemd: Start `docker.service` after `time-set.target`. [moby/moby#&#8203;43107](https://github.com/moby/moby/pull/43107) ##### Removed - Remove support for reading configuration from `~/.dockercfg`. [docker/cli#&#8203;2504](https://github.com/docker/cli/pull/2504) - This location has been deprecated since 1.7.0. - [Deprecation notice](../deprecated.md#support-for-legacy-dockercfg-configuration-files) - Remove the `-g` and `--graph` daemon options in favor of `--data-root`. [docker/cli#&#8203;3739](https://github.com/docker/cli/pull/3739) - These options have been hidden and deprecated since 17.05. - [Deprecation notice](../deprecated.md#-g-and---graph-flags-on-dockerd) - Remove client-side sorting of results, in favor of the order in which the search API returns. [docker/cli#&#8203;3470](https://github.com/docker/cli/pull/3470) - Remove warnings related to deprecated storage drivers from the CLI. Warnings are now handled by the daemon instead. [docker/cli#&#8203;3542](https://github.com/docker/cli/pull/3542) - Remove `Experimental` client field from `docker version`. [docker/cli#&#8203;3543](https://github.com/docker/cli/pull/3543) - [Deprecation notice](../deprecated.md#configuration-options-for-experimental-cli-features) - Require explicit opt-in to use deprecated storage drivers, and don't automatically select them when upgrading. 
[moby/moby#&#8203;43378](https://github.com/moby/moby/pull/43378) - Remove deprecated support for `overlay` and `overlay2` storage drivers on backing filesystems without `d_type` support. [moby/moby#&#8203;43472](https://github.com/moby/moby/pull/43472) - [Deprecation notice](../deprecated.md#backing-filesystem-without-d_type-support-for-overlayoverlay2) - Remove the deprecated `overrideKernelCheck` option from the `overlay2` storage driver. [moby/moby#&#8203;44279](https://github.com/moby/moby/pull/44279) [Deprecation notice](../deprecated.md#support-for-the-overlay2override_kernel_check-storage-option) - Remove support for the deprecated `io.containerd.runtime.v1.linux` OCI runtime. [moby/moby#&#8203;43695](https://github.com/moby/moby/pull/43695) - Remove LCOW (Linux Containers on Windows). [moby/moby#&#8203;42451](https://github.com/moby/moby/pull/42451), [moby/moby#&#8203;42499](https://github.com/moby/moby/pull/42499), [moby/moby#&#8203;42506](https://github.com/moby/moby/pull/42506), [moby/moby#&#8203;42511](https://github.com/moby/moby/pull/42511), [moby/moby#&#8203;42520](https://github.com/moby/moby/pull/42520), [moby/moby#&#8203;42683](https://github.com/moby/moby/pull/42683), [moby/moby#&#8203;42684](https://github.com/moby/moby/pull/42684), [moby/moby#&#8203;42685](https://github.com/moby/moby/pull/42685), [moby/moby#&#8203;43187](https://github.com/moby/moby/pull/43187) - LCOW was introduced as a technical preview in 17.09 and deprecated in 20.10. - [Deprecation notice](../deprecated.md#linux-containers-on-windows-lcow-experimental) - Remove daemon options related to legacy overlay networks used with standalone Swarm. - Remove `--cluster-xx` options from `dockerd`. [moby/moby#&#8203;40383](https://github.com/moby/moby/issues/40383) - Remove `host-discovery` and overlay networks with external k/v stores. 
[moby/moby#&#8203;42247](https://github.com/moby/moby/pull/42247) - [Deprecation notice](../deprecated.md#classic-swarm-and-overlay-networks-using-cluster-store) - Remove a deprecated `arm` platform fallback. `--platform linux/arm/vY` will now return a error when `arm/vY` isn't available instead of pulling the wrong image. [moby/moby#&#8203;44414](https://github.com/moby/moby/pull/44414) - Remove the deprecated `SetCustomHTTPHeaders()`, `CustomHTTPHeaders()` options-setters from the Go client API. [moby/moby#&#8203;42694](https://github.com/moby/moby/pull/42694) - Remove the deprecated `WithDialer()` option-setter from the Go client API. [moby/moby#&#8203;44022](https://github.com/moby/moby/pull/44022) - Use `WithDialContext()` instead. - Remove the daemon implementation of `opts.QuotedString`. The implementation has moved to the CLI. [moby/moby#&#8203;43250](https://github.com/moby/moby/pull/43250) - Remove separate daemon ID from trust-key in the daemon, and disable generating the trust-key. [moby/moby#&#8203;43555](https://github.com/moby/moby/pull/43555) - API: Remove the deprecated `KernelMemory` option from `POST /containers/create` on API version >= 1.42. [moby/moby#&#8203;43214](https://github.com/moby/moby/pull/43214) - [Deprecation notice](../deprecated.md#kernel-memory-limit) ##### Deprecated - Require Windows Server RS5 / LTSC 2019 (build 17763) as the minimum to run the daemon. [moby/moby#&#8203;43254](https://github.com/moby/moby/pull/43254) - Deprecate `BuilderSize` in API versions >= 1.42 [moby/moby#&#8203;42608](https://github.com/moby/moby/pull/42608) - Deprecate `BuildCache.Parent` in favor of the newly introduced `BuildCache.Parents` in API version >= 1.42. [moby/moby#&#8203;43908](https://github.com/moby/moby/pull/43908) - Deprecate `pkg/urlutil`, moving the implementation to `builder/remotecontext/urlutil`. [moby/moby#&#8203;43477](https://github.com/moby/moby/pull/43477) ##### Upgrades - Upgrade Go to `1.19.5`. 
[docker/cli#&#8203;3958](https://github.com/docker/cli/pull/3958), [moby/moby#&#8203;44794](https://github.com/moby/moby/pull/44794) - Upgrade `rootlesskit` to `v0.14.4`. [moby/moby#&#8203;42708](https://github.com/moby/moby/pull/42708) - Upgrade `buildkit` to `v0.10.6`. [moby/moby#&#8203;43239](https://github.com/moby/moby/pull/43239) - Upgrade `buildx` to `v0.10.2`. [docker/docker-ce-packaging#&#8203;840](https://github.com/docker/docker-ce-packaging/pull/840) - Upgrade `swarmkit` to `v2.0.0-20230119195359-904c221ac281`. [moby/moby#&#8203;44858](https://github.com/moby/moby/pull/44858) - Upgrade `containerd` to `v1.6.16`. [moby/moby#&#8203;44766](https://github.com/moby/moby/pull/44766), [moby/moby#&#8203;44769](https://github.com/moby/moby/pull/44769), [moby/moby#&#8203;44881](https://github.com/moby/moby/pull/44881) - Upgrade `runc` to `v1.1.4`. [moby/moby#&#8203;44039](https://github.com/moby/moby/pull/44039) - Upgrade `hcsshim` `v0.9.6`. [moby/moby#&#8203;44658](https://github.com/moby/moby/pull/44658) - The `btrfs` storage driver now depends on Linux kernel headers (>= 4.12) instead of headers from btrfs-progs. [moby/moby#&#8203;44776](https://github.com/moby/moby/pull/44776) ##### Security - Change permissions on container `hostconfig.json` files to `0600` (was `0644`). [moby/moby#&#8203;41620](https://github.com/moby/moby/pull/41620) - Fix `--seccomp-profile` not accepting `unconfined` and renamed the default seccomp profile to `builtin`. [moby/moby#&#8203;42481](https://github.com/moby/moby/pull/42481) - Always build with seccomp support, and remove the `seccomp` build tag. [moby/moby#&#8203;42501](https://github.com/moby/moby/pull/42501) - Add seccomp support on `riscv64`. [moby/moby#&#8203;43553](https://github.com/moby/moby/pull/43553) - Add support for setting flags passed to `seccomp(2)` in seccomp profiles. 
[moby/moby#&#8203;42648](https://github.com/moby/moby/pull/42648) - Refactor seccomp types to reuse runtime-spec, and add support for `ErrnoRet`. [moby/moby#&#8203;42005](https://github.com/moby/moby/pull/42005) - Add support for `DefaultErrnoRet` in `seccomp` profiles. [moby/moby#&#8203;42604](https://github.com/moby/moby/pull/42604) - Add an explicit `DefaultErrnoRet` field to the default seccomp profile, with no behavior change. [moby/moby#&#8203;42649](https://github.com/moby/moby/pull/42649) - Block `socket` with `AF_VSOCK` in the default seccomp profile. [moby/moby#&#8203;44563](https://github.com/moby/moby/pull/44563) - Re-enable `process_vm_readv` and `process_vm_writev` in the default seccomp profile. [moby/moby#&#8203;42083](https://github.com/moby/moby/pull/42083) - Add syscalls related to PKU to the default seccomp profile. [moby/moby#&#8203;43812](https://github.com/moby/moby/pull/43812) - Allow `clock_settime64` with `CAP_SYS_TIME`. [moby/moby#&#8203;43775](https://github.com/moby/moby/pull/43775) - Allow `bpf` with `CAP_BPF` and `perf_event_open` with `CAP_PERFMON`. [moby/moby#&#8203;43988](https://github.com/moby/moby/pull/43988) - Explicitly set the `clone3` syscall to return `ENOSYS` in the default seccomp profile, in order to ensure `glibc` will correctly fallback to using `clone`. [moby/moby#&#8203;42681](https://github.com/moby/moby/pull/42681) ##### Bug fixes and enhancements - Promote `overlay2` to be the default storage driver (`btrfs` and `zfs` are now opt-in). [moby/moby#&#8203;42661](https://github.com/moby/moby/pull/42661) - Add a loading spinner to the `docker cp` command. [docker/cli#&#8203;2708](https://github.com/docker/cli/pull/2708) - Deprecate the `ElectAuthServer` function, and made it return the default registry without calling the `GET /info` API endpoint. 
[docker/cli#&#8203;2819](https://github.com/docker/cli/pull/2819) - Progress bars are no longer reversed when rolling back Swarm services [docker/cli#&#8203;2940](https://github.com/docker/cli/pull/2940) - Use `net.JoinHostPort()` to fix formatting with IPv6 addresses [docker/cli#&#8203;2972](https://github.com/docker/cli/pull/2972) - CLI error messages are now printed to `stderr`. [docker/cli#&#8203;3044](https://github.com/docker/cli/pull/3044) - Improve performance of `docker info` if a custom `--format` is used that only uses local information. With this change, the CLI only uses the daemon API if it detects that information from the daemon is needed. [docker/cli#&#8203;3179](https://github.com/docker/cli/pull/3179) - Remove the default value from the `--stop-signal` flag, as it may not reflect the actual default used by the daemon. [docker/cli#&#8203;3245](https://github.com/docker/cli/pull/3245) - Add Compose schema `3.10` to `docker stack`; allow omitting the `version` field (resulting in `latest`). [docker/cli#&#8203;3257](https://github.com/docker/cli/pull/3257) - Compose version `3` is now equivalent to `3.x` (latest) in `docker stack`. [docker/cli#&#8203;3445](https://github.com/docker/cli/pull/3445) - Fix `<Ctrl-c>` hanging on Windows to exit after running a container in non-interactive mode. [docker/cli#&#8203;3302](https://github.com/docker/cli/pull/3302) - Add relative source paths to the `run` command in the `-v`/`--volume` and `-m`/`--mount` flags. [docker/cli#&#8203;3469](https://github.com/docker/cli/pull/3469) - `docker exec -t` now sets the console size for the executed process immediately when it's created. [docker/cli#&#8203;3627](https://github.com/docker/cli/pull/3627) - Update the pretty-print format of `docker info` to provide more details on installed plugins. 
[docker/cli#&#8203;3645](https://github.com/docker/cli/pull/3645) - Print warning messages for the `docker context list` and `docker context use` commands when the context is overridden by the environment. [docker/cli#&#8203;3668](https://github.com/docker/cli/pull/3668) - Add a custom `aliases` annotation that can be used to print all available aliases for a command. [docker/cli#&#8203;3694](https://github.com/docker/cli/pull/3694) - The CLI no longer creates or updates the CLI configuration file when running `docker context use` and selecting the current context. [docker/cli#&#8203;3721](https://github.com/docker/cli/pull/3721) - Non-existing contexts are now ignored when running `docker context rm --force`. [docker/cli#&#8203;3791](https://github.com/docker/cli/pull/3791) - Add the ability to override integers to `0` in Compose files [docker/cli#&#8203;3812](https://github.com/docker/cli/pull/3812) - SIGINT (`<Ctrl-c>`) now passes through to running containers instead of causing the CLI to exit. [docker/cli#&#8203;3849](https://github.com/docker/cli/pull/3849) - Improve `docker port CONTAINER` UX by sorting ports before printing. [docker/cli#&#8203;3892](https://github.com/docker/cli/pull/3892) - API: `GET /containers/{id}/logs` and `POST /containers/{id}/attach` now report which raw-stream format is in use using the `Content-type` response header on API version >= 1.42. [moby/moby#&#8203;39812](https://github.com/moby/moby/pull/39812) - Set default sandbox size for Windows layers to 127GB, and ensure that the `--storage-opts` flag applies to all storage on Windows. [moby/moby#&#8203;41636](https://github.com/moby/moby/pull/41636) - Remove the plugin section from the containerd configuration file `(/var/run/docker/containerd/containerd.toml)`. [moby/moby#&#8203;41675](https://github.com/moby/moby/pull/41675) - Reject `null` manifests during tar import. 
[moby/moby#&#8203;41842](https://github.com/moby/moby/pull/41842) - Add shim config for custom runtimes for plugins. [moby/moby#&#8203;41854](https://github.com/moby/moby/pull/41854) - Container health checks now resume when the daemon is restarted. [moby/moby#&#8203;41935](https://github.com/moby/moby/pull/41935) - Quota is no longer disabled on cleanup of the `btrfs` driver. [moby/moby#&#8203;42273](https://github.com/moby/moby/pull/42273) - Host devices that are accessible can now be mounted in `--privileged` rootless containers. [moby/moby#&#8203;42638](https://github.com/moby/moby/pull/42638) - Fix incorrect handling of `**/foo` recursive wildcard directory patterns in `.dockerignore`. [moby/moby#&#8203;42676](https://github.com/moby/moby/pull/42676) - Extend `docker import --platform` to allow marking an imported image as a foreign architecture. [moby/moby#&#8203;43103](https://github.com/moby/moby/pull/43103) - Validation of CPU real-time options is now performed when the daemon starts instead of performing validations for each individual container, allowing startup to fail early. [moby/moby#&#8203;43131](https://github.com/moby/moby/pull/43131) - Freeze the `namesgenerator` package against new additions. Users will have to be satisfied with the existing 25359 adjective-name combinations. [moby/moby#&#8203;43210](https://github.com/moby/moby/pull/43210) - API: `containers/{id}/attach/ws` only to streams according by `stdin`, `stdout` and `stderr` parameters on API version >= 1.42. [moby/moby#&#8203;43322](https://github.com/moby/moby/pull/43322) - Fix UDP traffic in containers not working after the container is restarted under sustained traffic. [moby/moby#&#8203;43409](https://github.com/moby/moby/pull/43409) - Add support for pulling images with custom amd64 micro-architecture feature levels as supported by the latest versions of Go, GCC, LLVM, and other compiler tools. 
[moby/moby#&#8203;43434](https://github.com/moby/moby/pull/43434) - Improve validation of invalid JSON requests in the API. [moby/moby#&#8203;43463](https://github.com/moby/moby/pull/43463) - Mitigate the impact of slow `exec` starts on health checks. Check timeout now only applies to the duration that the health check command is running. The time it takes to start the command no longer counts against the timeout. [moby/moby#&#8203;43480](https://github.com/moby/moby/pull/43480) - Console `tty` size is set immediately on creation. [moby/moby#&#8203;43593](https://github.com/moby/moby/pull/43593), [moby/moby#&#8203;43622](https://github.com/moby/moby/pull/43622) - Fix `overlay2` mounts not being cleaned up after failed container starts, or daemon shutdown. [moby/moby#&#8203;43659](https://github.com/moby/moby/pull/43659) - Match manifest list resolution with `containerd`. [moby/moby#&#8203;43675](https://github.com/moby/moby/pull/43675) - Skip use of `firewalld` for networking when the daemon is running in rootless mode. [moby/moby#&#8203;43813](https://github.com/moby/moby/pull/43813) - Custom NAT networks are now re-created after daemon restart if missing on Windows. [moby/moby#&#8203;43858](https://github.com/moby/moby/pull/43858) - Fix terminating the container health-check process when it times out. [moby/moby#&#8203;43994](https://github.com/moby/moby/pull/43994) - Fix `live-restore` with restart policies and volume refs. [moby/moby#&#8203;44237](https://github.com/moby/moby/pull/44237) - API: Only anonymous volumes now pruned by default on API version >= v1.42. Pass the filter `all=true` to prune named volumes in addition to anonymous. [moby/moby#&#8203;44259](https://github.com/moby/moby/pull/44259) - API: Support concurrent calls on the `GET /system/df` endpoint. [moby/moby#&#8203;42715](https://github.com/moby/moby/pull/42715) - Improve the reliability of the daemon dumping the stack and exits with code 2 when sent a SIGQUIT. 
[moby/moby#&#8203;44831](https://github.com/moby/moby/pull/44831) - Fix a rare deadlock in the daemon caused by buffering of container logs. [moby/moby#&#8203;44856](https://github.com/moby/moby/pull/44856) - Improve error handling in misc filesystem operations so that the daemon can start on a overlayfs backing filesystem. [moby/moby#&#8203;44834](https://github.com/moby/moby/pull/44834) - Fix an issue where `--ipc=host` wasn't handled correctly when the daemon is running in rootless mode. [moby/moby#&#8203;44863](https://github.com/moby/moby/pull/44863) - Fix a long-standing set of issues where stale conntrack entries caused incorrect routing of UDP traffic for containers. [moby/moby#&#8203;44752](https://github.com/moby/moby/pull/44752) - Fix half-registered containers being listed in the API, as well as a nil pointer de-reference and panic caused by using a partially registered container in API calls. [moby/moby#&#8203;44633](https://github.com/moby/moby/pull/44633) - Fix a failure to create the `DOCKER-USER` ip6tables chain. [moby/moby#&#8203;44845](https://github.com/moby/moby/pull/44845) - Fix a failure to clean up iptables rules when the `ip6tables` command isn't available. [moby/moby#&#8203;44727](https://github.com/moby/moby/pull/44727) - Fix an issue where some iptables NAT rules weren't cleaned up after enabling the userland proxy. [moby/moby#&#8203;44811](https://github.com/moby/moby/pull/44811) - Fix a potentially leaked process in rare situations where cleaning up a failed attempt to start a container was mishandled. [moby/moby#&#8203;44400](https://github.com/moby/moby/pull/44400) - Fix the `CreatedAt` time of a volume reflecting initialization and not creation. [moby/moby#&#8203;44725](https://github.com/moby/moby/pull/44725) - Fix an issue where the CLI incorrectly reported an incompatible server instead of an unreachable server in some commands. 
[docker/cli#&#8203;3901](https://github.com/docker/cli/pull/3901), [docker/cli#&#8203;3904](https://github.com/docker/cli/pull/3904) - Fix broken completion of volumes in Zsh. [docker/cli#&#8203;2998](https://github.com/docker/cli/pull/2998) - Improve output of `docker context` when an invalid context is present. [docker/cli#&#8203;3847](https://github.com/docker/cli/pull/3847) - Remove ANSI decoration of CLI help annotations when the output isn't a TTY, and added a newline for readability. [docker/cli#&#8203;3973](https://github.com/docker/cli/pull/3973) - Add `docker container remove` as an alias for `docker container rm`. [docker/cli#&#8203;3986](https://github.com/docker/cli/pull/3986) ### [`v20.10.23`](https://github.com/moby/moby/releases/tag/v20.10.23) [Compare Source](https://github.com/docker/docker/compare/v20.10.22...v20.10.23) ##### Bug fixes and enhancements - Fix an issue where `docker build` would fail when using `--add-host=host.docker.internal:host-gateway` with BuildKit enabled [moby/moby#&#8203;44650](https://github.com/moby/moby/pull/44650). - Revert seccomp: block socket calls to `AF_VSOCK` in default profile [moby/moby#&#8203;44712](https://github.com/moby/moby/pull/44712). This change, while favorable from a security standpoint, caused a change in behavior for some use-cases. As such, we are reverting it to ensure stability and compatibility for the affected users. However, users of `AF_VSOCK` in containers should recognize that this (special) address family is not currently namespaced in any version of the Linux kernel, and may result in unexpected behavior, like containers communicating directly with host hypervisors. Future releases, will filter `AF_VSOCK`. Users who need to allow containers to communicate over the unnamespaced `AF_VSOCK` will need to turn off seccomp confinement or set a custom seccomp profile. ##### Packaging Updates - Update Docker Compose to [v2.15.1](https://github.com/docker/compose/releases/tag/v2.15.1). 
- Update Docker Buildx to [v0.10.0](https://github.com/docker/buildx/releases/tag/v0.10.0).
- Update containerd (`containerd.io` package) to [v1.6.15](https://github.com/containerd/containerd/releases/tag/v1.6.15).
- Update the package versioning format for `docker-compose-cli` to allow distro version updates [docker/docker-ce-packaging#822](https://github.com/docker/docker-ce-packaging/pull/822).
- Update Go runtime to [1.18.10](https://go.dev/doc/devel/release#go1.18.minor).

### [`v20.10.22`](https://github.com/moby/moby/releases/tag/v20.10.22)

[Compare Source](https://github.com/docker/docker/compare/v20.10.21...v20.10.22)

##### Bug fixes and enhancements

- Improve error message when attempting to pull an unsupported image format or OCI artifact ([moby/moby#44413](https://github.com/moby/moby/pull/44413), [moby/moby#44569](https://github.com/moby/moby/pull/44569)).
- Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers ([moby/moby#44476](https://github.com/moby/moby/pull/44476)).
- Fix `ssh: parse error in message type 27` errors during `docker build` on hosts using OpenSSH 8.9 or above ([moby/moby#3862](https://github.com/moby/moby/pull/3862)).
- seccomp: block socket calls to `AF_VSOCK` in default profile ([moby/moby#44564](https://github.com/moby/moby/pull/44564)).

##### Packaging Updates

- Update Docker Compose to [v2.14.1](https://github.com/docker/compose/releases/tag/v2.14.1).
- Update Docker Scan to [v0.23.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.23.0).
- Update containerd (`containerd.io` package) to [v1.6.13](https://github.com/containerd/containerd/releases/tag/v1.6.13) to include a fix for [CVE-2022-23471](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23471).
- Update Go runtime to [1.18.9](https://go.dev/doc/devel/release#go1.18.minor) to include fixes for [CVE-2022-41716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41716), [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717), and [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720).

### [`v20.10.21`](https://github.com/moby/moby/releases/tag/v20.10.21)

[Compare Source](https://github.com/docker/docker/compare/v20.10.20...v20.10.21)

This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, Containerd, added packages for Ubuntu 22.10, and some minor bug fixes and enhancements.

##### Client

- Remove "experimental" gates around "--platform" in bash completion [docker/cli#3824](https://github.com/docker/cli/pull/3824).

##### Daemon

- Allow "allow-nondistributable-artifacts" to be configured for Docker Hub [moby/moby#44313](https://github.com/moby/moby/pull/44313).
- Fix an `Invalid standard handle identifie` panic when registering the docker daemon as a service from a legacy CLI on Windows [moby/moby#44326](https://github.com/moby/moby/pull/44326).

##### Builder

- Fix running git commands in Cygwin on Windows [moby/moby#44332](https://github.com/moby/moby/pull/44332).
- Update bundled BuildKit version to fix "output clipped, log limit 1MiB reached" errors [moby/moby#44339](https://github.com/moby/moby/pull/44339).

##### Packaging

- Provide packages for Ubuntu 22.10 "Kinetic Kudu".
- Update Docker Compose to [v2.12.2](https://github.com/docker/compose/releases/tag/v2.12.2).
- Update Docker Scan to [v0.21.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.21.0).
- Update containerd (`containerd.io` package) to [v1.6.9](https://github.com/containerd/containerd/releases/tag/v1.6.9).
### [`v20.10.20`](https://github.com/moby/moby/releases/tag/v20.10.20)

[Compare Source](https://github.com/docker/docker/compare/v20.10.19...v20.10.20)

This release of Docker Engine contains partial mitigations for a Git vulnerability ([CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253)), and has updated handling of `image:tag@digest` image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into resulting containers/images; this can occur in both the daemon, and in API clients, depending on the versions and tools in use.

The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build a Git URL context (e.g. `git+protocol://`). As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulnerability. Further details are available from the GitHub blog (["Git security vulnerabilities announced"](https://github.blog/2022-10-18-git-security-vulnerabilities-announced/)).

##### Client

- Added a mitigation for [CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253), when using the classic Builder with a Git URL as the build context.

##### Daemon

- Updated handling of `image:tag@digest` references. When pulling an image using the `image:tag@digest` ("pull by digest"), image resolution happens through the content-addressable digest and the `image` and `tag` are not used. While this is expected, this could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error.
##### Builder

- Updated handling of `image:tag@digest` references. Refer to the "Daemon" section above for details.
- Added a mitigation to the classic Builder and updated BuildKit to [v0.8.3-31-gc0149372](https://github.com/moby/buildkit/commit/c014937225cba29cfb1d5161fd134316c0e9bdaa), for [CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253).

### [`v20.10.19`](https://github.com/moby/moby/releases/tag/v20.10.19)

[Compare Source](https://github.com/docker/docker/compare/v20.10.18...v20.10.19)

This release of Docker Engine comes with some bug-fixes, and an updated version of Docker Compose.

##### Builder

- Fix an issue that could result in a panic during `docker builder prune` or `docker system prune` [moby/moby#44122](https://github.com/moby/moby/pull/44122).

##### Daemon

- Fix a bug where using `docker volume prune` would remove volumes that were still in use if the daemon was running with "live restore" and was restarted [moby/moby#44238](https://github.com/moby/moby/pull/44238).

##### Packaging

- Update Docker Compose to [v2.11.2](https://github.com/docker/compose/releases/tag/v2.11.2).
- Update Go runtime to [1.18.7](https://go.dev/doc/devel/release#go1.18.minor), which contains fixes for [CVE-2022-2879](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2879), [CVE-2022-2880](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880), and [CVE-2022-41715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41715).

### [`v20.10.18`](https://github.com/moby/moby/releases/tag/v20.10.18)

[Compare Source](https://github.com/docker/docker/compare/v20.10.17...v20.10.18)

This release of Docker Engine comes with a fix for a low-severity security issue, some minor bug fixes, and updated versions of Docker Compose, Docker Buildx, `containerd`, and `runc`.

##### Client

- Add Bash completion for Docker Compose [docker/cli#3752](https://github.com/docker/cli/pull/3752).
##### Builder

- Fix an issue where file-capabilities were not preserved during build [moby/moby#43876](https://github.com/moby/moby/pull/43876).
- Fix an issue that could result in a panic caused by a concurrent map read and map write [moby/moby#44067](https://github.com/moby/moby/pull/44067)

##### Daemon

- Fix a security vulnerability relating to supplementary group permissions, which could allow a container process to bypass primary group restrictions within the container [CVE-2022-36109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36109), [GHSA-rc4r-wh2q-q6c4](https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4).
- seccomp: add support for Landlock syscalls in default policy [moby/moby#43991](https://github.com/moby/moby/pull/43991).
- seccomp: update default policy to support new syscalls introduced in kernel 5.12 - 5.16 [moby/moby#43991](https://github.com/moby/moby/pull/43991).
- Fix an issue where cache lookup for image manifests would fail, resulting in a redundant round-trip to the image registry [moby/moby#44109](https://github.com/moby/moby/pull/44109).
- Fix an issue where `exec` processes and healthchecks were not terminated when they timed out [moby/moby#44018](https://github.com/moby/moby/pull/44018).

##### Packaging

- Update Docker Buildx to [v0.9.1](https://github.com/docker/buildx/releases/tag/v0.9.1).
- Update Docker Compose to [v2.10.2](https://github.com/docker/compose/releases/tag/v2.10.2).
- Update containerd (`containerd.io` package) to [v1.6.8](https://github.com/containerd/containerd/releases/tag/v1.6.8).
- Update runc to [v1.1.4](https://github.com/opencontainers/runc/releases/tag/v1.1.4).
- Update Go runtime to [1.18.6](https://go.dev/doc/devel/release#go1.18.minor), which contains fixes for [CVE-2022-27664](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664) and [CVE-2022-32190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32190).
### [`v20.10.17`](https://github.com/moby/moby/releases/tag/v20.10.17)

[Compare Source](https://github.com/docker/docker/compare/v20.10.16...v20.10.17)

This release of Docker Engine comes with updated versions of the `compose`, `containerd`, and `runc` components, as well as some minor bug fixes.

##### Client

- Remove asterisk from docker commands in zsh completion script [docker/cli#3648](https://github.com/docker/cli/pull/3648).

##### Networking

- Fix Windows port conflict with published ports in host mode for overlay [moby/moby#43644](https://github.com/moby/moby/pull/43644).
- Ensure performance tuning is always applied to libnetwork sandboxes [moby/moby#43683](https://github.com/moby/moby/pull/43683).

##### Packaging

- Update Docker Compose to [v2.6.0](https://github.com/docker/compose/releases/tag/v2.6.0).
- Update containerd (`containerd.io` package) to [v1.6.6](https://github.com/containerd/containerd/releases/tag/v1.6.6), which contains a fix for [CVE-2022-31030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030)
- Update runc version to [v1.1.2](https://github.com/opencontainers/runc/releases/tag/v1.1.2), which contains a fix for [CVE-2022-29162](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29162).
- Updated Go runtime to [1.17.11](https://go.dev/doc/devel/release#go1.17.minor), which contains fixes for [CVE-2022-30634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634), [CVE-2022-30629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629), [CVE-2022-30580](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580) and [CVE-2022-29804](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804)

### [`v20.10.16`](https://github.com/moby/moby/releases/tag/v20.10.16)

[Compare Source](https://github.com/docker/docker/compare/v20.10.15...v20.10.16)

This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with `docker stats` when using containerd 1.5 and up, and updates the Go runtime to include a fix for [CVE-2022-29526](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).

##### Client

- Fix a regression in binaries for macOS introduced in [20.10.15](#201015), which resulted in a panic [docker/cli#43426](https://github.com/docker/cli/pull/3592).
- Update golang.org/x/sys dependency which contains a fix for [CVE-2022-29526](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).

##### Daemon

- Fix an issue where `docker stats` was showing empty stats when running with containerd 1.5.0 or up [moby/moby#43567](https://github.com/moby/moby/pull/43567).
- Update the `golang.org/x/sys` build-time dependency which contains a fix for [CVE-2022-29526](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).

##### Packaging

- Update Go runtime to [1.17.10](https://go.dev/doc/devel/release#go1.17.minor), which contains a fix for [CVE-2022-29526](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).
- Use "weak" dependencies for the `docker scan` CLI plugin, to prevent a "conflicting requests" error when users performed an off-line installation from downloaded RPM packages [docker/docker-ce-packaging#659](https://github.com/docker/docker-ce-packaging/pull/659).

### [`v20.10.15`](https://github.com/moby/moby/releases/tag/v20.10.15)

[Compare Source](https://github.com/docker/docker/compare/v20.10.14...v20.10.15)

This release of Docker Engine comes with updated versions of the `compose`, `buildx`, `containerd`, and `runc` components, as well as some minor bugfixes.

##### Daemon

- Use a RWMutex for stateCounter to prevent potential locking congestion [moby/moby#43426](https://github.com/moby/moby/pull/43426).
- Prevent an issue where the daemon was unable to find an available IP-range in some conditions [moby/moby#43360](https://github.com/moby/moby/pull/43360)

##### Packaging

- Update Docker Compose to [v2.5.0](https://github.com/docker/compose/releases/tag/v2.5.0).
- Update Docker Buildx to [v0.8.2](https://github.com/docker/buildx/releases/tag/v0.8.2).
- Update Go runtime to [1.17.9](https://go.dev/doc/devel/release#go1.17.minor).
- Update containerd (`containerd.io` package) to [v1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.3).
- Update runc version to [v1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1).
- Add packages for CentOS 9 stream and Fedora 36.

### [`v20.10.14`](https://github.com/moby/moby/releases/tag/v20.10.14)

[Compare Source](https://github.com/docker/docker/compare/v20.10.13...v20.10.14)

This release of Docker Engine updates the default inheritable capabilities for containers to address [CVE-2022-24769](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769), a new version of the `containerd.io` runtime is also included to address the same issue.

##### Daemon

- Update the default inheritable capabilities.
##### Builder

- Update the default inheritable capabilities for containers used during build.

##### Packaging

- Update containerd (`containerd.io` package) to [v1.5.11](https://github.com/containerd/containerd/releases/tag/v1.5.11).
- Update `docker buildx` to [v0.8.1](https://github.com/docker/buildx/releases/tag/v0.8.1).

### [`v20.10.13`](https://github.com/moby/moby/releases/tag/v20.10.13)

[Compare Source](https://github.com/docker/docker/compare/v20.10.12...v20.10.13)

This release of Docker Engine contains some bug-fixes and packaging changes, updates to the `docker scan` and `docker buildx` commands, an updated version of the Go runtime, and new versions of the `containerd.io` runtime. Together with this release, we now also provide `.deb` and `.rpm` packages of Docker Compose V2, which can be installed using the (optional) `docker-compose-plugin` package.

##### Builder

- Updated the bundled version of buildx to [v0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0).

##### Daemon

- Fix a race condition when updating the container's state [moby/moby#43166](https://github.com/moby/moby/pull/43166).
- Update the etcd dependency to prevent the daemon from incorrectly holding file locks [moby/moby#43259](https://github.com/moby/moby/pull/43259)
- Fix detection of user-namespaces when configuring the default `net.ipv4.ping_group_range` sysctl [moby/moby#43084](https://github.com/moby/moby/pull/43084).

##### Distribution

- Retry downloading image-manifests if a connection failure happens during image pull [moby/moby#43333](https://github.com/moby/moby/pull/43333).

##### Documentation

- Various fixes in command-line reference and API documentation.

##### Logging

- Prevent an OOM when using the "local" logging driver with containers that produce a large amount of log messages [moby/moby#43165](https://github.com/moby/moby/pull/43165).
- Updates the fluentd log driver to prevent a potential daemon crash, and prevent containers from hanging when using the `fluentd-async-connect=true` and the remote server is unreachable [moby/moby#43147](https://github.com/moby/moby/pull/43147).

##### Packaging

- Provide `.deb` and `.rpm` packages for Docker Compose V2. [Docker Compose v2.3.3](https://github.com/docker/compose/releases/tag/v2.3.3) can now be installed on Linux using the `docker-compose-plugin` packages, which provides the `docker compose` subcommand on the Docker CLI. The Docker Compose plugin can also be installed and run standalone to be used as a drop-in replacement for `docker-compose` (Docker Compose V1) [docker/docker-ce-packaging#638](https://github.com/docker/docker-ce-packaging/pull/638). The `compose-cli-plugin` package can also be used on older versions of the Docker CLI with support for CLI plugins (Docker CLI 18.09 and up).
- Provide packages for the upcoming Ubuntu 22.04 "Jammy Jellyfish" LTS release [docker/docker-ce-packaging#645](https://github.com/docker/docker-ce-packaging/pull/645), [docker/containerd-packaging#271](https://github.com/docker/containerd-packaging/pull/271).
- Update `docker buildx` to [v0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0).
- Update `docker scan` (`docker-scan-plugin`) to [v0.17.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.17.0).
- Update containerd (`containerd.io` package) to [v1.5.10](https://github.com/containerd/containerd/releases/tag/v1.5.10).
- Update the bundled runc version to [v1.0.3](https://github.com/opencontainers/runc/releases/tag/v1.0.3).
- Update Golang runtime to Go 1.16.15.

### [`v20.10.12`](https://github.com/moby/moby/releases/tag/v20.10.12)

[Compare Source](https://github.com/docker/docker/compare/v20.10.11...v20.10.12)

#### Packaging

- Update `docker scan` to [v0.12.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.12.0).
- Update `docker buildx` to [v0.7.1](https://github.com/docker/buildx/releases/tag/v0.7.1).
- Update Golang runtime to Go 1.16.12.

### [`v20.10.11`](https://github.com/moby/moby/releases/tag/v20.10.11)

[Compare Source](https://github.com/docker/docker/compare/v20.10.10...v20.10.11)

#### 20.10.11

> **IMPORTANT**
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http),
> HTTP proxies configured through the `$HTTP_PROXY` environment variable are no
> longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY`
> environment variable for handling requests to `https://` URLs.
>
> Refer to the [HTTP/HTTPS proxy section](../../config/daemon/systemd.md#httphttps-proxy)
> to learn how to configure the Docker Daemon to use a proxy server.

##### Distribution

- Handle ambiguous OCI manifest parsing to mitigate [CVE-2021-41190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190) / [GHSA-mc8v-mgrf-8f4m](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m). See [GHSA-xmmx-7jpf-fx42](https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42) for details.

##### Windows

- Fix panic.log file having read-only attribute set [moby/moby#42987](https://github.com/moby/moby/pull/42987).

#### Packaging

- Update containerd to [v1.4.12](https://github.com/containerd/containerd/releases/tag/v1.4.12) to mitigate [CVE-2021-41190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190).
- Update Golang runtime to Go 1.16.10.
### [`v20.10.10`](https://github.com/moby/moby/releases/tag/v20.10.10)

[Compare Source](https://github.com/docker/docker/compare/v20.10.9...v20.10.10)

#### 20.10.10

> **IMPORTANT**
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http),
> HTTP proxies configured through the `$HTTP_PROXY` environment variable are no
> longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY`
> environment variable for handling requests to `https://` URLs.
>
> Refer to the [HTTP/HTTPS proxy section](../../config/daemon/systemd.md#httphttps-proxy)
> to learn how to configure the Docker Daemon to use a proxy server.

##### Builder

- Fix platform-matching logic to fix `docker build` not finding images in the local image cache on Arm machines when using BuildKit [moby/moby#42954](https://github.com/moby/moby/pull/42954)

#### Runtime

- Add support for `clone3` syscall in the default seccomp policy to support running containers based on recent versions of Fedora and Ubuntu. [moby/moby/#42836](https://github.com/moby/moby/pull/42836).
- Windows: update hcsshim library to fix a bug in sparse file handling in container layers, which was exposed by recent changes in Windows [moby/moby#42944](https://github.com/moby/moby/pull/42944).
- Fix some situations where `docker stop` could hang forever [moby/moby#42956](https://github.com/moby/moby/pull/42956).

##### Swarm

- Fix an issue where updating a service did not roll back on failure [moby/moby#42875](https://github.com/moby/moby/pull/42875).

#### Packaging

- Add packages for Ubuntu 21.10 "Impish Indri" and Fedora 35.
- Update `docker scan` to v0.9.0
- Update Golang runtime to Go 1.16.9.
### [`v20.10.9`](https://github.com/moby/moby/releases/tag/v20.10.9)

[Compare Source](https://github.com/docker/docker/compare/v20.10.8...v20.10.9)

This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package and the Go runtime.

#### Client

- [CVE-2021-41092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092) Ensure default auth config has address field set, to prevent credentials being sent to the default registry.

#### Runtime

- [CVE-2021-41089](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41089) Create parent directories inside a chroot during `docker cp` to prevent a specially crafted container from changing permissions of existing files in the host’s filesystem.
- [CVE-2021-41091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41091) Lock down file permissions to prevent unprivileged users from discovering and executing programs in `/var/lib/docker`.

#### Packaging

- Update Golang runtime to Go 1.16.8, which contains fixes for [CVE-2021-36221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221) and [CVE-2021-39293](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39293)
- Update static binaries and containerd.io rpm and deb packages to containerd v1.4.11 and runc v1.0.2 to address [CVE-2021-41103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103).
- Update the bundled buildx version to v0.6.3 for rpm and deb packages.

### [`v20.10.8`](https://github.com/moby/moby/releases/tag/v20.10.8)

[Compare Source](https://github.com/docker/docker/compare/v20.10.7...v20.10.8)

#### 20.10.8

> **IMPORTANT**
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http), HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections.
Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the [HTTP/HTTPS proxy section in the documentation](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy) to learn how to configure the Docker Daemon to use a proxy server.

##### Deprecation

- Deprecate support for encrypted TLS private keys. Legacy PEM encryption as specified in RFC 1423 is insecure by design. Because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. Support for encrypted TLS private keys is now marked as deprecated, and will be removed in an upcoming release. [docker/cli#3219](https://github.com/docker/cli/pull/3219)
- Deprecate Kubernetes stack support. Following the deprecation of [Compose on Kubernetes](https://github.com/docker/compose-on-kubernetes), support for Kubernetes in the `stack` and `context` commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release [docker/cli#3174](https://github.com/docker/cli/pull/3174).

##### Client

- Fix `Invalid standard handle identifier` errors on Windows [docker/cli#3132](https://github.com/docker/cli/pull/3132).

##### Rootless

- Avoid `can't open lock file /run/xtables.lock: Permission denied` error on SELinux hosts [moby/moby#42462](https://github.com/moby/moby/pull/42462).
- Disable overlay2 when running with SELinux to prevent permission denied errors [moby/moby#42462](https://github.com/moby/moby/pull/42462).
- Fix `x509: certificate signed by unknown authority` error on openSUSE Tumbleweed [moby/moby#42462](https://github.com/moby/moby/pull/42462).

##### Runtime

- Print a warning when using the `--platform` option to pull a single-arch image that does not match the specified architecture [moby/moby#42633](https://github.com/moby/moby/pull/42633).
- Fix incorrect `Your kernel does not support swap memory limit` warning when running with cgroups v2 [moby/moby#42479](https://github.com/moby/moby/pull/42479).
- Windows: Fix a situation where containers were not stopped if `HcsShutdownComputeSystem` returned an `ERROR_PROC_NOT_FOUND` error [moby/moby#42613](https://github.com/moby/moby/pull/42613)

#### Swarm

- Fix a possibility where overlapping IP addresses could exist as a result of the node failing to clean up its old loadbalancer IPs [moby/moby#42538](https://github.com/moby/moby/pull/42538)
- Fix a deadlock in log broker ("dispatcher is stopped") [moby/moby#42537](https://github.com/moby/moby/pull/42537)

##### Packaging

> **Known issue**
>
> The `ctr` binary shipping with the static packages of this release is not
> statically linked, and will not run in Docker images using alpine as a base
> image. Users can install the `libc6-compat` package, or download a previous
> version of the `ctr` binary as a workaround. Refer to the containerd ticket
> related to this issue for more details: [containerd/containerd#5824](https://github.com/containerd/containerd/issues/5824).

- Remove packaging for Ubuntu 16.04 "Xenial" and Fedora 32, as they reached EOL [docker/docker-ce-packaging#560](https://github.com/docker/docker-ce-packaging/pull/560)
- Update Golang runtime to Go 1.16.6
- Update the bundled buildx version to v0.6.1 for rpm and deb packages [docker/docker-ce-packaging#562](https://github.com/docker/docker-ce-packaging/pull/562)
- Update static binaries and containerd.io rpm and deb packages to containerd v1.4.9 and runc v1.0.1: [docker/containerd-packaging#241](https://github.com/docker/containerd-packaging/pull/241), [docker/containerd-packaging#245](https://github.com/docker/containerd-packaging/pull/245), [docker/containerd-packaging#247](https://github.com/docker/containerd-packaging/pull/247).
### [`v20.10.7`](https://github.com/moby/moby/releases/tag/v20.10.7)

[Compare Source](https://github.com/docker/docker/compare/v20.10.6...v20.10.7)

#### 20.10.7

##### Client

- Suppress warnings for deprecated cgroups [docker/cli#3099](https://github.com/docker/cli/pull/3099).
- Prevent sending `SIGURG` signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses `SIGURG` signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore `SIGURG` signals [docker/cli#3107](https://github.com/docker/cli/pull/3107), [moby/moby#42421](https://github.com/moby/moby/pull/42421).

##### Builder

- Update BuildKit to version v0.8.3-3-g244e8cde [moby/moby#42448](https://github.com/moby/moby/pull/42448):
  - Transform relative mountpoints for exec mounts in the executor to work around a breaking change in runc v1.0.0-rc94 and up. [moby/buildkit#2137](https://github.com/moby/buildkit/pull/2137).
  - Add retry on image push 5xx errors. [moby/buildkit#2043](https://github.com/moby/buildkit/pull/2043).
  - Fix build-cache not being invalidated when renaming a file that is copied using a `COPY` command with a wildcard. Note that this change invalidates existing build caches for copy commands that use a wildcard. [moby/buildkit#2018](https://github.com/moby/buildkit/pull/2018).
  - Fix build-cache not being invalidated when using mounts [moby/buildkit#2076](https://github.com/moby/buildkit/pull/2076).
- Fix build failures when `FROM` image is not cached when using legacy schema 1 images [moby/moby#42382](https://github.com/moby/moby/pull/42382).

##### Logging

- Update the hcsshim SDK to make daemon logs on Windows less verbose [moby/moby#42292](https://github.com/moby/moby/pull/42292).
##### Rootless

- Fix capabilities not being honored when an image was built on a daemon with user-namespaces enabled [moby/moby#42352](https://github.com/moby/moby/pull/42352).

##### Networking

- Update libnetwork to fix publishing ports on environments with kernel boot parameter `ipv6.disable=1`, and to fix a deadlock causing internal DNS lookups to fail [moby/moby#42413](https://github.com/moby/moby/pull/42413).

##### Contrib

- Update rootlesskit to v0.14.2 to fix a timeout when starting the userland proxy with the `slirp4netns` port driver [moby/moby#42294](https://github.com/moby/moby/pull/42294).
- Fix "Device or resource busy" errors when running docker-in-docker on a rootless daemon [moby/moby#42342](https://github.com/moby/moby/pull/42342).

##### Packaging

- Update containerd to v1.4.6, runc v1.0.0-rc95 to address [CVE-2021-30465](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465) [moby/moby#42398](https://github.com/moby/moby/pull/42398), [moby/moby#42395](https://github.com/moby/moby/pull/42395), [docker/containerd-packaging#234](https://github.com/docker/containerd-packaging/pull/234)
- Update containerd to v1.4.5, runc v1.0.0-rc94 [moby/moby#42372](https://github.com/moby/moby/pull/42372), [moby/moby#42388](https://github.com/moby/moby/pull/42388), [docker/containerd-packaging#232](https://github.com/docker/containerd-packaging/pull/232).
- Update Docker Scan plugin packages (`docker-scan-plugin`) to v0.8 [docker/docker-ce-packaging#545](https://github.com/docker/docker-ce-packaging/pull/545).
### [`v20.10.6`](https://github.com/moby/moby/releases/tag/v20.10.6)

[Compare Source](https://github.com/docker/docker/compare/v20.10.5...v20.10.6)

release notes: https://docs.docker.com/engine/release-notes/#20106

### [`v20.10.5`](https://github.com/moby/moby/releases/tag/v20.10.5)

[Compare Source](https://github.com/docker/docker/compare/v20.10.4...v20.10.5)

release notes: https://docs.docker.com/engine/release-notes/#20105

#### 20.10.5

##### Client

- Revert [docker/cli#2960](https://github.com/docker/cli#2960) to fix hanging in docker start --attach and remove spurious “Unsupported signal: . Discarding." messages [docker/cli#2987](https://github.com/docker/cli/pull/2987)

### [`v20.10.4`](https://github.com/moby/moby/releases/tag/v20.10.4)

[Compare Source](https://github.com/docker/docker/compare/v20.10.3...v20.10.4)

release notes: https://docs.docker.com/engine/release-notes/#20104

#### 20.10.4

##### Builder

- Fix incorrect cache match for inline cache import with empty layers [moby/moby#42061](https://github.com/moby/moby/pull/42061)
- Update BuildKit to v0.8.2 [moby/moby#42061](https://github.com/moby/moby/pull/42061)
  - resolver: avoid error caching on token fetch
  - fileop: fix checksum to contain indexes of inputs preventing certain cache misses
  - Fix reference count issues on typed errors with mount references (fixing `invalid mutable ref` errors)
  - git: set token only for main remote access allowing cloning submodules with different credentials
- Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull.
To clean up old state run `builder prune` [moby/moby#&#8203;42065](https://github.com/moby/moby/pull/42065) - Fix parallel pull synchronization regression [moby/moby#&#8203;42049](https://github.com/moby/moby/pull/42049) - Ensure libnetwork state files do not leak [moby/moby#&#8203;41972](https://github.com/moby/moby/pull/41972) ##### Client - Fix a panic on `docker login` if no config file is present [docker/cli#&#8203;2959](https://github.com/docker/cli/pull/2959) - Fix `WARNING: Error loading config file: .dockercfg: $HOME is not defined` [docker/cli#&#8203;2958](https://github.com/docker/cli/pull/2958) ##### Runtime - docker info: silence unhandleable warnings [moby/moby#&#8203;41958](https://github.com/moby/moby/pull/41958) - Avoid creating parent directories for XGlobalHeader [moby/moby#&#8203;42017](https://github.com/moby/moby/pull/42017) - Use 0755 permissions when creating missing directories [moby/moby#&#8203;42017](https://github.com/moby/moby/pull/42017) - Fallback to manifest list when no platform matches in image config [moby/moby#&#8203;42045](https://github.com/moby/moby/pull/42045) [moby/moby#&#8203;41873](https://github.com/moby/moby/pull/41873) - Fix a daemon panic on setups with a custom default runtime configured [moby/moby#&#8203;41974](https://github.com/moby/moby/pull/41974) - Fix a panic when daemon configuration is empty [moby/moby#&#8203;41976](https://github.com/moby/moby/pull/41976) - Fix daemon panic when starting container with invalid device cgroup rule [moby/moby#&#8203;42001](https://github.com/moby/moby/pull/42001) - Fix userns-remap option when username & UID match [moby/moby#&#8203;42013](https://github.com/moby/moby/pull/42013) - static: update runc binary to v1.0.0-rc93 [moby/moby#&#8203;42014](https://github.com/moby/moby/pull/42014) ##### Logger - Honor `labels-regex` config even if `labels` is not set [moby/moby#&#8203;42046](https://github.com/moby/moby/pull/42046) - Handle long log messages correctly preventing awslogs 
in non-blocking mode to split events bigger than 16kB [mobymoby#&#8203;41975](https://github.com/moby/moby/pull/41975) ##### Rootless - Prevent the service hanging when stopping by setting systemd KillMode to mixed [moby/moby#&#8203;41956](https://github.com/moby/moby/pull/41956) - dockerd-rootless.sh: add typo guard [moby/moby#&#8203;42070](https://github.com/moby/moby/pull/42070) - Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses [moby/moby#&#8203;42025](https://github.com/moby/moby/pull/42025) - allow mknodding FIFO inside userns [moby/moby#&#8203;41957](https://github.com/moby/moby/pull/41957) ##### Security - profiles: seccomp: update to Linux 5.11 syscall list [moby/moby#&#8203;41971](https://github.com/moby/moby/pull/41971) ##### Swarm - Fix issue with heartbeat not persisting upon restart [moby/moby#&#8203;42060](https://github.com/moby/moby/pull/42060) - Fix potential stalled tasks [moby/moby#&#8203;42060](https://github.com/moby/moby/pull/42060) - Fix `--update-order` and `--rollback-order` flags when only `--update-order` or `--rollback-order` is provided [docker/cli#&#8203;2963](https://github.com/docker/cli/pull/2963) - Fix `docker service rollback` returning a non-zero exit code in some situations [docker/cli#&#8203;2964](https://github.com/docker/cli/pull/2964) - Fix inconsistent progress-bar direction on `docker service rollback` [docker/cli#&#8203;2964](https://github.com/docker/cli/pull/2964) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. 
--- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMjAuMCIsInVwZGF0ZWRJblZlciI6IjM0LjE1Mi4yIn0=-->
Author
Owner

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
No tool releases found.
prskr force-pushed renovate/github.com-docker-docker-23.x from dffeb1c08d
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
concourse-ci/test/integration Run integration tests
to 6783e9ff51
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-08 19:50:50 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 6783e9ff51
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to 32f5b97ff3
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-09 22:06:47 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 32f5b97ff3
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to 3c944d86c7
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-10 21:34:31 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 3c944d86c7
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to d4fdd700e2
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-10 21:54:54 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from d4fdd700e2
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to df03fdb709
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-15 18:42:42 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from df03fdb709
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to 4f76396f4f
Some checks failed
concourse-ci/test/unit Run unit tests
2023-02-15 19:08:58 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 4f76396f4f
Some checks failed
concourse-ci/test/unit Run unit tests
to 3f51ec8dfe
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-16 10:43:01 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 3f51ec8dfe
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to f9f9822054
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
2023-02-16 12:27:29 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from f9f9822054
Some checks failed
renovate/artifacts Artifact file update failure
concourse-ci/test/unit Run unit tests
to e6f1993459 2023-02-22 20:55:00 +00:00
Author
Owner

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

prskr force-pushed renovate/github.com-docker-docker-23.x from e6f1993459 to d3bf1c23e3
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-02-23 17:03:06 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 9a384b40d2
Some checks reported errors
continuous-integration/drone/push Build was killed
continuous-integration/drone/pr Build was killed
to 4dbebc8de7
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-02-24 00:24:02 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 4dbebc8de7
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
to f55684e300
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-02-26 00:23:46 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from f55684e300
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
to 54790580f8
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-02-26 15:20:18 +00:00
prskr force-pushed renovate/github.com-docker-docker-23.x from 54790580f8
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
to 1f661122c4
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-02-26 15:29:20 +00:00
fix(ci): use cache volume for lint step (again)
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
f3ca6aa626
fix(ci): disable eBPF firewall in integration tests
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
d081b6d408
prskr merged commit b1717aec05 into main 2023-02-28 19:48:06 +00:00
prskr deleted branch renovate/github.com-docker-docker-23.x 2023-02-28 19:48:07 +00:00