Docker 17.05.0-ce

Docker is an open platform for distributing software applications in containers. It uses operating system-level virtualization for process and full resource isolation through cgroups, capabilities, SELinux, AppArmor, netfilter, and Linux kernel namespaces. Its libcontainer is based on libvirt and lxc. Docker Engine is the application and environment packaging tool, and Docker Hub is a cloud service for sharing prepackaged containers.

Tags virtualization application-containers security distributed-computing systems-administration
License Apache
State initial

Recent Releases

17.05.0-ce 10 Jun 2017 03:15 minor feature: Builder: Add multi-stage build support. Allow using build-time args (`ARG`) in `FROM`. Add an option for specifying build target. Accept `-f -` to read Dockerfile from `stdin`, but use local context for building. The values of default build time arguments (e.g. `HTTP_PROXY`) are no longer displayed in docker image history unless a corresponding `ARG` instruction is written in the Dockerfile. setting command if a custom shell is used in a parent image. `docker build --label` when the label includes single quotes and a space. Client: Add `--mount` flag to `docker run` and `docker create`. Add `--type=secret` to `docker inspect`. Add `--format` option to `docker secret ls`. Add `--filter` option to `docker secret ls`. Add `--filter scope=` to `docker network ls`. Add `--cpus` support to `docker update`. Add label filter to `docker system prune` and other `prune` commands. `docker stack rm` now accepts multiple stacks as input. Improve `docker version --format` option when the client has downgraded the API version. Prompt when using an encrypted client certificate to connect to a docker daemon. Display created tags on successful `docker build`. Cleanup compose convert error messages. Contrib: Add support for building docker debs for Ubuntu 17.04 Zesty on amd64. Daemon: `--api-cors-header` being ignored if `--api-enable-cors` is not set. Cleanup docker tmp dir on start. Deprecate `--graph` flag in favor of `--data-root`. Logging: Add support for logging driver plugins. Add support for showing logs of individual tasks to `docker service logs`, and add `/task/ id /logs` REST endpoint. Add `--log-opt env-regex` option to match environment variables using a regular expression. Networking: Allow user to replace, and customize the ingress network. UDP traffic in containers not working after the container is restarted. files being written to `/var/lib/docker` if a different data-root is set. Runtime: Ensure health probe is
17.04.0-ce 11 Apr 2017 03:25 minor feature: Builder: Disable container logging for build containers. use of `/` in `.dockerignore`. Client: Sort `docker stack ls` by name. Flags for specifying bind mount consistency. Output of docker CLI --help is now wrapped to the terminal width. Suppress image digest in docker ps. Hide command options that are related to Windows. `docker plugin install` prompt to accept "enter" for the "N" default. Add `truncate` function for Go templates. Support expanded syntax of ports in `stack deploy`. Support expanded syntax of mounts in `stack deploy`. Add `--add-host` for docker build. Add `.CreatedAt` placeholder for `docker network ls --format`. Update order of `--secret-rm` and `--secret-add`. Add `--filter enabled=true` for `docker plugin ls`. Add `--format` to `docker service ls`. Add `publish` and `expose` filter for `docker ps --filter`. Support multiple service IDs on `docker service ps`. Allow swarm join with `--availability=drain`. Docker inspect now shows "docker-default" when AppArmor is enabled and no other profile was defined. Logging: Implement optional ring buffer for container logs. Add `--log-opt awslogs-create-group=` for awslogs (CloudWatch) to support creation of log groups as needed. segfault when using the gcplogs logging driver with a "static" binary. Networking: Check parameter `--ip`, `--ip6` and `--link-local-ip` in `docker network connect`. Added support for `dns-search`. Added --verbose option for docker network inspect to show task details from all swarm nodes. Clear stale datapath encryption states when joining the cluster docker/libnetwork#1354. Ensure iptables initialization only happens once docker/libnetwork#1676. bad order of iptables filter rules docker/libnetwork#961. Add anonymous container alias to service record on attachable network docker/libnetwork#1651. Support for `` driver label docker/libnetwork#1667. Improve network list performance by omitting ne
17.03.1-ce 30 Mar 2017 06:45 minor bugfix: Remote API (v1.27) Client. autoremove on older api. default network customization for a stack. Correct CPU usage calculation in presence of offline CPUs and newer Linux. where service healthcheck is ` ` in remote API. Runtime: Update runc to 54296cf40ad8143b62dbcaa1d90e520a2136ddfe. Ignore cgroup2 mountpoints opencontainers/runc#1266. Update containerd to 595e75c212d19a81d2b808a518fe1afc1391dad5. Register healthcheck service before calling restore() docker/containerd#609. `docker exec` not working after unattended upgrades that reload apparmor profiles. unmounting layer without merge dir with Overlay2. Do not ignore "volume in use" errors when force-delete. Swarm Mode: Update swarmkit to 17756457ad6dc4d8a639a1f0b7a85d1b65a617bb. Scheduler now correctly considers tasks which have been assigned to a node but aren't yet running docker/swarmkit#1980. Allow removal of a network when only dead tasks reference it docker/swarmkit#2018. Retry failed network allocations less aggressively docker/swarmkit#2021. Avoid network allocation for tasks that are no longer running docker/swarmkit#2017. Bookkeeping inside network allocator docker/swarmkit#2019 docker/swarmkit#2020. Windows: Cleanup HCS on restore.
17.03.0-ce 07 Mar 2017 03:15 major bugfix: IMPORTANT: Starting with this release, Docker is on a monthly release cycle and uses a new YY.MM versioning scheme to reflect this. Two channels are available: monthly and quarterly. Any given monthly release will only receive security and until the next monthly release is available. Quarterly releases receive security and for 4 months after initial release. This release includes for 1.13.1 but there are no major feature additions and the API version stays the same. Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk. Client: panic in `docker stats --format`. Contrib: Update various `bash` and `zsh` completion scripts, and more. Block obsolete socket families in default seccomp profile - mitigates unpatched kernels' CVE-2017-6074. Networking: on overlay encryption keys rotation in cross-datacenter swarm. side effect panic in overlay encryption and network control plane communication failure ("No installed keys could decrypt the message") on frequent swarm leader re-election. Several around system responsiveness and datapath programming when using overlay network with external kv-store docker/libnetwork#1639, docker/libnetwork#1632 and more. Discard incoming plain vxlan packets for encrypted overlay network. Release the network attachment on allocation failure. port allocation when multiple published ports map to the same target port docker/swarmkit#1835. Runtime: a deadlock in docker logs. cpu spin waiting for log write events. a possible crash when using journald. a panic on of nil channel. duplicate mount point for `--volumes-from` in `docker run`. `--cache-from` does not cache last step. Swarm Mode: Shutdown leaks an error when the container was never started. possibility of tasks getting stuck in the "NEW" state during a leader failover docker/swarmkit#1938. extraneous task creations for global services that led to confusing replica counts in `docker service ls` docker/swarmkit#1957.
problem that m
1.13.1 12 Feb 2017 11:05 minor bugfix: IMPORTANT: On Linux distributions where `devicemapper` was the default storage driver, the `overlay2`, or `overlay` is now used by default (if the kernel supports it). To use devicemapper, you can manually configure the storage driver to use through the `--storage-driver` daemon option, or by setting "storage-driver" in the `daemon.json` configuration file. IMPORTANT: In Docker 1.13, the managed plugin api changed, as compared to the experimental version introduced in Docker 1.12. You must uninstall plugins which you installed with Docker 1.12 _before_ upgrading to Docker 1.13. You can uninstall plugins using the `docker plugin rm` command. If you have already upgraded to Docker 1.13 without uninstalling previously-installed plugins, you may see this message when the Docker daemon starts: Error starting daemon: json: cannot unmarshal string into Go value of type types.PluginEnv. To manually remove all plugins and resolve this problem, take the following steps: 1. Remove plugins.json from: `/var/lib/docker/plugins/`. 2. Restart Docker. Verify that the Docker daemon starts with no errors. 3. Reinstall your plugins. Contrib: Do not require a custom build of tini. Upgrade to Go 1.7.5. Remote API (v1.26) Client. Support secrets in docker stack deploy with compose file. Runtime: size in `docker system df`. error on `docker inspect` when Swarm certificates were expired. deadlock on v1 plugin with activate error. SELinux regression. Plugins: Support global scoped network plugins (v2) in swarm mode. Add `docker plugin upgrade`. Windows: small regression with old plugins in Windows. warning on Windows.
1.13.0 12 Nov 2016 16:05 major feature: Builder: Add capability to specify images used as a cache source on build. These images do not need to have local parent chain and can be pulled from other registries. (experimental) Add option to squash image layers to the FROM image after successful builds. dockerfile parser with empty line after escape. Add step number on `docker build`. Add support for compressing build context during image build. add `--network` to `docker build`. inconsistent behavior between `--label` flag on `docker build` and `docker run`. image layer inconsistencies when using the overlay storage driver. Unused build-args are now allowed. A warning is presented instead of an error and failed build. builder cache on Windows. Contrib: Add support for building docker debs for Ubuntu Xenial on PPC64. Add support for building docker debs for Ubuntu Xenial on s390x. Add RPM builder for VMWare Photon OS. Add shell completions to tgz. Update the install script to allow using the mirror in China. Add DEB builder for Ubuntu 16.10 Yakkety Yak. Add RPM builder for Fedora 25. Distribution: Update notary dependency to 0.4.2 (full changelogs here). - Support for compilation on windows docker/notary#970. - Improved error messages for client authentication errors docker/notary#972. - Support for finding keys that are anywhere in the ` /.docker/trust/private` directory, not just under ` /.docker/trust/private/root_keys` or ` /.docker/trust/private/tuf_keys` docker/notary#981. - Previously, on any error updating, the client would fall back on the cache. Now we only do so if there is a network error or if the server is unavailable or missing the TUF data. Invalid TUF data will cause the update to fail - for example if there was an invalid root rotation. docker/notary#982. - Improve root validation and yubikey delogging docker/notary#858 docker/notary#891. - Warn if certificates for root or delegations are near expiry docker/notary#802.
- Warn if role metadata is near expiry docker/no
1.12.3 27 Oct 2016 03:15 minor bugfix: IMPORTANT: Docker 1.12 ships with an updated systemd unit file for rpm based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When upgrading from an older version of docker, the upgrade process may not automatically install the updated version of the unit file, or fail to start the docker service if: the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive. Starting the docker service will produce an error: Failed to start docker.service: Unit docker.socket failed to load: No such file or directory. or: no sockets found via socket activation: make sure the service was started by systemd. To resolve this: Backup the current version of the unit file, and replace the file with the version that ships with docker 1.12. Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present. Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present). After making those changes, run `sudo systemctl daemon-reload`, and `sudo systemctl restart docker` to reload changes and (re)start the docker daemon. Runtime: ambient capability usage in containers (CVE-2016-8867). Prevent a deadlock in libcontainerd for Windows. error reporting in CopyFileWithTar. Reset health status to starting when a container is restarted. Properly handle shared mount propagation in storage directory. docker exec. backward compatibility with containerd's events log. Swarm Mode: conversion of restart-policy. Update Swarmkit. Avoid restarting a task that has already been restarted docker/swarmkit#1305. Allow duplicate published ports when they use different protocols docker/swarmkit#1632. Allow multiple randomly assigned published ports on service docker/swarmkit#1657. - panic when allocations happen at init time docker/swarmkit#16
1.12.2 13 Oct 2016 06:45 minor bugfix: IMPORTANT: Docker 1.12 ships with an updated systemd unit file for rpm based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When upgrading from an older version of docker, the upgrade process may not automatically install the updated version of the unit file, or fail to start the docker service if: the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive. Starting the docker service will produce an error: Failed to start docker.service: Unit docker.socket failed to load: No such file or directory. or: no sockets found via socket activation: make sure the service was started by systemd. To resolve this: Backup the current version of the unit file, and replace the file with the version that ships with docker 1.12. Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present. Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present). After making those changes, run `sudo systemctl daemon-reload`, and `sudo systemctl restart docker` to reload changes and (re)start the docker daemon. Runtime: a panic due to a race condition filtering `docker ps`. Implement retry logic to prevent "Unable to remove filesystem" errors when using the aufs storage driver. Prevent devicemapper from removing device symlinks if `dm.use_deferred_removal` is enabled. an where the CLI did not return correct exit codes if a command was run with invalid options. a panic due to a in stdout / stderr processing in health checks. exec's children handling. exec form of HEALTHCHECK CMD. Networking: a daemon start panic on armv5. Vendor libnetwork. Avoid returning early on agent join failures docker/libnetwork#1473. - service published port cleanup docker/libetwork#1432 docker/libnetwork#1433.
Recover properly from transient go
1.12.1 19 Aug 2016 08:05 minor bugfix: IMPORTANT: Docker 1.12 ships with an updated systemd unit file for rpm based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When upgrading from an older version of docker, the upgrade process may not automatically install the updated version of the unit file, or fail to start the docker service if: the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive. Starting the docker service will produce an error: Failed to start docker.service: Unit docker.socket failed to load: No such file or directory. or: no sockets found via socket activation: make sure the service was started by systemd. To resolve this: Backup the current version of the unit file, and replace the file with the version that ships with docker 1.12. Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present. Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present). After making those changes, run `sudo systemctl daemon-reload`, and `sudo systemctl restart docker` to reload changes and (re)start the docker daemon. Client: Add `Joined at` information in `node inspect --pretty`. a crash on `service inspect`. preventing `service update --env-add` to work as intended. preventing `service update --publish-add` to work as intended. Remove `service update --network-add` and `service update --network-rm` flags because this feature is not yet implemented in 1.12, but was inadvertently added to the client in 1.12.0. Contrib: Official ARM installation for Debian Jessie, Ubuntu Trusty, and Raspbian Jessie. Add selinux policy per distro/version, ing preventing successful installation on Fedora 24, and Oracle Linux. Networking: that prevented containers to be accessed by hostname with Docker overlay driver in Swarm Mode. random net
1.12.0 30 Jul 2016 14:05 major feature: Builder: New `HEALTHCHECK` Dockerfile instruction to support user-defined healthchecks. New `SHELL` Dockerfile instruction to specify the default shell when using the shell form for commands in a Dockerfile. Add `#escape=` Dockerfile directive to support platform-specific parsing of file paths in Dockerfile. Add support for comments in `.dockerignore`. Support for UTF-8 in Dockerfiles. Skip UTF-8 BOM bytes from `Dockerfile` and `.dockerignore` if exist. Windows: support for `ARG` to match Linux. error message when building using a daemon with the bridge network disabled. Contrib: Enable seccomp for Centos 7 and Oracle Linux 7. Remove MountFlags in systemd unit to allow shared mount propagation. Distribution: Add `--max-concurrent-downloads` and `--max-concurrent-uploads` daemon flags useful for situations where network connections don't support multiple downloads/uploads. Registry operations now honor the `ALL_PROXY` environment variable. Provide more information to the user on `docker load`. Always save registry digest metadata about images pushed and pulled. Logging: Syslog logging driver now supports DGRAM sockets. Add `--details` option to `docker logs` to also display log tags. Enable syslog logger to have access to env and labels. An additional syslog-format option `rfc5424micro` to allow microsecond resolution in syslog timestamp. Inherit the daemon log options when creating containers. Remove `docker/` prefix from log messages tag and replace it with ` .DaemonName ` so that users have the option of changing the prefix. Networking: Built-in Virtual-IP based internal and ingress load-balancing using IPVS. Routing Mesh using ingress overlay network. Secured multi-host overlay networking using encrypted control-plane and Data-plane. MacVlan driver is out of experimental. Add `driver` filter to `network ls`. Adding `network` filter to `docker ps --filter`. Add `--link-local-ip` flag to `create`, `run` and `network connect` to
1.11.2 11 Jun 2016 03:15 minor bugfix: Networking: a stale endpoint on overlay networks during ungraceful restart. an where the wrong port could be reported by `docker inspect/ps/port`. Runtime: a potential panic when running `docker build`. Interpretation of `--user` parameter. a preventing container statistics to be correctly reported. an preventing container to be restarted after daemon restart. When running 32 bit binaries on Ubuntu 16.04. a possible deadlock on image deletion and container attach. an where containers fail to start after a daemon restart if they depend on a containerized cluster store. an causing `docker ps` to hang on CentOS when using devicemapper. a preventing to `docker exec` into a container when using devicemapper.
1.11.1 29 Apr 2016 10:05 minor bugfix: Distribution: schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json`. Documentation: Add missing API documentation for changes introduced with 1.11.0. Builder: Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile`. Networking: a panic that would occur when forwarding DNS query. an where OS threads could end up within an incorrect network namespace when using user defined networks. Runtime: a preventing labels configuration to be reloaded via the config file. a regression where container mounting `/var/run` would prevent other containers from being removed. an where it would be impossible to update both `memory-swap` and `memory` value together. a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided. Add missing cleanup of container temporary files when cancelling a schedule restart. Removed scary error message when no restart policy is specified. a panic that would occur when the plugins were activated via the json spec. restart backoff logic to correctly reset delay if container ran for at least 10secs. Remove error message when a container restart get cancelled. an where `docker` would not correctly clean up after `docker exec`. a panic that could occur when servicing concurrent `docker stats` commands. Revert deprecation of non-existing host directories auto-creation. Hide misleading rpc error on daemon shutdown.
1.11.0 20 Apr 2016 00:45 major bugfix: IMPORTANT: With Docker 1.11, a Linux docker installation is now made of 4 binaries (`docker`, `docker-containerd`, `docker-containerd-shim` and `docker-runc`). If you have scripts relying on docker being a single static binary, please make sure to update them. Interaction with the daemon stays the same otherwise, the usage of the other binaries should be transparent. A Windows docker installation remains a single binary, `docker.exe`. Builder: a where Docker would not use the correct uid/gid when processing the `WORKDIR` command. a where copy operations with userns would not use the proper uid/gid. Client: Usage of the `:` separator for security option has been deprecated. `=` should be used instead. The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations. Allow setting the Domainname and Hostname separately through the API. Docker info will now warn users if it can not detect the kernel version or the operating system. an where `docker stats --no-stream` output could be all 0s. a where some newly started container would not appear in a running `docker stats` command. Post processing is no longer enabled for linux-cgo terminals. Values to `--hostname` are now refused if they do not comply with RFC1123. Docker learned how to use a SOCKS proxy. Docker now supports external credential stores. `docker ps` now supports displaying the list of volumes mounted inside a container. `docker info` now also reports Docker's root directory location. Docker now prohibits login in with an empty username (spaces are trimmed). Docker events attributes are now sorted by key. `docker ps` no longer shows exported port for stopped containers. Docker now cleans after itself if a save/export command fails. Docker load learned how to display a progress bar. Distribution: a panic that occurred when pulling an image with 0 layers.
a panic that could occur on error while pushing to a registry with a miscon
1.10.3 16 Mar 2016 03:15 minor bugfix: Runtime: Docker client exiting with an "Unrecognized input header" error. Docker exiting if Exec is started with both `AttachStdin` and `Detach`. Distribution: a crash when pushing multiple images sharing the same layers to the same repository in parallel. a panic when pushing images to a registry which uses a misconfigured token service. Plugin system: preventing volume plugins to start when SELinux is enabled. Prevent Docker from exiting if a volume plugin returns a null response for Get requests. plugin system leaking file descriptors if a plugin has an error. Security: linux32 emulation to fail during docker build. It was due to the `personality` syscall being blocked by the default seccomp profile. Oracle XE 10g failing to start in a container. It was due to the `ipc` syscall being blocked by the default seccomp profile. user namespaces not working on Linux From Scratch. preventing daemon to start if userns is enabled and the `subuid` or `subgid` files contain comments.
1.10.2 02 Mar 2016 06:05 minor bugfix: Runtime: Prevent systemd from deleting containers' cgroups when its configuration is reloaded. SELinux by disregarding `--read-only` when mounting `/dev/mqueue`. chown permissions used during `docker cp` when userns is used. configuration loading with all booleans defaulting to `true`. occasional panic with `docker logs -f`. Distribution: Keep layer reference if deletion failed to avoid a badly inconsistent state. Handle gracefully a corner case when canceling migration. docker import on compressed data. tar-split files corruption during migration that later cause docker push and docker save to fail. Networking: daemon crash if embedded DNS is sent garbage. Volumes: with multiple volume references with same name. Security: potential cache corruption and delegation conflict.
1.9.1 24 Nov 2015 03:25 minor bugfix: Runtime: Do not prevent daemon from booting if images could not be restored. Force IPC mount to unmount on daemon shutdown/init. Turn IPC unmount errors into warnings. `docker stats` performance regression. Clarify cryptic error message upon `docker logs` if `--log-driver=none`. seldom panics. opq whiteouts problems for files with dot prefix. devicemapper: try defaulting to xfs instead of ext4 for performance reasons. devicemapper: displayed fs in docker info. selinux: only relabel if user requested so with the `z` option. Do not make network calls when normalizing names. Client: `docker login` on windows. with `docker inspect` output when not connected to daemon. `docker inspect -f .HostConfig.Dns somecontainer`. Builder: regression with symlink behavior in ADD/COPY. Networking: Allow passing a network ID as an argument for `--net`. connect to host and prevent disconnect from host for `host` network. `---cidr` when gateway ip falls in ip-range and ip-range is not the first block in the network. Restore deterministic `IPv6` generation from `MAC` address on default `bridge` network. Allow port-mapping only for endpoints created on docker run. an endpoint delete with a possible stale sbox. Distribution: Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent.
1.9.0 04 Nov 2015 03:15 major feature: Runtime: `docker stats` now returns block IO metrics. `docker stats` now details network stats per interface. Add `ancestor=` filter to `docker ps --filter` flag to filter containers based on their ancestor images. Add `label=` filter to `docker ps --filter` to filter containers based on label. Add `--kernel-memory` flag to `docker run`. Add `--message` flag to `docker import` allowing to specify an optional message. Add `--privileged` flag to `docker exec`. Add `--stop-signal` flag to `docker run` allowing to replace the container process stopping signal. Add a new `unless-stopped` restart policy. Inspecting an image now returns tags. Add container size information to `docker inspect`. Add `RepoTags` and `RepoDigests` field to `/images/ name:* /json`. Remove the deprecated `/container/ps` endpoint from the API. Send and document correct HTTP codes for `/exec//start`. Share shm and mqueue between containers sharing IPC namespace. Event stream now shows OOM status when `--oom-kill-disable` is set. Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted with `ro` option. Improve `rmi` performance. Do not update /etc/hosts for the default bridge network, except for links. conflict with duplicate container names. an with incorrect template execution in `docker inspect`. DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run. Client: Allow `docker import` to import from local files. Builder: Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different stop-signal for the container process. Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build` that allows to add build-time environment variables. Improve cache miss performance. Storage: devicemapper: Implement deferred deletion capability. Networking: `docker network` exits experimental and is part of standard release. New network top-level concept, with associated subcommands and API WARNING: the API is
1.8.3 13 Oct 2015 03:15 minor bugfix: Distribution: Layer IDs lead to local graph poisoning (CVE-2014-8178). Manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179). Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry.
1.8.2 16 Sep 2015 03:15 minor bugfix: Distribution: Rare edge case of handling GNU LongLink and LongName entries. C on docker pull. Docker pull on client disconnection. That caused the daemon to panic when loggers weren't configured properly. Goroutine leak pulling images from registry V2. Runtime: a mounting cgroups for docker daemons running inside docker containers. Initialize log configuration properly. Client: Handle `-q` flag in `docker ps` properly when there is a default format. Networking: Several corner cases with netlink. Contrib: Several with bash completion.
1.8.0 12 Aug 2015 12:05 minor feature: Distribution: Trusted pull, push and build, disabled by default. Make tar layers deterministic between registries. Don't allow deleting the image of running containers. Check if a tag name to load is a valid digest. Allow one character repository names. Add a more accurate error description for invalid tag name. Make build cache ignore mtime. Cli: Add support for DOCKER_CONFIG/--config to specify config file dir. Add --type flag for docker inspect command. Add formatting options to `docker ps` with `--format`. Replace `docker -d` with new subcommand `docker daemon`. Zsh completion updates and improvements. Add some missing events to bash completion. Support daemon urls with base paths in `docker -H`. Validate status= filter to docker ps. Display when a container is in --net=host in docker ps. Extend docker inspect to export image metadata related to graph driver. Restore --default-gateway ,-v6 daemon options. Add missing unpublished ports in docker ps. Allow duration strings in `docker events` as --since/--until. Expose more mounts information in `docker inspect`. Runtime: Add new Fluentd logging driver. Allow `docker import` to load from local files. Add logging driver for GELF via UDP. Allow to copy files from host to containers with `docker cp`. Promote volume drivers from experimental to master. Add rollover log driver, and --log-driver-opts flag. Add memory swappiness tuning options. Remove cgroup read-only flag when privileged. Make /proc, /sys, /dev readonly for readonly containers. Add cgroup bind mount by default. Overlay: Export metadata for container and image in `docker inspect`. Devicemapper: external device activation. Devicemapper: Compare uuid of base device on startup. Remove RC4 from the list of registry cipher suites. Add syslog-facility option. LXC execdriver compatibility with recent LXC versions. Mark LXC execdriver as deprecated (to be removed with the migration to runc). Plugins: Separate
1.7.1 16 Jul 2015 03:15 minor feature: Runtime: Fix default user spawning exec process with `docker exec`. Make `--bridge=none` not to configure the network bridge. Publish networking stats properly. Fix implicit devicemapper selection with static binaries. Fix socket connections that hung intermittently. Fix bridge interface creation on CentOS/RHEL 6.6. Fix local dns lookups added to resolv.conf. Fix copy command mounting volumes. Fix read/write privileges in volumes mounted with --volumes-from. Remote API: Fix unmarshalling of Command and Entrypoint. Set limit for minimum client version supported. Validate port specification. Return proper errors when attach/reattach fail. Distribution: Fix pulling private images. Fix fallback between registry V2 and V1.
1.7.0 19 Jun 2015 10:05 feature bugfix: Runtime: Experimental feature: support for out-of-process volume plugins. The userland proxy can be disabled in favor of hairpin NAT using the daemon's `--userland-proxy=false` flag. The `exec` command supports the `-u`/`--user` flag to specify the new process owner. Default gateway for containers can be specified daemon-wide using the `--default-gateway` and `--default-gateway-v6` flags. The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` using `--cpu-quota`. Container block IO can be controlled in `docker run` using `--blkio-weight`. ZFS support. The `docker logs` command supports a `--since` argument. UTS namespace can be shared with the host with `docker run --uts=host`. Quality: Networking stack was entirely rewritten as part of the libnetwork effort. Engine internals refactoring. Volumes code was entirely rewritten to support the plugins effort. Sending SIGUSR1 to a daemon will dump all goroutines stacks without exiting. Build: Support `${variable:-value}` and `${variable:+value}` syntax for environment variables. Support resource management flags `--cgroup-parent`, `--cpu-period`, `--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems`. git context changes with branches and directories. The .dockerignore file supports exclusion rules. Distribution: Client support for v2 mirroring support for the official registry. Bugfixes: Firewalld is now supported and will automatically be used when available. mounting --device recursively.
1.6.1 08 May 2015 08:45 security: Fix read/write /proc paths (CVE-2015-3630). Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631). Fix opening of file-descriptor 1 (CVE-2015-3627). Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629). Prohibit mount of /sys. Update AppArmor policy to not allow mounts.
1.6.0 17 Apr 2015 15:05 minor feature: Building images from an image ID. Build containers with resource constraints, i.e. `docker build --cpu-shares=100 --memory=1024m...`. `commit --change` to apply specified Dockerfile instructions while committing the image. `import --change` to apply specified Dockerfile instructions while importing the image. Basic build cancellation. Client: Windows Support. Runtime: Container and image Labels. `--cgroup-parent` for specifying a parent cgroup to place container cgroup within. Logging drivers, `json-file`, `syslog`, or `none`. Pulling images by ID. `--ulimit` to set the ulimit on a container. `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run).
1.5.0 11 Feb 2015 20:05 major feature: Builder: Dockerfile to use for a given `docker build` can be specified with the `-f` flag. Dockerfile and .dockerignore files can be themselves excluded as part of the .dockerignore file, thus preventing modifications to these files invalidating ADD or COPY instructions cache. ADD and COPY instructions accept relative paths. Dockerfile `FROM scratch` instruction is now interpreted as a no-base specifier. Improve performance when exposing a large number of ports. Hack: Allow client-side only integration tests for Windows. Include docker-py integration tests against Docker daemon as part of our test suites. Packaging: Support for the new version of the registry HTTP API. Speed up `docker push` for images with a majority of already existing layers. Fixed contacting a private registry through a proxy. Remote API: A new endpoint will stream live container resource metrics and can be accessed with the `docker stats` command. Containers can be renamed using the new `rename` endpoint and the associated `docker rename` command. Container `inspect` endpoint shows the ID of `exec` commands running in this container. Container `inspect` endpoint shows the number of times Docker auto-restarted the container. New types of event can be streamed by the `events` endpoint: `OOM`, `exec_create`, and `exec_start`. Fixed returned string fields which hold numeric characters incorrectly omitting surrounding double quotes. Runtime: Docker daemon has full IPv6 support. The `docker run` command can take the `--pid=host` flag to use the host PID namespace, which makes it possible for example to debug host processes using containerized debugging tools. The `docker run` command can take the `--read-only` flag to make the container's root filesystem mounted as readonly, which can be used in combination with volumes to force a container's processes to only write to locations that will be persisted.
Container total memory usage can be limited for `docker run` using the `--memory-swap` flag. Major st
1.4.0 12 Dec 2014 04:25 feature: Notable Features since 1.3.0: Set key=value labels to the daemon, applied with new `-label` daemon flag. Add support for `ENV` in Dockerfile of the form: `ENV name=value name2=value2...`. New Overlayfs Storage Driver. `docker info` now returns an `ID` and `Name` field. Filter events by event name, container, or image. `docker cp` now supports copying from container volumes. Fixed `docker tag`, so it honors `--force` when overriding a tag for existing image.
1.3.2 25 Nov 2014 03:15 security: Security: Fix tar breakout vulnerability. Extractions are now sandboxed chroot. Security options are no longer committed to images. Runtime: Fix deadlock in `docker ps -f exited=1`. Fix a bug when `--volumes-from` references a container that failed to start. Registry: `--insecure-registry` now accepts CIDR notation such as Private registries whose IPs fall in the range do not need the `--insecure-registry` flag. Skip the experimental registry v2 API when mirroring is enabled.
1.3.1 31 Oct 2014 03:15 security: Security: Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry. Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified. Runtime: Fix issue where volumes would not be shared. Client: Fix issue with `--iptables=false` not automatically setting `--ip-masq=false`. Fix docker run output to non-TTY stdout. Builder: Fix escaping `$` for environment variables. Fix issue with lowercase `onbuild` Dockerfile instruction. Restrict environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`.
1.3.0 17 Oct 2014 12:39 major feature: `exec` allows you to run additional processes inside existing containers. Docker `create` gives you the ability to create a container via the CLI without executing a process. `security-opts` options to allow user to customize container labels and AppArmor profiles. Docker `ps` filters. Wildcard support to COPY/ADD. Move production URLs to from Allocate IP address on the bridge inside a valid CIDR. Use for PR and CI testing. Ability to set up an official registry mirror. Ability to save multiple images with docker `save`.
1.2.0 26 Aug 2014 00:58 major feature: Three new --restart policies have been introduced for docker run. Finer control for capabilities has been added through --cap-add and --cap-drop. A new --device flag allows block device and filesystem binding for non-privileged containers. System files /etc/hosts, hostname, and resolv.conf are writable by default. The userland proxy is now in a separate process, and IPv6 support has been enhanced for the DNS resolver.