23.0.1

Release date   Name         Upstream release
2023-02-23     MCR 23.0.1   Moby 23.0.1 and 23.0.0, Docker CLI 23.0.1 and 23.0.0

Highlights


Storage driver removals

Beginning with the release of MCR 23.0, Mirantis no longer delivers unsupported storage drivers to customers. While this creates an upgrade barrier for customers using MCR 20.10 with an unsupported storage driver, it is certain to prevent the late discovery of an unsupportable MCR deployment.

overlay2 is the only storage driver MCR builds and supports, with the exception of the btrfs storage driver, which Mirantis will continue to build and support exclusively for the SLES platform (for which overlay2 is also viable).

In addition, Mirantis continues to make the vfs storage driver available, but only for the purpose of helping to debug the storage back end. The vfs driver remains unsupported and is entirely unfit for use in production environments.

In removing the unsupported storage drivers, Mirantis aims to align customers with a longer-term migration to new storage backends that are currently under development in the Moby project.

Other points of interest:

  • overlay2 is now preferred to btrfs and zfs, which affects new MCR deployments running on SLES systems.

  • overlay2 can no longer be used on a file system without d_type, which may prevent in-place upgrades.

Semantic Versioning (SemVer) format

Beginning with the MCR 23.0 release, in alignment with Moby, Semantic Versioning (SemVer) replaces Calendar Versioning (CalVer). Upstream Moby is moving to SemVer as part of the migration to a Go module; however, Moby 23.0 is not yet Go module compatible.

CSI drivers

MCR 23.0 introduces experimental support for Container Storage Interface (CSI) drivers in Swarm. CSI drivers are the same storage drivers that Kubernetes uses, and as Swarm matures as a CSI-compliant implementation it is expected that an entire ecosystem of persistent storage backends will become available.

For use with Swarm, a CSI driver must not have a direct coupling to the Kubernetes control plane. The driver must also be packaged natively for Swarm as an Engine plugin.

At this time, CSI on Swarm is only fit for development and experimental use. Mirantis is working actively with the Moby development community to evangelize Swarm CSI and further develop its implementation, quickly addressing any bugs and missing features as these become apparent.

BuildKit and buildx by default

MCR 23.0 defaults to the BuildKit builder (DOCKER_BUILDKIT=1) on Linux. In addition, the 23.0 CLI makes docker build an alias for docker buildx build. This reflects the growing maturity of BuildKit, and it will help customers to take advantage of the significant improvements that BuildKit brings in caching, performance, and flexibility. Though this is a large change in behavior, it is also a mostly transparent one, and users should be aware that they can still request the previous behavior through DOCKER_BUILDKIT=0.

Refer to the upstream documentation, Differences between legacy builder and BuildKit for more information.

Volume prune and API 1.42

The MCR 23.0 release increments the supported Docker Engine API version to 1.42. With this version of the API, the volume prune action only considers anonymous volumes, ignoring those that were given a name at creation. This change in behavior only occurs when both the CLI and daemon support API version 1.42. Only MCR 23.0 supports API 1.42 at this time, and thus an updated API client such as the MCR 23.0 CLI is required to observe this new behavior. Users should be aware that older versions of the Docker Engine API continue to consider both anonymous and named volumes when performing a volume prune.

A new all=1 filter is available for use with Docker Engine API 1.42, to widen the filtering so that it once again considers named volumes. Specifically, using an MCR 23.0 CLI, docker volume prune --filter all=1 produces the same result as docker volume prune with an older CLI. docker system prune -a is not able to specify this filter, and as such will always reflect the default behavior of the negotiated API version.

Refer to Docker Engine API (1.42) for the full API documentation, and to Engine API version history for the full list of changes.

Windows Server 2019 required

Support for Windows Server 2016 is dropped in MCR 23.0. Windows Server RS5 / LTSC 2019 (build 17763) is the new baseline version.

Health checks

In MCR 23.0, the overhead that is required to perform a health check is no longer counted as part of the time threshold. Health checks now properly resume when the daemon is restarted with running containers. Also, rather than being left to hang indefinitely, timed-out health checks are now more reliably killed.

Rootless and seccomp

MCR 23.0 further develops rootless mode by improving support for privileged features, and by making significant enhancements to the capabilities of the seccomp filtering implementation.

Advanced MCR users should consider the following changes when diagnosing issues with privilege and permissions:

  • Engine plugins are discoverable at well known user-specific paths in rootless mode.

  • --privileged rootless containers can use host devices.

  • --ipc=host now works in rootless mode.

  • seccomp profiles can now pass additional flags to the seccomp userspace binary.

  • ErrnoRet can now be set in seccomp profiles.

  • clone3 is correctly blocked so that glibc will instead use clone.

  • AF_VSOCK is blocked in the default profile as it cannot be containerized.

  • Other enhancements to the built-in seccomp profile for new system calls, such as BPF and clock_settime64.

Changelog

MCR 23.0.1 represents the first iteration of the MCR 23.0 major release, combining the Moby 23.0.0 and Moby 23.0.1 upstream releases.

Changes specific to MCR

  • MCR no longer builds unsupported storage drivers, also known as graphdrivers.

  • apparmor is now unconditionally installed on Ubuntu systems.

  • MCR contains the following component versions:

    • Fipster (Go runtime) go1.19.5m1

    • containerd v1.6.17

    • buildx v0.10.0

    • cri-dockerd v0.3.0

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

What is new

  • moby/moby#43992 Set Buildx and BuildKit as the default builder on Linux.

    • docker/cli#3314 Alias docker build to docker buildx build.

    • To use the legacy builder, set DOCKER_BUILDKIT=0.

    • Refer to Multi-stage builds to learn the differences between how BuildKit and the legacy builder handle multi-stage builds.

    • moby/moby#41759, moby/moby#42862 Add support for pulling zstd compressed layers.

  • moby/moby#43887, moby/moby#43993 Added support for alternate OCI runtimes that are compatible with the containerd runtime v2 API on Linux.

  • moby/moby#42089 Added support for the containerd runhcs shim on Windows (off by default).

  • moby/moby#42393 Added the dockerd --validate option, to check the daemon JSON configuration and exit.

  • moby/moby#42835 Added the ability to configure the daemon HTTP proxy through flags or JSON configuration.

  • moby/moby#42626 Added support for RFC 3021 point-to-point networks (IPv4 /31s) and single hosts (IPv4 /32s). For networks with two or fewer addresses, IPAM does not reserve a network and broadcast address.

  • moby/moby#42542 Added support for setting ipvlan_flag and using the l3s ipvlan_mode in the ipvlan network driver.

  • moby/moby#43557 Added support for displaying the value of the metacopy option for the overlay2 storage driver.

  • moby/moby#43368 Added support for describing Windows devices using the syntax IDType://ID.

  • moby/moby#42330 Added RootlessKit, slirp4netns, and VPNKit version reporting.

  • moby/moby#41982 Added experimental support for SwarmKit cluster volumes (CSI).

  • docker/cli#2907 Added support for SwarmKit jobs in docker stack deploy.

  • docker/cli#3544 Added the docker stack config command, which outputs the merged and interpolated configuration files as used by stack deploy.

  • docker/cli#3567 Added the docker context show command, which prints the name of the current context.

  • docker/cli#2936 Added the --format=json shorthand variant of --format="{{ json . }}" to all commands supporting the --format flag.

  • docker/cli#3377 Added a --quiet option to both the docker create and docker run commands, to suppress output when pulling an image.

  • docker/cli#3547 Added a --force option to the docker network rm subcommand, which causes the CLI to return a 0 exit code even if the network does not exist. This option has no effect on the server-side procedure for removing a network.

  • docker/cli#3614 Added a --signal option to the docker stop and docker restart commands.

  • moby/moby#44703 Added a --version (-v) flag to docker-proxy.

  • moby/moby#44778 Plugins are now discoverable in well-known user-level paths when the daemon is running in rootless mode.

  • moby/moby#44777, moby/moby#44832 Improved the daemon's handling of common alternate encodings of the JSON configuration file, including the reporting of useful errors:

    • UTF-8 with a byte order mark is accepted.

    • UTF-16 with a byte order mark is accepted.

    • Invalid UTF-8 is reported early, with a comprehensible error message.

  • moby/moby#43369 Now allows the use of STOPSIGNAL through the docker commit command.

  • moby/moby#42132 Added a new option to the awslogs log driver, to allow for skipping log stream creation in CloudWatch.

  • moby/moby#42838 Added a new option to the awslogs log driver, to specify the log format that is sent to CloudWatch.

  • moby/moby#43100 Added a new option to the fluentd log driver, to set the reconnection interval.

  • moby/moby#42224 Added new options-setters to the Go API client: WithTLSClientConfigFromEnv(), WithHostFromEnv(), and WithVersionFromEnv().

  • docker/cli#3429 Added generation of shell command completion through a docker completion subcommand.

  • Added to the API:

    • moby/moby#42064 Swarm header to GET /_ping and HEAD /_ping, which allows single-request detection of Swarm support.

    • moby/moby#43206 signal parameter to POST /containers/{id}/stop and POST /containers/{id}/restart, to set the signal used.

    • moby/moby#43484 CreateMountPoint parameter to POST /containers/create.

    • moby/moby#42531 shared-size parameter to GET /images/json, to enable shared-size computation of images.

    • moby/moby#42559 type parameter to GET /system/df, to control which object types are considered in computing disk usage.
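
Several items in the list above concern the daemon's JSON configuration: the new dockerd --validate option, proxy settings in the configuration file, the tolerant handling of BOM-prefixed encodings, and the explicit opt-in now required for non-default storage drivers. The file below is an added example written for these notes, not a configuration shipped by Mirantis or Moby; the proxy host, the no-proxy list and the seccomp profile path are placeholders.

```json
{
  "data-root": "/var/lib/docker",
  "storage-driver": "overlay2",
  "seccomp-profile": "/etc/docker/seccomp-profile.json",
  "live-restore": true,
  "proxies": {
    "http-proxy": "http://proxy.example.internal:3128",
    "https-proxy": "http://proxy.example.internal:3128",
    "no-proxy": "localhost,127.0.0.0/8,registry.example.internal"
  }
}
```

Check the file before restarting the daemon with dockerd --validate --config-file /etc/docker/daemon.json; the daemon reports a parse or configuration error and exits with a non-zero status, so the check belongs in the change procedure that precedes a restart. The data-root key is the configuration-file form of the --data-root option that replaces -g and --graph in this release, and pinning storage-driver explicitly makes the upgrade behavior described under Storage driver removals visible during configuration review. The proxies block configures the daemon process itself (image pulls, plugin downloads); it does not inject proxy variables into containers.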

Removed

  • docker/cli#2504 Removed support for reading configuration from ~/.dockercfg.

  • docker/cli#3739 Removed the -g and --graph daemon options in favor of --data-root.

  • docker/cli#3470 Removed client-side sorting of results, in favor of the order in which the search API returns results.

  • docker/cli#3542 Removed warnings related to deprecated storage drivers from the CLI. Such warnings are now handled by the daemon instead.

  • docker/cli#3543 Removed Experimental client field from docker version.

  • moby/moby#43378 Explicit opt-in is required to use deprecated storage drivers, which are not automatically selected when upgrading.

  • moby/moby#43472 Removed deprecated support for overlay and overlay2 storage drivers on backing filesystems without d_type support.

  • moby/moby#44279 Removed the deprecated overrideKernelCheck option from the overlay2 storage driver.

  • moby/moby#43695 Removed support for the deprecated io.containerd.runtime.v1.linux OCI runtime.

  • moby/moby#42451, moby/moby#42499, moby/moby#42506, moby/moby#42511, moby/moby#42520, moby/moby#42683, moby/moby#42684, moby/moby#42685, moby/moby#43187 Removed LCOW (Linux Containers on Windows).

  • Removed daemon options related to legacy overlay networks used with standalone Swarm:

  • moby/moby#44414 Removed a deprecated arm platform fallback. --platform linux/arm/vY now returns an error when arm/vY is not available rather than pulling the wrong image.

  • moby/moby#42694 Removed the deprecated SetCustomHTTPHeaders(), CustomHTTPHeaders() options-setters from the Go client API.

  • moby/moby#44022 Removed the deprecated WithDialer() option-setter from the Go client API. Instead, use WithDialContext().

  • moby/moby#43250 Removed the daemon implementation of opts.QuotedString, which has moved to the CLI.

  • moby/moby#43555 Removed the separate daemon ID from the trust-key in the daemon, and disabled the generation of the trust-key.

  • moby/moby#43214 Removed from the API the deprecated KernelMemory option from POST /containers/create on API version >= 1.42.

  • moby/moby#43254 Removed daemon support for Windows versions older than Windows Server RS5 / LTSC 2019 (build 17763).

Deprecated

  • moby/moby#42608 Deprecated BuilderSize on API version >= 1.42.

  • moby/moby#43908 Deprecated BuildCache.Parent in favor of the newly introduced BuildCache.Parents on API version >= 1.42.

  • moby/moby#43477 Deprecated pkg/urlutil, moving the implementation to builder/remotecontext/urlutil.

Upgrades

Security

  • moby/moby#41620 Changed permissions on container hostconfig.json files to 0600 from 0644.

  • moby/moby#42481 Fixed --seccomp-profile failing to accept unconfined and renamed the default seccomp profile to builtin.

  • moby/moby#42501 Builds are now always done with seccomp support, and the seccomp build tag has been removed.

  • moby/moby#43553 Added seccomp support on riscv64.

  • moby/moby#42648 Added support for setting flags passed to seccomp(2) in seccomp profiles.

  • moby/moby#42005 Refactored seccomp types to reuse runtime-spec, and added support for ErrnoRet.

  • moby/moby#42604 Added support for DefaultErrnoRet in seccomp profiles.

  • moby/moby#42649 Added an explicit DefaultErrnoRet field to the default seccomp profile, with no resulting behavior change.

  • moby/moby#44563 Blocked socket with AF_VSOCK in the default seccomp profile.

  • moby/moby#42083 Reenabled process_vm_readv and process_vm_writev in the default seccomp profile.

  • moby/moby#43812 Added syscalls related to PKU to the default seccomp profile.

  • moby/moby#43775 Now allows clock_settime64 with CAP_SYS_TIME.

  • moby/moby#43988 Now allows bpf with CAP_BPF and perf_event_open with CAP_PERFMON.

  • moby/moby#42681 Explicitly set the clone3 syscall to return ENOSYS in the default seccomp profile, in order to ensure glibc correctly falls back to using clone.
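
The seccomp changes in the Security list above (flags passed to seccomp(2), DefaultErrnoRet, ErrnoRet, capability-conditional allows, the clone3 ENOSYS rule and the AF_VSOCK block) and the Rootless and seccomp highlights earlier on this page all show up as fields of a profile file. The profile below is an added illustration written for these notes, not Moby's shipped default profile; the first allow entry is constructed and cut down to a handful of syscalls so the structure stays readable, and a profile for real workloads should start from the full allow-list in Moby's profiles/seccomp/default.json.

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "flags": ["SECCOMP_FILTER_FLAG_LOG"],
  "syscalls": [
    {
      "names": ["read", "write", "close", "exit", "exit_group", "brk", "mmap", "munmap", "futex", "rt_sigreturn", "clone"],
      "action": "SCMP_ACT_ALLOW",
      "comment": "Constructed, abbreviated allow-list; a real profile carries the full list from the built-in default profile"
    },
    {
      "names": ["clone3"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 38,
      "comment": "Return ENOSYS (38) instead of the EPERM (1) default so that glibc falls back to clone"
    },
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 22,
      "args": [
        { "index": 0, "value": 40, "op": "SCMP_CMP_EQ" }
      ],
      "comment": "socket(AF_VSOCK, ...) returns EINVAL (22); AF_VSOCK is family 40 and cannot be containerized"
    },
    {
      "names": ["clock_settime", "clock_settime64", "settimeofday"],
      "action": "SCMP_ACT_ALLOW",
      "includes": { "caps": ["CAP_SYS_TIME"] },
      "comment": "Allowed only when the container is granted CAP_SYS_TIME"
    },
    {
      "names": ["bpf"],
      "action": "SCMP_ACT_ALLOW",
      "includes": { "caps": ["CAP_BPF"] },
      "comment": "Allowed only with CAP_BPF"
    },
    {
      "names": ["perf_event_open"],
      "action": "SCMP_ACT_ALLOW",
      "includes": { "caps": ["CAP_PERFMON"] },
      "comment": "Allowed only with CAP_PERFMON"
    }
  ]
}
```

defaultErrnoRet sets the errno returned by the default SCMP_ACT_ERRNO action (1 is EPERM, matching the built-in profile's documented behavior), while a per-rule errnoRet overrides it, which is what lets clone3 report ENOSYS. The flags array holds runtime-spec flag names and is passed through to seccomp(2); SECCOMP_FILTER_FLAG_LOG makes denied calls visible in the kernel audit log, which is the usual way to find out which syscall a failing workload needed. A custom profile replaces the built-in one rather than extending it, so the allow-list has to be complete. Apply it per container with docker run --security-opt seccomp=/etc/docker/seccomp-profile.json, or daemon-wide through the seccomp-profile key in daemon.json; --seccomp-profile also accepts the literal values builtin and unconfined, as noted in the Security list.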

Bug fixes

  • moby/moby#44944 Fixed an issue wherein BuildKit-enabled builds with inline caching enabled were causing the daemon to crash.

  • moby/moby#44959 Fixed an issue wherein BuildKit improperly loaded cached layers created by previous versions.

  • moby/moby#44937 Fixed an issue wherein ipvlan networks created prior to upgrading would prevent the daemon from starting.

  • moby/moby#44922 Fixed an issue wherein the overlay2 storage driver failed early in metacopy testing when it was initialized on an unsupported backing filesystem.

  • moby/moby#44892 Fixed an issue wherein exec exit events were misinterpreted as container exits under some runtimes, such as Kata Containers.

  • docker/cli#4004 Improved the error message that the CLI returned upon receipt of a truncated JSON response caused by the API hanging up during a request.

  • docker/cli#4004 Fixed an incorrect CLI exit code that occurred when attempting to execute a directory with a runc compiled using Go 1.20.

  • docker/cli#4004 Fixed an issue wherein --device-write-bps interpreted the size argument not as a size but as a path.

  • moby/moby#42661 Promoted overlay2 to the default storage driver. btrfs and zfs are now opt-in.

  • docker/cli#2708 Added a loading spinner to the docker cp command.

  • docker/cli#2819 Deprecated the ElectAuthServer function and forced it to return the default registry without calling the GET /info API endpoint.

  • docker/cli#2940 Progress bars no longer reverse when Swarm services are rolled back.

  • docker/cli#2972 net.JoinHostPort() is now used to fix formatting with IPv6 addresses.

  • docker/cli#3044 CLI error messages are now printed to stderr.

  • docker/cli#3179 Improved the performance of docker info for instances in which a custom --format is used that only requires local information. Now, the CLI only uses the daemon API if it detects that information from the daemon is required.

  • docker/cli#3245 Removed the default value from the --stop-signal flag, as at times it may not reflect the actual default in use by the daemon.

  • docker/cli#3257 Added Compose schema 3.10 to docker stack, thus allowing omission of the version field (resulting in latest).

  • docker/cli#3445 Compose version 3 is now equivalent to 3.x, the latest version, in docker stack.

  • docker/cli#3302 Fixed an issue wherein <Ctrl-C> did not send SIGTERM when invoking docker run without --interactive (-i) on Windows.

  • docker/cli#3469 Added support for relative source paths in the -v / --volume and -m / --mount flags of the run command.

  • docker/cli#3627 docker exec -t now sets the console size for the executed process immediately upon creation.

  • docker/cli#3645 Updated the pretty-print format of docker info, to provide more details on installed plugins.

  • docker/cli#3668 Added printing of warning messages for the docker context list and docker context use commands, to display whenever the context is overridden by the environment.

  • docker/cli#3694 Added a custom aliases annotation, to print all available aliases for a command.

  • docker/cli#3721 The CLI no longer creates or updates the context file when running docker context use with the already active context.

  • docker/cli#3791 Non-existing contexts are now ignored when docker context rm --force is run.

  • docker/cli#3812 Integers can now be overridden to 0 in Compose files.

  • docker/cli#3849 SIGINT (<Ctrl-c>) now passes through to running containers rather than causing the CLI to exit.

  • docker/cli#3892 Improved the docker port CONTAINER UX by sorting ports prior to printing.

  • moby/moby#39812 API improvement: GET /containers/{id}/logs and POST /containers/{id}/attach now report which raw-stream format is in use by way of the Content-type response header on API version >= 1.42.

  • moby/moby#41636 Set default sandbox size for Windows layers to 127GB, and ensured that the --storage-opts flag applies to all storage on Windows.

  • moby/moby#41675 Removed the plugin section from the containerd configuration file (/var/run/docker/containerd/containerd.toml).

  • moby/moby#41842 null manifests are now rejected during tar import.

  • moby/moby#41854 Added shim configuration for custom runtimes for plugins.

  • moby/moby#41935 Fixed an issue wherein container health checks did not resume when the daemon was restarted.

  • moby/moby#42273 Fixed an issue wherein quota was disabled on cleanup of the btrfs driver.

  • moby/moby#42638 Accessible host devices can now be mounted in --privileged rootless containers.

  • moby/moby#42676 Fixed the incorrect handling of **/foo recursive wildcard directory patterns in .dockerignore.

  • moby/moby#43103 docker import --platform can now mark an imported image as a foreign architecture.

  • moby/moby#43131 The validation of CPU real-time options is now performed when the daemon starts, rather than being done separately for each individual container, which allows startup to fail earlier in the process.

  • moby/moby#43210 Closed the namesgenerator package to new additions.

  • moby/moby#43322 The containers/{id}/attach/ws API endpoint only attaches to the requested streams, as specified by the stdin, stdout, and stderr parameters on API version >= 1.42.

  • moby/moby#43409 Fixed an issue wherein UDP traffic in containers did not work following container restart under sustained traffic.

  • moby/moby#43434 Added support for pulling images with custom amd64 micro-architecture feature levels, as supported by the latest versions of Go, GCC, LLVM, and other compilers.

  • moby/moby#43463 Improved validation of invalid JSON requests in the API.

  • moby/moby#43480 Mitigated the impact of slow exec starts on health checks. Now, check timeout only applies to the duration that the health check command is running, and the time needed to start the command no longer counts against the timeout.

  • moby/moby#43593, moby/moby#43622 Console tty size is set immediately on creation.

  • moby/moby#43659 Fixed an issue wherein overlay2 mounts were not cleaned up following failed container starts, or daemon shutdowns.

  • moby/moby#43675 Matched manifest list resolution with containerd.

  • moby/moby#43813 firewalld-enabled networking is now skipped when the daemon is running in rootless mode.

  • moby/moby#43858 Fixed an issue wherein custom NAT networks were not re-created following daemon restart if they were missing on Windows.

  • moby/moby#43994 Fixed an issue wherein the container health-check process would not terminate at time out.

  • moby/moby#44237 Fixed an issue wherein restart policies and volume refs were not correctly restored when the live-restore feature is enabled.

  • moby/moby#44259 Only anonymous volumes are now pruned by default on API version >= v1.42. To restore the previous setting, wherein named volumes were also included in pruning, pass the filter all=true.

  • moby/moby#42715 The API now supports concurrent calls to the GET /system/df endpoint.

  • moby/moby#44831 Improved the reliability of the daemon dumping its stack when sent a SIGQUIT; the daemon now exits with status code 2 on SIGQUIT.

  • moby/moby#43294 Improved the reliability of docker logs -f on Windows, and prevented newlines from being dropped in the local log driver.

  • moby/moby#44856 Fixed an issue wherein a rare deadlock in the daemon occurred due to the buffering of container logs.

  • moby/moby#44834 Improved error handling in miscellaneous filesystem operations so that the daemon can start on an overlayfs backing filesystem.

  • moby/moby#44863 Fixed an issue wherein --ipc=host was incorrectly handled whenever the daemon was run in rootless mode.

  • moby/moby#44752 Fixed a long-standing set of issues wherein stale conntrack entries caused incorrect routing of UDP traffic for containers.

  • moby/moby#44633 Fixed an issue wherein half-registered containers were listed in the API, as well as a nil pointer de-reference and panic that were caused by the use of a partially registered container in API calls.

  • moby/moby#44845 Fixed an issue wherein the DOCKER-USER ip6tables chain was not created.

  • moby/moby#44727 Fixed a failure to clean up iptables rules when the ip6tables command is not available.

  • moby/moby#44811 Fixed an issue wherein a number of iptables NAT rules were not cleaned up when reenabling the userland proxy.

  • moby/moby#44400 Fixed a process leak that can occur when a container start fails on Linux.

  • moby/moby#44725 Fixed an issue wherein the CreatedAt time of a volume was reflecting initialization and not creation.

  • docker/cli#3901, docker/cli#3904 Fixed an issue in a number of commands wherein the CLI incorrectly reported an incompatible server rather than an unreachable server.

  • docker/cli#2998 Fixed broken completion of volumes in Zsh.

  • docker/cli#3847 Improved the output of docker context when an invalid context is present.

  • docker/cli#3973 Removed ANSI decoration of CLI help annotations when the output is not a TTY, and added a newline for readability.

  • docker/cli#3986 Added docker container remove as an alias for docker container rm.

GitHub milestones

The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.0 and Moby 23.0.1 releases:

Major component versions

Version detail for the major components that comprise MCR 23.0.1 is presented in the table below:

Component              Version
Moby                   23.0.1
Docker CLI             23.0.1
containerd             1.6.17
runc                   1.1.4
cri-dockerd            0.3.0
buildx                 0.10.0
Fipster (Go runtime)   go1.19.5m1
buildkit               0.10.7-0.20230208155512-4f0ee09c40e2
rootlesskit            1.1.0