# 23.0.1

| Release date | Name | Upstream release |
|---|---|---|
| 2023-02-23 | MCR 23.0.1 | Moby 23.0.1 and 23.0.0, Docker CLI 23.0.1 and 23.0.0 |
## Highlights

| Enhancement | Detail |
|---|---|
| Storage driver removals | Beginning with the release of MCR 23.0, Mirantis no longer delivers unsupported storage drivers to customers. While this creates an upgrade barrier for customers using MCR 20.10 with an unsupported storage driver, it is certain to prevent the late discovery of an unsupportable MCR deployment. In removing the unsupported storage drivers, Mirantis aims to align customers with a longer-term migration to new storage backends that are currently under development in the Moby project. Other points of interest: |
| Semantic Versioning (SemVer) format | Beginning with the MCR 23.0 release, in alignment with Moby, Semantic Versioning (SemVer) replaces Calendar Versioning (CalVer). Upstream Moby is moving to SemVer as part of the migration to a Go module; however, Moby 23.0 is not yet Go module compatible. |
| CSI drivers | MCR 23.0 introduces experimental support for Container Storage Interface (CSI) drivers in Swarm. CSI drivers are the same storage drivers that Kubernetes uses, and as Swarm matures as a CSI-compliant implementation it is expected that an entire ecosystem of persistent storage backends will become available. For use with Swarm, a CSI driver must not have a direct coupling to the Kubernetes control plane. The driver must also be packaged natively for Swarm as an Engine plugin. At this time, CSI on Swarm is only fit for development and experimental use. Mirantis is working actively with the Moby development community to evangelize Swarm CSI and further develop its implementation, quickly addressing any bugs and missing features as these become apparent. |
| BuildKit and buildx by default | MCR 23.0 defaults to the BuildKit builder. Refer to the upstream documentation, Differences between legacy builder and BuildKit, for more information. |
| Volume prune and API 1.42 | The MCR 23.0 release increments the supported Docker Engine API version to 1.42. With this version of the API, the volume prune action only considers anonymous volumes, ignoring those that were given a name at creation. This change in behavior only occurs when both the CLI and daemon support API version 1.42. Only MCR 23.0 supports API 1.42 at this time, and thus an updated API client such as the MCR 23.0 CLI is required to encounter this new behavior. Users should be aware that older versions of the Docker Engine API continue to consider both anonymous and named volumes when performing a volume prune. A new `all=true` filter restores pruning of named volumes (see moby/moby#44259 below). Refer to Docker Engine API (1.42) for the full API documentation, and to Engine API version history for the full list of changes. |
| Windows Server 2019 required | Support for Windows Server 2016 is dropped in MCR 23.0. Windows Server RS5 / LTSC 2019 (build 17763) is the new baseline version. |
| Health checks | In MCR 23.0, the overhead that is required to perform a health check is no longer counted as part of the time threshold. Health checks now properly resume when the daemon is restarted with running containers. Also, rather than being left to hang indefinitely, timed-out health checks are now more reliably killed. |
| Rootless and seccomp | MCR 23.0 further develops rootless mode by improving support for privileged features, and by making significant enhancements to the capabilities of the seccomp filtering implementation. Advanced MCR users should consider the following changes when diagnosing issues with privilege and permissions: |
## Changelog

MCR 23.0.1 represents the first iteration of the MCR 23.0 major release, combining the Moby 23.0.0 and Moby 23.0.1 upstream releases.

### Changes specific to MCR

- MCR no longer builds unsupported storage drivers, also known as graphdrivers.
- apparmor is now unconditionally installed on Ubuntu systems.
- MCR contains the following component versions:
  - Fipster (Go runtime): go1.19.5m1
  - containerd: v1.6.17
  - buildx: v0.10.0
  - cri-dockerd: v0.3.0

### Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

#### What is new
- moby/moby#43992 Set Buildx and BuildKit as the default builder on Linux.
- docker/cli#3314 Alias `docker build` to `docker buildx build`. To use the legacy builder, set `DOCKER_BUILDKIT=0`. Refer to Multi-stage builds to learn the differences between how BuildKit and the legacy builder handle multi-stage builds.
- moby/moby#41759, moby/moby#42862 Add support for pulling `zstd` compressed layers.
- moby/moby#43887, moby/moby#43993 Added support for alternate OCI runtimes that are compatible with the containerd runtime v2 API on Linux.
- moby/moby#42089 Added support for the containerd `runhcs` shim on Windows (off by default).
- moby/moby#42393 Added the `dockerd --validate` option, to check the daemon JSON configuration and exit.
- moby/moby#42835 Added the ability to configure the daemon HTTP proxy through flags or JSON configuration.
- moby/moby#42626 Added support for RFC 3021 point-to-point networks (IPv4 /31s) and single hosts (IPv4 /32s). For networks with two or fewer addresses, IPAM does not reserve a network and broadcast address.
- moby/moby#42542 Added support for setting `ipvlan_flag` and using the `l3s` `ipvlan_mode` in the `ipvlan` network driver.
- moby/moby#43557 Added support for displaying the value of the `metacopy` option for the `overlay2` storage driver.
- moby/moby#43368 Added support for describing Windows devices using the syntax `IDType://ID`.
- moby/moby#42330 Added `RootlessKit`, `slirp4netns`, and `VPNKit` version reporting.
- moby/moby#41982 Added experimental support for SwarmKit cluster volumes (CSI).
- docker/cli#3606 CLI: Add cluster volume (CSI) options to `docker volume`.
- docker/cli#3662 CLI: Add cluster volume (CSI) support to `docker stack`.
- docker/cli#2907 Added support for SwarmKit jobs in `docker stack deploy`.
- docker/cli#3544 Added the `docker stack config` command, which outputs the merged and interpolated configuration files as used by `stack deploy`.
- docker/cli#3567 Added the `docker context show` command, which prints the name of the current context.
- docker/cli#2936 Added the `--format=json` shorthand variant of `--format="{{ json . }}"` to all commands supporting the `--format` flag.
- docker/cli#3377 Added a `--quiet` option to both the `docker create` and `docker run` commands, to suppress output when pulling an image.
- docker/cli#3547 Added a `--force` option to the `docker network rm` subcommand, which causes the CLI to return a `0` exit code even if the network does not exist. This option has no effect on the server-side procedure for removing a network.
- docker/cli#3614 Added a `--signal` option to the `docker stop` and `docker restart` commands.
- moby/moby#44703 Added a `--version` (`-v`) flag to `docker-proxy`.
- moby/moby#44778 Plugins are now discoverable in well-known user-level paths when the daemon is running in rootless mode.
- moby/moby#44777, moby/moby#44832 Improved the daemon handling of common alternate JSON encodings in the JSON configuration file, which includes the reporting of useful errors.
  - UTF-8 with a byte order mark is accepted.
  - UTF-16 with a byte order mark is accepted.
  - Invalid UTF-8 is reported early, with a comprehensible error message.
- moby/moby#43369 Now allows the use of `STOPSIGNAL` through the `docker commit` command.
- moby/moby#42132 Added a new option to the `awslogs` log driver, to allow for skipping log stream creation in CloudWatch.
- moby/moby#42838 Added a new option to the `awslogs` log driver, to specify the log format that is sent to CloudWatch.
- moby/moby#43100 Added a new option to the `fluentd` log driver, to set the reconnection interval.
- moby/moby#42224 Added new options-setters to the Go API client: `WithTLSClientConfigFromEnv()`, `WithHostFromEnv()`, and `WithVersionFromEnv()`.
- docker/cli#3429 Added generation of shell command completion through a `docker completion` subcommand.
- Added to the API:
  - moby/moby#42064 `Swarm` header to `GET /_ping` and `HEAD /_ping`, which allows single-request detection of Swarm support.
  - moby/moby#43206 `signal` parameter to `POST /containers/{id}/stop` and `POST /containers/{id}/restart`, to set the signal used.
  - moby/moby#43484 `CreateMountPoint` parameter to `POST /containers/create`.
  - moby/moby#42531 `shared-size` parameter to `GET /images/json`, to enable shared-size computation of images.
  - moby/moby#42559 `type` parameter to `GET /system/df`, to control which object types are considered in computing disk usage.
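The three configuration-file encoding cases listed above (a UTF-8 byte order mark, a UTF-16 byte order mark, and invalid UTF-8 rejected early with a readable message) are straightforward to reproduce outside the daemon. The following Python is an added example, not moby or MCR code: it decodes a daemon JSON configuration with the same acceptance rules and returns a `dockerd --validate`-style verdict. The function names and the sample inputs are constructed for illustration.

```python
"""Decode a dockerd JSON configuration file, accepting UTF-8 and UTF-16 byte
order marks and rejecting invalid UTF-8 before the JSON parser ever sees it.
Added example, not moby or MCR code; names and samples are constructed."""
import codecs
import json

UTF16_BOMS = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)


def decode_config_bytes(raw: bytes) -> str:
    """Turn the raw file bytes into text, honouring a leading byte order mark."""
    if raw.startswith(UTF16_BOMS):
        # The "utf-16" codec reads the BOM to pick the byte order and drops it.
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        raw = raw[len(codecs.BOM_UTF8):]
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Report the first bad byte and its offset instead of a later, vaguer JSON error.
        raise ValueError(
            f"configuration file is not valid UTF-8: "
            f"bad byte 0x{raw[exc.start]:02x} at offset {exc.start}"
        ) from exc


def load_daemon_config(raw: bytes) -> dict:
    """Decode and parse the configuration; the top-level value must be a JSON object."""
    text = decode_config_bytes(raw)
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"configuration file is not valid JSON: {exc.msg} "
            f"(line {exc.lineno}, column {exc.colno})"
        ) from exc
    if not isinstance(cfg, dict):
        raise ValueError("configuration file must contain a JSON object")
    return cfg


def validate(raw: bytes) -> str:
    """Check a configuration the way `dockerd --validate` does: 'ok' or the error."""
    try:
        load_daemon_config(raw)
    except ValueError as exc:
        return str(exc)
    return "ok"


# Constructed sample inputs (not from any real deployment).
SAMPLE_PLAIN = b'{"debug": true, "log-level": "info"}'
SAMPLE_UTF8_BOM = codecs.BOM_UTF8 + SAMPLE_PLAIN
SAMPLE_UTF16 = SAMPLE_PLAIN.decode().encode("utf-16")   # BOM + native byte order
SAMPLE_BAD_UTF8 = b'{"debug": \xff}'                     # lone 0xff byte at offset 10

if __name__ == "__main__":
    for name, raw in [("plain", SAMPLE_PLAIN), ("utf-8 BOM", SAMPLE_UTF8_BOM),
                      ("utf-16 BOM", SAMPLE_UTF16), ("bad utf-8", SAMPLE_BAD_UTF8)]:
        print(f"{name:10s} -> {validate(raw)}")
```

`validate()` is what a pre-flight check in a deployment pipeline would call: it never raises, and the message it returns names the byte offset of the first encoding problem, which is the detail an operator needs to fix a file that an editor saved with the wrong encoding.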
#### Removed

- docker/cli#2504 Removed support for reading configuration from `~/.dockercfg`.
- docker/cli#3739 Removed the `-g` and `--graph` daemon options in favor of `--data-root`.
- docker/cli#3470 Removed client-side sorting of results, in favor of the order in which the search API returns results.
- docker/cli#3542 Removed warnings related to deprecated storage drivers from the CLI. Such warnings are now handled by the daemon instead.
- docker/cli#3543 Removed the `Experimental` client field from `docker version`.
- moby/moby#43378 Explicit opt-in is required to use deprecated storage drivers, which are not automatically selected when upgrading.
- moby/moby#43472 Removed deprecated support for the `overlay` and `overlay2` storage drivers on backing filesystems without `d_type` support.
- moby/moby#44279 Removed the deprecated `overrideKernelCheck` option from the `overlay2` storage driver.
- moby/moby#43695 Removed support for the deprecated `io.containerd.runtime.v1.linux` OCI runtime.
- moby/moby#42451, moby/moby#42499, moby/moby#42506, moby/moby#42511, moby/moby#42520, moby/moby#42683, moby/moby#42684, moby/moby#42685, moby/moby#43187 Removed LCOW (Linux Containers on Windows).
- Removed daemon options related to legacy overlay networks used with standalone Swarm:
  - moby/moby#40383 Removed `--cluster-xx` options from `dockerd`.
  - moby/moby#42247 Removed `host-discovery` and overlay networks with external k/v stores.
- moby/moby#44414 Removed a deprecated `arm` platform fallback. `--platform linux/arm/vY` now returns an error when `arm/vY` is not available rather than pulling the wrong image.
- moby/moby#42694 Removed the deprecated `SetCustomHTTPHeaders()` and `CustomHTTPHeaders()` options-setters from the Go client API.
- moby/moby#44022 Removed the deprecated `WithDialer()` option-setter from the Go client API. Instead, use `WithDialContext()`.
- moby/moby#43250 Removed the daemon implementation of `opts.QuotedString`, which has moved to the CLI.
- moby/moby#43555 Removed the separate daemon ID from the trust-key in the daemon, and disabled the generation of the trust-key.
- moby/moby#43214 Removed from the API the deprecated `KernelMemory` option from `POST /containers/create` on API version >= 1.42.
- moby/moby#43254 Removed daemon support for Windows versions older than Windows Server RS5 / LTSC 2019 (build 17763).
#### Deprecated

- moby/moby#42608 Deprecated `BuilderSize` on API version >= 1.42.
- moby/moby#43908 Deprecated `BuildCache.Parent` in favor of the newly introduced `BuildCache.Parents` on API version >= 1.42.
- moby/moby#43477 Deprecated `pkg/urlutil`, moving the implementation to `builder/remotecontext/urlutil`.
#### Upgrades

- moby/moby#42708 Upgraded `rootlesskit` to `v0.14.4`.
- moby/moby#44959 Upgraded `buildkit` to `v0.10.7-0.20230208155512-4f0ee09c40e2`.
- moby/moby#44858 Upgraded `swarmkit` to `v2.0.0-20230119195359-904c221ac281`.
- moby/moby#44658 Upgraded `hcsshim` to `v0.9.6`.
#### Security

- moby/moby#41620 Changed permissions on container `hostconfig.json` files to `0600` from `0644`.
- moby/moby#42481 Fixed `--seccomp-profile` failing to accept `unconfined`, and renamed the default seccomp profile to `builtin`.
- moby/moby#42501 Build always done with seccomp support, and removed the `seccomp` build tag.
- moby/moby#43553 Added seccomp support on `riscv64`.
- moby/moby#42648 Added support for setting flags passed to `seccomp(2)` in seccomp profiles.
- moby/moby#42005 Refactored seccomp types to reuse runtime-spec, and added support for `ErrnoRet`.
- moby/moby#42604 Added support for `DefaultErrnoRet` in `seccomp` profiles.
- moby/moby#42649 Added an explicit `DefaultErrnoRet` field to the default seccomp profile, with no resulting behavior change.
- moby/moby#44563 Blocked `socket` with `AF_VSOCK` in the default seccomp profile.
- moby/moby#42083 Reenabled `process_vm_readv` and `process_vm_writev` in the default seccomp profile.
- moby/moby#43812 Added syscalls related to PKU to the default seccomp profile.
- moby/moby#43775 Now allow `clock_settime64` with `CAP_SYS_TIME`.
- moby/moby#43988 Now allow `bpf` with `CAP_BPF` and `perf_event_open` with `CAP_PERFMON`.
- moby/moby#42681 Explicitly set the `clone3` syscall to return `ENOSYS` in the default seccomp profile, in order to ensure `glibc` correctly falls back to using `clone`.
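To see how the seccomp profile fields named in this section combine (`defaultErrnoRet`, a per-rule `errnoRet` such as `clone3` returning `ENOSYS`, capability-gated rules such as `bpf` with `CAP_BPF` or `clock_settime64` with `CAP_SYS_TIME`, and an argument filter that refuses `socket` with `AF_VSOCK`), the following Python is an added example, not moby or MCR code. The profile it carries is constructed to mirror the structure of a moby-style JSON profile and is not the real default profile; the resolver is a simplification in which the first rule whose names, capabilities and arguments match decides the outcome, whereas dockerd hands the matching rules to libseccomp, which builds the kernel filter.

```python
"""Resolve the seccomp action a syscall receives under a moby-style JSON profile.

Added example, not moby or MCR code. PROFILE is constructed to illustrate the
fields discussed in the release notes; it is not the real default profile.
Semantics modelled: includes.caps requires every listed capability, excludes.caps
rejects the rule if any listed capability is present, SCMP_ACT_ERRNO rules use
their own errnoRet (EPERM if absent), and an unmatched syscall falls through to
defaultAction with defaultErrnoRet. First matching rule wins (simplification).
"""
import json

EPERM = 1       # defaultErrnoRet of the default profile (moby/moby#42649)
ENOSYS = 38     # what clone3 returns in the default profile (moby/moby#42681)
AF_VSOCK = 40   # address family blocked for socket(2) (moby/moby#44563)

# Constructed profile: a tiny allowlist plus rules shaped like the ones in the notes.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "syscalls": [
    {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_NE"}]},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clock_settime64"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_TIME"]}},
    {"names": ["bpf"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_BPF"]}},
    {"names": ["perf_event_open"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_PERFMON"]}}
  ]
}
""")


def _arg_matches(spec, args):
    """Apply one argument comparison; an argument we were not given cannot match."""
    idx = spec["index"]
    if idx >= len(args):
        return False
    arg, value, op = args[idx], spec["value"], spec["op"]
    if op == "SCMP_CMP_EQ":
        return arg == value
    if op == "SCMP_CMP_NE":
        return arg != value
    if op == "SCMP_CMP_MASKED_EQ":       # (arg & mask) == expected
        return (arg & value) == spec.get("valueTwo", 0)
    raise ValueError(f"unsupported comparison {op}")


def _caps_match(rule, caps):
    """includes.caps must all be present; any excludes.caps present rejects the rule."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    return inc <= caps and not (exc & caps)


def resolve(profile, syscall, caps=frozenset(), args=()):
    """Return (action, errno) for `syscall` given the container's bounding
    capabilities and the syscall's integer arguments; errno is None unless the
    action is SCMP_ACT_ERRNO."""
    caps = frozenset(caps)
    for rule in profile["syscalls"]:
        if syscall not in rule["names"] or not _caps_match(rule, caps):
            continue
        if not all(_arg_matches(a, args) for a in rule.get("args", [])):
            continue
        if rule["action"] == "SCMP_ACT_ERRNO":
            return rule["action"], rule.get("errnoRet", EPERM)
        return rule["action"], None
    action = profile["defaultAction"]
    if action == "SCMP_ACT_ERRNO":
        return action, profile.get("defaultErrnoRet", EPERM)
    return action, None


if __name__ == "__main__":
    CLONE_NEWUSER = 0x10000000
    for call, caps, args in [
        ("clone3", (), ()),
        ("socket", (), (AF_VSOCK, 1, 0)),
        ("socket", (), (2, 1, 0)),
        ("bpf", (), ()),
        ("bpf", ("CAP_BPF",), ()),
        ("clone", (), (CLONE_NEWUSER,)),
        ("clone", ("CAP_SYS_ADMIN",), (CLONE_NEWUSER,)),
    ]:
        print(f"{call:16s} caps={caps} args={args} -> {resolve(PROFILE, call, caps, args)}")
```

Point `PROFILE` at the JSON you pass to the daemon's `--seccomp-profile` option (or to a container's `--security-opt seccomp=` setting) to answer the question these notes raise for a rootless or capability-reduced container: whether a given syscall is allowed, and if not, whether the process sees `EPERM` or the `ENOSYS` that lets glibc fall back from `clone3` to `clone`.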
#### Bug fixes

- moby/moby#44944 Fixed an issue wherein BuildKit-enabled builds with inline caching enabled were causing the daemon to crash.
- moby/moby#44959 Fixed an issue wherein BuildKit improperly loaded cached layers created by previous versions.
- moby/moby#44937 Fixed an issue wherein `ipvlan` networks created prior to upgrading would prevent the daemon from starting.
- moby/moby#44922 Fixed an issue wherein the `overlay2` storage driver failed early in `metacopy` testing when it was initialized on an unsupported backing filesystem.
- moby/moby#44892 Fixed an issue wherein `exec` exit events were misinterpreted as container exits under some runtimes, such as Kata Containers.
- docker/cli#4004 Improved the error message that the CLI returned upon receipt of a truncated JSON response caused by the API hanging up during a request.
- docker/cli#4004 Fixed an incorrect CLI exit code that occurred when attempting to execute a directory with a `runc` compiled using Go 1.20.
- docker/cli#4004 Fixed an issue wherein `--device-write-bps` interpreted the `size` argument not as a size but as a path.
- moby/moby#42661 Promoted `overlay2` to default storage driver. `btrfs` and `zfs` are now opt-in.
- docker/cli#2708 Added a loading spinner to the `docker cp` command.
- docker/cli#2819 Deprecated the `ElectAuthServer` function and forced it to return the default registry without calling the `GET /info` API endpoint.
- docker/cli#2940 Progress bars no longer reverse when Swarm services are rolled back.
- docker/cli#2972 `net.JoinHostPort()` is now used to fix formatting with IPv6 addresses.
- docker/cli#3044 CLI error messages are now printed to `stderr`.
- docker/cli#3179 Improved the performance of `docker info` for instances in which a custom `--format` is used that only requires local information. Now, the CLI only uses the daemon API if it detects that information from the daemon is required.
- docker/cli#3245 Removed the default value from the `--stop-signal` flag, as at times it may not reflect the actual default in use by the daemon.
- docker/cli#3257 Added Compose schema `3.10` to `docker stack`, to thus allow omission of the `version` field (resulting in `latest`).
- docker/cli#3445 Compose version `3` is now equivalent to `3.x`, the latest version, in `docker stack`.
- docker/cli#3302 Fixed an issue wherein `<Ctrl-C>` did not send `SIGTERM` when invoking `docker run` without `--interactive` (`-i`) on Windows.
- docker/cli#3469 Added relative source paths to the `run` command in the `-v`/`--volume` and `-m`/`--mount` flags.
- docker/cli#3627 `docker exec -t` now sets the console size for the executed process immediately upon creation.
- docker/cli#3645 Updated the pretty-print format of `docker info`, to provide more details on installed plugins.
- docker/cli#3668 Added printing of warning messages for the `docker context list` and `docker context use` commands, to display whenever the context is overridden by the environment.
- docker/cli#3694 Added a custom `aliases` annotation, to print all available aliases for a command.
- docker/cli#3721 The CLI no longer creates or updates the context file when running `docker context use` with the already active context.
- docker/cli#3791 Non-existing contexts are now ignored when `docker context rm --force` is run.
- docker/cli#3812 Integers can now be overridden to `0` in Compose files.
- docker/cli#3849 `SIGINT` (`<Ctrl-c>`) now passes through to running containers rather than causing the CLI to exit.
- docker/cli#3892 Improved the `docker port CONTAINER` UX by sorting ports prior to printing.
- moby/moby#39812 Improvement to the API wherein `GET /containers/{id}/logs` and `POST /containers/{id}/attach` now report which raw-stream format is in use by way of the `Content-type` response header on API version >= 1.42.
- moby/moby#41636 Set default sandbox size for Windows layers to 127GB, and ensured that the `--storage-opts` flag applies to all storage on Windows.
- moby/moby#41675 Removed the plugin section from the containerd configuration file (`/var/run/docker/containerd/containerd.toml`).
- moby/moby#41842 `null` manifests are now rejected during tar import.
- moby/moby#41854 Added shim configuration for custom runtimes for plugins.
- moby/moby#41935 Fixed an issue wherein container health checks did not resume when the daemon was restarted.
- moby/moby#42273 Fixed an issue wherein quota was disabled on cleanup of the `btrfs` driver.
- moby/moby#42638 Accessible host devices can now be mounted in `--privileged` rootless containers.
- moby/moby#42676 Fixed the incorrect handling of `**/foo` recursive wildcard directory patterns in `.dockerignore`.
- moby/moby#43103 `docker import --platform` can now mark an imported image as a foreign architecture.
- moby/moby#43131 The validation of CPU real-time options is now performed when the daemon starts, rather than being done separately for each individual container, which allows startup to fail earlier in the process.
- moby/moby#43210 Close the `namesgenerator` package off from new additions.
- moby/moby#43322 The `containers/{id}/attach/ws` API endpoint only attaches to the requested streams, as specified by the `stdin`, `stdout`, and `stderr` parameters on API version >= 1.42.
- moby/moby#43409 Fixed an issue wherein UDP traffic in containers did not work following container restart under sustained traffic.
- moby/moby#43434 Added support for pulling images with custom amd64 micro-architecture feature levels, as supported by the latest versions of Go, GCC, LLVM, and other compilers.
- moby/moby#43463 Improved validation of invalid JSON requests in the API.
- moby/moby#43480 Mitigated the impact of slow `exec` starts on health checks. Now, the check timeout only applies to the duration that the health check command is running, and the time needed to start the command no longer counts against the timeout.
- moby/moby#43593, moby/moby#43622 Console `tty` size is set immediately on creation.
- moby/moby#43659 Fixed an issue wherein `overlay2` mounts were not cleaned up following failed container starts, or daemon shutdowns.
- moby/moby#43675 Matched manifest list resolution with `containerd`.
- moby/moby#43813 `firewalld`-enabled networking is now skipped when the daemon is running in rootless mode.
- moby/moby#43858 Fixed an issue wherein custom NAT networks were not re-created following daemon restart if they were missing on Windows.
- moby/moby#43994 Fixed an issue wherein the container health-check process would not terminate at time out.
- moby/moby#44237 Fixed an issue wherein restart policies and volume refs were not correctly restored when the `live-restore` feature is enabled.
- moby/moby#44259 Only anonymous volumes are now pruned by default on API version >= v1.42. To restore the previous setting, wherein named volumes were also included in pruning, pass the filter `all=true`.
- moby/moby#42715 The API now supports concurrent calls to the `GET /system/df` endpoint.
- moby/moby#44831 Improved the reliability of the daemon dumping the stack when sent a `SIGQUIT`, and exit with status code 2 on `SIGQUIT`.
- moby/moby#43294 Improved the reliability of `docker logs -f` on Windows, and prevent newlines from being dropped in the `local` log driver.
- moby/moby#44856 Fixed an issue wherein a rare deadlock in the daemon occurred due to the buffering of container logs.
- moby/moby#44834 Improved error handling in misc filesystem operations so that the daemon can start on an overlayfs backing filesystem.
- moby/moby#44863 Fixed an issue wherein `--ipc=host` was incorrectly handled whenever the daemon was run in rootless mode.
- moby/moby#44752 Fixed a long-standing set of issues wherein stale conntrack entries caused incorrect routing of UDP traffic for containers.
- moby/moby#44633 Fixed an issue wherein half-registered containers were listed in the API, as well as a nil pointer de-reference and panic that were caused by the use of a partially registered container in API calls.
- moby/moby#44845 Fixed an issue wherein the `DOCKER-USER` `ip6tables` chain was not created.
- moby/moby#44727 Fixed a failure to clean up iptables rules when the `ip6tables` command is not available.
- moby/moby#44811 Fixed an issue wherein a number of iptables NAT rules were not cleaned up when reenabling the userland proxy.
- moby/moby#44400 Fixed a process leak that can occur when a container start fails on Linux.
- moby/moby#44725 Fixed an issue wherein the `CreatedAt` time of a volume was reflecting initialization and not creation.
- docker/cli#3901, docker/cli#3904 Fixed an issue in a number of commands wherein the CLI incorrectly reported an incompatible server rather than an unreachable server.
- docker/cli#2998 Fixed broken completion of volumes in Zsh.
- docker/cli#3847 Improved the output of `docker context` when an invalid context is present.
- docker/cli#3973 Removed ANSI decoration of CLI help annotations when the output is not a TTY, and added a newline for readability.
- docker/cli#3986 Added `docker container remove` as an alias for `docker container rm`.
## GitHub milestones

The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.0 and Moby 23.0.1 releases:

## Major component versions

Version detail for the major components that comprise MCR 23.0.1 is presented in the table below:

| Component | Version |
|---|---|
| Fipster (Go runtime) | go1.19.5m1 |
| buildkit | 0.10.7-0.20230208155512-4f0ee09c40e2 |