25.0.7

Release date   Name         Upstream release
2024-DEC-04    MCR 25.0.7   Moby 25.0.7 and Docker CLI 25.0.7

Highlights

Alternative OCI Runtimes

  MCR now incorporates upstream changes that allow alternative OCI runtimes to be used with cri-dockerd. Users can therefore create containers with compatible alternative runtimes, such as Kata or gVisor.

Container Device Interface (CDI) support

  MCR now supports the Container Device Interface (CDI) on Linux platforms, which automates a large amount of device configuration through the use of spec files.

  Note

  CDI is an experimental feature that must be manually enabled by setting the feature flag in the daemon.json file.

OpenTelemetry tracing

  MCR supports tracing of Engine API requests using OpenTelemetry, which can be configured through its common environment variables. For information on how to use this feature, refer to the official OpenTelemetry documentation.

Changelog

MCR 25.0.7 comprises the Moby 25.0.7 upstream release. In addition, changes are included for the intervening upstream 24.0 release, for which there was no MCR release.

Changes specific to MCR

  • Overhaul of release versioning and packaging

    • Greater emphasis and differentiation is now placed on Product Version versus Major component versions. Product Version is based on the upstream engine release version, but is distinct from it.

    • Major Linux releases are no longer published to the stable channel and must instead be installed from their major version specific channel. This change greatly reduces the chance of performing accidental upgrades between major releases.

      • MCR 25.0.7 is installed from the stable-25.0 channel.

      • Windows releases continue to be published to the stable channel.

    • MCR components are built from soft-forks of upstream projects, which combine an upstream software release with patches that Mirantis maintains. Such components can be identified by a software version in which the patch version indicator is followed by the character m and another number. This is the m-revision, the revision of the Mirantis patch set for the given upstream release of the software.

      Note

      Several software components are built from unmodified upstream sources. These components use the upstream version directly, and can be identified by their lack of an m-revision component.

  • FIPS changes

    • All MCR 25.0.x releases are provided in two types.

      • The FIPS-mode MCR type always operates in a FIPS 140-2 compliant mode.

      • The non-FIPS MCR type cannot be configured to operate in a FIPS 140-2 compliant mode of operation.

    • Installing the FIPS-mode MCR type requires the use of a FIPS channel, which for MCR 25.0.7 is stable-25.0/fips. A similar pattern will persist through future MCR releases.

    • FIPS binaries can be identified by +fips in the package or software version. Some packages, such as runc, do not have a specific +fips version, while some packages, such as containerd shims, contain binaries without +fips. This is both normal and expected, as +fips versions are built only for packages that use cryptography.

  • MCR telemetry changes

    • Users can no longer disable telemetry for MCR instances that are unlicensed. This includes cases wherein the license is expired or malformed. In the event that the user has configured telemetry to be disabled, MCR will ignore the configuration and print an ERROR level message to the daemon logs.
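As an added illustration of the version layout described in the versioning and FIPS items above (this is not code from the release notes or from Mirantis), the following Python splits a component version string into its upstream version, m-revision and +fips marker, and reports components that were expected to be FIPS builds but are not. The hyphenated "-m1" spelling and the placement of "+fips" after the m-revision are assumptions inferred from the component table.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Layout from these notes: upstream version (optionally prefixed, e.g. "go1.22.9"),
# optional Mirantis m-revision ("m1"; the Go runtime row writes "-m1"), optional
# "+fips" marker. ASSUMPTION: the "-m1" spelling and "+fips" trailing the
# m-revision are inferred from the component table, not stated by the notes.
_VERSION_RE = re.compile(
    r"^(?P<upstream>[A-Za-z]*\d+(?:\.\d+)*)"
    r"(?:-?m(?P<mrev>\d+))?"
    r"(?P<fips>\+fips)?$"
)

@dataclass(frozen=True)
class ComponentVersion:
    upstream: str              # upstream release the build is based on
    m_revision: Optional[int]  # None: built from unmodified upstream sources
    fips: bool                 # True: FIPS-mode build

def parse_version(version: str) -> ComponentVersion:
    """Split an MCR component version such as "25.0.7m1+fips" into its parts."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised MCR version string: {version!r}")
    mrev = m.group("mrev")
    return ComponentVersion(
        upstream=m.group("upstream"),
        m_revision=int(mrev) if mrev is not None else None,
        fips=m.group("fips") is not None,
    )

def non_fips_components(versions: Dict[str, str],
                        expected_fips: Iterable[str]) -> List[str]:
    """Names in expected_fips whose version lacks +fips. Only packages that use
    cryptography ship +fips builds (runc does not), so the caller supplies the
    components it expects to be FIPS builds."""
    return [name for name in expected_fips
            if name in versions and not parse_version(versions[name]).fips]

if __name__ == "__main__":
    # Constructed sample: table values from these notes plus an assumed
    # FIPS-channel Moby version.
    installed = {"Moby": "25.0.7m1+fips", "Docker CLI": "25.0.7m1",
                 "runc": "1.5.15m1", "cri-dockerd": "0.3.0",
                 "Fipster (Go runtime)": "go1.22.9-m1"}
    for name, ver in installed.items():
        print(f"{name:22} {parse_version(ver)}")
    print("missing +fips:", non_fips_components(installed, ["Moby", "Docker CLI"]))
```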

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

What is new

Removed

  • docker/cli#4204 docker info no longer reports IndexServiceAddress.

  • moby/moby#44684, moby/moby#44802 libnetwork: Remove fallback code for obsolete kernel versions.

  • moby/moby#44965 libnetwork: Remove unused code related to classic Swarm.

  • moby/moby#45281 libnetwork: Remove usage of the xt_u32 kernel module from encrypted Swarm overlay networks.

  • moby/moby#45097 Remove support for BuildKit’s deprecated buildinfo in favor of standard provenance attestations.

  • moby/moby#45368 Remove the deprecated overlay2.override_kernel_check storage driver option.

  • moby/moby#45500 Remove workarounds for obsolete versions of apparmor_parser from the AppArmor profiles.

  • moby/moby#45068 API: GET /images/json no longer represents empty RepoTags and RepoDigests as <none>:<none>/<none>@<none>. Empty arrays are returned instead on API >= 1.43.

  • docker/cli#4302 Remove CLI completions for storage drivers removed in the 24.0 major release.

  • moby/moby#45469 API: Remove VirtualSize field for the GET /images/json and GET /images/{id}/json endpoints.

  • docker/cli#4366 Remove deprecated orchestrator options.

  • moby/moby#45484 Remove the --oom-score-adjust daemon option.

  • docker/cli#4281 Remove warning for deprecated ~/.dockercfg file.

  • moby/moby#46925 Remove logentries logging driver.

Deprecated

  • Deprecate API versions older than 1.24 (see the upstream deprecation notice).

  • Deprecate the IsAutomated field and the is-automated filter for docker search (see the upstream deprecation notice).

  • moby/moby#46939 API: Deprecate Container and ContainerConfig properties for /images/{id}/json (docker image inspect).

Bug fixes and enhancements

  • docker/cli#4214 The docker stack command no longer validates the build section of Compose files.

  • moby/moby#43739 Fix lingering healthcheck processes after timeout is reached.

  • moby/moby#44285 Reduce the overhead of container startup when using the overlay2 storage driver.

  • moby/moby#44503 API: Handle multiple before= and since= filters in GET /images.

  • moby/moby#44664 Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks.

  • moby/moby#45494 Add execDuration field to the map of event attributes.

  • moby/swarmkit#3121, moby/moby#45291 Swarm-level networks can now be created with the Windows internal, l2bridge, and nat drivers.

  • moby/moby#45573 Fix an issue where DNS query NXDOMAIN replies from external servers were forwarded to the client as SERVFAIL.

  • moby/moby#45562 Fix an issue where docker pull --platform would report No such image regarding another tag pointing to the same image.

  • moby/moby#45571 Fix an issue where insecure registry configuration would be forgotten during config reload.

  • moby/moby#45568 API: Fix an issue where POST /commit did not accept empty request body.

  • moby/moby#45620 Fix builds potentially failing with exit code: 4294967295 when performing many concurrent build stages.

  • moby/moby#45810 Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo.

  • moby/moby#45703, moby/swarmkit#3122, moby/swarmkit#3128 Fix failures to add new Swarm managers caused by a very large raft log.

  • moby/moby#45824 name_to_handle_at(2) is now always allowed in the default seccomp profile.

  • moby/moby#45637 Fix an issue that prevented encrypted Swarm overlay networks from working on ports other than the default (4789).

  • moby/moby#45643 Fix an exception caused by attaching a terminal to an exec with a non-existent command.

  • moby/moby#45790 Fix host-gateway with BuildKit by passing the IP as a label (also requires docker/buildx#1894).

  • moby/moby#45774 Fix an issue where POST /containers/{id}/stop would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a ‘graceful’ stop.

  • moby/moby#45746 Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config.

  • moby/moby#45747, rootless-containers/rootlesskit#369 Fix an issue caused by overlapping subuid/subgid ranges in certain configurations (e.g. LDAP) in rootless mode.

  • moby/moby#45856 Greatly reduce CPU and memory usage while populating the Debug section of GET /info.

  • docker/cli#4393 Fix an issue where debug information was not correctly printed during docker info when only the client is in debug mode.

  • docker/cli#4395 Fix issues related to hung connections when connecting to hosts over an SSH connection.

  • docker/cli#4423 Properly report errors parsing volume specifications from the command line.

  • docker/cli#4450 Fix a panic caused when auths: null is found in the CLI config file.

  • moby/moby#46137 Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries.

  • moby/moby#46366 Fix live-restore of volumes with custom volume options.

  • moby/moby#46214 Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers.

  • moby/moby#46215 Fix dockerd.exe --register-service not working when the binary is in the current directory on Windows.

  • docker/cli#4500 Add a hint suggesting the use of a PAT to docker login against Docker Hub.

  • docker/cli#4517 Improve shell startup time for users of Bash completion for the CLI.

  • docker/cli#4508 Improve the speed of some commands by skipping GET /_ping when possible.

  • docker/cli#4512 Fix credential scopes when using a PAT to docker manifest inspect an image on Docker Hub.

  • docker/cli#4544 Fix docker events not supporting --format=json.

  • moby/moby#46703 Write overlay2 layer metadata atomically.

  • moby/moby#46564 Fix “Rootful-in-Rootless” Docker-in-Docker on systemd version 250 and later.

  • moby/moby#44395 Fix dockerd-rootless-setuptools.sh when username contains a backslash.

  • moby/moby#46651 Fix a bug that would prevent network sandboxes from being fully deleted when stopping containers with no network attachments and when dockerd --bridge=none is used.

  • moby/moby#46700 Fix data corruption with zstd output.

  • moby/moby#46406 Fix the conditions under which the container’s MAC address is applied.

  • moby/moby#46448 Improve the performance of the stats collector.

  • moby/moby#46857 Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart.

  • moby/moby#46352 API: Fix error message for invalid policies at ValidateRestartPolicy.

  • moby/moby#45847 API: Update /info endpoint to use singleflight.

  • docker/cli#4346 Add an error message for when specifying a Dockerfile filename with -f, and also using stdin.

  • docker/cli#4419 Add support for mac-address and link-local-ip fields in --network long format.

  • moby/moby#45906 Add support for specifying multiple --network flags with docker container create and docker run.

  • moby/moby#46455 Automatically enable IPv6 on a network when an IPv6 subnet is specified.

  • moby/moby#46790 Add support for overlay networks over IPv6 transport.

  • moby/moby#43980 Configuration reloading is now more robust: if there’s an error during the configuration reload process, no configuration changes are applied.

  • moby/moby#47051 Live restore: containers that are live-restored will now be given another health-check start period when the daemon restarts.

  • moby/moby#47044 Container health status is flushed to disk less frequently, reducing wear on flash storage.

  • moby/moby#46251 Ensure network names are unique.

  • moby/moby#46471 Ensure that overlay2 layer metadata is correct.

  • moby/moby#46515 Fix Downloading progress message on image pull.

  • moby/moby#46183 Fix NetworkConnect and ContainerCreate with improved data validation, and return all validation errors at once.

  • moby/moby#46446 Fix com.docker.network.host_ipv4 option when IPv6 and ip6tables are enabled.

  • moby/moby#46213 Fix daemon’s cleanupContainer if containerd is stopped.

  • moby/moby#46146 Fix returning incorrect HTTP status codes for libnetwork errors.

  • moby/moby#46034 Fix various issues with images/json API filters and image list.

  • moby/moby#46863 CIFS volumes now resolve FQDNs correctly.

  • moby/moby#47000 Improve validation of the userland-proxy-path daemon configuration option. Validation now happens during daemon startup, instead of producing an error when starting a container with port-mapping.

  • moby/moby#46406 Set the MAC address of container’s interface when network mode is a short network ID.

  • moby/moby#45917 Sort unconsumed build arguments before display in build output.

  • moby/moby#44598 The docker image save tarball output is now OCI compliant.

  • moby/moby#45280 The daemon no longer appends ACCEPT rules to the end of the INPUT iptables chain for encrypted overlay networks. Depending on firewall configuration, a rule may be needed to permit incoming encrypted overlay network traffic.

  • moby/moby#45464 Unpacking layers with extended attributes onto an incompatible filesystem will now fail instead of silently discarding extended attributes.

  • moby/moby#45887 Update daemon MTU option to BridgeConfig and display warning on Windows.

  • moby/moby#45759 Validate IPAM config when creating a network. Automatically fix networks created prior to this release where --ip-range is larger than --subnet.

  • moby/moby#46603 Containers connected only to internal networks will now have no default route set, making the connect syscall fail-fast.

  • moby/moby#47136 Fix an issue in detecting whether a remote build context is a Git repository.

  • moby/moby#47163 Swarm: Fixed start_interval not being passed to the container config.

  • moby/moby#47304 Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved.

  • moby/moby#47294 Fix docker save <image>@<digest> producing an OCI archive with index without manifests.

  • moby/moby#47323 Fix a bug where trying to install a plugin using a digest revision would cause a panic.

  • moby/moby#47243 Fix an issue with the journald log driver preventing container logs from being followed correctly with systemd version 255.

  • moby/moby#47341 seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd.

  • moby/moby#47307, moby/moby#47337 Windows: Fix cache not being used when building images based on Windows versions older than the host’s version.

  • moby/moby#47466 Fix docker start failing when used with --checkpoint.

  • moby/moby#47393 API: To preserve backwards compatibility, make read-only mounts non-recursive by default when using older clients (API versions < v1.44).

  • moby/moby#47451 API: GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field was missing from the image config.

  • moby/moby#47387 API: Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API versions <= 1.43.

  • moby/moby#47470 API: Fix a regression that caused API socket connection failures to report an API version negotiation failure instead.

  • moby/moby#47527 Fix multiple parallel docker build runs leaking disk space.

  • moby/moby#47589 CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an ‘internal’ network. Previously, requests were forwarded if the host’s DNS server was running on a loopback address, like systemd’s 127.0.0.53.

GitHub milestones

The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 24.0 and 25.0 releases.

Major component versions

Version detail for the major components that comprise MCR 25.0.7 is presented in the table below:

Component              Upstream Version   Mirantis Version
Moby                   25.0.7             25.0.7m1
Docker CLI             25.0.7             25.0.7m1
containerd             1.7.23             1.7.23m1
runc                   1.5.15             1.5.15m1
cri-dockerd            0.3.0              (unmodified upstream)
buildx                 0.12.1             0.12.1m1
Fipster (Go runtime)                      go1.22.9-m1
buildkit               0.12.5             (unmodified upstream)
rootlesskit            2.0.2              (unmodified upstream)