25.0.7

| Release date | Name | Upstream release |
|---|---|---|
| 2024-DEC-04 | MCR 25.0.7 | Moby 25.0.7 and Docker CLI 25.0.7 |
Highlights

| Enhancement | Detail |
|---|---|
| Alternative OCI Runtimes | MCR now incorporates upstream changes that allow alternative OCI runtimes to be used with cri-dockerd. Users can therefore create containers with compatible alternative runtimes, such as Kata or gVisor. |
| Container Device Interface (CDI) support | MCR now supports the Container Device Interface (CDI) on Linux platforms, which automates a large amount of device configuration through spec files. Note that CDI is an experimental feature that must be enabled manually by setting the feature flag in the daemon.json file. |
| OpenTelemetry tracing | MCR supports tracing of Engine API requests using OpenTelemetry, which is configured through its common environment variables. For information on how to use this feature, refer to the official OpenTelemetry documentation. |
Changelog

MCR 25.0.7 comprises the Moby 25.0.7 upstream release. In addition, it includes the changes from the intervening upstream 24.0 release, for which there was no MCR release.
Changes specific to MCR

Overhaul of release versioning and packaging

Greater emphasis and differentiation is now placed on the Product Version versus the major component versions. The Product Version is based on the upstream engine release version, but is distinct from it.

Major Linux releases are no longer published to the `stable` channel and must instead be installed from their major-version-specific channel. This change greatly reduces the chance of performing accidental upgrades between major releases. MCR 25.0.7 is installed from the `stable-25.0` channel. Windows releases continue to be published to the `stable` channel.

MCR components are built from soft-forks of upstream projects, which combine an upstream software release with patches that Mirantis maintains. Such components can be identified by a software version in which the patch version indicator is followed by the character `m` and another number. This is the m-revision, the revision of the Mirantis patch set for the given upstream release of the software.

Note: Several software components are built from unmodified upstream sources. These components use the upstream version directly, and can be identified by their lack of an m-revision component.
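The version scheme above is what an operator matches against when checking which upstream release a component embeds (and so which upstream advisories apply) and whether it is a FIPS build. The Go parser below is an added example, not MCR code: it assumes that `+fips`, when present, follows the m-revision, and every version string other than the `m1` values quoted from these notes is a constructed sample.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// ComponentVersion is the parsed form of an MCR component version string.
type ComponentVersion struct {
	Upstream  string // upstream release the component is built from, e.g. "25.0.7"
	SoftFork  bool   // true when an m-revision is present (Mirantis patch set applied)
	MRevision int    // revision of the Mirantis patch set; 0 for unmodified upstream
	FIPS      bool   // true when the version carries the +fips build marker
}

// Grammar from the release notes: <upstream semver>, optional "m<N>" m-revision,
// optional "+fips" suffix. Placing the m-revision before +fips is an assumption.
var versionRe = regexp.MustCompile(`^(\d+\.\d+\.\d+)(?:m(\d+))?(\+fips)?$`)

// ParseComponentVersion splits v into its parts, or returns an error when v does
// not follow the MCR versioning scheme (pre-release tags, missing fields, ...).
func ParseComponentVersion(v string) (ComponentVersion, error) {
	m := versionRe.FindStringSubmatch(v)
	if m == nil {
		return ComponentVersion{}, fmt.Errorf("not an MCR component version: %q", v)
	}
	cv := ComponentVersion{Upstream: m[1], FIPS: m[3] != ""}
	if m[2] != "" {
		rev, err := strconv.Atoi(m[2])
		if err != nil {
			return ComponentVersion{}, err
		}
		cv.SoftFork, cv.MRevision = true, rev
	}
	return cv, nil
}

func main() {
	// Constructed inventory: the m1 versions are quoted from the notes; the +fips,
	// plain-upstream and pre-release strings are made up for illustration.
	for _, v := range []string{"25.0.7m1", "1.7.23m1+fips", "1.5.15m1", "1.2.3", "25.0.7-beta"} {
		cv, err := ParseComponentVersion(v)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-14s upstream=%s softfork=%t m=%d fips=%t\n",
			v, cv.Upstream, cv.SoftFork, cv.MRevision, cv.FIPS)
	}
}
```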
FIPS changes

All MCR 25.0.x releases are provided in two types:

- The FIPS-mode MCR type always operates in a FIPS 140-2 compliant mode.
- The non-FIPS MCR type cannot be configured to operate in a FIPS 140-2 compliant mode of operation.

Installing the FIPS-mode MCR type requires the use of a FIPS channel, which for MCR 25.0.7 is `stable-25.0/fips`. A similar pattern will persist through future MCR releases. FIPS binaries can be identified by `+fips` in the package or software version. Some packages, such as `runc`, do not have a specific `+fips` version, while some packages, such as containerd shims, contain non-`+fips` binaries. This is both normal and expected, as `+fips` versions are built only for packages that use cryptography.
MCR telemetry changes

Users can no longer disable telemetry for MCR instances that are unlicensed, including cases in which the license is expired or malformed. If the user has configured telemetry to be disabled, MCR ignores the configuration and prints an ERROR level message to the daemon logs.
Changes from upstream
The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.
What is new

- moby/moby#43735, other moby/moby pull requests Introduce experimental support for containerd as the content store (replacing the existing storage drivers).

  Notice: Though this feature is present in the upstream, it is not a supported MCR feature.

- docker/cli#4073 The `--host` CLI flag now supports a path component in an `ssh://` host address, allowing the use of an alternate socket path without configuration on the remote host.
- docker/cli#4180 The `docker info` CLI command now reports a version and platform field.
- moby/moby#43197 Introduce the daemon flag `--default-network-opt` to configure options for newly created networks.
- moby/moby#44562 Restrict access to `AF_VSOCK` in the `socket(2)` family of syscalls in the default seccomp profile.
- docker/cli#4156, moby/moby#45025 Introduce support for setting OCI runtime annotations on containers.
- moby/moby#45032 Alternative runtimes can now be configured in `daemon.json`, enabling runtime names to be aliased and options to be passed.
- moby/moby#45198 The `docker-init` binary will now be discovered in FHS-compliant libexec directories, in addition to the `PATH`.
- moby/moby#45320 API: Surface the daemon-level `--no-new-privileges` in `GET /info`.
- moby/moby#45652, moby/moby#45579 Add OpenTelemetry tracing.
- moby/moby#45134, docker/cli#4510, moby/moby#46004 Add support for CDI devices under Linux.
- moby/moby#40894, docker/cli#4405, moby/moby#45965 Add an additional interval to be used by health checks during the container start period.
- moby/moby#45737 Add a `--log-format` flag to `dockerd` to control the logging format: text (default) or JSON.
- moby/moby#45278, moby/moby#46037 Add support for recursive read-only mounts.
- moby/moby#46577 Add support for filtering images based on timestamp with `docker image ls --filter=until=<timestamp>`.
Removed

- docker/cli#4204 `docker info` no longer reports `IndexServiceAddress`.
- moby/moby#44684, moby/moby#44802 libnetwork: Remove fallback code for obsolete kernel versions.
- moby/moby#44965 libnetwork: Remove unused code related to classic Swarm.
- moby/moby#45281 libnetwork: Remove usage of the `xt_u32` kernel module from encrypted Swarm overlay networks.
- moby/moby#45097 Remove support for BuildKit’s deprecated `buildinfo` in favor of standard provenance attestations.
- moby/moby#45368 Remove the deprecated `overlay2.override_kernel_check` storage driver option.
- moby/moby#45500 Remove workarounds for obsolete versions of `apparmor_parser` from the AppArmor profiles.
- moby/moby#45068 API: `GET /images/json` no longer represents empty RepoTags and RepoDigests as `<none>:<none>` / `<none>@<none>`. Empty arrays are returned instead on API >= 1.43.
- docker/cli#4302 Remove CLI completions for storage drivers removed in the 24.0 major release.
- moby/moby#45469 API: Remove the VirtualSize field for the `GET /images/json` and `GET /images/{id}/json` endpoints.
- docker/cli#4366 Remove deprecated orchestrator options.
- moby/moby#45484 Remove the `--oom-score-adjust` daemon option.
- docker/cli#4281 Remove the warning for the deprecated `~/.dockercfg` file.
- moby/moby#46925 Remove the `logentries` logging driver.
Deprecated

- Deprecate API versions older than 1.24. Deprecation notice
- Deprecate the `IsAutomated` field and the `is-automated` filter for `docker search`. Deprecation notice
- moby/moby#46939 API: Deprecate the `Container` and `ContainerConfig` properties for `/images/{id}/json` (`docker image inspect`).
Bug fixes and enhancements

- docker/cli#4214 The `docker stack` command no longer validates the `build` section of Compose files.
- moby/moby#43739 Fix lingering healthcheck processes after the timeout is reached.
- moby/moby#44285 Reduce the overhead of container startup when using the `overlay2` storage driver.
- moby/moby#44503 API: Handle multiple `before=` and `since=` filters in `GET /images`.
- moby/moby#44664 Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks.
- moby/moby#45494 Add the `execDuration` field to the map of event attributes.
- moby/swarmkit#3121, moby/moby#45291 Swarm-level networks can now be created with the Windows `internal`, `l2bridge`, and `nat` drivers.
- moby/moby#45573 Fix an issue where DNS query NXDOMAIN replies from external servers were forwarded to the client as SERVFAIL.
- moby/moby#45562 Fix an issue where `docker pull --platform` would report `No such image` regarding another tag pointing to the same image.
- moby/moby#45571 Fix an issue where insecure registry configuration would be forgotten during config reload.
- moby/moby#45568 API: Fix an issue where `POST /commit` did not accept an empty request body.
- moby/moby#45620 Fix builds potentially failing with `exit code: 4294967295` when performing many concurrent build stages.
- moby/moby#45810 Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo.
- moby/moby#45703, moby/swarmkit#3122, moby/swarmkit#3128 Fix failures to add new Swarm managers caused by a very large raft log.
- moby/moby#45824 `name_to_handle_at(2)` is now always allowed in the default seccomp profile.
- moby/moby#45637 Fix an issue that prevented encrypted Swarm overlay networks from working on ports other than the default (4789).
- moby/moby#45643 Fix an exception caused by attaching a terminal to an exec with a non-existent command.
- moby/moby#45790 Fix host-gateway with BuildKit by passing the IP as a label (also requires docker/buildx#1894).
- moby/moby#45774 Fix an issue where `POST /containers/{id}/stop` would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a ‘graceful’ stop.
- moby/moby#45746 Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config.
- moby/moby#45747, rootless-containers/rootlesskit#369 Fix an issue caused by overlapping subuid/subgid ranges in certain configurations (e.g. LDAP) in rootless mode.
- moby/moby#45856 Greatly reduce CPU and memory usage while populating the Debug section of `GET /info`.
- docker/cli#4393 Fix an issue where debug information was not correctly printed during `docker info` when only the client is in debug mode.
- docker/cli#4395 Fix issues related to hung connections when connecting to hosts over an SSH connection.
- docker/cli#4423 Properly report errors parsing volume specifications from the command line.
- docker/cli#4450 Fix a panic caused when `auths: null` is found in the CLI config file.
- moby/moby#46137 Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries.
- moby/moby#46366 Fix live-restore of volumes with custom volume options.
- moby/moby#46214 Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers.
- moby/moby#46215 Fix `dockerd.exe --register-service` not working when the binary is in the current directory on Windows.
- docker/cli#4500 Add a hint suggesting the use of a PAT to `docker login` against Docker Hub.
- docker/cli#4517 Improve shell startup time for users of Bash completion for the CLI.
- docker/cli#4508 Improve the speed of some commands by skipping `GET /_ping` when possible.
- docker/cli#4512 Fix credential scopes when using a PAT to `docker manifest inspect` an image on Docker Hub.
- docker/cli#4544 Fix `docker events` not supporting `--format=json`.
- moby/moby#46703 Write overlay2 layer metadata atomically.
- moby/moby#46564 Fix “Rootful-in-Rootless” Docker-in-Docker on systemd version 250 and later.
- moby/moby#44395 Fix `dockerd-rootless-setuptools.sh` when the username contains a backslash.
- moby/moby#46651 Fix a bug that would prevent network sandboxes from being fully deleted when stopping containers with no network attachments and when `dockerd --bridge=none` is used.
- moby/moby#46700 Fix data corruption with zstd output.
- moby/moby#46406 Fix the conditions under which the container’s MAC address is applied.
- moby/moby#46448 Improve the performance of the stats collector.
- moby/moby#46857 Live restore: Containers with auto remove (`docker run --rm`) are no longer forcibly removed on engine restart.
- moby/moby#46352 API: Fix the error message for invalid policies at `ValidateRestartPolicy`.
- moby/moby#45847 API: Update the `/info` endpoint to use singleflight.
- docker/cli#4346 Add an error message for when specifying a Dockerfile filename with `-f` while also using `stdin`.
- docker/cli#4419 Add support for the `mac-address` and `link-local-ip` fields in the `--network` long format.
- moby/moby#45906 Add support for specifying multiple `--network` flags with `docker container create` and `docker run`.
- moby/moby#46455 Automatically enable IPv6 on a network when an IPv6 subnet is specified.
- moby/moby#46790 Add support for overlay networks over IPv6 transport.
- moby/moby#43980 Configuration reloading is now more robust: if there’s an error during the configuration reload process, no configuration changes are applied.
- moby/moby#47051 Live restore: containers that are live-restored will now be given another health-check start period when the daemon restarts.
- moby/moby#47044 Container health status is flushed to disk less frequently, reducing wear on flash storage.
- moby/moby#46251 Ensure network names are unique.
- moby/moby#46471 Ensure that overlay2 layer metadata is correct.
- moby/moby#46515 Fix the `Downloading` progress message on image pull.
- moby/moby#46183 Fix `NetworkConnect` and `ContainerCreate` with improved data validation, and return all validation errors at once.
- moby/moby#46446 Fix the `com.docker.network.host_ipv4` option when IPv6 and ip6tables are enabled.
- moby/moby#46213 Fix the daemon’s `cleanupContainer` if containerd is stopped.
- moby/moby#46146 Fix returning incorrect HTTP status codes for libnetwork errors.
- moby/moby#46034 Fix various issues with images/json API filters and image list.
- moby/moby#46863 CIFS volumes now resolve FQDNs correctly.
- moby/moby#47000 Improve validation of the `userland-proxy-path` daemon configuration option. Validation now happens during daemon startup, instead of producing an error when starting a container with port-mapping.
- moby/moby#46406 Set the MAC address of the container’s interface when the network mode is a short network ID.
- moby/moby#45917 Sort unconsumed build arguments before display in build output.
- moby/moby#44598 The `docker image save` tarball output is now OCI compliant.
- moby/moby#45280 The daemon no longer appends `ACCEPT` rules to the end of the `INPUT` iptables chain for encrypted overlay networks. Depending on firewall configuration, a rule may be needed to permit incoming encrypted overlay network traffic.
- moby/moby#45464 Unpacking layers with extended attributes onto an incompatible filesystem will now fail instead of silently discarding extended attributes.
- moby/moby#45887 Update the daemon MTU option to BridgeConfig and display a warning on Windows.
- moby/moby#45759 Validate IPAM config when creating a network. Automatically fix networks created prior to this release where `--ip-range` is larger than `--subnet`.
- moby/moby#46603 Containers connected only to internal networks will now have no default route set, making the `connect` syscall fail fast.
- moby/moby#47136 Fix an issue in detecting whether a remote build context is a Git repository.
- moby/moby#47163 Swarm: Fixed `start_interval` not being passed to the container config.
- moby/moby#47304 Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved.
- moby/moby#47294 Fix `docker save <image>@<digest>` producing an OCI archive with an index without manifests.
- moby/moby#47323 Fix a bug where trying to install a plugin using a digest revision would cause a panic.
- moby/moby#47243 Fix an issue with the `journald` log driver preventing container logs from being followed correctly with systemd version 255.
- moby/moby#47341 seccomp: Update the builtin seccomp profile to include syscalls added in kernel v5.17 - v6.7 to align the profile with the profile used by containerd.
- moby/moby#47307, moby/moby#47337 Windows: Fix the cache not being used when building images based on Windows versions older than the host’s version.
- moby/moby#47466 Fix `docker start` failing when used with `--checkpoint`.
- moby/moby#47393 API: To preserve backwards compatibility, make read-only mounts non-recursive by default when using older clients (API versions < v1.44).
- moby/moby#47451 API: `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) if the `Created` field was missing from the image config.
- moby/moby#47387 API: Populate a missing `Created` field in `GET /images/{id}/json` with `0001-01-01T00:00:00Z` for API versions <= 1.43.
- moby/moby#47470 API: Fix a regression that caused API socket connection failures to report an API version negotiation failure instead.
- moby/moby#47527 Fix multiple parallel docker build runs leaking disk space.
- moby/moby#47589 CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an ‘internal’ network. Previously, requests were forwarded if the host’s DNS server was running on a loopback address, like systemd’s 127.0.0.53.
GitHub milestones
The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 24.0 and 25.0 releases.
Major component versions

Version detail for the major components that comprise MCR 25.0.7 is presented in the table below (the component names and upstream versions did not survive extraction; only the Mirantis versions are recoverable):

| Component | Upstream Version | Mirantis Version |
|---|---|---|
| | | 25.0.7m1 |
| | | 25.0.7m1 |
| | | 1.7.23m1 |
| | | 1.5.15m1 |
| | | – |
| | | 0.12.1m1 |
| Fipster (Go runtime) | – | – |
| | | – |