28.3.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.3 milestone
• moby/moby, 28.3.3 milestone

Security

This release fixes an issue where, after a firewalld reload, published container ports could be accessed directly from the local network, even when they were intended to be accessible only via a loopback address. CVE-2025-54388 / GHSA-x4rx-4gw3-53p4 / moby/moby#50506.

Packaging updates

• Update Buildx to v0.26.1. docker/docker-ce-packaging#1230
• Update Compose to v2.39.1. docker/docker-ce-packaging#1234
• Update Docker Model CLI plugin to v0.1.36. docker/docker-ce-packaging#1233

Go SDK

• cli/command/formatter: add TrunateID() utility as alternative for github.com/docker/docker/pkg/stringid.TrunateID(). docker/cli#6180

25.0.12

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.12 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. #50203
• Fix an issue which made DNS service discovery for Swarm services unreliable. #50230

Packaging updates

• Update Go toolchain to go1.23.9. #50053

28.3.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.2 milestone
• moby/moby, 28.3.2 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix --use-api-socket not working correctly when targeting a remote daemon. docker/cli#6157
• Fix stray "otel error" logs being printed if debug logging is enabled. docker/cli#6160
• Quote SSH arguments when connecting to a remote daemon over an SSH connection to avoid unexpected expansion. docker/cli#6147
• Warn when DOCKER_AUTH_CONFIG is set during docker login and docker logout. docker/cli#6163

Packaging updates

• Update Compose to v2.38.2. docker/docker-ce-packaging#1225
• Update Docker Model CLI plugin to v0.1.33. docker/docker-ce-packaging#1227
• Update Go runtime to 1.24.5. moby/moby#50354

28.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.1 milestone
• moby/moby, 28.3.1 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Packaging updates

• Update BuildKit to v0.23.2. moby/moby#50309
• Update Compose to v2.38.1. docker/docker-ce-packaging#1221
• Update Model to v0.1.32 which adds the support for the new top-level models: key in Docker Compose. docker/docker-ce-packaging#1222

28.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.0 milestone
• moby/moby, 28.3.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add support for AMD GPUs in docker run --gpus. moby/moby#49952
• Use DOCKER_AUTH_CONFIG as a credential store. docker/cli#6008

Bug fixes and enhancements

• Ensure that the state of the container in the daemon database (used by /containers/json API) is up to date when the container is stopped using the /containers/{id}/stop API (before response of API). moby/moby#50136
• Fix docker image inspect inspect omitting empty fields. moby/moby#50135
• Fix docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
• Fix docker pull/push hang in non-interactive when authentication is required caused by prompting for login credentials. docker/cli#6141
• Fix a potential resource leak when a node leaves a Swarm. moby/moby#50115
• Fix a regression where a login prompt on docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50211
• Remove an undocumented, hidden, top-level docker remove command that was accidentally introduced in Docker 23.0. docker/cli#6144
• Validate registry-mirrors configuration as part of dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240
• dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
• containerd image store: Fix docker push not creating a tag on the remote repository. moby/moby#50199
• containerd image store: Improve handling of errors returned by the token server during docker pull/push. moby/moby#50176

Packaging updates

• Allow customizing containerd service name for OpenRC. moby/moby#50156
• Update BuildKit to v0.23.1. moby/moby#50243
• Update Buildx to v0.25.0. docker/docker-ce-packaging#1217
• Update Compose to v2.37.2. docker/docker-ce-packaging#1219
• Update Docker Model CLI plugin to v0.1.30. docker/docker-ce-packaging#1218
• Update Go runtime to 1.24.4. docker/docker-ce-packaging#1213, moby/moby#50153, docker/cli#6124

Networking

• Revert Swarm related changes added in 28.2.x builds, due to a regression reported in #50129. moby/moby#50169
  • Revert: Fix an issue where docker network inspect --verbose could sometimes crash the daemon (#49937).
  • Revert: Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network (#49948).
  • Revert: Improve the reliability of NetworkDB in busy clusters and lossy networks (#49932).
  • Revert: Improvements to the reliability and convergence speed of NetworkDB (#49939).
• Fix an issue that could cause container startup to fail, or lead to failed UDP port mappings, when some container ports are mapped to 0.0.0.0 and others are mapped to specific host addresses. moby/moby#50054
• The network inspect response for an overlay network now reports that EnableIPv4 is true. moby/moby#50147
• Windows: Improve daemon startup time in cases where the host has networks of type "Mirrored". moby/moby#50155
• Windows: Make sure docker system prune and docker network prune only remove networks created by Docker. moby/moby#50154

API

• Update API version to 1.51. moby/moby#50145
• GET /images/json now sets the value of the Containers field for all images to the count of containers using the image. moby/moby#50146

Deprecations

• Empty/nil image config fields in the GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129
• api/types/container: deprecate ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
• pkg/idtools: deprecate IdentityMapping and Identity.Chown. moby/moby#50210

28.3.0-rc.2

For a full list of changes from the last release candidate refer to the diff:

• moby/moby, 28.3.0-rc.1...28.3.0-rc.2
• docker/cli, 28.3.0-rc.1...28.3.0-rc.2

New

• Use DOCKER_AUTH_CONFIG as a credential store. docker/cli#6008

Bug fixes and enhancements

• Fix docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
• Fix docker pull/push hang in non-interactive when authentication is required caused by prompting for login credentials. docker/cli#6141
• Fix a regression where a login prompt on docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50211
• Remove an undocumented, hidden, top-level docker remove command that was accidentally introduced in docker 23.0. docker/cli#6144
• Validate registry-mirrors configuration as part of dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240

Packaging updates

• Update Compose to v2.37.2. docker/docker-ce-packaging#1219
• Update BuildKit to v0.23.1. moby/moby#50243
• Update Buildx to v0.25.0. docker/docker-ce-packaging#1217
• Update Docker Model CLI plugin to v0.1.30. docker/docker-ce-packaging#1218

Deprecations

• api/types/container: deprecate ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
• pkg/idtools: deprecate IdentityMapping and Identity.Chown. moby/moby#50210

25.0.11

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.11 milestone
• Changes to the Engine API, see API version history.

Networking

• [25.0] Backport network fixes by @dperny in #50005

Known Issues

• Some Swarm services are not discoverable over DNS #50129

Full Changelog: v25.0.10...v25.0.11

28.3.0-rc.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.0-rc.1 milestone
• moby/moby, 28.3.0-rc.1 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add support for AMD GPUs in docker run --gpus. moby/moby#49952

Bug fixes and enhancements

• Ensuring state of container in daemon database (used by /containers/json API) is up to date when container is stopped using /containers/{id}/stop API (before response of API). moby/moby#50136
• Fix docker image inspect inspect omitting empty fields. moby/moby#50135
• Fix a potential resource leak when a node leaves a Swarm. moby/moby#50115
• dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
• containerd image store: Fix docker push not creating a tag on the remote repository. moby/moby#50199
• containerd image store: Improve handling of errors returned by the token server during docker pull/push. moby/moby#50176

Packaging updates

• Allow customizing containerd service name for OpenRC. moby/moby#50156
• Update BuildKit to v0.23.0-rc1. moby/moby#50174
• Update Compose to v2.37.1. docker/docker-ce-packaging#1214
• Update Go runtime to 1.24.4. docker/docker-ce-packaging#1213, moby/moby#50153, docker/cli#6124

Networking

• Fix an issue that could cause container startup to fail, or lead to failed UDP port mappings, when some container ports are mapped to 0.0.0.0 and others are mapped to specific host addresses. moby/moby#50054
• Revert Swarm related changes added in 28.2.x builds, due to a regression reported in #50129. Including:. moby/moby#50169
• Revert: Fix an issue where docker network inspect --verbose could sometimes crash the daemon (#49937). moby/moby#50169
• Revert: Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network (#49948). moby/moby#50169
• Revert: Improve the reliability of NetworkDB in busy clusters and lossy networks (#49932). moby/moby#50169
• Revert: Improvements to the reliability and convergence speed of NetworkDB (#49939). moby/moby#50169
• The network inspect response for an overlay network now reports that EnableIPv4 is true. moby/moby#50147
• Windows: Improve daemon startup time in cases where the host has networks of type "Mirrored". moby/moby#50155
• Windows: Make sure "docker system prune" and "docker network prune" only remove networks created by Docker. moby/moby#50154

API

• Update API version to 1.51. moby/moby#50145
• GET /images/json now sets the value of Containers field for all images to the count of containers using the image. moby/moby#50146

Deprecations

• Empty/nil image config fields in the GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129

28.2.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.2.2 milestone
• moby/moby, 28.2.2 milestone

Bug fixes and enhancements

• containerd image store: Fix a regression causing docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105

Networking

• When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot. moby/moby#50098

28.2.1

Packaging updates

• Fix packaging regression in v28.2.0 which broke creating the docker group/user on fresh installations. docker-ce-packaging#1209