29.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Caution: This release includes several breaking changes and deprecations. Review the release notes carefully before upgrading.

  • Experimental support for nftables can now be enabled by setting Docker daemon's firewall-backend option to nftables. For more information, see Docker Engine docs.
  • containerd image store is now the default for fresh installs. This doesn't apply to daemons configured with userns-remap (see [#47377]).

Breaking Changes

  • The Go module github.com/docker/docker is deprecated in favor of github.com/moby/moby/client and github.com/moby/moby/api. The github.com/moby/moby module is considered an internal implementation detail - the only supported public modules are client and api. Starting with v29, releases are tagged with the docker- prefix (e.g., docker-v29.0.0). This only affects Go module users and package maintainers.
  • The daemon now requires API version v1.44 or later (Docker v25.0+).
  • Debian armhf (32-bit) packages now target ARMv7 CPUs and will not work on ARMv6 devices.
  • Official Raspbian (32-bit) packages are no longer provided. Use Debian arm64 packages for 64-bit devices, or Debian armhf packages for 32-bit ARMv7 devices.
  • cgroup v1 is deprecated. Support continues until at least May 2029, but migrate to cgroup v2 as soon as possible. See [#51111].
  • Docker Content Trust was removed from the Docker CLI. It can be built as a separate plugin: https://github.com/docker/cli/blob/v29.0.0/cmd/docker-trust/main.go

New

Bug fixes and enhancements

Packaging updates

  • client: remove legacy CBC cipher suites from client config. [#50126]
  • contrib: remove editorconfig as it was unmaintained. [#50607]
  • contrib: remove Dockerfile syntax highlighting files for nano and TextMate (tmbundle) as they were unmaintained and outdated. [#50606]
  • contrib: remove mkimage-xxx scripts as they were unmaintained and not tested. [#50297]
  • The Windows overlay network driver now supports option --dns. [#51229]
  • Update BuildKit to v0.25.2. [#51397]
  • Update Go runtime to 1.25.4. [#51418], [docker/cli#6632](https://github.com/docker/cli/issues/6632)
  • Users can request a specific prefix size for networks allocated from the default pools by using the unspecified address, for example --subnet 0.0.0.0/24 --subnet ::/96. [#50114]
      • If Docker is downgraded to a version that does not have this support, the network will become unusable and must be deleted and re-created. [#50114]

Networking

  • Add daemon option --bridge-accept-fwmark. Packets with this firewall mark will be accepted by bridge networks, overriding Docker's iptables or nftables "drop" rules. [#50476]
  • api/types/system: deprecated top level DiskUsage fields for type specific fields. [#51235]
  • Ensure bridge devices are removed when bridge network creation fails. [#51147]
  • Ensure that Windows NAT networks are recreated with their original labels when the Engine restarts. [#50447]
  • Environment variables set on a container using legacy links are deprecated and aren't added automatically anymore. [#50719]
      • The daemon can be started with DOCKER_KEEP_DEPRECATED_LEGACY_LINKS_ENV_VARS=1 to get them back.
      • Users are encouraged to stop relying on these as they're deprecated, and the escape hatch will be removed in a later version.
  • Fix a bug in NetworkDB which would sometimes cause entries to get stuck deleted on some of the nodes, leading to connectivity issues between containers on overlay networks. [#50342]
  • Fix a bug that could cause the Engine and another host process to bind the same UDP port. [#50669]
  • Fix a deadlock that could happen if a firewalld reload was processed while the bridge networking driver was starting up, or creating or deleting a network, or creating port-mappings. [#50620]
  • Fix an issue preventing container startup or selection of its network gateway when IPv6 is only disabled on a specific interface. [#48971]
  • For Linux, docker info now reports the firewall backend if available. [docker/cli#6191](https://github.com/docker/cli/issues/6191)
  • Greatly improve the reliability of overlay networking and the Swarm routing mesh. [#50393]
  • Improve the convergence rate of NetworkDB, part of the management plane for overlay networking, after bursts of updates. [#50193]
  • Improve the reliability of the overlay network driver. [#50260]
  • Improved error handling for connection of a container to a network. [#50945]
  • macvlan and ipvlan-l2 networks: no default gateway will be configured unless a --gateway is explicitly included in IPAM configuration. This addresses an issue which could cause container startup to fail in networks with IPv6 auto-configuration enabled. [#50929]
  • nftables: Docker will not enable IP forwarding on the host. If forwarding is needed by a bridge network but is not enabled, daemon startup or network creation will fail with an error. You must either enable forwarding and ensure firewall rules are in place to prevent unwanted forwarding between non-Docker interfaces, or use daemon option --ip-forward=false to disable the check, in which case some bridge network functionality, including port forwarding, may not work. See Engine Docs for more information about migration from iptables to nftables. [#50646]
  • On daemon startup, restart containers that share their network stacks before containers that need those stacks. [#50327]
  • Published ports are now always accessible in networks with gateway mode "routed". Previously, rules to open those ports were only added when the routed mode network was selected as the container's default gateway. [#50140]
  • Since 28.0.0, an iptables mangle rule for checksumming SCTP was only added if environment variable DOCKER_IPTABLES_SCTP_CHECKSUM=1 was set. The rule has now been removed, and the environment variable now has no effect. [#50539]
  • The iptables rules for bridge networks have been updated, including removal of the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains. With these changes: [#49981]
      • Containers can now access ports published to host addresses by containers in other networks when the userland-proxy is not running.
      • Containers can now access ports on container addresses in other networks that have gateway mode "nat-unprotected".
  • When dynamically linked, the Docker daemon now depends on libnftables. [#51033]
  • Windows: network inspect: the HNS network name is now reported in option com.docker.network.windowsshim.networkname rather than the Docker network name, which was only reported after a daemon restart. [#50961]
  • Windows: when restoring networks on daemon restart, preserve their association with non-default IPAM drivers. [#50649]
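
A pre-upgrade check for the nftables forwarding item above and for the breaking changes listed earlier, as an added example that is not part of the release notes or the Moby code base. The function name, the severity labels and the sample inputs are constructed for illustration; treating both the IPv4 and IPv6 forwarding sysctls as relevant is an assumption, since which one a given bridge network needs depends on its configuration.

```python
import json

# Constructed sample inputs (not from a real host): a daemon.json body and the
# values a host would expose in /proc/sys/net/ipv4/ip_forward and
# /proc/sys/net/ipv6/conf/all/forwarding.
SAMPLE_DAEMON_JSON = '{"firewall-backend": "nftables", "userns-remap": "default"}'
SAMPLE_SYSCTL = {"ipv4": "0", "ipv6": "1"}


def preflight(daemon_json, sysctl, cgroup_v2, daemon_env=None):
    """Return (severity, message) findings for a planned v29 upgrade."""
    cfg = json.loads(daemon_json or "{}")
    env = daemon_env or {}
    findings = []

    if cfg.get("firewall-backend") == "nftables":
        if cfg.get("ip-forward") is False:
            # --ip-forward=false turns the daemon's forwarding check off.
            findings.append(("warn", "ip-forward=false: forwarding check is off; "
                             "port forwarding on bridge networks may not work"))
        else:
            # With nftables the daemon no longer enables forwarding itself.
            for family, value in sorted(sysctl.items()):
                if value.strip() != "1":
                    findings.append(("fail", f"{family} forwarding is disabled; "
                                     "bridge networks that need it will fail"))
                else:
                    findings.append(("warn", f"{family} forwarding is enabled; confirm "
                                     "rules block forwarding between non-Docker interfaces"))

    if cfg.get("userns-remap"):
        findings.append(("info", "userns-remap is set: the containerd image store "
                         "default does not apply to this daemon"))
    if not cgroup_v2:  # caller decides, e.g. /sys/fs/cgroup/cgroup.controllers exists
        findings.append(("warn", "cgroup v1 is deprecated; plan migration to cgroup v2"))
    if env.get("DOCKER_KEEP_DEPRECATED_LEGACY_LINKS_ENV_VARS") == "1":
        findings.append(("warn", "legacy links env vars escape hatch is in use; "
                         "it will be removed in a later version"))
    return findings


if __name__ == "__main__":
    for severity, message in preflight(SAMPLE_DAEMON_JSON, SAMPLE_SYSCTL, cgroup_v2=False):
        print(f"[{severity}] {message}")
```
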

API

  • events API now reports content-type as application/x-ndjson for newline-delimited JSON event stream. [#50953]
  • GET /images/{name}/get and POST /images/load now accept multiple platform query parameters, allowing export and load of images for multiple platforms. [#50166]
  • GET /images/{name}/json now omits the following fields if their value is empty: Parent, Comment, DockerVersion, Author. [#51072]
  • GET /images/{name}/json: omit empty Config fields when not set. [#50915]
  • POST /images/{name:}/push: remove compatibility with API v1.4 auth-config in body. [#50371]
  • Add support for memory swappiness in Swarm services. [#51114]
      • GET /services now returns SwapBytes and MemorySwappiness fields as part of the Resource requirements.
      • GET /services/{id} now returns SwapBytes and MemorySwappiness fields as part of the Resource requirements.
      • POST /services/create now accepts SwapBytes and MemorySwappiness fields as part of the Resource requirements.
      • POST /services/{id}/update now accepts SwapBytes and MemorySwappiness fields as part of the Resource requirements.
      • GET /tasks now returns SwapBytes and MemorySwappiness fields as part of the Resource requirements.
      • GET /tasks/{id} now returns SwapBytes and MemorySwappiness fields as part of the Resource requirements.
  • api/types/build: move CachePruneOptions type to client.BuildCachePruneOptions. [#50772]
  • api/types/checkpoint: move checkpoint options to client module. [#50905]
  • api/types/container: OnBuild will now be omitted if its value is empty or zero. [#51154]
  • api/types/container: make the container config MacAddress obsolete for v1.52 and onwards. Use network endpoint settings instead. [#51189]
  • api/types/container: move ResizeOptions type to ContainerResizeOptions in the client. [#50773]
  • api/types/events: move ListOptions type to the client EventsListOptions. [#50774]
  • api/types/image: move image options out to the client. [#50776]
  • api/types/network: move CreateOptions, ConnectOptions and DisconnectOptions to the client module. [#50817]
  • api/types/network: move the ListOptions and InspectOptions types to the client. [#50786]
  • api/types/plugin: change ListResponse to a non-pointer slice. [#51440]
  • api/types/plugin: remove deprecated Config.DockerVersion. [#51458]
  • api/types/registry: move SearchOptions to ImageSearchOptions in the client. [#50787]
  • api/types/registry: moved ServiceConfig legacy field marshaling support into daemon backend. [#50826]
  • api/types/registry: moved encode/decode auth config functions into reference utility package. [#50785]
  • api/types/storage: add Storage type and integrate in container inspect. [#50857]
  • api/types/swarm: deprecated and dropped support for PortConfigProtocol; use network.IPProtocol instead. [#51094]
  • api/types/swarm: move option types to the client module. [#50794]
  • api/types/swarm: move the SecretListOptions type to the client module. [#50816]
  • api/types/system: move DiskUsageOptions to the client. [#50788]
  • api/types/system: move SecurityOpt and DecodeSecurityOptions to client module. [#50825]
  • api/types/volume: change ListResponse.Volumes to a non-pointer slice. [#51454]
  • api/types/volume: move the ListOptions type to the client module. [#50789]
  • api/types/volume: moved UpdateOptions into client module. [#51205]
  • api/types: daemon: move the disk usage structs to the backend server. [#50764]
  • api: make GraphDriver field in image.InspectResponse optional. This field will continue to be emitted when using the legacy graph drivers and will be omitted when using the containerd image backend. [#50893]
  • api: redefine container network port types. [#50710]
  • client: PluginListResult: change Items field to a non-pointer slice. [#51440]
  • Inspecting networks with API v1.52 and newer provides statistics about IPAM allocations for the subnets assigned to the network. [#50917]
  • MAC address fields are represented as byte slices compatible with the standard library net.HardwareAddr type instead of strings. [#51355]
  • Swagger definitions for NetworkSummary and NetworkInspect have been added to the Swagger spec describing the Engine API. [#50855]
  • Update API version to 1.52. [#50418]

Go SDK

  • api/pkg/progress and api/pkg/streamformatter have been removed. [#51153]
  • api/types/registry: EncodeAuthConfig: use empty string for zero value. [#50426]
  • api/types/versions has moved to the client and daemon. [#51284]
  • client.ConfigCreate, client.ConfigList, client.ConfigInspectWithRaw, client.ConfigUpdate, and client.ConfigRemove methods now accept option structs instead of positional arguments, and return dedicated result structs. [#51078]
  • client.ImageBuild, client.BuildCancel, client.ImageList, client.ImageRemove, client.ImageTag, and client.ImageSearch methods now accept option structs instead of positional arguments, and return dedicated result structs. [#51227]
  • client: ContainerExec... methods were renamed to Exec.... [#51262]
  • client: Wrap return values of ImageInspect, ImageHistory, ImageLoad and ImageSave in a struct. [#51236]
  • ImagePull now returns an object with a JSONMessages method that returns an iterator over the message objects. [#50935]
  • ImagePush now returns an object with a JSONMessages method that returns an iterator over the message objects. [#51148]
  • api/types/container: move StatsResponseReader to client package. [#50521]
  • api/types/container: move container options to client. [#50897]
  • api/types/container: rename Port to PortSummary. [#50711]
  • api/types/container: StatsResponse: add OSType field. [#51305]
  • api/types: move ErrorResponse to common/ErrorResponse. [#50632]
  • api: remove unused DefaultVersion, MinSupportedAPIVersion consts. [#50587]
  • cli/command: add WithUserAgent option. [docker/cli#4574](https://github.com/docker/cli/issues/4574)
  • client: ContainerCommitOptions: remove Pause field in favor of NoPause. [#51019]
  • client: add DefaultAPIVersion const, which defines the default (and maximum) API version supported by the client. [#50433]
  • client: add ExecAPIClient interface for exec methods provided by the client. [#50997]
  • client: Client.PluginList: add options-struct. [#51207]
  • client: ContainersPrune: rewrite to use option structs and result. [#51200]
  • client: ImagesPrune: rewrite to use option structs and result. [#51200]
  • client: NetworksPrune: rewrite to use option structs and result. [#51200]
  • client: remove client.ContainerStatsResult.OSType field. [#51305]
  • client: VolumesPrune: rewrite to use option structs and result. [#51200]
  • daemon/config: add DefaultAPIVersion const, which defines the default (and maximum) API version supported by the daemon. [#50436]
  • Fix data race in ContainerExecStart, ContainerList, and Events. [#50448]
  • IP addresses and subnets are now of type netip.Addr and netip.Prefix, respectively. [#50956]
  • Remove structs NetworkSettingsBase and DefaultNetworkSettings. Fields in NetworkSettingsBase that were not deprecated are now directly in NetworkSettings. [#50846]
  • The client now uses its own client.Filters type for filtering API requests, with a more ergonomic interface. Users of the github.com/docker/docker/api/types/filters package will need to refactor when they upgrade to the v29 client. [#51115]
  • Types "github.com/moby/moby/api/types/network".Summary and "github.com/moby/moby/api/types/network".Inspect are no longer aliases, and most of their fields have been moved into an embedded struct. Engine API clients may require some source-level changes when migrating to the new github.com/moby/moby/api module. [#50878]
  • Update minimum go version to go1.24. [docker/cli#6624](https://github.com/docker/cli/issues/6624)

Deprecations

Source: README.md, updated 2025-11-10