New features in Docker 20.10 (Yes, it’s alive)
Docker 20.10.0 was released on December 9, 2020, with CentOS 8 support, Fedora support, graduation of Rootless mode, and a lot of features. This release is the first major release after Docker 19.03.0, which was released on July 22, 2019.
The installer script is available at https://get.docker.com
$ curl -fsSL https://get.docker.com/ | shWorks on CentOS 8 by default (firewalld)
Docker 19.03 containers on CentOS 8 hosts had issues with resolving hostnames and exposing ports, because Docker 19.03 did not automatically set up firewalld. Users had to configure firewalld manually by themselves to run Docker on CentOS 8 hosts.
The issues are resolved in Docker 20.10. So, now you can install Docker to CentOS 8 without concern.
With regard to RHEL 8, neither Docker, Inc. nor Red Hat, Inc. still ships Docker packages for RHEL 8. However, probably you can just install CentOS 8 RPMs to RHEL 8 at your own risk: https://download.docker.com/linux/centos/8/x86_64/stable/Packages/
Works on Fedora by default (cgroup v2)
Docker 19.03 didn’t support cgroup v2, which is Fedora’s default cgroup version since Fedora 31. Fedora users had to switch back the cgroup version to v1 for running Docker.
Docker 20.10 supports cgroup v2 and works on Fedora by default.
Rootless mode reached GA
Rootless mode means running the entire Docker environment including Docker daemon and containers without the root privileges.
Rootless mode graduated from experimental in this release, with addition of a lot of features.
Supports setting up resource limitations
Setting resource limitations for containers (docker run --cpus , docker run --memory , docker run --pids-limit, …) with Rootless mode was not possible in Docker 19.03, due to lack of support for cgroup.
Docker 20.10 supports setting these limitations on hosts with cgroup v2. Note that cgroup v1 is not supported and will not be supported, due to security concerns.
See https://rootlesscontaine.rs/getting-started/common/cgroup2/ for how to set up cgroup v2 for Rootless mode.
Supports FUSE-OverlayFS
Mounting OverlayFS without the root is not supported on most host operating systems except Ubuntu and Debian. So, Rootless Docker 19.03 running on a non-Ubuntu/non-Debian host could not deduplicate files using OverlayFS.
Docker 20.10 supports FUSE-OverlayFS, which is an unprivileged alternative for OverlayFS and works on any host with kernel ≥ 4.18.
Docker 20.10 automatically falls back into FUSE-OverlayFS when OverlayFS is not functional but FUSE-OverlayFS is functional.
Supports RPM/DEB installation
The RPMs and DEBs of Docker 19.03 did not contain the binaries needed for Rootless mode. So, a user had to install Rootless Docker under $HOME using https://get.docker.com/rootless or extract the binary archive to /usr/local/bin manually.
The Rootless binaries are now included in the official RPMs and DEBs. So, the rootless installer script https://get.docker.com/rootless is no longer required, but using this script is still supported as well.
To enable Rootless mode with RPM/DEB-installed Docker, run the following script as a non-root user:
$ dockerd-rootless-setuptool.sh installThis tool does not install any binary under $HOME , but installs the systemd unit under $HOME/.config/systemd/user .
As in the previous version, a Docker client needs to be launched with a custom $DOCKER_HOST variable:
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run hello-worldDockerfile: RUN --mount=type=(cache|secret|ssh|…) reached GA
Docker 18.06 experimentally added a new Dockerfile instruction RUN --mount=type=cache , which can be used for preserving package managers’ cache files.
After that, Docker 18.09 experimentally added RUN --mount=type=secret for mounting credential files into “RUN” containers, and RUN --mount=type=ssh for injecting SSH credentials.
These RUN --mount=type=... instructions graduated from experimental in Docker 20.10. These instructions still need BuildKit to be enabled ( export DOCKER_BUILDKIT=1 ).
Swarm Jobs
Everyone thinks Swarm is dead, but it is still alive.
Docker 20.10 adds support for running batch jobs as in Kubernetes’s Job manifests.
For example, to create a file /etc/some-file on the host filesystem on all the Swarm nodes, run the following command:
$ docker service create \
--name create-file-on-all-nodes \
--mode global-job \
--mount type=bind,src=/,dst=/mnt \
alpine \
sh -exc "echo foo > /mnt/etc/some-file"Other notable changes in Docker 20.10
docker runnow supports--pull=(always|missing|never)flagdocker buildnow supportsdocker build -t foo ssh://USER@github.com/REPOto build an image from a private git repodocker buildxis now out of experimental- The host IP can be now exposed to containers with
docker run --add-host=host.docker.internal:host-gateway - Dockerfile: supports
COPY --chmodandADD --chmod - Dockerfile: supports multi-value
ARG, e.g.ARG foo=123 bar=456
See here for the full changes: https://docs.docker.com/engine/release-notes/
Other recent news about Docker
Aside from the release of Docker 20.10, there were lots of news about Docker recently.
Docker Compose CLI for Amazon ECS and Azure ACI
The new Docker Compose CLI ( docker compose up , not docker-compose up ) supports running compose stacks on Amazon Elastic Container Service (ECS) and Azure Container Instances (ACI) directly, without using Docker daemon.
The new Docker Compose CLI is not a part of Docker 20.10, but included in the recent versions of Docker for Mac/Win. To install the new Docker Compose CLI on Linux, see https://github.com/docker/compose-cli .
BuildKit is enabled by default on Mac/Win
Starting with September 2020 (Docker Desktop 2.4), BuildKit has been enabled by default on Docker for Mac/Win.
This change does not apply to Docker for Linux. To enable BuildKit on Linux, see here.
CSI support for Swarm
Docker Swarm-mode is going to support distributed data volumes using Container Storage Interface (CSI). The work is in progress here: https://github.com/docker/swarmkit/commits/feature-volumes
Vulnerability scanner
The docker scan command included in Docker for Mac/Win scans vulnerabilities in images using Snyk as the backend.
$ docker scan nginx:alpineThedocker scan CLI needs logging into Docker Hub ( docker login ) and optionally Snyk. Scanning local images is limited to 10 times per month for free users without Snyk auth, and 200 times per month with Snyk auth: https://www.docker.com/pricing
Also, the docker scan CLI is a currently proprietary product, and not available for Linux. A good FLOSS alternative for docker scan is Trivy: https://github.com/aquasecurity/trivy
Docker Hub quota
Starting with November 2020, Docker Hub imposes limits on counts of docker pull .
- Without logging in: “100 pulls per 6 hours per IP address”
- With a free account: “200 pulls per 6 hour period”
- With a paid account: “Unlimited”
Especially, the limitation for anonymous accesses is causing serious issues for people running Docker in CI environments. These users are already switching away from Docker Hub to other registry services with less severe restrictions for anonymous accesses. e.g.
- GitHub Container Registry: “free for public repositories”
- Quay: “unlimited storage and serving of public repositories”
- Amazon ECR Public: “Anyone who pulls images anonymously gets 500 GB of free data bandwidth each month“
In addition, Docker Hub was also planning to remove inactive images, but the removal is now postponed to “mid 2021”: https://docs.docker.com/docker-hub/download-rate-limit/
dockershim is spinning off from Kubernetes
Kubernetes deprecated its native support for Docker ( dockershim ) in Kubernetes 1.20 (December 8, 2020), and they are going to remove dockershim completely in late 2021. Future version of Kubernetes will only support CRI-compliant runtimes such as containerd and CRI-O.
Note that Docker is only being deprecated as the first-class supported runtime for Kubernetes. Docker is not dead. Docker can be still used outside Kubernetes. And of course, using docker build for building images for Kubernetes is also 100% fine, because all the CRI runtimes as well as Docker implement the OCI Specifications.
Also, deprecation of dockershim does not really mean Docker can no longer be used as a Kubernetes runtime. Mirantis announced that they will take over dockershim and reform it into a standalone CRI runtime called cri-dockerd: https://github.com/Mirantis/cri-dockerd
cri-dockerd will work exactly same as dockershim except that it is not a built-in feature of Kubernetes. However, typical Kubernetes users will not need cri-dockerd, because they can just switch away from Docker to containerd, without breaking any compatibility in most cases.
NTT is hiring!
For Docker 20.10, we NTT made significant contributions including support for cgroup v2 and rootless mode. We are looking for engineers who work in Open Source communities like Docker, Kubernetes, containerd, and their relevant projects. Visit https://www.rd.ntt/e/sic/recruit/ to see how to join us.
私たちNTTは、Docker 20.10に対してcgroup v2やrootlessモードの対応などをコントリビュートしました。NTTでは、Docker、Kubernetes、containerd などのオープンソースコミュニティで共に活動する仲間を募集しています。ぜひ弊社採用情報ページをご覧ください: https://www.rd.ntt/sic/recruit/
