New features in Docker 20.10 (Yes, it’s alive)


Akihiro Suda

Docker 20.10.0 was released on December 9, 2020, with CentOS 8 support, Fedora support, graduation of Rootless mode, and a lot of features. This release is the first major release after Docker 19.03.0, which was released on July 22, 2019.

The installer script is available at https://get.docker.com

$ curl -fsSL https://get.docker.com/ | sh

Docker 19.03 containers on CentOS 8 hosts had issues with resolving hostnames and exposing ports, because Docker 19.03 did not automatically set up firewalld. Users had to configure firewalld manually by themselves to run Docker on CentOS 8 hosts.

The issues are resolved in Docker 20.10. So, now you can install Docker to CentOS 8 without concern.

With regard to RHEL 8, neither Docker, Inc. nor Red Hat, Inc. still ships Docker packages for RHEL 8. However, probably you can just install CentOS 8 RPMs to RHEL 8 at your own risk: https://download.docker.com/linux/centos/8/x86_64/stable/Packages/

Docker 19.03 didn’t support cgroup v2, which is Fedora’s default cgroup version since Fedora 31. Fedora users had to switch back the cgroup version to v1 for running Docker.

Docker 20.10 supports cgroup v2 and works on Fedora by default.

Docker 20.10 on Fedora 33

Rootless mode means running the entire Docker environment including Docker daemon and containers without the root privileges.

Rootless mode graduated from experimental in this release, with addition of a lot of features.

Supports setting up resource limitations

Setting resource limitations for containers (docker run –cpus , docker run –memory , docker run –pids-limit, …) with Rootless mode was not possible in Docker 19.03, due to lack of support for cgroup.

Docker 20.10 supports setting these limitations on hosts with cgroup v2. Note that cgroup v1 is not supported and will not be supported, due to security concerns.

See https://rootlesscontaine.rs/getting-started/common/cgroup2/ for how to set up cgroup v2 for Rootless mode.

Supports FUSE-OverlayFS

Mounting OverlayFS without the root is not supported on most host operating systems except Ubuntu and Debian. So, Rootless Docker 19.03 running on a non-Ubuntu/non-Debian host could not deduplicate files using OverlayFS.

Docker 20.10 supports FUSE-OverlayFS, which is an unprivileged alternative for OverlayFS and works on any host with kernel ≥ 4.18.

Docker 20.10 automatically falls back into FUSE-OverlayFS when OverlayFS is not functional but FUSE-OverlayFS is functional.

Supports RPM/DEB installation

The RPMs and DEBs of Docker 19.03 did not contain the binaries needed for Rootless mode. So, a user had to install Rootless Docker under $HOME using https://get.docker.com/rootless or extract the binary archive to /usr/local/bin manually.

The Rootless binaries are now included in the official RPMs and DEBs. So, the rootless installer script https://get.docker.com/rootless is no longer required, but using this script is still supported as well.

To enable Rootless mode with RPM/DEB-installed Docker, run the following script as a non-root user:

$ dockerd-rootless-setuptool.sh install

This tool does not install any binary under $HOME , but installs the systemd unit under $HOME/.config/systemd/user .

As in the previous version, a Docker client needs to be launched with a custom $DOCKER_HOST variable:

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run hello-world

Docker 18.06 experimentally added a new Dockerfile instruction RUN –mount=type=cache , which can be used for preserving package managers’ cache files.

After that, Docker 18.09 experimentally added RUN –mount=type=secret for mounting credential files into “RUN” containers, and RUN –mount=type=ssh for injecting SSH credentials.

These RUN –mount=type=… instructions graduated from experimental in Docker 20.10. These instructions still need BuildKit to be enabled ( export DOCKER_BUILDKIT=1 ).

Everyone thinks Swarm is dead, but it is still alive.

Docker 20.10 adds support for running batch jobs as in Kubernetes’s Job manifests.

For example, to create a file /etc/some-file on the host filesystem on all the Swarm nodes, run the following command:

$ docker service create
–name create-file-on-all-nodes
–mode global-job
–mount type=bind,src=/,dst=/mnt
alpine
sh -exc “echo foo > /mnt/etc/some-file”

See here for the full changes: https://docs.docker.com/engine/release-notes/

Aside from the release of Docker 20.10, there were lots of news about Docker recently.

Docker Compose CLI for Amazon ECS and Azure ACI

The new Docker Compose CLI ( docker compose up , not docker-compose up ) supports running compose stacks on Amazon Elastic Container Service (ECS) and Azure Container Instances (ACI) directly, without using Docker daemon.

The new Docker Compose CLI is not a part of Docker 20.10, but included in the recent versions of Docker for Mac/Win. To install the new Docker Compose CLI on Linux, see https://github.com/docker/compose-cli .

BuildKit is enabled by default on Mac/Win

Starting with September 2020 (Docker Desktop 2.4), BuildKit has been enabled by default on Docker for Mac/Win.

This change does not apply to Docker for Linux. To enable BuildKit on Linux, see here.

CSI support for Swarm

Docker Swarm-mode is going to support distributed data volumes using Container Storage Interface (CSI). The work is in progress here: https://github.com/docker/swarmkit/commits/feature-volumes

Vulnerability scanner

The docker scan command included in Docker for Mac/Win scans vulnerabilities in images using Snyk as the backend.

$ docker scan nginx:alpine

Thedocker scan CLI needs logging into Docker Hub ( docker login ) and optionally Snyk. Scanning local images is limited to 10 times per month for free users without Snyk auth, and 200 times per month with Snyk auth: https://www.docker.com/pricing

Also, the docker scan CLI is a currently proprietary product, and not available for Linux. A good FLOSS alternative for docker scan is Trivy: https://github.com/aquasecurity/trivy

Docker Hub quota

Starting with November 2020, Docker Hub imposes limits on counts of docker pull .

Especially, the limitation for anonymous accesses is causing serious issues for people running Docker in CI environments. These users are already switching away from Docker Hub to other registry services with less severe restrictions for anonymous accesses. e.g.

In addition, Docker Hub was also planning to remove inactive images, but the removal is now postponed to “mid 2021”: https://docs.docker.com/docker-hub/download-rate-limit/

dockershim is spinning off from Kubernetes

Kubernetes deprecated its native support for Docker ( dockershim ) in Kubernetes 1.20 (December 8, 2020), and they are going to remove dockershim completely in late 2021. Future version of Kubernetes will only support CRI-compliant runtimes such as containerd and CRI-O.

dockershim vs CRI

Note that Docker is only being deprecated as the first-class supported runtime for Kubernetes. Docker is not dead. Docker can be still used outside Kubernetes. And of course, using docker build for building images for Kubernetes is also 100% fine, because all the CRI runtimes as well as Docker implement the OCI Specifications.

Also, deprecation of dockershim does not really mean Docker can no longer be used as a Kubernetes runtime. Mirantis announced that they will take over dockershim and reform it into a standalone CRI runtime called cri-dockerd: https://github.com/Mirantis/cri-dockerd

cri-dockerd

cri-dockerd will work exactly same as dockershim except that it is not a built-in feature of Kubernetes. However, typical Kubernetes users will not need cri-dockerd, because they can just switch away from Docker to containerd, without breaking any compatibility in most cases.

For Docker 20.10, we NTT made significant contributions including support for cgroup v2 and rootless mode. We are looking for engineers who work in Open Source communities like Docker, Kubernetes, containerd, and their relevant projects. Visit https://www.rd.ntt/e/sic/recruit/ to see how to join us.

私たちNTTは、Docker 20.10に対してcgroup v2やrootlessモードの対応などをコントリビュートしました。NTTでは、Docker、Kubernetes、containerd などのオープンソースコミュニティで共に活動する仲間を募集しています。ぜひ弊社採用情報ページをご覧ください: https://www.rd.ntt/sic/recruit/

Leave a Comment

Your email address will not be published. Required fields are marked *