Docker 20.10.0 was released on December 9, 2020, with CentOS 8 support, Fedora support, graduation of Rootless mode, and a lot of features. This release is the first major release after Docker 19.03.0, which was released on July 22, 2019.
The installer script is available at https://get.docker.com
$ curl -fsSL https://get.docker.com/ | sh
Docker 19.03 containers on CentOS 8 hosts had issues with resolving hostnames and exposing ports, because Docker 19.03 did not automatically set up firewalld. Users had to configure firewalld manually by themselves to run Docker on CentOS 8 hosts.
The issues are resolved in Docker 20.10. So, now you can install Docker to CentOS 8 without concern.
With regard to RHEL 8, neither Docker, Inc. nor Red Hat, Inc. still ships Docker packages for RHEL 8. However, probably you can just install CentOS 8 RPMs to RHEL 8 at your own risk: https://download.docker.com/linux/centos/8/x86_64/stable/Packages/
Docker 19.03 didn’t support cgroup v2, which is Fedora’s default cgroup version since Fedora 31. Fedora users had to switch back the cgroup version to v1 for running Docker.
Docker 20.10 supports cgroup v2 and works on Fedora by default.
Docker 20.10 on Fedora 33
Rootless mode means running the entire Docker environment including Docker daemon and containers without the root privileges.
Rootless mode graduated from experimental in this release, with addition of a lot of features.
Supports setting up resource limitations
Setting resource limitations for containers (docker run –cpus , docker run –memory , docker run –pids-limit, …) with Rootless mode was not possible in Docker 19.03, due to lack of support for cgroup.
Docker 20.10 supports setting these limitations on hosts with cgroup v2. Note that cgroup v1 is not supported and will not be supported, due to security concerns.
See https://rootlesscontaine.rs/getting-started/common/cgroup2/ for how to set up cgroup v2 for Rootless mode.
Mounting OverlayFS without the root is not supported on most host operating systems except Ubuntu and Debian. So, Rootless Docker 19.03 running on a non-Ubuntu/non-Debian host could not deduplicate files using OverlayFS.
Docker 20.10 supports FUSE-OverlayFS, which is an unprivileged alternative for OverlayFS and works on any host with kernel ≥ 4.18.
Docker 20.10 automatically falls back into FUSE-OverlayFS when OverlayFS is not functional but FUSE-OverlayFS is functional.
Supports RPM/DEB installation
The RPMs and DEBs of Docker 19.03 did not contain the binaries needed for Rootless mode. So, a user had to install Rootless Docker under $HOME using https://get.docker.com/rootless or extract the binary archive to /usr/local/bin manually.
The Rootless binaries are now included in the official RPMs and DEBs. So, the rootless installer script https://get.docker.com/rootless is no longer required, but using this script is still supported as well.
To enable Rootless mode with RPM/DEB-installed Docker, run the following script as a non-root user:
$ dockerd-rootless-setuptool.sh install
This tool does not install any binary under $HOME , but installs the systemd unit under $HOME/.config/systemd/user .
As in the previous version, a Docker client needs to be launched with a custom $DOCKER_HOST variable:
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run hello-world
Docker 18.06 experimentally added a new Dockerfile instruction RUN –mount=type=cache , which can be used for preserving package managers’ cache files.
These RUN –mount=type=… instructions graduated from experimental in Docker 20.10. These instructions still need BuildKit to be enabled ( export DOCKER_BUILDKIT=1 ).
Everyone thinks Swarm is dead, but it is still alive.
Docker 20.10 adds support for running batch jobs as in Kubernetes’s Job manifests.
For example, to create a file /etc/some-file on the host filesystem on all the Swarm nodes, run the following command:
$ docker service create
sh -exc “echo foo > /mnt/etc/some-file”
- docker run now supports –pull=(always|missing|never) flag
- docker build now supports docker build -t foo ssh://USER@github.com/REPO to build an image from a private git repo
- docker buildx is now out of experimental
- The host IP can be now exposed to containers with docker run –add-host=host.docker.internal:host-gateway
- Dockerfile: supports COPY –chmod and ADD –chmod
- Dockerfile: supports multi-value ARG , e.g. ARG foo=123 bar=456
See here for the full changes: https://docs.docker.com/engine/release-notes/
Aside from the release of Docker 20.10, there were lots of news about Docker recently.
Docker Compose CLI for Amazon ECS and Azure ACI
The new Docker Compose CLI ( docker compose up , not docker-compose up ) supports running compose stacks on Amazon Elastic Container Service (ECS) and Azure Container Instances (ACI) directly, without using Docker daemon.
The new Docker Compose CLI is not a part of Docker 20.10, but included in the recent versions of Docker for Mac/Win. To install the new Docker Compose CLI on Linux, see https://github.com/docker/compose-cli .
BuildKit is enabled by default on Mac/Win
Starting with September 2020 (Docker Desktop 2.4), BuildKit has been enabled by default on Docker for Mac/Win.
This change does not apply to Docker for Linux. To enable BuildKit on Linux, see here.
CSI support for Swarm
Docker Swarm-mode is going to support distributed data volumes using Container Storage Interface (CSI). The work is in progress here: https://github.com/docker/swarmkit/commits/feature-volumes
$ docker scan nginx:alpine
Thedocker scan CLI needs logging into Docker Hub ( docker login ) and optionally Snyk. Scanning local images is limited to 10 times per month for free users without Snyk auth, and 200 times per month with Snyk auth: https://www.docker.com/pricing
Also, the docker scan CLI is a currently proprietary product, and not available for Linux. A good FLOSS alternative for docker scan is Trivy: https://github.com/aquasecurity/trivy
Docker Hub quota
- Without logging in: “100 pulls per 6 hours per IP address”
- With a free account: “200 pulls per 6 hour period”
- With a paid account: “Unlimited”
Especially, the limitation for anonymous accesses is causing serious issues for people running Docker in CI environments. These users are already switching away from Docker Hub to other registry services with less severe restrictions for anonymous accesses. e.g.
- GitHub Container Registry: “free for public repositories”
- Quay: “unlimited storage and serving of public repositories”
- Amazon ECR Public: “Anyone who pulls images anonymously gets 500 GB of free data bandwidth each month“
In addition, Docker Hub was also planning to remove inactive images, but the removal is now postponed to “mid 2021”: https://docs.docker.com/docker-hub/download-rate-limit/
dockershim is spinning off from Kubernetes
Kubernetes deprecated its native support for Docker ( dockershim ) in Kubernetes 1.20 (December 8, 2020), and they are going to remove dockershim completely in late 2021. Future version of Kubernetes will only support CRI-compliant runtimes such as containerd and CRI-O.
dockershim vs CRI
Note that Docker is only being deprecated as the first-class supported runtime for Kubernetes. Docker is not dead. Docker can be still used outside Kubernetes. And of course, using docker build for building images for Kubernetes is also 100% fine, because all the CRI runtimes as well as Docker implement the OCI Specifications.
Also, deprecation of dockershim does not really mean Docker can no longer be used as a Kubernetes runtime. Mirantis announced that they will take over dockershim and reform it into a standalone CRI runtime called cri-dockerd: https://github.com/Mirantis/cri-dockerd
cri-dockerd will work exactly same as dockershim except that it is not a built-in feature of Kubernetes. However, typical Kubernetes users will not need cri-dockerd, because they can just switch away from Docker to containerd, without breaking any compatibility in most cases.
For Docker 20.10, we NTT made significant contributions including support for cgroup v2 and rootless mode. We are looking for engineers who work in Open Source communities like Docker, Kubernetes, containerd, and their relevant projects. Visit https://www.rd.ntt/e/sic/recruit/ to see how to join us.