moby/moby docker-v29.5.0-rc.1

v29.5.0-rc.1

on GitHub

29.5.0-rc.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.5.0 milestone
• moby/moby, 29.5.0 milestone

New

• Enable private time namespace for containers by default on supported kernels. moby/moby#52326
• The local logging-driver now has support for custom attributes, adding support for the label, label-regex, env, env-regex, and tag log-options. moby/moby#52348
• Windows: The daemon now supports listening on a Unix socket (-H unix://...), with optional group-based access control via --group. moby/moby#52365

Security

• CVE-2026-32288: Fix a denial of service where pulling a maliciously crafted image could cause the daemon to allocate unbounded memory when processing sparse tar archives. GHSA-x4jj-h2v8-hqqv. moby/moby#52478

Bug fixes and enhancements

• Add "time-namespaces" feature-flag to disable time-namespaces. moby/moby#52577
• Daemon reload events now signify that the daemon reload has fully completed. moby/moby#52589
• Expose diagnostic data about userland proxy in docker info. moby/moby#52321
• Fix docker image ls --filter reference=... (GET /images/json) to also match fully qualified canonical image names (e.g. docker.io/library/alpine), not only the familiar short form. moby/moby#52333
• Fix a bug where leaving an autolock-enabled swarm could leave orphaned state, causing subsequent swarm init to fail with "Swarm is encrypted and needs to be unlocked". moby/moby#52479
• Fix an issue where logging errors logged to the daemon log show an empty string instead of the log message that failed to be logged. moby/moby#52442
• Fix incorrect SHARED SIZE and UNIQUE SIZE reporting in docker system df -v by including shared content blobs in size calculation. moby/moby#52482
• Fix volume subpath file mounts over an existing file in the image failing container creation with "not a directory". moby/moby#52584
• Sort labels in volume, network, config, and secret formatters for deterministic output. docker/cli#6954
• Swarm: Prevent corruption of Raft snapshots when swarm state is large. moby/moby#52441

Packaging updates

• Update BuildKit to v0.30.0-rc1. moby/moby#52559
• Update Go runtime to 1.26.3. moby/moby#52572, docker/cli#6967

Networking

• Fix conntrack entries being incorrectly deleted for UDP containers sharing the same port on different IPs when one container is restarted. moby/moby#52423
• Fix the userland proxy silently dropping UDP datagrams when a previous write to an unavailable backend left a stale ECONNREFUSED error on the socket. moby/moby#52483
• Rootless: Properly support --net=host and localhost registries. moby/moby#47103

Rootless

• Update RootlessKit (3.0.0). moby/moby#52319

Go SDK

• cli/config/configfile: GetAuthConfig, GetCredentialsStore: normalize hostname when resolving auth. docker/cli#6846

Deprecations

• cli/command/image/build: remove deprecated DefaultDockerfileName const. docker/cli#6737
• cli/command/image/build: remove deprecated DetectArchiveReader util. docker/cli#6737
• cli/command/image/build: remove deprecated IsArchive utility. docker/cli#6737
• cli/command/image/build: remove deprecated ResolveAndValidateContextPath util. docker/cli#6737
• cli/command/image/build: remove deprecated WriteTempDockerfile util. docker/cli#6737