Docker linux kernel version

Install Docker Engine from binaries


Note: You may have been redirected to this page because there is no longer a dynamically-linked Docker package for your Linux distribution.

If you want to try Docker or use it in a testing environment, but you’re not on a supported platform, you can try installing from static binaries. If possible, you should use packages built for your operating system, and use your operating system’s package management system to manage Docker installation and upgrades. Be aware that 32-bit static binary archives do not include the Docker daemon.

Static binaries for the Docker daemon binary are only available for Linux (as dockerd). Static binaries for the Docker client are available for Linux and macOS (as docker).

This topic discusses binary installation for both Linux and macOS:

Install daemon and client binaries on Linux

Prerequisites

Before attempting to install Docker from binaries, be sure your host machine meets the prerequisites:

  • A 64-bit installation
  • Version 3.10 or higher of the Linux kernel. The latest version of the kernel available for your platform is recommended.
  • iptables version 1.4 or higher
  • git version 1.7 or higher
  • A ps executable, usually provided by procps or a similar package.
  • XZ Utils 4.9 or higher
  • A properly mounted cgroupfs hierarchy; a single, all-encompassing cgroup mount point is not sufficient (see GitHub issues #2683, #3485, #4568).
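
The prerequisite list above can be checked mechanically before installing. The script below is an added example, not part of the Docker documentation; the function names are hypothetical, and the cgroup test only confirms that a cgroup filesystem is mounted, not that the hierarchy is laid out correctly.

```shell
#!/bin/sh
# Added example: check a host against the prerequisite versions listed above.

# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
# Anything after the leading digits and dots ("-91-generic") is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# check_tool NAME MINIMUM COMMAND...: run COMMAND, take the first version
# number on its first output line, and compare it with MINIMUM.
check_tool() {
    name=$1; min=$2; shift 2
    found=$("$@" 2>/dev/null | sed -n '1s/^[^0-9]*//p')
    if [ -n "$found" ] && version_ge "$found" "$min"; then
        echo "PASS $name ${found%% *} (need >= $min)"
    else
        echo "FAIL $name ${found:-not found} (need >= $min)"
        return 1
    fi
}

# check_prereqs: report every item; exit status is non-zero if any item fails.
check_prereqs() {
    rc=0
    if [ "$(getconf LONG_BIT 2>/dev/null)" = 64 ]; then echo "PASS 64-bit"
    else echo "FAIL 64-bit"; rc=1; fi
    check_tool kernel   3.10 uname -r           || rc=1
    check_tool iptables 1.4  iptables --version || rc=1
    check_tool git      1.7  git --version      || rc=1
    check_tool xz       4.9  xz --version       || rc=1
    if command -v ps >/dev/null 2>&1; then echo "PASS ps"
    else echo "FAIL ps not found"; rc=1; fi
    # cgroups: only confirms that a cgroup filesystem is mounted at all.
    if grep -Eq ' cgroup2? ' /proc/mounts 2>/dev/null; then echo "PASS cgroup mount"
    else echo "FAIL no cgroup mount in /proc/mounts"; rc=1; fi
    return $rc
}
```

Source the file and call check_prereqs; every item is printed so that all failures are visible in one run.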

Secure your environment as much as possible

OS considerations

Enable SELinux or AppArmor if possible.

It is recommended to use AppArmor or SELinux if your Linux distribution supports either of the two. This helps improve security and blocks certain types of exploits. Review the documentation for your Linux distribution for instructions for enabling and configuring AppArmor or SELinux.

If either of the security mechanisms is enabled, do not disable it as a work-around to make Docker or its containers run. Instead, configure it correctly to fix any problems.

Docker daemon considerations

Enable seccomp security profiles if possible. See Enabling seccomp for Docker.

Enable user namespaces if possible. See the Daemon user namespace options.

Install static binaries

Download the static binary archive. Go to https://download.docker.com/linux/static/stable/ (or change stable to nightly or test), choose your hardware platform, and download the .tgz file relating to the version of Docker Engine you want to install.

Extract the archive using the tar utility. The dockerd and docker binaries are extracted.

Optional: Move the binaries to a directory on your executable path, such as /usr/bin/. If you skip this step, you must provide the path to the executable when you invoke docker or dockerd commands.

Start the Docker daemon:

If you need to start the daemon with additional options, modify the above command accordingly or create and edit the file /etc/docker/daemon.json to add the custom configuration options.

Verify that Docker is installed correctly by running the hello-world image.

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits.

Install client binaries on macOS

The macOS binary includes the Docker client only. It does not include the dockerd daemon.

Download the static binary archive. Go to https://download.docker.com/mac/static/stable/x86_64/ (or change stable to nightly or test), and download the .tgz file relating to the version of Docker Engine you want to install.

Extract the archive using the tar utility. The docker binary is extracted.

Clear the extended attributes to allow it to run.

If executing docker/docker gives the error message: ‘docker’ is damaged and cannot be opened. You should move it to the bin.

macOS blocks the executable as a security measure, so the extended attributes that prevent it from running have to be cleared.


Now, when you run the following command, you can see the Docker CLI usage instructions:

Optional: Move the binary to a directory on your executable path, such as /usr/local/bin/. If you skip this step, you must provide the path to the executable when you invoke docker or dockerd commands.

Verify that Docker is installed correctly by running the hello-world image. The value of is a hostname or IP address running the Docker daemon and accessible to the client.

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits.


Docker Engine release notes

This document describes the latest changes, additions, known issues, and fixes for Docker Engine.

Note: The client and container runtime are now in separate packages from the daemon in Docker Engine 18.09. Users should install and update all three packages at the same time to get the latest patch releases. For example, on Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io. See the install instructions for the corresponding Linux distro for details.

Version 20.10

20.10.9

This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package.

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Client

  • CVE-2021-41092 Ensure default auth config has address field set, to prevent credentials being sent to the default registry.

Runtime

  • CVE-2021-41089 Create parent directories inside a chroot during docker cp to prevent a specially crafted container from changing permissions of existing files in the host’s filesystem.
  • CVE-2021-41091 Lock down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker.

Packaging

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.

  • Update Golang runtime to Go 1.16.8, which contains fixes for CVE-2021-36221 and CVE-2021-39293
  • Update static binaries and containerd.io rpm and deb packages to containerd v1.4.11 and runc v1.0.2 to address CVE-2021-41103.
  • Update the bundled buildx version to v0.6.3 for rpm and deb packages.

20.10.8

Due to net/http changes in Go 1.16, HTTP proxies configured through the $HTTP_PROXY environment variable are no longer used for TLS (https://) connections. Make sure you also set an $HTTPS_PROXY environment variable for handling requests to https:// URLs.

Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.

Deprecation

  • Deprecate support for encrypted TLS private keys. Legacy PEM encryption as specified in RFC 1423 is insecure by design. Because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. Support for encrypted TLS private keys is now marked as deprecated, and will be removed in an upcoming release. docker/cli#3219
  • Deprecate Kubernetes stack support. Following the deprecation of Compose on Kubernetes, support for Kubernetes in the stack and context commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release docker/cli#3174.
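
Keys affected by the encrypted-private-key deprecation can be found by looking for the Proc-Type: 4,ENCRYPTED header that legacy PEM encryption puts at the top of a key block. The script below is an added example, not part of the Docker release notes; the function names and sample files are constructed, and the directory to scan (for instance the client's certificate directory) is left to the caller. PKCS#8 "ENCRYPTED PRIVATE KEY" blocks use a different format and are not flagged.

```shell
#!/bin/sh
# Added example: find TLS private keys that use legacy RFC 1423 PEM encryption.

# legacy_encrypted_pem FILE: succeed when a PRIVATE KEY block in FILE carries
# the "Proc-Type: 4,ENCRYPTED" header that marks legacy PEM encryption.
legacy_encrypted_pem() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----/  { in_hdr = 1; next }
        # PEM headers stop at the first blank line or at the END marker.
        /^-----END / || /^[ \t\r]*$/      { in_hdr = 0 }
        in_hdr && /^Proc-Type:[ \t]*4,[ \t]*ENCRYPTED/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# scan_keys DIR: list every *.pem file in DIR that uses legacy encryption.
# Returns non-zero when at least one such key is found.
scan_keys() {
    hits=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if legacy_encrypted_pem "$f"; then
            echo "legacy-encrypted key: $f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# write_sample_keys DIR: constructed sample files (dummy bodies, not real keys).
write_sample_keys() {
    cat > "$1/legacy.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/plain.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END PRIVATE KEY-----
EOF
    cat > "$1/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END CERTIFICATE-----
EOF
}
```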

Client

  • Fix Invalid standard handle identifier errors on Windows docker/cli#3132.

Rootless

  • Avoid can’t open lock file /run/xtables.lock: Permission denied error on SELinux hosts moby/moby#42462.
  • Disable overlay2 when running with SELinux to prevent permission denied errors moby/moby#42462.
  • Fix x509: certificate signed by unknown authority error on openSUSE Tumbleweed moby/moby#42462.

Runtime

  • Print a warning when using the --platform option to pull a single-arch image that does not match the specified architecture moby/moby#42633.
  • Fix incorrect Your kernel does not support swap memory limit warning when running with cgroups v2 moby/moby#42479.
  • Windows: Fix a situation where containers were not stopped if HcsShutdownComputeSystem returned an ERROR_PROC_NOT_FOUND error moby/moby#42613

Swarm

  • Fix a possibility where overlapping IP addresses could exist as a result of the node failing to clean up its old loadbalancer IPs moby/moby#42538
  • Fix a deadlock in log broker (“dispatcher is stopped”) moby/moby#42537

Packaging

The ctr binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the libc6-compat package, or download a previous version of the ctr binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.

  • Remove packaging for Ubuntu 16.04 “Xenial” and Fedora 32, as they reached EOL docker/docker-ce-packaging#560
  • Update Golang runtime to Go 1.16.6
  • Update the bundled buildx version to v0.6.1 for rpm and deb packages docker/docker-ce-packaging#562
  • Update static binaries and containerd.io rpm and deb packages to containerd v1.4.9 and runc v1.0.1: docker/containerd-packaging#241, docker/containerd-packaging#245, docker/containerd-packaging#247.

20.10.7

Client

  • Suppress warnings for deprecated cgroups docker/cli#3099.
  • Prevent sending SIGURG signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses SIGURG signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore SIGURG signals docker/cli#3107, moby/moby#42421.

Builder

  • Update BuildKit to version v0.8.3-3-g244e8cde moby/moby#42448:
    • Transform relative mountpoints for exec mounts in the executor to work around a breaking change in runc v1.0.0-rc94 and up. moby/buildkit#2137.
    • Add retry on image push 5xx errors. moby/buildkit#2043.
    • Fix build-cache not being invalidated when renaming a file that is copied using a COPY command with a wildcard. Note that this change invalidates existing build caches for copy commands that use a wildcard. moby/buildkit#2018.
    • Fix build-cache not being invalidated when using mounts moby/buildkit#2076.
  • Fix build failures when FROM image is not cached when using legacy schema 1 images moby/moby#42382.

Logging

  • Update the hcsshim SDK to make daemon logs on Windows less verbose moby/moby#42292.

Rootless

  • Fix capabilities not being honored when an image was built on a daemon with user-namespaces enabled moby/moby#42352.

Networking

  • Update libnetwork to fix publishing ports on environments with kernel boot parameter ipv6.disable=1, and to fix a deadlock causing internal DNS lookups to fail moby/moby#42413.

Contrib

  • Update rootlesskit to v0.14.2 to fix a timeout when starting the userland proxy with the slirp4netns port driver moby/moby#42294.
  • Fix “Device or resource busy” errors when running docker-in-docker on a rootless daemon moby/moby#42342.

Packaging

  • Update containerd to v1.4.6, runc v1.0.0-rc95 to address CVE-2021-30465 moby/moby#42398, moby/moby#42395, docker/containerd-packaging#234.
  • Update containerd to v1.4.5, runc v1.0.0-rc94 moby/moby#42372, moby/moby#42388, docker/containerd-packaging#232.
  • Update Docker Scan plugin packages (docker-scan-plugin) to v0.8 docker/docker-ce-packaging#545.

20.10.6

Client

  • Apple Silicon (darwin/arm64) support for Docker CLI docker/cli#3042
  • config: print deprecation warning when falling back to pre-v1.7.0 config file /.dockercfg. Support for this file will be removed in a future release docker/cli#3000

Builder

  • Fix classic builder silently ignoring unsupported Dockerfile options and prompt to enable BuildKit instead moby/moby#42197

Logging

  • json-file: fix sporadic unexpected EOF errors moby/moby#42174

Networking

  • Fix a regression in docker 20.10, causing IPv6 addresses no longer to be bound by default when mapping ports moby/moby#42205
  • Fix implicit IPv6 port-mappings not included in API response. Before docker 20.10, published ports were accessible through both IPv4 and IPv6 by default, but the API only included information about the IPv4 (0.0.0.0) mapping moby/moby#42205
  • Fix a regression in docker 20.10, causing the docker-proxy to not be terminated in all cases moby/moby#42205
  • Fix iptables forwarding rules not being cleaned up upon container removal moby/moby#42205

Packaging

  • Update containerd to v1.4.4 for static binaries. The containerd.io package on apt/yum repos already had this update out of band. Includes a fix for CVE-2021-21334. moby/moby#42124
  • Packages for Debian/Raspbian 11 Bullseye, Ubuntu 21.04 Hirsute Hippo and Fedora 34 docker/docker-ce-packaging#521, docker/docker-ce-packaging#522, docker/docker-ce-packaging#533
  • Provide the Docker Scan CLI plugin on Linux amd64 via a docker-scan-plugin package as a recommended dependency for the docker-ce-cli package docker/docker-ce-packaging#537
  • Include VPNKit binary for arm64 moby/moby#42141

Plugins

  • Fix docker plugin create making plugins that were incompatible with older versions of Docker moby/moby#42256

Rootless

  • Update RootlessKit to v0.14.1 (see also v0.14.0, v0.13.2) moby/moby#42186, moby/moby#42232
  • dockerd-rootless-setuptool.sh: create CLI context “rootless” moby/moby#42109
  • dockerd-rootless.sh: prohibit running as root moby/moby#42072
  • Fix “operation not permitted” when bind mounting existing mounts moby/moby#42233
  • overlay2: fix “createDirWithOverlayOpaque(. ) . input/output error” moby/moby#42235
  • overlay2: support “userxattr” option (kernel 5.11) moby/moby#42168
  • btrfs: allow unprivileged user to delete subvolumes (kernel >= 4.18) moby/moby#42253
  • cgroup2: Move cgroup v2 out of experimental moby/moby#42263

20.10.5

Client

  • Revert docker/cli#2960 to fix hanging in docker start --attach and remove spurious Unsupported signal: . Discarding messages. docker/cli#2987.

20.10.4

Builder

  • Fix incorrect cache match for inline cache import with empty layers moby/moby#42061
  • Update BuildKit to v0.8.2 moby/moby#42061
    • resolver: avoid error caching on token fetch
    • fileop: fix checksum to contain indexes of inputs preventing certain cache misses
    • Fix reference count issues on typed errors with mount references (fixing invalid mutable ref errors)
    • git: set token only for main remote access allowing cloning submodules with different credentials
  • Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run builder prune moby/moby#42065
  • Fix parallel pull synchronization regression moby/moby#42049
  • Ensure libnetwork state files do not leak moby/moby#41972

Client

  • Fix a panic on docker login if no config file is present docker/cli#2959
  • Fix WARNING: Error loading config file: .dockercfg: $HOME is not defined docker/cli#2958

Runtime

  • docker info: silence unhandleable warnings moby/moby#41958
  • Avoid creating parent directories for XGlobalHeader moby/moby#42017
  • Use 0755 permissions when creating missing directories moby/moby#42017
  • Fallback to manifest list when no platform matches in image config moby/moby#42045, moby/moby#41873
  • Fix a daemon panic on setups with a custom default runtime configured moby/moby#41974
  • Fix a panic when daemon configuration is empty moby/moby#41976
  • Fix daemon panic when starting container with invalid device cgroup rule moby/moby#42001
  • Fix userns-remap option when username & UID match moby/moby#42013
  • static: update runc binary to v1.0.0-rc93 moby/moby#42014

Logger

  • Honor labels-regex config even if labels is not set moby/moby#42046
  • Handle long log messages correctly preventing awslogs in non-blocking mode to split events bigger than 16kB moby/moby#41975

Rootless

  • Prevent the service hanging when stopping by setting systemd KillMode to mixed moby/moby#41956
  • dockerd-rootless.sh: add typo guard moby/moby#42070
  • Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses moby/moby#42025
  • allow mknodding FIFO inside userns moby/moby#41957

Security

  • profiles: seccomp: update to Linux 5.11 syscall list moby/moby#41971

Swarm

  • Fix issue with heartbeat not persisting upon restart moby/moby#42060
  • Fix potential stalled tasks moby/moby#42060
  • Fix --update-order and --rollback-order flags when only --update-order or --rollback-order is provided docker/cli#2963
  • Fix docker service rollback returning a non-zero exit code in some situations docker/cli#2964
  • Fix inconsistent progress-bar direction on docker service rollback docker/cli#2964

20.10.3

Security

  • CVE-2021-21285 Prevent an invalid image from crashing docker daemon
  • CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
  • Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Client

  • Check contexts before importing them to reduce risk of extracted files escaping context store
  • Windows: prevent executing certain binaries from current directory docker/cli#2950

20.10.2

Runtime

  • Fix a daemon start up hang when restoring containers with restart policies but that keep failing to start moby/moby#41729
  • overlay2: fix an off-by-one error preventing to build or run containers when data-root is 24-bytes long moby/moby#41830
  • systemd: send sd_notify STOPPING=1 when shutting down moby/moby#41832

Networking

Swarm

  • Fix filtering for replicated-job and global-job service modes moby/moby#41806

Packaging

20.10.1

Builder

  • buildkit: updated to v0.8.1 with various bugfixes moby/moby#41793

Packaging

  • Revert a change in the systemd unit that could prevent docker from starting due to a startup order conflict docker/docker-ce-packaging#514
  • buildx updated to v0.5.0 docker/docker-ce-packaging#515

20.10.0

Deprecation / Removal

For an overview of all deprecated features, refer to the Deprecated Engine Features page.

  • Warnings and deprecation notice when docker pull-ing from non-compliant registries not supporting pull-by-digest docker/cli#2872
  • Sterner warnings and deprecation notice for unauthenticated tcp access moby/moby#41285
  • Deprecate KernelMemory (docker run --kernel-memory) moby/moby#41254, docker/cli#2652
  • Deprecate aufs storage driver docker/cli#1484
  • Deprecate host-discovery and overlay networks with external k/v stores moby/moby#40614, moby/moby#40510
  • Deprecate Dockerfile legacy ‘ENV name value’ syntax, use ENV name=value instead docker/cli#2743
  • Remove deprecated “filter” parameter for API v1.41 and up moby/moby#40491
  • Disable distribution manifest v2 schema 1 on push moby/moby#41295
  • Remove hack MalformedHostHeaderOverride breaking old docker clients ( DOCKER_API_VERSION moby/moby#39076
  • Remove “docker engine” subcommands docker/cli#2207
  • Remove experimental “deploy” from “dab” files docker/cli#2216
  • Remove deprecated docker search --automated and --stars flags docker/cli#2338
  • No longer allow reserved namespaces in engine labels docker/cli#2326
