{"id":2779,"date":"2025-11-11T15:47:31","date_gmt":"2025-11-11T15:47:31","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/11\/11\/docker-engine-v29-foundational-updates-for-the-future\/"},"modified":"2025-11-11T15:47:31","modified_gmt":"2025-11-11T15:47:31","slug":"docker-engine-v29-foundational-updates-for-the-future","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/11\/11\/docker-engine-v29-foundational-updates-for-the-future\/","title":{"rendered":"Docker Engine v29: Foundational Updates for the Future"},"content":{"rendered":"<p>This post is for Linux users running Docker Engine (Community Edition) directly on their hosts. Docker Desktop users don\u2019t need to take any action \u2014 Engine updates are included automatically in future Desktop releases.<\/p>\n<p><a href=\"https:\/\/github.com\/moby\/moby\/releases\/tag\/docker-v29.0.0\" rel=\"nofollow noopener\" target=\"_blank\">Docker Engine v29<\/a> is a foundational release that sets the stage for the future of the Docker platform. While it may not come with flashy new features, it introduces two significant under-the-hood changes that simplify our architecture and improve ecosystem alignment:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>The Containerd image store is now the default for new installations.<\/li>\n<li>Migration to Go modules<\/li>\n<li>Experimental Support for NFTables<\/li>\n<\/ul>\n<p>These changes improve maintainability, developer experience, and interoperability across the container ecosystem.<\/p>\n\n<h2 class=\"wp-block-heading\">Containerd Image Store Becomes the Default<\/h2>\n\n<h3 class=\"wp-block-heading\">Why We Made This Change<\/h3>\n\n<p>The <a href=\"https:\/\/www.docker.com\/blog\/containerd-vs-docker\/\">Containerd<\/a> runtime originated as a core component of Docker Engine and was later split out and donated to the Cloud Native Computing Foundation (CNCF). 
It now serves as the industry-standard container runtime, powering Kubernetes and many other platforms.<\/p>\n\n<p>While Docker introduced containerd for container execution years ago, we continued using the <a href=\"https:\/\/docs.docker.com\/engine\/storage\/drivers\/\" rel=\"nofollow noopener\" target=\"_blank\">graph driver storage backend<\/a> for managing image layers. Meanwhile, containerd evolved its own image content store and snapshotter framework, designed for modularity, performance, and ecosystem alignment.<\/p>\n\n<p>To ensure stability, Docker has been <a href=\"https:\/\/www.docker.com\/blog\/extending-docker-integration-with-containerd\/\">gradually migrating<\/a> to the containerd image store over time. Docker Desktop has already used the containerd image store as <a href=\"https:\/\/docs.docker.com\/desktop\/release-notes\/#4340\" rel=\"nofollow noopener\" target=\"_blank\">the default<\/a> for most of the past year. With Docker Engine v29, this migration takes the next step by becoming the <a href=\"https:\/\/github.com\/moby\/moby\/issues\/49872\" rel=\"nofollow noopener\" target=\"_blank\">default in the Moby engine<\/a>.<\/p>\n\n<h3 class=\"wp-block-heading\">What it is<\/h3>\n\n<ul class=\"wp-block-list\">\n<li>As of Docker Engine v29, the <a href=\"https:\/\/docs.docker.com\/desktop\/features\/containerd\/\" rel=\"nofollow noopener\" target=\"_blank\">containerd image store<\/a> becomes the default for image layer and content management for <strong>new installs<\/strong>.<\/li>\n<li>Legacy graph drivers are still available, but are now deprecated. 
New installs can still opt out of the containerd image store if there is any issue.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Why This Matters<\/h3>\n\n<ul class=\"wp-block-list\">\n<li><strong>Simplified architecture<\/strong>: Both execution and storage now use containerd, reducing duplication and internal complexity.<\/li>\n<li><strong>Unlock new feature possibilities<\/strong>, such as:\n<ul class=\"wp-block-list\">\n<li>Snapshotter innovations<\/li>\n<li>Lazy pulling of image content<\/li>\n<li>Remote content stores<\/li>\n<li>Peer-to-peer distribution<\/li>\n<\/ul>\n<\/li>\n<li><strong>Ecosystem alignment<\/strong>: Brings Docker Engine in sync with containerd-based platforms, like Kubernetes, improving interoperability.<\/li>\n<li><strong>Future-proofing<\/strong>: Enables faster innovation in image layer handling and runtime behaviour.<\/li>\n<\/ul>\n<p>We appreciate that this change may cause some disruption, as the containerd image store takes a different approach to content and layer management compared to the existing storage drivers.<\/p>\n\n<p>However, this shift is a positive one. It enables a more consistent, modular, and predictable container experience.<\/p>\n\n<h4 class=\"wp-block-heading\">Migration Path<\/h4>\n\n<p>To be clear, these changes only impact new installs; existing users will not be forced to move to containerd. 
However, you can start your migration now and <a href=\"https:\/\/docs.docker.com\/engine\/storage\/containerd\/#enable-containerd-image-store-on-docker-engine\" rel=\"nofollow noopener\" target=\"_blank\">opt in<\/a>.<\/p>\n\n<p>We are working on a migration guide to help teams transition and move their existing content to the containerd image store.<\/p>\n\n<h3 class=\"wp-block-heading\">What\u2019s next<\/h3>\n\n<ul class=\"wp-block-list\">\n<li>The graph driver backend will be removed in a future release.<\/li>\n<li>Docker will continue evolving the image store experience, leveraging the full capabilities of containerd\u2019s ecosystem.<\/li>\n<li>Expect to see enhanced content management, multi-snapshotter support, and faster pull\/push workflows in the future.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Moby Migrates to Go Modules<\/h2>\n\n<h3 class=\"wp-block-heading\">Why We Made This Change<\/h3>\n\n<p>Go modules have been the community standard since 2019, but until now, the Moby project used a legacy vendoring system. 
Avoiding Go modules was creating:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Constant maintenance churn to work around tooling assumptions<\/li>\n<li>Confusing workflows for contributors<\/li>\n<li>Compatibility issues with newer Go tools and ecosystem practices<\/li>\n<\/ul>\n<p>Simply put, continuing to resist Go modules was making life harder for everyone.<\/p>\n\n<h3 class=\"wp-block-heading\">What It Is<\/h3>\n\n<ul class=\"wp-block-list\">\n<li>The Moby codebase is now fully module-aware using go.mod.<\/li>\n<li>This means cleaner dependency management and better interoperability for tools and contributors.<\/li>\n<li>External clients, API libraries, and SDKs will find the Moby codebase easier to consume and integrate with.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">What It\u2019s Not<\/h3>\n\n<ul class=\"wp-block-list\">\n<li>This is not a user-facing feature\u2014you won\u2019t see a UI or command change.<\/li>\n<li>However, it does affect developers who consume Docker\u2019s Go APIs.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Important for Go Developers<\/h3>\n\n<p>If you\u2019re consuming the Docker client or API packages in your own Go projects:<\/p>\n<ul class=\"wp-block-list\">\n<li>The old module path github.com\/docker\/docker will no longer receive updates.<\/li>\n<li>To stay current with Docker Engine releases, you must switch to importing from github.com\/moby\/moby.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Experimental support for nftables<\/h2>\n\n<h3 class=\"wp-block-heading\">Why We Made This Change<\/h3>\n\n<p>For bridge and overlay networks on Linux, Docker Engine currently creates firewall rules using \u201ciptables\u201d and \u201cip6tables\u201d.<\/p>\n\n<p>In most cases, these commands are linked to \u201ciptables-nft\u201d and \u201cip6tables-nft\u201d. So, Docker\u2019s rules are translated to nftables behind the scenes.<\/p>\n\n<p>However, OS distributions are beginning to deprecate support for iptables. 
It\u2019s past time for Docker Engine to create its own nftables rules directly.<\/p>\n\n<h3 class=\"wp-block-heading\">What It Is<\/h3>\n\n<p>Opt-in support for creating nftables rules instead of iptables.<\/p>\n\n<p>The rules are functionally equivalent, but there are some differences to be aware of, particularly if you make use of the \u201cDOCKER-USER\u201d chain in iptables.<\/p>\n\n<p>On a host that uses \u201cfirewalld\u201d, iptables rules are created via firewalld\u2019s deprecated \u201cdirect\u201d interface. That\u2019s not necessary for nftables because rules are organised into separate tables, each with its own base chains. Docker will still set up firewalld zones and policies for its devices, but it creates nftables rules directly, just as it does on a host without firewalld.<\/p>\n\n<h3 class=\"wp-block-heading\">What It\u2019s Not<\/h3>\n\n<p>In this initial version, nftables support is \u201cexperimental\u201d. Please be cautious about deploying it in a production environment.<\/p>\n\n<p>Swarm support is planned for a future release. At present, it\u2019s not possible to enable Docker Engine\u2019s nftables support on a node with Swarm enabled.<\/p>\n\n<p>In a future release, nftables will become the default firewall backend and iptables support will be deprecated.<\/p>\n\n<h3 class=\"wp-block-heading\">Future Work<\/h3>\n\n<p>In addition to adding planned Swarm support, there\u2019s scope for efficiency improvements.<\/p>\n\n<p>For example, the rules themselves could make more use of nftables features, particularly sets of ports.<\/p>\n\n<p>These changes will be prioritised based on the feedback received. If you would like to contribute, do let us know!<\/p>\n\n<h3 class=\"wp-block-heading\">Try It Out<\/h3>\n\n<p>Start \u201c<code>dockerd<\/code>\u201d with option \u201c<code>--firewall-backend=nftables<\/code>\u201d to enable nftables support.<br \/>After a reboot, you may find you need to enable IP Forwarding on the host. 
If you\u2019re using the \u201cDOCKER-USER\u201d iptables chain, it will need to be migrated. For more information, see <a href=\"https:\/\/docs.docker.com\/engine\/network\/firewall-nftables\/\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/docs.docker.com\/engine\/network\/firewall-nftables<\/a><br \/>We\u2019re looking for feedback. If you find issues, let us know at <a href=\"https:\/\/github.com\/moby\/moby\/issues\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/moby\/moby\/issues<\/a>.<\/p>\n\n<h2 class=\"wp-block-heading\">Getting Started with Engine v29<\/h2>\n\n<p>As mentioned, this post is for Linux users running Docker Engine (Community Edition) directly on their hosts. Docker Desktop users don\u2019t need to take any action \u2014 Engine updates are included automatically in the upcoming Desktop releases.<\/p>\n\n<p>To install Docker Engine on your host or update an existing installation, please <a href=\"https:\/\/docs.docker.com\/engine\/install\/\" rel=\"nofollow noopener\" target=\"_blank\">follow the guide<\/a> for your specific OS.<\/p>\n\n<p>For additional information about this release:<\/p>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.docker.com\/engine\/release-notes\/29\/\" rel=\"nofollow noopener\" target=\"_blank\">Release notes for Engine v29<\/a><\/li>\n<li><a href=\"https:\/\/docs.docker.com\/desktop\/features\/containerd\/\" rel=\"nofollow noopener\" target=\"_blank\">Documentation<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>This post is for Linux users running Docker Engine (Community Edition) directly on their hosts. 
Docker Desktop users don\u2019t need [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":94,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2779","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2779"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2779\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}