What Is New in Docker Engine 1.8
Docker Engine 1.8 delivers a significant update focused on content trust, builder enhancements, and core runtime improvements. This release introduces the long-awaited ability to sign and verify images, making deployments more secure by default.
| Category | Key Changes |
|---|---|
| New Features | Docker Content Trust (image signing), Builder --pull flag, OverlayFS storage driver support |
| Improvements | Faster container startup, Enhanced docker logs handling, Improved docker ps filtering |
| Bug Fixes | Numerous fixes for networking, volumes, and the daemon startup process |
| Deprecations | Short image ID references, The --api-enable-cors flag |
How does Docker Content Trust work in 1.8?
Docker Content Trust (DCT) is the headline feature, enabling cryptographic signing and verification of images. It uses a set of keys to sign images pushed to a registry and verify them on pull, ensuring their integrity and origin.
You control it with the DOCKER_CONTENT_TRUST environment variable. Set it to 1 to enforce signing, making it impossible to pull or run unsigned images. In practice, this is a major step towards securing your supply chain against tampering.
What builder improvements were made?
The docker build process got smarter with the new --pull flag. This forces the builder to pull a fresh version of your FROM image even if it already exists locally, preventing stale base image caches.
We also saw updates to the .dockerignore file handling, making it more consistent with how .gitignore works. This matters because it streamlines the build context exclusion process, especially for Node.js and Python projects with heavy node_modules or __pycache__ directories.
Is the OverlayFS driver ready for use?
Yes, the OverlayFS storage driver graduated from experimental to a fully supported option. It's a big deal for performance, as it often leads to faster container start times and more efficient use of disk space compared to AUFS.
This driver uses the kernel's native OverlayFS support, so you'll need Linux kernel 3.18 or later. On newer distributions it was already the default driver for many users, and its official support stabilizes a key piece of the container runtime.
What logging changes should I be aware of?
The behavior of docker logs on detached containers (docker run -d) was improved. Previously, logs could be lost if no one attached to the container immediately after startup. Now, the daemon buffers the logs, ensuring you can always retrieve them.
We also got new filtering capabilities for docker ps with the --filter flag. You can now list containers more precisely, such as filtering by health status or isolation mode, which is great for scripting and automation.
FAQ
How do I enable Docker Content Trust?
Set the environment variable DOCKER_CONTENT_TRUST=1 before running your docker commands. Once enabled, the CLI signs the images you push and will only pull or run images whose signatures have been verified.
What happens if I try to run an unsigned image with DCT enabled?
The operation will fail. The daemon will reject the attempt with an error stating that no trust data is available for the image, effectively blocking the deployment of unsigned content.
Why would I use the --pull flag with docker build?
To ensure your build uses the most up-to-date version of the base image specified in your Dockerfile. Without it, you might be building on a locally cached, older base image that could contain unpatched vulnerabilities.
Is OverlayFS now the recommended storage driver?
For hosts running supported kernels (3.18+), it became a strong, officially supported contender. Its performance benefits often make it the preferred choice over AUFS, but the best driver can still depend on your specific filesystem and workload.
What was deprecated in Docker 1.8?
Referencing images by short IDs (e.g., the first 12 characters of the hash) was deprecated in favor of using full IDs. The --api-enable-cors flag was also deprecated, as it was a legacy setting for enabling CORS on the Docker API.
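The checks discussed above (DOCKER_CONTENT_TRUST=1 enforcement, the --pull build flag, the 3.18 kernel floor for OverlayFS, and the deprecation of bare short IDs) collected into one preflight script, as an added example that is not Docker's own code. The function names, the DOCKER variable (which lets a test substitute a stub for the docker binary), and the sample version strings in the comments are assumptions.

```shell
#!/bin/sh
# Preflight checks for automation on a Docker Engine 1.8 host (added example).
# Assumed: function names, the DOCKER override variable, sample values below.

# Is DOCKER_CONTENT_TRUST set to exactly "1", i.e. is signing enforced?
dct_enforced() {
    [ "${DOCKER_CONTENT_TRUST:-0}" = "1" ]
}

# Pull only when content trust is enforced, so an unsigned image cannot
# slip through a script that forgot to export the variable.
pull_trusted() {
    if ! dct_enforced; then
        echo "refusing to pull $1: DOCKER_CONTENT_TRUST is not 1" >&2
        return 1
    fi
    "${DOCKER:-docker}" pull "$1"
}

# Build with --pull so the FROM image is refreshed instead of coming from
# a stale (and possibly unpatched) local cache.
build_fresh() {   # build_fresh <tag> <context-dir>
    "${DOCKER:-docker}" build --pull -t "$1" "$2"
}

# OverlayFS needs kernel 3.18+: accept "3.19.0-25-generic" style strings.
kernel_supports_overlay() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-25-generic"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac      # unparseable -> no
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 18 ] && return 0
    return 1
}

# Bare 12-hex-char short IDs are deprecated in 1.8; insist on a tag or full ID.
ref_allowed() {
    ! printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{12}$'
}
```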