Last checked and updated on April 15, 2026What Is New in Docker Engine 17.09
Docker 17.09 CE brought significant enhancements focused on the builder, runtime, and networking. This release merged the previously separate Docker CE and EE codebases into a single stream, simplifying the development process.
| Category | Key Changes |
|---|---|
| New Features | Multi-stage build support, Dockerfile syntax updates (FROM ... AS ...), --chown flag for COPY/ADD, --network flag for build stage. |
| Runtime & Orchestration | Initial support for Kubernetes (tech preview), service logs over websockets, improved docker service commands. |
| Networking | MACvlan driver support for Windows containers, DNS round-robin load balancing for swarm services. |
| Deprecations | The --api-enable-cors daemon flag was marked for deprecation. |
How did multi-stage builds change Dockerfile creation?
Multi-stage builds are the standout feature of 17.09, fundamentally changing how we write efficient Dockerfiles. They allow you to use multiple FROM statements in a single Dockerfile, each starting a new build stage.
You can copy artifacts from one stage to another, letting you separate your build-time dependencies from your final runtime image. In practice, this means you can have a stage with the entire compiler toolchain to build your application, and then copy just the resulting binary into a lean, production-ready stage based on a minimal base image like Alpine.
This slashes image size and reduces attack surface by eliminating build tools from the final image. The syntax is straightforward:
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .
FROM alpine:latest
COPY --from=builder /app/myapp /
CMD ["/myapp"]What networking improvements were introduced for Windows and Swarm?
17.09 expanded networking capabilities to better support Windows workloads and enhance Swarm service discovery. The MACvlan driver became available for Windows containers, giving them direct access to the physical network with their own MAC address.
For Swarm mode, a new internal DNS-based load balancer was added. It performs round-robin DNS resolution for service names, providing a simple and effective way to distribute network connections across all tasks of a service.
This is a lightweight alternative to the traditional routing mesh and is useful for scenarios where clients can handle DNS-based load balancing, like custom service discovery systems.
How did the builder get more powerful beyond multi-stage?
Beyond multi-stage builds, the builder gained several quality-of-life improvements. The COPY and ADD instructions now support a --chown flag to directly set file ownership, eliminating the need for a separate RUN chown command and the extra layer it created.
You could also specify a network mode for a build stage using the --network flag. This is crucial for controlling the network environment during the build process, which can affect how your application dependencies are fetched.
These changes made Dockerfiles more concise, efficient, and secure by reducing layer count and providing finer control over the build environment.
What was the significance of the unified CE/EE codebase?
This release marked the completion of the project to unify the codebases for Docker Community Edition (CE) and Enterprise Edition (EE). From 17.09 onward, both editions were built from the same underlying code.
For users, this meant that Docker CE became the upstream source for Docker EE. The community edition got even more stable and well-tested, as it was now the foundation for the enterprise product. This move simplified the entire release process and ensured feature parity.
FAQ
Do I have to rewrite all my Dockerfiles for 17.09?
No, your existing Dockerfiles will continue to work exactly as before. Multi-stage builds and the new flags like --chown are optional features that you can adopt to optimize your images when you're ready.
Can I use the Kubernetes support in production?
The initial Kubernetes integration in 17.09 was a technical preview. It was not intended for production workloads. It was a foundational step for the more mature orchestration support that arrived in later versions.
What's the real-world benefit of the --chown flag?
The main benefit is reducing image layers. Before, you needed a COPY and then a RUN chown, which created two layers. Now, you can do it in a single layer with COPY --chown=user:group, making your image slightly smaller and the build history cleaner.
How does the new DNS load balancing in Swarm work?
When you resolve a service name (e.g., myservice) from within the overlay network, the embedded DNS server returns the IP addresses of all healthy tasks for that service. The client then uses round-robin to choose which IP to connect to, distributing the load.
Is the deprecated --api-enable-cors flag immediately removed?
No, deprecation in Docker means the flag still works but will generate a warning. It's scheduled for removal in a future release, giving you time to update any scripts or tools that might rely on it.