What Is New in Docker Engine 17.11
Docker Engine 17.11.0-ce introduces a mix of new features, critical security patches, and foundational improvements for both developers and operators. This release primarily focuses on enhancing container security and providing more granular control over container resources and networking.
| Category | Key Changes |
|---|---|
| New Features | Rootless mode (experimental), Support for multiple Dockerfile -f flags in docker build, docker service create --hostname |
| Security | Lazy activation of AppArmor profiles, CVE-2017-14992 mitigation, seccomp improvements |
| Runtime & Orchestration | docker stack deploy --prune, Service log driver options, Windows Server version 1709 support |
| Deprecations | Deprecation of `docker stack deploy --file` in favor of `--compose-file` |
| Bug Fixes & Improvements | Over 30 fixes for issues in networking, build, runtime, and the CLI |
How does Docker 17.11 improve container security?
This release tackles security from multiple angles, making it a significant update for production environments. The headline is the experimental introduction of rootless mode, allowing the daemon to run without root privileges, which drastically reduces the attack surface.
Under the hood, AppArmor profile activation is now lazy, meaning profiles are only loaded when needed instead of all at startup. This improves performance and stability on systems with many profiles. The release also includes a critical mitigation for CVE-2017-14992 and adds a default seccomp profile for ppc64le architecture.
Key Security Updates:
- Rootless mode (experimental)
- Lazy activation of AppArmor profiles
- Mitigation for CVE-2017-14992 (vulnerability in `runc`)
- Default seccomp profile for ppc64le
What new build and service features were added?
For developers, the build process gets more flexible with support for multiple -f flags. This allows you to use different Dockerfiles in a single build context, which is useful for complex build scenarios without needing to change directories.
For operators using Swarm, the docker service create command now includes a --hostname flag to set a custom hostname for service tasks. The docker stack deploy command gains a --prune flag to automatically remove services that are no longer defined in the compose file, helping to keep your stack clean.
Key Build & Service Updates:
- `docker build -f Dockerfile.debug -f Dockerfile.prod`
- `docker service create --hostname myhost`
- `docker stack deploy --prune`
- Service log driver options (e.g., `--log-opt env`)
What changes were made for Windows containers?
Support for Windows Server version 1709 is now official in this release. This ensures compatibility with the latest Windows Server base images and the features they provide.
In practice, this means you can reliably build and run containers targeting the Windows Server 1709 environment using Docker Engine 17.11, keeping your Windows container workflow up to date.
Were there any important deprecations or breaking changes?
Yes, one notable deprecation is the --file flag for docker stack deploy. It's been replaced with the more explicit --compose-file flag to avoid ambiguity. The old flag still works but will be removed in a future release, so it's a good time to update your scripts.
This change matters because it makes the CLI more consistent and clear. Always using --compose-file leaves no doubt about the purpose of the flag, especially for newcomers.
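To locate and update deployment scripts that still pass the deprecated flag, here is an added POSIX shell example (not part of the Docker release notes or the Docker CLI). The deploy script it scans is constructed for the demonstration, and it assumes the only change required is the flag name, as described above.

```sh
#!/bin/sh
# Added example: report and rewrite the deprecated `docker stack deploy --file`
# flag as `--compose-file`. Only `docker stack deploy` lines are touched, so
# unrelated commands such as `docker build --file` are left alone.
# Assumption: the flag is a straight rename, nothing else in the line changes.

# Print each line of the given script that still uses the deprecated flag,
# prefixed with its line number. Exit status is that of grep (0 = found).
find_deprecated_stack_flag() {
    grep -nE 'docker[[:space:]]+stack[[:space:]]+deploy.*--file([[:space:]=]|$)' "$1"
}

# Print the script with `--file` (and `--file=`) replaced by `--compose-file`
# on `docker stack deploy` lines. `--compose-file` has only one dash before
# "file", so already-migrated lines are not rewritten twice.
migrate_stack_deploy_flag() {
    sed -E '/docker[[:space:]]+stack[[:space:]]+deploy/ s/--file([[:space:]=]|$)/--compose-file\1/g' "$1"
}

# Constructed sample deploy script: two deprecated usages, one build line
# that must stay untouched, and one line that is already migrated.
sample_script() {
    cat <<'EOF'
#!/bin/sh
docker build --file Dockerfile.prod -t app:latest .
docker stack deploy --file stack.yml app
docker stack deploy --with-registry-auth --file=stack.yml app
docker stack deploy --compose-file stack.yml --prune app
EOF
}

# Demonstration: scan the sample, then show the migrated version.
demo() {
    tmp=$(mktemp)
    sample_script > "$tmp"
    echo "Deprecated usages:"
    find_deprecated_stack_flag "$tmp" || echo "(none)"
    echo "Migrated script:"
    migrate_stack_deploy_flag "$tmp"
    rm -f "$tmp"
}
```

Run `demo` to see the report and the rewritten script; point `find_deprecated_stack_flag` at your own CI scripts to audit them before the flag is removed.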
FAQ
Is Docker 17.11 a stable release?
Yes, the 17.11.0-ce version is a stable release. However, it includes some experimental features like rootless mode, which are clearly marked and should be evaluated carefully before use in production.
How do I try the new rootless mode?
Rootless mode is experimental. You'll need to run the Docker daemon with specific flags and configurations to operate without root privileges. Consult the official documentation for the detailed setup procedure, as it requires careful setup of user namespaces and other system parameters.
What was the CVE-2017-14992 vulnerability?
It was a flaw in `runc` that allowed a malicious container to overwrite the host's `runc` binary, potentially leading to privilege escalation. Docker Engine 17.11 includes a mitigation for this vulnerability, making your environment more secure.
Can I now use multiple Dockerfiles in a single build?
Yes. You can now pass multiple -f or --file flags to docker build. The builder will use each subsequent file as the new Dockerfile, which is useful for building a final image from a series of intermediate Dockerfiles.
What does --prune do for docker stack deploy?
The new --prune flag automatically removes any services that are part of the stack but are no longer present in the updated compose file you're deploying. This helps keep your stack state clean and in sync with your declared configuration.