What Is New in Docker Engine 23.0
Docker Engine 23.0 introduces significant updates focused on runtime enhancements, security, and developer experience. This release aligns with the Moby Project 23.0 and includes a refreshed containerd runtime and new CLI capabilities.
| Category | Key Changes |
|---|---|
| New Features | New docker init command, docker build from stdin, containerd image store management. |
| Runtime & Orchestration | containerd v1.7.0, Compose v2.17, Swarm fixed-length node ID, BuildKit v0.11. |
| Security | Rootless mode improvements, seccomp profile updates, cgroup v2 support. |
| Deprecations & Removals | Deprecation of the --cgroup-parent flag for containers, removal of AUFS storage driver. |
| Bug Fixes & Improvements | Numerous fixes in logging, networking, and volume management. |
What new CLI commands were added?
The standout addition is the `docker init` command. This is a helper tool that automatically generates the necessary Docker assets for your project, like `Dockerfile`, `.dockerignore`, and `compose.yaml`.
In practice, this dramatically speeds up containerizing new applications. You can run it in your project directory, and it will detect your project type (Node.js, Go, Python, etc.) and create sensible defaults.
How has the build experience improved?
You can now build images directly from standard input using `docker build - < context.tar.gz`. This is a game-changer for automated pipelines where you want to pipe a context archive directly into the build process without writing to disk first.
Under the hood, BuildKit v0.11 brings performance optimizations and better cache handling. This matters because it translates to faster, more efficient builds, especially in CI/CD environments.
What are the key runtime updates?
The engine now ships with containerd v1.7.0 as its core container runtime. This upgrade brings better stability, performance, and support for newer Kubernetes and container standards.
For Swarm users, node IDs are now fixed-length, making them more consistent and manageable. Docker Compose is also bundled at version 2.17, which includes its own set of improvements for local multi-container development.
What security enhancements should I know about?
Rootless mode is more robust, allowing you to run the entire Docker daemon and your containers without root privileges. This significantly reduces the attack surface on your host machine.
The default seccomp profile has been updated to block newer syscalls like io_uring, and there's broader support for cgroup v2. This means your containers are isolated by a more modern and restrictive security profile out of the box.
What features are being deprecated?
The `--cgroup-parent` flag for `docker run` is now deprecated. You should use the `--cgroup-parent` flag for `docker create` instead.
The AUFS storage driver has been completely removed. If you were still using it, you need to migrate your data to an overlay2 storage driver before upgrading. This was a long-planned removal as overlay2 has been the recommended driver for years.
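A pre-upgrade check covering the AUFS removal and the security settings described above, as an added example that is not part of the original page or the Docker project. The `audit_engine` function and its finding labels are hypothetical and the sample values are constructed; the `docker info` format fields named in the comments are the ones to feed it on a live host.

```shell
#!/bin/sh
# Added example (not Docker's own tooling): audit three `docker info` fields
# before upgrading. audit_engine and its labels are hypothetical names.
#
# usage: audit_engine DRIVER CGROUP_VERSION SECURITY_OPTIONS_JSON
# Prints one finding per line; returns 1 when the upgrade must not proceed.
audit_engine() {
    driver=$1; cgroup=$2; secopts=$3; rc=0

    # AUFS is removed in this release, so data must be migrated first.
    case $driver in
        aufs)     echo "BLOCK: storage driver is aufs; migrate to overlay2 before upgrading"; rc=1 ;;
        overlay2) echo "OK: storage driver is overlay2" ;;
        *)        echo "INFO: storage driver is $driver" ;;
    esac

    case $cgroup in
        2) echo "OK: host uses cgroup v2" ;;
        *) echo "WARN: host uses cgroup v$cgroup, not v2" ;;
    esac

    # SecurityOptions is a JSON list such as ["name=seccomp,profile=builtin","name=rootless"].
    case $secopts in
        *name=seccomp*) echo "OK: seccomp is enabled on the daemon" ;;
        *)              echo "WARN: seccomp is not listed in SecurityOptions" ;;
    esac
    case $secopts in
        *name=rootless*) echo "OK: daemon runs in rootless mode" ;;
        *)               echo "WARN: daemon runs as root" ;;
    esac
    return $rc
}

# Constructed sample values. On a live host, take them from:
#   docker info --format '{{.Driver}}'
#   docker info --format '{{.CgroupVersion}}'
#   docker info --format '{{json .SecurityOptions}}'
audit_engine aufs 1 '["name=apparmor","name=seccomp,profile=builtin"]' \
    || echo "Upgrade blocked until the BLOCK finding is resolved"
```

The non-zero return on an AUFS host lets a CI job or configuration-management run stop the package upgrade before the daemon restarts without a usable storage driver.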
FAQ
How do I use the new `docker init` command?
Navigate to your project's source code directory and simply run `docker init`. The CLI will interactively guide you through creating a `Dockerfile`, `.dockerignore`, and `compose.yaml` file tailored to your project's language.
Why was the AUFS storage driver removed?
AUFS has been deprecated for a long time in favor of overlay2. The overlay2 driver is faster, more stable, and has been the default for many years. This removal simplifies the codebase and maintenance.
What is the impact of the new containerd 1.7.0 runtime?
For most developers, the upgrade is seamless and brings performance benefits and better compatibility. It's a foundational update that ensures Docker stays aligned with the broader container ecosystem, including newer Kubernetes versions.
How does building from stdin (`docker build -`) work?
You can pipe a tar archive of your build context to the command. For example: `tar -cz . | docker build -`. This is useful in scripts where creating a temporary directory for the build context is undesirable.
Is the deprecated `--cgroup-parent` flag for `docker run` still functional?
Yes, it is currently deprecated but not yet removed. It will continue to work but will print a warning. You should update your scripts and tools to use the flag with `docker create` instead to future-proof them.