Docker Engine 28: What's New, Release History & EOL Status

What is new in Docker Engine 28

Docker Engine 28 brings important improvements in networking security, multi-platform image support, and overall container management. This version series strengthens port publishing rules, adds new ways to mount images directly into containers, and updates core components for better performance and compatibility.

Administrators will notice enhanced IPv6 handling, better isolation for published ports, and a shift toward modern defaults such as CDI device discovery. The release also includes several security patches and begins cleaning up older features to prepare for future changes.

Key Highlights

• Stronger security for published ports on bridge networks with better isolation from external and loopback access
• New --mount type=image option to mount an entire image or specific subpath inside a container
• Expanded support for multi-platform images across many CLI commands and API endpoints
• AMD GPU support added for docker run --gpus
• CDI (Container Device Interface) enabled by default with discovered devices shown in docker info
• Improved IPv6 networking options including --ipv4 flag and new gateway modes
• Relative parent paths now supported in bind mounts

Security Improvements

Docker Engine 28 includes multiple security enhancements:

• Refactored iptables rules to prevent unauthorized access to published ports from remote hosts or after firewall reloads
• High-severity fixes in runc (version 1.3.3) that prevent container breakout attacks via /proc file writes
• Removal of legacy CBC cipher suites to strengthen TLS security
• Better port isolation in the DOCKER chain and updated docker-proxy behavior

These changes make container environments more secure by default, especially in multi-tenant or networked setups.

New Features and Enhancements

Component Updates

The 28 series keeps important dependencies current:

These updates bring performance gains, bug fixes, and the latest security patches from upstream projects.

Networking Changes

Networking received major attention in this release:

• Requires the ipset kernel module for improved port publishing
• New bridge options like com.docker.network.bridge.trusted_host_interfaces and gateway_mode_ipv[46]
• Better IPv6 support: --ipv4 to disable IPv4, support for subnets larger than /64, and IPv6 entries in /etc/hosts
• Improved reliability for NetworkDB in large or unstable clusters
• Rootless mode now falls back to pasta (passt) when slirp4netns is unavailable

Bug Fixes

Many stability and usability issues were addressed, including:

• Fixes for multi-platform image handling in history, prune, and inspect commands
• Resolved hangs and authentication problems during pull and push operations
• Improved container state consistency after stop commands
• Fixed panics related to stats, events, and certain Windows scenarios
• Better handling of Swarm task placement and network creation

Deprecations and Breaking Changes

Docker Engine 28 continues the process of modernizing the codebase:

• Support for Raspberry Pi OS 32-bit (armhf) ends in this series -- migrate to 64-bit or use Debian packages
• Legacy links environment variables are deprecated and will be removed in a future release
• Several API fields such as Parent, DockerVersion, and KernelMemoryTCP are deprecated
• Extensive cleanups in the Go SDK including removal of older utility functions and type aliases
• Minimum Go version for the SDK raised to 1.23

Review the deprecation list carefully before upgrading, especially if your automation or custom tools rely on older CLI constructors or API fields.

Upgrade Advice

When moving to Docker Engine 28, pay special attention to networking configuration and test port publishing behavior. Most users will see improved security and new capabilities with minimal disruption. Update your scripts and SDK usage to prepare for the planned removals in upcoming versions.