Docker, a leading open-source platform for developing, shipping, and running applications inside containers, has officially rolled out Docker Engine 28, an update brimming with enhancements that lock down container networking by default.
Previously, unpublished ports on containers attached to Docker’s default “bridge” network could be reached from the local network if the host firewall was permissive. Starting with Docker v28, these unpublished ports are blocked by default, closing off that avenue for local-network exploits.
Who might be affected? Upgrading to the new version will seamlessly improve security for most Docker users on a single machine. Docker Desktop users are not impacted since the internal networking there already includes protection for unpublished ports.
Beyond the headline security updates, Docker Engine 28 brings several useful additions and improvements:
- Docker now explicitly requires ipset support in the Linux kernel to handle the new filter rules.
- Developers can now use `docker run --mount type=image,image-subpath=[subpath] ...` to mount an image, or a specific path from an image, directly inside a container.
- `docker images --tree` now shows additional metadata in a tree-like output, making it easier to visualize your local images and their relationships.
- The `docker load`, `docker save` and `docker history` commands now accept `--platform`, enabling single-platform operations on multi-arch images.
- When containers start, they broadcast ARP or neighbor advertisements to tie their addresses to the correct new MAC.
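Before upgrading, an operator will want to know three things: whether the kernel has the ipset support Docker 28 now requires, which Docker major version is installed, and which running containers still expose ports without a host binding (the ports the new default rules stop exposing to the local network). The following pre-flight script is an added example, not part of the Docker release notes or the Docker code base; the kernel module paths and the `docker ps` Ports column format (`0.0.0.0:8080->80/tcp` for a published port, a bare `443/tcp` for an exposed-but-unpublished one) are assumptions based on current Linux and Docker CLI behavior.

```shell
#!/bin/sh
# Pre-flight check for a Docker Engine 28 upgrade (added example, not Docker's own tooling).

# Extract the major version from either `docker version --format '{{.Server.Version}}'`
# ("27.5.1") or the human-readable `docker --version` line ("Docker version 27.5.1, build ...").
docker_major() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Docker 28 requires ipset in the kernel: look for a loaded module, a sysfs entry,
# a built-in, or an installable module file for the running kernel.
ipset_supported() {
  grep -qw ip_set /proc/modules 2>/dev/null && return 0
  [ -d /sys/module/ip_set ] && return 0
  grep -q 'ip_set\.ko' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null && return 0
  [ -n "$(find "/lib/modules/$(uname -r)" -name 'ip_set.ko*' 2>/dev/null | head -n 1)" ]
}

# Read `docker ps --format '{{.Names}}\t{{.Ports}}'` lines on stdin and print
# "<container> <port>" for every exposed port that has no host binding (no "->").
unpublished_ports() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name ports; do
    [ -n "$ports" ] || continue
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' |
      while read -r p; do
        case $p in
          *'->'*) ;;                            # published to the host: unaffected by the change
          *) printf '%s %s\n' "$name" "$p" ;;   # exposed only inside the Docker network
        esac
      done
  done
}

main() {
  if ipset_supported; then
    echo "ipset: kernel support found"
  else
    echo "ipset: NOT found (Docker Engine 28 requires it)"
  fi
  if command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null || docker --version)
    echo "docker major version: $(docker_major "$v")"
    echo "exposed ports without a host binding (blocked from the local network by the v28 defaults):"
    docker ps --format '{{.Names}}\t{{.Ports}}' 2>/dev/null | unpublished_ports
  else
    echo "docker CLI not found; skipping container checks"
  fi
}

main
```

Run it as a normal user who can talk to the Docker socket; the ipset probe needs only read access to `/proc` and `/lib/modules`. Ports that appear in the last section were reachable from neighboring hosts before the upgrade only through a permissive host firewall, and after the upgrade are reachable only from within the Docker network and the host itself unless you publish them deliberately with `-p`.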
As always with a new Docker release, a wide range of smaller issues have been addressed, from faster bridge connections to more consistent behavior in commands such as `docker export`. Windows users may also notice more stable container operation thanks to an option that lets Docker manage containers as a child process.
For more information on all changes, see Docker Engine 28’s release notes or visit this article on the Docker Blog.