
Docker Engine 29 Makes containerd the Default Image Store

Docker Engine v29 promotes containerd to the default image store for all new installations, aligning Docker with the Kubernetes ecosystem while adding experimental nftables support to modernize container networking.

TechDrop Editorial

Docker Engine v29, released in early 2026, makes containerd the default image store for all new installations, a change that aligns Docker's image management architecture with the container runtime Kubernetes has depended on directly since it removed dockershim in version 1.24 (the shim was deprecated in 1.20). The containerd image store was available as an opt-in feature in earlier versions, enabled through the containerd-snapshotter feature flag in daemon.json, but v29 promotes it to the default for all new deployments.

Why containerd as Default Matters

The containerd image store replaces Docker's own image storage format and management logic with containerd's content store and snapshotters, the same components containerd uses when it serves as the CRI runtime under Kubernetes. Previously, Docker kept images in its own graph-driver layout, separate from containerd's native image handling, so the two systems had nothing in common on disk. Note that Docker Engine still keeps its images in its own containerd namespace, so a kubelet on the same host does not automatically see images Docker pulled; what the change buys is a single on-disk format, pull path and set of tooling across Docker and containerd-based Kubernetes nodes, which simplifies building, debugging and operating images in mixed environments.

The change also improves compatibility with OCI (Open Container Initiative) image specifications. containerd's image store natively supports multi-platform image manifests, image content addressing, and the OCI distribution specification — all of which are increasingly important as container workloads span multiple CPU architectures including ARM-based servers and Apple Silicon development machines.

Experimental nftables Support

Docker Engine v29 introduces experimental nftables support via the --firewall-backend=nftables flag for the Docker daemon. nftables is the successor to iptables in the Linux kernel's networking stack, offering better performance, a cleaner rule syntax, and improved scalability for systems with large numbers of container networking rules. The move to nftables has been long anticipated — most modern Linux distributions now ship nftables as the default firewall backend, and iptables compatibility layers add overhead and complexity.

The nftables support is marked as experimental in v29, meaning it is available for testing but not yet recommended for production workloads. Operators who maintain their own rules through iptables tooling, for example in Docker's DOCKER-USER chain, should expect to revisit them before switching, since those rules are written against the iptables backend. Docker plans to make nftables the default firewall backend in a future release once the experimental phase validates compatibility across the diverse range of Linux distributions and networking configurations that Docker supports.
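A pre-flight check before enabling the experimental backend, as an added example that is not Docker's own code or part of the article. It classifies the host's iptables binary from `iptables -V` output (the nftables-backed shim reports `(nf_tables)`, the old binary `(legacy)`), requires the `nft` binary to be present, and renders the daemon.json form of the flag; that daemon.json key, `firewall-backend`, is assumed to mirror the command-line flag the way other daemon options do. The version strings used when `iptables` is absent are constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example: pre-flight check before trying dockerd's experimental
# --firewall-backend=nftables. Not Docker's tooling; see the lead-in for
# what is assumed.

# Classify the host's iptables binary from `iptables -V` output. The
# nftables-backed shim prints "(nf_tables)", the old xtables binary "(legacy)".
iptables_flavour() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Decide whether flipping the backend is reasonable on this host.
# $1: `iptables -V` output, $2: "yes" or "no" for whether nft is on PATH.
# Legacy xtables rules and native nftables rules are separate rule sets that
# the kernel evaluates independently, so a host whose iptables is the legacy
# binary should be audited before Docker starts writing nftables rules next
# to whatever other tools have installed.
nftables_backend_ready() {
    [ "$2" = yes ] || { echo "nft binary missing"; return 1; }
    case "$(iptables_flavour "$1")" in
        nf_tables) echo ok; return 0 ;;
        legacy)    echo "iptables is legacy-backed: audit existing rules first"; return 1 ;;
        *)         echo "could not determine iptables flavour"; return 1 ;;
    esac
}

# daemon.json equivalent of --firewall-backend=nftables (key name assumed to
# mirror the flag, as Docker's other daemon options do).
render_firewall_backend_config() {
    cat <<'EOF'
{
  "firewall-backend": "nftables"
}
EOF
}

main() {
    if command -v iptables >/dev/null 2>&1; then
        ver=$(iptables -V 2>/dev/null || true)
    else
        ver='iptables v1.8.9 (nf_tables)'   # constructed sample for hosts without iptables
    fi
    if command -v nft >/dev/null 2>&1; then have_nft=yes; else have_nft=no; fi

    if nftables_backend_ready "$ver" "$have_nft"; then
        echo "start dockerd with --firewall-backend=nftables, or add to /etc/docker/daemon.json:"
        render_firewall_backend_config
    else
        echo "stay on the default iptables backend for now"
    fi
}

main
```

The readiness test is deliberately conservative: it refuses when it cannot tell which iptables the host runs, because the failure mode of mixing rule sets is silent (both sets apply, and the combined policy is hard to reason about) rather than an error at switch time.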

Additional Changes

Version 29.2.0 added experimental NRI (Node Resource Interface) support, allowing external plugins to hook into container lifecycle events for resource management and policy enforcement. A new Identity field in the container inspect endpoint exposes trusted origin and signature information for container images, providing runtime visibility into image provenance. BuildKit was updated to v0.27.1, bringing performance improvements and bug fixes to Docker's build subsystem.

Existing Docker installations upgrading to v29 will not be automatically migrated to the containerd image store; the new default applies to new installations only. On Docker Engine the switch is a daemon configuration change (the containerd-snapshotter feature flag), and it does not convert anything: images and containers in the previous store stay on disk but are not visible until the flag is reverted, so they have to be re-pulled or carried over with docker save and docker load. Docker provides migration tooling for users who want to transition existing installations to the containerd backend.
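The two practical questions raised above, which store a running daemon is using and how to opt an existing installation in, as a worked example. This is added here and is not Docker's tooling or code from the article. It assumes that `docker info` reports the containerd image store as a `driver-type: io.containerd.snapshotter.v1` line under Storage Driver (the legacy store shows only the graph driver, e.g. overlay2), and that the daemon.json feature flag is `containerd-snapshotter`. The `docker info` samples embedded below are constructed, so the script runs offline and falls back to them when no daemon is reachable.

```shell
#!/bin/sh
# Added example: tell which image store a dockerd uses, and render the
# daemon.json opt-in for hosts still on the legacy store. Not Docker's own
# tooling; see the lead-in for what is assumed.

# Classify a `docker info` text dump. With the containerd image store the
# "Storage Driver" block carries "driver-type: io.containerd.snapshotter.v1";
# the legacy graph-driver store has no such line.
image_store_from_info() {
    if printf '%s\n' "$1" | grep -q 'driver-type: io.containerd.snapshotter.v1'; then
        echo containerd
    else
        echo legacy
    fi
}

# Render the daemon.json opt-in. Switching does not migrate images: everything
# in the old store stays on disk but is invisible until the flag is reverted,
# so re-pull (or docker save / docker load) what you still need afterwards.
render_containerd_store_config() {
    cat <<'EOF'
{
  "features": {
    "containerd-snapshotter": true
  }
}
EOF
}

# Constructed sample output (not captured from a real host) for offline runs.
SAMPLE_LEGACY='Server:
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true'

SAMPLE_CONTAINERD='Server:
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1'

main() {
    # Use the live daemon when one answers; otherwise demonstrate on the sample.
    if command -v docker >/dev/null 2>&1; then
        info=$(docker info 2>/dev/null) || info="$SAMPLE_LEGACY"
    else
        info="$SAMPLE_LEGACY"
    fi

    store=$(image_store_from_info "$info")
    echo "image store: $store"
    if [ "$store" = legacy ]; then
        echo "to opt in, merge this into /etc/docker/daemon.json and restart dockerd:"
        render_containerd_store_config
    fi
}

main
```

Run it on a host before and after changing daemon.json; the second run should report `containerd`, and `docker image ls` will be empty until images are pulled again, which is the expected and easily misread consequence of the switch.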
