test(deps): update dependency docker to v28.3.0 (main)

[renovate]

This PR contains the following updates:

Package	Update	Change
docker	minor	v28.1.1 -> v28.3.0

---

Release Notes

moby/moby (docker)

v28.3.0: 28.3.0

Compare Source

28.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.0 milestone
• moby/moby, 28.3.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add support for AMD GPUs in docker run --gpus. moby/moby#49952
• Use DOCKER_AUTH_CONFIG as a credential store. docker/cli#6008

Bug fixes and enhancements

• Ensure that the state of the container in the daemon database (used by /containers/json API) is up to date when the container is stopped using the /containers/{id}/stop API (before response of API). moby/moby#50136
• Fix docker image inspect inspect omitting empty fields. moby/moby#50135
• Fix docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
• Fix docker pull/push hang in non-interactive when authentication is required caused by prompting for login credentials. docker/cli#6141
• Fix a potential resource leak when a node leaves a Swarm. moby/moby#50115
• Fix a regression where a login prompt on docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50211
• Remove an undocumented, hidden, top-level docker remove command that was accidentally introduced in Docker 23.0. docker/cli#6144
• Validate registry-mirrors configuration as part of dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240
• dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
• containerd image store: Fix docker push not creating a tag on the remote repository. moby/moby#50199
• containerd image store: Improve handling of errors returned by the token server during docker pull/push. moby/moby#50176

Packaging updates

• Allow customizing containerd service name for OpenRC. moby/moby#50156
• Update BuildKit to v0.23.1. moby/moby#50243
• Update Buildx to v0.25.0. docker/docker-ce-packaging#1217
• Update Compose to v2.37.2. docker/docker-ce-packaging#1219
• Update Docker Model CLI plugin to v0.1.30. docker/docker-ce-packaging#1218
• Update Go runtime to 1.24.4. docker/docker-ce-packaging#1213, moby/moby#50153, docker/cli#6124

Networking

• Revert Swarm related changes added in 28.2.x builds, due to a regression reported in https://github.com/moby/moby/issues/50129. moby/moby#50169
  • Revert: Fix an issue where docker network inspect --verbose could sometimes crash the daemon (https://github.com/moby/moby/pull/49937).
  • Revert: Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network (https://github.com/moby/moby/pull/49948).
  • Revert: Improve the reliability of NetworkDB in busy clusters and lossy networks (https://github.com/moby/moby/pull/49932).
  • Revert: Improvements to the reliability and convergence speed of NetworkDB (https://github.com/moby/moby/pull/49939).
• Fix an issue that could cause container startup to fail, or lead to failed UDP port mappings, when some container ports are mapped to 0.0.0.0 and others are mapped to specific host addresses. moby/moby#50054
• The network inspect response for an overlay network now reports that EnableIPv4 is true. moby/moby#50147
• Windows: Improve daemon startup time in cases where the host has networks of type "Mirrored". moby/moby#50155
• Windows: Make sure docker system prune and docker network prune only remove networks created by Docker. moby/moby#50154

API

• Update API version to 1.51. moby/moby#50145
• GET /images/json now sets the value of the Containers field for all images to the count of containers using the image. moby/moby#50146

Deprecations

• Empty/nil image config fields in the GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129
• api/types/container: deprecate ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
• pkg/idtools: deprecate IdentityMapping and Identity.Chown. moby/moby#50210

v28.2.2: 28.2.2

Compare Source

28.2.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.2.2 milestone
• moby/moby, 28.2.2 milestone

Bug fixes and enhancements

• containerd image store: Fix a regression causing docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105

Networking

• When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot. moby/moby#50098

v28.2.1: 28.2.1

Compare Source

28.2.1

Packaging updates

• Fix packaging regression in v28.2.0 which broke creating the docker group/user on fresh installations. docker-ce-packaging#1209

v28.2.0: 28.2.0

Compare Source

28.2.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.2.0 milestone
• moby/moby, 28.2.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

[!NOTE]
RHEL packages are currently not available and will be released later.

New

• Add {{.Platform}} as formatting option for docker ps to show the platform of the image the container is running. docker/cli#6042
• Add support for relative parent paths (../) on bind mount sources when using docker run/create with -v/--volume or --mount type=bind options. docker/cli#4966
• CDI is now enabled by default. moby/moby#49963
• Show discovered CDI devices in docker info. docker/cli#6078
• docker image rm: add --platform option to remove a variant from multi-platform images. docker/cli#6109
• containerd image store: Initial BuildKit support for building Windows container images on Windows (requires an opt-in with DOCKER_BUILDKIT=1). moby/moby#49740

Bug fixes and enhancements

• Add a new log option for fluentd log driver (fluentd-write-timeout), which enables specifying write timeouts for fluentd connections. moby/moby#49911
• Add support for DOCKER_AUTH_CONFIG for the experimental --use-api-socket option. docker/cli#6019
• Fix docker exec waiting for 10 seconds if a non-existing user or group was specified. moby/moby#49868
• Fix docker swarm init ignoring cacert option of --external-ca. docker/cli#5995
• Fix an issue where the CLI would not correctly save the configuration file (~/.docker/config.json) if it was a relative symbolic link. docker/cli#5282
• Fix containers with --restart always policy using CDI devices failing to start on daemon restart. moby/moby#49990
• Fix shell-completion to only complete some flags once, even though they can be set multiple times. docker/cli#6030
• Fix the plugin does not implement PluginAddr interface error for Swarm CSI drivers. moby/moby#49961
• Improve docker login error messages for invalid options. docker/cli#6036
• Make sure the terminal state is restored if the CLI is forcefully terminated. docker/cli#6058
• Update the default seccomp profile to match the libseccomp v2.6.0. The new syscalls are: listmount, statmount, lsm_get_self_attr, lsm_list_modules, lsm_set_self_attr, mseal, uretprobe, riscv_hwprobe, getxattrat, listxattrat, removexattrat, and setxattrat. This prevents containers from receiving EPERM errors when using them. moby/moby#50077
• docker inspect: add shell completion, improve flag-description for --type and improve validation. docker/cli#6052
• containerd image store: Enable BuildKit garbage collector by default. moby/moby#49899
• containerd image store: Fix docker build not persisting overridden images as dangling. moby/moby#49702
• containerd image store: Fix docker system df reporting a negative reclaimable space amount. moby/moby#49707
• containerd image store: Fix duplicate PUT requests when pushing a multi-platform image. moby/moby#49949

Packaging updates

• Drop Ubuntu 20.04 "Focal" packages as it reached end of life. docker/docker-ce-packaging#1200
• Fix install location for RPM-based docker-ce man-pages. docker/docker-ce-packaging#1203
• Update BuildKit to v0.22.0. moby/moby#50046
• Update Buildx to v0.24.0. docker/docker-ce-packaging#1205
• Update Compose to v2.36.2. docker/docker-ce-packaging#1208
• Update Go runtime to 1.24.3. docker/docker-ce-packaging#1192, docker/cli#6060, moby/moby#49174

Networking

• Add bridge network option "com.docker.network.bridge.trusted_host_interfaces", accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. moby/moby#49832
• Add daemon option "allow-direct-routing" to disable filtering of packets from outside the host addressed directly to containers. moby/moby#49832
• Do not display network options com.docker.network.enable_ipv4 or com.docker.network.enable_ipv6 in inspect output if they have been overridden by EnableIPv4 or EnableIPv6 in the network create request. moby/moby#49866
• Fix an issue that could cause network deletion to fail after a daemon restart, with error "has active endpoints" listing empty endpoint names. moby/moby#49901
• Fix an issue where docker network inspect --verbose could sometimes crash the daemon. moby/moby#49937
• Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network. moby/moby#49948
• Improve the reliability of NetworkDB in busy clusters and lossy networks. moby/moby#49932
• Improvements to the reliability and convergence speed of NetworkDB. moby/moby#49939

API

• Update API version to 1.50.
• DELETE /images/{name} now supports a platforms query parameter. It accepts an array of JSON-encoded OCI Platform objects, allowing for selecting a specific platforms to delete content for. moby/moby#49982
• GET /info now includes a DiscoveredDevices field. This is an array of DeviceInfo objects, each providing details about a device discovered by a device driver. moby/moby#49980

Go SDK

• api/types/container: add ContainerState and constants for container state. moby/moby#49965
• api/types/container: change Summary.State to a ContainerState. moby/moby#49991
• api/types/container: define HealthStatus type for health-status constants. moby/moby#49876
• api/types: deprecate BuildResult, ImageBuildOptions, ImageBuildOutput, ImageBuildResponse, BuilderVersion, BuilderV1, and BuilderBuildKi which were moved to api/types/build. moby/moby#50025

Deprecations

• API: Deprecated: GET /images/{name}/json no longer returns the following fields: Config, Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr, Tty, OpenStdin, StdinOnce, Image, NetworkDisabled (already omitted unless set), MacAddress (already omitted unless set), StopTimeout (already omitted unless set). These additional fields were included in the response due to an implementation detail but not part of the image's Configuration, were marked deprecated in API v1.46, and are now omitted. moby/moby#48457
• Go-SDK: Deprecate builder/remotecontext.Rel(). This function was needed on older versions of Go, but can now be replaced by filepath.Rel(). moby/moby#49843
• Go-SDK: api/types: deprecate BuildCachePruneOptions in favor of api/types/builder.CachePruneOptions. moby/moby#50015
• Go-SDK: api/types: deprecate BuildCachePruneReport in favor of api/types/builder.CachePruneReport. moby/moby#50015
• Go-SDK: api/types: deprecate NodeListOptions, NodeRemoveOptions, ServiceCreateOptions, ServiceUpdateOptions, RegistryAuthFromSpec, RegistryAuthFromPreviousSpec, ServiceListOptions, ServiceInspectOptions, and SwarmUnlockKeyResponse which were moved to api/types/swarm. moby/moby#50027
• Go-SDK: api/types: deprecate SecretCreateResponse, SecretListOptions, ConfigCreateResponse, ConfigListOptions which were moved to api/types/swarm. moby/moby#50024
• Go-SDK: client: deprecate IsErrNotFound. moby/moby#50012
• Go-SDK: container: deprecate IsValidHealthString in favor of api/types/container.ValidateHealthStatus. moby/moby#49893
• Go-SDK: container: deprecate StateStatus, WaitCondition, and the related WaitConditionNotRunning, WaitConditionNextExit, and WaitConditionRemoved consts in favor of their equivalents in api/types/container. moby/moby#49874
• Go-SDK: opts: deprecate ListOpts.GetAll in favor of ListOpts.GetSlice. docker/cli#6032
• Remove deprecated IsAutomated formatting placeholder from docker search. docker/cli#6091
• Remove fallback for pulling images from non-OCI-compliant docker.pkg.github.com registry. moby/moby#50094
• Remove support for pulling legacy v2, schema 1 images and remove DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE environment-variable. moby/moby#50036, moby/moby#42300
• The BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response were deprecated in API v1.48, and are now omitted in API v1.50. moby/moby#49904
• errdefs: Deprecate errdefs.FromStatusCode. Use containerd's errhttp.ToNative instead. moby/moby#50030

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.