diff --git a/_vendor/github.com/docker/buildx/docs/bake-reference.md b/_vendor/github.com/docker/buildx/docs/bake-reference.md index 192dded4fe60..d8fd5ecc3015 100644 --- a/_vendor/github.com/docker/buildx/docs/bake-reference.md +++ b/_vendor/github.com/docker/buildx/docs/bake-reference.md @@ -221,8 +221,10 @@ The following table shows the complete list of attributes that you can assign to | [`attest`](#targetattest) | List | Build attestations | | [`cache-from`](#targetcache-from) | List | External cache sources | | [`cache-to`](#targetcache-to) | List | External cache destinations | +| [`call`](#targetcall) | String | Specify the frontend method to call for the target. | | [`context`](#targetcontext) | String | Set of files located in the specified path or URL | | [`contexts`](#targetcontexts) | Map | Additional build contexts | +| [`description`](#targetdescription) | String | Description of a target | | [`dockerfile-inline`](#targetdockerfile-inline) | String | Inline Dockerfile string | | [`dockerfile`](#targetdockerfile) | String | Dockerfile location | | [`inherits`](#targetinherits) | List | Inherit attributes from other targets | @@ -371,6 +373,13 @@ target "app" { } ``` +Supported values are: + +- `build` builds the target (default) +- `check`: evaluates [build checks](https://docs.docker.com/build/checks/) for the target +- `outline`: displays the target's build arguments and their default values if available +- `targets`: lists all Bake targets in the loaded definition, along with its [description](#targetdescription). + For more information about frontend methods, refer to the CLI reference for [`docker buildx build --call`](https://docs.docker.com/reference/cli/docker/buildx/build/#call). 
@@ -481,6 +490,25 @@ FROM baseapp RUN echo "Hello world" ``` +### `target.description` + +Defines a human-readable description for the target, clarifying its purpose or +functionality. + +```hcl +target "lint" { + description = "Runs golangci-lint to detect style errors" + args = { + GOLANGCI_LINT_VERSION = null + } + dockerfile = "lint.Dockerfile" +} +``` + +This attribute is useful when combined with the `docker buildx bake --list=targets` +option, providing a more informative output when listing the available build +targets in a Bake file. + ### `target.dockerfile-inline` Uses the string value as an inline Dockerfile for the build target. diff --git a/_vendor/modules.txt b/_vendor/modules.txt index 3a19633bb399..1a83022753c9 100644 --- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -1,6 +1,6 @@ # github.com/moby/moby v27.5.0+incompatible # github.com/moby/buildkit v0.19.0 -# github.com/docker/buildx v0.20.0 +# github.com/docker/buildx v0.20.1 # github.com/docker/cli v27.5.0+incompatible # github.com/docker/compose/v2 v2.32.4 # github.com/docker/scout-cli v1.15.0 diff --git a/content/manuals/billing/docker-hub-pricing.md b/content/manuals/billing/docker-hub-pricing.md index 9b97802cde7e..f1b60043e8e1 100644 --- a/content/manuals/billing/docker-hub-pricing.md +++ b/content/manuals/billing/docker-hub-pricing.md @@ -10,7 +10,7 @@ to help you understand your storage consumption and costs. > [!NOTE] > -> Docker Hub plan limits will take effect on March 1, 2025. No charge on Docker Hub image pulls +> Docker Hub plan limits will take effect on March 1, 2025. No charges on Docker Hub image pulls or storage will be incurred from December 10, 2024 and February 28, 2025. ## How storage is measured 
@@ -23,7 +23,7 @@ Docker Hub measures storage using: ## How storage is calculated -Docker subscription plans include a specific amount of allocated +[Docker subscription plans](/manuals/subscription/details.md) include a specific amount of allocated private repository storage: - Personal plan: Includes up to 2GB of storage. @@ -31,10 +31,10 @@ private repository storage: - Team plan: Includes up to 50GB of storage. - Business plan: Includes up to 500GB of storage. -Docker Hub determines additional charges based on your average monthly usage of private repository storage. +Docker Hub determines additional charges based on your average monthly usage of private repository storage. If a repository is private at any point within an hour, it is counted as private for the full hour. If you go over your allocated private repository storage, you will incur overage -costs. To calculate overage costs the included storage for your plan is subtracted from your average monthly +costs. To calculate overage costs, the included storage for your plan is subtracted from your average monthly usage. ## Docker Hub consumption pricing @@ -56,7 +56,7 @@ at the end of your billing cycle. ### Storage carryover -If you pre-pay for storage, your purchased storage is valid for the entire subscription period. You can use it any time during that period, and any unused portion will roll over to the next month until the subscription period ends. +If you pre-pay for storage, your purchased storage is valid for your entire subscription period. You can use it any time during that period, and any unused portion will roll over to the next month until the subscription period ends. In the following example, a customer with an annual Business plan pre-pays for 500GB of storage for the year. Their plan includes a base allocation of 500GB of storage per month. - In January, they use 510 GB-month, exceed their base allocation, and use 10GB from their pre-paid storage. Their remaining pre-paid 
@@ -68,7 +68,7 @@ storage is 490GB. |---------------------------------|----------|----------|---------| | Included GB-month | 500 | 500 | 500 | | Used storage in month | 510 | 450 | 600 | -| Overage in GB-month | 10 | 0 | 100 | +| Overage in GB-month | 10 | 0 | 100 | | Remaining pre-purchased storage | 490 | 490 | 390 | At the end of March, the customer has 390GB of pre-purchased storage left to use for the rest of the year. diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index 77e393ef4eee..edc23caed501 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md @@ -92,6 +92,11 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec - Fixed a bug where resetting default settings would also reset the CLI context. - Fixed a bug where the Docker Desktop Dashboard would get out of sync with the Docker daemon after restarting the engine while in Resource Saver mode (Windows with WSL2 backend only) or after switching engines (macOS). - Fixed a bug where Resource Saver mode would fail to re-engage after restarting the engine while in Resource Saver mode. +- Build UI: + - Fixed a bug where the source file could not be found for some builds. + - Fixed a bug where error logs were not displayed in the **Source** tab. + - Fixed a bug where users had to scroll to the bottom for error logs in **Source** tab. + - Fixed a bug where timestamps would be broken in the **Logs** tab. #### For Mac 
@@ -178,6 +183,13 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec - Fixed a bug that restricted containers using `--network=host` to 18 open host ports. - Fixed bind mount ownership for non-root containers. Fixes [docker/for-mac#6243](https://github.com/docker/for-mac/issues/6243). - Docker Desktop will not unpause automatically after a manual pause. The system will stay paused until you manually resume the Docker engine. This fixes a bug where other software would accidentally trigger a resume by running a CLI command in the background. Fixes [for-mac/#6908](https://github.com/docker/for-mac/issues/6908) +- Build UI: + - The **Source** tab now supports multiple source files. + - Links for image dependencies in the **Info** tab now support other well-known registries such as GitHub, Google, and GitLab. + - Disabled the **Delete** button if only cloud builds are selected. + - Fixed an issue where users were unable to delete builds. + - Fixed malformed Jaeger traces that were missing events and links. + - Fixed missing export attributes when building with the cloud driver. #### For Mac diff --git a/content/manuals/desktop/setup/allow-list.md b/content/manuals/desktop/setup/allow-list.md index a801607e0466..28b285919ecb 100644 --- a/content/manuals/desktop/setup/allow-list.md +++ b/content/manuals/desktop/setup/allow-list.md @@ -29,5 +29,6 @@ This page contains the domain URLs that you need to add to a firewall allowlist |https://hub.docker.com| Docker Pull/Push | |https://registry-1.docker.io| Docker Pull/Push | |https://production.cloudflare.docker.com| Docker Pull/Push | +|https://docker-images-prod.r2.cloudflarestorage.com| Docker Pull/Push | |https://docker-pinata-support.s3.amazonaws.com| Troubleshooting | |https://api.dso.docker.com| Docker Scout service | diff --git a/content/manuals/engine/release-notes/27.md b/content/manuals/engine/release-notes/27.md index cb539519bf87..9761f4edcf8b 100644 
--- a/content/manuals/engine/release-notes/27.md +++ b/content/manuals/engine/release-notes/27.md @@ -27,6 +27,28 @@ For more information about: Release notes for Docker Engine version 27.5 releases. +## 27.5.1 + +{{< release-date date="2025-01-22" >}} + +For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: + +- [docker/cli, 27.5.1 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.5.1) +- [moby/moby, 27.5.1 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.5.1) + + +### Bug fixes and enhancements + +- Fix an issue that could persistently prevent daemon startup after failure to initialize the default bridge. [moby/moby#49307](https://github.com/moby/moby/pull/49307) +- Add a `DOCKER_IGNORE_BR_NETFILTER_ERROR` environment variable. Setting it to `1` allows running on hosts that cannot load `br_netfilter`. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network. [moby/moby#49306](https://github.com/moby/moby/pull/49306) + +### Packaging updates + +- Update Go runtime to 1.22.11 (fix CVE-2024-45341, CVE-2024-45336). [moby/moby#49312](https://github.com/moby/moby/pull/49312), [docker/docker-ce-packaging#1147](https://github.com/docker/docker-ce-packaging/pull/1147), [docker/cli#5762](https://github.com/docker/cli/pull/5762) +- Update RootlessKit to v2.3.2 to support `passt` >= 2024_10_30.ee7d0b6. [moby/moby#49304](https://github.com/moby/moby/pull/49304) +- Update Buildx to [v0.20.0](https://github.com/docker/buildx/releases/tag/v0.20.0). [docker/docker-ce-packaging#1149](https://github.com/docker/docker-ce-packaging/pull/1149) + + ### 27.5.0 {{< release-date date="2025-01-13" >}} 
diff --git a/content/manuals/security/faqs/single-sign-on/faqs.md b/content/manuals/security/faqs/single-sign-on/faqs.md index 85964d83d01d..383ee8df8aa8 100644 --- a/content/manuals/security/faqs/single-sign-on/faqs.md +++ b/content/manuals/security/faqs/single-sign-on/faqs.md @@ -58,3 +58,7 @@ other sensitive data in the directory. Due to potential security risks, Docker doesn't support this configuration. Instead, Docker recommends [configuring SCIM to enable group sync securely](/security/for-admins/provisioning/group-mapping/#use-group-mapping-with-scim). + +### Are there any firewall rules required for SSO configuration? + +No. There are no specific firewall rules required for configuring SSO, as long as the domain `login.docker.com` is accessible. This domain is commonly accessible by default. However, in rare cases, some organizations may have firewall restrictions in place that block this domain. If you encounter issues during SSO setup, ensure that `login.docker.com` is allowed in your network's firewall settings. \ No newline at end of file diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md index 470a0cb96885..d7d60e6fa024 100644 --- a/content/manuals/security/for-admins/access-tokens.md +++ b/content/manuals/security/for-admins/access-tokens.md @@ -3,7 +3,12 @@ title: Organization access tokens description: Learn how to create and manage organization access tokens to securely push and pull images programmatically. keywords: docker hub, security, OAT, organization access token -linkTitle: Organization access tokens (Beta) +linkTitle: Organization access tokens +params: + sidebar: + badge: + color: blue + text: Beta --- {{< summary-bar feature_name="OATs" >}} diff --git a/data/buildx/docker_buildx_bake.yaml b/data/buildx/docker_buildx_bake.yaml index 203d066a00a1..14666cf341a3 100644 --- a/data/buildx/docker_buildx_bake.yaml +++ b/data/buildx/docker_buildx_bake.yaml 
@@ -20,6 +20,7 @@ options: value_type: stringArray default_value: '[]' description: Allow build to access specified resources + details_url: '#allow' deprecated: false hidden: false experimental: false 
@@ -218,6 +219,80 @@ inherited_options: kubernetes: false swarm: false examples: |- + ### Allow extra privileged entitlement (--allow) {#allow} + + ```text + --allow=ENTITLEMENT[=VALUE] + ``` + + Entitlements are designed to provide controlled access to privileged + operations. By default, Buildx and BuildKit operates with restricted + permissions to protect users and their systems from unintended side effects or + security risks. The `--allow` flag explicitly grants access to additional + entitlements, making it clear when a build or bake operation requires elevated + privileges. + + In addition to BuildKit's `network.host` and `security.insecure` entitlements + (see [`docker buildx build --allow`](/reference/cli/docker/buildx/build/#allow), + Bake supports file system entitlements that grant granular control over file + system access. These are particularly useful when working with builds that need + access to files outside the default working directory. + + Bake supports the following filesystem entitlements: + + - `--allow fs=` - Grant read and write access to files outside of the + working directory. + - `--allow fs.read=` - Grant read access to files outside of the + working directory. + - `--allow fs.write=` - Grant write access to files outside of the + working directory. + + The `fs` entitlements take a path value (relative or absolute) to a directory + on the filesystem. Alternatively, you can pass a wildcard (`*`) to allow Bake + to access the entire filesystem. + + ### Example: fs.read + + Given the following Bake configuration, Bake would need to access the parent + directory, relative to the Bake file. + + ```hcl + target "app" { + context = "../src" + } + ``` + + Assuming `docker buildx bake app` is executed in the same directory as the + `docker-bake.hcl` file, you would need to explicitly allow Bake to read from + the `../src` directory. 
In this case, the following invocations all work: + + ```console + $ docker buildx bake --allow fs.read=* app + $ docker buildx bake --allow fs.read=../src app + $ docker buildx bake --allow fs=* app + ``` + + ### Example: fs.write + + The following `docker-bake.hcl` file requires write access to the `/tmp` + directory. + + ```hcl + target "app" { + output = "/tmp" + } + ``` + + Assuming `docker buildx bake app` is executed outside of the `/tmp` directory, + you would need to allow the `fs.write` entitlement, either by specifying the + path or using a wildcard: + + ```console + $ docker buildx bake --allow fs=/tmp app + $ docker buildx bake --allow fs.write=/tmp app + $ docker buildx bake --allow fs.write=* app + ``` + ### Override the configured builder instance (--builder) {#builder} Same as [`buildx --builder`](/reference/cli/docker/buildx/#builder). diff --git a/go.mod b/go.mod index 500a6b9e9f24..595dcbb688bc 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/docker/docs go 1.23.1 require ( - github.com/docker/buildx v0.20.0 // indirect + github.com/docker/buildx v0.20.1 // indirect github.com/docker/cli v27.5.0+incompatible // indirect github.com/docker/compose/v2 v2.32.4 // indirect github.com/docker/scout-cli v1.15.0 // indirect @@ -12,7 +12,7 @@ require ( ) replace ( - github.com/docker/buildx => github.com/docker/buildx v0.20.0 + github.com/docker/buildx => github.com/docker/buildx v0.20.1 github.com/docker/cli => github.com/docker/cli v27.5.0+incompatible github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.32.4 github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0 diff --git a/go.sum b/go.sum index ba47eca2db11..76a15346c1eb 100644 --- a/go.sum +++ b/go.sum 
@@ -90,6 +90,8 @@ github.com/docker/buildx v0.19.2 h1:2zXzgP2liQKgQ5BiOqMc+wz7hfWgAIMWw5MR6QDG++I= github.com/docker/buildx v0.19.2/go.mod h1:k4WP+XmGRYL0a7l4RZAI2TqpwhuAuSQ5U/rosRgFmAA= github.com/docker/buildx v0.20.0 h1:XM2EvwEfohbxLPAheVm03biNHpspB/dA6U9F0c6yJsI= github.com/docker/buildx v0.20.0/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic= +github.com/docker/buildx v0.20.1 h1:q88EfoYwrWEKVqNb9stOFq8fUlFp/OPlDcFE+QUYZBM= +github.com/docker/buildx v0.20.1/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic= github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM= github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw= diff --git a/layouts/_default/cli.html b/layouts/_default/cli.html index f9cd66d1dc79..1a5b0fad8a5d 100644 --- a/layouts/_default/cli.html +++ b/layouts/_default/cli.html @@ -17,7 +17,7 @@

{{ .Title }}

{{ with $data.short }} Description - {{ . }} + {{ . }} {{ end }} {{ with $data.usage }}
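Review bot: In `_vendor/github.com/docker/buildx/docs/bake-reference.md` (hunk `@@ -221,8 +221,10 @@`), the new `call` row ends its description with a period ("Specify the frontend method to call for the target.") while every other row visible in the hunk, including the new `description` row, has none. Drop the period, and consider a noun phrase such as "Frontend method to call for the target" so that the row reads like its neighbours.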
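Review bot: In `bake-reference.md` (hunk `@@ -371,6 +373,13 @@`), the "Supported values are:" list is punctuated inconsistently: `build` has no colon after the value, while `check`, `outline` and `targets` do. Add the colon to the `build` item, and in the `targets` item change "along with its [description]" to "along with their descriptions", since the antecedent is the plural "targets".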
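Review bot: In `bake-reference.md` (hunk `@@ -481,6 +490,25 @@`), the `target.description` example carries an `args = { GOLANGCI_LINT_VERSION = null }` block that has nothing to do with the attribute being documented and is not explained in the surrounding text. Either trim the example to `description` and `dockerfile`, or add a sentence saying why the argument is there. A cross-reference from this section to the `targets` value of `target.call` would also help, since both produce the listing that shows the description.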
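Review bot: In `content/manuals/billing/docker-hub-pricing.md` (hunk `@@ -10,7 +10,7 @@`), the note still reads "from December 10, 2024 and February 28, 2025" after the change from "charge" to "charges". The date range should be either "between December 10, 2024 and February 28, 2025" or "from December 10, 2024 to February 28, 2025"; since this line is already being touched, fix it in the same change.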
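Review bot: In `content/manuals/desktop/release-notes.md` (hunk `@@ -92,6 +92,11 @@`), the third new Build UI bullet is missing an article: "scroll to the bottom for error logs in **Source** tab" should read "in the **Source** tab", matching the bullet directly above it.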
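Review bot: In `content/manuals/engine/release-notes/27.md` (hunk `@@ -27,6 +27,28 @@`), the new release is added as `## 27.5.1` while the existing entry below it is `### 27.5.0`, and the new subsections `### Bug fixes and enhancements` and `### Packaging updates` then sit at the same level as the `27.5.0` heading. Use `### 27.5.1` with `####` subsections, or whatever levels the 27.5.0 entry uses, so the page outline stays consistent. The `DOCKER_IGNORE_BR_NETFILTER_ERROR` entry would also be clearer if "Some things won't work" were replaced by the concrete limitations it goes on to list.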
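Review bot: In `content/manuals/security/faqs/single-sign-on/faqs.md` (hunk `@@ -58,3 +58,7 @@`), the added FAQ entry leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows. Add the final newline. The answer also opens with "No." and then states a requirement that `login.docker.com` be reachable; consider rewording the opening so the requirement is not read past.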
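Review bot: In `data/buildx/docker_buildx_bake.yaml` (hunk `@@ -218,6 +219,80 @@`), the parenthetical that starts at "(see [`docker buildx build --allow`](/reference/cli/docker/buildx/build/#allow)," is never closed, so the rest of the sentence reads as part of the aside; add the closing parenthesis before the comma. In the first paragraph, "Buildx and BuildKit operates" should be "operate". Since the section is about granting privileges explicitly, consider listing the path-scoped invocations (`--allow fs.read=../src`, `--allow fs.write=/tmp`) before the wildcard forms in both examples, so that the narrowest grant is the one readers copy first.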