publish updates from main

_vendor/modules.txt

@@ -1,6 +1,6 @@
 # github.com/moby/moby v27.5.0+incompatible
 # github.com/moby/buildkit v0.19.0
-# github.com/docker/buildx v0.20.0
+# github.com/docker/buildx v0.20.1
 # github.com/docker/cli v27.5.0+incompatible
 # github.com/docker/compose/v2 v2.32.4
 # github.com/docker/scout-cli v1.15.0

content/manuals/billing/docker-hub-pricing.md

@@ -10,7 +10,7 @@ to help you understand your storage consumption and costs.
 
 > [!NOTE]
 >
-> Docker Hub plan limits will take effect on March 1, 2025. No charge on Docker Hub image pulls
+> Docker Hub plan limits will take effect on March 1, 2025. No charges on Docker Hub image pulls
 or storage will be incurred from December 10, 2024 and February 28, 2025.
 
 ## How storage is measured
@@ -23,18 +23,18 @@ Docker Hub measures storage using:
 
 ## How storage is calculated
 
-Docker subscription plans include a specific amount of allocated
+[Docker subscription plans](/manuals/subscription/details.md) include a specific amount of allocated
 private repository storage:
 
 - Personal plan: Includes up to 2GB of storage.
 - Pro plan: Includes up to 5GB of storage.
 - Team plan: Includes up to 50GB of storage.
 - Business plan: Includes up to 500GB of storage.
 
-Docker Hub determines additional charges based on your average monthly usage of private repository storage.
+Docker Hub determines additional charges based on your average monthly usage of private repository storage. If a repository is private at any point within an hour, it is counted as private for the full hour.
 
 If you go over your allocated private repository storage, you will incur overage
-costs. To calculate overage costs the included storage for your plan is subtracted from your average monthly
+costs. To calculate overage costs, the included storage for your plan is subtracted from your average monthly
 usage.
 
 ## Docker Hub consumption pricing
@@ -56,7 +56,7 @@ at the end of your billing cycle.
 
 ### Storage carryover
 
-If you pre-pay for storage, your purchased storage is valid for the entire subscription period. You can use it any time during that period, and any unused portion will roll over to the next month until the subscription period ends.
+If you pre-pay for storage, your purchased storage is valid for your entire subscription period. You can use it any time during that period, and any unused portion will roll over to the next month until the subscription period ends.
 
 In the following example, a customer with an annual Business plan pre-pays for 500GB of storage for the year. Their plan includes a base allocation of 500GB of storage per month.
 - In January, they use 510 GB-month, exceed their base allocation, and use 10GB from their pre-paid storage. Their remaining pre-paid
@@ -68,7 +68,7 @@ storage is 490GB.
 |---------------------------------|----------|----------|---------|
 | Included GB-month	              | 500	     | 500      | 500     |
 | Used storage in month	          | 510	     | 450	    | 600     |
-| Overage in GB-month	          | 10	     | 0	    | 100     |
+| Overage in GB-month	            | 10	     | 0	      | 100     |
 | Remaining pre-purchased storage |	490	     | 490	    | 390     |
 
 At the end of March, the customer has 390GB of pre-purchased storage left to use for the rest of the year.

content/manuals/desktop/release-notes.md

@@ -92,6 +92,11 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec
 - Fixed a bug where resetting default settings would also reset the CLI context.
 - Fixed a bug where the Docker Desktop Dashboard would get out of sync with the Docker daemon after restarting the engine while in Resource Saver mode (Windows with WSL2 backend only) or after switching engines (macOS).
 - Fixed a bug where Resource Saver mode would fail to re-engage after restarting the engine while in Resource Saver mode.
+- Build UI:
+  - Fixed a bug where the source file could not be found for some builds.
+  - Fixed a bug where error logs were not displayed in the **Source** tab.
+  - Fixed a bug where users had to scroll to the bottom for error logs in **Source** tab.
+  - Fixed a bug where timestamps would be broken in the **Logs** tab.
 
 #### For Mac
 
@@ -178,6 +183,13 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec
 - Fixed a bug that restricted containers using `--network=host` to 18 open host ports.
 - Fixed bind mount ownership for non-root containers. Fixes [docker/for-mac#6243](https://github.com/docker/for-mac/issues/6243).
 - Docker Desktop will not unpause automatically after a manual pause. The system will stay paused until you manually resume the Docker engine. This fixes a bug where other software would accidentally trigger a resume by running a CLI command in the background. Fixes [for-mac/#6908](https://github.com/docker/for-mac/issues/6908)
+- Build UI:
+  - The **Source** tab now supports multiple source files.
+  - Links for image dependencies in the **Info** tab now support other well-known registries such as GitHub, Google, and GitLab.
+  - Disabled the **Delete** button if only cloud builds are selected.
+  - Fixed an issue where users were unable to delete builds.
+  - Fixed malformed Jaeger traces that were missing events and links.
+  - Fixed missing export attributes when building with the cloud driver.
 
 #### For Mac
 

content/manuals/desktop/setup/allow-list.md

@@ -29,5 +29,6 @@ This page contains the domain URLs that you need to add to a firewall allowlist
 |https://hub.docker.com| Docker Pull/Push |
 |https://registry-1.docker.io| Docker Pull/Push |
 |https://production.cloudflare.docker.com| Docker Pull/Push |
+|https://docker-images-prod.r2.cloudflarestorage.com| Docker Pull/Push |
 |https://docker-pinata-support.s3.amazonaws.com| Troubleshooting |
 |https://api.dso.docker.com| Docker Scout service |

content/manuals/engine/release-notes/27.md

@@ -27,6 +27,28 @@ For more information about:
 
 Release notes for Docker Engine version 27.5 releases.
 
+## 27.5.1
+
+{{< release-date date="2025-01-22" >}}
+
+For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
+
+- [docker/cli, 27.5.1 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.5.1)
+- [moby/moby, 27.5.1 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.5.1)
+
+
+### Bug fixes and enhancements
+
+- Fix an issue that could persistently prevent daemon startup after failure to initialize the default bridge. [moby/moby#49307](https://github.com/moby/moby/pull/49307)
+- Add a `DOCKER_IGNORE_BR_NETFILTER_ERROR` environment variable. Setting it to `1` allows running on hosts that cannot load `br_netfilter`. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network.  [moby/moby#49306](https://github.com/moby/moby/pull/49306)
+
+### Packaging updates
+
+- Update Go runtime to 1.22.11 (fix CVE-2024-45341, CVE-2024-45336). [moby/moby#49312](https://github.com/moby/moby/pull/49312), [docker/docker-ce-packaging#1147](https://github.com/docker/docker-ce-packaging/pull/1147), [docker/cli#5762](https://github.com/docker/cli/pull/5762)
+- Update RootlessKit to v2.3.2 to support `passt` >= 2024_10_30.ee7d0b6. [moby/moby#49304](https://github.com/moby/moby/pull/49304)
+- Update Buildx to [v0.20.0](https://github.com/docker/buildx/releases/tag/v0.20.0). [docker/docker-ce-packaging#1149](https://github.com/docker/docker-ce-packaging/pull/1149)
+
+
 ### 27.5.0
 
 {{< release-date date="2025-01-13" >}}

content/manuals/security/faqs/single-sign-on/faqs.md

@@ -58,3 +58,7 @@ other sensitive data in the directory. Due to potential security risks, Docker
 doesn't support this configuration. Instead, Docker recommends [configuring SCIM
 to enable group sync
 securely](/security/for-admins/provisioning/group-mapping/#use-group-mapping-with-scim).
+
+### Are there any firewall rules required for SSO configuration?
+
+No. There are no specific firewall rules required for configuring SSO, as long as the domain `login.docker.com` is accessible. This domain is commonly accessible by default. However, in rare cases, some organizations may have firewall restrictions in place that block this domain. If you encounter issues during SSO setup, ensure that `login.docker.com` is allowed in your network's firewall settings.

content/manuals/security/for-admins/access-tokens.md

@@ -3,7 +3,12 @@ title: Organization access tokens
 description: Learn how to create and manage organization access tokens
   to securely push and pull images programmatically.
 keywords: docker hub, security, OAT, organization access token
-linkTitle: Organization access tokens (Beta)
+linkTitle: Organization access tokens
+params:
+  sidebar:
+    badge:
+      color: blue
+      text: Beta
 ---
 
 {{< summary-bar feature_name="OATs" >}}

data/buildx/docker_buildx_bake.yaml

@@ -20,6 +20,7 @@ options:
       value_type: stringArray
       default_value: '[]'
       description: Allow build to access specified resources
+      details_url: '#allow'
       deprecated: false
       hidden: false
       experimental: false
@@ -218,6 +219,80 @@ inherited_options:
       kubernetes: false
       swarm: false
 examples: |-
+    ### Allow extra privileged entitlement (--allow) {#allow}
+
+    ```text
+    --allow=ENTITLEMENT[=VALUE]
+    ```
+
+    Entitlements are designed to provide controlled access to privileged
+    operations. By default, Buildx and BuildKit operates with restricted
+    permissions to protect users and their systems from unintended side effects or
+    security risks. The `--allow` flag explicitly grants access to additional
+    entitlements, making it clear when a build or bake operation requires elevated
+    privileges.
+
+    In addition to BuildKit's `network.host` and `security.insecure` entitlements
+    (see [`docker buildx build --allow`](/reference/cli/docker/buildx/build/#allow),
+    Bake supports file system entitlements that grant granular control over file
+    system access. These are particularly useful when working with builds that need
+    access to files outside the default working directory.
+
+    Bake supports the following filesystem entitlements:
+
+    - `--allow fs=<path|*>` - Grant read and write access to files outside of the
+      working directory.
+    - `--allow fs.read=<path|*>` - Grant read access to files outside of the
+      working directory.
+    - `--allow fs.write=<path|*>` - Grant write access to files outside of the
+      working directory.
+
+    The `fs` entitlements take a path value (relative or absolute) to a directory
+    on the filesystem. Alternatively, you can pass a wildcard (`*`) to allow Bake
+    to access the entire filesystem.
+
+    ### Example: fs.read
+
+    Given the following Bake configuration, Bake would need to access the parent
+    directory, relative to the Bake file.
+
+    ```hcl
+    target "app" {
+      context = "../src"
+    }
+    ```
+
+    Assuming `docker buildx bake app` is executed in the same directory as the
+    `docker-bake.hcl` file, you would need to explicitly allow Bake to read from
+    the `../src` directory. In this case, the following invocations all work:
+
+    ```console
+    $ docker buildx bake --allow fs.read=* app
+    $ docker buildx bake --allow fs.read=../src app
+    $ docker buildx bake --allow fs=* app
+    ```
+
+    ### Example: fs.write
+
+    The following `docker-bake.hcl` file requires write access to the `/tmp`
+    directory.
+
+    ```hcl
+    target "app" {
+      output = "/tmp"
+    }
+    ```
+
+    Assuming `docker buildx bake app` is executed outside of the `/tmp` directory,
+    you would need to allow the `fs.write` entitlement, either by specifying the
+    path or using a wildcard:
+
+    ```console
+    $ docker buildx bake --allow fs=/tmp app
+    $ docker buildx bake --allow fs.write=/tmp app
+    $ docker buildx bake --allow fs.write=* app
+    ```
+
     ### Override the configured builder instance (--builder) {#builder}
 
     Same as [`buildx --builder`](/reference/cli/docker/buildx/#builder).

go.mod

@@ -3,7 +3,7 @@ module github.com/docker/docs
 go 1.23.1
 
 require (
-	github.com/docker/buildx v0.20.0 // indirect
+	github.com/docker/buildx v0.20.1 // indirect
 	github.com/docker/cli v27.5.0+incompatible // indirect
 	github.com/docker/compose/v2 v2.32.4 // indirect
 	github.com/docker/scout-cli v1.15.0 // indirect
@@ -12,7 +12,7 @@ require (
 )
 
 replace (
-	github.com/docker/buildx => github.com/docker/buildx v0.20.0
+	github.com/docker/buildx => github.com/docker/buildx v0.20.1
 	github.com/docker/cli => github.com/docker/cli v27.5.0+incompatible
 	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.32.4
 	github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0

go.sum

@@ -90,6 +90,8 @@ github.com/docker/buildx v0.19.2 h1:2zXzgP2liQKgQ5BiOqMc+wz7hfWgAIMWw5MR6QDG++I=
 github.com/docker/buildx v0.19.2/go.mod h1:k4WP+XmGRYL0a7l4RZAI2TqpwhuAuSQ5U/rosRgFmAA=
 github.com/docker/buildx v0.20.0 h1:XM2EvwEfohbxLPAheVm03biNHpspB/dA6U9F0c6yJsI=
 github.com/docker/buildx v0.20.0/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
+github.com/docker/buildx v0.20.1 h1:q88EfoYwrWEKVqNb9stOFq8fUlFp/OPlDcFE+QUYZBM=
+github.com/docker/buildx v0.20.1/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
 github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
 github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw=

layouts/_default/cli.html

@@ -17,7 +17,7 @@ <h1 class="scroll-mt-36">{{ .Title }}</h1>
           {{ with $data.short }}
           <tr>
             <th class="text-left w-32">Description</th>
-            <td>{{ . }}</th>
+            <td>{{ . }}</td>
           </tr>
           {{ end }}
           {{ with $data.usage }}