publish updates from main

.github/workflows/build.yml

@@ -36,9 +36,6 @@ jobs:
           files: |
             docker-bake.hcl
           targets: releaser-build
-          set: |
-            *.cache-from=type=gha,scope=releaser
-            *.cache-to=type=gha,scope=releaser,mode=max
 
   build:
     runs-on: ubuntu-24.04
@@ -59,9 +56,6 @@ jobs:
           files: |
             docker-bake.hcl
           targets: release
-          set: |
-            *.cache-from=type=gha,scope=build
-            *.cache-to=type=gha,scope=build,mode=max
       -
         name: Check Cloudfront config
         uses: docker/bake-action@v6
@@ -110,6 +104,3 @@ jobs:
           targets: ${{ matrix.target }}
           set: |
             *.args.BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
-            *.cache-to=type=gha,scope=validate-${{ matrix.target }},mode=max
-            *.cache-from=type=gha,scope=validate-${{ matrix.target }}
-            *.cache-from=type=gha,scope=build

.github/workflows/deploy.yml

@@ -96,9 +96,6 @@ jobs:
           files: |
             docker-bake.hcl
           targets: release
-          set: |
-            *.cache-from=type=gha,scope=deploy-${{ env.BRANCH_NAME }}
-            *.cache-to=type=gha,scope=deploy-${{ env.BRANCH_NAME }},mode=max
           provenance: false
       -
         name: Configure AWS Credentials
@@ -134,8 +131,6 @@ jobs:
           files: |
             docker-bake.hcl
           targets: aws-s3-update-config
-          set: |
-            *.cache-from=type=gha,scope=releaser
         env:
           AWS_REGION: ${{ env.DOCS_AWS_REGION }}
           AWS_S3_BUCKET: ${{ env.DOCS_S3_BUCKET }}

.github/workflows/validate-upstream.yml

@@ -97,9 +97,6 @@ jobs:
             docker-bake.hcl
           targets: validate-upstream
           provenance: false
-          set: |
-            *.cache-from=type=gha,scope=docs-upstream
-            *.cache-to=type=gha,scope=docs-upstream
         env:
           UPSTREAM_MODULE_NAME: ${{ inputs.module-name }}
           UPSTREAM_REPO: ${{ github.repository }}

_vale/Docker/Acronyms.yml

@@ -38,6 +38,7 @@ exceptions:
   - DCT
   - DEBUG
   - DHCP
+  - DMR
   - DNS
   - DOM
   - DPI
@@ -85,8 +86,8 @@ exceptions:
   - LTS
   - MAC
   - MATE
-  - MCP
   - mcp
+  - MCP
   - MDM
   - MDN
   - MSI
@@ -105,8 +106,8 @@ exceptions:
   - PATH
   - PDF
   - PEM
-  - PID
   - PHP
+  - PID
   - POSIX
   - POST
   - QA

_vendor/modules.txt

@@ -3,5 +3,5 @@
 # github.com/docker/buildx v0.24.0
 # github.com/docker/cli v28.2.1+incompatible
 # github.com/docker/compose/v2 v2.36.2
-# github.com/docker/model-cli v0.1.25
+# github.com/docker/model-cli v0.1.26-0.20250527144806-15d0078a3c01
 # github.com/docker/scout-cli v1.15.0

content/contribute/file-conventions.md

@@ -37,7 +37,7 @@ following keys are supported. The title, description, and keywords are required.
 Here's an example of a valid (but contrived) page metadata. The order of
 the metadata elements in the front matter isn't important.
 
-```liquid
+```text
 ---
 description: Instructions for installing Docker Engine on Ubuntu
 keywords: requirements, apt, installation, ubuntu, install, uninstall, upgrade, update
@@ -70,7 +70,7 @@ Splitting long lines (preferably up to 80 characters) can make it easier to prov
 If you want to add an entry to the sidebar, but you want the link to point somewhere else, you can use the `sidebar.goto` parameter.
 This is useful in combination with `build.render` set to `always`, which creates a pageless entry in the sidebar that links to another page.
 
-```md
+```text
 ---
 title: Dummy sidebar link
 build:

content/manuals/ai/model-runner.md

@@ -8,7 +8,7 @@
     group: AI
 weight: 20
 description: Learn how to use Docker Model Runner to manage and run AI models.
-keywords: Docker, ai, model runner, docker deskotp, llm
+keywords: Docker, ai, model runner, docker desktop, docker engine, llm
 aliases:
   - /desktop/features/model-runner/
   - /ai/model-runner/
@@ -45,6 +45,37 @@
 
 You can now use the `docker model` command in the CLI and view and interact with your local models in the **Models** tab in the Docker Desktop Dashboard.
 
+### Enable DMR in Docker Engine
+
+1. Ensure you have installed [Docker Engine](/engine/install/).
+2. DMR is available as a package. To install it, run:
+
+   {{< tabs >}}
+   {{< tab name="Ubuntu/Debian">}}
+
+   ```console
+   $ sudo apt-get update
+   $ sudo apt-get install docker-model-plugin
+   ```
+
+   {{< /tab >}}
+   {{< tab name="RPM-base distributions">}}
+
+   ```console
+   $ sudo dnf update
+   $ sudo dnf install docker-model-plugin
+   ```
+
+   {{< /tab >}}
+   {{< /tabs >}}
+
+3. Test the installation:
+
+   ```console
+   $ docker model version
+   $ docker model run ai/smollm2
+   ```
+
 ## Integrate the Docker Model Runner into your software development lifecycle
 
 You can now start building your Generative AI application powered by the Docker Model Runner.
@@ -143,6 +174,10 @@
 
 1. Enable the host-side TCP support from the Docker Desktop GUI, or via the [Docker Desktop CLI](/manuals/desktop/features/desktop-cli.md).
    For example: `docker desktop enable model-runner --tcp <port>`.
+
+   If you are running on Windows, also enable GPU-backed inference.
+   See [Enable Docker Model Runner](#enable-dmr-in-docker-desktop).
+
 2. Interact with it as documented in the previous section using `localhost` and the correct port.
 
 ```bash

content/manuals/compose/releases/release-notes.md

@@ -13,7 +13,7 @@ aliases:
 
 For more detailed information, see the [release notes in the Compose repo](https://github.com/docker/compose/releases/).
 
-## 2.36.1
+## 2.36.2
 
 {{< release-date date="2025-05-23" >}}
 

content/manuals/engine/network/packet-filtering-firewalls.md

@@ -150,15 +150,51 @@
 arrange for external routing to container addresses ("direct routing").
 
 To access containers on a bridge network from outside the Docker host,
-you must set up routing to the bridge network via an address on the Docker
-host. This can be achieved using static routes, Border Gateway Protocol
-(BGP), or any other means appropriate for your network.
-
-Within a local layer 2 network, remote hosts can set up static routes
-to a container network using the Docker daemon host's address on the local
-network. Those hosts can access containers directly. For remote hosts
-outside the local network, direct access to containers requires router
-configuration to enable the necessary routing.
+you must first set up routing to the bridge network via an address on the
+Docker host. This can be achieved using static routes, Border Gateway Protocol (BGP),
+or any other means appropriate for your network. For example, within
+a local layer 2 network, remote hosts can set up static routes to a container
+network via the Docker daemon host's address on the local network.
+
+#### Direct routing to containers in bridge networks
+
+By default, remote hosts are not allowed direct access to container IP
+addresses in Docker's Linux bridge networks. They can only access ports
+published to host IP addresses.
+
+To allow direct access to any published port, on any container, in any
+Linux bridge network, use daemon option `"allow-direct-routing": true`
+in `/etc/docker/daemon.json` or the equivalent `--allow-direct-routing`.
+
+To allow direct routing from anywhere to containers in a specific bridge
+network, see [Gateway modes](#gateway-modes).
+
+Or, to allow direct routing via specific host interfaces, to a specific
+bridge network, use the following option when creating the network:
+- `com.docker.network.bridge.trusted_host_interfaces`
+
+#### Example
+
+Create a network where published ports on container IP addresses can be
+accessed directly from interfaces `vxlan.1` and `eth3`:
+
+```console
+$ docker network create --subnet 192.0.2.0/24 --ip-range 192.0.2.0/29 -o com.docker.network.bridge.trusted_host_interfaces="vxlan.1:eth3" mynet
+```
+
+Run a container in that network, publishing its port 80 to port 8080 on
+the host's loopback interface:
+
+```console
+$ docker run -d --ip 192.0.2.100 -p 127.0.0.1:8080:80 nginx
+```
+
+The web server running on the container's port 80 can now be accessed
+from the Docker host at `http://127.0.0.1:8080`, or directly at
+`http://192.0.2.100:80`. If remote hosts on networks connected to
+interfaces `vxlan.1` and `eth3` have a route to the `192.0.2.0/24`
+network inside the Docker host, they can also access the web server
+via `http://192.0.2.100:80`.
 
 #### Gateway modes
 

content/manuals/engine/release-notes/28.md

@@ -82,7 +82,7 @@ For a full list of pull requests and changes in this release, refer to the relev
 
 ### Networking
 
-- Add bridge network option `"com.docker.network.bridge.trusted_host_interfaces"`, accepting a space-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. [moby/moby#49832](https://github.com/moby/moby/pull/49832)
+- Add bridge network option `"com.docker.network.bridge.trusted_host_interfaces"`, accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. [moby/moby#49832](https://github.com/moby/moby/pull/49832)
 - Add daemon option `"allow-direct-routing"` to disable filtering of packets from outside the host addressed directly to containers. [moby/moby#49832](https://github.com/moby/moby/pull/49832)
 - Do not display network options `com.docker.network.enable_ipv4` or `com.docker.network.enable_ipv6` in inspect output if they have been overridden by `EnableIPv4` or `EnableIPv6` in the network create request. [moby/moby#49866](https://github.com/moby/moby/pull/49866)
 - Fix an issue that could cause network deletion to fail after a daemon restart, with error "has active endpoints" listing empty endpoint names. [moby/moby#49901](https://github.com/moby/moby/pull/49901)

content/manuals/security/_index.md

@@ -59,10 +59,6 @@ grid_admins:
   description: Create organization access tokens as an alternative to a password.
   link: /security/for-admins/access-tokens/
   icon: password
-- title: Enforce sign-in
-  description: Enforce your users to sign in to Docker Desktop.
-  link: /security/for-admins/enforce-sign-in/
-  icon: login
 grid_developers:
 - title: Set up two-factor authentication
   description: Add an extra layer of authentication to your Docker account.

data/summary.yaml

@@ -152,7 +152,7 @@ Docker GitHub Copilot:
   availability: Early Access
 Docker Model Runner:
   availability: Beta
-  requires: Docker Desktop 4.40 and later
+  requires: Docker Engine or Docker Desktop (Windows) 4.41+ or Docker Desktop (MacOS) 4.40+
   for: Docker Desktop for Mac with Apple Silicon or Windows with NVIDIA GPUs
 Docker Projects:
   availability: Beta

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/docker/buildx v0.24.0 // indirect
 	github.com/docker/cli v28.2.1+incompatible // indirect
 	github.com/docker/compose/v2 v2.36.2 // indirect
-	github.com/docker/model-cli v0.1.25 // indirect
+	github.com/docker/model-cli v0.1.26-0.20250527144806-15d0078a3c01 // indirect
 	github.com/docker/scout-cli v1.15.0 // indirect
 	github.com/moby/buildkit v0.22.0 // indirect
 	github.com/moby/moby v28.2.1+incompatible // indirect