docker · aevesdocker · Jul 3, 2025 · Jul 3, 2025 · Jul 3, 2025 · Jul 3, 2025
diff --git a/content/includes/gordondhi.md b/content/includes/gordondhi.md
diff --git a/content/manuals/ai/compose/model-runner.md b/content/manuals/ai/compose/model-runner.md
@@ -40,7 +40,7 @@ services:
 
 models:
   smollm2:
-    image: ai/smollm2
+    model: ai/smollm2
 ```
 
 ### How it works
@@ -70,7 +70,7 @@ services:
 
 models:
   smollm2:
-    image: ai/smollm2
+    model: ai/smollm2
 ```
 
 With this configuration, your `my-chat-app` service will receive:

diff --git a/content/manuals/ai/compose/models-and-compose.md b/content/manuals/ai/compose/models-and-compose.md
@@ -42,7 +42,7 @@ services:
 
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
 ```
 
 This example defines:
@@ -56,7 +56,7 @@ Models support various configuration options:
 ```yaml
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
     context_size: 1024
     runtime_flags:
       - "--a-flag"
@@ -87,9 +87,9 @@ services:
 
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
   embedding-model:
-    image: ai/all-minilm
+    model: ai/all-minilm
 ```
 
 With short syntax, the platform automatically generates environment variables based on the model name:
@@ -116,9 +116,9 @@ services:
 
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
   embedding-model:
-    image: ai/all-minilm
+    model: ai/all-minilm
 ```
 
 With this configuration, your service receives:
@@ -142,7 +142,7 @@ services:
 
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
 ```
 
 Docker Model Runner will:
@@ -163,9 +163,9 @@ services:
 
 models:
   llm:
-    image: ai/smollm2
+    model: ai/smollm2
     # Cloud-specific configurations
-    labels:
+    x-cloud-options:
       - "cloud.instance-type=gpu-small"
       - "cloud.region=us-west-2"
 ```

diff --git a/content/manuals/ai/gordon/_index.md b/content/manuals/ai/gordon/_index.md
@@ -20,13 +20,12 @@ of the Docker ecosystem.
 
 ## Key features
 
-Ask Gordon provides AI-powered assistance in Docker tools. It can:
+Ask Gordon provides AI-powered assistance within Docker tools. It can:
 
 - Improve Dockerfiles
 - Run and troubleshoot containers
 - Interact with your images and code
 - Find vulnerabilities or configuration issues
-- Migrate a Dockerfile to use [Docker Hardened Images](/manuals/dhi/_index.md)
 
 It understands your local environment, including source code, Dockerfiles, and
 images, to provide personalized and actionable guidance.
@@ -105,10 +104,9 @@ If you have concerns about data collection or usage, you can
 
 ## Using Ask Gordon
 
-You can access Gordon:
-
-- In Docker Desktop, in the **Ask Gordon** view.
-- Via the Docker CLI, with the `docker ai` CLI command.
+The primary interfaces to Docker's AI capabilities are through the **Ask
+Gordon** view in Docker Desktop, or if you prefer to use the CLI: the `docker
+ai` CLI command.
 
 Once you've enabled the Docker AI features, you'll also find references to **Ask
 Gordon** in various other places throughout the Docker Desktop user interface.
@@ -124,7 +122,6 @@ ways things you can try:
 - [Troubleshoot a crashed container](#troubleshoot-a-crashed-container)
 - [Get help with running a container](#get-help-with-running-a-container)
 - [Improve a Dockerfile](#improve-a-dockerfile)
-- [Migrate a Dockerfile to DHI](#migrate-a-dockerfile-to-dhi)
 
 For more examples, try asking Gordon directly. For example:
 
@@ -200,17 +197,6 @@ across several dimensions:
 - Portability
 - Resource efficiency
 
-### Migrate a Dockerfile to DHI
-
-Migrating your Dockerfile to use [Docker Hardened Images](/manuals/dhi/_index.md) helps you build
-more secure, minimal, and production-ready containers. DHIs are designed to
-reduce vulnerabilities, enforce best practices, and simplify compliance, making
-them a strong foundation for secure software supply chains.
-
-To request Gordon's help for the migration:
-
-{{% include "gordondhi.md" %}}
-
 ## Disable Ask Gordon
 
 ### For individual users

@@ -46,6 +46,10 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 - [Docker Engine v28.3.0](https://docs.docker.com/engine/release-notes/28/#2830)
 - [NVIDIA Container Toolkit v1.17.8](https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.17.8)
 
+### Security 
+
+- Fixed [CVE-2025-6587](https://www.cve.org/CVERecord?id=CVE-2025-6587) where sensitive system environment variables were included in Docker Desktop diagnostic logs, allowing for potential secret exposure.
+
 ### Bug fixes and enhancements
 
 #### For all platforms

@@ -78,4 +78,4 @@ and CI to scanning and deployment. They:
 - Include security metadata that plugs into your existing compliance systems
 
 This means you can adopt stronger security controls without disrupting your
-engineering workflows.
+engineering workflows.
@@ -9,9 +9,7 @@ keywords: migrate dockerfile, hardened base image, multi-stage build, non-root c
 {{< summary-bar feature_name="Docker Hardened Images" >}}
 
 This guide helps you migrate your existing Dockerfiles to use Docker Hardened
-Images (DHIs) [manually](#step-1-update-the-base-image-in-your-dockerfile),
-or with [Gordon](#use-gordon).
-DHIs are minimal and security-focused, which may require
+Images (DHIs). DHIs are minimal and security-focused, which may require
 adjustments to your base images, build process, and runtime configuration.
 
 This guide focuses on migrating framework images, such as images for building
@@ -242,10 +240,3 @@ ENTRYPOINT [ "python", "/app/image.py" ]
 
 {{< /tab >}}
 {{< /tabs >}}
-
-### Use Gordon
-
-Alternatively, you can request assistance to 
-[Gordon](/manuals/ai/gordon/_index.md), Docker's AI-powered assistant, to migrate your Dockerfile:
-
-{{% include "gordondhi.md" %}}
@@ -7,30 +7,38 @@ toc_min: 1
 toc_max: 2
 ---
 
+## Docker Desktop 4.43.0 Security Update: CVE-2025-6587
+
+_Last updated July 03, 2025_
+
+A vulnerability in Docker Desktop was fixed on July 03 in the [4.43.0](/manuals/desktop/release-notes.md#4430) release: 
+
+- Fixed [CVE-2025-6587](https://www.cve.org/CVERecord?id=CVE-2025-6587) where sensitive system environment variables were included in Docker Desktop diagnostic logs, allowing for potential secret exposure.
+
 ## Docker Desktop 4.41.0 Security Update: CVE-2025-3224, CVE-2025-4095, and CVE-2025-3911
 
 _Last updated May 15, 2025_
 
-Three vulnerabilities in Docker Desktop were fixed on April 28 in the [4.41.0](https://docs.docker.com/desktop/release-notes/#4410) release.
+Three vulnerabilities in Docker Desktop were fixed on April 28 in the [4.41.0](/manuals/desktop/release-notes.md#4410) release.
 
 - Fixed [CVE-2025-3224](https://www.cve.org/CVERecord?id=CVE-2025-3224) allowing an attacker with access to a user machine to perform an elevation of privilege when Docker Desktop updates.
 - Fixed [CVE-2025-4095](https://www.cve.org/CVERecord?id=CVE-2025-4095) where Registry Access Management (RAM) policies were not enforced when using a MacOS configuration profile, allowing users to pull images from unapproved registries.
 - Fixed [CVE-2025-3911](https://www.cve.org/CVERecord?id=CVE-2025-3911) allowing an attacker with read access to a user's machine to obtain sensitive information from Docker Desktop log files, including environment variables configured for running containers.
 
-We strongly encourage you to update to Docker Desktop [4.41.0](https://docs.docker.com/desktop/release-notes/#4410).
+We strongly encourage you to update to Docker Desktop [4.41.0](/manuals/desktop/release-notes.md#4410).
 
 ## Docker Desktop 4.34.2 Security Update: CVE-2024-8695 and CVE-2024-8696
 
 _Last updated September 13, 2024_
 
-Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker Extensions were reported by [Cure53](https://cure53.de/) and were fixed on September 12 in the [4.34.2](https://docs.docker.com/desktop/release-notes/#4342) release.
+Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker Extensions were reported by [Cure53](https://cure53.de/) and were fixed on September 12 in the [4.34.2](/manuals/desktop/release-notes.md#4342) release.
 
 - [CVE-2024-8695](https://www.cve.org/cverecord?id=CVE-2024-8695): A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. [Critical]
 - [CVE-2024-8696](https://www.cve.org/cverecord?id=CVE-2024-8696): A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. [High]
 
 No existing extensions exploiting the vulnerabilities were found in the Extensions Marketplace. The Docker team will be closely monitoring and diligently reviewing any requests for publishing new extensions.
 
-We strongly encourage you to update to Docker Desktop [4.34.2](https://docs.docker.com/desktop/release-notes/#4342). If you are unable to update promptly, you can [disable Docker Extensions](https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions) as a workaround.
+We strongly encourage you to update to Docker Desktop [4.34.2](/manuals/desktop/release-notes.md#4342). If you are unable to update promptly, you can [disable Docker Extensions](/manuals/extensions/settings-feedback.md#turn-on-or-turn-off-extensions) as a workaround.
 
 ## Deprecation of password logins on CLI when SSO enforced
 
@@ -87,7 +95,7 @@ If you are unable to update to an unaffected version promptly, follow these best
   * [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images.
   * [Image Access Management](for-admins/hardened-desktop/image-access-management.md), and [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md), which give organizations control over which images and repositories their users can access.
 * For CVE-2024-23650, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, avoid using BuildKit frontend from an untrusted source. A frontend image is usually specified as the #syntax line on your Dockerfile, or with `--frontend` flag when using the `buildctl build` command.
-* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/engine/api/v1.44/#tag/Image/operation/ImageBuild).
+* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/reference/api/engine/version/v1.44/#tag/Image/operation/ImageBuild).
 
 ### Technical details and impact