Update dependency docker/docker to v27 #85

Open
@renovate renovate bot commented Jul 1, 2024

This PR contains the following updates:

Package Update Change
docker/docker major 25.0.2 -> 27.3.1

Release Notes

docker/docker (docker/docker)

v27.3.1

Compare Source

27.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • CLI: Fix issue with command execution metrics not being exported due to the CLI MeterProvider being shutdown too early. docker/cli#5457
Packaging updates

v27.3.0

Compare Source

27.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • containerd image store: Fix docker image prune -a untagging images used by containers started from images referenced by a digested reference. moby/moby#48488
  • Add a --feature flag to the daemon options. moby/moby#48487
  • Updated the handling of the --gpus=0 flag to be consistent with the NVIDIA Container Runtime. moby/moby#48483
  • Support WSL2 mirrored-mode networking's use of interface loopback0 for packets from the Windows host. moby/moby#48514
  • Fix an issue that prevented communication between containers on an IPv4 bridge network when running with --iptables=false, --ip6tables=true (the default), a firewall with a DROP rule for forwarded packets on hosts where the br_netfilter kernel module was not normally loaded. moby/moby#48511
  • CLI: Fix issue where docker volume update command would cause the CLI to panic if no argument/volume was passed. docker/cli#5426
  • CLI: Properly report metrics when run in WSL environment on Windows. docker/cli#5432
Packaging updates

v27.2.1

Compare Source

27.2.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • containerd image store: Fix non-container images being hidden in the docker image ls output. moby/moby#48402
  • containerd image store: Improve docker pull error message when the image platform doesn't match. moby/moby#48415
  • CLI: Fix issue causing docker login to not remove repository names from passed in registry addresses, resulting in credentials being stored under the wrong key. docker/cli#5385
  • CLI: Fix issue that will sometimes cause the browser-login flow to fail if the CLI process is suspended and then resumed while waiting for the user to authenticate. docker/cli#5376
  • CLI: docker login now returns an error instead of hanging if called non-interactively with --password or --password-stdin but without --user. docker/cli#5402
Packaging updates

v27.2.0

Compare Source

27.2.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
  • CLI: Add support for device-code flow login when authenticating to the official registry. docker/cli#5349
  • containerd image store: docker image ls now supports --tree flag that shows a multiplatform-aware image list. This is experimental and may change at any time without any backwards compatibility. docker/cli#5353
API
  • GET /images/json response now includes Manifests field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations.
    The new field will only be populated if the request also sets the manifests query parameter to true.

[!WARNING]

This is experimental and may change at any time without any backward compatibility.

Bug fixes and enhancements
  • CLI: Fix issue with remote contexts over SSH where the CLI would allocate a pseudoterminal when connecting to the remote host, which causes issues in rare situations. docker/cli#5351
  • Fix an issue that prevented network creation with a --ip-range ending on a 64-bit boundary. moby/moby#48326
  • CLI: IPv6 addresses shown by docker ps in port bindings are now bracketed. docker/cli#5365
  • containerd image store: Fix early error exit from docker load in cases where unpacking the image would fail. moby/moby#48376
  • containerd image store: Fix the previous image not being persisted as dangling after docker pull. moby/moby#48380
Packaging updates

v27.1.2

Compare Source

27.1.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix a regression that could result in a ResourceExhausted desc = grpc: received message larger than max error when building from a large Dockerfile. moby/moby#48245
  • CLI: Fix docker attach printing a spurious context cancelled error message. docker/cli#5296
  • CLI: Fix docker attach exiting on SIGINT instead of forwarding the signal to the container and waiting for it to exit. docker/cli#5302
  • CLI: Fix --device-read-bps and --device-write-bps options not taking effect. docker/cli#5339
  • CLI: Fix a panic happening in some cases while running a plugin. docker/cli#5337
Packaging updates

v27.1.1

Compare Source

27.1.1

Security

This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq
that impacted setups using authorization plugins (AuthZ)
for access control. No other changes are included in this release, and this
release is otherwise identical for users not using AuthZ plugins.

Packaging updates

Full Changelog: moby/moby@v27.1.0...v27.1.1

v27.1.0

Compare Source

27.1.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • rootless: add Requires=dbus.socket to prevent errors when starting the daemon on a cgroup v2 host with systemd moby/moby#48141
  • containerd integration: image tag event is now properly emitted when building images with BuildKit moby/moby#48182
  • CLI: enable shell completion for docker image rm, docker image history, and docker image inspect moby/moby#5261
  • CLI: add and improve shell completions for various flags moby/moby#5261
  • CLI: add OOMScoreAdj to docker service create and docker stack docker/cli#5274
  • CLI: add support for DOCKER_CUSTOM_HEADERS environment variable (experimental) docker/cli#5271
  • CLI: containerd-integration: Fix docker push defaulting the --platform flag to a value of DOCKER_DEFAULT_PLATFORM environment variable on unsupported API versions docker/cli#5248
  • CLI: fix: context cancellation on login prompt docker/cli#5260
  • CLI: fix: wait for the container to exit before closing the stream when sending a termination request to the CLI while attached to a container docker/cli#5250
Deprecated
  • The pkg/rootless/specconv package is deprecated, and will be removed in the next release moby/moby#48185
  • The pkg/containerfs package is deprecated, and will be removed in the next release moby/moby#48185
  • The pkg/directory package is deprecated, and will be removed in the next release moby/moby#48185
  • api/types/system: remove deprecated Info.ExecutionDriver moby/moby#48184
Packaging updates

Full Changelog: moby/moby@v27.0.3...v27.1.0

v27.0.3

Compare Source

27.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix a regression that incorrectly reported a port mapping from a host IPv6 address to an IPv4-only container as an error. moby/moby#48090
  • Fix a regression that caused duplicate subnet allocations when creating networks. moby/moby#48089
  • Fix a regression resulting in "fail to register layer: failed to Lchown" errors when trying to pull an image with rootless enabled on a system that supports native overlay with user-namespaces. moby/moby#48086

v27.0.2

Compare Source

27.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
Removed
  • api/types: deprecate ContainerJSONBase.Node field and ContainerNode type. These definitions were used by the standalone ("classic") Swarm API, but never implemented in the Docker Engine itself. moby/moby#48055

v27.0.1

Compare Source

27.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
  • containerd image store: Add --platform flag to docker image push and improve the default behavior when not all platforms of the multi-platform image are available locally. docker/cli#4984, moby/moby#47679
  • Add support to docker stack deploy for driver_opts in a service's networks. docker/cli#5125
  • Consider additional /usr/local/libexec and /usr/libexec paths when looking up the userland proxy binaries by a name with a docker- prefix. moby/moby#47804
Bug fixes and enhancements
  • *client.Client instances are now always safe for concurrent use by multiple goroutines. Previously, this could lead to data races when the WithAPIVersionNegotiation() option is used. moby/moby#47961
  • Fix a bug causing the Docker CLI to leak Unix sockets in $TMPDIR in some cases. docker/cli#5146
  • Don't ignore a custom seccomp profile when used in conjunction with --privileged. moby/moby#47500
  • rootless: overlay2: support native overlay diff when using rootless-mode with Linux kernel version 5.11 and later. moby/moby#47605
  • Fix the StartInterval default value of healthcheck to reflect the documented value of 5s. moby/moby#47799
  • Fix docker save and docker load not ending on the daemon side when the operation was cancelled by the user, for example with Ctrl+C. moby/moby#47629
  • The StartedAt property of containers is now recorded before container startup, guaranteeing that the StartedAt is always before FinishedAt. moby/moby#47003
  • The internal DNS resolver used by Windows containers on Windows now forwards requests to external DNS servers by default. This enables nslookup to resolve external hostnames. This behaviour can be disabled via daemon.json, using "features": { "windows-dns-proxy": false }. The configuration option will be removed in a future release. moby/moby#47826
  • Print a warning when the CLI does not have permissions to read the configuration file. docker/cli#5077
  • Fix a goroutine and file-descriptor leak on container attach. moby/moby#45052
  • Clear the networking state of all stopped or dead containers during daemon start-up. moby/moby#47984
  • Write volume options JSON atomically to avoid "invalid JSON" errors after system crash. moby/moby#48034
  • Allow multiple macvlan networks with the same parent. moby/moby#47318
  • Allow BuildKit to be used on Windows daemons that advertise it. docker/cli#5178
Networking
  • Allow sysctls to be set per-interface during container creation and network connection. moby/moby#47686
    • In a future release, this will be the only way to set per-interface sysctl options.
      For example, on the command line in a docker run command, --network mynet --sysctl net.ipv4.conf.eth0.log_martians=1 will be rejected.
      Instead, you must use --network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1.
IPv6
  • ip6tables is no longer experimental. You may remove the experimental configuration option and continue to use IPv6, if it is not required by any other features.
  • ip6tables is now enabled for Linux bridge networks by default. moby/moby#47747
    • This makes IPv4 and IPv6 behaviors consistent with each other, and reduces the risk that IPv6-enabled containers are inadvertently exposed to the network.
    • There is no impact if you are running Docker Engine with ip6tables enabled (new default).
    • If you are using an IPv6-enabled bridge network without ip6tables, this is likely a breaking change. Only published container ports (-p or --publish) are accessible from outside the Docker bridge network, and outgoing connections masquerade as the host.
    • To restore the behavior of earlier releases, no ip6tables at all, set "ip6tables": false in daemon.json, or use the CLI option --ip6tables=false. Alternatively, leave ip6tables enabled, publish ports, and enable direct routing.
    • With ip6tables enabled, if ip6tables is not functional on your host, Docker Engine will start but it will not be possible to create an IPv6-enabled network.
IPv6 network configuration improvements
  • A Unique Local Address (ULA) base prefix is automatically added to default-address-pools if this parameter wasn't manually configured, or if it contains no IPv6 prefixes. moby/moby#47853
    • Prior to this release, to create an IPv6-enabled network it was necessary to use the --subnet option to specify an IPv6 subnet, or add IPv6 ranges to default-address-pools in daemon.json.
    • Starting in this release, when a bridge network is created with --ipv6 and no IPv6 subnet is defined by those options, an IPv6 Unique Local Address (ULA) base prefix is used.
    • The ULA prefix is derived from the Engine host ID such that it's unique across hosts and over time.
  • IPv6 address pools of any size can now be added to default-address-pools. moby/moby#47768
  • IPv6 can now be enabled by default on all custom bridge networks using "default-network-opts": { "bridge": {"com.docker.network.enable_ipv6": "true"}} in daemon.json, or dockerd --default-network-opt=bridge=com.docker.network.enable_ipv6=true on the command line. moby/moby#47867
  • Direct routing for IPv6 networks, with ip6tables enabled. moby/moby#47871
    • Added bridge driver option com.docker.network.bridge.gateway_mode_ipv6=<nat|routed>.
    • The default behavior, nat, is unchanged from previous releases running with ip6tables enabled. NAT and masquerading rules are set up for each published container port.
    • When set to routed, no NAT or masquerading rules are configured for published ports. This enables direct IPv6 access to the container, if the host's network can route packets for the container's address to the host. Published ports will be opened in the container's firewall.
    • When a port mapping only applies to routed mode, only addresses 0.0.0.0 or :: are allowed and a host port must not be given.
    • Note that published container ports, in nat or routed mode, are accessible from any remote address if routing is set up in the network, unless the Docker host's firewall has additional restrictions. For example: docker network create --ipv6 -o com.docker.network.bridge.gateway_mode_ipv6=routed mynet.
    • The option com.docker.network.bridge.gateway_mode_ipv4=<nat|routed> is also available, with the same behavior but for IPv4.
  • If firewalld is running on the host, Docker creates policy docker-forwarding to allow forwarding from any zone to the docker zone. This makes it possible to configure a bridge network with a routable IPv6 address, and no NAT or masquerading. moby/moby#47745
  • When a port is published with no host port specified, or a host port range is given, the same port will be allocated for IPv4 and IPv6. moby/moby#47871
    • For example -p 80 will result in the same ephemeral port being allocated for 0.0.0.0 and ::, and -p 8080-8083:80 will pick the same port from the range for both address families.
    • Similarly, ports published to specific addresses will be allocated the same port. For example, -p 127.0.0.1::80 -p '[::1]::80'.
    • If no port is available on all required addresses, container creation will fail.
  • Environment variable DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE, introduced in release 26.1.1, no longer has any effect. moby/moby#47963
    • If IPv6 could not be disabled on an interface because of a read-only /proc/sys/net, the environment variable allowed the container to start anyway.
    • In this release, if IPv4 cannot be disabled for an interface, IPv6 can be explicitly enabled for the network simply by using --ipv6 when creating it. Other workarounds are to configure the OS to disable IPv6 by default on new interfaces, mount /proc/sys/net read-write, or use a kernel with no IPv6 support.
  • For IPv6-enabled bridge networks, do not attempt to replace the bridge's kernel-assigned link local address with fe80::1. moby/moby#47787
Removed
  • Deprecate experimental GraphDriver plugins. moby/moby#48050, docker/cli#5172
  • pkg/archive: deprecate NewTempArchive and TempArchive. These types were only used in tests and will be removed in the next release. moby/moby#48002
  • pkg/archive: deprecate CanonicalTarNameForPath moby/moby#48001
  • Deprecate pkg/dmesg. This package was no longer used, and will be removed in the next release. moby/moby#47999
  • Deprecate pkg/stringid.ValidateID and pkg/stringid.IsShortID moby/moby#47995
  • runconfig: deprecate SetDefaultNetModeIfBlank and move ContainerConfigWrapper to api/types/container moby/moby#48007
  • runconfig: deprecate DefaultDaemonNetworkMode and move to daemon/network moby/moby#48008
  • runconfig: deprecate opts.ConvertKVStringsToMap. This utility is no longer used, and will be removed in the next release. moby/moby#48016
  • runconfig: deprecate IsPreDefinedNetwork. moby/moby#48011
API
  • containerd image store: POST /images/{name}/push now supports a platform parameter (JSON encoded OCI Platform type) that allows selecting a specific platform-manifest from the multi-platform image. This is experimental and may change in future API versions. moby/moby#47679
  • POST /services/create and POST /services/{id}/update now support OomScoreAdj. moby/moby#47950
  • ContainerList api returns container annotations. moby/moby#47866
  • POST /containers/create and POST /services/create now take Options as part of HostConfig.Mounts.TmpfsOptions allowing to set options for tmpfs mounts. moby/moby#46809
  • The Healthcheck.StartInterval property is now correctly ignored when updating a Swarm service using API versions less than v1.44. moby/moby#47991
  • GET /events now supports image create event that is emitted when a new image is built regardless if it was tagged or not. moby/moby#47929
  • GET /info now includes a Containerd field containing information about the location of the containerd API socket and containerd namespaces used by the daemon to run containers and plugins. moby/moby#47239
  • Deprecate non-standard (config) fields in image inspect output. The Config field returned by this endpoint (used for docker image inspect) returned additional fields that are not part of the image's configuration and not part of the Docker Image Spec and the OCI Image Spec. These fields are never set (and always return the default value for the type), but are not omitted in the response when left empty. As these fields were not intended to be part of the image configuration response, they are deprecated, and will be removed in the future API versions.
  • Deprecate the daemon flag --api-cors-header and the corresponding daemon.json configuration option. These will be removed in the next major release. moby/moby#45313

The following deprecated fields are currently included in the API response, but are not part of the underlying image's Config: moby/moby#47941

  • Hostname
  • Domainname
  • AttachStdin
  • AttachStdout
  • AttachStderr
  • Tty
  • OpenStdin
  • StdinOnce
  • Image
  • NetworkDisabled (already omitted unless set)
  • MacAddress (already omitted unless set)
  • StopTimeout (already omitted unless set)
Go SDK changes
  • Client API callback for the following functions now require a context parameter. moby/moby#47536

    • client.RequestPrivilegeFunc
    • client.ImageSearchOptions.AcceptPermissionsFunc
    • image.ImportOptions.PrivilegeFunc
  • Remove deprecated aliases for Image types. moby/moby#47900

    • ImageImportOptions
    • ImageCreateOptions
    • ImagePullOptions
    • ImagePushOptions
    • ImageListOptions
    • ImageRemoveOptions
  • Introduce Ulimit type alias for github.com/docker/go-units.Ulimit.
    The Ulimit type as used in the API is defined in a Go module that will transition to a new location in future.
    A type alias is added to reduce the friction that comes with moving the type to a new location.
    The alias makes sure that existing code continues to work, but its definition may change in future.
    Users are recommended to use this alias instead of the units.Ulimit directly. moby/moby#48023

  • Move and rename types, changing their import paths and exported names. moby/moby#47936, moby/moby#47873, moby/moby#47887, moby/moby#47882, moby/moby#47921, moby/moby#48040:

    • Move the following types to api/types/container:
      • BlkioStatEntry
      • BlkioStats
      • CPUStats
      • CPUUsage
      • ContainerExecInspect
      • ContainerPathStat
      • ContainerStats
      • ContainersPruneReport
      • CopyToContainerOptions
      • ExecConfig
      • ExecStartCheck
      • MemoryStats
      • NetworkStats
      • PidsStats
      • StatsJSON
      • Stats
      • StorageStats
      • ThrottlingData
    • Move the following types to api/types/image:
      • ImagesPruneReport
      • ImageImportSource
      • ImageLoadResponse
    • Move the ExecStartOptions type to api/types/backend.
    • Move the VolumesPruneReport type to api/types/volume.
    • Move the EventsOptions type to api/types/events.
    • Move the ImageSearchOptions type to api/types/registry.
    • Drop Network prefix and move the following types to api/types/network:
      • NetworkCreateResponse
      • NetworkConnect
      • NetworkDisconnect
      • NetworkInspectOptions
      • EndpointResource
      • NetworkListOptions
      • NetworkCreateOptions
      • NetworkCreateRequest
      • NetworksPruneReport
    • Move NetworkResource to api/types/network.
Packaging updates

v26.1.5

Compare Source

26.1.5

Security

This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq
that impacted setups using authorization plugins (AuthZ)
for access control. No other changes are included in this release, and this
release is otherwise identical for users not using AuthZ plugins.

Full Changelog: moby/moby@v26.1.4...v26.1.5

v26.1.4

Compare Source

26.1.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release updates the Go runtime to 1.21.11 which contains security fixes for:

Bug fixes and enhancements
  • Fixed an issue where promoting a node immediately after another node was demoted could cause the promotion to fail. moby/moby#47870
  • Prevent the daemon log from being spammed with superfluous response.WriteHeader call ... messages. moby/moby#47843
  • Don't show empty hints when plugins return an empty hook message. docker/cli#5083
  • Added ContextType: "moby" to the context list/inspect output to address a compatibility issue with Visual Studio Container Tools. docker/cli#5095
  • Fix a compatibility issue with Visual Studio Container Tools. docker/cli#5095
Packaging updates

v26.1.3

Compare Source

26.1.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix a regression that prevented the use of DNS servers within a --internal network. moby/moby#47832
  • When the internal DNS server's own address is supplied as an external server address, ignore it to avoid unproductive recursion. moby/moby#47833
Packaging updates
  • Allow runc to kill containers when confined to the runc profile in AppArmor version 4.0.0 and later. moby/moby#47829

v26.1.2

Compare Source

26.1.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix issue where the CLI process would sometimes hang when a container failed to start. docker/cli#5062
Packaging updates

v26.1.1

Compare Source

26.1.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix docker run -d printing a spurious context canceled error when OTEL is configured. docker/cli#5044
  • Experimental environment variable DOCKER_BRIDGE_PRESERVE_KERNEL_LL=1 will prevent the daemon from removing the kernel-assigned link local address on a Linux bridge. moby/moby#47775
  • Resolve an issue preventing container creation on hosts with a read-only /proc/sys/net filesystem. If IPv6 cannot be disabled on an interface due to this, either disable IPv6 by default on the host or ensure /proc/sys/net is read-write. Otherwise, start dockerd with DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1 to bypass the error. moby/moby#47769

[!NOTE]
The DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE is added as a temporary fix and will be phased out in a future major release after simplifying the IPv6 enablement process.

Packaging updates

v26.1.0

Compare Source

26.1.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
Bug fixes and enhancements
  • Native Windows containers are configured with an internal DNS server for container name resolution, and external DNS servers for other lookups. Not all resolvers, including nslookup, fall back to the external resolvers when they get a SERVFAIL answer from the internal server. So, the internal DNS server can now be configured to forward requests to the external resolvers, by setting "features": {"windows-dns-proxy": true } in the daemon.json file. moby/moby#47584

[!NOTE]
This will be the new default behavior in Docker Engine 27.0.

[!WARNING]
The windows-dns-proxy feature flag will be removed in a future release.

  • Swarm: Fix Subpath not being passed to the container config. moby/moby#47711
  • Classic builder: Fix cache miss on WORKDIR <directory>/ build step (directory with a trailing slash). moby/moby#47723
  • containerd image store: Fix docker images failing when any image in the store has unexpected target. moby/moby#47738

v26.0.2

Compare Source

26.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains a security fix for CVE-2024-32473, an unexpected configuration of IPv6 on IPv4-only interfaces.

Bug fixes and enhancements

v26.0.1

Compare Source

26.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix a regression that meant network interface specific --sysctl options prevented container startup. moby/moby#47646
  • Remove erroneous platform from image config OCI descriptor in docker save output. moby/moby#47694
  • containerd image store: OCI archives produced by docker save will now have a non-empty mediaType field in index.json moby/moby#47701
  • Fix a regression that prevented the internal resolver from forwarding requests from IPvlan L3 networks to external resolvers. moby/moby#47705
  • Prevent the use of external resolvers in IPvlan and Macvlan networks created with no parent interface specified. moby/moby#47705
Packaging updates

v26.0.0

Compare Source

26.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

New
  • Add Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
  • Add volume-subpath support to the mount flag (--mount type=volume,...,volume-subpath=<subpath>). docker/cli#4331
  • Accept = separators and [ipv6] in compose files for docker stack deploy. docker/cli#4860
  • rootless: Add support for enabling host loopback by setting the DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK environment variable to false (defaults to true). This lets containers connect to the host by using IP address 10.0.2.2. moby/moby#47352
  • containerd image store: docker image ls no longer creates duplicate entries for multi-platform images. moby/moby#45967
  • containerd image store: Send Prometheus metrics. moby/moby#47555
Bug fixes and enhancements
  • CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
  • Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233

[!WARNING]

Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses, they must be re-created.
Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.

  • Always attempt to enable IPv6 on a container's loopback interface, and only include IPv6 in /etc/hosts if successful. moby/moby#47062

[!NOTE]

By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network.
For example, containers that are only connected to an IPv4-only network now have the ::1 address on their loopback interface.

To disable IPv6 in a container,
use option --sysctl net.ipv6.conf.all.disable_ipv6=1 in the create or run command,
or the equivalent sysctls option in the service configuration section of a Compose file.

If IPv6 is not available in a container because it has been explicitly disabled for the container,
or the host's networking stack does not have IPv6 enabled (or for any other reason)
the container's /etc/hosts file will not include IPv6 entries.

  • Fix ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
  • Fix docker container start failing when used with --checkpoint. moby/moby#47456
  • Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
  • Do not enforce new validation rules for existing swarm networks. moby/moby#47361
  • Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
  • Print hint when invoking docker image ls with ambiguous argument. docker/cli#4849
  • Cleanup @docker_cli_[UUID] files on OpenBSD. docker/cli#4862
  • Add explicit deprecation notice message when using remote TCP connections without TLS. docker/cli#4928, moby/moby#47556
  • Use IPv6 nameservers from the host's resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
  • containerd image store: Isolate images with different containerd namespaces when --userns-remap option is used. moby/moby#46786
  • containerd image store: Fix image pull not emitting Pulling fs layer status. moby/moby#47432
API
  • To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
  • GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
  • Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
  • The is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no resu

Configuration

📅 Schedule: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
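
A pre-merge check a reviewer could run against the host's daemon.json, covering the settings the 27.x notes above change (added example, not part of the Renovate comment or of Docker's code). The sample configuration and the plugin name `example-authz` are constructed, and the `authorization-plugins` key is an assumption taken from the daemon configuration file format rather than from this page.

```python
import json
import re

# Constructed sample daemon.json for illustration; not taken from the PR.
SAMPLE_DAEMON_JSON = """
{
  "experimental": true,
  "ip6tables": false,
  "api-cors-header": "*",
  "authorization-plugins": ["example-authz"],
  "features": {"windows-dns-proxy": false}
}
"""


def parse_version(text):
    """Parse 'v27.1.1' or '27.1.1' into a comparable tuple (27, 1, 1)."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised engine version: {text!r}")
    return tuple(int(part) for part in match.groups())


def authz_fix_status(engine_version):
    """True/False where the quoted notes name a fixed release, else None."""
    version = parse_version(engine_version)
    if version[0] == 27:
        return version >= (27, 1, 1)
    if version[:2] == (26, 1):
        return version >= (26, 1, 5)
    return None  # release line not covered by the notes quoted in this PR


def audit_daemon_config(config, engine_version):
    """Return (key, finding) pairs for settings the 27.x notes change."""
    findings = []
    if "api-cors-header" in config:
        findings.append(("api-cors-header",
                         "deprecated in 27.0, removed in the next major release"))
    ip6tables = config.get("ip6tables")
    if ip6tables is False:
        findings.append(("ip6tables",
                         "explicitly disabled: IPv6 bridge networks keep the "
                         "pre-27.0 behaviour, without ip6tables rules"))
    elif ip6tables is None:
        findings.append(("ip6tables",
                         "unset: enabled by default from 27.0; only published "
                         "ports stay reachable on IPv6 bridge networks"))
    elif config.get("experimental"):
        findings.append(("experimental",
                         "no longer needed for ip6tables; drop it unless "
                         "another feature requires it"))
    if "windows-dns-proxy" in config.get("features", {}):
        findings.append(("features.windows-dns-proxy",
                         "forwarding is the default in 27.0 and this option "
                         "will be removed in a future release"))
    if config.get("authorization-plugins"):
        status = authz_fix_status(engine_version)
        if status is not True:
            detail = "lacks" if status is False else "is not confirmed to have"
            findings.append(("authorization-plugins",
                             f"engine {engine_version} {detail} the "
                             "CVE-2024-41110 fix named in these notes"))
    return findings


if __name__ == "__main__":
    sample = json.loads(SAMPLE_DAEMON_JSON)
    for key, finding in audit_daemon_config(sample, "27.3.1"):
        print(f"{key}: {finding}")
```
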

@renovate renovate bot requested a review from a team as a code owner July 1, 2024 16:20
@renovate renovate bot added the renovate label Jul 1, 2024
@renovate renovate bot enabled auto-merge (squash) July 1, 2024 16:20
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 2 times, most recently from cab54bf to d594c00 Compare July 2, 2024 00:05
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 3 times, most recently from a827e2d to c0da7cf Compare July 15, 2024 15:58
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 6 times, most recently from e761b8c to 86b8044 Compare July 29, 2024 09:16
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 4 times, most recently from eed4cd2 to dfe624d Compare July 30, 2024 01:50
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 5 times, most recently from 3f57dcf to d333984 Compare August 19, 2024 20:09
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 5 times, most recently from b3fe44a to 6cdb6b3 Compare September 2, 2024 21:10
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch from 6cdb6b3 to b227e9a Compare September 9, 2024 11:37
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 3 times, most recently from 4d247b9 to c33b5fe Compare September 9, 2024 23:02
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch 3 times, most recently from f1bad69 to 3440407 Compare September 23, 2024 13:40
@renovate renovate bot force-pushed the renovate/major-27-ubuntu-23.04-dind-image branch from 3440407 to c5faf6c Compare September 23, 2024 19:56