containerd image store: Add --platform flag to docker image push and improve the default behavior when not all platforms of the multi-platform image are available locally. docker/cli#4984, moby/moby#47679
Add support to docker stack deploy for driver_opts in a service's networks. docker/cli#5125
Consider additional /usr/local/libexec and /usr/libexec paths when looking up the userland proxy binaries by a name with a docker- prefix. moby/moby#47804
Bug fixes and enhancements
*client.Client instances are now always safe for concurrent use by multiple goroutines. Previously, this could lead to data races when the WithAPIVersionNegotiation() option is used. moby/moby#47961
Fix a bug causing the Docker CLI to leak Unix sockets in $TMPDIR in some cases. docker/cli#5146
Don't ignore a custom seccomp profile when used in conjunction with --privileged. moby/moby#47500
rootless: overlay2: support native overlay diff when using rootless-mode with Linux kernel version 5.11 and later. moby/moby#47605
Fix the StartInterval default value of healthcheck to reflect the documented value of 5s. moby/moby#47799
Fix docker save and docker load not ending on the daemon side when the operation was cancelled by the user, for example with Ctrl+C. moby/moby#47629
The StartedAt property of containers is now recorded before container startup, guaranteeing that the StartedAt is always before FinishedAt. moby/moby#47003
The internal DNS resolver used by Windows containers on Windows now forwards requests to external DNS servers by default. This enables nslookup to resolve external hostnames. This behaviour can be disabled via daemon.json, using "features": { "windows-dns-proxy": false }. The configuration option will be removed in a future release. moby/moby#47826
Print a warning when the CLI does not have permissions to read the configuration file. docker/cli#5077
Fix a goroutine and file-descriptor leak on container attach. moby/moby#45052
Clear the networking state of all stopped or dead containers during daemon start-up. moby/moby#47984
Write volume options JSON atomically to avoid "invalid JSON" errors after system crash. moby/moby#48034
Allow multiple macvlan networks with the same parent. moby/moby#47318
Allow BuildKit to be used on Windows daemons that advertise it. docker/cli#5178
Networking
Allow sysctls to be set per-interface during container creation and network connection. moby/moby#47686
In a future release, this will be the only way to set per-interface sysctl options.
For example, on the command line in a docker run command,--network mynet --sysctl net.ipv4.conf.eth0.log_martians=1 will be rejected.
Instead, you must use --network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1.
IPv6
ip6tables is no longer experimental. You may remove the experimental configuration option and continue to use IPv6, if it is not required by any other features.
ip6tables is now enabled for Linux bridge networks by default. moby/moby#47747
This makes IPv4 and IPv6 behaviors consistent with each other, and reduces the risk that IPv6-enabled containers are inadvertently exposed to the network.
There is no impact if you are running Docker Engine with ip6tables enabled (new default).
If you are using an IPv6-enabled bridge network without ip6tables, this is likely a breaking change. Only published container ports (-p or --publish) are accessible from outside the Docker bridge network, and outgoing connections masquerade as the host.
To restore the behavior of earlier releases, no ip6tables at all, set "ip6tables": false in daemon.json, or use the CLI option --ip6tables=false. Alternatively, leave ip6tables enabled, publish ports, and enable direct routing.
With ip6tables enabled, if ip6tables is not functional on your host, Docker Engine will start but it will not be possible to create an IPv6-enabled network.
... (truncated)
Commits
ff1e2c0 Merge pull request #48050 from thaJeztah/deprecate_graphdriver_plugins
6da604a deprecate experimental Graphdriver plugins, and disable by default
81b2027 Merge pull request #48049 from thaJeztah/fix_swagger_tmpfsopts
97f6a9d Merge pull request #48045 from thaJeztah/bump_ttrpc_1.2.5
3aace75 Merge pull request #48046 from thaJeztah/daemon_no_logrus
ce5571f api: swagger: fix definition of TmpFsOptions (API v1.46)
a9ab046 cmd/dockerd: initMiddlewares: use containerd/logs
418eed6 Merge pull request #47804 from cpuguy83/more_paths_docker_proxy
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/docker/docker from 26.1.4+incompatible to 27.0.1+incompatible.
Release notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
ff1e2c0Merge pull request #48050 from thaJeztah/deprecate_graphdriver_plugins6da604adeprecate experimental Graphdriver plugins, and disable by default81b2027Merge pull request #48049 from thaJeztah/fix_swagger_tmpfsopts97f6a9dMerge pull request #48045 from thaJeztah/bump_ttrpc_1.2.53aace75Merge pull request #48046 from thaJeztah/daemon_no_logrusce5571fapi: swagger: fix definition of TmpFsOptions (API v1.46)a9ab046cmd/dockerd: initMiddlewares: use containerd/logs418eed6Merge pull request #47804 from cpuguy83/more_paths_docker_proxye355e10vendor: github.com/containerd/ttrpc v1.2.5f8c088bLookup docker-proxy in libexec pathsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show