@renovate renovate bot commented Jul 11, 2025

This PR contains the following updates:

Package        Update   Change
docker/docker  major    27.5.1 -> 28.3.2

Release Notes

docker/docker (docker/docker)

v28.3.2: 28.3.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix --use-api-socket not working correctly when targeting a remote daemon. docker/cli#6157
  • Fix stray "otel error" logs being printed if debug logging is enabled. docker/cli#6160
  • Quote SSH arguments when connecting to a remote daemon over an SSH connection to avoid unexpected expansion. docker/cli#6147
  • Warn when DOCKER_AUTH_CONFIG is set during docker login and docker logout. docker/cli#6163
Packaging updates

v28.3.1: 28.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Packaging updates

v28.3.0: 28.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
Bug fixes and enhancements
  • Ensure that the state of the container in the daemon database (used by /containers/json API) is up to date when the container is stopped using the /containers/{id}/stop API (before response of API). moby/moby#50136
  • Fix docker image inspect omitting empty fields. moby/moby#50135
  • Fix docker images --tree not marking images as in-use when the containerd image store is disabled. docker/cli#6140
  • Fix docker pull/push hanging in non-interactive mode when authentication is required, caused by prompting for login credentials. docker/cli#6141
  • Fix a potential resource leak when a node leaves a Swarm. moby/moby#50115
  • Fix a regression where a login prompt on docker pull would show Docker Hub-specific hints when logging in on other registries. docker/cli#6135
  • Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50211
  • Remove an undocumented, hidden, top-level docker remove command that was accidentally introduced in Docker 23.0. docker/cli#6144
  • Validate registry-mirrors configuration as part of dockerd --validate and improve error messages for invalid mirrors. moby/moby#50240
  • dockerd-rootless-setuptool.sh: Fix the script from silently returning with no error message when subuid/subgid system requirements are not satisfied. moby/moby#50059
  • containerd image store: Fix docker push not creating a tag on the remote repository. moby/moby#50199
  • containerd image store: Improve handling of errors returned by the token server during docker pull/push. moby/moby#50176
Packaging updates
Networking
API
  • Update API version to 1.51. moby/moby#50145
  • GET /images/json now sets the value of the Containers field for all images to the count of containers using the image. moby/moby#50146
Deprecations
  • Empty/nil image config fields in the GET /images/{name}/json response are now deprecated and will be removed in v29.0. docker/cli#6129
  • api/types/container: deprecate ExecOptions.Detach. This field is not used, and will be removed in a future release. moby/moby#50219
  • pkg/idtools: deprecate IdentityMapping and Identity.Chown. moby/moby#50210

v28.2.2: 28.2.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • containerd image store: Fix a regression causing docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105
Networking
  • When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but the RETURN rule will not be recreated after a reboot. moby/moby#50098

v28.2.1: 28.2.1

Packaging updates

v28.2.0: 28.2.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Note: RHEL packages are currently not available and will be released later.

New
  • Add {{.Platform}} as formatting option for docker ps to show the platform of the image the container is running. docker/cli#6042
  • Add support for relative parent paths (../) on bind mount sources when using docker run/create with -v/--volume or --mount type=bind options. docker/cli#4966
  • CDI is now enabled by default. moby/moby#49963
  • Show discovered CDI devices in docker info. docker/cli#6078
  • docker image rm: add --platform option to remove a variant from multi-platform images. docker/cli#6109
  • containerd image store: Initial BuildKit support for building Windows container images on Windows (requires an opt-in with DOCKER_BUILDKIT=1). moby/moby#49740
Bug fixes and enhancements
  • Add a new log option for fluentd log driver (fluentd-write-timeout), which enables specifying write timeouts for fluentd connections. moby/moby#49911
  • Add support for DOCKER_AUTH_CONFIG for the experimental --use-api-socket option. docker/cli#6019
  • Fix docker exec waiting for 10 seconds if a non-existing user or group was specified. moby/moby#49868
  • Fix docker swarm init ignoring cacert option of --external-ca. docker/cli#5995
  • Fix an issue where the CLI would not correctly save the configuration file (~/.docker/config.json) if it was a relative symbolic link. docker/cli#5282
  • Fix containers with --restart always policy using CDI devices failing to start on daemon restart. moby/moby#49990
  • Fix shell-completion to only complete some flags once, even though they can be set multiple times. docker/cli#6030
  • Fix the plugin does not implement PluginAddr interface error for Swarm CSI drivers. moby/moby#49961
  • Improve docker login error messages for invalid options. docker/cli#6036
  • Make sure the terminal state is restored if the CLI is forcefully terminated. docker/cli#6058
  • Update the default seccomp profile to match libseccomp v2.6.0. The new syscalls are: listmount, statmount, lsm_get_self_attr, lsm_list_modules, lsm_set_self_attr, mseal, uretprobe, riscv_hwprobe, getxattrat, listxattrat, removexattrat, and setxattrat. This prevents containers from receiving EPERM errors when using them. moby/moby#50077
  • docker inspect: add shell completion, improve flag-description for --type and improve validation. docker/cli#6052
  • containerd image store: Enable BuildKit garbage collector by default. moby/moby#49899
  • containerd image store: Fix docker build not persisting overridden images as dangling. moby/moby#49702
  • containerd image store: Fix docker system df reporting a negative reclaimable space amount. moby/moby#49707
  • containerd image store: Fix duplicate PUT requests when pushing a multi-platform image. moby/moby#49949
Packaging updates
Networking
  • Add bridge network option "com.docker.network.bridge.trusted_host_interfaces", accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. moby/moby#49832
  • Add daemon option "allow-direct-routing" to disable filtering of packets from outside the host addressed directly to containers. moby/moby#49832
  • Do not display network options com.docker.network.enable_ipv4 or com.docker.network.enable_ipv6 in inspect output if they have been overridden by EnableIPv4 or EnableIPv6 in the network create request. moby/moby#49866
  • Fix an issue that could cause network deletion to fail after a daemon restart, with error "has active endpoints" listing empty endpoint names. moby/moby#49901
  • Fix an issue where docker network inspect --verbose could sometimes crash the daemon. moby/moby#49937
  • Fix an issue where the load-balancer IP address for an overlay network would not be released in certain cases if the Swarm was lacking an ingress network. moby/moby#49948
  • Improve the reliability of NetworkDB in busy clusters and lossy networks. moby/moby#49932
  • Improvements to the reliability and convergence speed of NetworkDB. moby/moby#49939
API
  • Update API version to 1.50.
  • DELETE /images/{name} now supports a platforms query parameter. It accepts an array of JSON-encoded OCI Platform objects, allowing specific platforms to be selected for content deletion. moby/moby#49982
  • GET /info now includes a DiscoveredDevices field. This is an array of DeviceInfo objects, each providing details about a device discovered by a device driver. moby/moby#49980
Go SDK
  • api/types/container: add ContainerState and constants for container state. moby/moby#49965
  • api/types/container: change Summary.State to a ContainerState. moby/moby#49991
  • api/types/container: define HealthStatus type for health-status constants. moby/moby#49876
  • api/types: deprecate BuildResult, ImageBuildOptions, ImageBuildOutput, ImageBuildResponse, BuilderVersion, BuilderV1, and BuilderBuildKi which were moved to api/types/build. moby/moby#50025
Deprecations
  • API: Deprecated: GET /images/{name}/json no longer returns the following fields: Config, Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr, Tty, OpenStdin, StdinOnce, Image, NetworkDisabled (already omitted unless set), MacAddress (already omitted unless set), StopTimeout (already omitted unless set). These additional fields were included in the response due to an implementation detail but are not part of the image's configuration; they were marked deprecated in API v1.46 and are now omitted. moby/moby#48457
  • Go-SDK: Deprecate builder/remotecontext.Rel(). This function was needed on older versions of Go, but can now be replaced by filepath.Rel(). moby/moby#49843
  • Go-SDK: api/types: deprecate BuildCachePruneOptions in favor of api/types/builder.CachePruneOptions. moby/moby#50015
  • Go-SDK: api/types: deprecate BuildCachePruneReport in favor of api/types/builder.CachePruneReport. moby/moby#50015
  • Go-SDK: api/types: deprecate NodeListOptions, NodeRemoveOptions, ServiceCreateOptions, ServiceUpdateOptions, RegistryAuthFromSpec, RegistryAuthFromPreviousSpec, ServiceListOptions, ServiceInspectOptions, and SwarmUnlockKeyResponse which were moved to api/types/swarm. moby/moby#50027
  • Go-SDK: api/types: deprecate SecretCreateResponse, SecretListOptions, ConfigCreateResponse, ConfigListOptions which were moved to api/types/swarm. moby/moby#50024
  • Go-SDK: client: deprecate IsErrNotFound. moby/moby#50012
  • Go-SDK: container: deprecate IsValidHealthString in favor of api/types/container.ValidateHealthStatus. moby/moby#49893
  • Go-SDK: container: deprecate StateStatus, WaitCondition, and the related WaitConditionNotRunning, WaitConditionNextExit, and WaitConditionRemoved consts in favor of their equivalents in api/types/container. moby/moby#49874
  • Go-SDK: opts: deprecate ListOpts.GetAll in favor of ListOpts.GetSlice. docker/cli#6032
  • Remove deprecated IsAutomated formatting placeholder from docker search. docker/cli#6091
  • Remove fallback for pulling images from non-OCI-compliant docker.pkg.github.com registry. moby/moby#50094
  • Remove support for pulling legacy v2, schema 1 images and remove DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE environment-variable. moby/moby#50036, moby/moby#42300
  • The BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response were deprecated in API v1.48, and are now omitted in API v1.50. moby/moby#49904
  • errdefs: Deprecate errdefs.FromStatusCode. Use containerd's errhttp.ToNative instead. moby/moby#50030

v28.1.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix dockerd-rootless-setuptool.sh incorrectly reporting missing iptables. moby/moby#49833
  • containerd image store: Fix a potential daemon crash when using docker load with archives containing zero-size tar headers. moby/moby#49837
Packaging updates
Networking
  • Add a warning to a container's /etc/resolv.conf when no upstream DNS servers were found. moby/moby#49827

v28.1.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
  • Add docker bake sub-command as alias for docker buildx bake. docker/cli#5947
  • Experimental: add a new --use-api-socket flag on docker run and docker create to enable access to Docker socket from inside a container and to share credentials from the host with the container. docker/cli#5858
  • docker image inspect now supports a --platform flag to inspect a specific platform of a multi-platform image. docker/cli#5934
Bug fixes and enhancements
  • Add CLI shell-completion for context names. docker/cli#6016
  • Fix docker images --tree not including non-container images content size in the total image content size. docker/cli#6000
  • Fix docker load not preserving replaced images. moby/moby#49650
  • Fix docker login hints when logging in to a custom registry. docker/cli#6015
  • Fix docker stats not working properly on machines with high CPU core count. moby/moby#49734
  • Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964
  • Fix an issue preventing rootless Docker setup on a host with no ip_tables kernel module. moby/moby#49727
  • Fix an issue that could lead to unwanted iptables rules being restored and never deleted following a firewalld reload. moby/moby#49728
  • Improve CLI completion of docker service scale. docker/cli#5968
  • docker images --tree now hides both untagged and dangling images by default. docker/cli#5924
  • docker system info will provide an exit code if a connection cannot be established to the Docker daemon. docker/cli#5918
  • containerd image store: Fix image tag event not being emitted when building with BuildKit. moby/moby#49678
  • containerd image store: Improve docker push/pull handling of remote registry errors. moby/moby#49770
  • containerd image store: Show pull progress for non-layer image blobs. moby/moby#49746
Packaging updates
Networking
  • Fix a bug causing host port-mappings on Swarm containers to be duplicated on docker ps and docker inspect. moby/moby#49724
  • Fix an issue that caused container network attachment to fail with error "Bridge port not forwarding". moby/moby#49705
  • Fix an issue with removal of a --link from a container in the default bridge network. moby/moby#49778
  • Improve how network-endpoint relationships are tracked to reduce the chance of the "has active endpoints" error to be wrongfully returned. moby/moby#49736
  • Improve the "has active endpoints" error message by including the name of endpoints still connected to the network being deleted. moby/moby#49773
API
  • Update API version to v1.49. moby/moby#49718
  • GET /image/{name}/json now supports a platform parameter, allowing you to specify which platform variant of a multi-platform image to inspect. moby/moby#49586
  • GET /info now returns a FirewallBackend containing information about the daemon's firewalling configuration. moby/moby#49761
Go SDK
  • Update minimum required Go version to go1.23. docker/cli#5868
  • cli/command/context: remove temporary ContextType field from JSON output. docker/cli#5981
  • client: Keep image references in canonical format where possible. moby/moby#49609
Deprecations
  • API: Deprecated AllowNondistributableArtifactsCIDRs and AllowNondistributableArtifactsHostnames fields in the RegistryConfig struct in the GET /info response are omitted in API v1.49. moby/moby#49749
  • API: Deprecated: The ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint were deprecated in API v1.48, and are now omitted in API v1.49. moby/moby#48556
  • Go-SDK: cli/command/image: Deprecate RunPull: this function was only used internally and will be removed in the next release. docker/cli#5975
  • Go-SDK: cli/config/configfile: deprecate ConfigFile.Experimental field. Experimental CLI features are always enabled since version v20.10 and this field is no longer used. Use ConfigFile.Features instead for optional features. This field will be removed in a future release. docker/cli#5977
  • Go-SDK: deprecate pkg/archive, which was migrated to github.com/moby/go-archive. moby/moby#49743
  • Go-SDK: deprecate pkg/atomicwriter, which was migrated to github.com/moby/sys/atomicwriter. moby/moby#49748
  • Go-SDK: opts: remove deprecated PortOpt, ConfigOpt, SecretOpt aliases. docker/cli#5953
  • Go-SDK: registry: deprecate APIEndpoint.Official field. moby/moby#49706

v28.0.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964

v28.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix docker run truncating the STDOUT/STDERR prematurely when the container exits before the data is consumed. docker/cli#5957
Packaging updates

v28.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix CLI-specific attributes (docker.cli.*) being unintentionally passed to downstream OTel services. docker/cli#5842
  • Fix an issue where user-specified OTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist. docker/cli#5842
  • Fix daemon failing to start on Windows when a container created before v28.0.0 was present. moby/moby#49626
  • Fix possible error on docker buildx prune with the --min-free-space. moby/moby#49623
  • Fix spurious "io: read/write on closed pipe" error in the daemon log when closing a container. moby/moby#49590
  • Fix the Docker daemon failing too early if the containerd socket isn't immediately available. moby/moby#49603
  • Mask Linux thermal interrupt info in a container's /proc and /sys by default. moby/moby#49560
  • Update contrib/check-config.sh to check for more kernel modules related to iptables. moby/moby#49622
  • containerd image store: Fix integer overflow in User ID handling passed via --user. moby/moby#49652
  • containerd image store: Fix spurious "reference for unknown type: application/vnd.in-toto+json" warning being logged to the daemon's log. moby/moby#49652
  • containerd image store: Improve performance of docker ps when running large number of containers. moby/moby#49365
Packaging updates
Networking
  • Add environment variable DOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provide CONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptables raw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to 127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0. moby/moby#49621
  • Allow container startup when an endpoint is attached to a macvlan network where the parent interface is down. moby/moby#49630
  • Do not skip DNAT for packets originating in a gateway_mode=routed network. moby/moby#49577
  • Fix a bug causing docker ps to inconsistently report dual-stack port mappings. moby/moby#49657
  • Fix a bug that could cause docker-proxy to stop forwarding UDP datagrams to containers. moby/moby#49649
  • Fix a bug that was causing docker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly. moby/moby#49649
Go SDK
  • Move various types and consts from cli-plugins/manager to a separate package. docker/cli#5902
  • Update minimum required Go version to go1.23. moby/moby#49541
  • cli/command: Move PrettyPrint utility to cli/command/formatter. docker/cli#5916
  • runconfig/errors: split ErrConflictHostNetwork into ErrConflictConnectToHostNetwork and ErrConflictDisconnectFromHostNetwork. moby/moby#49605
Deprecations
  • Go-SDK: Deprecate cli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds the OTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release. docker/cli#5881
  • Go-SDK: Deprecate opts.PortOpt, opts.ConfigOpt and opts.SecretOpt. These types were moved to the opts/swarmopts package. docker/cli#5907
  • Go-SDK: Remove service/logs package. docker/cli#5910
  • Go-SDK: cli/command/image: Deprecate PushTrustedReference and move to cli/trust. docker/cli#5894
  • Go-SDK: cli/command/image: Deprecate and internalize TrustedPush. docker/cli#5894
  • Go-SDK: cli/command: deprecate Cli.NotaryClient: use trust.GetNotaryRepository instead. This method is no longer used and will be removed in the next release. docker/cli#5885
  • Go-SDK: cli/command: deprecate Cli.RegistryClient. This method was only used internally and will be removed in the next release. Use client.NewRegistryClient instead. docker/cli#5889, docker/cli#5889
  • Go-SDK: registry: Deprecate RepositoryInfo.Official field. moby/moby#49567
  • Go-SDK: registry: deprecate HostCertsDir: this function was only used internally and will be removed in the next release. moby/moby#49612
  • Go-SDK: registry: deprecate SetCertsDir: the cert-directory is now automatically selected when running with RootlessKit, and should no longer be set manually. moby/moby#49612

v28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Networking

  • Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
    • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
  • Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
  • Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
  • Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
  • Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
  • Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
  • Improve the error reported when kernel modules ip_set, ip_set_hash_net and netfilter_xt_set are not available. moby/moby#49524
  • Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
  • Update --help output and man page to state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

  • Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
  • Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
  • Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
  • Fix regression 'protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns"'. moby/moby#49514
  • containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
  • containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
  • Fix compilation on i386. moby/moby#49526

Packaging updates

API

  • containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
  • containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535

v28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges. docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325
  • Fix an issue that prevented port publishing to link-local addresses. moby/moby#48570
  • UDP ports published by a container are now reliably accessible by containers on other networks, via the host's public IP address. moby/moby#48571
  • Docker will now only set the ip6tables policy for the FORWARD chain in the filter table to DROP if it enables IP forwarding on the host itself (sysctls net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). This is now aligned with existing IPv4 behaviour. moby/moby#48594
    • If IPv6 forwarding is enabled on your host, but you were depending on Docker to set the ip6tables filter-FORWARD policy to DROP, you may need to update your host's configuration to make sure it is secure.
  • Direct routed access to container ports that are not exposed using -p/--publish is now blocked in the DOCKER iptables chain. moby/moby#48724
    • If the default iptables filter-FORWARD policy was previously left at ACCEPT on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
      • Publish the ports you need.
      • Use the new gateway_mode_ipv[46]=nat-unprotected, described below.
    • Container ports published to host addresses will continue to be accessible via those host addresses, using NAT or the userland proxy.
    • Unpublished container ports continue to be directly accessible from the Docker host via the container's IP address.
  • Networks created with gateway_mode_ipv[46]=routed are now accessible from other bridge networks running on the same Docker host, as well as from outside the host. moby/moby#48596
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode nat-unprotected. moby/moby#48597
    • nat-unprotected is similar to the default nat mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
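The seccomp entry in 28.2.0 above (moby/moby#50077) only changes the built-in default profile; a custom profile derived from an older default keeps denying those syscalls with EPERM. The following is an added example, not code from the Docker project or from this PR, that checks a custom profile in Docker's seccomp JSON layout for the twelve syscalls named in that entry and appends a plain allow rule for any that are missing; the sample profile is constructed for the example.

```python
"""Check a custom Docker seccomp profile for the syscalls added in 28.2.0.

Added example (not from the Docker project): operators who ship a custom
profile derived from a pre-28.2.0 default do not get the libseccomp v2.6.0
syscalls automatically, so containers using that profile keep seeing EPERM.
"""
import copy
import json

# Syscalls listed in the 28.2.0 release notes (moby/moby#50077).
NEW_SYSCALLS = [
    "listmount", "statmount", "lsm_get_self_attr", "lsm_list_modules",
    "lsm_set_self_attr", "mseal", "uretprobe", "riscv_hwprobe",
    "getxattrat", "listxattrat", "removexattrat", "setxattrat",
]

# Constructed sample: a trimmed profile in Docker's seccomp JSON layout.
# It mimics a pre-28.2.0 default (deny with EPERM by default, allow-list
# of syscalls) to which someone already added "mseal" by hand.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "syscalls": [
    {"names": ["read", "write", "getxattr", "mseal"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}
""")


def allowed_unconditionally(profile):
    """Return the syscalls allowed by rules with no caps/arch/args gating.

    Rules carrying "includes", "excludes" or "args" only apply in some
    situations, so they are deliberately not counted; the check is
    conservative and may report an arch-gated syscall as missing.
    """
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes") or rule.get("excludes") or rule.get("args"):
            continue
        allowed.update(rule.get("names", []))
    return allowed


def missing_new_syscalls(profile):
    """Return the 28.2.0 syscalls that the profile does not plainly allow."""
    allowed = allowed_unconditionally(profile)
    return [name for name in NEW_SYSCALLS if name not in allowed]


def patch_profile(profile):
    """Return a copy of the profile with one extra ALLOW rule for the gaps.

    The input is not modified, so the original file can be diffed against
    the result before it is deployed.
    """
    patched = copy.deepcopy(profile)
    missing = missing_new_syscalls(profile)
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"}
        )
    return patched


if __name__ == "__main__":
    gaps = missing_new_syscalls(SAMPLE_PROFILE)
    print("missing from sample profile:", ", ".join(gaps) or "none")
    print(json.dumps(patch_profile(SAMPLE_PROFILE), indent=2))
```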

@renovate renovate bot added the renovate label Jul 11, 2025
@renovate renovate bot requested a review from a team as a code owner July 11, 2025 00:15
@renovate renovate bot merged commit 75595ac into main Jul 11, 2025
1 check passed
@renovate renovate bot deleted the renovate/major-28-ubuntu-24.04-dind-image branch July 11, 2025 03:32