engine: 28.0.0 release notes #21932
Draft
engine: 28.0.0 release notes #21932
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
vvoland
force-pushed
the
engine-28.0.0
branch
5 times, most recently
from
b386e33 to
ac84e4b
Compare
vvoland
commented
Feb 5, 2025
Comment on lines
186
to
204
| ### TODO | ||
| - Fix a bug that was preventing containers exposing a TCP port on the host to be restarted if it was accessed by another container (or from the host) shortly before. [moby/moby#48567](https://github.com/moby/moby/pull/48567) | ||
| - DNS nameservers read from the host's `/etc/resolv.conf` are now always accessed from the host's network namespace. | ||
| - Close a window in which `docker-proxy` could accept TCP connections, which would fail after NAT rules were set up. The `docker-proxy` binary has been updated, the old version will not work with the updated `dockerd`. | ||
| - Fix an issue that meant published ports from one container on a bridge network were not accessible from another container on the same network with `userland-proxy` disabled, if the kernel's `br_netfilter` module was not loaded and enabled. The daemon will now attempt to load the module and enable `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` when creating a network with the userland proxy disabled. [moby/moby#48676](https://github.com/moby/moby/pull/48676) | ||
| - dockerd requires `ipset` support in the Linux kernel | ||
| - Modifications to `host-gateway`, for compatibility with IPv6-only networks. | ||
| - bridge driver options `com.docker.network.bridge.gateway_mode_ipv4` and `com.docker.network.bridge.gateway_mode_ipv6` now accept mode `nat-unprotected`. | ||
| - `nat-unprotected` is similar to the default `nat` mode, but no per port/protocol iptables rules are set up. | ||
| - Preserve network labels during daemon startup. [moby/moby#49196](https://github.com/moby/moby/pull/49196) | ||
| - Add a couple of iptables rules to filter on the input interface for NAT port mappings. This will prevent rogue neighboring hosts from accessing port mappings that aren't published in the same subnet / L2 segment. | ||
| - The env var `DOCKER_DISABLE_INPUT_IFACE_FILTERING` can be set to any `true`-ish value to globally disable this filtering. This is a temporary escape hatch and will be removed in a future release. Report an issue if you need to use it. [moby/moby#48721](https://github.com/moby/moby/pull/48721) | ||
| - Faster connection to bridge networks, in most cases. [moby/moby#49302](https://github.com/moby/moby/pull/49302) | ||
| - Fix a security issue that was allowing remote hosts to connect directly to a container, on one of its published port. [moby/moby#49325](https://github.com/moby/moby/pull/49325) | ||
| - Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. [moby/moby#49325](https://github.com/moby/moby/pull/49325) | ||
| - Add `docker network create` option `--ipv4`. | ||
| To disable IPv4 address assignment for a network, use `docker network create --ipv4=false [...]`. [docker/cli#5599](https://github.com/docker/cli/pull/5599) | ||
| - Add a new `gw-priority` option to `docker run`, `docker container create`, and `docker network connect`. This option will be used by the Engine to determine which network provides the default gateway for a container. On `docker run`, this option is only available through the extended `--network` syntax. [docker/cli#5664](https://github.com/docker/cli/pull/5664) | ||
| - Fix validation of `--link` option. [docker/cli#5739](https://github.com/docker/cli/pull/5739) |
There was a problem hiding this comment.
@robmry @akerouanton PTAL
Can you assign these to relevant categories?
Feel free to push directly to this branch, or just leave a comment on the corresponding line
There was a problem hiding this comment.
I've ...
- sorted out those TODOs
- combined the networking API section with the top-level API section
- added a couple of recent networking PRs
- fixed the link-text for the links copied from my draft notes
But I don't think I have permission to push to the branch. So, here's diff - or let me know if I should have another go...
There was a problem hiding this comment.
That works for me, thanks!
moby: 7c3fa8172b1cf4b9256861d1b2dbe67d3836b129 cli: 250378a7156272c80bb2329112b01f877680528c Signed-off-by: Paweł Gronowski <[email protected]> Co-authored-by: Rob Murray <[email protected]>
vvoland
force-pushed
the
engine-28.0.0
branch
from
ac84e4b to
09f21f2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
WIP
Related issues or tickets
Reviews