28.0.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.4 milestone
• moby/moby, 28.0.4 milestone

Bug fixes and enhancements

• Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964

28.0.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.3 milestone
• moby/moby, 28.0.3 milestone

Bug fixes and enhancements

• Fix docker run truncating the STDOUT/STDERR prematurely when the container exits before the data is consumed. docker/cli#5957

Packaging updates

• Update BuildKit to v0.20.2. moby/moby#49698
• Update runc to v1.2.6 (static packages only). moby/moby#49682
• Update containerd to v1.7.26. docker/containerd-packaging#409

28.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.2 milestone
• moby/moby, 28.0.2 milestone

Bug fixes and enhancements

• Fix CLI-specific attributes (docker.cli.*) being unintentionally passed to downstream OTel services. docker/cli#5842
• Fix an issue where user-specified OTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist. docker/cli#5842
• Fix daemon failing to start on Windows when a container created before v28.0.0 was present. moby/moby#49626
• Fix possible error on docker buildx prune with the --min-free-space. moby/moby#49623
• Fix spurious io: read/write on closed pipe error in the daemon log when closing container. moby/moby#49590
• Fix the Docker daemon failing too early if the containerd socket isn't immediately available. moby/moby#49603
• Mask Linux thermal interrupt info in a container's /proc and /sys by default. moby/moby#49560
• Update contrib/check-config.sh to check for more kernel modules related to iptables. moby/moby#49622
• containerd image store: Fix integer overflow in User ID handling passed via --user. moby/moby#49652
• containerd image store: Fix spurious reference for unknown type: application/vnd.in-toto+json warning being logged to the daemon's log. moby/moby#49652
• containerd image store: Improve performance of docker ps when running large number of containers. moby/moby#49365

Packaging updates

• Update BuildKit to v0.20.1. moby/moby#49587
• Update Buildx to v0.22.0. docker/docker-ce-packaging#1175
• Update Compose to v2.34.0. docker/docker-ce-packaging#1172
• Update Go runtime to 1.23.7. docker/cli#5890, docker/docker-ce-packaging#1171, moby/moby#49580
• Update RootlessKit to v2.3.4. moby/moby#49614
• Update containerd (static binaries only) to v1.7.27. moby/moby#49656

Networking

• Add environment variable DOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provide CONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptables raw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to 127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0. moby/moby#49621
• Allow container startup when an endpoint is attached to a macvlan network where the parent interface is down. moby/moby#49630
• Do not skip DNAT for packets originating in a gateway_mode=routed network. moby/moby#49577
• Fix a bug causing docker ps to inconsistently report dual-stack port mappings. moby/moby#49657
• Fix a bug that could cause docker-proxy to stop forwarding UDP datagrams to containers. moby/moby#49649
• Fix a bug that was causing docker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly. moby/moby#49649

Go SDK

• Move various types and consts from cli-plugins/manager to a separate package. docker/cli#5902
• Update minimum required Go version to go1.23. moby/moby#49541
• cli/command: Move PrettyPrint utility to cli/command/formatter. docker/cli#5916
• runconfig/errors: split ErrConflictHostNetwork into ErrConflictConnectToHostNetwork and ErrConflictDisconnectFromHostNetwork. moby/moby#49605

Deprecations

• Go-SDK: Deprecate cli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds the OTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release. docker/cli#5881
• Go-SDK: Deprecate opts.PortOpt, opts.ConfigOpt and opts.SecretOpt. These types were moved to the opts/swarmopts package. docker/cli#5907
• Go-SDK: Remove service/logs package. docker/cli#5910
• Go-SDK: cli/command/image: Deprecate PushTrustedReference and move to cli/trust. docker/cli#5894
• Go-SDK: cli/command/image: Deprecate and internalize TrustedPush. docker/cli#5894
• Go-SDK: cli/command: deprecate Cli.NotaryClient: use trust.GetNotaryRepository instead. This method is no longer used and will be removed in the next release. docker/cli#5885
• Go-SDK: cli/command: deprecate Cli.RegistryClient. This method was only used internally and will be removed in the next release. Use client.NewRegistryClient instead. docker/cli#5889, docker/cli#5889
• Go-SDK: registry: Deprecate RepositoryInfo.Official field. moby/moby#49567
• Go-SDK: registry: deprecate HostCertsDir: this function was only used internally and will be removed in the next release. moby/moby#49612
• Go-SDK: registry: deprecate SetCertsDir: the cert-directory is now automatically selected when running with RootlessKit, and should no longer be set manually. moby/moby#49612

28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.1 milestone
• moby/moby, 28.0.1 milestone

Networking

• Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
  • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
• Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
• Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
• Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
• Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
• Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
• Improve the error reported when kernel modules ip_set, ip_set_hash_net and netilter_xt_set are not available. moby/moby#49524
• Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
• Update --help output and man page lo state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

• Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
• Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
• Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
• Fix regression protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
• containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
• containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
• Fix compilation on i386 moby/moby#49526

Packaging updates

• Update github.com/go-jose/go-jose/v4 to v4.0.5 to address. GHSA-c6gw-w398-hv78 / CVE-2025-27144 docker/cli#5867
• Update Buildx to v0.21.1. docker/docker-ce-packaging#1167
• Update Compose to v2.33.1. docker/docker-ce-packaging#1168

API

• containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
• containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
  • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
• The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
• Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
• Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
  • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
  • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
  • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
  • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
• If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

• dockerd now requires ipset support in the Linux kernel. moby/moby#48596
  • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
  • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
    • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
• Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
• Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325
• Fix an issue that prevented port publishing to link-local addresses. moby/moby#48570
• UDP ports published by a container are now reliably accessible by containers on other networks, via the host's public IP address. moby/moby#48571
• Docker will now only set the ip6tables policy for the FORWARD chain in the filter table to DROP if it enables IP forwarding on the host itself (sysctls net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). This is now aligned with existing IPv4 behaviour. moby/moby#48594
  • If IPv6 forwarding is enabled on your host, but you were depending on Docker to set the ip6tables filter-FORWARD policy to DROP, you may need to update your host's configuration to make sure it is secure.
• Direct routed access to container ports that are not exposed using p/-publish is now blocked in the DOCKER iptables chain. moby/moby#48724
  • If the default iptables filter-FORWARD policy was previously left at ACCEPT on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
    • Publish the ports you need.
    • Use the new gateway_mode_ipv[46]=nat-unprotected, described below.
  • Container ports published to host addresses will continue to be accessible via those host addresses, using NAT or the userland proxy.
  • Unpublished container ports continue to be directly accessible from the Docker host via the container's IP address.
• Networks created with gateway_mode_ipv[46]=routed are now accessible from other bridge networks running on the same Docker host, as well as from outside the host. moby/moby#48596
• Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode nat-unprotected. moby/moby#48597
  • nat-unprotected is similar to the default nat mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.
• Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode isolated, when the network is also internal. moby/moby#49262
  • An address is normally assigned to the bridge device in an internal network. So, processes on the Docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, 0.0.0.0 or ::).
  • An internal bridge network created with gateway mode isolated does not have an address on the Docker host.
• When a port mapping includes ...

28.0.0-rc.3

This is a pre-release of the upcoming 28.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [28.0.0-rc] in the issue title

What's Changed

• Dockerfile: update golangci-lint to v1.64.5 by @thaJeztah in #49481
• api/swagger: inline Exec example values by @thaJeztah in #49479
• golangci-lint: ignore "nested context" (fatcontext) in tests by @thaJeztah in #49484
• api/swagger: remove custom example from /containers/{id}/json endpoint by @thaJeztah in #49478
• api/swagger: remove custom example from /containers/json endpoint by @thaJeztah in #49477
• c8d/list: Fix panic when listing images by @vvoland in #49485
• docs/api: add documentation for API v1.48 by @thaJeztah in #49480
• Dockerfile: fix linting warnings by @thaJeztah in #49490
• vendor: github.com/moby/buildkit v0.20.0-rc3 by @vvoland in #49491

Full Changelog: v28.0.0-rc.2...v28.0.0-rc.3

28.0.0-rc.2

This is a pre-release of the upcoming 28.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [28.0.0-rc] in the issue title

What's Changed

• Dockerfile: update golangci-lint to v1.63.4 by @thaJeztah in #49416
• update authors and mailmap by @thaJeztah in #49423
• client: fix deprecation comment for ImageInspectWithRaw by @thaJeztah in #49422
• Dockerfile: update docker CLI to v28.0.0-rc.1 by @thaJeztah in #49426
• Dockerfile: update buildx v0.20.1 by @thaJeztah in #49425
• Dockerfile: bump gotest.tools/gotestsum v1.12.0 by @thaJeztah in #49424
• vendor: gotest.tools/v3 v3.5.2 by @thaJeztah in #49421
• daemon: configureMaxThreads: remove unused arg by @thaJeztah in #49409
• vendor: cloud.google.com/go/compute/metadata v0.5.2 by @thaJeztah in #49411
• client: custom trace options by @NathanBaulch in #49415
• api/types/container: rename ContainerUpdateOKBody to UpdateResponse, ContainerTopOKBody to TopResponse by @thaJeztah in #49442
• api/types/container: introduce CommitResponse, ExecCreateResponse types by @thaJeztah in #49444
• Restore new iptables rules on firewalld reload by @robmry in #49443
• api/types: deprecate IDResponse by @thaJeztah in #49446
• Fix deprecation of "error" and "progress" fields in streaming responses by @thaJeztah in #49447
• vendor: github.com/containerd/go-cni v1.1.12 by @thaJeztah in #49449
• vendor: google.golang.org/grpc v1.69.4 by @thaJeztah in #49448
• vendor: github.com/spf13/pflag v1.0.6 by @thaJeztah in #49450
• Add experimental feature warning for image mount by @LaurentGoderre in #49351
• vendor: update buildkit to v0.20.0-rc1 by @tonistiigi in #49452
• vendor: github.com/vishvananda/netlink 655392bc778a by @thaJeztah in #49456
• API: add Platform (OS and Architecture) to /containers/json by @jsternberg in #49407
• vendor: github.com/miekg/dns v1.1.61 by @thaJeztah in #49454
• Fix linting issues to allow enabling more linters by @thaJeztah in #49417
• golangci-lint: enable more linters by @thaJeztah in #49419
• Dockerfile: update runc binary to v1.2.5 by @thaJeztah in #49464
• daemon: use structured logs for printing reloaded config, move to cli by @thaJeztah in #49418
• client: Change ImageHistory, ImageLoad and ImageSave to use variadic functional options by @vvoland in #49466
• vendor: update buildkit to v0.20.0-rc2 by @tonistiigi in #49462
• client: remove serverResponse and use http.Response directly by @thaJeztah in #49420
• Don't create iptables rules when iptables is disabled by @robmry in #49467
• container: ensure image manifest is deep copied from the container into the snapshot by @jsternberg in #49469
• c8d/progress: Fix panic when pulling some images by @vvoland in #49470
• daemon/logger: assorted minor (linting) fixes and cleanups by @thaJeztah in #49472
• container: Container.StopSignal: fix handling of invalid signals and cleanup tests by @thaJeztah in #49471
• project: update status of branches by @thaJeztah in #49468

Full Changelog: v28.0.0-rc.1...v28.0.0-rc.2

28.0.0-rc.1

This is a pre-release of the upcoming 28.0.0 release.

Pre-releases are intended for testing new releases: only install in a test environment!

curl -fsSL https://get.docker.com -o get-docker.sh
sudo CHANNEL=test sh get-docker.sh

Bugs and regressions can be reported in these issue trackers:

• Related to the CLI: https://github.com/docker/cli/issues
• Related to the Docker Engine https://github.com/moby/moby/issues

When reporting issues, include [28.0.0-rc] in the issue title

What's Changed

• update golangci-lint to v1.59.1 by @thaJeztah in #48058
• api/types: deprecate ContainerJSONBase.Node, ContainerNode by @thaJeztah in #48055
• daemon/graphdriver, layer: rename vars that shadowed imports by @thaJeztah in #48071
• Dockerfile: update compose to v2.28.1, update cli to v27.0.2 by @vvoland in #48073
• daemon/graphdriver: remove support for external graphdriver plugins by @thaJeztah in #48072
• daemon/graphdriver: deprecate GetDriver(), and remove its use by @thaJeztah in #48079
• Fix duplicate subnet allocations by @robmry in #48084
• fix some gofmt issues reported by goreportcard by @thaJeztah in #48080
• daemon/graphdriver/overlay2: set TarOptions.InUserNS for native differ (fix "failed to Lchown "/dev/console") by @thaJeztah in #48083
• Fix incorrect validation of port mapping by @robmry in #48088
• cleanup: Remove unnecessary return value by @coolljt0725 in #48095
• runconfig, runconfig/opts: remove deprecated types and functions by @thaJeztah in #48102
• daemon/logger, volume/drivers: remove redundant import-aliases by @thaJeztah in #48098
• errdefs: FromStatusCode(): use early returns by @thaJeztah in #48100
• vendor: github.com/microsoft/hcsshim v0.11.7 by @thaJeztah in #48091
• do another run of gofumpt by @thaJeztah in #48081
• builder/builder-next: applySourcePolicies: remove redundant check and vars by @thaJeztah in #48070
• pkg/capabilities move to daemon/internal by @thaJeztah in #48101
• pkg/containerfs: move to internal by @thaJeztah in #48097
• pkg/rootless/specconv: move to internal by @thaJeztah in #48110
• pkg/dmesg: remove deprecated package by @thaJeztah in #48109
• pkg/directory: deprecate, and move to internal by @thaJeztah in #48108
• api/types/system: remove deprecated Info.ExecutionDriver by @thaJeztah in #48111
• api/types: migrate more types to separate packages by @thaJeztah in #48057
• api/types: remove aliases for deprecated types by @thaJeztah in #48107
• update containerd binary to v1.7.19 by @thaJeztah in #48117
• daemon/logger/journald: add //nolint:unused for readSyncTimeout by @thaJeztah in #48115
• update to go1.21.12 by @vvoland in #48120
• update to go1.21.12 [part 2] by @vvoland in #48121
• api/types/container: InspectResponse: keep old name for embedded type by @thaJeztah in #48124
• vendor: update dependencies in preparation of BuildKit v0.15 by @thaJeztah in #48127
• vendor: github.com/containerd/containerd v1.7.19, migrate to github.com/containerd/platforms module by @thaJeztah in #47142
• Remove IPv6 bridge RouteAdd() that always fails by @robmry in #48135
• rootless: add Requires=dbus.socket by @AkihiroSuda in #48134
• daemon/graphdriver: split, internalize packages to separate snapshotters and graphdrivers by @thaJeztah in #48092
• vendor: update buildkit to v0.15.0-rc1 by @tonistiigi in #48126
• By-default, don't create an iptables rule to checksum SCTP by @robmry in #48149
• Fix API version in TestSetInterfaceSysctl by @robmry in #48156
• docs/api: Add missing ` by @vvoland in #48154
• vendor: update buildkit to v0.15.0-rc2 by @tonistiigi in #48150
• vendor: update buildkit to v0.15.0 by @tonistiigi in #48159
• all: switch to Go 1.19 atomics by @corhere in #48139
• daemon/graphdriver: remove Capabilities, CapabilityDriver by @thaJeztah in #48143
• vendor: cloud.google.com/go/logging v1.9.0 by @thaJeztah in #48165
• rm regexp use by @kolyshkin in #48169
• README: replace obsolete Docker EE mention by @corhere in #48176
• c8d/build: Log image tag event when image was built with Buildkit by @vvoland in #48078
• gha: check-pr-branch: verify major version only by @thaJeztah in #48177
• Dockerfile: update buildx to v0.16.1, compose to v2.29.0 by @thaJeztah in #48186
• gha: check-pr-branch: fix branch check regression by @thaJeztah in #48194
• update containerd binary to v1.7.20 by @thaJeztah in #48190
• vendor: github.com/containerd/containerd v1.7.20 by @thaJeztah in #48188
• vendor: update moby/sys modules by @thaJeztah in #48189
• vendor: github.com/moby/sys/sequential v0.6.0 by @thaJeztah in #48198
• hack: explicitly control enabling the journald logging driver by @williamh in #47789
• contrib/check-config.sh: remove special case for userns on CentOS/RHEL 7 by @thaJeztah in #48212
• Clean up networks in 'integration/network' tests by @robmry in #48217
• dockerd-rootless-setuptool.sh: move RootlessKit smoke test by @AkihiroSuda in #48216
• vendor: github.com/gofrs/flock v0.12.1 by @thaJeztah in #48234
• migrate to github.com/moby/sys/user/userns by @thaJeztah in #48170
• vendor: update buildkit to v0.15.1 by @crazy-max in #48239
• remove support for setting CORS headers (deprecated) by @thaJeztah in #48209
• api/server/router/grpc: NewRouter: set correct MaxRecvMsgSize, MaxSendMsgSize by @thaJeztah in #48242
• images: Extract ImageInspect from GetImage by @vvoland in #48240
• daemon: remove setMayDetachMounts (set may_detach_mounts=1 on startup) by @thaJeztah in #48210
• daemon: isPermissibleC8dRuntimeName: use local utility to reduce c8d deps by @thaJeztah in #48251
• daemon: remove unused import by @thaJeztah in #48263
• Split Linux/bridge and Windows/nat integration tests by @robmry in #48247
• gha: set permissions to read-only by default by @thaJeztah in #48262
• IPv6 related refactoring by @robmry in #48248
• libcontainerd/supervisor: remove remnants of adjusting oom-score by @thaJeztah in #48252
• daemon: assorted cleanups and minor improvements by @thaJeztah in #48244
• Improve documentation around maintenance, building, and packaging by @neersighted in #46772
• hack/make: suppress "not mounted" message by @kolyshkin in #48272
• libnetwork/networkdb: switch to go-immutable-radix v2 by @thaJeztah in #48157
• IPv6 only: add API option enable/disable IPv4 by @robmry in #48271
• plugin, api/types: fix typos and GoDoc by @thaJeztah in #48279
• vendor: golang.org/x/time v0.5.0, google.golang.org/grpc v1.62.0 by @thaJeztah in #48283
• IPv6 only: IPv4 is required for Windows and Swarm networks by @robmry in #48278
• touch-up security policy by @thaJeztah in #48280
• vendor: github.com/containerd/nydus-snapshotter v0.14.0 by @thaJeztah in #48288
• IPv6 only: gateway, IPAM and address configuration by @robmry in #48284
• c8d/image: Simplify presentImages and better "platform not found" error by @vvoland in #48276
• Migrate per-endpoint sysctls until 28.0.0 by @robmry in #48281
• update to go1.21.13 by @vvoland in #48300
• Makefile: Add BIND_GIT variable by @vvoland in #48303
• c8d: Multi-platform image list by @vvoland in https://g...

25.0.8

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• docker/cli, 25.0.8 milestone
• moby/moby, 25.0.8 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• [25.0 backport] volume/mounts: fix anonymous volume not being labeled by @austinvazquez in #48787
• [25.0 backport] daemon: use OwnCgroupPath in withCgroups by @thaJeztah in #48928
• [25.0 backport] Jenkinsfile: modprobe br_netfilter by @thaJeztah in #48997
• [25.0 backport] c8d/tag: Don't log a warning if the source image is not dangling by @vvoland in #49011
• [25.0 backport] Dockerd rootless: make {/etc,/var/run}/cdi available by @thaJeztah in #49029
• [25.0 backport] libnetwork/drivers/bridge: setupIPChains: fix defer checking wrong err by @thaJeztah in #49112

Packaging updates

• [25.0 backport] vendor: github.com/golang-jwt/jwt/v4@v4.5.1 by @austinvazquez in #48920
• [25.0 backport] update xx to v1.6.1 for compatibility with alpine 3.21 by @thaJeztah in #49082
• [25.0 backport] Dockerfile: update containerd to v1.7.25 by @austinvazquez in #49268
• [25.0 backport] Dockerfile: update runc binary to v1.2.4 by @austinvazquez in #49269
• [25.0 backport] update to go1.22.10 by @austinvazquez in #49048

Full Changelog: v25.0.7...v25.0.8

27.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 27.5.1 milestone
• moby/moby, 27.5.1 milestone

Bug fixes and enhancements

• Fixed an issue that could persistently prevent daemon startup after failure to initialize the default bridge. moby/moby#49307
• Add a DOCKER_IGNORE_BR_NETFILTER_ERROR environment variable. Setting it to 1 allows running on hosts that cannot load br_netfilter. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network. moby/moby#49306

Packaging updates

• Update Go runtime to 1.22.11 (fix CVE-2024-45341, CVE-2024-45336). moby/moby#49312, docker/docker-ce-packaging#1147, docker/cli#5762
• Update RootlessKit to v2.3.2 to support passt >= 2024_10_30.ee7d0b6. moby/moby#49304
• Update Buildx to v0.20.0. docker/docker-ce-packaging#1149