Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency moby/moby to v28 #228

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency moby/moby to v28 #228

wants to merge 1 commit into from

Conversation

renovate-rancher[bot]
Copy link
Contributor

This PR contains the following updates:

Package Update Change
moby/moby major 27.1.1 -> 28.0.0

Release Notes

moby/moby (moby/moby)

v28.0.0

Compare Source

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New
  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges. docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955
Networking
  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372
Port publishing in bridge networks
  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325
  • Fix an issue that prevented port publishing to link-local addresses. moby/moby#48570
  • UDP ports published by a container are now reliably accessible by containers on other networks, via the host's public IP address. moby/moby#48571
  • Docker will now only set the ip6tables policy for the FORWARD chain in the filter table to DROP if it enables IP forwarding on the host itself (sysctls net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). This is now aligned with existing IPv4 behaviour. moby/moby#48594
    • If IPv6 forwarding is enabled on your host, but you were depending on Docker to set the ip6tables filter-FORWARD policy to DROP, you may need to update your host's configuration to make sure it is secure.
  • Direct routed access to container ports that are not exposed using p/-publish is now blocked in the DOCKER iptables chain. moby/moby#48724
    • If the default iptables filter-FORWARD policy was previously left at ACCEPT on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
      • Publish the ports you need.
      • Use the new gateway_mode_ipv[46]=nat-unprotected, described below.
    • Container ports published to host addresses will continue to be accessible via those host addresses, using NAT or the userland proxy.
    • Unpublished container ports continue to be directly accessible from the Docker host via the container's IP address.
  • Networks created with gateway_mode_ipv[46]=routed are now accessible from other bridge networks running on the same Docker host, as well as from outside the host. moby/moby#48596
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode nat-unprotected. moby/moby#48597
    • nat-unprotected is similar to the default nat mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.
  • Bridge driver options com.docker.network.bridge.gateway_mode_ipv4 and com.docker.network.bridge.gateway_mode_ipv6 now accept mode isolated, when the network is also internal. moby/moby#49262
    • An address is normally assigned to the bridge device in an internal network. So, processes on the Docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, 0.0.0.0 or ::).
    • An internal bridge network created with gateway mode isolated does not have an address on the Docker host.
  • When a port mapping includes a host IP address or port number that cannot be used because NAT from the host is disabled using --gateway_mode_ipv[46], container creation will no longer fail. The unused fields may be needed if the gateway endpoint changes when networks are connected or disconnected. A message about the unused fields will be logged. moby/moby#48575
  • Do not create iptables nat-POSTROUTING masquerade rules for a container's own published ports, when the userland proxy is enabled. moby/moby#48854
IPv6
  • Add docker network create option --ipv4. To disable IPv4 address assignment for a network, use docker network create --ipv4=false [...]. docker/cli#5599
  • Daemon option --ipv6 ("ipv6": true in daemon.json) can now be used without fixed-cidr-v6. moby/moby#48319
  • IPAM now handles subnets bigger than "/64". moby/moby#49223
  • Duplicate address detection (DAD) is now disabled for addresses assigned to the bridges belonging to bridge networks. moby/moby#48609
  • Modifications to host-gateway, for compatibility with IPv6-only networks. moby/moby#48807
    • When special value host-gateway is used in an --add-host option in place of an address, it's replaced by an address on the Docker host to make it possible to refer to the host by name. The address used belongs to the default bridge (normally docker0). Until now it's always been an IPv4 address, because all containers on bridge networks had IPv4 addresses.
    • Now, if IPv6 is enabled on the default bridge network, /etc/hosts entries will be created for IPv4 and IPv6 addresses. So, a container that's only connected to IPv6-only networks can access the host by name.
    • The --host-gateway-ip option overrides the address used to replace host-gateway. Two of these options are now allowed on the command line, for one IPv4 gateway and one IPv6.
    • In the daemon.json file, to provide two addresses, use "host-gateway-ips". For example, "host-gateway-ips": ["192.0.2.1", "2001:db8::1111"].
Bug fixes and enhancements
  • Add IPv6 loopback address as an insecure registry by default. moby/moby#48540
  • Add support for Cobra-generated completion scripts for dockerd. moby/moby#49339
  • Fix DNS queries failing when containers are launched via systemd auto-start on boot moby/moby#48812
  • Fix Docker Swarm mode ignoring volume.subpath docker/cli#5833
  • Fix docker export continuing the export after the operation is canceled. moby/moby#49265
  • Fix docker export not releasing the container's writable layer after a failure. moby/moby#48517
  • Fix docker images --tree unnecessary truncating long image names when multiple names are available docker/cli#5757
  • Fix a bug where a container with a name matching another container's ID is not restored on daemon startup. moby/moby#48669
  • Fix an issue preventing some IPv6 addresses shown by docker ps to be properly bracketed docker/cli#5468
  • Fix bug preventing image pulls from being cancelled during docker run. docker/cli#5645
  • Fix error-handling when running the daemon as a Windows service to prevent unclean exits. moby/moby#48518
  • Fix issue causing output of docker run to be inconsistent when using --attach stdout or --attach stderr versus stdin. docker run --attach stdin now exits if the container exits. docker/cli#5662
  • Fix rootless Docker setup with subid backed by NSS modules. moby/moby#49036
  • Generated completion scripts from the CLI now show descriptions next to each command/flag suggestion. docker/cli#5756
  • IPv6 addresses shown by docker ps in port bindings are now bracketed docker/cli#5363
  • Implement the ports validation method for Compose docker/cli#5524
  • Improve error-output for invalid flags on the command line. docker/cli#5233
  • Improve errors when failing to start a container using anther container's network namespace. moby/moby#49367
  • Improve handling of invalid API errors that could result in an empty error message being shown. moby/moby#49373
  • Improve output and consistency for unknown (sub)commands and invalid arguments docker/cli#5234
  • Improve validation of exec-opts in daemon configuration. moby/moby#48979
  • Update the handling of the --gpus=0 flag to be consistent with the NVIDIA Container Runtime. moby/moby#48482
  • client.ContainerCreate now normalizes CapAdd and CapDrop fields in HostConfig to their canonical form. moby/moby#48551
  • docker image save now produces stable timestamps. moby/moby#48611
  • docker inspect now lets you inspect Swarm configs docker/cli#5573
  • containerd image store: Add support for Extracting layer status in docker pull. moby/moby#49064
  • containerd image store: Fix commit, import, and build not preserving a replaced image as a dangling image. moby/moby#48316
  • containerd image store: Make docker load --platform return an error when the requested platform isn't loaded. moby/moby#48718
  • Fix validation of --link option. docker/cli#5739
  • Add validation of network-diagnostic-port daemon configuration option. moby/moby#49305
  • Unless explicitly configured, an IP address is no longer reserved for a gateway in cases where it is not required. Namely, “internal” bridge networks with option com.docker.network.bridge.inhibit_ipv4, ipvlan or macvlan networks with no parent interface, and L3 IPvlan modes. moby/moby#49261
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372
  • Fixed an issue that meant a container could not be attached to an L3 IPvlan at the same time as other network types. moby/moby#49130
  • Remove the correct /etc/hosts entries when disconnecting a container from a network. moby/moby#48857
  • Fix duplicate network disconnect events. moby/moby#48800
  • Resolve issues related to changing fixed-cidr for docker0, and inferring configuration from a user-managed default bridge (--bridge). moby/moby#48319
  • Remove feature flag windows-dns-proxy, introduced in release 26.1.0 to control forwarding to external DNS resolvers from Windows containers, to make nslookup work. It was enabled by default in release 27.0.0. moby/moby#48738
  • Remove an iptables mangle rule for checksumming SCTP. The rule can be re-enabled by setting DOCKER_IPTABLES_SCTP_CHECKSUM=1 in the daemon's environment. This override will be removed in a future release. moby/moby#48149
  • Faster connection to bridge networks, in most cases. moby/moby#49302
Packaging updates
Go SDK
  • Improve validation of empty object IDs. The client now returns an "Invalid Parameter" error when trying to use an empty ID or name. This changes the error returned by some "Inspect" functions from a "Not found" error to an "Invalid Parameter". moby/moby#49381
  • Client.ImageBuild() now omits default values from the API request's query string. moby/moby#48651
  • api/types/container: Merge Stats and StatsResponse moby/moby#49287
  • client.WithVersion: Strip v-prefix when setting API version moby/moby#49352
  • client: Add WithTraceOptions allowing to specify custom OTe1 trace options. moby/moby#49415
  • client: Add HijackDialer interface. moby/moby#49388
  • client: Add SwarmManagementAPIClient interface to describe all API client methods related to Swarm-specific objects. moby/moby#49388
  • client: Add WithTraceOptions allowing to specify custom OTel trace options. moby/moby#49415
  • client: ImageHistory, ImageLoad and ImageSave now use variadic functional options moby/moby#49466
  • pkg/containerfs: Move to internal moby/moby#48097
  • pkg/reexec: Can now be used on platforms other than Linux, Windows, macOS and FreeBSD moby/moby#49118
  • api/types/container: introduce CommitResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444
  • api/types/container: introduce ExecCreateResponse type. This is currently an alias for IDResponse, but may become a distinct type in a future release. moby/moby#49444
API
  • Update API version to v1.48 moby/moby#48476
  • GET /images/{name}/json response now returns the Manifests field containing information about the sub-manifests contained in the image index. This includes things like platform-specific manifests and build attestations. moby/moby#48264
  • POST /containers/create now supports Mount of type image for mounting an image inside a container. moby/moby#48798
  • GET /images/{name}/history now supports a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to show the history of. moby/moby#48295
  • POST /images/{name}/load and GET /images/{name}/get now supports a platform parameter (JSON encoded OCI Platform type) that lets you specify a platform to load/save. Not passing this parameter results in loading/saving the full multi-platform image. moby/moby#48295
  • Improve errors for invalid width/height on container resize and exec resize moby/moby#48679
  • The POST /containers/create endpoint now includes a warning in the response when setting the container-wide VolumeDriver option in combination with volumes defined through Mounts because the VolumeDriver option has no effect on those volumes. This warning was previously generated by the CLI. moby/moby#48789
  • containerd image store: GET /images/json and GET /images/{name}/json responses now includes Descriptor field, which contains an OCI descriptor of the image target. The new field is only populated if the daemon provides a multi-platform image store. moby/moby#48894
  • containerd image store: GET /containers/{name}/json now returns an ImageManifestDescriptor field containing the OCI descriptor of the platform-specific image manifest of the image that was used to create the container. moby/moby#48855
  • Add debug endpoints (GET /debug/vars, GET /debug/pprof/, GET /debug/pprof/cmdline, GET /debug/pprof/profile, GET /debug/pprof/symbol, GET /debug/pprof/trace, GET /debug/pprof/{name}) are now also accessible through the versioned-API paths (/v<API-version>/<endpoint>). moby/moby#49051
  • Fix API returning a 500 status code instead of 400 for validation errors. moby/moby#49217
  • Fix status codes for archive endpoints HEAD /containers/{name:.*}/archive, GET /containers/{name:.*}/archive, PUT /containers/{name:.*}/archive returning a 500 status instead of a 400 status. moby/moby#49219
  • POST /containers/create now accepts a writable-cgroups=true option in HostConfig.SecurityOpt to mount the container's cgroups writable. This provides a more granular approach than HostConfig.Privileged. moby/moby#48828
  • POST /build/prune renames keep-bytes to reserved-space and now supports additional prune parameters max-used-space and min-free-space. moby/moby#48720
  • POST /networks/create now has an EnableIPv4 field. Setting it to false disables IPv4 IPAM for the network. moby/moby#48271
    • GET /networks/{id} now returns an EnableIPv4 field showing whether the network has IPv4 IPAM enabled. moby/moby#48271
    • User-defined bridge networks require either IPv4 or IPv6 address assignment to be enabled. IPv4 cannot be disabled for the default bridge network (docker0). moby/moby#48323
    • macvlan and ipvlan networks can be created with address assignment disabled for IPv4, IPv6, or both address families. moby/moby#48299
    • IPv4 cannot be disabled for Windows or Swarm networks. moby/moby#48278
  • Add a way to specify which network should provide the default gateway for a container. moby/moby#48936
    • POST /networks/{id}/connect and POST /containers/create now accept a GwPriority field in EndpointsConfig. This value is used to determine which network endpoint provides the default gateway for the container. The endpoint with the highest priority is selected. If multiple endpoints have the same priority, endpoints are sorted lexicographically by their network name, and the one that sorts first is picked. moby/moby#48746
    • GET /containers/json now returns a GwPriority field in NetworkSettings for each network endpoint. The GwPriority field is used by the CLI’s new gw-priority option for docker run and docker network connect. moby/moby#48746
  • Settings for eth0 in --sysctl options are no longer automatically migrated to the network endpoint. moby/moby#48746
    • For example, in the Docker CLI, docker run --network mynet --sysctl net.ipv4.conf.eth0.log_martians=1 ... is rejected. Instead, you must use docker run --network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1 ...
  • GET /containers/json now returns an ImageManifestDescriptor field matching the same field in /containers/{name}/json. This field is only populated if the daemon provides a multi-platform image store. moby/moby#49407
Removed
  • The Fluent logger option fluentd-async-connect has been deprecated in v20.10 and is now removed. moby/moby#46114
  • The --time option on docker stop and docker restart is deprecated and renamed to --timeout. docker/cli#5485
  • Go-SDK: pkg/ioutils: Remove NewReaderErrWrapper as it was never used. moby/moby#49258
  • Go-SDK: pkg/ioutils: Remove deprecated BytesPipe, NewBytesPipe, ErrClosed, WriteCounter, NewWriteCounter, NewReaderErrWrapper, NopFlusher. moby/moby#49245
  • Go-SDK: pkg/ioutils: Remove deprecated NopWriter and NopWriteCloser. moby/moby#49256
  • Go-SDK: pkg/sysinfo: Remove deprecated NumCPU. moby/moby#49242
  • Go-SDK: Remove pkg/broadcaster, as it was only used internally moby/moby#49172
  • Go-SDK: Remove deprecated cli.Errors type docker/cli#5549
  • Remove pkg/ioutils.ReadCloserWrapper, as it was only used in tests. moby/moby#49237
  • Remove deprecated api-cors-header config parameter and the dockerd --api-cors-header option moby/moby#48209
  • Remove deprecated APIEndpoint.Version field, APIVersion type, and APIVersion1 and APIVersion2 consts. moby/moby#49004
  • Remove deprecated api-cors-header config parameter and the Docker daemon's --api-cors-header option. docker/cli#5437
  • Remove deprecated pkg/directory package moby/moby#48779
  • Remove deprecated pkg/dmsg.Dmesg() moby/moby#48109
  • Remove deprecated image/spec package, which was moved to a separate module (github.com/moby/docker-image-spec) moby/moby#48460
  • Remove migration code and errors for the deprecated logentries logging driver. moby/moby#48891
  • Remove support for deprecated external graph-driver plugins. moby/moby#48072
  • api/types: Remove deprecated container.ContainerNode and ContainerJSONBase.Node field. moby/moby#48107
  • api/types: Remove deprecated aliases: ImagesPruneReport, VolumesPruneReport, NetworkCreateRequest, NetworkCreate, NetworkListOptions, NetworkCreateResponse, NetworkInspectOptions, NetworkConnect, NetworkDisconnect, EndpointResource, NetworkResource, NetworksPruneReport, ExecConfig, ExecStartCheck, ContainerExecInspect, ContainersPruneReport, ContainerPathStat, CopyToContainerOptions, ContainerStats, ImageSearchOptions, ImageImportSource, ImageLoadResponse, ContainerNode. moby/moby#48107
  • libnetwork/iptables: Remove deprecated IPV, Iptables, IP6Tables and Passthrough(). moby/moby#49121
  • pkg/archive: Remove deprecated CanonicalTarNameForPath, NewTempArchive, TempArchive moby/moby#48708
  • pkg/fileutils: Remove deprecated GetTotalUsedFds moby/moby#49210
  • pkg/ioutils: Remove OnEOFReader, which was only used internally moby/moby#49170
  • pkg/longpath: Remove deprecated Prefix constant. moby/moby#48779
  • pkg/stringid: Remove deprecated IsShortID and ValidateID functions moby/moby#48705
  • runconfig/opts: Remove deprecated ConvertKVStringsToMap moby/moby#48102
  • runconfig: Remove deprecated ContainerConfigWrapper, SetDefaultNetModeIfBlank, DefaultDaemonNetworkMode, IsPreDefinedNetwork moby/moby#48102
  • container: Remove deprecated ErrNameReserved, ErrNameNotReserved. moby/moby#48728
  • Remove Daemon.ContainerInspectCurrent() method and change Daemon.ContainerInspect() signature to accept a backend.ContainerInspectOptions struct moby/moby#48672
  • Remove deprecated Daemon.Exists() and Daemon.IsPaused() methods. moby/moby#48723
Deprecations
  • API: The BridgeNfIptables and BridgeNfIp6tables fields in the GET /info response are now always be false and will be omitted in API v1.49. The netfilter module is now loaded on-demand, and no longer during daemon startup, making these fields obsolete. moby/moby#49114
  • API: The error and progress fields in streaming responses for endpoints that return a JSON progress response, such as POST /images/create, POST /images/{name}/push, and POST /build are deprecated. moby/moby#49447
    • Users should use the information in the errorDetail and progressDetail fields instead.
    • These fields were marked deprecated in API v1.4 (docker v0.6.0) and API v1.8 (docker v0.7.1) respectively, but still returned.
    • These fields will be left empty or will be omitted in a future API version.
  • Deprecate Daemon.Register(). This function is unused and will be removed in the next release. moby/moby#48702
  • Deprecate client.ImageInspectWithRaw function in favor of the new client.ImageInspect. moby/moby#48264
  • Deprecate daemon/config.Config.ValidatePlatformConfig(). This method was used as helper for config.Validate, which should be used instead. moby/moby#48985
  • Deprecate pkg/reexec. This package is deprecated and moved to a separate module. Use github.com/moby/sys/reexec instead. moby/moby#49129
  • Deprecate configuration for pushing non-distributable artifacts docker/cli#5724
  • Deprecate the --allow-nondistributable-artifacts daemon flag and corresponding allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take an effect, but a deprecation warning log is added. moby/moby#49065
  • Deprecate the RegistryConfig.AllowNondistributableArtifactsCIDRs and RegistryConfig.AllowNondistributableArtifactsHostnames fields in the GET /info API response. For API version v1.48 and older, the fields are still included in the response, but always null. In API version v1.49 and later, the field will be omitted entirely. moby/moby#49065
  • Go-SDK: Deprecate registry.ServiceOptions.AllowNondistributableArtifacts field. moby/moby#49065
  • Go-SDK: The BridgeNfIptables, BridgeNfIp6tables fields in api/types/system.Info and BridgeNFCallIPTablesDisabled, BridgeNFCallIP6TablesDisabled fields in pkg/sysinfo.SysInfo are deprecated and will be removed in the next release. moby/moby#49114
  • Go-SDK: client: Deprecate CommonAPIClient interface in favor of the APIClient interface. The CommonAPIClient will be changed to an alias for APIClient in the next release, and removed in the release after. moby/moby#49388
  • Go-SDK: client: Deprecate ErrorConnectionFailed helper. This function was only used internally, and will be removed in the next release. moby/moby#49389
  • Go-SDK: pkg/ioutils: Deprecate NewAtomicFileWriter, AtomicWriteFile, AtomicWriteSet, NewAtomicWriteSet in favor of pkg/atomicwriter equivalents. moby/moby#49171
  • Go-SDK: pkg/sysinfo: Deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. moby/moby#49241
  • Go-SDK: pkg/system: Deprecate MkdirAll. This function provided custom handling for Windows GUID volume paths. Handling for such paths is now supported by Go standard library in go1.22 and newer, and this function is now an alias for os.MkdirAll, which should be used instead. This alias will be removed in the next release. moby/moby#49162
  • Go-SDK: Deprecate pkg/parsers.ParseKeyValueOpt. moby/moby#49177
  • Go-SDK: Deprecate pkg/parsers.ParseUintListMaximum, pkg/parsers.ParseUintList. These utilities were only used internally and will be removed in the next release. moby/moby#49222
  • Go-SDK: Deprecate api/type.IDResponse in favor of container.CommitResponse and container.ExecCreateResponse, which are currently an alias, but may become distinct types in a future release. This type will be removed in the next release. moby/moby#49446
  • Go-SDK: Deprecate api/types/container.ContainerUpdateOKBody in favor of UpdateResponse. This type will be removed in the next release. moby/moby#49442
  • Go-SDK: Deprecate api/types/container.ContainerTopOKBody in favor of TopResponse. This type will be removed in the next release. moby/moby#49442
  • Go-SDK: pkg/jsonmessage: Fix deprecation of ProgressMessage, ErrorMessage, which were deprecated in Docker v0.6.0 and v0.7.1 respectively. moby/moby#49447
  • Move GraphDriverData from api/types to api/types/storage. The old type is deprecated and will be removed in the next release. moby/moby#48108
  • Move RequestPrivilegeFunc from api/types to api/types/registry. The old type is deprecated and will be removed in the next release. moby/moby#48119
  • Move from api/types to api/types/container - NetworkSettings, NetworkSettingsBase, DefaultNetworkSettings, SummaryNetworkSettings, Health, HealthcheckResult, NoHealthcheck, Starting, Healthy, and Unhealthy constants, MountPoint, Port, ContainerState, Container, ContainerJSONBase, ContainerJSON, ContainerNode. The old types are deprecated and will be removed in the next release. moby/moby#48108
  • Move from api/types to api/types/image - ImageInspect, RootFS. The old types are deprecated and will be removed in the next release. moby/moby#48108
  • ContainerdCommit.Expected, RuncCommit.Expected, and InitCommit.Expected fields in the GET /info endpoint are deprecated and will be omitted in API v1.49. moby/moby#48478
  • api/types/registry: Deprecate ServiceConfig.AllowNondistributableArtifactsCIDRs and ServiceConfig.AllowNondistributableArtifactsHostnames fields. These fields will be removed in the next release. moby/moby#49065
  • api/types/system/Commit.Expected field is deprecated and should no longer be used. moby/moby#48478
  • daemon/graphdriver: Deprecate GetDriver() moby/moby#48079
  • libnetwork/iptables: Deprecate Passthrough. This function was only used internally, and will be removed in the next release. moby/moby#49115
  • pkg/directory.Size() function is deprecated, an will be removed in the next release. moby/moby#48057
  • registry: Deprecate APIEndpoint.TrimHostName; hostname is now trimmed unconditionally for remote names. This field will be removed in the next release. moby/moby#49005
  • allow-nondistributable-artifacts field in daemon.json. Setting either option will no longer take effect, but a deprecation warning log is added to raise awareness about the deprecation. This warning is planned to become an error in the next release. moby/moby#49065

v27.5.1

Compare Source

27.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fixed an issue that could persistently prevent daemon startup after failure to initialize the default bridge. moby/moby#49307
  • Add a DOCKER_IGNORE_BR_NETFILTER_ERROR environment variable. Setting it to 1 allows running on hosts that cannot load br_netfilter. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network. moby/moby#49306
Packaging updates

v27.5.0

Compare Source

27.5.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bugfixes and enhancements
  • containerd image store: Fix passing a build context via tarball to the /build endpoint. moby/moby#49194
  • Builder garbage collection policies without a keepStorage value now inherit the defaultKeepStorage limit as intended. moby/moby#49137
  • Preserve network labels during daemon startup. moby/moby#49200
  • Fix a potential race condition error when deleting a container. moby/moby#49239
Go SDK
  • pkg/sysinfo: deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. moby/moby#49247
  • pkg/fileutils: deprecate GetTotalUsedFds: this function is only used internally and will be removed in the next release. moby/moby#49209
  • pkg/ioutils: deprecate BytesPipe, NewBytesPipe, ErrClosed, WriteCounter, NewWriteCounter, NewReaderErrWrapper, NopFlusher, NopWriter, NopWriteCloser. They were only used internally and will be removed in the next release. moby/moby#49246, moby/moby#49255
  • pkg/reexec: This package is deprecated and moved to a separate module. Use github.com/moby/sys/reexec instead. moby/moby#49135
Packaging updates

v27.4.1

Compare Source

27.4.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • Fix excessive memory allocations when OTel is not configured. moby/moby#49079
  • The docker info command and the corresponding GET /info API endpoint no longer include warnings when bridge-nf-call-iptables or bridge-nf-call-ip6tables are disabled at the daemon is started. The br_netfilter kernel module is now attempted to be loaded when needed, which made those warnings inaccurate. moby/moby#49090
  • Attempt to load kernel modules, including ip6_tables and br_netfilter when required, using a method that is likely to succeed inside a Docker-in-Docker container. moby/moby#49043
  • Fix a bug that could result in an iptables DOCKER FILTER chain not being cleaned up on failure. moby/moby#49110
Deprecations
  • pkg/system: Deprecate Lstat(), Mkdev(), Mknod(), FromStatT() and Stat() functions, and related StatT types. These were only used internally, and will be removed in the next release. moby/moby#49100
  • libnetwork/iptables: Deprecate IPV, Iptables and IP6Tables types in favor of IPVersion, IPv4, and IPv6. This type and consts will be removed in the next release. moby/moby#49093
  • libnetwork/iptables: Deprecate Passthrough. This function was only used internally, and will be removed in the next release. moby/moby#49119
Packaging updates

v27.4.0

Compare Source

27.4.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

API
  • GET /images/json with the manifests option enabled now preserves the original order in which manifests appeared in the manifest-index. moby/moby#48712
Bug fixes and enhancements
  • When reading logs with the jsonfile or local log drivers, any errors while trying to read or parse underlying log files will cause the rest of the file to be skipped and move to the next log file (if one exists) rather than returning an error to the client and closing the stream. The errors are viewable in the Docker Daemon logs and exported to traces when tracing is configured. moby/moby#48842
  • When reading log files, compressed log files are now only decompressed when needed rather than decompressing all files before starting the log stream. moby/moby#48842
  • Fix an issue that meant published ports from one container on a bridge network were not accessible from another container on the same network with userland-proxy disabled, if the kernel's br_netfilter module was not loaded and enabled. The daemon will now attempt to load the module and enable bridge-nf-call-iptables or bridge-nf-call-ip6tables when creating a network with the userland proxy disabled. moby/moby#48685
  • Fix loading of bridge and br_netfilter kernel modules. moby/moby#48966
  • containerd image store: Fix Docker daemon failing to fully start with a "context deadline exceeded error" with containerd snapshotter and many builds/images. moby/moby#48954
  • containerd image-store: Fix partially pulled images not being garbage-collected. moby#48910, moby/moby#48957
  • containerd image store: Fix docker image inspect outputting duplicate references in RepoDigests. moby/moby#48785
  • containerd image store: Fix not being able to connect to some insecure registries in cases where the HTTPS request failed due to a non-TLS related error. moby/moby#48758
  • containerd image store: Remove a confusing warning log when tagging a non-dangling image. moby/moby#49010
  • dockerd-rootless-setuptool.sh: let --force ignore smoke test errors moby/moby#48695
  • Disable IPv6 Duplicate Address Detection (DAD) for addresses assigned to the bridges belonging to bridge networks. moby/moby#48684
  • Remove BuildKit init timeout. moby/moby#48963
  • Ignore "dataset does not exist" error when removing dataset on ZFS. moby/moby#48968
  • Client: Prevent idle connections leaking FDs. moby/moby#48764
  • Fix anonymous volumes being created through the --mount option not being marked as anonymous. moby/moby#48755
  • After a daemon restart with live-restore, ensure an iptables jump to the DOCKER-USER chain is placed before other rules. moby/moby#48714
  • Fix a possible memory leak caused by OTel meters. moby/moby#48693
  • Create distinct build history db for each store. moby/moby#48688
  • Fix an issue that caused excessive memory usage when DNS resolution was made in a tight loop. moby/moby#48840
  • containerd image store: Do not underline names in docker image ls --tree. docker/cli#5519
  • containerd image store: Change name of USED column in docker image ls --tree to IN USE. docker/cli#5518
  • Fix a bug preventing image pulls from being cancelled during docker run. docker/cli#5654
  • Port some completions from the bash completion to the new cobra based completion. docker/cli#5618
  • The docker login and docker logout command no longer update the configuration file if the credentials didn't change. docker/cli#5569
  • Optimise docker stats to reduce flickering issues. docker/cli#5588, docker/cli#5635
  • Fix inaccessible plugins paths preventing plugins from being detected. docker/cli#5652
  • Add support for events --filter in cobra generated shell completions. docker/cli#5614
  • Fix bash completion for events --filter daemon=. docker/cli#5563
  • Improve shell-completion of containers for docker rm. docker/cli#5540
  • Add shell-completion for --platform flags. docker/cli#5540
  • rootless: Make /etc/cdi and /var/run/cdi accessible by the Container Device Interface (CDI) integration. moby/moby#49027
Removed
  • Deprecate Daemon.Exists() and Daemon.IsPaused(). These functions are no longer used and will be removed in the next release. moby/moby#48719
  • Deprecate container.ErrNameReserved and container.ErrNameNotReserved. moby/moby#48697
  • Deprecate pkg/platform - this package is only used internally, and will be removed in the next release. moby/moby#48863
  • Deprecate RepositoryInfo.Class. This field is no longer used, and will be removed in the next release. moby/moby#49013
  • Go SDK: Fix deprecation of cli/command.ConfigureAuth(), which was deprecated since v27.2.1. docker/cli#5552
  • Go SDK: Deprecate cli.Errors type in favour of Go's errors.Join docker/cli#5548
Packaging updates

v27.3.1

Compare Source

27.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • CLI: Fix issue with command execution metrics not being exported due to the CLI MeterProvider being shutdown too early. docker/cli#5457
Packaging updates

v27.3.0

Compare Source

27.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements
  • containerd image store: Fix docker image prune -a untagging images used by containers started from images referenced by a digested reference. moby/moby#48488
  • Add a --feature flag to the daemon options. moby/moby#48487
  • Updated the handling of the --gpus=0 flag to be consistent with the NVIDIA Contai

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-rancher renovate-rancher bot requested a review from a team as a code owner February 20, 2025 04:37
@renovate-rancher renovate-rancher bot added the dependencies Pull requests that update a dependency file label Feb 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants