diff --git a/content/manuals/engine/release-notes/28.md b/content/manuals/engine/release-notes/28.md index 57f44ba156..bcd3db7d9d 100644 --- a/content/manuals/engine/release-notes/28.md +++ b/content/manuals/engine/release-notes/28.md 
@@ -22,6 +22,51 @@ For more information about: - Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md). - Changes to the Engine API, see [Engine API version history](/reference/api/engine/version-history.md). +## 28.0.1 + +{{< release-date date="2025-02-26" >}} + +For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: + +- [docker/cli, 28.0.1 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.0.1) +- [moby/moby, 28.0.1 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.0.1) + +### Networking + +- Remove dependency on kernel modules `ip_set`, `ip_set_hash_net` and `netfilter_xt_set`. + * The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. [moby/moby#49530](https://github.com/moby/moby/pull/49530) +- Allow daemon startup on a host with IPv6 disabled without requiring `--ip6tables=false`. [moby/moby#49525](https://github.com/moby/moby/pull/49525) +- Fix a bug that was causing containers with `--restart=always` and a published port already in use to restart in a tight loop. [moby/moby#49507](https://github.com/moby/moby/pull/49507) +- Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. [moby/moby#49538](https://github.com/moby/moby/pull/49538) +- Fix creation of a swarm-scoped network from a `--config-only` network. [moby/moby#49521](https://github.com/moby/moby/pull/49521) +- Fix `docker network inspect` reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. [moby/moby#49520](https://github.com/moby/moby/pull/49520) +- Improve the error reported when kernel modules `ip_set`, `ip_set_hash_net` and `netilter_xt_set` are not available. 
[moby/moby#49524](https://github.com/moby/moby/pull/49524) +- Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. [moby/moby#49518](https://github.com/moby/moby/pull/49518) +- Update `--help` output and man page lo state which options only apply to the default bridge network. [moby/moby#49522](https://github.com/moby/moby/pull/49522) + + +### Bug fixes and enhancements + +- Fix `docker context create` always returning an error when using the `"skip-tls-verify"` option. [docker/cli#5850](https://github.com/docker/cli/pull/5850) +- Fix shell completion suggesting IDs instead of names for services and nodes. [docker/cli#5848](https://github.com/docker/cli/pull/5848) +- Fix unintentionally printing exit status to standard error output when `docker exec/run` returns a non-zero status. [docker/cli#5854](https://github.com/docker/cli/pull/5854) +- Fix regression `protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns"`. [moby/moby#49514](https://github.com/moby/moby/pull/49514) +- containerd image store: Fix `docker inspect` not being able to show multi-platform images with missing layers for all platforms. [moby/moby#49533](https://github.com/moby/moby/pull/49533) +- containerd image store: Fix `docker images --tree` reporting wrong content size. [moby/moby#49535](https://github.com/moby/moby/pull/49535) +- Fix compilation on i386 [moby/moby#49526](https://github.com/moby/moby/pull/49526) + +### Packaging updates + +- Update `github.com/go-jose/go-jose/v4` to v4.0.5 to address [GHSA-c6gw-w398-hv78](https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78) / [CVE-2025-27144](https://www.cve.org/CVERecord?id=CVE-2025-27144). [docker/cli#5867](https://github.com/docker/cli/pull/5867) +- Update Buildx to [v0.21.1](https://github.com/docker/buildx/releases/tag/v0.21.1). 
[docker/docker-ce-packaging#1167](https://github.com/docker/docker-ce-packaging/pull/1167) +- Update Compose to [v2.33.1](https://github.com/docker/compose/releases/tag/v2.33.1). [docker/docker-ce-packaging#1168](https://github.com/docker/docker-ce-packaging/pull/1168) + +### API + +- containerd image store: Fix `GET /images/json?manifests=1` not filling `Manifests` for index-only images [moby/moby#49533](https://github.com/moby/moby/pull/49533) +- containerd image store: Fix `GET /images/json and /images//json` `Size.Content` field including the size of content that's not available locally [moby/moby#49535](https://github.com/moby/moby/pull/49535) + + ## 28.0.0 {{< release-date date="2025-02-19" >}} diff --git a/data/engine-cli/docker_container_restart.yaml b/data/engine-cli/docker_container_restart.yaml index dcb858d7ff..ab621abde1 100644 --- a/data/engine-cli/docker_container_restart.yaml +++ b/data/engine-cli/docker_container_restart.yaml @@ -75,7 +75,7 @@ examples: |- ### Stop container with timeout (-t, --timeout) {#timeout} The `--timeout` flag sets the number of seconds to wait for the container - to stop after sending the pre-defined (see [`--signal`]{#signal)) system call signal. + to stop after sending the pre-defined (see [`--signal`](#signal)) system call signal. If the container does not exit after the timeout elapses, it's forcibly killed with a `SIGKILL` signal. diff --git a/data/engine-cli/docker_container_run.yaml b/data/engine-cli/docker_container_run.yaml index 05e8cdf226..913e4978f3 100644 --- a/data/engine-cli/docker_container_run.yaml +++ b/data/engine-cli/docker_container_run.yaml 
@@ -2318,6 +2318,26 @@ examples: |- > $ docker run -it --ulimit as=1024 fedora /bin/bash > ``` + #### Supported options for `--ulimit`: + + | Option | Description | + |:-------------|:----------------------------------------------------------| + | `core` | Maximum size of core files created (`RLIMIT_CORE`) | + | `cpu` | CPU time limit in seconds (`RLIMIT_CPU`) | + | `data` | Maximum data segment size (`RLIMIT_DATA`) | + | `fsize` | Maximum file size (`RLIMIT_FSIZE`) | + | `locks` | Maximum number of file locks (`RLIMIT_LOCKS`) | + | `memlock` | Maximum locked-in-memory address space (`RLIMIT_MEMLOCK`) | + | `msgqueue` | Maximum bytes in POSIX message queues (`RLIMIT_MSGQUEUE`) | + | `nice` | Maximum nice priority adjustment (`RLIMIT_NICE`) | + | `nofile` | Maximum number of open file descriptors (`RLIMIT_NOFILE`) | + | `nproc` | Maximum number of processes available (`RLIMIT_NPROC`) | + | `rss` | Maximum resident set size (`RLIMIT_RSS`) | + | `rtprio` | Maximum real-time scheduling priority (`RLIMIT_RTPRIO`) | + | `rttime` | Maximum real-time execution time (`RLIMIT_RTTIME`) | + | `sigpending` | Maximum number of pending signals (`RLIMIT_SIGPENDING`) | + | `stack` | Maximum stack size (`RLIMIT_STACK`) | + Docker sends the values to the appropriate OS `syscall` and doesn't perform any byte conversion. Take this into account when setting the values. diff --git a/data/engine-cli/docker_network_ls.yaml b/data/engine-cli/docker_network_ls.yaml index d6ba1e68bf..1b3b702d09 100644 --- a/data/engine-cli/docker_network_ls.yaml +++ b/data/engine-cli/docker_network_ls.yaml @@ -39,6 +39,7 @@ options: value_type: bool default_value: "false" description: Do not truncate the output + details_url: '#no-trunc' deprecated: false hidden: false experimental: false @@ -79,6 +80,8 @@ examples: |- 78b03ee04fc4 multi-host overlay swarm ``` + ### List networks without truncating the ID column (--no-trun) {#no-trunc} + Use the `--no-trunc` option to display the full network id: ```console 
diff --git a/data/engine-cli/docker_swarm_join-token.yaml b/data/engine-cli/docker_swarm_join-token.yaml index ccab60a619..69a69bb5ca 100644 --- a/data/engine-cli/docker_swarm_join-token.yaml +++ b/data/engine-cli/docker_swarm_join-token.yaml @@ -21,6 +21,7 @@ options: value_type: bool default_value: "false" description: Only display token + details_url: '#quiet' deprecated: false hidden: false experimental: false @@ -31,6 +32,7 @@ options: value_type: bool default_value: "false" description: Rotate join token + details_url: '#rotate' deprecated: false hidden: false experimental: false @@ -97,7 +99,7 @@ examples: |- SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t ``` - ### `--rotate` + ### `--rotate` {#rotate} Because tokens allow new nodes to join the swarm, you should keep them secret. Be particularly careful with manager tokens since they allow new manager nodes @@ -116,7 +118,7 @@ examples: |- using the old token. Rotation does not affect existing nodes in the swarm because the join token is only used for authorizing new nodes joining the swarm. - ### `--quiet` + ### `--quiet` {#quiet} Only print the token. Do not print a complete command for joining. deprecated: false diff --git a/data/engine-cli/docker_swarm_join.yaml b/data/engine-cli/docker_swarm_join.yaml index ee2b43ac37..cab96ffe3d 100644 --- a/data/engine-cli/docker_swarm_join.yaml +++ b/data/engine-cli/docker_swarm_join.yaml @@ -11,6 +11,7 @@ options: - option: advertise-addr value_type: string description: 'Advertised address (format: `[:port]`)' + details_url: '#advertise-addr' deprecated: false hidden: false experimental: false @@ -21,6 +22,7 @@ options: value_type: string default_value: active description: Availability of the node (`active`, `pause`, `drain`) + details_url: '#availability' deprecated: false hidden: false experimental: false 
@@ -31,6 +33,7 @@ options: value_type: string description: | Address or interface to use for data path traffic (format: ``) + details_url: '#data-path-addr' deprecated: false hidden: false min_api_version: "1.31" @@ -42,6 +45,7 @@ options: value_type: node-addr default_value: 0.0.0.0:2377 description: 'Listen address (format: `[:port]`)' + details_url: '#listen-addr' deprecated: false hidden: false experimental: false @@ -51,6 +55,7 @@ options: - option: token value_type: string description: Token for entry into the swarm + details_url: '#token' deprecated: false hidden: false experimental: false @@ -102,7 +107,7 @@ examples: |- dvfxp4zseq4s0rih1selh0d20 * manager1 Ready Active Leader ``` - ### `--listen-addr value` + ### `--listen-addr value` {#listen-addr} If the node is a manager, it will listen for inbound swarm manager traffic on this address. The default is to listen on 0.0.0.0:2377. It is also possible to specify a @@ -113,7 +118,7 @@ examples: |- This flag is generally not necessary when joining an existing swarm. - ### `--advertise-addr value` + ### `--advertise-addr value` {#advertise-addr} This flag specifies the address that will be advertised to other members of the swarm for API access. If unspecified, Docker will check if the system has a @@ -133,7 +138,7 @@ examples: |- ensure the node advertises its IP address and not the IP address of the load balancer. - ### `--data-path-addr` + ### `--data-path-addr` {#data-path-addr} This flag specifies the address that global scope network drivers will publish towards other nodes in order to reach the containers running on this node. 
@@ -142,11 +147,11 @@ examples: |- If unspecified, Docker will use the same IP address or interface that is used for the advertise address. - ### `--token string` + ### `--token string` {#token} Secret value required for nodes to join the swarm - ### `--availability` + ### `--availability` {#availability} This flag specifies the availability of the node at the time the node joins a master. Possible availability values are `active`, `pause`, or `drain`. diff --git a/data/engine-cli/docker_swarm_unlock-key.yaml b/data/engine-cli/docker_swarm_unlock-key.yaml index d7d8fb2020..93ab3496fa 100644 --- a/data/engine-cli/docker_swarm_unlock-key.yaml +++ b/data/engine-cli/docker_swarm_unlock-key.yaml @@ -22,6 +22,7 @@ options: value_type: bool default_value: "false" description: Only display token + details_url: '#quiet' deprecated: false hidden: false experimental: false @@ -32,6 +33,7 @@ options: value_type: bool default_value: "false" description: Rotate unlock key + details_url: '#rotate' deprecated: false hidden: false experimental: false @@ -87,12 +89,12 @@ examples: |- SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8 ``` - ### `--rotate` + ### `--rotate` {#rotate} This flag rotates the unlock key, replacing it with a new randomly-generated key. The old unlock key will no longer be accepted. - ### `--quiet` + ### `--quiet` {#quiet} Only print the unlock key, without instructions. deprecated: false diff --git a/hugo.yaml b/hugo.yaml index 64ae1a4bbd..9d4bf29e46 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -113,10 +113,10 @@ params: # Latest version of the Docker Engine API latest_engine_api_version: "1.48" # Latest version of Docker Engine - docker_ce_version: "28.0.0" + docker_ce_version: "28.0.1" # Previous version of the Docker Engine # (Used to show e.g., "latest" and "latest"-1 in engine install examples - docker_ce_version_prev: "27.5.1" + docker_ce_version_prev: "28.0.0" # Latest Docker Compose version compose_version: "v2.33.1" # Latest BuildKit version
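Review bot: In content/manuals/engine/release-notes/28.md, the Networking bullet for moby/moby#49524 spells the module `netilter_xt_set`, while the first bullet of the same list has `netfilter_xt_set`; the two should match. The moby/moby#49522 bullet reads "man page lo state" where "to state" is meant. In the API section, `GET /images/json and /images//json` has an empty path segment, which looks like a placeholder that did not survive rendering (angle brackets may need escaping), and it puts the word "and" inside the code span; split it into two code spans. "Fix compilation on i386" is the only bullet under "Bug fixes and enhancements" without a period before its link.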
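Review bot: In the `--ulimit` table added to data/engine-cli/docker_container_run.yaml, only the `cpu` row names its unit (seconds). The paragraph directly after the table says Docker passes the values to the syscall and "doesn't perform any byte conversion", so the size and time rows (`core`, `data`, `fsize`, `memlock`, `msgqueue`, `rss`, `rttime`, `stack`) should each state the unit the value is interpreted in; otherwise the reader has to look up every `RLIMIT_*` constant to set a limit safely. The new heading "Supported options for --ulimit:" also ends in a colon, unlike the other headings touched in this patch.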
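Review bot: In data/engine-cli/docker_network_ls.yaml, the new heading spells the flag `--no-trun` in "(--no-trun) {#no-trunc}". It should read `--no-trunc`, matching the anchor, the `details_url: '#no-trunc'` added in the first hunk, and the sentence that follows the heading.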
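Review bot: In data/engine-cli/docker_swarm_join.yaml, the new `details_url` lines sit under descriptions whose format hints look incomplete as shown: `(format: ` followed by `[:port]` with nothing before the bracket for `advertise-addr` and `listen-addr`, and an empty pair of backticks for `data-path-addr`. If the placeholder is written with angle brackets, check that it is not being dropped when the YAML is rendered, since these descriptions are what the newly linked option table displays.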
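Review bot: In data/engine-cli/docker_swarm_unlock-key.yaml, `details_url: '#quiet'` is added under `description: Only display token`, but the section it now links to says "Only print the unlock key, without instructions." The option table and the linked section will disagree on what is printed; change the description to refer to the unlock key, here or in whatever source this YAML is produced from.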