chore(deps): update dependency moby/moby to v27 #1437
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
26.1.4
->27.3.1
Release Notes
moby/moby (moby/moby)
v27.3.1
Compare Source
27.3.1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
Packaging updates
Compose
to v2.29.7v27.3.0
Compare Source
27.3.0
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
docker image prune -a
untagging images used by containers started from images referenced by a digested reference. moby/moby#48488--feature
flag to the daemon options. moby/moby#48487--gpus=0
flag to be consistent with the NVIDIA Container Runtime. moby/moby#48483https://github.com/docker/cli/pull/54325432)
loopback0
for packets from the Windows host. moby/moby#48514--iptables=false
,--ip6tables=true
(the default), a firewall with a DROP rule for forwarded packets on hosts where thebr_netfilter
kernel module was not normally loaded. moby/moby#48511docker volume update
command would cause the CLI to panic if no argument/volume was passed. docker/cli#5426Packaging updates
containerd
(static binaries only) to v1.7.22moby/moby#48468
Buildkit
to v0.16.0Compose
to v2.29.6Buildx
to v0.17.1v27.2.1
Compare Source
27.2.1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
docker image ls
output. moby/moby#48402docker pull
error message when the image platform doesn't match. moby/moby#48415docker login
to not remove repository names from passed in registry addresses, resulting in credentials being stored under the wrong key. docker/cli#5385docker login
now returns an error instead of hanging if called non-interactively with--password
or--password-stdin
but without--user
. docker/cli#5402Packaging updates
runc
to v1.1.14, which contains a fix for CVE-2024-45310. moby/moby#48426v27.2.0
Compare Source
27.2.0
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
New
docker image ls
now supports--tree
flag that shows a multiplatform-aware image list. This is experimental and may change at any time without any backwards compatibility. docker/cli#5353API
GET /images/json
response now includesManifests
field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations.The new field will only be populated if the request also sets the
manifests
query parameter totrue
.Bug fixes and enhancements
--ip-range
ending on a 64-bit boundary. moby/moby#48326docker ps
in port bindings are now bracketed. docker/cli#5365docker load
in cases where unpacking the image would fail. moby/moby#48376docker pull
. moby/moby#48380Packaging updates
v27.1.2
Compare Source
27.1.2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
ResourceExhausted desc = grpc: received message larger than max
error when building from a large Dockerfile. moby/moby#48245docker attach
printing a spuriouscontext cancelled
error message. docker/cli#5296docker attach
exiting onSIGINT
instead of forwarding the signal to the container and waiting for it to exit. docker/cli#5302--device-read-bps
and--device-write-bps
options not taking effect. docker/cli#5339Packaging updates
docker-proxy.exe
binary from Windows packages. docker/docker-ce-packaging#1045v27.1.1
Compare Source
27.1.1
Security
This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq
that impacted setups using authorization plugins (AuthZ)
for access control. No other changes are included in this release, and this
release is otherwise identical for users not using AuthZ plugins.
Packaging updates
Full Changelog: moby/moby@v27.1.0...v27.1.1
v27.1.0
Compare Source
27.1.0
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
Requires=dbus.socket
to prevent errors when starting the daemon on a cgroup v2 host with systemd moby/moby#48141image tag
event is now properly emitted when building images with BuildKit moby/moby#48182docker image rm
,docker image history
, anddocker image inspect
moby/moby#5261docker service create
anddocker stack
docker/cli#5274DOCKER_CUSTOM_HEADERS
environment variable (experimental) docker/cli#5271docker push
defaulting the--platform
flag to a value ofDOCKER_DEFAULT_PLATFORM
environment variable on unsupported API versions docker/cli#5248login
prompt docker/cli#5260Deprecated
pkg/rootless/specconv
package is deprecated, and will be removed in the next release moby/moby#48185pkg/containerfs
package is deprecated, and will be removed in the next release moby/moby#48185pkg/directory
package is deprecated, and will be removed in the next release moby/moby#48185api/types/system
: remove deprecatedInfo.ExecutionDriver
moby/moby#48184Packaging updates
Full Changelog: moby/moby@v27.0.3...v27.1.0
v27.0.3
Compare Source
27.0.3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
v27.0.2
Compare Source
27.0.2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
Removed
ContainerJSONBase.Node
field andContainerNode
type. These definitions were used by the standalone ("classic") Swarm API, but never implemented in the Docker Engine itself. moby/moby#48055v27.0.1
Compare Source
27.0.1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
New
--platform
flag todocker image push
and improve the default behavior when not all platforms of the multi-platform image are available locally. docker/cli#4984, moby/moby#47679docker stack deploy
fordriver_opts
in a service's networks. docker/cli#5125/usr/local/libexec
and/usr/libexec
paths when looking up the userland proxy binaries by a name with adocker-
prefix. moby/moby#47804Bug fixes and enhancements
*client.Client
instances are now always safe for concurrent use by multiple goroutines. Previously, this could lead to data races when theWithAPIVersionNegotiation()
option is used. moby/moby#47961$TMPDIR
in some cases. docker/cli#5146--privileged
. moby/moby#47500StartInterval
default value of healthcheck to reflect the documented value of 5s. moby/moby#47799docker save
anddocker load
not ending on the daemon side when the operation was cancelled by the user, for example with Ctrl+C. moby/moby#47629StartedAt
property of containers is now recorded before container startup, guaranteeing that theStartedAt
is always beforeFinishedAt
. moby/moby#47003nslookup
to resolve external hostnames. This behaviour can be disabled viadaemon.json
, using"features": { "windows-dns-proxy": false }
. The configuration option will be removed in a future release. moby/moby#47826Networking
For example, on the command line in a
docker run
command,--network mynet --sysctl net.ipv4.conf.eth0.log_martians=1
will be rejected.Instead, you must use
--network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1
.IPv6
ip6tables
is no longer experimental. You may remove theexperimental
configuration option and continue to use IPv6, if it is not required by any other features.ip6tables
is now enabled for Linux bridge networks by default. moby/moby#47747ip6tables
enabled (new default).ip6tables
, this is likely a breaking change. Only published container ports (-p
or--publish
) are accessible from outside the Docker bridge network, and outgoing connections masquerade as the host.ip6tables
at all, set"ip6tables": false
indaemon.json
, or use the CLI option--ip6tables=false
. Alternatively, leaveip6tables
enabled, publish ports, and enable direct routing.ip6tables
enabled, ifip6tables
is not functional on your host, Docker Engine will start but it will not be possible to create an IPv6-enabled network.IPv6 network configuration improvements
default-address-pools
if this parameter wasn't manually configured, or if it contains no IPv6 prefixes. moby/moby#47853--subnet
option to specify an IPv6 subnet, or add IPv6 ranges todefault-address-pools
indaemon.json
.--ipv6
and no IPv6 subnet is defined by those options, an IPv6 Unique Local Address (ULA) base prefix is used.default-address-pools
. moby/moby#47768"default-network-opts": { "bridge": {"com.docker.network.enable_ipv6": "true"}}
indaemon.json
, ordockerd --default-network-opt=bridge=com.docker.network.enable_ipv6=true
on the comand line. moby/moby#47867ip6tables
enabled. moby/moby#47871com.docker.network.bridge.gateway_mode_ipv6=<nat|routed>
.nat
, is unchanged from previous releases running withip6tables
enabled. NAT and masquerading rules are set up for each published container port.routed
, no NAT or masquerading rules are configured for published ports. This enables direct IPv6 access to the container, if the host's network can route packets for the container's address to the host. Published ports will be opened in the container's firewall.routed
mode, only addresses0.0.0.0
or::
are allowed and a host port must not be given.nat
orrouted
mode, are accessible from any remote address if routing is set up in the network, unless the Docker host's firewall has additional restrictions. For example:docker network create --ipv6 -o com.docker.network.bridge.gateway_mode_ipv6=routed mynet
.com.docker.network.bridge.gateway_mode_ipv4=<nat|routed>
is also available, with the same behavior but for IPv4.docker-forwarding
to allow forwarding from any zone to thedocker
zone. This makes it possible to configure a bridge network with a routable IPv6 address, and no NAT or masquerading. moby/moby#47745-p 80
will result in the same ephemeral port being allocated for0.0.0.0
and::
, and-p 8080-8083:80
will pick the same port from the range for both address families.-p 127.0.0.1::80 -p '[::1]::80'
.DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE
, introduced in release 26.1.1, no longer has any effect. moby/moby#47963/proc/sys/net
, the environment variable allowed the container to start anyway.--ipv6
when creating it. Other workarounds are to configure the OS to disable IPv6 by default on new interfaces, mount/proc/sys/net
read-write, or use a kernel with no IPv6 support.fe80::1
. moby/moby#47787Removed
NewTempArchive
andTempArchive
. These types were only used in tests and will be removed in the next release. moby/moby#48002CanonicalTarNameForPath
moby/moby#48001pkg/stringid.ValidateID
andpkg/stringid.IsShortID
moby/moby#47995SetDefaultNetModeIfBlank
and moveContainerConfigWrapper
toapi/types/container
moby/moby#48007DefaultDaemonNetworkMode
and move todaemon/network
moby/moby#48008opts.ConvertKVStringsToMap
. This utility is no longer used, and will be removed in the next release. moby/moby#48016IsPreDefinedNetwork
. moby/moby#48011API
POST /images/{name}/push
now supports aplatform
parameter (JSON encoded OCI Platform type) that allows selecting a specific platform-manifest from the multi-platform image. This is experimental and may change in future API versions. moby/moby#47679POST /services/create
andPOST /services/{id}/update
now supportOomScoreAdj
. moby/moby#47950ContainerList
api returns container annotations. moby/moby#47866POST /containers/create
andPOST /services/create
now takeOptions
as part ofHostConfig.Mounts.TmpfsOptions
allowing to set options for tmpfs mounts. moby/moby#46809Healthcheck.StartInterval
property is now correctly ignored when updating a Swarm service using API versions less than v1.44. moby/moby#47991GET /events
now supports imagecreate
event that is emitted when a new image is built regardless if it was tagged or not. moby/moby#47929GET /info
now includes aContainerd
field containing information about the location of the containerd API socket and containerd namespaces used by the daemon to run containers and plugins. moby/moby#47239Config
field returned by this endpoint (used fordocker image inspect
) returned additional fields that are not part of the image's configuration and not part of the Docker Image Spec and the OCI Image Spec. These fields are never set (and always return the default value for the type), but are not omitted in the response when left empty. As these fields were not intended to be part of the image configuration response, they are deprecated, and will be removed in the future API versions.--api-cors-header
and the correspondingdaemon.json
configuration option. These will be removed in the next major release. moby/moby#45313The following deprecated fields are currently included in the API response, but are not part of the underlying image's
Config
: moby/moby#47941Hostname
Domainname
AttachStdin
AttachStdout
AttachStderr
Tty
OpenStdin
StdinOnce
Image
NetworkDisabled
(already omitted unless set)MacAddress
(already omitted unless set)StopTimeout
(already omitted unless set)Go SDK changes
Client API callback for the following functions now require a context parameter. moby/moby#47536
client.RequestPrivilegeFunc
client.ImageSearchOptions.AcceptPermissionsFunc
image.ImportOptions.PrivilegeFunc
Remove deprecated aliases for Image types. moby/moby#47900
ImageImportOptions
ImageCreateOptions
ImagePullOptions
ImagePushOptions
ImageListOptions
ImageRemoveOptions
Introduce
Ulimit
type alias forgithub.com/docker/go-units.Ulimit
.The
Ulimit
type as used in the API is defined in a Go module that will transition to a new location in future.A type alias is added to reduce the friction that comes with moving the type to a new location.
The alias makes sure that existing code continues to work, but its definition may change in future.
Users are recommended to use this alias instead of the
units.Ulimit
directly. moby/moby#48023Move and rename types, changing their import paths and exported names. moby/moby#47936, moby/moby#47873, moby/moby#47887, moby/moby#47882, moby/moby#47921, moby/moby#48040:
api/types/container
:BlkioStatEntry
BlkioStats
CPUStats
CPUUsage
ContainerExecInspect
ContainerPathStat
ContainerStats
ContainersPruneReport
CopyToContainerOptions
ExecConfig
ExecStartCheck
MemoryStats
NetworkStats
PidsStats
StatsJSON
Stats
StorageStats
ThrottlingData
api/types/image
:ImagesPruneReport
ImageImportSource
ImageLoadResponse
ExecStartOptions
type toapi/types/backend
.VolumesPruneReport
type toapi/types/volume
.EventsOptions
type toapi/types/events
.ImageSearchOptions
type toapi/types/registry
.Network
prefix and move the following types toapi/types/network
:NetworkCreateResponse
NetworkConnect
NetworkDisconnect
NetworkInspectOptions
EndpointResource
NetworkListOptions
NetworkCreateOptions
NetworkCreateRequest
NetworksPruneReport
NetworkResource
toapi/types/network
.Packaging updates
v26.1.5
Compare Source
26.1.5
Security
This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq
that impacted setups using authorization plugins (AuthZ)
for access control. No other changes are included in this release, and this
release is otherwise identical for users not using AuthZ plugins.
Full Changelog: moby/moby@v26.1.4...v26.1.5
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.