Merge pull request #21450 from docker/published-update

publish updates from main

Author: aevesdocker

Dockerfile

@@ -4,7 +4,7 @@
 ARG ALPINE_VERSION=3.20
 ARG GO_VERSION=1.23
 ARG HTMLTEST_VERSION=0.17.0
-ARG HUGO_VERSION=0.138.0
+ARG HUGO_VERSION=0.139.0
 ARG NODE_VERSION=22
 ARG PAGEFIND_VERSION=1.1.1
 

content/manuals/compose/gettingstarted.md

@@ -59,7 +59,7 @@ Make sure you have:
    @app.route('/')
    def hello():
        count = get_hit_count()
-       return 'Hello World! I have been seen {} times.\n'.format(count)
+       return f'Hello World! I have been seen {count} times.\n'
     ```
 
    In this example, `redis` is the hostname of the redis container on the
@@ -273,7 +273,7 @@ To see Compose Watch in action:
 message to `Hello from Docker!`:
 
    ```python
-   return 'Hello from Docker! I have been seen {} times.\n'.format(count)
+   return f'Hello from Docker! I have been seen {count} times.\n'
    ```
 
 2. Refresh the app in your browser. The greeting should be updated, and the

content/manuals/desktop/release-notes.md

@@ -23,6 +23,60 @@ Docker Desktop versions older than 6 months from the latest release are not avai
 
 Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projects/51/views/1?filterQuery=) to see what's coming next.
 
+## 4.36.0
+
+{{< release-date date="2024-11-18" >}}
+
+{{< desktop-install-v2 all=true beta_win_arm=true version="4.36.0" build_path="/175267/" >}}
+
+### New
+
+- WSL2 is now faster, more reliable, and has enhanced security
+- Enhance Container Isolation (ECI) has been improved to support images with wildcard tags
+- Admins can now:
+  - Allow any container to mount the Docker socket with ECI
+  - Enforce sign-in with macOS configuration profiles (Early Access)
+  - Enforce sign-in for more than one organization at a time (Early Access)
+  - Deploy Docker Desktop for Mac in bulk with the PKG installer (Early Access)
+  - Use Desktop Settings Management to manage and enforce defaults via admin.docker.com (Early Access)
+
+### Upgrades
+
+- [Docker Buildx v0.18.0](https://github.com/docker/buildx/releases/tag/v0.18.0)
+- [Docker Compose v2.30.3](https://github.com/docker/compose/releases/tag/v2.30.3)
+- [Kubernetes v1.30.2](https://github.com/kubernetes/kubernetes/releases/tag/v1.30.5)
+- [NVIDIA Container Toolkit v1.17.0](https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.17.0)
+- [Docker Scout CLI v1.15.0](https://github.com/docker/scout-cli/releases/tag/v1.15.0)
+- Docker Init v1.4.0
+- Linux kernel `v6.10.13`
+
+### Bug fixes and enhancements
+
+#### For all platforms
+
+- Fixed a bug where the `docker events` command would not terminate after streaming the events.
+- Docker Init: Improved Dockerfile caching for PHP applications that don't use Docker Compose.
+- Synchronized file shares now respects the `filesharingAllowedDirectories` setting in `admin-settings.json`.
+- Fixed an issue where if Docker Desktop is configured to use a proxy, it fails to start due to an internal timeout while fetching authentication tokens.
+- Added a recovery banner to retry an update if the download failed.
+- Fixed an issue where if the `umask` is set to `577` it would cause `rpmbuild` failure. Fixes [docker/for-mac#6511](https://github.com/docker/for-mac/issues/6511).
+- Fixed a bug that caused ports open on the host to 18 for containers started with `--network=host`.
+- Fixed bind mount ownership for non-root containers. Fixes [docker/for-mac#6243](https://github.com/docker/for-mac/issues/6243).
+- Docker Desktop will not unpause automatically after a manual pause. The system will stay paused until you manually resume the Docker engine. This fixes a bug where other software would accidentally trigger a resume by running a CLI command in the background. Fixes [for-mac/#6908](https://github.com/docker/for-mac/issues/6908)
+
+#### For Mac
+
+- Fixed a bug in Docker VMM that prevented MySQL and other databases containers to start. Fixes reports from [docker/for-mac#7464](https://github.com/docker/for-mac/issues/7464).
+- The minimum memory requirement is now automatically adjusted for Docker VMM, improving the user experience and addressing reports from [docker/for-mac#7464](https://github.com/docker/for-mac/issues/7464), [docker/for-mac#7482](https://github.com/docker/for-mac/issues/7482).
+- Fixed a bug where the advanced option **Allowed privileged port mapping** was not working as expected. Fixes [docker/for-mac#7460](https://github.com/docker/for-mac/issues/7460).
+- Docker Desktop can now automatically configure shell completion scripts for zsh, bash and fish inside the install wizard and settings screen.
+- Fixed a bug where the in-app update would fail if Docker Desktop was installed by a non-admin user or if the current user was previously an administrator. Fixes [for-mac/#7403](https://github.com/docker/for-mac/issues/7403) and [for-mac/#6920](https://github.com/docker/for-mac/issues/6920)
+
+#### For Windows
+
+- Fixed a bug preventing UDP port 53 to be bound.
+- Fixed a bug where Windows daemon options were overwritten at startup.
+
 ## 4.35.1
 
 {{< release-date date="2024-10-30" >}}

content/manuals/desktop/troubleshoot-and-support/troubleshoot/_index.md

@@ -285,7 +285,7 @@ Spotlight Search.
 
 To read the Docker app log messages, type `docker` in the Console window search bar and press Enter. Then select `ANY` to expand the drop-down list next to your `docker` search entry, and select `Process`.
 
-![Mac Console search for Docker app](../images/console.png)
+![Mac Console search for Docker app](../../images/console.png)
 
 You can use the Console Log Query to search logs, filter the results in various
 ways, and create reports.

content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md

@@ -265,7 +265,7 @@ Your machine must have the following features for Docker Desktop to function cor
    Note that many Windows devices already have virtualization enabled, so this may not apply.
 4. Hypervisor enabled at Windows startup
 
-![WSL 2 enabled](../images/wsl2-enabled.png)
+![WSL 2 enabled](../../images/wsl2-enabled.png)
 
 #### Hyper-V
 
@@ -277,7 +277,7 @@ On Windows 10 Pro or Enterprise, you can also use Hyper-V with the following fea
    Note that many Windows devices already have virtualization enabled, so this may not apply.
 3. Hypervisor enabled at Windows startup
 
-![Hyper-V on Windows features](../images/hyperv-enabled.png)
+![Hyper-V on Windows features](../../images/hyperv-enabled.png)
 
 Docker Desktop requires Hyper-V as well as the Hyper-V Module for Windows
 PowerShell to be installed and enabled. The Docker Desktop installer enables
@@ -295,7 +295,7 @@ In the subsequent screen, verify that Hyper-V is enabled.
 In addition to [Hyper-V](#hyper-v) or [WSL 2](/manuals/desktop/features/wsl/_index.md), virtualization must be turned on. Check the
 Performance tab on the Task Manager. Alternatively, you can type 'systeminfo' into your terminal. If you see 'Hyper-V Requirements:   A hypervisor has been detected. Features required for Hyper-V will not be displayed', then virtualization is enabled.
 
-![Task Manager](../images/virtualization-enabled.png)
+![Task Manager](../../images/virtualization-enabled.png)
 
 If you manually uninstall Hyper-V, WSL 2 or turn off virtualization,
 Docker Desktop cannot start. 

content/manuals/security/for-admins/enforce-sign-in/_index.md

@@ -18,6 +18,7 @@ security features](/manuals/security/for-admins/hardened-desktop/_index.md) for
 
 There are multiple methods for enforcing sign-in, depending on your companies' set up and preferences:
 - [Registry key method (Windows only)](methods.md#registry-key-method-windows-only){{< badge color=green text="New" >}}
+- [Configuration profiles method (Mac only)](methods.md#configuration-profiles-method-mac-only){{< badge color=green text="New" >}}
 - [`.plist` method (Mac only)](methods.md#plist-method-mac-only){{< badge color=green text="New" >}}
 - [`registry.json` method (All)](methods.md#registryjson-method-all)
 

content/manuals/security/for-admins/enforce-sign-in/methods.md

@@ -23,7 +23,7 @@ To enforce sign-in for Docker Desktop on Windows, you can configure a registry k
 2. Create a multi-string value `allowedOrgs`.
    > [!IMPORTANT]
    >
-   > Only one entry for `allowedOrgs` is currently supported. If you add more than one value, sign-in enforcement silently fails.
+   > As of Docker Desktop version 4.36 and later, you can add more than one organization. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
 3. Use your organization's name, all lowercase as string data.
 4. Restart Docker Desktop.
 5. When Docker Desktop restarts, verify that the **Sign in required!** prompt appears.
@@ -43,11 +43,84 @@ The following example outlines how to deploy a registry key to enforce sign-in o
 3. Within the GPO, navigate to **Computer Configuration** and select **Preferences**.
 4. Select **Windows Settings** then **Registry**.
 5. To add the registry item, right-click on the **Registry** node, select **New**, and then **Registry Item**.
-6. Configure the new registry item to match the registry script you created, specifying the action as **Update**. Make sure you input the correct path, value name (`allowedOrgs`), and value data (your organization’s name).
+6. Configure the new registry item to match the registry script you created, specifying the action as **Update**. Make sure you input the correct path, value name (`allowedOrgs`), and value data (your organization names).
 7. Link the GPO to an Organizational Unit (OU) that contains the machines you want to apply this setting to.
 8. Test the GPO on a small set of machines first to ensure it behaves as expected. You can use the `gpupdate /force` command on a test machine to manually refresh its group policy settings and check the registry to confirm the changes.
 9. Once verified, you can proceed with broader deployment. Monitor the deployment to ensure the settings are applied correctly across the organization's computers.
 
+## Configuration profiles method (Mac only)
+
+> [!NOTE]
+>
+> The configuration profiles method is in [Early Access](/manuals/release-lifecycle.md)
+> and is available with Docker Desktop version 4.36 and later.
+
+Configuration profiles are a feature of macOS that let you distribute
+configuration information to the Macs you manage. It is the safest method to
+enforce sign-in on macOS because the installed configuration profiles are
+protected by Apples' System Integrity Protection (SIP) and therefore can't be
+tampered with by the users.
+
+1. Save the following XML file with the extension `.mobileconfig`, for example
+   `docker.mobileconfig`:
+
+   ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+    <plist version="1.0">
+      <dict>
+        <key>PayloadContent</key>
+        <array>
+          <dict>
+            <key>PayloadType</key>
+            <string>com.docker.config</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <key>PayloadIdentifier</key>
+            <string>com.docker.config</string>
+            <key>PayloadUUID</key>
+            <string>eed295b0-a650-40b0-9dda-90efb12be3c7</string>
+            <key>PayloadDisplayName</key>
+            <string>Docker Desktop Configuration</string>
+            <key>PayloadDescription</key>
+            <string>Configuration profile to manage Docker Desktop settings.</string>
+            <key>PayloadOrganization</key>
+            <string>Your Company Name</string>
+            <key>allowedOrgs</key>
+            <string>first_org;second_org</string>
+          </dict>
+        </array>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadIdentifier</key>
+        <string>com.yourcompany.docker.config</string>
+        <key>PayloadUUID</key>
+        <string>0deedb64-7dc9-46e5-b6bf-69d64a9561ce</string>
+        <key>PayloadDisplayName</key>
+        <string>Docker Desktop Config Profile</string>
+        <key>PayloadDescription</key>
+        <string>Config profile to enforce Docker Desktop settings for allowed organizations.</string>
+        <key>PayloadOrganization</key>
+        <string>Your Company Name</string>
+      </dict>
+    </plist>
+   ```
+
+2. Change the placeholders `com.yourcompany.docker.config` and `Your Company Name` to the name of your company.
+
+3. Add your organization name. The names of the allowed organizations are stored in the `allowedOrgs`
+   property. It can contain either the name of a single organization or a list of organization names,
+   separated by a semicolon:
+
+   ```xml
+            <key>allowedOrgs</key>
+            <string>first_org;second_org</string>
+   ```
+
+4. Use a MDM solution to distribute your modified `.mobileconfig` file to your macOS clients. 
+
 ## plist method (Mac only)
 
 > [!NOTE]
@@ -66,14 +139,15 @@ To enforce sign-in for Docker Desktop on macOS, you can use a `plist` file that
      <dict>
 	     <key>allowedOrgs</key>
 	     <array>
-             <string>myorg</string>
+             <string>myorg1</string>
+             <string>myorg2</string>
          </array>
      </dict>
    </plist>
    ```
    > [!IMPORTANT]
    >
-   > Only one entry for `allowedOrgs` is currently supported. If you add more than one value, sign-in enforcement silently fails.
+   > As of Docker Desktop version 4.36 and later, you can add more than one organization. With Docker Desktop version 4.35 and earlier, sign-in enforcement silently fails if you add more than one organization.
 
 3. Modify the file permissions to ensure the file cannot be edited by any non-administrator users.
 4. Restart Docker Desktop.
@@ -140,12 +214,12 @@ details, see [Manage members](/admin/organization/members/).
 
     ```json
     {
-    "allowedOrgs": ["myorg"]
+    "allowedOrgs": ["myorg1", "myorg2"]
     }
     ```
    > [!IMPORTANT]
    >
-   > Only one entry for `allowedOrgs` is currently supported. If you add more than one value, sign-in enforcement silently fails.
+   > As of Docker Desktop version 4.36 and later, you can add more than one organization. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
 
 4. Verify that sign-in is enforced.
 
@@ -182,6 +256,9 @@ If you're using the Windows Command Prompt:
 ```console
 C:\Users\Admin> "Docker Desktop Installer.exe" install --allowed-org=myorg
 ```
+> [!IMPORTANT]
+>
+> As of Docker Desktop version 4.36 and later, you can add more than one organization to a single `registry.json` file. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
 
 {{< /tab >}}
 {{< tab name="Mac" >}}
@@ -231,6 +308,10 @@ Path          Owner                  Access
 registry.json BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...
 ```
 
+> [!IMPORTANT]
+>
+> As of Docker Desktop version 4.36 and later, you can add more than one organization to a single `registry.json` file. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
+
 {{< /tab >}}
 {{< tab name="Mac" >}}
 
@@ -264,6 +345,10 @@ $ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json"
 -rw-r--r--  1 root  admin  26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json
 ```
 
+> [!IMPORTANT]
+>
+> As of Docker Desktop version 4.36 and later, you can add more than one organization to a single `registry.json` file. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
+
 {{< /tab >}}
 {{< tab name="Linux" >}}
 
@@ -297,6 +382,10 @@ $ sudo ls -l /usr/share/docker-desktop/registry/registry.json
 -rw-r--r--  1 root  root  26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json
 ```
 
+> [!IMPORTANT]
+>
+> As of Docker Desktop version 4.36 and later, you can add more than one organization to a single `registry.json` file. With Docker Desktop version 4.35 and earlier, if you add more than one organization sign-in enforcement silently fails.
+
 {{< /tab >}}
 {{< /tabs >}}
 

content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md

@@ -195,13 +195,30 @@ A couple of caveats:
   from a repository). This is usually not a problem as the tools that need this
   feature (e.g., Paketo buildpacks) will do the pre-pull of the parent image.
 
-* The `allowDerivedImages` setting applies to all images in the `imageList`
-  specified with an explicit tag (e.g., `<name>:<tag>`). It does not apply to
-  images specified using the tag wildcard (e.g., `<name>:*`) described in the
-  prior section, because Docker Desktop needs to know the tag in order to
-  perform ancestor-descendant image checks. Therefore, if you want Docker socket
-  mounts to be allowed for images derived from a parent image in the
-  `imageList`, make sure the parent image is listed with name and tag.
+* For Docker Desktop versions 4.34 and 4.35 only: The `allowDerivedImages` setting
+  applies to all images in the `imageList` specified with an explicit tag (e.g.,
+  `<name>:<tag>`). It does not apply to images specified using the tag wildcard
+  (e.g., `<name>:*`) described in the prior section. In Docker Desktop 4.36 and
+  later, this caveat no longer applies, meaning that the `allowDerivedImages`
+  settings applies to images specified with or without a wildcard tag. This
+  makes it easier to manage the ECI Docker socket image list.
+
+### Allowing all containers to mount the Docker socket
+
+In Docker Desktop version 4.36 and later, it's possible to configure the image
+list to allow any container to mount the Docker socket. You do this by adding
+`"*"` to the `imageList`:
+
+```json
+"imageList": {
+  "images": [
+    "*"
+  ]
+}
+```
+
+It is recommended that you use this only in scenarios where explicitly listing
+allowed container images is not flexible enough.
 
 ### Command list
 
@@ -302,10 +319,13 @@ Whether to configure the list as an allow or deny list depends on the use case.
   this case, remove the local image and pull it again (e.g., `docker rm <image>`
   and `docker pull <image>`).
 
-* It's not possible to allow Docker socket bind-mounts on local images (i.e., images that are not on
-  a registry) unless they are [derived from an allowed image](#docker-socket-mount-permissions-for-derived-images).
-  That's because Docker Desktop pulls the digests for the allowed images from the
-  registry, and then uses that to compare against the local copy of the image.
+* It's not possible to allow Docker socket bind-mounts on containers using
+  local-only images (i.e., images that are not on a registry) unless they are
+  [derived from an allowed image](#docker-socket-mount-permissions-for-derived-images)
+  or you've [allowed all containers to mount the Docker socket](#allowing-all-containers-to-mount-the-docker-socket).
+  That is because Docker Desktop pulls the digests for the allowed images from
+  the registry, and then uses that to compare against the local copy of the
+  image.
 
 * The `commandList` configuration applies to all containers that are allowed to
   bind-mount the Docker socket. Therefore it can't be configured differently per

hack/releaser/cloudfront-lambda-redirects.js

@@ -3,15 +3,16 @@
 exports.handler = (event, context, callback) => {
     //console.log("event", JSON.stringify(event));
     const request = event.Records[0].cf.request;
-    const requestUrl = request.uri.replace(/\/$/, "")
+    // Trim trailing slash and collapse redundant slashes
+    const normalizedUri = request.uri.replace(/\/$/, "").replaceAll(/\/{2,}/g, "/")
 
     const redirects = JSON.parse(`{{.RedirectsJSON}}`);
     for (let key in redirects) {
         const redirectTarget = key.replace(/\/$/, "")
-        if (redirectTarget !== requestUrl) {
+        if (redirectTarget !== normalizedUri) {
             continue;
         }
-        //console.log(`redirect: ${requestUrl} to ${redirects[key]}`);
+        //console.log(`redirect: ${normalizedUri} to ${redirects[key]}`);
         const response = {
             status: '301',
             statusDescription: 'Moved Permanently',
@@ -52,5 +53,6 @@ exports.handler = (event, context, callback) => {
         return
     }
 
+    request.uri = normalizedUri
     callback(null, request);
 };