updates

moby: 2e16c5d1fbeb55c440ff70dd9c24ed42fa149698
cli: f7c3d1c796ca399e698e673e222f5c9c5469a8a0

Signed-off-by: Paweł Gronowski <[email protected]>

Author: vvoland

content/manuals/engine/release-notes/28.md

@@ -36,6 +36,7 @@ For a full list of pull requests and changes in this release, refer to the relev
 ### New
 
 - Windows: add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. [moby/moby#47955](https://github.com/moby/moby/pull/47955)
+- Add ability to mount an image inside a container via `--mount type=image`. [moby/moby#48798](https://github.com/moby/moby/pull/48798)
 - `docker load`, `docker save`, and `docker history` now support a `--platform` flag allowing to choose a specific platform for single-platform operations on multi-platform images. [docker/cli#5331](https://github.com/docker/cli/pull/5331)
 - Add `OOMScoreAdj` to `docker service create` and `docker stack`. [docker/cli#5145](https://github.com/docker/cli/pull/5145)
 - `docker buildx prune` now supports `reserved-space`, `max-used-space` and `min-free-space`, `keep-bytes` filters. [moby/moby#48720](https://github.com/moby/moby/pull/48720)
@@ -68,12 +69,13 @@ For a full list of pull requests and changes in this release, refer to the relev
 - Generated completion scripts from the CLI will now show descriptions next to each command/flag suggestion. [docker/cli#5756](https://github.com/docker/cli/pull/5756)
 - Improve errors when failing to start a container using anther container's network namespace. [moby/moby#49367](https://github.com/moby/moby/pull/49367)
 - Improve handling of invalid API errors that could result in an empty error message being presented to the user. [moby/moby#49373](https://github.com/moby/moby/pull/49373)
+- Fix rootless Docker setup with `subid` backed by NSS modules. [moby/moby#49036](https://github.com/moby/moby/pull/49036)
 - containerd image store: Make `docker load --platform` return an error when the requested platform wasn't loaded. [moby/moby#48718](https://github.com/moby/moby/pull/48718)
 - containerd image store: Fix `commit`, `import` and `build` not preserving replaced image as a dangling. [moby/moby#48316](https://github.com/moby/moby/pull/48316)
 
 ### Packaging updates
 
-- Update Go runtime to [1.23.5](https://go.dev/doc/devel/release#go1.23.5).  [moby/moby#49311](https://github.com/moby/moby/pull/49311), [docker/cli#5761](https://github.com/docker/cli/pull/5761) [docker/docker-ce-packaging#1146](https://github.com/docker/docker-ce-packaging/pull/1146)
+- Update Go runtime to [1.23.6](https://go.dev/doc/devel/release#go1.23.6). [docker/cli#5795](https://github.com/docker/cli/pull/5795), [moby/moby#49393](https://github.com/moby/moby/pull/49393), [docker/docker-ce-packaging#1161](https://github.com/docker/docker-ce-packaging/pull/1161)
 - Update `runc` to [v1.2.4](https://github.com/opencontainers/runc/releases/tag/v1.2.4) [moby/moby#49238](https://github.com/moby/moby/pull/49238)
 - Update containerd to [v1.7.25](https://github.com/containerd/containerd/releases/tag/v1.7.25). [moby/moby#49252](https://github.com/moby/moby/pull/49252)
 - Update BuildKit to [v0.19.0](https://github.com/moby/buildkit/releases/tag/v0.19.0). [moby/moby#49315](https://github.com/moby/moby/pull/49315)
@@ -87,10 +89,15 @@ For a full list of pull requests and changes in this release, refer to the relev
 - `pkg/reexec`: can now be used on platforms other than Linux, Windows, macOS and FreeBSD [moby/moby#49118](https://github.com/moby/moby/pull/49118)
 - `api/types/container`: merge `Stats` and `StatsResponse` [moby/moby#49287](https://github.com/moby/moby/pull/49287)
 - `client.WithVersion`: strip v-prefix when setting API version [moby/moby#49352](https://github.com/moby/moby/pull/49352)
+- Improve validation of empty object IDs; the client now returns an "Invalid Parameter" error when trying to use an empty ID or name. This changes the error returned by some "Inspect" functions from a "Not found" error to an "Invalid Parameter". [moby/moby#49381](https://github.com/moby/moby/pull/49381)
+- `client`: add `HijackDialer` interface. [moby/moby#49388](https://github.com/moby/moby/pull/49388)
+- `client`: add `SwarmManagementAPIClient` interface to describe all API client methods related to swarm-specific objects. [moby/moby#49388](https://github.com/moby/moby/pull/49388)
 
 ### API
 
 - Update API version to [v1.48](https://docs.docker.com/engine/api/v1.48/) [moby/moby#48476](https://github.com/moby/moby/pull/48476)
+- API: `GET /images/{name}/json` response now will return the `Manifests` field containing information about the sub-manifests contained in the image index. This includes things like platform-specific manifests and build attestations. [moby/moby#48264](https://github.com/moby/moby/pull/48264)
+- `POST /containers/create` now supports `Mount` of type `image` for mounting an image inside a container. [moby/moby#48798](https://github.com/moby/moby/pull/48798)
 - `GET /images/{name}/history` now supports a `platform` parameter (JSON encoded OCI Platform type) that allows to specify a platform to show the history of. [moby/moby#48295](https://github.com/moby/moby/pull/48295)
 - `POST /images/{name}/load` and `GET /images/{name}/get` now support a `platform` parameter (JSON encoded OCI Platform type) that allows to specify a platform to load/save. Not passing this parameter will result in loading/saving the full multi-platform image. [moby/moby#48295](https://github.com/moby/moby/pull/48295)
 - Improve errors for invalid width/height on container resize and exec resize [moby/moby#48679](https://github.com/moby/moby/pull/48679)
@@ -148,6 +155,9 @@ For a full list of pull requests and changes in this release, refer to the relev
 
 ### Deprecations
 
+- Go SDK: `client`: deprecate `ErrorConnectionFailed` helper. This function was only used internally, and will be removed in the next release. [moby/moby#49389](https://github.com/moby/moby/pull/49389)
+- Go SDK: `client`: deprecate `CommonAPIClient` interface in favor of the APIClient interface. The CommonAPIClient will be changed to an alias for APIClient in the next release, and removed in the release after. [moby/moby#49388](https://github.com/moby/moby/pull/49388)
+- Deprecate `client.ImageInspectWithRaw` function in favor of the new `client.ImageInspect`. [moby/moby#48264](https://github.com/moby/moby/pull/48264)
 - `daemon/graphdriver`: deprecate `GetDriver()` [moby/moby#48079](https://github.com/moby/moby/pull/48079)
 - `pkg/directory.Size()` function is deprecated, an will be removed in the next release. [moby/moby#48057](https://github.com/moby/moby/pull/48057)
 - Move from `api/types` to `api/types/container` - `NetworkSettings`, `NetworkSettingsBase`, `DefaultNetworkSettings`, `SummaryNetworkSettings`, `Health`, `HealthcheckResult`, `NoHealthcheck`, `Starting`, `Healthy`, and `Unhealthy` constants, `MountPoint`, `Port`, `ContainerState`, `Container`, `ContainerJSONBase`, `ContainerJSON`, `ContainerNode`. The old types are deprecated and will be removed in the next release. [moby/moby#48108](https://github.com/moby/moby/pull/48108)
@@ -192,6 +202,17 @@ For a full list of pull requests and changes in this release, refer to the relev
 - Add a new `gw-priority` option to `docker run`, `docker container create`, and `docker network connect`. This option will be used by the Engine to determine which network provides the default gateway for a container. On `docker run`, this option is only available through the extended `--network` syntax. [docker/cli#5664](https://github.com/docker/cli/pull/5664)
 
 
+### TODO
+- Add a new netlabel `com.docker.network.endpoint.ifname` to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. [moby/moby#49155](https://github.com/moby/moby/pull/49155)
+  - When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names (eg. `eth`), the container might fail to start.
+  - The recommended practice is to use a different prefix (eg. `en0`), or a numerical suffix high enough to never collide (eg. `eth100`).
+  - This label can be specified on `docker network connect` via the `--driver-opt` flag, eg. `docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar …`.
+  - Or via the long-form `--network` flag on `docker run`, eg. `docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …`
+- If a custom network driver reports capability `GwAllocChecker` then, before a network is created, it will get a `GwAllocCheckerRequest` with the network's options. The custom driver may then reply that no gateway IP address should be allocated. [moby/moby#49372](https://github.com/moby/moby/pull/49372)
+- An `internal` bridge network created with gateway mode `isolated` does not have an address on the docker host. [moby/moby#49262](https://github.com/moby/moby/pull/49262)
+  - An address is normally assigned to the bridge device in an `internal` network, so processes on the docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, `0.0.0.0` or `::`).
+  - The `network create` options are `-o com.docker.network.bridge.gateway_mode_ipv4=isolated` and `-o com.docker.network.bridge.gateway_mode_ipv6=isolated`.
+
 #### Port Publishing in Bridge Networks
 
 - `dockerd` now requires `ipset` support in the Linux kernel. [moby/moby#48596](https://github.com/moby/moby/pull/48596)
@@ -239,7 +260,7 @@ For a full list of pull requests and changes in this release, refer to the relev
 - Add validation of network-diagnostic-port daemon configuration option. [moby/moby#49305](https://github.com/moby/moby/pull/49305)
 - Unless explicitly configured, an IP address is no longer reserved for a gateway in cases where it is not required. Namely, “internal” bridge networks with option `com.docker.network.bridge.inhibit_ipv4`, `ipvlan` or `macvlan` networks with no parent interface, and L3 IPvlan modes. [moby/moby#49261](https://github.com/moby/moby/pull/49261)
 - If a custom network driver reports capability `GwAllocChecker` then, before a network is created, it will get a `GwAllocCheckerRequest` with the network's options. The custom driver may then reply that no gateway IP address should be allocated. [moby/moby#49372](https://github.com/moby/moby/pull/49372)
-- Fixed an issue that meant a container could not be attached to an L3 ipvlan at the same time as other network types. [moby/moby#49130](https://github.com/moby/moby/pull/49130)
+- Fixed an issue that meant a container could not be attached to an L3 IPvlan at the same time as other network types. [moby/moby#49130](https://github.com/moby/moby/pull/49130)
 - Remove the correct `/etc/hosts` entries when disconnecting a container from a network. [moby/moby#48857](https://github.com/moby/moby/pull/48857)
 - Fix duplicate network disconnect events. [moby/moby#48800](https://github.com/moby/moby/pull/48800)
 - Resolved issues related to changing `fixed-cidr` for `docker0`, and inferring configuration from a user-managed default bridge (`--bridge`). [moby/moby#48319](https://github.com/moby/moby/pull/48319)
@@ -261,7 +282,6 @@ For a full list of pull requests and changes in this release, refer to the relev
 ### Rejected (backported or no impact label)
 
 - Add a couple of iptables rules to filter on the input interface for NAT port mappings. This will prevent rogue neighboring hosts from accessing port mappings that aren't published in the same subnet / L2 segment.
-- The env var `DOCKER_DISABLE_INPUT_IFACE_FILTERING` can be set to any `true`-ish value to globally disable this filtering. This is a temporary escape hatch and will be removed in a future release. Report an issue if you need to use it. [moby/moby#48721](https://github.com/moby/moby/pull/48721)
 - Fix an issue that meant published ports from one container on a bridge network were not accessible from another container on the same network with `userland-proxy` disabled, if the kernel's `br_netfilter` module was not loaded and enabled. The daemon will now attempt to load the module and enable `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` when creating a network with the userland proxy disabled. [moby/moby#48676](https://github.com/moby/moby/pull/48676)
 - Preserve network labels during daemon startup. [moby/moby#49196](https://github.com/moby/moby/pull/49196)
 - Fix a bug that was preventing containers exposing a TCP port on the host to be restarted if it was accessed by another container (or from the host) shortly before. [moby/moby#48567](https://github.com/moby/moby/pull/48567)