engine: 28.0.1 release notes

content/manuals/engine/release-notes/28.md

@@ -22,6 +22,51 @@
 - Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md).
 - Changes to the Engine API, see [Engine API version history](/reference/api/engine/version-history.md).
 
+## 28.0.1
+
+{{< release-date date="2025-02-26" >}}
+
+For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
+
+- [docker/cli, 28.0.1 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.0.1)
+- [moby/moby, 28.0.1 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.0.1)
+
+### Networking
+
+- Remove dependency on kernel modules `ip_set`, `ip_set_hash_net` and `netfilter_xt_set`.
+  * The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. [moby/moby#49530](https://github.com/moby/moby/pull/49530)
+- Allow daemon startup on a host with IPv6 disabled without requiring `--ip6tables=false`. [moby/moby#49525](https://github.com/moby/moby/pull/49525)
+- Fix a bug that was causing containers with `--restart=always` and a published port already in use to restart in a tight loop. [moby/moby#49507](https://github.com/moby/moby/pull/49507)
+- Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. [moby/moby#49538](https://github.com/moby/moby/pull/49538)
+- Fix creation of a swarm-scoped network from a `--config-only` network. [moby/moby#49521](https://github.com/moby/moby/pull/49521)
+- Fix `docker network inspect` reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. [moby/moby#49520](https://github.com/moby/moby/pull/49520)
+- Improve the error reported when kernel modules `ip_set`, `ip_set_hash_net` and `netilter_xt_set` are not available. [moby/moby#49524](https://github.com/moby/moby/pull/49524)
+- Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. [moby/moby#49518](https://github.com/moby/moby/pull/49518)
+- Update `--help` output and man page lo state which options only apply to the default bridge network. [moby/moby#49522](https://github.com/moby/moby/pull/49522)
+
+
+### Bug fixes and enhancements
+
+- Fix `docker context create` always returning an error when using the `"skip-tls-verify"` option. [docker/cli#5850](https://github.com/docker/cli/pull/5850)
+- Fix shell completion suggesting IDs instead of names for services and nodes. [docker/cli#5848](https://github.com/docker/cli/pull/5848)
+- Fix unintentionally printing exit status to standard error output when `docker exec/run` returns a non-zero status. [docker/cli#5854](https://github.com/docker/cli/pull/5854)
+- Fix regression `protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns"`. [moby/moby#49514](https://github.com/moby/moby/pull/49514)
+- containerd image store: Fix `docker inspect` not being able to show multi-platform images with missing layers for all platforms. [moby/moby#49533](https://github.com/moby/moby/pull/49533)
+- containerd image store: Fix `docker images --tree` reporting wrong content size. [moby/moby#49535](https://github.com/moby/moby/pull/49535)
+- Fix compilation on i386 [moby/moby#49526](https://github.com/moby/moby/pull/49526)
+
+### Packaging updates
+
+- Update `github.com/go-jose/go-jose/v4` to v4.0.5 to address [GHSA-c6gw-w398-hv78](https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78) / [CVE-2025-27144](https://www.cve.org/CVERecord?id=CVE-2025-27144). [docker/cli#5867](https://github.com/docker/cli/pull/5867)
+- Update Buildx to [v0.21.1](https://github.com/docker/buildx/releases/tag/v0.21.1). [docker/docker-ce-packaging#1167](https://github.com/docker/docker-ce-packaging/pull/1167)
+- Update Compose to [v2.33.1](https://github.com/docker/compose/releases/tag/v2.33.1). [docker/docker-ce-packaging#1168](https://github.com/docker/docker-ce-packaging/pull/1168)
+
+### API
+
+- containerd image store: Fix `GET /images/json?manifests=1` not filling `Manifests` for index-only images [moby/moby#49533](https://github.com/moby/moby/pull/49533)
+- containerd image store: Fix `GET /images/json and /images/<name>/json` `Size.Content` field including the size of content that's not available locally [moby/moby#49535](https://github.com/moby/moby/pull/49535)
+
+
 ## 28.0.0
 
 {{< release-date date="2025-02-19" >}}

data/engine-cli/docker_container_restart.yaml

@@ -75,7 +75,7 @@ examples: |-
     ### Stop container with timeout (-t, --timeout) {#timeout}
 
     The `--timeout` flag sets the number of seconds to wait for the container
-    to stop after sending the pre-defined (see [`--signal`]{#signal)) system call signal.
+    to stop after sending the pre-defined (see [`--signal`](#signal)) system call signal.
     If the container does not exit after the timeout elapses, it's forcibly killed
     with a `SIGKILL` signal.
 

data/engine-cli/docker_container_run.yaml

@@ -2318,6 +2318,26 @@ examples: |-
     > $ docker run -it --ulimit as=1024 fedora /bin/bash
     > ```
 
+    #### Supported options for `--ulimit`:
+
+    | Option       | Description                                               |
+    |:-------------|:----------------------------------------------------------|
+    | `core`       | Maximum size of core files created (`RLIMIT_CORE`)        |
+    | `cpu`        | CPU time limit in seconds (`RLIMIT_CPU`)                  |
+    | `data`       | Maximum data segment size (`RLIMIT_DATA`)                 |
+    | `fsize`      | Maximum file size (`RLIMIT_FSIZE`)                        |
+    | `locks`      | Maximum number of file locks (`RLIMIT_LOCKS`)             |
+    | `memlock`    | Maximum locked-in-memory address space (`RLIMIT_MEMLOCK`) |
+    | `msgqueue`   | Maximum bytes in POSIX message queues (`RLIMIT_MSGQUEUE`) |
+    | `nice`       | Maximum nice priority adjustment (`RLIMIT_NICE`)          |
+    | `nofile`     | Maximum number of open file descriptors (`RLIMIT_NOFILE`) |
+    | `nproc`      | Maximum number of processes available (`RLIMIT_NPROC`)    |
+    | `rss`        | Maximum resident set size (`RLIMIT_RSS`)                  |
+    | `rtprio`     | Maximum real-time scheduling priority (`RLIMIT_RTPRIO`)   |
+    | `rttime`     | Maximum real-time execution time (`RLIMIT_RTTIME`)        |
+    | `sigpending` | Maximum number of pending signals (`RLIMIT_SIGPENDING`)   |
+    | `stack`      | Maximum stack size (`RLIMIT_STACK`)                       |
+
     Docker sends the values to the appropriate OS `syscall` and doesn't perform any byte conversion.
     Take this into account when setting the values.
 

data/engine-cli/docker_network_ls.yaml

@@ -39,6 +39,7 @@ options:
       value_type: bool
       default_value: "false"
       description: Do not truncate the output
+      details_url: '#no-trunc'
       deprecated: false
       hidden: false
       experimental: false
@@ -79,6 +80,8 @@ examples: |-
     78b03ee04fc4        multi-host          overlay         swarm
     ```
 
+    ### List networks without truncating the ID column (--no-trun) {#no-trunc}
+
     Use the `--no-trunc` option to display the full network id:
 
     ```console

data/engine-cli/docker_swarm_join-token.yaml

@@ -21,6 +21,7 @@ options:
       value_type: bool
       default_value: "false"
       description: Only display token
+      details_url: '#quiet'
       deprecated: false
       hidden: false
       experimental: false
@@ -31,6 +32,7 @@ options:
       value_type: bool
       default_value: "false"
       description: Rotate join token
+      details_url: '#rotate'
       deprecated: false
       hidden: false
       experimental: false
@@ -97,7 +99,7 @@ examples: |-
     SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t
     ```
 
-    ### `--rotate`
+    ### `--rotate` {#rotate}
 
     Because tokens allow new nodes to join the swarm, you should keep them secret.
     Be particularly careful with manager tokens since they allow new manager nodes
@@ -116,7 +118,7 @@ examples: |-
     using the old token. Rotation does not affect existing nodes in the swarm
     because the join token is only used for authorizing new nodes joining the swarm.
 
-    ### `--quiet`
+    ### `--quiet` {#quiet}
 
     Only print the token. Do not print a complete command for joining.
 deprecated: false

data/engine-cli/docker_swarm_join.yaml

@@ -11,6 +11,7 @@ options:
     - option: advertise-addr
       value_type: string
       description: 'Advertised address (format: `<ip|interface>[:port]`)'
+      details_url: '#advertise-addr'
       deprecated: false
       hidden: false
       experimental: false
@@ -21,6 +22,7 @@ options:
       value_type: string
       default_value: active
       description: Availability of the node (`active`, `pause`, `drain`)
+      details_url: '#availability'
       deprecated: false
       hidden: false
       experimental: false
@@ -31,6 +33,7 @@ options:
       value_type: string
       description: |
         Address or interface to use for data path traffic (format: `<ip|interface>`)
+      details_url: '#data-path-addr'
       deprecated: false
       hidden: false
       min_api_version: "1.31"
@@ -42,6 +45,7 @@ options:
       value_type: node-addr
       default_value: 0.0.0.0:2377
       description: 'Listen address (format: `<ip|interface>[:port]`)'
+      details_url: '#listen-addr'
       deprecated: false
       hidden: false
       experimental: false
@@ -51,6 +55,7 @@ options:
     - option: token
       value_type: string
       description: Token for entry into the swarm
+      details_url: '#token'
       deprecated: false
       hidden: false
       experimental: false
@@ -102,7 +107,7 @@ examples: |-
     dvfxp4zseq4s0rih1selh0d20 *  manager1  Ready   Active        Leader
     ```
 
-    ### `--listen-addr value`
+    ### `--listen-addr value` {#listen-addr}
 
     If the node is a manager, it will listen for inbound swarm manager traffic on this
     address. The default is to listen on 0.0.0.0:2377. It is also possible to specify a
@@ -113,7 +118,7 @@ examples: |-
 
     This flag is generally not necessary when joining an existing swarm.
 
-    ### `--advertise-addr value`
+    ### `--advertise-addr value` {#advertise-addr}
 
     This flag specifies the address that will be advertised to other members of the
     swarm for API access. If unspecified, Docker will check if the system has a
@@ -133,7 +138,7 @@ examples: |-
     ensure the node advertises its IP address and not the IP address of the load
     balancer.
 
-    ### `--data-path-addr`
+    ### `--data-path-addr` {#data-path-addr}
 
     This flag specifies the address that global scope network drivers will publish towards
     other nodes in order to reach the containers running on this node.
@@ -142,11 +147,11 @@ examples: |-
     If unspecified, Docker will use the same IP address or interface that is used for the
     advertise address.
 
-    ### `--token string`
+    ### `--token string` {#token}
 
     Secret value required for nodes to join the swarm
 
-    ### `--availability`
+    ### `--availability` {#availability}
 
     This flag specifies the availability of the node at the time the node joins a master.
     Possible availability values are `active`, `pause`, or `drain`.

data/engine-cli/docker_swarm_unlock-key.yaml

@@ -22,6 +22,7 @@ options:
       value_type: bool
       default_value: "false"
       description: Only display token
+      details_url: '#quiet'
       deprecated: false
       hidden: false
       experimental: false
@@ -32,6 +33,7 @@ options:
       value_type: bool
       default_value: "false"
       description: Rotate unlock key
+      details_url: '#rotate'
       deprecated: false
       hidden: false
       experimental: false
@@ -87,12 +89,12 @@ examples: |-
     SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8
     ```
 
-    ### `--rotate`
+    ### `--rotate` {#rotate}
 
     This flag rotates the unlock key, replacing it with a new randomly-generated
     key. The old unlock key will no longer be accepted.
 
-    ### `--quiet`
+    ### `--quiet` {#quiet}
 
     Only print the unlock key, without instructions.
 deprecated: false

hugo.yaml

@@ -113,10 +113,10 @@ params:
   # Latest version of the Docker Engine API
   latest_engine_api_version: "1.48"
   # Latest version of Docker Engine
-  docker_ce_version: "28.0.0"
+  docker_ce_version: "28.0.1"
   # Previous version of the Docker Engine
   # (Used to show e.g., "latest" and "latest"-1 in engine install examples
-  docker_ce_version_prev: "27.5.1"
+  docker_ce_version_prev: "28.0.0"
   # Latest Docker Compose version
   compose_version: "v2.33.1"
   # Latest BuildKit version