Sourced fromgithub.com/docker/docker's releases.

v28.0.1

28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.1 milestone
• moby/moby, 28.0.1 milestone

Networking

• Remove dependency on kernel modulesip_set,ip_set_hash_net andnetfilter_xt_set.
  • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced.moby/moby#49530
• Allow daemon startup on a host with IPv6 disabled without requiring--ip6tables=false.moby/moby#49525
• Fix a bug that was causing containers with--restart=always and a published port already in use to restart in a tight loop.moby/moby#49507
• Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules.moby/moby#49538
• Fix creation of a swarm-scoped network from a--config-only network.moby/moby#49521
• Fixdocker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart.moby/moby#49520
• Improve the error reported when kernel modulesip_set,ip_set_hash_net andnetilter_xt_set are not available.moby/moby#49524
• Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules.moby/moby#49518
• Update--help output and man page lo state which options only apply to the default bridge network.moby/moby#49522

Bug fixes and enhancements

• Fixdocker context create always returning an error when using the"skip-tls-verify" option.docker/cli#5850
• Fix shell completion suggesting IDs instead of names for services and nodes.docker/cli#5848
• Fix unintentionally printing exit status to standard error output whendocker exec/run returns a non-zero status.docker/cli#5854
• Fix regressionprotocol "tcp" is not supported by the RootlessKit port driver "slirp4netns".moby/moby#49514
• containerd image store: Fixdocker inspect not being able to show multi-platform images with missing layers for all platforms.moby/moby#49533
• containerd image store: Fixdocker images --tree reporting wrong content size.moby/moby#49535
• Fix compilation on i386moby/moby#49526

Packaging updates

• Updategithub.com/go-jose/go-jose/v4 to v4.0.5 to address.GHSA-c6gw-w398-hv78 /CVE-2025-27144docker/cli#5867
• Update Buildx tov0.21.1.docker/docker-ce-packaging#1167
• Update Compose tov2.33.1.docker/docker-ce-packaging#1168

API

• containerd image store: FixGET /images/json?manifests=1 not fillingManifests for index-only images.moby/moby#49533
• containerd image store: FixGET /images/json and /images/<name>/jsonSize.Content field including the size of content that's not available locally.moby/moby#49535

• bbd0a17 Merge pull request#49538 from robmry/docker_ingress
• 8ae4858 Merge pull request#49545 from robmry/revert_check-config_ipset
• 1814363 Revert "contrib/check-config: add ipset related flags"
• 558da63 Jump to DOCKER-INGRESS from DOCKER-FORWARD
• f92fdfe Merge pull request#49530 from robmry/disable_ip_set
• 88bc9a3 Merge pull request#49535 from vvoland/c8d-fixcontentsize
• 76417bf Don't use ipset
• c35159e c8d/manifests: Fix Content size including missing content
• 0510499 Merge pull request#49533 from vvoland/c8d-inspectlist-indeximg
• 0274c63 Merge pull request#49518 from robmry/docker_forward_chain
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)