Sourced fromgithub.com/docker/docker's releases.

v28.0.2

28.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.2 milestone
• moby/moby, 28.0.2 milestone

Bug fixes and enhancements

• Fix CLI-specific attributes (docker.cli.*) being unintentionally passed to downstream OTel services.docker/cli#5842
• Fix an issue where user-specifiedOTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist.docker/cli#5842
• Fix daemon failing to start on Windows when a container created before v28.0.0 was present.moby/moby#49626
• Fix possible error ondocker buildx prune with the--min-free-space.moby/moby#49623
• Fix spuriousio: read/write on closed pipe error in the daemon log when closing container.moby/moby#49590
• Fix the Docker daemon failing too early if the containerd socket isn't immediately available.moby/moby#49603
• Mask Linux thermal interrupt info in a container's/proc and/sys by default.moby/moby#49560
• Updatecontrib/check-config.sh to check for more kernel modules related to iptables.moby/moby#49622
• containerd image store: Fix integer overflow in User ID handling passed via--user.moby/moby#49652
• containerd image store: Fix spuriousreference for unknown type: application/vnd.in-toto+json warning being logged to the daemon's log.moby/moby#49652
• containerd image store: Improve performance ofdocker ps when running large number of containers.moby/moby#49365

Packaging updates

• Update BuildKit tov0.20.1.moby/moby#49587
• Update Buildx tov0.22.0.docker/docker-ce-packaging#1175
• Update Compose tov2.34.0.docker/docker-ce-packaging#1172
• Update Go runtime to1.23.7.docker/cli#5890,docker/docker-ce-packaging#1171,moby/moby#49580
• Update RootlessKit tov2.3.4.moby/moby#49614
• Update containerd (static binaries only) tov1.7.27.moby/moby#49656

Networking

• Add environment variableDOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provideCONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptablesraw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0.moby/moby#49621
• Allow container startup when an endpoint is attached to a macvlan network where the parent interface is down.moby/moby#49630
• Do not skip DNAT for packets originating in a gateway_mode=routed network.moby/moby#49577
• Fix a bug causingdocker ps to inconsistently report dual-stack port mappings.moby/moby#49657
• Fix a bug that could causedocker-proxy to stop forwarding UDP datagrams to containers.moby/moby#49649
• Fix a bug that was causingdocker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly.moby/moby#49649

Go SDK

• Move various types and consts fromcli-plugins/manager to a separate package.docker/cli#5902
• Update minimum required Go version to go1.23.moby/moby#49541
• cli/command: MovePrettyPrint utility tocli/command/formatter.docker/cli#5916
• runconfig/errors: splitErrConflictHostNetwork intoErrConflictConnectToHostNetwork andErrConflictDisconnectFromHostNetwork.moby/moby#49605

Deprecations

• Go-SDK: Deprecatecli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds theOTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release.docker/cli#5881

... (truncated)

• bea4de2 Merge pull request#49656 from austinvazquez/bump-container-1.7.27-binary
• 97ee08e Merge pull request#49657 from akerouanton/fix-missing-port-mappings
• f2a183a daemon: return port-mappings from all endpoints
• 6b3b479 daemon: getEndpointPortMapInfo: err is never used
• 35766af Dockerfile: update containerd binary to v1.7.27
• b2363f0 Merge pull request#49602 from thaJeztah/remove_layerstore_experimental
• c9a763e daemon: remove redundant call to getEndpointPortMapInfo
• 2043aa9 Merge pull request#49652 from vvoland/vendor-containerd
• 7cdd1b5 Merge pull request#49649 from akerouanton/proxy-concurrent-write-close
• fb3cce1 vendor: github.com/containerd/containerd/v2 v2.0.4
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)