Merge pull request #18535 from docker/published-update

publish updates from main

.github/workflows/build.yml

@@ -23,10 +23,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Build
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl
@@ -49,10 +49,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Validate
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl
@@ -72,10 +72,10 @@ jobs:
         uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Build
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl

.github/workflows/deploy.yml

@@ -79,10 +79,10 @@ jobs:
           fetch-depth: 0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Build website
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl
@@ -106,7 +106,7 @@ jobs:
       -
         name: Update S3 config
         if: ${{ env.DOCS_S3_BUCKET != '' && env.DOCS_S3_CONFIG != '' }}
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl
@@ -120,7 +120,7 @@ jobs:
       -
         name: Update Cloudfront config
         if: ${{ env.DOCS_CLOUDFRONT_ID != '' }}
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
         with:
           files: |
             docker-bake.hcl

_releaser/go.mod

@@ -44,8 +44,8 @@ require (
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
 	go.opentelemetry.io/otel v1.11.1 // indirect
 	go.opentelemetry.io/otel/trace v1.11.1 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

_releaser/go.sum

@@ -446,8 +446,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -482,8 +482,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -496,8 +496,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

content/config/pruning.md

@@ -174,4 +174,16 @@ Are you sure you want to continue? [y/N] y
 ```
 
 By default, you are prompted to continue. To bypass the prompt, use the `-f` or
-`--force` flag.
+`--force` flag.
+
+By default, all unused containers, networks, images (both dangling and unreferenced)
+are removed. You can limit the scope using the 
+`--filter` flag. For instance, the following command removes items older than 24 hours:
+
+```console
+$ docker system prune --filter "until=24h"
+```
+
+Other filtering expressions are available. See the
+[`docker system prune` reference](../engine/reference/commandline/system_prune.md)
+for more examples.

content/desktop/release-notes.md

@@ -28,7 +28,7 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
 
 {{< release-date date="2023-10-26" >}}
 
-{{< desktop-install all=true version="4.25.0" build_path="/" >}}
+{{< desktop-install all=true version="4.25.0" build_path="/126437/" >}}
 
 ### New
 
@@ -89,12 +89,17 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
 #### For Mac
 
 - Upgrading to MacOS 14 can cause Docker Desktop to also update to a latest version even if the auto update option is disabled.
+- Uninstalling Docker Desktop from the command line is not available. As a workaround, you can [uninstall Docker Desktop from the Dashboard](https://docs.docker.com/desktop/uninstall/).
+
+#### For Windows
+
+- **Switch to Windows containers** option in the tray menu may not show up on Windows. As a workaround, edit the [`settings.json` file](https://docs.docker.com/desktop/settings/windows/) and set `"displaySwitchWinLinContainers": true`.
 
 ## 4.24.2
 
 {{< release-date date="2023-10-12" >}}
 
-{{< desktop-install all=true version="4.25.0" build_path="/124339/" >}}
+{{< desktop-install all=true version="4.24.2" build_path="/124339/" >}}
 
 ### Bug fixes and enhancements
 

content/docker-hub/orgs.md

@@ -20,7 +20,7 @@ detailed instructions on converting an existing user account to an organization,
 
 To create an organization:
 
-1. Sign in to [Docker Hub](https://hub.docker.com/) using your [Docker ID](../docker-id/index.md) or your email address.
+1. Sign in to [Docker Hub](https://hub.docker.com/) using your [Docker ID](../docker-id/index.md), your email address, or your social provider.
 2. Select **Organizations** and then **Create Organization** to create a new
    organization.
 3. Choose a plan for your organization and select **Buy Now**. See

content/docker-id/_index.md

@@ -38,6 +38,11 @@ Your Docker ID becomes your username for hosted Docker services, and [Docker for
 
 ### Sign up with Google or GitHub
 
+> **Important**
+>
+> To sign up with your social provider, make sure you verify your email address with your provider before you begin.
+{ .important }
+
 1. Go to the [Docker sign-up page](https://hub.docker.com/signup/).
 
 2. Select your social provider, Google or GitHub.
@@ -68,6 +73,11 @@ stored in your home directory in `.docker/config.json`. The password is base64-e
 
 ### Sign in with your social provider
 
+> **Important**
+>
+> To sign in with your social provider, make sure you verify your email address with your provider before you begin.
+{ .important }
+
 Optionally, you can sign in to an existing Docker account with your Google or GitHub account. If a Docker account exists with the same email address as the primary email for your social provider, your Docker account will automatically be linked to the social profile. This lets you sign in with your social provider.
 
 If you try to sign in with your social provider and don't have a Docker account yet, a new account will be created for you. Follow the on-screen instructions to create a Docker ID using your social provider.

content/engine/release-notes/24.0.md

@@ -20,6 +20,48 @@ For more information about:
 - Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md).
 - Changes to the Engine API, see [Engine API version history](../api/version-history.md).
 
+## 24.0.7
+
+{{< release-date date="2023-10-27" >}}
+
+For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
+
+- [docker/cli, 24.0.7 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A24.0.7)
+- [moby/moby, 24.0.7 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.7)
+
+### Bug fixes and enhancements
+
+* Write overlay2 layer metadata atomically. [moby/moby#46703](https://github.com/moby/moby/pull/46703)
+* Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. [moby/moby#46626](https://github.com/moby/moby/pull/46626)
+* Fix `dockerd-rootless-setuptools.sh` when username contains a backslash. [moby/moby#46407](https://github.com/moby/moby/pull/46407)
+* Fix a bug that would prevent network sandboxes to be fully deleted when stopping containers with no network attachments and when `dockerd --bridge=none` is used. [moby/moby#46702](https://github.com/moby/moby/pull/46702)
+* Fix a bug where cancelling an API request could interrupt container restart. [moby/moby#46697](https://github.com/moby/moby/pull/46697)
+* Fix an issue where containers would fail to start when providing `--ip-range` with a range larger than the subnet. [docker/for-mac#6870](https://github.com/docker/for-mac/issues/6870)
+* Fix data corruption with zstd output. [moby/moby#46709](https://github.com/moby/moby/pull/46709)
+* Fix the conditions under which the container's MAC address is applied. [moby/moby#46478](https://github.com/moby/moby/pull/46478)
+* Improve the performance of the stats collector. [moby/moby#46448](https://github.com/moby/moby/pull/46448)
+* Fix an issue with source policy rules ending up in the wrong order. [moby/moby#46441](https://github.com/moby/moby/pull/46441)
+
+### Packaging updates
+
+* Add support for Fedora 39 and Ubuntu 23.10. [docker/docker-ce-packaging#940](https://github.com/docker/docker-ce-packaging/pull/940), [docker/docker-ce-packaging#955](https://github.com/docker/docker-ce-packaging/pull/955)
+* Fix `docker.socket` not getting disabled when uninstalling the `docker-ce` RPM package. [docker/docker-ce-packaging#852](https://github.com/docker/docker-ce-packaging/pull/852)
+* Upgrade Go to `go1.20.10`. [docker/docker-ce-packaging#951](https://github.com/docker/docker-ce-packaging/pull/951)
+* Upgrade containerd to `v1.7.6` (static binaries only). [moby/moby#46103](https://github.com/moby/moby/pull/46103)
+* Upgrade the `containerd.io` package to [`v1.6.24`](https://github.com/containerd/containerd/releases/tag/v1.6.24).
+
+### Security
+
+* Deny containers access to `/sys/devices/virtual/powercap` by default. This change hardens against
+  [CVE-2020-8694](https://scout.docker.com/v/CVE-2020-8694),
+  [CVE-2020-8695](https://scout.docker.com/v/CVE-2020-8695), and
+  [CVE-2020-12912](https://scout.docker.com/v/CVE-2020-12912),
+  and an attack known as [the PLATYPUS attack](https://platypusattack.com/).
+
+  For more details, see
+  [advisory](https://github.com/moby/moby/security/advisories/GHSA-jq35-85cj-fj4p),
+  [commit](https://github.com/moby/moby/commit/c9ccbfad11a60e703e91b6cca4f48927828c7e35).
+
 ## 24.0.6
 
 {{< release-date date="2023-09-05" >}}

content/network/_index.md

@@ -1,7 +1,7 @@
 ---
 title: Networking overview
-description: How networking works from the container's point of view
-keywords: networking, container, standalone
+description: Learn how networking works from the container's point of view
+keywords: networking, container, standalone, IP address, DNS resolution
 aliases:
 - /articles/networking/
 - /config/containers/container-networking/
@@ -69,7 +69,7 @@ Here are some examples:
 
 If you want to make a container accessible to other containers,
 it isn't necessary to publish the container's ports.
-Inter-container communication is enabled by connecting the containers to the
+You can enable inter-container communication by connecting the containers to the
 same network, usually a [bridge network](./drivers/bridge.md).
 
 ## IP address and hostname
@@ -79,7 +79,7 @@ A container receives an IP address out of the IP subnet of the network.
 The Docker daemon performs dynamic subnetting and IP address allocation for containers.
 Each network also has a default subnet mask and gateway.
 
-When a container starts, it can only attaches to a single network, using the `--network` flag.
+When a container starts, it can only attach to a single network, using the `--network` flag.
 You can connect a running container to additional networks using the `docker network connect` command.
 In both cases, you can use the `--ip` or `--ip6` flags to specify the container's IP address on that particular network.
 
@@ -106,7 +106,7 @@ configuration.
 | Flag           | Description                                                                                                                                                                                                                                                         |
 | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `--dns`        | The IP address of a DNS server. To specify multiple DNS servers, use multiple `--dns` flags. If the container can't reach any of the IP addresses you specify, it uses Google's public DNS server at `8.8.8.8`. This allows containers to resolve internet domains. |
-| `--dns-search` | A DNS search domain to search non-fully-qualified hostnames. To specify multiple DNS search prefixes, use multiple `--dns-search` flags.                                                                                                                            |
+| `--dns-search` | A DNS search domain to search non-fully qualified hostnames. To specify multiple DNS search prefixes, use multiple `--dns-search` flags.                                                                                                                            |
 | `--dns-opt`    | A key-value pair representing a DNS option and its value. See your operating system's documentation for `resolv.conf` for valid options.                                                                                                                            |
 | `--hostname`   | The hostname a container uses for itself. Defaults to the container's ID if not specified.                                                                                                                                                                          |
 
@@ -123,8 +123,8 @@ against the embedded DNS server.
 
 It's rare that the external DNS server is faster than the embedded one. But
 things like garbage collection, or large numbers of concurrent DNS requests,
-can result in a roundtrip to the external server being faster than local
-resolution, on some occasions.
+can sometimes result in a round trip to the external server being faster than local
+resolution.
 
 ### Custom hosts
 

content/network/drivers/_index.md

@@ -1,6 +1,6 @@
 ---
 title: Network drivers overview
-description: Overview of Docker network drivers and related concepts
+description: Learn the basics of Docker network drivers
 keywords: networking, drivers, bridge, routing, routing mesh, overlay, ports
 ---
 

content/network/drivers/bridge.md

@@ -15,14 +15,14 @@ In terms of networking, a bridge network is a Link Layer device
 which forwards traffic between network segments. A bridge can be a hardware
 device or a software device running within a host machine's kernel.
 
-In terms of Docker, a bridge network uses a software bridge which allows
-containers connected to the same bridge network to communicate, while providing
-isolation from containers which are not connected to that bridge network. The
+In terms of Docker, a bridge network uses a software bridge which lets
+containers connected to the same bridge network communicate, while providing
+isolation from containers that aren't connected to that bridge network. The
 Docker bridge driver automatically installs rules in the host machine so that
-containers on different bridge networks cannot communicate directly with each
+containers on different bridge networks can't communicate directly with each
 other.
 
-Bridge networks apply to containers running on the **same** Docker daemon host.
+Bridge networks apply to containers running on the same Docker daemon host.
 For communication among containers running on different Docker daemon hosts, you
 can either manage routing at the OS level, or you can use an
 [overlay network](overlay.md).
@@ -82,7 +82,7 @@ network.**
 
   Originally, the only way to share environment variables between two containers
   was to link them using the [`--link` flag](../links.md). This type of
-  variable sharing is not possible with user-defined networks. However, there
+  variable sharing isn't possible with user-defined networks. However, there
   are superior ways to share environment variables. A few ideas:
 
   - Multiple containers can mount a file or directory containing the shared
@@ -219,7 +219,7 @@ recommended for production use. Configuring it is a manual operation, and it has
 If you do not specify a network using the `--network` flag, and you do specify a
 network driver, your container is connected to the default `bridge` network by
 default. Containers connected to the default `bridge` network can communicate,
-but only by IP address, unless they are linked using the
+but only by IP address, unless they're linked using the
 [legacy `--link` flag](../links.md).
 
 ### Configure the default bridge network