29.6.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.6.0 milestone
• moby/moby, 29.6.0 milestone

New

• POST /containers/{id}/update now supports per-device blkio resource settingss. moby/moby#52651
• Add GET /images/{name}/attestations endpoint to retrieve in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image. Supports optional platform selection, predicate type filtering, and a statement query parameter for verbatim statement bodies.

Bug fixes and enhancements

• docker image push now respects NO_COLOR. docker/cli#6957
• containerd image store: Fix docker system prune to include unpacked image data when reporting reclaimed space. moby/moby#52905
• Fix docker system df image size reporting to count only snapshots directly used by images. moby/moby#52901
• Fix a bug where registry authentication failures during worker image pulls were reported as a misleading “No such image” error. moby/moby#52698
• Fix default BuildKit GC policy to prune reproducible cache types as intended. moby/moby#52814
• Fix explicit file modes being filtered by the daemon umask, including COPY --chmod permissions. moby/moby#52892
• Fix image selection with the containerd image store on amd64 hosts when images provide amd64 variant-specific manifests. moby/moby#52773
• The --password flag on docker login now accepts - to pass the password through STDIN as alternative to --password-stdin. docker/cli#7029

Packaging updates

• Update runc (in static binaries) to v1.3.6. moby/moby#52883
• Update BuildKit to v0.31.0. moby/moby#52904

Networking

• Allow the nftables firewall mode to be used with a daemon that is linked against libnftables when the nft command is not installed on the system. moby/moby#52820
• Don't publish container ports on host ports listed in net.ipv4.ip_local_reserved_ports when dynamically allocating ports. moby/moby#52818
• Fix a race condition in overlay network bulk sync that caused ~30s DNS resolution delays on newly joined swarm nodes. moby/moby#52862
• Mitigate a crash in libnftables when using nftables as the firewall backend by changing the default build option to execute the nft command instead. Users building dockerd from source can opt into linking against libnftables by building with the libnftables build tag. moby/moby#52886

Rootless

• Silence the spurious warning "IPv4 forwarding is disabled". moby/moby#52742

Deprecations

• The Engine now returns a deprecation warning when a container connected to the default bridge is created with links specified. moby/moby#47427