29.6.0-rc.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.6.0 milestone
• moby/moby, 29.6.0 milestone

New

• Add GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Clients can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636

Bug fixes and enhancements

• docker image push now respects NO_COLOR. docker/cli#6957
• Fix a bug where registry authentication failures during worker image pulls were reported as a misleading “No such image” error. moby/moby#52698
• Fix default BuildKit GC policy to prune reproducible cache types as intended. moby/moby#52814
• The --password flag on docker login now accepts - to pass the password through STDIN as alternative to --password-stdin. docker/cli#7029

Packaging updates

• Update BuildKit to v0.31.0-rc2. moby/moby#52835

Networking

• Allow the nftables firewall mode to be used with a daemon that is linked against libnftables when the nft command is not installed on the system. moby/moby#52820
• Don't publish container ports on host ports listed in net.ipv4.ip_local_reserved_ports when dynamically allocating ports. moby/moby#52818

Rootless

• Silence the spurious warning "IPv4 forwarding is disabled". moby/moby#52742

Deprecations

• The Engine now returns a deprecation warning when a container connected to the default bridge is created with links specified. moby/moby#47427