• 068a01e Merge pull request #5870 from thaJeztah/carry_5855
• d75f8d8 Add detailed descriptions for --ulimit options in docker run documentation
• ffdfc5f Merge pull request #5742 from mertssmnoglu/fix-dockerfile-exec-form
• 6bd9908 Merge pull request #5867 from thaJeztah/bump_go_jose
• 7559583 vendor: github.com/go-jose/go-jose/v4 v4.0.5
• 41277f5 Merge pull request #5865 from robmry/doc_default_bridge
• 4e7497e Update dockerd command line ref, default bridge opts
• be66909 Update dockerd command line ref, changes in 28.0
• 111468c Merge pull request #5864 from thaJeztah/gha_bump_docker
• 427c136 gha: add docker 28 to test matrix
• Additional commits viewable in compare view

Sourced from github.com/docker/docker's releases.

v28.0.1

28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.1 milestone
• moby/moby, 28.0.1 milestone

Networking

• Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
  • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
• Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
• Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
• Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
• Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
• Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
• Improve the error reported when kernel modules ip_set, ip_set_hash_net and netilter_xt_set are not available. moby/moby#49524
• Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
• Update --help output and man page lo state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

• Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
• Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
• Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
• Fix regression protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
• containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
• containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
• Fix compilation on i386 moby/moby#49526

Packaging updates

• Update github.com/go-jose/go-jose/v4 to v4.0.5 to address. GHSA-c6gw-w398-hv78 / CVE-2025-27144 docker/cli#5867
• Update Buildx to v0.21.1. docker/docker-ce-packaging#1167
• Update Compose to v2.33.1. docker/docker-ce-packaging#1168

API

• containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
• containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535

• bbd0a17 Merge pull request #49538 from robmry/docker_ingress
• 8ae4858 Merge pull request #49545 from robmry/revert_check-config_ipset
• 1814363 Revert "contrib/check-config: add ipset related flags"
• 558da63 Jump to DOCKER-INGRESS from DOCKER-FORWARD
• f92fdfe Merge pull request #49530 from robmry/disable_ip_set
• 88bc9a3 Merge pull request #49535 from vvoland/c8d-fixcontentsize
• 76417bf Don't use ipset
• c35159e c8d/manifests: Fix Content size including missing content
• 0510499 Merge pull request #49533 from vvoland/c8d-inspectlist-indeximg
• 0274c63 Merge pull request #49518 from robmry/docker_forward_chain
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions