chore(deps): update dependency moby/moby to v26

[renovate]

This PR contains the following updates:

Package	Update	Change
moby/moby	major	v25.0.4 -> v26.0.0

---

Release Notes

moby/moby (moby/moby)

v26.0.0

Compare Source

26.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.0.0 milestone
• moby/moby, 26.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

New

• Add Subpath field to the VolumeOptions making it possible to mount a subpath of a volume. moby/moby#45687
• Add volume-subpath support to the mount flag (--mount type=volume,...,volume-subpath=<subpath>). docker/cli#4331
• Accept = separators and [ipv6] in compose files for docker stack deploy. docker/cli#4860
• rootless: Add support for enabling host loopback by setting the DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK environment variable to false (defaults to true). This lets containers connect to the host by using IP address 10.0.2.2. moby/moby#47352
• containerd image store: docker image ls no longer creates duplicates entries for multi-platform images. moby/moby#45967
• containerd image store: Send Prometheus metrics. moby/moby#47555

Bug fixes and enhancements

• CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
• Ensure that a generated MAC address is not restored when a container is restarted, but a configured MAC address is preserved. moby/moby#47233

[!WARNING]

Containers created using Docker Engine 25.0.0 may have duplicate MAC addresses, they must be re-created.
Containers created using version 25.0.0 or 25.0.1 with user-defined MAC addresses will get generated MAC addresses when they are started using 25.0.2. They must also be re-created.

• Always attempt to enable IPv6 on a container's loopback interface, and only include IPv6 in /etc/hosts if successful. moby/moby#47062

[!NOTE]

By default, IPv6 will remain enabled on a container's loopback interface when the container is not connected to an IPv6-enabled network.
For example, containers that are only connected to an IPv4-only network now have the ::1 address on their loopback interface.

To disable IPv6 in a container,
use option --sysctl net.ipv6.conf.all.disable_ipv6=1 in the create or run command,
or the equivalent sysctls option in the service configuration section of a Compose file.

If IPv6 is not available in a container because it has been explicitly disabled for the container,
or the host's networking stack does not have IPv6 enabled (or for any other reason)
the container's /etc/hosts file will not include IPv6 entries.

• Fix ADD Dockerfile instruction failing with lsetxattr <file>: operation not supported when unpacking archive with xattrs onto a filesystem that doesn't support them. moby/moby#47175
• Fix docker container start failing when used with --checkpoint. moby/moby#47456
• Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47356
• Do not enforce new validation rules for existing swarm networks. moby/moby#47361
• Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47375
• Print hint when invoking docker image ls with ambiguous argument. docker/cli#4849
• Cleanup @docker_cli_[UUID] files on OpenBSD. docker/cli#4862
• Add explicit deprecation notice message when using remote TCP connections without TLS. docker/cli#4928, moby/moby#47556
• Use IPv6 nameservers from the host's resolv.conf as upstream resolvers for Docker Engine's internal DNS, rather than listing them in the container's resolv.conf. moby/moby#47512
• containerd image store: Isolate images with different containerd namespaces when --userns-remap option is used. moby/moby#46786
• containerd image store: Fix image pull not emitting Pulling fs layer status. moby/moby#47432

API

• To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44). moby/moby#47391
• GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
• Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
• The is_automated field in the POST /images/search endpoint results is always false now. Consequently, searching for is-automated=true will yield no results, while is-automated=false will be a no-op. moby/moby#47465
• Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430

Packaging updates

• Update BuildKit to v0.13.1. moby/moby#47582
• Update Buildx to v0.13.1. docker/docker-ce-packaging#1000
• Update Compose to v2.25.0. docker/docker-ce-packaging#1002
• Update Go runtime to 1.21.8. moby/moby#47502
• Update RootlessKit to v2.0.2. moby/moby#47508
• Update containerd to v1.7.13 (static binaries only) moby/moby#47278
• Update runc binary to v1.1.12 moby/moby#47268
• Update OTel to v0.46.1 / v1.21.0 moby/moby#47245

Removed

• Remove Container and ContainerConfig fields from the GET /images/{name}/json response. moby/moby#47430
• Deprecate the ability to accept remote TCP connections without TLS. Deprecation notice docker/cli#4928 moby/moby#47556.
• Remove deprecated API versions (API < v1.24) moby/moby#47155
• Disable pulling of deprecated image formats by default. These image formats are deprecated, and support will be removed in a future version. moby/moby#47459
• image: remove deprecated IDFromDigest moby/moby#47198
• Remove the deprecated github.com/docker/docker/pkg/loopback package. moby/moby#47128
• pkg/system: remove deprecated ErrNotSupportedOperatingSystem, IsOSSupported moby/moby#47129
• pkg/homedir: remove deprecated Key() and GetShortcutString() moby/moby#47130
• pkg/containerfs: remove deprecated ResolveScopedPath moby/moby#47131
• The daemon flag --oom-score-adjust was deprecated in v24.0 and is now removed. moby/moby#46113
• Remove deprecated aliases from the api/types package. These types were deprecated in v25.0.0, which provided temporary aliases. moby/moby#47148
  These aliases are now removed: types.Info, types.Commit, types.PluginsInfo, types.NetworkAddressPool, types.Runtime, types.SecurityOpt, types.KeyValue, types.DecodeSecurityOptions, types.CheckpointCreateOptions, types.CheckpointListOptions, types.CheckpointDeleteOptions, types.Checkpoint, types.ImageDeleteResponseItem, types.ImageSummary, types.ImageMetadata, types.ServiceUpdateResponse, types.ServiceCreateResponse, types.ResizeOptions, types.ContainerAttachOptions, types.ContainerCommitOptions, types.ContainerRemoveOptions, types.ContainerStartOptions, types.ContainerListOptions, types.ContainerLogsOptions
• cli/command/container: remove deprecated NewStartOptions() docker/cli#4811
• cli/command: remove deprecated DockerCliOption, InitializeOpt docker/cli#4810

v25.0.5: 25.0.5

Compare Source

25.0.5

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 25.0.5 milestone
• moby/moby, 25.0.5 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.

Bug fixes and enhancements

• CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. moby/moby#47589
• plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
• rootless: fix open /etc/docker/plugins: permission denied. moby/moby#47587
• Fix multiple parallel docker build runs leaking disk space. moby/moby#47527

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.64%. Comparing base (9c20b44) to head (1b7d206).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #286   +/-   ##
=======================================
  Coverage   62.64%   62.64%           
=======================================
  Files          16       16           
  Lines         945      945           
  Branches       95       95           
=======================================
  Hits          592      592           
  Misses        322      322           
  Partials       31       31           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.