v29.6.0

New

• POST /containers/{id}/update now supports per-device blkio resource settings
• Add GET /images/{name}/attestations endpoint to retrieve in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image

Bug fixes and enhancements

• docker image push now respects NO_COLOR
• containerd image store: Fix docker system prune to include unpacked image data when reporting reclaimed space
• Fix docker system df image size reporting to count only snapshots directly used by images
• Fix a bug where registry authentication failures during worker image pulls were reported as a misleading "No such image" error
• Fix default BuildKit GC policy to prune reproducible cache types as intended
• Fix explicit file modes being filtered by the daemon umask, including COPY --chmod permissions
• Fix image selection with the containerd image store on amd64 hosts when images provide amd64 variant-specific manifests
• The --password flag on docker login now accepts - to pass the password through STDIN as alternative to --password-stdin

Packaging updates

• Update runc (in static binaries) to v1.3.6
• Update BuildKit to v0.31.0

Networking

• Allow the nftables firewall mode to be used with a daemon that is linked against libnftables when the nft command is not installed on the system
• Don't publish container ports on host ports listed in net.ipv4.ip_local_reserved_ports when dynamically allocating ports
• Fix a race condition in overlay network bulk sync that caused ~30s DNS resolution delays on newly joined swarm nodes
• Mitigate a crash in libnftables when using nftables as the firewall backend by changing the default build option

Rootless

• Silence the spurious warning "IPv4 forwarding is disabled"

Deprecations

• The Engine now returns a deprecation warning when a container connected to the default bridge is created with links specified