Can not set MTU above 1500 for docker default bridge device #47308

Closed
ivasilyev-mxr opened this issue Feb 2, 2024 · 5 comments
Labels
area/networking/d/bridge area/networking kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/confirmed version/25.0
Milestone

Comments


ivasilyev-mxr commented Feb 2, 2024

Description

After upgrade to version 25, attempting to set the mtu value above 1500 in /etc/docker/daemon.json results in this error being thrown: https://github.com/moby/moby/pull/46849/files#diff-77245372071f1b23e0b41e6ac4bd8212a33512dce6159146fff873d3da252c75R50

Even attempting to delete the device and any network information in the docker data dir results in the same error.

Setting a value less than 1500 works as expected and as described in #46849 (the device has the correct value even if no containers are attached).

➜  ~ sudo ip link delete docker0
➜  ~ sudo rm -rf /var/lib/docker/network
➜  ~ sudo ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1600 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether fa:16:3e:63:50:c6 brd ff:ff:ff:ff:ff:ff
    

➜  ~ sudo dockerd --mtu 1501 -D
INFO[2024-02-02T12:41:37.575765119Z] Starting up                                  
DEBU[2024-02-02T12:41:37.577609096Z] Listener created for HTTP on unix (/var/run/docker.sock) 
DEBU[2024-02-02T12:41:37.756685501Z] Golang's threads limit set to 56070          
DEBU[2024-02-02T12:41:37.757971951Z] metrics API listening on /var/run/docker/metrics.sock 
DEBU[2024-02-02T12:41:37.793784202Z] Using default logging driver json-file       
DEBU[2024-02-02T12:41:37.794156567Z] processing event stream                       module=libcontainerd namespace=plugins.moby
DEBU[2024-02-02T12:41:37.794288490Z] No quota support for local volumes in /var/lib/docker/volumes: Filesystem does not support, or has not enabled quotas 
DEBU[2024-02-02T12:41:37.837618598Z] [graphdriver] priority list: [overlay2 fuse-overlayfs btrfs zfs vfs] 
DEBU[2024-02-02T12:41:37.862174483Z] successfully detected metacopy status         storage-driver=overlay2 usingMetacopy=false
DEBU[2024-02-02T12:41:37.879104888Z] backingFs=xfs, projectQuotaSupported=false, usingMetacopy=false, indexOff="index=off,", userxattr=""  storage-driver=overlay2
INFO[2024-02-02T12:41:37.879190019Z] [graphdriver] using prior storage driver: overlay2 
DEBU[2024-02-02T12:41:37.879210700Z] Initialized graph driver overlay2            
DEBU[2024-02-02T12:41:39.783188765Z] Max Concurrent Downloads: 3                  
DEBU[2024-02-02T12:41:39.783241726Z] Max Concurrent Uploads: 5                    
DEBU[2024-02-02T12:41:39.783256036Z] Max Download Attempts: 5                     
INFO[2024-02-02T12:41:39.783298216Z] Loading containers: start.                   
DEBU[2024-02-02T12:41:39.783408948Z] Option DefaultDriver: bridge                 
DEBU[2024-02-02T12:41:39.783422698Z] Option DefaultNetwork: bridge                
DEBU[2024-02-02T12:41:39.783432199Z] Network Control Plane MTU: 1500              
DEBU[2024-02-02T12:41:39.783677922Z] processing event stream                       module=libcontainerd namespace=moby
INFO[2024-02-02T12:41:39.803737077Z] Firewalld: docker zone already exists, returning 
DEBU[2024-02-02T12:41:39.836776204Z] Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION] 
DEBU[2024-02-02T12:41:39.849317590Z] Firewalld passthrough: ipv4, [-t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[2024-02-02T12:41:39.862420576Z] Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER] 
DEBU[2024-02-02T12:41:39.872397902Z] Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[2024-02-02T12:41:39.883982353Z] Firewalld passthrough: ipv4, [-t nat -D PREROUTING] 
DEBU[2024-02-02T12:41:39.894377456Z] Firewalld passthrough: ipv4, [-t nat -D OUTPUT] 
DEBU[2024-02-02T12:41:39.904517865Z] Firewalld passthrough: ipv4, [-t nat -F DOCKER] 
DEBU[2024-02-02T12:41:39.914930898Z] Firewalld passthrough: ipv4, [-t nat -X DOCKER] 
DEBU[2024-02-02T12:41:39.928427809Z] Firewalld passthrough: ipv4, [-t filter -F DOCKER] 
DEBU[2024-02-02T12:41:39.940257565Z] Firewalld passthrough: ipv4, [-t filter -X DOCKER] 
DEBU[2024-02-02T12:41:39.951720524Z] Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-1] 
DEBU[2024-02-02T12:41:39.961257423Z] Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-1] 
DEBU[2024-02-02T12:41:39.970111752Z] Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-2] 
DEBU[2024-02-02T12:41:39.979666842Z] Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-2] 
DEBU[2024-02-02T12:41:39.990484350Z] Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION] 
DEBU[2024-02-02T12:41:40.000524318Z] Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION] 
DEBU[2024-02-02T12:41:40.009488559Z] Firewalld passthrough: ipv4, [-t nat -n -L DOCKER] 
DEBU[2024-02-02T12:41:40.017724368Z] Firewalld passthrough: ipv4, [-t nat -N DOCKER] 
DEBU[2024-02-02T12:41:40.026659756Z] Firewalld passthrough: ipv4, [-t filter -n -L DOCKER] 
DEBU[2024-02-02T12:41:40.036242738Z] Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-1] 
DEBU[2024-02-02T12:41:40.045497731Z] Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-2] 
DEBU[2024-02-02T12:41:40.054704017Z] Firewalld passthrough: ipv4, [-t filter -N DOCKER-ISOLATION-STAGE-2] 
DEBU[2024-02-02T12:41:40.062958146Z] Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -j RETURN] 
DEBU[2024-02-02T12:41:40.070953191Z] Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-1 -j RETURN] 
DEBU[2024-02-02T12:41:40.078731612Z] Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -j RETURN] 
DEBU[2024-02-02T12:41:40.087589791Z] Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-2 -j RETURN] 
DEBU[2024-02-02T12:41:40.155279152Z] Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-USER] 
DEBU[2024-02-02T12:41:40.164695118Z] Firewalld passthrough: ipv4, [-t filter -C DOCKER-USER -j RETURN] 
DEBU[2024-02-02T12:41:40.173922974Z] Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.182493528Z] Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.191471038Z] Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.274351696Z] Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-USER] 
DEBU[2024-02-02T12:41:40.284534576Z] Firewalld passthrough: ipv4, [-t filter -C DOCKER-USER -j RETURN] 
DEBU[2024-02-02T12:41:40.294126566Z] Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.302748301Z] Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.313711923Z] Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-USER] 
DEBU[2024-02-02T12:41:40.440678600Z] Allocating IPv4 pools for network bridge (c3185d870889cc0cd1ad11b0542d5b4beb2ab0212ecaa3e582841d71fd6cd169) 
DEBU[2024-02-02T12:41:40.440728832Z] RequestPool(LocalDefault, , , _, false)      
DEBU[2024-02-02T12:41:40.441222008Z] RequestAddress(LocalDefault/172.17.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway]) 
DEBU[2024-02-02T12:41:40.441287260Z] Request address PoolID:172.17.0.0/16 Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:invalid IP  
DEBU[2024-02-02T12:41:40.441389682Z] Did not find any interface with name docker0: Link not found 
DEBU[2024-02-02T12:41:40.441424332Z] Setting bridge mac address to 02:42:75:6f:84:38 
ERRO[2024-02-02T12:41:40.442017412Z] Failed to set bridge MTU docker0 via netlink  error="invalid argument"
DEBU[2024-02-02T12:41:40.442071133Z] releasing IPv4 pools from network bridge (c3185d870889cc0cd1ad11b0542d5b4beb2ab0212ecaa3e582841d71fd6cd169) 
DEBU[2024-02-02T12:41:40.442107653Z] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1) 
DEBU[2024-02-02T12:41:40.442129964Z] Released address Address:172.17.0.1 Sequence:Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:2 
DEBU[2024-02-02T12:41:40.442140844Z] ReleasePool(LocalDefault/172.17.0.0/16)      
DEBU[2024-02-02T12:41:40.442159903Z] daemon configured with a 15 seconds minimum shutdown timeout 
DEBU[2024-02-02T12:41:40.442176364Z] start clean shutdown of all containers with a 15 seconds timeout... 
DEBU[2024-02-02T12:41:40.443544736Z] Unix socket /var/run/docker/libnetwork/af367d88d83b.sock was closed. The external key listener will stop. 
DEBU[2024-02-02T12:41:40.443971402Z] Cleaning up old mountid : start.             
DEBU[2024-02-02T12:41:40.444282437Z] Cleaning up old mountid : done.              
failed to start daemon: Error initializing network controller: error creating default "bridge" network: invalid argument


# Note: device still created with MTU = 1500, even though a different value was passed on the command line above
➜  ~ ip link show docker0
25: docker0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default 
    link/ether 02:42:75:6f:84:38 brd ff:ff:ff:ff:ff:ff

The Invalid Argument error is the same as when trying to set the value directly:

➜  ~ sudo ip link set docker0 mtu 1501
RTNETLINK answers: Invalid argument

Any MTU value <= 1500 works ok and the daemon starts:

➜  ~ sudo dockerd --mtu 1234 -D 
INFO[2024-02-02T12:46:58.344400932Z] Starting up                                  
...               
INFO[2024-02-02T12:46:59.447297038Z] Docker daemon                                 commit=fce6e0c containerd-snapshotter=false storage-driver=overlay2 version=25.0.2
INFO[2024-02-02T12:46:59.447384729Z] Daemon has completed initialization          


# Value set to MTU = 1234 like passed on command line
➜  ~ ip link show docker0
25: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1234 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:75:6f:84:38 brd ff:ff:ff:ff:ff:ff

Reproduce

  1. Stop docker daemon
  2. (Optional) Delete docker0 device to be sure it is created fresh
  3. Set a value mtu > 1500
  4. Start docker daemon

Expected behavior

Docker daemon should start and set the docker0 device MTU equal to whatever value was given, even if above 1500

docker version

Client: Docker Engine - Community
 Version:           25.0.2
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Thu Feb  1 00:26:25 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.2
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       fce6e0c
  Built:            Thu Feb  1 00:25:25 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.25
  GitCommit:        d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
 runc:
  Version:          1.1.10
  GitCommit:        v1.1.10-0-g18a0cb0
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    25.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 14
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
 runc version: v1.1.10-0-g18a0cb0
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 3.10.0-1160.83.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.638GiB
 Name: xxx
 ID: 152d8db8-141c-4e42-83eb-c573bb5c1de3
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 25
  Goroutines: 48
  System Time: 2024-02-02T12:49:58.542495393Z
  EventsListeners: 0
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

@ivasilyev-mxr ivasilyev-mxr added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Feb 2, 2024
akerouanton (Member) commented

Hi @ivasilyev-mxr, thanks for reporting.

It looks like only recent kernel versions (>v4.17) support setting an MTU > 1500. This is the kernel commit that changed that: torvalds/linux@804b854#diff-8890d9e4af15cb336e8af091bc0b7495e98a6cc2aed5af0e14d5631d7b7eb0f7L228-L230

I'm going to submit a patch to make sure we just log an error in case we get a -EINVAL.

@akerouanton akerouanton added this to the 25.0.3 milestone Feb 2, 2024
corhere (Contributor) commented Feb 2, 2024

To clarify, Linux <v4.17 does support jumbo frames on bridges. It just doesn't allow the MTU of a bridge to be changed to a value larger than the smallest MTU of the links attached to it, with a default max of 1500 when the bridge is empty.

ivasilyev-mxr (Author) commented

Hi @akerouanton thanks for the reply.

On an older version of Docker it works ok, on the same machine. The MTU changes to a value > 1500 when attaching a container to the device:

➜  ~ sudo yum list installed | grep docker-ce.x86
docker-ce.x86_64                       3:24.0.9-1.el7                 @docker-ce-stable

➜  ~ ip link show docker0
25: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:75:6f:84:38 brd ff:ff:ff:ff:ff:ff

➜  ~ sudo dockerd --mtu 8000  -D
INFO[2024-02-02T16:29:28.963508498Z] Starting up                                  
.....               
INFO[2024-02-02T16:29:30.487378312Z] Docker daemon                                 commit=fca702d graphdriver=overlay2 version=24.0.9
INFO[2024-02-02T16:29:30.487474823Z] Daemon has completed initialization 
  
# or whatever other image
➜  ~ docker run -d  node:16-alpine tail -f /dev/null
9ba92565f6514f0de37780c46c93049177bd1d86d6051e1ca76430269fefa637

# MTU = 8000 as passed to daemon
➜  ~ ip link show docker0                           
25: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8000 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:75:6f:84:38 brd ff:ff:ff:ff:ff:ff

➜  ~ uname -r
3.10.0-1160.83.1.el7.x86_64

ivasilyev-mxr (Author) commented

@akerouanton I realized I misunderstood your comment after reading your pull request description... I thought you were saying it had never worked before on the older kernel.

Thanks

akerouanton (Member) commented

@ivasilyev-mxr Yeah my previous comment wasn't crystal clear. #47311 has been merged; v25.0.3 will fix this regression. Let me close this one.
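A constructed Go model of the behaviour corhere and akerouanton describe above, added here as an illustration and not code from moby or from the linked PR: on a pre-4.17 kernel the bridge MTU is capped at the smallest attached port MTU (1500 while the bridge is empty), so a daemon that treats the resulting EINVAL as fatal aborts startup, whereas one that logs and continues sees the MTU rise once the first container's veth attaches. The `bridge` type, `kernelAllowsLargeEmptyBridgeMTU` and `applyBridgeMTU` are assumptions of this model, not netlink or moby APIs, and the 65535 limit for newer kernels is a simplification.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

const ethDefaultMTU = 1500

// bridge is a constructed stand-in for docker0; it models only the MTU rule discussed in the thread.
type bridge struct {
	mtu       int
	portMTUs  []int // MTUs of the container veth ports currently attached
	newKernel bool  // kernel >= 4.17: an empty bridge accepts any MTU
}

func newBridge(release string) *bridge {
	return &bridge{mtu: ethDefaultMTU, newKernel: kernelAllowsLargeEmptyBridgeMTU(release)}
}

// kernelAllowsLargeEmptyBridgeMTU reports whether a `uname -r` release string is at least 4.17.
func kernelAllowsLargeEmptyBridgeMTU(release string) bool {
	var major, minor int
	if _, err := fmt.Sscanf(release, "%d.%d", &major, &minor); err != nil {
		return false // unparseable: assume the conservative, older behaviour
	}
	return major > 4 || (major == 4 && minor >= 17)
}

// maxMTU is the largest value the modelled kernel accepts right now: the smallest port MTU, or 1500 when empty on pre-4.17.
func (b *bridge) maxMTU() int {
	if len(b.portMTUs) == 0 && b.newKernel {
		return 65535 // ETH_MAX_MTU; a simplification of the post-4.17 rule (assumption)
	}
	m := ethDefaultMTU
	for i, p := range b.portMTUs {
		if i == 0 || p < m {
			m = p
		}
	}
	return m
}

// setMTU stands in for the netlink link-set call; like the kernel it answers EINVAL beyond the limit.
func (b *bridge) setMTU(mtu int) error {
	if mtu > b.maxMTU() {
		return syscall.EINVAL
	}
	b.mtu = mtu
	return nil
}

// attachPort models a container veth joining the bridge. Pre-4.17 kernels auto-tune the
// bridge MTU to the smallest port MTU, which is why docker0 jumps to 8000 in the 24.0.9 run.
func (b *bridge) attachPort(portMTU int) {
	b.portMTUs = append(b.portMTUs, portMTU)
	if !b.newKernel {
		b.mtu = b.maxMTU()
	}
}

// applyBridgeMTU contrasts the two daemon behaviours: strict=true aborts startup on any
// error (the v25.0.2 regression); strict=false logs EINVAL and carries on, leaving the
// MTU to be raised when the first container attaches.
func applyBridgeMTU(b *bridge, want int, strict bool) error {
	err := b.setMTU(want)
	if err == nil {
		return nil
	}
	if errors.Is(err, syscall.EINVAL) && !strict {
		fmt.Printf("Failed to set bridge MTU to %d: %v (continuing)\n", want, err)
		return nil
	}
	return fmt.Errorf("error creating default \"bridge\" network: %w", err)
}

func main() {
	b := newBridge("3.10.0-1160.83.1.el7.x86_64") // kernel release from the report
	fmt.Println("strict --mtu 1501:", applyBridgeMTU(b, 1501, true))
	fmt.Println("lenient --mtu 1501:", applyBridgeMTU(b, 1501, false), "bridge mtu", b.mtu)
	b.attachPort(8000) // first container starts; the pre-4.17 kernel auto-tunes
	fmt.Println("after attach: bridge mtu", b.mtu)
}
```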

idodod added a commit to earthly/dind that referenced this issue Apr 22, 2024

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://togithub.com/docker/docker) | patch | `25.0.1` -> `25.0.5` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

### [`v25.0.5`](https://togithub.com/moby/moby/releases/tag/v25.0.5)

[Compare
Source](https://togithub.com/docker/docker/compare/v25.0.4...v25.0.5)

#### 25.0.5

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 25.0.5
milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.5)
- [moby/moby, 25.0.5
milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.5)
- Deprecated and removed features, see [Deprecated
Features](https://togithub.com/docker/cli/blob/v25.0.5/docs/deprecated.md).
- Changes to the Engine API, see [API version
history](https://togithub.com/moby/moby/blob/v25.0.5/docs/api/version-history.md).

##### Security

This release contains a security fix for [CVE-2024-29018], a potential
data exfiltration from 'internal' networks via authoritative DNS
servers.

##### Bug fixes and enhancements

- [CVE-2024-29018]: Do not forward requests to external DNS servers for
a container that is only connected to an 'internal' network. Previously,
requests were forwarded if the host's DNS server was running on a
loopback address, like systemd's 127.0.0.53.
[moby/moby#47589](https://togithub.com/moby/moby/pull/47589)
- plugin: fix mounting /etc/hosts when running in UserNS.
[moby/moby#47588](https://togithub.com/moby/moby/pull/47588)
- rootless: fix `open /etc/docker/plugins: permission denied`.
[moby/moby#47587](https://togithub.com/moby/moby/pull/47587)
- Fix multiple parallel `docker build` runs leaking disk space.
[moby/moby#47527](https://togithub.com/moby/moby/pull/47527)

[CVE-2024-29018]:
https://togithub.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx

### [`v25.0.4`](https://togithub.com/moby/moby/releases/tag/v25.0.4)

[Compare
Source](https://togithub.com/docker/docker/compare/v25.0.3...v25.0.4)

#### 25.0.4

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 25.0.4
milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.4)
- [moby/moby, 25.0.4
milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.4)
- Deprecated and removed features, see [Deprecated
Features](https://togithub.com/docker/cli/blob/v25.0.4/docs/deprecated.md).
- Changes to the Engine API, see [API version
history](https://togithub.com/moby/moby/blob/v25.0.4/docs/api/version-history.md).

##### Bug fixes and enhancements

- Restore DNS names for containers in the default "nat" network on
Windows. [moby/moby#47490](https://togithub.com/moby/moby/pull/47490)
- Fix `docker start` failing when used with `--checkpoint`
[moby/moby#47466](https://togithub.com/moby/moby/pull/47466)
- Don't enforce new validation rules for existing swarm networks
[moby/moby#47482](https://togithub.com/moby/moby/pull/47482)
- Restore IP connectivity between the host and containers on an internal
bridge network.
[moby/moby#47481](https://togithub.com/moby/moby/pull/47481)
- Fix a regression introduced in v25.0 that prevented the classic
builder from ADDing a tar archive with xattrs created on a non-Linux OS
[moby/moby#47483](https://togithub.com/moby/moby/pull/47483)
- containerd image store: Fix image pull not emitting `Pulling fs layer`
status [moby/moby#47484](https://togithub.com/moby/moby/pull/47484)

##### API

- To preserve backwards compatibility, make read-only mounts not
recursive by default when using older clients (API version < v1.44).
[moby/moby#47393](https://togithub.com/moby/moby/pull/47393)
- `GET /images/{id}/json` omits the `Created` field (previously it was
`0001-01-01T00:00:00Z`) if the `Created` field is missing from the image
config. [moby/moby#47451](https://togithub.com/moby/moby/pull/47451)
- Populate a missing `Created` field in `GET /images/{id}/json` with
`0001-01-01T00:00:00Z` for API version <= 1.43.
[moby/moby#47387](https://togithub.com/moby/moby/pull/47387)
- Fix a regression that caused API socket connection failures to report
an API version negotiation failure instead.
[moby/moby#47470](https://togithub.com/moby/moby/pull/47470)
- Preserve supplied endpoint configuration in a container-create API
request, when a container-wide MAC address is specified, but
`NetworkMode` name-or-id is not the same as the name-or-id used in
`NetworkSettings.Networks`.
[moby/moby#47510](https://togithub.com/moby/moby/pull/47510)

##### Packaging updates

- Upgrade Go runtime to
[1.21.8](https://go.dev/doc/devel/release#go1.21.8).
[moby/moby#47503](https://togithub.com/moby/moby/pull/47503)
- Upgrade RootlessKit to
[v2.0.2](https://togithub.com/rootless-containers/rootlesskit/releases/tag/v2.0.2).
[moby/moby#47508](https://togithub.com/moby/moby/pull/47508)
- Upgrade Compose to
[v2.24.7](https://togithub.com/docker/compose/releases/tag/v2.24.7).
[docker/docker-ce-packaging#998
- Upgrade Buildx to
[v0.13.0](https://togithub.com/docker/buildx/releases/tag/v0.13.0).
[docker/docker-ce-packaging#997

**Full Changelog**:
moby/moby@v25.0.3...v25.0.4

### [`v25.0.3`](https://togithub.com/moby/moby/releases/tag/v25.0.3)

[Compare
Source](https://togithub.com/docker/docker/compare/v25.0.2...v25.0.3)

#### 25.0.3

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 25.0.3
milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.3)
- [moby/moby, 25.0.3
milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.3)

##### Bug fixes and enhancements

- containerd image store: Fix a bug where `docker image history` would
fail if a manifest wasn't found in the content store.
[moby/moby#47348](https://togithub.com/moby/moby/pull/47348)
- Ensure that a generated MAC address is not restored when a container
is restarted, but a configured MAC address is preserved.
[moby/moby#47304](https://togithub.com/moby/moby/pull/47304)

  > **Note**
  >
  > - Containers created with Docker Engine version 25.0.0 may have duplicate MAC addresses. They must be re-created.
  > - Containers with user-defined MAC addresses created with Docker Engine versions 25.0.0 or 25.0.1 receive new MAC addresses when started using Docker Engine version 25.0.2. They must also be re-created.

<!---->

- Fix `docker save <image>@&#8203;<digest>` producing an OCI archive
with index without manifests.
[moby/moby#47294](https://togithub.com/moby/moby/pull/47294)
- Fix a bug preventing bridge networks from being created with an MTU
higher than 1500 on RHEL and CentOS 7.
[moby/moby#47308](https://togithub.com/moby/moby/issues/47308),
[moby/moby#47311](https://togithub.com/moby/moby/pull/47311)
- Fix a bug where containers are unable to communicate over an
`internal` network.
[moby/moby#47303](https://togithub.com/moby/moby/pull/47303)
- Fix a bug where the value of the `ipv6` daemon option was ignored.
[moby/moby#47310](https://togithub.com/moby/moby/pull/47310)
- Fix a bug where trying to install a pulling using a digest revision
would cause a panic.
[moby/moby#47323](https://togithub.com/moby/moby/pull/47323)
- Fix a potential race condition in the managed containerd supervisor.
[moby/moby#47313](https://togithub.com/moby/moby/pull/47313)
- Fix an issue with the `journald` log driver preventing container logs
from being followed correctly with systemd version 255.
[moby/moby#47243](https://togithub.com/moby/moby/pull/47243)
- seccomp: Update the builtin seccomp profile to include syscalls added
in kernel v5.17 - v6.7 to align the profile with the profile used by
containerd. [moby/moby#47341](https://togithub.com/moby/moby/pull/47341)
- Windows: Fix cache not being used when building images based on
Windows versions older than the host's version.
[moby/moby#47307](https://togithub.com/moby/moby/pull/47307),
[moby/moby#47337](https://togithub.com/moby/moby/pull/47337)

##### Packaging updates

- Removed support for Ubuntu Lunar (23.04).
[docker/ce-packaging#986](https://togithub.com/docker/docker-ce-packaging/pull/986)

### [`v25.0.2`](https://togithub.com/moby/moby/releases/tag/v25.0.2)

[Compare
Source](https://togithub.com/docker/docker/compare/v25.0.1...v25.0.2)

#### 25.0.2

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 25.0.2
milestone](https://togithub.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.2)
- [moby/moby, 25.0.2
milestone](https://togithub.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.2)

##### Security

This release contains security fixes for the following CVEs
affecting Docker Engine and its components.

| CVE | Component | Fix version | Severity |
| --- | --- | --- | --- |
| [CVE-2024-21626](https://scout.docker.com/v/CVE-2024-21626) | runc | 1.1.12 | High, CVSS 8.6 |
| [CVE-2024-23651](https://scout.docker.com/v/CVE-2024-23651) | BuildKit | 1.12.5 | High, CVSS 8.7 |
| [CVE-2024-23652](https://scout.docker.com/v/CVE-2024-23652) | BuildKit | 1.12.5 | High, CVSS 8.7 |
| [CVE-2024-23653](https://scout.docker.com/v/CVE-2024-23653) | BuildKit | 1.12.5 | High, CVSS 7.7 |
| [CVE-2024-23650](https://scout.docker.com/v/CVE-2024-23650) | BuildKit | 1.12.5 | Medium, CVSS 5.5 |
| [CVE-2024-24557](https://scout.docker.com/v/CVE-2024-24557) | Docker Engine | 25.0.2 | Medium, CVSS 6.9 |

The potential impacts of the above vulnerabilities include:

- Unauthorized access to the host filesystem
- Compromising the integrity of the build cache
- In the case of CVE-2024-21626, a scenario that could lead to full container escape

For more information about the security issues addressed in this
release,
refer to the [blog
post](https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/).
For details about each vulnerability, see the relevant security
advisory:

- [CVE-2024-21626](https://togithub.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)
- [CVE-2024-23651](https://togithub.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv)
- [CVE-2024-23652](https://togithub.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8)
- [CVE-2024-23653](https://togithub.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g)
- [CVE-2024-23650](https://togithub.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx)
- [CVE-2024-24557](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc)

##### Packaging updates

- Upgrade containerd to
[v1.6.28](https://togithub.com/containerd/containerd/releases/tag/v1.6.28).
- Upgrade containerd to v1.7.13 (static binaries only).
[moby/moby#47280](https://togithub.com/moby/moby/pull/47280)
- Upgrade runc to v1.1.12.
[moby/moby#47269](https://togithub.com/moby/moby/pull/47269)
- Upgrade Compose to v2.24.5.
[docker/docker-ce-packaging#985](https://togithub.com/docker/docker-ce-packaging/pull/985)
- Upgrade BuildKit to v0.12.5.
[moby/moby#47273](https://togithub.com/moby/moby/pull/47273)

</details>

---


This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/earthly/dind).


---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: idodod <ido@earthly.dev>