28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.1 milestone
• moby/moby, 28.0.1 milestone

Networking

• Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
  • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
• Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
• Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
• Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
• Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
• Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
• Improve the error reported when kernel modules ip_set, ip_set_hash_net and netilter_xt_set are not available. moby/moby#49524
• Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
• Update --help output and man page lo state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

• Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
• Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
• Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
• Fix regression protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
• containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
• containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
• Fix compilation on i386 moby/moby#49526

Packaging updates

• Update github.com/go-jose/go-jose/v4 to v4.0.5 to address. GHSA-c6gw-w398-hv78 / CVE-2025-27144 docker/cli#5867
• Update Buildx to v0.21.1. docker/docker-ce-packaging#1167
• Update Compose to v2.33.1. docker/docker-ce-packaging#1168

API

• containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
• containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535