From 2334df110831996573262cbf6e440885c7f79e72 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn
Date: Fri, 3 Jan 2025 20:50:48 +0100
Subject: [PATCH 1/3] Deprecate configuration for pushing non-distributable artifacts

Non-distributable artifacts (also called foreign layers) were introduced in docker v1.12 to accommodate Windows images for which the EULA did not allow layers to be distributed through registries other than those hosted by Microsoft. The concept of foreign / non-distributable layers was adopted by the OCI distribution spec in [oci#233]. These restrictions were relaxed later to allow distributing these images through non-public registries, for which a configuration was added in Docker v17.0.6.0.

In 2022, Microsoft updated the EULA and [removed these restrictions][msft-3645201], followed by the OCI distribution specification deprecating foreign layers in [oci#965]. In 2023, Microsoft [removed the use of foreign data layers][msft-3846833] for their images, making this functionality obsolete.

Docker v28.0 deprecates the `--allow-nondistributable-artifacts` daemon flag and corresponding `allow-nondistributable-artifacts` field in `daemon.json`. Setting either option no longer takes effect, but a deprecation warning log is added to raise awareness about the deprecation. This warning is planned to become an error in Docker v29.0.

Users currently using these options are therefore recommended to remove this option from their configuration to prevent the daemon from starting when upgrading to Docker v29.0.

The `AllowNondistributableArtifactsCIDRs` and `AllowNondistributableArtifactsHostnames` fields in the `RegistryConfig` of the `GET /info` API response are also deprecated. For API version v1.48 and lower, the fields are still included in the response but always `null`. In API version v1.49 and higher, the fields will be omitted entirely.
[oci#233]: https://github.com/opencontainers/image-spec/pull/233 [oci#965]: https://github.com/opencontainers/image-spec/pull/965 [msft-3645201]: https://techcommunity.microsoft.com/blog/containers/announcing-windows-container-base-image-redistribution-rights-change/3645201 [msft-3846833]: https://techcommunity.microsoft.com/blog/containers/announcing-removal-of-foreign-layers-from-windows-container-images/3846833 Signed-off-by: Sebastiaan van Stijn --- docs/deprecated.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/deprecated.md b/docs/deprecated.md index 9c99fad610..f27ea7c6a3 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -53,6 +53,7 @@ The following table provides an overview of the current status of deprecated fea | Status | Feature | Deprecated | Remove | |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|--------| +| Deprecated | [Configuration for pushing non-distributable artifacts](#configuration-for-pushing-non-distributable-artifacts) | v28.0 | v29.0 | | Deprecated | [`--time` option on `docker stop` and `docker restart`](#--time-option-on-docker-stop-and-docker-restart) | v28.0 | - | | Deprecated | [Non-standard fields in image inspect](#non-standard-fields-in-image-inspect) | v27.0 | v28.0 | | Removed | [API CORS headers](#api-cors-headers) | v27.0 | v28.0 | 
@@ -119,6 +120,45 @@ The following table provides an overview of the current status of deprecated fea | Removed | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit) | v0.10 | v1.13 | | Removed | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import) | v0.6.7 | v1.12 | +## Configuration for pushing non-distributable artifacts + +**Deprecated in Release: v28.0** +**Target For Removal In Release: v29.0** + +Non-distributable artifacts (also called foreign layers) were introduced in +docker v1.12 to accommodate Windows images for which the EULA did not allow +layers to be distributed through registries other than those hosted by Microsoft. +The concept of foreign / non-distributable layers was adopted by the OCI distribution +spec in [oci#233]. These restrictions were relaxed later to allow distributing +these images through non-public registries, for which a configuration was added +in Docker v17.0.6.0. + +In 2022, Microsoft updated the EULA and [removed these restrictions][msft-3645201], +followed by the OCI distribution specification deprecating foreign layers in [oci#965]. +In 2023, Microsoft [removed the use of foreign data layers][msft-3846833] for their images, +making this functionality obsolete. + +Docker v28.0 deprecates the `--allow-nondistributable-artifacts` daemon flag and +corresponding `allow-nondistributable-artifacts` field in `daemon.json`. Setting +either option no longer takes an effect, but a deprecation warning log is added +to raise awareness about the deprecation. This warning is planned to become an +error in the Docker v29.0. + +Users currently using these options are therefore recommended to remove this +option from their configuration to prevent the daemon from starting when +upgrading to Docker v29.0. + +The `AllowNondistributableArtifactsCIDRs` and `AllowNondistributableArtifactsHostnames` +fields in the `RegistryConfig` of the `GET /info` API response are also deprecated. 
+For API version v1.48 and lower, the fields are still included in the response +but always `null`. In API version v1.49 and higher, the field will be omitted +entirely. + +[oci#233]: https://github.com/opencontainers/image-spec/pull/233 +[oci#965]: https://github.com/opencontainers/image-spec/pull/965 +[msft-3645201]: https://techcommunity.microsoft.com/blog/containers/announcing-windows-container-base-image-redistribution-rights-change/3645201 +[msft-3846833]: https://techcommunity.microsoft.com/blog/containers/announcing-removal-of-foreign-layers-from-windows-container-images/3846833 + ### `--time` option on `docker stop` and `docker restart` **Deprecated in Release: v28.0** From 760326694d25decd69a8406fb64a4331556a976f Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 3 Jan 2025 21:06:53 +0100 Subject: [PATCH 2/3] contrib/completion: remove --allow-nondistributable-artifacts flag This flag is deprecated and no longer functional. Signed-off-by: Sebastiaan van Stijn --- contrib/completion/bash/docker | 1 - contrib/completion/zsh/_docker | 1 - 2 files changed, 2 deletions(-) diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker index c7f83b90a5..d8936e651f 100644 --- a/contrib/completion/bash/docker +++ b/contrib/completion/bash/docker @@ -2551,7 +2551,6 @@ _docker_daemon() { local options_with_args=" $global_options_with_args --add-runtime - --allow-nondistributable-artifacts --authorization-plugin --bip --bridge -b diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker index 094e4c81f5..8569784b85 100644 --- a/contrib/completion/zsh/_docker +++ b/contrib/completion/zsh/_docker 
@@ -2726,7 +2726,6 @@ __docker_subcommand() { _arguments $(__docker_arguments) \ $opts_help \ "($help)*--add-runtime=[Register an additional OCI compatible runtime]:runtime:__docker_complete_runtimes" \ - "($help)*--allow-nondistributable-artifacts=[Push nondistributable artifacts to specified registries]:registry: " \ "($help)*--authorization-plugin=[Authorization plugins to load]" \ "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \ "($help)--bip=[Network bridge IP]:IP address: " \ From 7e8f94903d46f1592889bc8e745639d5a370f794 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 3 Jan 2025 21:08:11 +0100 Subject: [PATCH 3/3] docs, man: remove --allow-nondistributable-artifacts flag This flag is deprecated and no longer functional. Signed-off-by: Sebastiaan van Stijn --- docs/reference/dockerd.md | 32 -------------------------------- man/dockerd.8.md | 15 --------------- 2 files changed, 47 deletions(-) diff --git a/docs/reference/dockerd.md b/docs/reference/dockerd.md index 75ae2b31ba..3c36462399 100644 --- a/docs/reference/dockerd.md +++ b/docs/reference/dockerd.md @@ -24,7 +24,6 @@ A self-sufficient runtime for containers. Options: --add-runtime runtime Register an additional OCI compatible runtime (default []) - --allow-nondistributable-artifacts list Allow push of nondistributable artifacts to registry --authorization-plugin list Authorization plugins to load --bip string Specify default-bridge IPv4 network --bip6 string Specify default-bridge IPv6 network 
@@ -688,34 +687,6 @@ To set the DNS search domain for all Docker containers, use: $ sudo dockerd --dns-search example.com ``` -### Allow push of non-distributable artifacts - -Some images (e.g., Windows base images) contain artifacts whose distribution is -restricted by license. When these images are pushed to a registry, restricted -artifacts are not included. - -To override this behavior for specific registries, use the -`--allow-nondistributable-artifacts` option in one of the following forms: - -* `--allow-nondistributable-artifacts myregistry:5000` tells the Docker daemon - to push non-distributable artifacts to myregistry:5000. -* `--allow-nondistributable-artifacts 10.1.0.0/16` tells the Docker daemon to - push non-distributable artifacts to all registries whose resolved IP address - is within the subnet described by the CIDR syntax. - -This option can be used multiple times. - -This option is useful when pushing images containing non-distributable artifacts -to a registry on an air-gapped network so hosts on that network can pull the -images without connecting to another server. - -> [!WARNING] -> Non-distributable artifacts typically have restrictions on how -> and where they can be distributed and shared. Only use this feature to push -> artifacts to private registries and ensure that you are in compliance with -> any terms that cover redistributing non-distributable artifacts. -{ .warning } - ### Insecure registries In this section, "registry" refers to a private registry, and `myregistry:5000` @@ -1086,7 +1057,6 @@ The following is a full example of the allowed configuration options on Linux: ```json { - "allow-nondistributable-artifacts": [], "authorization-plugins": [], "bip": "", "bip6": "", @@ -1234,7 +1204,6 @@ The following is a full example of the allowed configuration options on Windows: ```json { - "allow-nondistributable-artifacts": [], "authorization-plugins": [], "bridge": "", "containerd": "\\\\.\\pipe\\containerd-containerd", 
@@ -1338,7 +1307,6 @@ The list of currently supported options that can be reconfigured is this: | `default-runtime` | Configures the runtime to be used if not is specified at container creation. | | `runtimes` | Configures the list of available OCI runtimes that can be used to run containers. | | `authorization-plugin` | Specifies the authorization plugins to use. | -| `allow-nondistributable-artifacts` | Specifies a list of registries to which the daemon will push non-distributable artifacts. | | `insecure-registries` | Specifies a list of registries that the daemon should consider insecure. | | `registry-mirrors` | Specifies a list of registry mirrors. | | `shutdown-timeout` | Configures the daemon's existing configuration timeout with a new timeout for shutting down all containers. | diff --git a/man/dockerd.8.md b/man/dockerd.8.md index 16df2f17f8..0bd1b5deda 100644 --- a/man/dockerd.8.md +++ b/man/dockerd.8.md @@ -6,7 +6,6 @@ dockerd - Enable daemon mode # SYNOPSIS **dockerd** [**--add-runtime**[=*[]*]] -[**--allow-nondistributable-artifacts**[=*[]*]] [**--authorization-plugin**[=*[]*]] [**-b**|**--bridge**[=*BRIDGE*]] [**--bip**[=*BIP*]] 
@@ -126,20 +125,6 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru **Note**: defining runtime arguments via the command line is not supported. -**--allow-nondistributable-artifacts**=[] - Push nondistributable artifacts to the specified registries. - - List can contain elements with CIDR notation to specify a whole subnet. - - This option is useful when pushing images containing nondistributable - artifacts to a registry on an air-gapped network so hosts on that network can - pull the images without connecting to another server. - - **Warning**: Nondistributable artifacts typically have restrictions on how - and where they can be distributed and shared. Only use this feature to push - artifacts to private registries and ensure that you are in compliance with - any terms that cover redistributing nondistributable artifacts. - **--authorization-plugin**="" Set authorization plugins to load
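Review bot: The table row added in the first hunk of docs/deprecated.md marks the option as Deprecated in v28.0 with removal in v29.0, but this patch, and the series as a whole according to its diffstats, touches only documentation and shell-completion files, while the new section states that the daemon now ignores the option and logs a deprecation warning. Confirm that the corresponding daemon change has already landed, or land it together with this docs change, so the documented status matches the shipped behaviour.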
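Review bot: The new section in the second hunk of docs/deprecated.md is added as `+## Configuration for pushing non-distributable artifacts`, while the sibling section that follows it uses a level-three heading (`### \`--time\` option on \`docker stop\` and \`docker restart\``); use `###` so the new section nests under the same parent as its neighbours. In the same hunk, "to prevent the daemon from starting when upgrading to Docker v29.0" says the opposite of what is intended; suggest "to prevent the daemon from failing to start when upgrading to Docker v29.0". Smaller wording fixes in the hunk: "no longer takes an effect" should read "no longer takes effect", "in the Docker v29.0" should drop "the", and "the field will be omitted entirely" refers to two fields, so "the fields will be omitted entirely". Finally, "Docker v17.0.6.0" does not follow the version format used elsewhere in this table (v1.12, v27.0, v0.6.7); please double-check that version string.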
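Review bot: The hunk removing the "Allow push of non-distributable artifacts" section from docs/reference/dockerd.md drops every mention of the option from the daemon reference, yet according to the deprecated.md text in patch 1 the v28.0 daemon still accepts `--allow-nondistributable-artifacts` and the `allow-nondistributable-artifacts` key in `daemon.json`, only logging a deprecation warning. Consider leaving a one-line pointer to the deprecation entry in docs/deprecated.md where the section was, so an operator who sees the warning can find out why the option no longer does anything and what to change before v29.0.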