From facdf1a3797eb129206a0e2b9bc5c0a7309bcb84 Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Thu, 10 Mar 2022 03:33:20 +0100
Subject: [PATCH 01/18] reference: update buildx to v0.8.0
Signed-off-by: CrazyMax
---
 _data/buildx/docker_buildx.yaml | 1 +
 _data/buildx/docker_buildx_bake.yaml | 140 +++-
 _data/buildx/docker_buildx_build.yaml | 510 +++++++++++----
 _data/buildx/docker_buildx_create.yaml | 78 +--
 _data/buildx/docker_buildx_du.yaml | 3 +
 _data/buildx/docker_buildx_imagetools.yaml | 1 +
 .../docker_buildx_imagetools_create.yaml | 18 +-
 .../docker_buildx_imagetools_inspect.yaml | 615 +++++++++++++++++-
 _data/buildx/docker_buildx_inspect.yaml | 2 +
 _data/buildx/docker_buildx_install.yaml | 1 +
 _data/buildx/docker_buildx_ls.yaml | 8 +-
 _data/buildx/docker_buildx_prune.yaml | 6 +
 _data/buildx/docker_buildx_rm.yaml | 58 ++
 _data/buildx/docker_buildx_stop.yaml | 1 +
 _data/buildx/docker_buildx_uninstall.yaml | 1 +
 _data/buildx/docker_buildx_use.yaml | 3 +
 _data/buildx/docker_buildx_version.yaml | 17 +-
 17 files changed, 1216 insertions(+), 247 deletions(-)
diff --git a/_data/buildx/docker_buildx.yaml b/_data/buildx/docker_buildx.yaml
index fb100ccfad..d03487be85 100644
--- a/_data/buildx/docker_buildx.yaml
+++ b/_data/buildx/docker_buildx.yaml
@@ -35,6 +35,7 @@ options:
 description: Override the configured builder instance
 details_url: '#builder'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
diff --git a/_data/buildx/docker_buildx_bake.yaml b/_data/buildx/docker_buildx_bake.yaml
index 016572afd2..88daea3e0b 100644
--- a/_data/buildx/docker_buildx_bake.yaml
+++ b/_data/buildx/docker_buildx_bake.yaml
@@ -22,6 +22,7 @@ options:
 description: Build definition file
 details_url: '#file'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -31,6 +32,7 @@ options:
 default_value: "false"
 description: Shorthand for `--set=*.output=type=docker`
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -39,6 +41,7 @@ options:
 value_type: string
 description: Write build result metadata to the file
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -49,6 +52,7 @@ options:
 description: Do not use cache when building the image
 details_url: '#no-cache'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -59,6 +63,7 @@ options:
 description: Print the options without building
 details_url: '#print'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -70,6 +75,7 @@ options:
 Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output
 details_url: '#progress'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -77,9 +83,10 @@ options:
 - option: pull
 value_type: bool
 default_value: "false"
- description: Always attempt to pull a newer version of the image
+ description: Always attempt to pull all referenced images
 details_url: '#pull'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -89,6 +96,7 @@ options:
 default_value: "false"
 description: Shorthand for `--set=*.output=type=registry`
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -99,6 +107,7 @@ options:
 description: Override target value (e.g., `targetpattern.key=value`)
 details_url: '#set'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -109,6 +118,7 @@ inherited_options:
 description: Override the configured builder instance
 details_url: '#builder'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -170,10 +180,10 @@ examples: |- You can also use a remote `git` bake definition: ```console - $ docker buildx bake "git://github.com/docker/cli#v20.10.11" --print - #1 [internal] load git source git://github.com/docker/cli#v20.10.11 + $ docker buildx bake "https://github.com/docker/cli.git#v20.10.11" --print + #1 [internal] load git source https://github.com/docker/cli.git#v20.10.11 #1 0.745 e8f1871b077b64bcb4a13334b7146492773769f7 refs/tags/v20.10.11 - #1 2.022 From git://github.com/docker/cli + #1 2.022 From https://github.com/docker/cli #1 2.022 * [new tag] v20.10.11 -> v20.10.11 #1 DONE 2.9s { @@ -186,7 +196,7 @@ examples: |- }, "target": { "binary": { - "context": "git://github.com/docker/cli#v20.10.11", + "context": "https://github.com/docker/cli.git#v20.10.11", "dockerfile": "Dockerfile", "args": { "BASE_VARIANT": "alpine", @@ -205,7 +215,7 @@ examples: |- } ``` - As you can see the context is fixed to `git://github.com/docker/cli` even if + As you can see the context is fixed to `https://github.com/docker/cli.git` even if [no context is actually defined](https://github.com/docker/cli/blob/2776a6d694f988c0c1df61cad4bfac0f54e481c8/docker-bake.hcl#L17-L26) in the definition. @@ -226,7 +236,7 @@ examples: |- ``` ```console - $ docker buildx bake "git://github.com/tonistiigi/buildx#remote-test" --print + $ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" --print { "target": { "default": { @@ -240,7 +250,7 @@ examples: |- ```console $ touch foo bar - $ docker buildx bake "git://github.com/tonistiigi/buildx#remote-test" + $ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" ... > [4/4] RUN ls -l && stop: #8 0.101 total 0 
@@ -250,14 +260,14 @@ examples: |- ``` ```console - $ docker buildx bake "git://github.com/tonistiigi/buildx#remote-test" "git://github.com/docker/cli#v20.10.11" --print - #1 [internal] load git source git://github.com/tonistiigi/buildx#remote-test + $ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" --print + #1 [internal] load git source https://github.com/tonistiigi/buildx.git#remote-test #1 0.429 577303add004dd7efeb13434d69ea030d35f7888 refs/heads/remote-test #1 CACHED { "target": { "default": { - "context": "git://github.com/docker/cli#v20.10.11", + "context": "https://github.com/docker/cli.git#v20.10.11", "dockerfile": "Dockerfile", "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n" } @@ -266,7 +276,7 @@ examples: |- ``` ```console - $ docker buildx bake "git://github.com/tonistiigi/buildx#remote-test" "git://github.com/docker/cli#v20.10.11" + $ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" ... > [4/4] RUN ls -l && stop: #8 0.136 drwxrwxrwx 5 root root 4096 Jul 27 18:31 kubernetes @@ -335,7 +345,6 @@ examples: |- ... ``` - ### Always attempt to pull a newer version of the image (--pull) {#pull} Same as `build --pull`. @@ -349,9 +358,6 @@ examples: |- Override target configurations from command line. The pattern matching syntax is defined in https://golang.org/pkg/path/#Match. - - **Examples** - ```console $ docker buildx bake --set target.args.mybuildarg=value $ docker buildx bake --set target.platform=linux/arm64 @@ -384,8 +390,7 @@ examples: |- Note: Design of bake command is work in progress, the user experience may change based on feedback. - - **Example HCL definition** + HCL definition example: ```hcl group "default" { 
@@ -410,8 +415,8 @@ examples: |- Complete list of valid target fields: - `args`, `cache-from`, `cache-to`, `context`, `dockerfile`, `inherits`, `labels`, - `no-cache`, `output`, `platform`, `pull`, `secrets`, `ssh`, `tags`, `target` + `args`, `cache-from`, `cache-to`, `context`, `contexts`, `dockerfile`, `inherits`, `labels`, + `no-cache`, `no-cache-filter`, `output`, `platform`, `pull`, `secrets`, `ssh`, `tags`, `target` ### Global scope attributes @@ -521,6 +526,28 @@ examples: |- } ``` + alternatively, in json format: + + ```json + { + "variable": { + "TAG": { + "default": "latest" + } + } + "group": { + "default": { + "targets": ["webapp"] + } + }, + "target": { + "webapp": { + "tags": ["docker.io/username/webapp:${TAG}"] + } + } + } + ``` + ```console $ docker buildx bake --print webapp { 
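Review bot: The JSON variant added in the `@@ -521,6 +526,28 @@` hunk is not valid JSON: the `"variable"` object closes with a bare `}` and is followed directly by `"group"`, with no comma between the two members, while the `"group"` object after it does end in `},`. A reader who copies the block into a JSON bake file will most likely hit a parse error, so the closing line of the `"variable"` block should read `},`. The lead-in sentence would also read better as `Alternatively, in JSON format:`.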
@@ -848,6 +875,77 @@ examples: |- } ``` + ### Defining additional build contexts and linking targets + + In addition to the main `context` key that defines the build context each target can also define additional named contexts with a map defined with key `contexts`. These values map to the `--build-context` flag in the [build command](buildx_build.md#build-context). + + Inside the Dockerfile these contexts can be used with the `FROM` instruction or `--from` flag. + + The value can be a local source directory, container image (with docker-image:// prefix), Git URL, HTTP URL or a name of another target in the Bake file (with target: prefix). + + #### Pinning alpine image + + ```Dockerfile + # Dockerfile + FROM alpine + RUN echo "Hello world" + ``` + + ```hcl + # docker-bake.hcl + target "app" { + contexts = { + alpine = "docker-image://alpine:3.13" + } + } + ``` + + #### Using a secondary source directory + + ```Dockerfile + # Dockerfile + + FROM scratch AS src + + FROM golang + COPY --from=src . . + ``` + + ```hcl + # docker-bake.hcl + target "app" { + contexts = { + src = "../path/to/source" + } + } + ``` + + #### Using a result of one target as a base image in another target + + To use a result of one target as a build context of another, specity the target name with `target:` prefix. + + ```Dockerfile + # Dockerfile + FROM baseapp + RUN echo "Hello world" + ``` + + ```hcl + # docker-bake.hcl + + target "base" { + dockerfile = "baseapp.Dockerfile" + } + + target "app" { + contexts = { + baseapp = "target:base" + } + } + ``` + + Please note that in most cases you should just use a single multi-stage Dockerfile with multiple targets for similar behavior. This case is recommended when you have multiple Dockerfiles that can't be easily merged into one. + ### Extension field with Compose [Special extension](https://github.com/compose-spec/compose-spec/blob/master/spec.md#extension) 
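Review bot: Under the added heading "Pinning alpine image" the `contexts` example maps `alpine` to `docker-image://alpine:3.13`, which fixes the release line but not the image content, because a tag can be re-pushed to point at different layers. For an example that is actually reproducible, use the digest form that the `--build-context` section added to docker_buildx_build.yaml in this same patch already shows, e.g. `alpine = "docker-image://alpine@sha256:<digest>"` with `<digest>` as a placeholder, or state in the text that a tag is only a soft pin. Separately, "specity the target name" in the last sub-section of this hunk should be "specify".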
@@ -959,7 +1057,7 @@ examples: |- Complete list of valid fields for `x-bake`: `tags`, `cache-from`, `cache-to`, `secret`, `ssh`, `platforms`, `output`, - `pull`, `no-cache` + `pull`, `no-cache`, `no-cache-filter` ### Built-in variables diff --git a/_data/buildx/docker_buildx_build.yaml b/_data/buildx/docker_buildx_build.yaml index c46da69a11..381064e5a5 100644 --- a/_data/buildx/docker_buildx_build.yaml +++ b/_data/buildx/docker_buildx_build.yaml @@ -7,7 +7,7 @@ long: |- For documentation on most of these flags, refer to the [`docker build` documentation](/engine/reference/commandline/build/). In - here we’ll document a subset of the new flags. + here we'll document a subset of the new flags. usage: docker buildx build [OPTIONS] PATH | URL | - pname: docker buildx plink: docker_buildx.yaml @@ -18,6 +18,7 @@ options: description: 'Add a custom host-to-IP mapping (format: `host:ip`)' details_url: /engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -29,6 +30,7 @@ options: Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) details_url: '#allow' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -37,8 +39,20 @@ options: value_type: stringArray default_value: '[]' description: Set build-time variables - details_url: /engine/reference/commandline/build/#set-build-time-variables---build-arg + details_url: '#build-arg' deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +- option: build-context + value_type: stringArray + default_value: '[]' + description: Additional build contexts (e.g., name=path) + details_url: '#build-context' + deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false 
@@ -50,6 +64,7 @@ options:
 External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)
 details_url: '#cache-from'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -61,6 +76,7 @@ options:
 Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)
 details_url: '#cache-to'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -70,6 +86,7 @@ options:
 description: Optional parent cgroup for the container
 details_url: /engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -79,6 +96,7 @@ options:
 default_value: "false"
 description: Compress the build context using gzip
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -88,6 +106,7 @@ options:
 default_value: "0"
 description: Limit the CPU CFS (Completely Fair Scheduler) period
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -97,6 +116,7 @@ options:
 default_value: "0"
 description: Limit the CPU CFS (Completely Fair Scheduler) quota
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -107,6 +127,7 @@ options:
 default_value: "0"
 description: CPU shares (relative weight)
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -115,6 +136,7 @@ options:
 value_type: string
 description: CPUs in which to allow execution (`0-3`, `0,1`)
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -123,6 +145,7 @@ options:
 value_type: string
 description: MEMs in which to allow execution (`0-3`, `0,1`)
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -133,6 +156,7 @@ options:
 description: 'Name of the Dockerfile (default: `PATH/Dockerfile`)'
 details_url: /engine/reference/commandline/build/#specify-a-dockerfile--f
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -142,6 +166,7 @@ options:
 default_value: "false"
 description: Always remove intermediate containers
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -150,6 +175,7 @@ options:
 value_type: string
 description: Write the image ID to the file
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -158,6 +184,7 @@ options:
 value_type: string
 description: Container isolation technology
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -167,6 +194,7 @@ options:
 default_value: '[]'
 description: Set metadata for an image
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -177,6 +205,7 @@ options:
 description: Shorthand for `--output=type=docker`
 details_url: '#load'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -186,6 +215,7 @@ options:
 value_type: string
 description: Memory limit
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -195,6 +225,7 @@ options:
 description: |
 Swap limit equal to memory plus swap: `-1` to enable unlimited swap
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -202,7 +233,9 @@ options:
 - option: metadata-file
 value_type: string
 description: Write build result metadata to the file
+ details_url: '#metadata-file'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -210,8 +243,9 @@ options:
 - option: network
 value_type: string
 default_value: default
- description: Set the networking mode for the RUN instructions during build
+ description: Set the networking mode for the `RUN` instructions during build
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -221,6 +255,17 @@ options:
 default_value: "false"
 description: Do not use cache when building the image
 deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+- option: no-cache-filter
+ value_type: stringArray
+ default_value: '[]'
+ description: Do not cache specified stages
+ deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -232,6 +277,7 @@ options:
 description: 'Output destination (format: `type=local,dest=path`)'
 details_url: '#output'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -242,6 +288,7 @@ options:
 description: Set target platform for build
 details_url: '#platform'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -253,6 +300,7 @@ options:
 Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output
 details_url: '#progress'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -260,8 +308,9 @@ options:
 - option: pull
 value_type: bool
 default_value: "false"
- description: Always attempt to pull a newer version of the image
+ description: Always attempt to pull all referenced images
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -272,6 +321,7 @@ options:
 description: Shorthand for `--output=type=registry`
 details_url: '#push'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -282,6 +332,7 @@ options:
 default_value: "false"
 description: Suppress the build output and print image ID on success
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -291,6 +342,7 @@ options:
 default_value: "true"
 description: Remove intermediate containers after a successful build
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -299,8 +351,10 @@ options:
 value_type: stringArray
 default_value: '[]'
 description: |
- Secret file to expose to the build (format: `id=mysecret,src=/local/secret`)
+ Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)
+ details_url: '#secret'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -310,6 +364,7 @@ options:
 default_value: '[]'
 description: Security options
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -320,6 +375,7 @@ options:
 description: Size of `/dev/shm`
 details_url: '#shm-size'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -329,6 +385,7 @@ options:
 default_value: "false"
 description: Squash newly built layers into a single new layer
 deprecated: false
+ hidden: true
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -338,7 +395,9 @@ options:
 default_value: '[]'
 description: |
 SSH agent socket or keys to expose to the build (format: `default|[=|[,]]`)
+ details_url: '#ssh'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -350,15 +409,17 @@ options:
 description: 'Name and optionally a tag (format: `name:tag`)'
 details_url: /engine/reference/commandline/build/#tag-an-image--t
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
 swarm: false
 - option: target
 value_type: string
- description: Set the target build stage to build.
+ description: Set the target build stage to build
 details_url: /engine/reference/commandline/build/#specifying-target-build-stage---target
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -369,6 +430,7 @@ options:
 description: Ulimit options
 details_url: '#ulimit'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -379,81 +441,202 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false swarm: false examples: |- - ### Override the configured builder instance (--builder) {#builder} - - Same as [`buildx --builder`](buildx.md#builder). - - ### Set the target platforms for the build (--platform) {#platform} + ### Allow extra privileged entitlement (--allow) {#allow} ``` - --platform=value[,value] + --allow=ENTITLEMENT ``` - Set the target platform for the build. All `FROM` commands inside the Dockerfile - without their own `--platform` flag will pull base images for this platform and - this value will also be the platform of the resulting image. The default value - will be the current platform of the buildkit daemon. + Allow extra privileged entitlement. List of entitlements: - When using `docker-container` driver with `buildx`, this flag can accept multiple - values as an input separated by a comma. With multiple values the result will be - built for all of the specified platforms and joined together into a single manifest - list. + - `network.host` - Allows executions with host networking. + - `security.insecure` - Allows executions without sandbox. See + [related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox). - If the `Dockerfile` needs to invoke the `RUN` command, the builder needs runtime - support for the specified platform. In a clean setup, you can only execute `RUN` - commands for your system architecture. - If your kernel supports [`binfmt_misc`](https://en.wikipedia.org/wiki/Binfmt_misc) - launchers for secondary architectures, buildx will pick them up automatically. - Docker desktop releases come with `binfmt_misc` automatically configured for `arm64` - and `arm` architectures. 
You can see what runtime platforms your current builder - instance supports by running `docker buildx inspect --bootstrap`. - - Inside a `Dockerfile`, you can access the current platform value through - `TARGETPLATFORM` build argument. Please refer to the [`docker build` - documentation](/engine/reference/builder/#automatic-platform-args-in-the-global-scope) - for the full description of automatic platform argument variants . - - The formatting for the platform specifier is defined in the [containerd source - code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63). + For entitlements to be enabled, the `buildkitd` daemon also needs to allow them + with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)) **Examples** ```console - $ docker buildx build --platform=linux/arm64 . - $ docker buildx build --platform=linux/amd64,linux/arm64,linux/arm/v7 . - $ docker buildx build --platform=darwin . + $ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure' + $ docker buildx build --allow security.insecure . ``` - ### Set type of progress output (--progress) {#progress} + ### Set build-time variables (--build-arg) {#build-arg} - ``` - --progress=VALUE - ``` + Same as [`docker build` command](/engine/reference/commandline/build/#set-build-time-variables---build-arg). - Set type of progress output (auto, plain, tty). Use plain to show container - output (default "auto"). + There are also useful built-in build args like: - > You can also use the `BUILDKIT_PROGRESS` environment variable to set - > its value. 
- - The following example uses `plain` output during the build: + * `BUILDKIT_CONTEXT_KEEP_GIT_DIR=` trigger git context to keep the `.git` directory + * `BUILDKIT_INLINE_BUILDINFO_ATTRS=` inline build info attributes in image config or not + * `BUILDKIT_INLINE_CACHE=` inline cache metadata to image config or not + * `BUILDKIT_MULTI_PLATFORM=` opt into determnistic output regardless of multi-platform output or not ```console - $ docker buildx build --load --progress=plain . + $ docker buildx build --build-arg BUILDKIT_MULTI_PLATFORM=1 . + ``` - #1 [internal] load build definition from Dockerfile - #1 transferring dockerfile: 227B 0.0s done - #1 DONE 0.1s + More built-in build args can be found in [dockerfile frontend docs](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#built-in-build-args). - #2 [internal] load .dockerignore - #2 transferring context: 129B 0.0s done - #2 DONE 0.0s - ... + ### Additional build contexts (--build-context) {#build-context} + + ``` + --build-context=name=VALUE + ``` + + Define additional build context with specified contents. In Dockerfile the context can be accessed when `FROM name` or `--from=name` is used. + When Dockerfile defines a stage with the same name it is overwritten. + + The value can be a local source directory, container image (with docker-image:// prefix), Git or HTTP URL. + + Replace `alpine:latest` with a pinned one: + + ```console + $ docker buildx build --build-context alpine=docker-image://alpine@sha256:0123456789 . + ``` + + Expose a secondary local source directory: + + ```console + $ docker buildx build --build-context project=path/to/project/source . + # docker buildx build --build-context project=https://github.com/myuser/project.git . + ``` + + ```Dockerfile + FROM alpine + COPY --from=project myfile / + ``` + + ### Override the configured builder instance (--builder) {#builder} + + Same as [`buildx --builder`](buildx.md#builder). 
+ + ### Use an external cache source for a build (--cache-from) {#cache-from} + + ``` + --cache-from=[NAME|type=TYPE[,KEY=VALUE]] + ``` + + Use an external cache source for a build. Supported types are `registry`, + `local` and `gha`. + + - [`registry` source](https://github.com/moby/buildkit#registry-push-image-and-cache-separately) + can import cache from a cache manifest or (special) image configuration on the + registry. + - [`local` source](https://github.com/moby/buildkit#local-directory-1) can + import cache from local files previously exported with `--cache-to`. + - [`gha` source](https://github.com/moby/buildkit#github-actions-cache-experimental) + can import cache from a previously exported cache with `--cache-to` in your + GitHub repository + + If no type is specified, `registry` exporter is used with a specified reference. + + `docker` driver currently only supports importing build cache from the registry. + + ```console + $ docker buildx build --cache-from=user/app:cache . + $ docker buildx build --cache-from=user/app . + $ docker buildx build --cache-from=type=registry,ref=user/app . + $ docker buildx build --cache-from=type=local,src=path/to/cache . + $ docker buildx build --cache-from=type=gha . + ``` + + More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache + + ### Export build cache to an external cache destination (--cache-to) {#cache-to} + + ``` + --cache-to=[NAME|type=TYPE[,KEY=VALUE]] + ``` + + Export build cache to an external cache destination. Supported types are + `registry`, `local`, `inline` and `gha`. + + - [`registry` type](https://github.com/moby/buildkit#registry-push-image-and-cache-separately) exports build cache to a cache manifest in the registry. + - [`local` type](https://github.com/moby/buildkit#local-directory-1) type + exports cache to a local directory on the client. 
+ - [`inline` type](https://github.com/moby/buildkit#inline-push-image-and-cache-together) + type writes the cache metadata into the image configuration. + - [`gha` type](https://github.com/moby/buildkit#github-actions-cache-experimental) + type exports cache through the [Github Actions Cache service API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md#authentication). + + `docker` driver currently only supports exporting inline cache metadata to image + configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used + to trigger inline cache exporter. + + Attribute key: + + - `mode` - Specifies how many layers are exported with the cache. `min` on only + exports layers already in the final build stage, `max` exports layers for + all stages. Metadata is always exported for the whole build. + + ```console + $ docker buildx build --cache-to=user/app:cache . + $ docker buildx build --cache-to=type=inline . + $ docker buildx build --cache-to=type=registry,ref=user/app . + $ docker buildx build --cache-to=type=local,dest=path/to/cache . + $ docker buildx build --cache-to=type=gha . + ``` + + More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache + + ### Load the single-platform build result to `docker images` (--load) {#load} + + Shorthand for [`--output=type=docker`](#docker). Will automatically load the + single-platform build result to `docker images`. + + ### Write build result metadata to the file (--metadata-file) {#metadata-file} + + To output build metadata such as the image digest, pass the `--metadata-file` flag. + The metadata will be written as a JSON object to the specified file. The + directory of the specified file must already exist and be writable. + + ```console + $ docker buildx build --load --metadata-file metadata.json . 
+ $ cat metadata.json + ``` + ```json + { + "containerimage.buildinfo": { + "frontend": "dockerfile.v0", + "attrs": { + "context": "https://github.com/crazy-max/buildkit-buildsources-test.git#master", + "filename": "Dockerfile", + "source": "docker/dockerfile:master" + }, + "sources": [ + { + "type": "docker-image", + "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0", + "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0" + }, + { + "type": "docker-image", + "ref": "docker.io/library/alpine:3.13", + "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c" + } + ] + }, + "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66", + "containerimage.descriptor": { + "annotations": { + "config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66", + "org.opencontainers.image.created": "2022-02-08T21:28:03Z" + }, + "digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3", + "mediaType": "application/vnd.oci.image.manifest.v1+json", + "size": 506 + }, + "containerimage.digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3" + } ``` ### Set the export action for the build result (-o, --output) {#output} @@ -474,8 +657,6 @@ examples: |- with this path as the destination. If the value is "-", `buildx` will use `tar` exporter and write to `stdout`. - **Examples** - ```console $ docker buildx build -o . . $ docker buildx build -o outdir . @@ -529,7 +710,7 @@ examples: |- Attribute keys: - `dest` - destination path where tarball will be written. If not specified the - tar will be loaded automatically to the current docker instance. + tar will be loaded automatically to the current docker instance. - `context` - name for the docker context where to import the result #### `image` 
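Review bot: The new `--allow` section in the `@@ -379,81 +441,202 @@` hunk describes `security.insecure` as allowing executions without sandbox and gives a copy-ready example, but it says nothing about scope: the example's `docker buildx create --use ...` makes the builder started with `--allow-insecure-entitlement security.insecure` the current builder for later builds as well. I would add one sentence after the entitlement list, such as `Only grant these entitlements for Dockerfiles and build contexts you trust, and prefer a dedicated builder selected with --builder over making it the default.`, and drop `--use` from the example in favour of `docker buildx build --builder insecure-builder --allow security.insecure .`. In the same hunk, "determnistic" in the `BUILDKIT_MULTI_PLATFORM` bullet should be "deterministic", and the value `sha256:0123456789` in the `--build-context` example is too short to be a real digest, so it would be clearer written as an explicit placeholder.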
@@ -547,118 +728,163 @@ examples: |- The `registry` exporter is a shortcut for `type=image,push=true`. + ### Set the target platforms for the build (--platform) {#platform} + + ``` + --platform=value[,value] + ``` + + Set the target platform for the build. All `FROM` commands inside the Dockerfile + without their own `--platform` flag will pull base images for this platform and + this value will also be the platform of the resulting image. The default value + will be the current platform of the buildkit daemon. + + When using `docker-container` driver with `buildx`, this flag can accept multiple + values as an input separated by a comma. With multiple values the result will be + built for all of the specified platforms and joined together into a single manifest + list. + + If the `Dockerfile` needs to invoke the `RUN` command, the builder needs runtime + support for the specified platform. In a clean setup, you can only execute `RUN` + commands for your system architecture. + If your kernel supports [`binfmt_misc`](https://en.wikipedia.org/wiki/Binfmt_misc) + launchers for secondary architectures, buildx will pick them up automatically. + Docker desktop releases come with `binfmt_misc` automatically configured for `arm64` + and `arm` architectures. You can see what runtime platforms your current builder + instance supports by running `docker buildx inspect --bootstrap`. + + Inside a `Dockerfile`, you can access the current platform value through + `TARGETPLATFORM` build argument. Please refer to the [`docker build` + documentation](/engine/reference/builder/#automatic-platform-args-in-the-global-scope) + for the full description of automatic platform argument variants . + + The formatting for the platform specifier is defined in the [containerd source + code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63). + + ```console + $ docker buildx build --platform=linux/arm64 . 
+ $ docker buildx build --platform=linux/amd64,linux/arm64,linux/arm/v7 . + $ docker buildx build --platform=darwin . + ``` + + ### Set type of progress output (--progress) {#progress} + + ``` + --progress=VALUE + ``` + + Set type of progress output (auto, plain, tty). Use plain to show container + output (default "auto"). + + > You can also use the `BUILDKIT_PROGRESS` environment variable to set + > its value. + + The following example uses `plain` output during the build: + + ```console + $ docker buildx build --load --progress=plain . + + #1 [internal] load build definition from Dockerfile + #1 transferring dockerfile: 227B 0.0s done + #1 DONE 0.1s + + #2 [internal] load .dockerignore + #2 transferring context: 129B 0.0s done + #2 DONE 0.0s + ... + ``` ### Push the build result to a registry (--push) {#push} Shorthand for [`--output=type=registry`](#registry). Will automatically push the build result to registry. - ### Load the single-platform build result to `docker images` (--load) {#load} - - Shorthand for [`--output=type=docker`](#docker). Will automatically load the - single-platform build result to `docker images`. - - ### Use an external cache source for a build (--cache-from) {#cache-from} + ### Secret to expose to the build (--secret) {#secret} ``` - --cache-from=[NAME|type=TYPE[,KEY=VALUE]] + --secret=[type=TYPE[,KEY=VALUE] ``` - Use an external cache source for a build. Supported types are `registry`, - `local` and `gha`. + Exposes secret to the build. The secret can be used by the build using + [`RUN --mount=type=secret` mount](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypesecret). - - [`registry` source](https://github.com/moby/buildkit#registry-push-image-and-cache-separately) - can import cache from a cache manifest or (special) image configuration on the - registry. 
- - [`local` source](https://github.com/moby/buildkit#local-directory-1) can - import cache from local files previously exported with `--cache-to`. - - [`gha` source](https://github.com/moby/buildkit#github-actions-cache-experimental) - can import cache from a previously exported cache with `--cache-to` in your - GitHub repository + If `type` is unset it will be detected. Supported types are: - If no type is specified, `registry` exporter is used with a specified reference. + #### `file` - `docker` driver currently only supports importing build cache from the registry. + Attribute keys: - **Examples** + - `id` - ID of the secret. Defaults to basename of the `src` path. + - `src`, `source` - Secret filename. `id` used if unset. + + ```dockerfile + # syntax=docker/dockerfile:1.3 + FROM python:3 + RUN pip install awscli + RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \ + aws s3 cp s3://... ... + ``` ```console - $ docker buildx build --cache-from=user/app:cache . - $ docker buildx build --cache-from=user/app . - $ docker buildx build --cache-from=type=registry,ref=user/app . - $ docker buildx build --cache-from=type=local,src=path/to/cache . - $ docker buildx build --cache-from=type=gha . + $ docker buildx build --secret id=aws,src=$HOME/.aws/credentials . ``` - More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache + #### `env` - ### Export build cache to an external cache destination (--cache-to) {#cache-to} + Attribute keys: + - `id` - ID of the secret. Defaults to `env` name. + - `env` - Secret environment variable. `id` used if unset, otherwise will look for `src`, `source` if `id` unset. + + ```dockerfile + # syntax=docker/dockerfile:1.3 + FROM node:alpine + RUN --mount=type=bind,target=. \ + --mount=type=secret,id=SECRET_TOKEN \ + SECRET_TOKEN=$(cat /run/secrets/SECRET_TOKEN) yarn run test ``` - --cache-to=[NAME|type=TYPE[,KEY=VALUE]] - ``` - - Export build cache to an external cache destination. 
Supported types are - `registry`, `local`, `inline` and `gha`. - - - [`registry` type](https://github.com/moby/buildkit#registry-push-image-and-cache-separately) exports build cache to a cache manifest in the registry. - - [`local` type](https://github.com/moby/buildkit#local-directory-1) type - exports cache to a local directory on the client. - - [`inline` type](https://github.com/moby/buildkit#inline-push-image-and-cache-together) - type writes the cache metadata into the image configuration. - - [`gha` type](https://github.com/moby/buildkit#github-actions-cache-experimental) - type exports cache through the [Github Actions Cache service API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md#authentication). - - `docker` driver currently only supports exporting inline cache metadata to image - configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used - to trigger inline cache exporter. - - Attribute key: - - - `mode` - Specifies how many layers are exported with the cache. `min` on only - exports layers already in the final build stage, `max` exports layers for - all stages. Metadata is always exported for the whole build. - - **Examples** ```console - $ docker buildx build --cache-to=user/app:cache . - $ docker buildx build --cache-to=type=inline . - $ docker buildx build --cache-to=type=registry,ref=user/app . - $ docker buildx build --cache-to=type=local,dest=path/to/cache . - $ docker buildx build --cache-to=type=gha . + $ SECRET_TOKEN=token docker buildx build --secret id=SECRET_TOKEN . ``` - More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache - - ### Allow extra privileged entitlement (--allow) {#allow} - - ``` - --allow=ENTITLEMENT - ``` - - Allow extra privileged entitlement. List of entitlements: - - - `network.host` - Allows executions with host networking. - - `security.insecure` - Allows executions without sandbox. 
See - [related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox). - - For entitlements to be enabled, the `buildkitd` daemon also needs to allow them - with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)) - - **Examples** - - ```console - $ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure' - $ docker buildx build --allow security.insecure . - ``` - - ### Size of `/dev/shm` (--shm-size) {#shm-size} + ### Size of /dev/shm (--shm-size) {#shm-size} The format is ``. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. + ### SSH agent socket or keys to expose to the build (--ssh) {#ssh} + + ``` + --ssh=default|[=|[,]] + ``` + + This can be useful when some commands in your Dockerfile need specific SSH + authentication (e.g., cloning a private repository). + + `--ssh` exposes SSH agent socket or keys to the build and can be used with the + [`RUN --mount=type=ssh` mount](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypessh). + + Example to access Gitlab using an SSH agent socket: + + ```dockerfile + # syntax=docker/dockerfile:1.3 + FROM alpine + RUN apk add --no-cache openssh-client + RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts + RUN --mount=type=ssh ssh -q -T git@gitlab.com 2>&1 | tee /hello + # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here + # with the type of build progress is defined as `plain`. + ``` + + ```console + $ eval $(ssh-agent) + $ ssh-add ~/.ssh/id_rsa + (Input your passphrase here) + $ docker buildx build --ssh default=$SSH_AUTH_SOCK . 
+ ``` + ### Set ulimits (--ulimit) {#ulimit} `--ulimit` is specified with a soft and hard limit as such: diff --git a/_data/buildx/docker_buildx_create.yaml b/_data/buildx/docker_buildx_create.yaml index 3a9a629372..1e763c0129 100644 --- a/_data/buildx/docker_buildx_create.yaml +++ b/_data/buildx/docker_buildx_create.yaml @@ -20,6 +20,7 @@ options: description: Append a node to builder instead of changing it details_url: '#append' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -29,6 +30,7 @@ options: default_value: "false" description: Boot builder after creation deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -38,6 +40,7 @@ options: description: Flags for buildkitd daemon details_url: '#buildkitd-flags' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -47,6 +50,7 @@ options: description: BuildKit config file details_url: '#config' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -57,6 +61,7 @@ options: Driver to use (available: `docker`, `docker-container`, `kubernetes`) details_url: '#driver' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -67,6 +72,7 @@ options: description: Options for the driver details_url: '#driver-opt' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -77,6 +83,7 @@ options: description: Remove a node from builder instead of changing it details_url: '#leave' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -86,6 +93,7 @@ options: description: Builder instance name details_url: '#name' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false 
@@ -95,6 +103,7 @@ options: description: Create/modify node with given name details_url: '#node' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -105,6 +114,7 @@ options: description: Fixed platforms for current node details_url: '#platform' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -115,6 +125,7 @@ options: description: Set the current builder instance details_url: '#use' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -124,6 +135,7 @@ inherited_options: value_type: string description: Override the configured builder instance deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -135,8 +147,6 @@ examples: |- existing builder specified by `--name`. Buildx will choose an appropriate node for a build based on the platforms it supports. - **Examples** - ```console $ docker buildx create mycontext1 eager_beaver @@ -155,8 +165,6 @@ examples: |- configuration file specified by [`--config`](#config). See `buildkitd --help` for the available flags. - **Example** - ``` --buildkitd-flags '--debug --debugaddr 0.0.0.0:6666' ``` 
@@ -220,46 +228,22 @@ examples: |- - `docker` - No driver options - `docker-container` - - `image=IMAGE` - Sets the container image to be used for running buildkit. - - `network=NETMODE` - Sets the network mode for running the buildkit container. - - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`. + - `image=IMAGE` - Sets the container image to be used for running buildkit. + - `network=NETMODE` - Sets the network mode for running the buildkit container. + - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`. - `kubernetes` - - `image=IMAGE` - Sets the container image to be used for running buildkit. - - `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace. - - `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1. - - `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2` - - `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G` - - `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2` - - `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G` - - `nodeselector="label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64` - - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false. - - `loadbalance=(sticky|random)` - Load-balancing strategy. 
If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky" - - `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support. - - `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest` - - **Examples** - - #### Use a custom network - - ```console - $ docker network create foonet - $ docker buildx create --name builder --driver docker-container --driver-opt network=foonet --use - $ docker buildx inspect --bootstrap - $ docker inspect buildx_buildkit_builder0 --format={{.NetworkSettings.Networks}} - map[foonet:0xc00018c0c0] - ``` - - #### OpenTelemetry support - - To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set - `JAEGER_TRACE` environment variable to the collection address using the `driver-opt`: - - ```console - $ docker run -d --name jaeger -p 6831:6831/udp -p 16686:16686 jaegertracing/all-in-one - $ docker buildx create --name builder --driver docker-container --driver-opt network=host --driver-opt env.JAEGER_TRACE=localhost:6831 --use - $ docker buildx inspect --bootstrap - # buildx command should be traced at http://127.0.0.1:16686/ - ``` + - `image=IMAGE` - Sets the container image to be used for running buildkit. + - `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace. + - `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1. + - `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2` + - `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G` + - `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2` + - `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. 
Example `limits.memory=500Mi`, `limits.memory=4G` + - `nodeselector="label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64` + - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false. + - `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky" + - `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support. + - `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest` ### Remove a node from a builder (--leave) {#leave} @@ -267,8 +251,6 @@ examples: |- builder. The builder needs to be specified with `--name` and node that is removed is set with `--node`. - **Examples** - ```console $ docker buildx create --name mybuilder --node mybuilder0 --leave ``` @@ -292,7 +274,7 @@ examples: |- none is specified, it is the name of the builder it belongs to, with an index number suffix. - ### Set the platforms supported by the node {#platform} + ### Set the platforms supported by the node (--platform) {#platform} ``` --platform PLATFORMS @@ -304,14 +286,12 @@ examples: |- priority over the detected ones and can be used when multiple nodes support building for the same platform. - **Examples** - ```console $ docker buildx create --platform linux/amd64 $ docker buildx create --platform linux/arm64,linux/arm/v8 ``` - ### Automatically switch to the newly created builder {#use} + ### Automatically switch to the newly created builder (--use) {#use} The `--use` flag automatically switches the current builder to the newly created one. Equivalent to running `docker buildx use $(docker buildx create ...)`. 
diff --git a/_data/buildx/docker_buildx_du.yaml b/_data/buildx/docker_buildx_du.yaml index d675447d0b..32350b084f 100644 --- a/_data/buildx/docker_buildx_du.yaml +++ b/_data/buildx/docker_buildx_du.yaml @@ -9,6 +9,7 @@ options: value_type: filter description: Provide filter values deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -18,6 +19,7 @@ options: default_value: "false" description: Provide a more verbose output deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -28,6 +30,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_imagetools.yaml b/_data/buildx/docker_buildx_imagetools.yaml index dbe01e3c0f..3b44ae53db 100644 --- a/_data/buildx/docker_buildx_imagetools.yaml +++ b/_data/buildx/docker_buildx_imagetools.yaml @@ -17,6 +17,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_imagetools_create.yaml b/_data/buildx/docker_buildx_imagetools_create.yaml index da5b39e70f..5d319cd3d9 100644 --- a/_data/buildx/docker_buildx_imagetools_create.yaml +++ b/_data/buildx/docker_buildx_imagetools_create.yaml @@ -1,9 +1,6 @@ command: docker buildx imagetools create short: Create a new image based on source images long: |- - Imagetools contains commands for working with manifest lists in the registry. - These commands are useful for inspecting multi-platform build results. - Create a new manifest list based on source manifests. The source manifests can be manifest lists or single platform distribution manifests and must already exist in the registry where the new manifest is created. If only one source is 
@@ -18,6 +15,7 @@ options: description: Append to existing manifest details_url: '#append' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -28,6 +26,7 @@ options: description: Show final image instead of pushing details_url: '#dry-run' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -39,6 +38,7 @@ options: description: Read source descriptor from file details_url: '#file' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -50,6 +50,7 @@ options: description: Set reference for new image details_url: '#tag' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -60,6 +61,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -90,16 +92,15 @@ examples: |- In order to define annotations or additional platform properties like `os.version` and `os.features` you need to add them in the OCI descriptor object encoded in JSON. - ``` - docker buildx imagetools inspect --raw alpine | jq '.manifests[0] | .platform."os.version"="10.1"' > descr.json - docker buildx imagetools create -f descr.json myuser/image + ```console + $ docker buildx imagetools inspect --raw alpine | jq '.manifests[0] | .platform."os.version"="10.1"' > descr.json + $ docker buildx imagetools create -f descr.json myuser/image ``` The descriptor in the file is merged with existing descriptor in the registry if it exists. The supported fields for the descriptor are defined in [OCI spec](https://github.com/opencontainers/image-spec/blob/master/descriptor.md#properties) . - ### Set reference for new image (-t, --tag) {#tag} ``` 
@@ -108,11 +109,8 @@ examples: |- Use the `-t` or `--tag` flag to set the name of the image to be created. - **Examples** - ```console $ docker buildx imagetools create --dry-run alpine@sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907 sha256:c4ba6347b0e4258ce6a6de2401619316f982b7bcc529f73d2a410d0097730204 - $ docker buildx imagetools create -t tonistiigi/myapp -f image1 -f image2 ``` deprecated: false diff --git a/_data/buildx/docker_buildx_imagetools_inspect.yaml b/_data/buildx/docker_buildx_imagetools_inspect.yaml index 4469d4f15f..ad16409f54 100644 --- a/_data/buildx/docker_buildx_imagetools_inspect.yaml +++ b/_data/buildx/docker_buildx_imagetools_inspect.yaml 
@@ -1,37 +1,65 @@ command: docker buildx imagetools inspect -short: Show details of image in the registry +short: Show details of an image in the registry long: |- - Show details of image in the registry. - - Example: + Show details of an image in the registry. ```console $ docker buildx imagetools inspect alpine - Name: docker.io/library/alpine:latest MediaType: application/vnd.docker.distribution.manifest.list.v2+json - Digest: sha256:28ef97b8686a0b5399129e9b763d5b7e5ff03576aa5580d6f4182a49c5fe1913 + Digest: sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300 Manifests: - Name: docker.io/library/alpine:latest@sha256:5c40b3c27b9f13c873fefb2139765c56ce97fd50230f1f2d5c91e55dec171907 + Name: docker.io/library/alpine:latest@sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3 MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/amd64 - Name: docker.io/library/alpine:latest@sha256:c4ba6347b0e4258ce6a6de2401619316f982b7bcc529f73d2a410d0097730204 + Name: docker.io/library/alpine:latest@sha256:e047bc2af17934d38c5a7fa9f46d443f1de3a7675546402592ef805cfa929f9d MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/arm/v6 - ... 
+
+ Name: docker.io/library/alpine:latest@sha256:8483ecd016885d8dba70426fda133c30466f661bb041490d525658f1aac73822
+ MediaType: application/vnd.docker.distribution.manifest.v2+json
+ Platform: linux/arm/v7
+
+ Name: docker.io/library/alpine:latest@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060
+ MediaType: application/vnd.docker.distribution.manifest.v2+json
+ Platform: linux/arm64/v8
+
+ Name: docker.io/library/alpine:latest@sha256:2689e157117d2da668ad4699549e55eba1ceb79cb7862368b30919f0488213f4
+ MediaType: application/vnd.docker.distribution.manifest.v2+json
+ Platform: linux/386
+
+ Name: docker.io/library/alpine:latest@sha256:2042a492bcdd847a01cd7f119cd48caa180da696ed2aedd085001a78664407d6
+ MediaType: application/vnd.docker.distribution.manifest.v2+json
+ Platform: linux/ppc64le
+
+ Name: docker.io/library/alpine:latest@sha256:49e322ab6690e73a4909f787bcbdb873631264ff4a108cddfd9f9c249ba1d58e
+ MediaType: application/vnd.docker.distribution.manifest.v2+json
+ Platform: linux/s390x
 ```
 usage: docker buildx imagetools inspect [OPTIONS] NAME
 pname: docker buildx imagetools
 plink: docker_buildx_imagetools.yaml
 options:
+- option: format
+ value_type: string
+ default_value: '`{{.Manifest}}`'
+ description: Format the output using the given Go template
+ details_url: '#format'
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
 - option: raw
 value_type: bool
 default_value: "false"
- description: Show original JSON manifest
+ description: Show original, unformatted JSON manifest
 details_url: '#raw'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -42,6 +70,7 @@ inherited_options:
 description: Override the configured builder instance
 details_url: '#builder'
 deprecated: false
+ hidden: false
 experimental: false
 experimentalcli: false
 kubernetes: false
@@ -51,10 +80,572 @@ examples: |- Same as [`buildx --builder`](buildx.md#builder). + ### Format the output (--format) {#format} + + Format the output using the given Go template. Defaults to `{{.Manifest}}` if + unset. Following fields are available: + + * `.Name`: provides the reference of the image + * `.Manifest`: provides the manifest or manifest list + * `.Image`: provides the image config + * `.BuildInfo`: provides [build info from image config](https://github.com/moby/buildkit/blob/master/docs/build-repro.md#image-config) + + #### `.Name` + + ```console + $ docker buildx imagetools inspect alpine --format "{{.Name}}" + Name: docker.io/library/alpine:latest + ``` + + #### `.Manifest` + + ```console + $ docker buildx imagetools inspect crazymax/loop --format "{{.Manifest}}" + Name: docker.io/crazymax/loop:latest + MediaType: application/vnd.docker.distribution.manifest.v2+json + Digest: sha256:08602e7340970e92bde5e0a2e887c1fde4d9ae753d1e05efb4c8ef3b609f97f1 + ``` + + ```console + $ docker buildx imagetools inspect moby/buildkit:master --format "{{.Manifest}}" + Name: docker.io/moby/buildkit:master + MediaType: application/vnd.docker.distribution.manifest.list.v2+json + Digest: sha256:3183f7ce54d1efb44c34b84f428ae10aaf141e553c6b52a7ff44cc7083a05a66 + + Manifests: + Name: docker.io/moby/buildkit:master@sha256:667d28c9fb33820ce686887a717a148e89fa77f9097f9352996bbcce99d352b1 + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/amd64 + + Name: docker.io/moby/buildkit:master@sha256:71789527b64ab3d7b3de01d364b449cd7f7a3da758218fbf73b9c9aae05a6775 + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/arm/v7 + + Name: docker.io/moby/buildkit:master@sha256:fb64667e1ce6ab0d05478f3a8402af07b27737598dcf9a510fb1d792b13a66be + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/arm64 + + Name: 
docker.io/moby/buildkit:master@sha256:1c3ddf95a0788e23f72f25800c05abc4458946685e2b66788c3d978cde6da92b + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/s390x + + Name: docker.io/moby/buildkit:master@sha256:05bcde6d460a284e5bc88026cd070277e8380355de3126cbc8fe8a452708c6b1 + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/ppc64le + + Name: docker.io/moby/buildkit:master@sha256:c04c57765304ab84f4f9807fff3e11605c3a60e16435c734b02c723680f6bd6e + MediaType: application/vnd.docker.distribution.manifest.v2+json + Platform: linux/riscv64 + ``` + + #### `.BuildInfo` + + ```console + $ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{.BuildInfo}}" + Name: docker.io/crazymax/buildx:buildinfo + Frontend: dockerfile.v0 + Attrs: + filename: Dockerfile + source: docker/dockerfile-upstream:master-labs + build-arg:bar: foo + build-arg:foo: bar + Sources: + Type: docker-image + Ref: docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0 + Pin: sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0 + + Type: docker-image + Ref: docker.io/library/alpine:3.13 + Pin: sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c + + Type: docker-image + Ref: docker.io/moby/buildkit:v0.9.0 + Pin: sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab + + Type: docker-image + Ref: docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04 + Pin: sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04 + + Type: http + Ref: https://raw.githubusercontent.com/moby/moby/master/README.md + Pin: sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c + ``` + + #### JSON output + + A `json` go template func is also available if you want to render fields as + JSON bytes: + + ```console + $ docker buildx imagetools inspect crazymax/loop --format 
"{{json .Manifest}}" + ``` + ```json + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:08602e7340970e92bde5e0a2e887c1fde4d9ae753d1e05efb4c8ef3b609f97f1", + "size": 949 + } + ``` + + ```console + $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manifest}}" + ``` + ```json + { + "schemaVersion": 2, + "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", + "digest": "sha256:79d97f205e2799d99a3a8ae2a1ef17acb331e11784262c3faada847dc6972c52", + "size": 2010, + "manifests": [ + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:bd1e78f06de26610fadf4eb9d04b1a45a545799d6342701726e952cc0c11c912", + "size": 1158, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:d37dcced63ec0965824fca644f0ac9efad8569434ec15b4c83adfcb3dcfc743b", + "size": 1158, + "platform": { + "architecture": "arm", + "os": "linux", + "variant": "v7" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:ce142eb2255e6af46f2809e159fd03081697c7605a3de03b9cbe9a52ddb244bf", + "size": 1158, + "platform": { + "architecture": "arm64", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:f59bfb5062fff76ce464bfa4e25ebaaaac887d6818238e119d68613c456d360c", + "size": 1158, + "platform": { + "architecture": "s390x", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:cc96426e0c50a78105d5637d31356db5dd6ec594f21b24276e534a32da09645c", + "size": 1159, + "platform": { + "architecture": "ppc64le", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:39f9c1e2878e6c333acb23187d6b205ce82ed934c60da326cb2c698192631478", + "size": 1158, + 
"platform": { + "architecture": "riscv64", + "os": "linux" + } + } + ] + } + ``` + + ```console + $ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{json .BuildInfo}}" + ``` + ```json + { + "frontend": "dockerfile.v0", + "attrs": { + "build-arg:bar": "foo", + "build-arg:foo": "bar", + "filename": "Dockerfile", + "source": "crazymax/dockerfile:buildattrs" + }, + "sources": [ + { + "type": "docker-image", + "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0", + "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0" + }, + { + "type": "docker-image", + "ref": "docker.io/library/alpine:3.13@sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c", + "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c" + }, + { + "type": "docker-image", + "ref": "docker.io/moby/buildkit:v0.9.0@sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab", + "pin": "sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab" + }, + { + "type": "docker-image", + "ref": "docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04", + "pin": "sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04" + }, + { + "type": "http", + "ref": "https://raw.githubusercontent.com/moby/moby/master/README.md", + "pin": "sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c" + } + ] + } + ``` + + ```console + $ docker buildx imagetools inspect crazymax/buildx:buildinfo --format "{{json .}}" + ``` + ```json + { + "name": "crazymax/buildx:buildinfo", + "manifest": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:899d2c7acbc124d406820857bb51d9089717bbe4e22b97eb4bc5789e99f09f83", + "size": 2628 + }, + "image": { + "created": "2022-02-24T12:27:43.627154558Z", + "architecture": "amd64", + "os": "linux", + "config": { + 
"Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "DOCKER_TLS_CERTDIR=/certs", + "DOCKER_CLI_EXPERIMENTAL=enabled" + ], + "Entrypoint": [ + "docker-entrypoint.sh" + ], + "Cmd": [ + "sh" + ] + }, + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4", + "sha256:d3c0b963ff5684160641f936d6a4aa14efc8ff27b6edac255c07f2d03ff92e82", + "sha256:3f8d78f13fa9b1f35d3bc3f1351d03a027c38018c37baca73f93eecdea17f244", + "sha256:8e6eb1137b182ae0c3f5d40ca46341fda2eaeeeb5fa516a9a2bf96171238e2e0", + "sha256:fde4c869a56b54dd76d7352ddaa813fd96202bda30b9dceb2c2f2ad22fa2e6ce", + "sha256:52025823edb284321af7846419899234b3c66219bf06061692b709875ed0760f", + "sha256:50adb5982dbf6126c7cf279ac3181d1e39fc9116b610b947a3dadae6f7e7c5bc", + "sha256:9801c319e1c66c5d295e78b2d3e80547e73c7e3c63a4b71e97c8ca357224af24", + "sha256:dfbfac44d5d228c49b42194c8a2f470abd6916d072f612a6fb14318e94fde8ae", + "sha256:3dfb74e19dedf61568b917c19b0fd3ee4580870027ca0b6054baf239855d1322", + "sha256:b182e707c23e4f19be73f9022a99d2d1ca7bf1ca8f280d40e4d1c10a6f51550e" + ] + }, + "history": [ + { + "created": "2021-11-12T17:19:58.698676655Z", + "created_by": "/bin/sh -c #(nop) ADD file:5a707b9d6cb5fff532e4c2141bc35707593f21da5528c9e71ae2ddb6ba4a4eb6 in / " + }, + { + "created": "2021-11-12T17:19:58.948920855Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + }, + { + "created": "2022-02-24T12:27:38.285594601Z", + "created_by": "RUN /bin/sh -c apk --update --no-cache add bash ca-certificates openssh-client \u0026\u0026 rm -rf /tmp/* /var/cache/apk/* # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:41.061874167Z", + "created_by": "COPY /opt/docker/ /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:41.174098947Z", + "created_by": "COPY /usr/bin/buildctl /usr/local/bin/buildctl # buildkit", + "comment": 
"buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:41.320343683Z", + "created_by": "COPY /usr/bin/buildkit* /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:41.447149933Z", + "created_by": "COPY /buildx /usr/libexec/docker/cli-plugins/docker-buildx # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.057722191Z", + "created_by": "COPY /opt/docker-compose /usr/libexec/docker/cli-plugins/docker-compose # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.145224134Z", + "created_by": "ADD https://raw.githubusercontent.com/moby/moby/master/README.md / # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.422212427Z", + "created_by": "ENV DOCKER_TLS_CERTDIR=/certs", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-02-24T12:27:43.422212427Z", + "created_by": "ENV DOCKER_CLI_EXPERIMENTAL=enabled", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-02-24T12:27:43.422212427Z", + "created_by": "RUN /bin/sh -c docker --version \u0026\u0026 buildkitd --version \u0026\u0026 buildctl --version \u0026\u0026 docker buildx version \u0026\u0026 docker compose version \u0026\u0026 mkdir /certs /certs/client \u0026\u0026 chmod 1777 /certs /certs/client # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.514320155Z", + "created_by": "COPY rootfs/modprobe.sh /usr/local/bin/modprobe # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.627154558Z", + "created_by": "COPY rootfs/docker-entrypoint.sh /usr/local/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T12:27:43.627154558Z", + "created_by": "ENTRYPOINT [\"docker-entrypoint.sh\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + 
{ + "created": "2022-02-24T12:27:43.627154558Z", + "created_by": "CMD [\"sh\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ] + }, + "buildinfo": { + "frontend": "dockerfile.v0", + "attrs": { + "build-arg:bar": "foo", + "build-arg:foo": "bar", + "filename": "Dockerfile", + "source": "docker/dockerfile-upstream:master-labs" + }, + "sources": [ + { + "type": "docker-image", + "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0", + "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0" + }, + { + "type": "docker-image", + "ref": "docker.io/library/alpine:3.13", + "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c" + }, + { + "type": "docker-image", + "ref": "docker.io/moby/buildkit:v0.9.0", + "pin": "sha256:8dc668e7f66db1c044aadbed306020743516a94848793e0f81f94a087ee78cab" + }, + { + "type": "docker-image", + "ref": "docker.io/tonistiigi/xx@sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04", + "pin": "sha256:21a61be4744f6531cb5f33b0e6f40ede41fa3a1b8c82d5946178f80cc84bfc04" + }, + { + "type": "http", + "ref": "https://raw.githubusercontent.com/moby/moby/master/README.md", + "pin": "sha256:419455202b0ef97e480d7f8199b26a721a417818bc0e2d106975f74323f25e6c" + } + ] + } + } + ``` + + #### Multi-platform + + Multi-platform images are supported for `.Image` and `.BuildInfo` fields. 
If + you want to pick up a specific platform, you can specify it using the `index` + go template function: + + ```console + $ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")}}' moby/buildkit:master + ``` + ```json + { + "created": "2022-02-25T17:13:27.89891722Z", + "architecture": "s390x", + "os": "linux", + "config": { + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Entrypoint": [ + "buildkitd" + ], + "Volumes": { + "/var/lib/buildkit": {} + } + }, + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:41048e32d0684349141cf05f629c5fc3c5915d1f3426b66dbb8953a540e01e1e", + "sha256:2651209b9208fff6c053bc3c17353cb07874e50f1a9bc96d6afd03aef63de76a", + "sha256:6741ed7e73039d853fa8902246a4c7e8bf9dd09652fd1b08251bc5f9e8876a7f", + "sha256:92ac046adeeb65c86ae3f0b458dee04ad4a462e417661c04d77642c66494f69b" + ] + }, + "history": [ + { + "created": "2021-11-24T20:41:23.709681315Z", + "created_by": "/bin/sh -c #(nop) ADD file:cd24c711a2ef431b3ff94f9a02bfc42f159bc60de1d0eceecafea4e8af02441d in / " + }, + { + "created": "2021-11-24T20:41:23.94211262Z", + "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", + "empty_layer": true + }, + { + "created": "2022-01-26T18:15:21.449825391Z", + "created_by": "RUN /bin/sh -c apk add --no-cache fuse3 git openssh pigz xz \u0026\u0026 ln -s fusermount3 /usr/bin/fusermount # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-24T00:34:00.924540012Z", + "created_by": "COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-25T17:13:27.89891722Z", + "created_by": "VOLUME [/var/lib/buildkit]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2022-02-25T17:13:27.89891722Z", + "created_by": "COPY / /usr/bin/ # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2022-02-25T17:13:27.89891722Z", + 
"created_by": "ENTRYPOINT [\"buildkitd\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ] + } + ``` + ### Show original, unformatted JSON manifest (--raw) {#raw} - Use the `--raw` option to print the original JSON bytes instead of the formatted - output. + Use the `--raw` option to print the unformatted JSON manifest bytes. + + > `jq` is used here to get a better rendering of the output result. + + ```console + $ docker buildx imagetools inspect --raw crazymax/loop | jq + ``` + ```json + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "schemaVersion": 2, + "config": { + "mediaType": "application/vnd.docker.container.image.v1+json", + "digest": "sha256:7ace7d324e79b360b2db8b820d83081863d96d22e734cdf297a8e7fd83f6ceb3", + "size": 2298 + }, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b", + "size": 2811478 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:726d3732a87e1c430d67e8969de6b222a889d45e045ebae1a008a37ba38f3b1f", + "size": 1776812 + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:5d7cf9b33148a8f220c84f27dd2cfae46aca019a3ea3fbf7274f6d6dbfae8f3b", + "size": 382855 + } + ] + } + ``` + + ```console + $ docker buildx imagetools inspect --raw moby/buildkit:master | jq + ``` + ```json + { + "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", + "schemaVersion": 2, + "manifests": [ + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:667d28c9fb33820ce686887a717a148e89fa77f9097f9352996bbcce99d352b1", + "size": 1158, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:71789527b64ab3d7b3de01d364b449cd7f7a3da758218fbf73b9c9aae05a6775", + 
"size": 1158, + "platform": { + "architecture": "arm", + "os": "linux", + "variant": "v7" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:fb64667e1ce6ab0d05478f3a8402af07b27737598dcf9a510fb1d792b13a66be", + "size": 1158, + "platform": { + "architecture": "arm64", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:1c3ddf95a0788e23f72f25800c05abc4458946685e2b66788c3d978cde6da92b", + "size": 1158, + "platform": { + "architecture": "s390x", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:05bcde6d460a284e5bc88026cd070277e8380355de3126cbc8fe8a452708c6b1", + "size": 1159, + "platform": { + "architecture": "ppc64le", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:c04c57765304ab84f4f9807fff3e11605c3a60e16435c734b02c723680f6bd6e", + "size": 1158, + "platform": { + "architecture": "riscv64", + "os": "linux" + } + } + ] + } + ``` deprecated: false experimental: false experimentalcli: false diff --git a/_data/buildx/docker_buildx_inspect.yaml b/_data/buildx/docker_buildx_inspect.yaml index c4a1e234cd..a47bba0dcf 100644 --- a/_data/buildx/docker_buildx_inspect.yaml +++ b/_data/buildx/docker_buildx_inspect.yaml @@ -11,6 +11,7 @@ options: description: Ensure builder has booted before inspecting details_url: '#bootstrap' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -21,6 +22,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_install.yaml b/_data/buildx/docker_buildx_install.yaml index 0f771a6c9f..4505430685 100644 --- a/_data/buildx/docker_buildx_install.yaml 
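Review bot: The samples added under `### Format the output (--format)` disagree with each other for the same references. `moby/buildkit:master` shows list digest `sha256:3183f7ce…` in the `{{.Manifest}}` output but `sha256:79d97f20…`, with different per-platform digests, in the `{{json .Manifest}}` output. `crazymax/buildx:buildinfo` reports `source: docker/dockerfile-upstream:master-labs` in the text and `{{json .}}` outputs but `"source": "crazymax/dockerfile:buildattrs"` in `{{json .BuildInfo}}`, where the `alpine:3.13` and `buildkit:v0.9.0` refs also carry an `@sha256:` suffix that the other two outputs lack. Readers use these fields to check which digest a tag resolves to and what a build was pinned to, so the samples should come from one capture, or the section should add a line such as `> The outputs below were captured at different times; a moving tag can resolve to a different digest on each run.` The `--raw` sample for `moby/buildkit:master` matches the `{{.Manifest}}` digests, so the two JSON samples appear to be the odd ones out; if this data file is synced from the buildx repository, the correction probably belongs in the upstream docs.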
+++ b/_data/buildx/docker_buildx_install.yaml @@ -9,6 +9,7 @@ inherited_options: value_type: string description: Override the configured builder instance deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_ls.yaml b/_data/buildx/docker_buildx_ls.yaml index b248c2b772..bbe0509043 100644 --- a/_data/buildx/docker_buildx_ls.yaml +++ b/_data/buildx/docker_buildx_ls.yaml @@ -3,21 +3,20 @@ short: List builder instances long: |- Lists all builder instances and the nodes for each instance - **Example** - ```console $ docker buildx ls NAME/NODE DRIVER/ENDPOINT STATUS PLATFORMS elated_tesla * docker-container elated_tesla0 unix:///var/run/docker.sock running linux/amd64 - elated_tesla1 ssh://ubuntu@1.2.3.4 running linux/arm64, linux/arm/v7, linux/arm/v6 + elated_tesla1 ssh://ubuntu@1.2.3.4 running linux/arm64*, linux/arm/v7, linux/arm/v6 default docker default default running linux/amd64 ``` Each builder has one or more nodes associated with it. The current builder's - name is marked with a `*`. + name is marked with a `*` in `NAME/NODE` and explicit node to build against for + the target platform marked with a `*` in the `PLATFORMS` column. usage: docker buildx ls pname: docker buildx plink: docker_buildx.yaml @@ -26,6 +25,7 @@ inherited_options: value_type: string description: Override the configured builder instance deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_prune.yaml b/_data/buildx/docker_buildx_prune.yaml index 8c41fa9ecd..43ca9074fd 100644 --- a/_data/buildx/docker_buildx_prune.yaml +++ b/_data/buildx/docker_buildx_prune.yaml @@ -11,6 +11,7 @@ options: default_value: "false" description: Remove all unused images, not just dangling ones deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false 
@@ -19,6 +20,7 @@ options: value_type: filter description: Provide filter values (e.g., `until=24h`) deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -29,6 +31,7 @@ options: default_value: "false" description: Do not prompt for confirmation deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -38,6 +41,7 @@ options: default_value: "0" description: Amount of disk space to keep for cache deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -47,6 +51,7 @@ options: default_value: "false" description: Provide a more verbose output deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -57,6 +62,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_rm.yaml b/_data/buildx/docker_buildx_rm.yaml index c0c12905ba..2c730bba46 100644 --- a/_data/buildx/docker_buildx_rm.yaml +++ b/_data/buildx/docker_buildx_rm.yaml 
@@ -7,12 +7,47 @@ usage: docker buildx rm [NAME] pname: docker buildx plink: docker_buildx.yaml options: +- option: all-inactive + value_type: bool + default_value: "false" + description: Remove all inactive builders + details_url: '#all-inactive' + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +- option: force + shorthand: f + value_type: bool + default_value: "false" + description: Do not prompt for confirmation + details_url: '#force' + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +- option: keep-daemon + value_type: bool + default_value: "false" + description: Keep the buildkitd daemon running + details_url: '#keep-daemon' + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false - option: keep-state value_type: bool default_value: "false" description: Keep BuildKit state details_url: '#keep-state' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false 
@@ -23,15 +58,38 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false swarm: false examples: |- + ### Remove all inactive builders (--all-inactive) {#all-inactive} + + Remove builders that are not in running state. + + ```console + $ docker buildx rm --all-inactive + WARNING! This will remove all builders that are not in running state. Are you sure you want to continue? [y/N] y + ``` + ### Override the configured builder instance (--builder) {#builder} Same as [`buildx --builder`](buildx.md#builder). + ### Do not prompt for confirmation (--force) {#force} + + Do not prompt for confirmation before removing inactive builders. + + ```console + $ docker buildx rm --all-inactive --force + ``` + + ### Keep the buildkitd daemon running (--keep-daemon) {#keep-daemon} + + Keep the buildkitd daemon running after the buildx context is removed. This is useful when you manage buildkitd daemons and buildx contexts independently. + Currently, only supported by the [`docker-container` and `kubernetes` drivers](buildx_create.md#driver). + ### Keep BuildKit state (--keep-state) {#keep-state} Keep BuildKit state, so it can be reused by a new builder with the same name. diff --git a/_data/buildx/docker_buildx_stop.yaml b/_data/buildx/docker_buildx_stop.yaml index d67e473c20..a020c63289 100644 --- a/_data/buildx/docker_buildx_stop.yaml +++ b/_data/buildx/docker_buildx_stop.yaml @@ -12,6 +12,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_uninstall.yaml b/_data/buildx/docker_buildx_uninstall.yaml index 802544c435..f223be2ba0 100644 --- a/_data/buildx/docker_buildx_uninstall.yaml +++ b/_data/buildx/docker_buildx_uninstall.yaml 
@@ -9,6 +9,7 @@ inherited_options: value_type: string description: Override the configured builder instance deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_use.yaml b/_data/buildx/docker_buildx_use.yaml index ba6aa21dd4..a68847cd2e 100644 --- a/_data/buildx/docker_buildx_use.yaml +++ b/_data/buildx/docker_buildx_use.yaml @@ -13,6 +13,7 @@ options: default_value: "false" description: Set builder as default for current context deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -22,6 +23,7 @@ options: default_value: "false" description: Builder persists context changes deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false @@ -32,6 +34,7 @@ inherited_options: description: Override the configured builder instance details_url: '#builder' deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false diff --git a/_data/buildx/docker_buildx_version.yaml b/_data/buildx/docker_buildx_version.yaml index b3eff7cbbe..09b6052e1d 100644 --- a/_data/buildx/docker_buildx_version.yaml +++ b/_data/buildx/docker_buildx_version.yaml @@ -1,6 +1,12 @@ command: docker buildx version short: Show buildx version information -long: Show buildx version information +long: |- + View version information + + ```console + $ docker buildx version + github.com/docker/buildx v0.5.1-docker 11057da37336192bfc57d81e02359ba7ba848e4a + ``` usage: docker buildx version pname: docker buildx plink: docker_buildx.yaml 
@@ -9,18 +15,11 @@ inherited_options: value_type: string description: Override the configured builder instance deprecated: false + hidden: false experimental: false experimentalcli: false kubernetes: false swarm: false -examples: |- - ### View version information - - - ```console - $ docker buildx version - github.com/docker/buildx v0.5.1-docker 11057da37336192bfc57d81e02359ba7ba848e4a - ``` deprecated: false experimental: false experimentalcli: false From 89fcd81809834b779b680fa3204ff5a9b1790b14 Mon Sep 17 00:00:00 2001 From: Jerae Duffin Date: Thu, 10 Mar 2022 11:32:28 -0600 Subject: [PATCH 02/18] updated experimental features --- desktop/mac/index.md | 54 +++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 36 deletions(-) diff --git a/desktop/mac/index.md b/desktop/mac/index.md index 180fc96d8b..0560d29ed9 100644 --- a/desktop/mac/index.md +++ b/desktop/mac/index.md 
@@ -162,49 +162,31 @@ Type a JSON configuration file in the box to configure the daemon settings. For Click **Apply & Restart** to save your settings and restart Docker Desktop. -### Command Line +### Experimental Features -On the Command Line page, you can specify whether or not to enable experimental features. +On the **Experimental Features** page, you can specify whether or not to enable experimental features. -{% include experimental.md %} +Experimental features provide early access to future product functionality. These features are intended for testing and feedback only as they may change between releases without warning or can be removed entirely from a future release. Experimental features must not be used in production environments. Docker does not offer support for experimental features. -You can toggle the experimental features on and off in Docker Desktop. If you toggle the experimental features off, Docker Desktop uses the current generally available release of Docker Engine. +#### Enable the new Apple Virtualization framework -You can see whether you are running experimental mode at the command line. If -`Experimental` is `true`, then Docker is running in experimental mode, as shown -here. (If `false`, Experimental mode is off.) +Select **Use the new Virtualization framework** to allow Docker Desktop to use the new `virtualization.framework` instead of the ‘hypervisor.framework’. Ensure to reset your Kubernetes cluster when you enable the new Virtualization framework for the first time. -```console -$ docker version +#### Enable VirtioFS -Client: Docker Engine - Community - Version: 19.03.1 - API version: 1.40 - Go version: go1.12.5 - Git commit: 74b1e89 - Built: Thu Jul 25 21:18:17 2019 - OS/Arch: darwin/amd64 - Experimental: true +Select the **Enable VirtioFS accelerated directory** sharing option to enable VirtioFS. You must install Docker Desktop 4.6 or higher and macOS 12.2 to use VirtioFS. 
-Server: Docker Engine - Community - Engine: - Version: 19.03.1 - API version: 1.40 (minimum version 1.12) - Go version: go1.12.5 - Git commit: 74b1e89 - Built: Thu Jul 25 21:17:52 2019 - OS/Arch: linux/amd64 - Experimental: true - containerd: - Version: v1.2.6 - GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb - runc: - Version: 1.0.0-rc8 - GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f - docker-init: - Version: 0.18.0 - GitCommit: fec3683 -``` +VirtioFS is a file system that shares information quicker by utilizing a virtual machine and host kernel located on the same machine. For example, the VirtioFS daemon ‘virtualization.framework’ runs as a separate process on macOS and allows the Linux VM to directly access files on the macOS host. VirtioFS can also take a file and map it into the Linux VM’s memory space, removing the need to copy the entire contents into the VM’s memory and making the file contents quickly accessible from the host. + +VirtioFS helps developers share the source code volumes located on their host with the container. Meaning that changes made on the host automatically propagate to the container without rebuilding the image. +When developers make changes to a file and save it on their host machine, the changes do not sync automatically with those in the container. Due to this, developers use the `docker run -v` command to share the source code volumes located on their host with the container. This causes slower performance for users and also decreases productivity. + +When using VirtioFS, changes made to the developers' files located on their host system will quickly sync to the container file system. They can then view their changes instantly in a browser or a page reload. + +> **Note** +> +> Currently, Apple’s VirtioFS implementation on macOS Monterey does not +> include this mapping functionality. ### Kubernetes From 5b980e16ddff9a126f779dd47373c038d9b92038 Mon Sep 17 00:00:00 2001 
From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Mon, 14 Mar 2022 09:41:52 -0500 Subject: [PATCH 03/18] Update desktop/mac/index.md Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> --- desktop/mac/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/desktop/mac/index.md b/desktop/mac/index.md index 0560d29ed9..64c115a9f5 100644 --- a/desktop/mac/index.md +++ b/desktop/mac/index.md 
@@ -176,7 +176,7 @@ Select **Use the new Virtualization framework** to allow Docker Desktop to use t Select the **Enable VirtioFS accelerated directory** sharing option to enable VirtioFS. You must install Docker Desktop 4.6 or higher and macOS 12.2 to use VirtioFS. -VirtioFS is a file system that shares information quicker by utilizing a virtual machine and host kernel located on the same machine. For example, the VirtioFS daemon ‘virtualization.framework’ runs as a separate process on macOS and allows the Linux VM to directly access files on the macOS host. VirtioFS can also take a file and map it into the Linux VM’s memory space, removing the need to copy the entire contents into the VM’s memory and making the file contents quickly accessible from the host. +VirtioFS is a file system that shares information quicker by utilizing a virtual machine and host kernel located on the same machine. For example, the VirtioFS daemon `virtualization.framework` runs as a separate process on macOS and allows the Linux VM to directly access files on the macOS host. VirtioFS can also take a file and map it into the Linux VM’s memory space, removing the need to copy the entire contents into the VM’s memory and making the file contents quickly accessible from the host. VirtioFS helps developers share the source code volumes located on their host with the container. Meaning that changes made on the host automatically propagate to the container without rebuilding the image. When developers make changes to a file and save it on their host machine, the changes do not sync automatically with those in the container. Due to this, developers use the `docker run -v` command to share the source code volumes located on their host with the container. This causes slower performance for users and also decreases productivity. From 221230797eadbafb52a7bf98caf000ae438d8c30 Mon Sep 17 00:00:00 2001 
From: Mathieu Champlon Date: Mon, 14 Mar 2022 19:18:36 +0100 Subject: [PATCH 04/18] Merge pull request #14361 from mat007/docker-desktop-4.6.0-release-notes Docker Desktop 4.6.0 release notes --- desktop/mac/release-notes/index.md | 48 ++++++++++++++++++++++++-- desktop/windows/release-notes/index.md | 39 +++++++++++++++++++-- 2 files changed, 82 insertions(+), 5 deletions(-) diff --git a/desktop/mac/release-notes/index.md b/desktop/mac/release-notes/index.md index 6cbb46d6de..1a62a6f6f5 100644 --- a/desktop/mac/release-notes/index.md +++ b/desktop/mac/release-notes/index.md @@ -23,8 +23,8 @@ This page contains information about the new features, improvements, known issue Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next. -## Docker Desktop 4.5.0 -2022-02-10 +## Docker Desktop 4.6.0 +2022-03-14 > Download Docker Desktop 
> @@ -35,6 +35,49 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro ### Security +- Fixed [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847){: target="_blank" rel="noopener" class="_"}, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container. + +### New + +- Docker Desktop 4.6.0 gives macOS users the option of enabling a new experimental file sharing technology called VirtioFS. During testing VirtioFS has been shown to drastically reduce the time taken to sync changes between the host and VM, leading to substantial performance improvements. For more information, see [VirtioFS](../index.md#experimental-features). +- The Docker Dashboard Volume Management feature now offers the ability to efficiently clean up volumes using multi-select checkboxes. + +### Upgrades + +- [Docker Engine v20.10.13](https://docs.docker.com/engine/release-notes/#201013) +- [Compose v2.3.3](https://github.com/docker/compose/releases/tag/v2.3.3) +- [Buildx 0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0) +- [containerd v1.4.13](https://github.com/containerd/containerd/releases/tag/v1.4.13) +- [runc v1.0.3](https://github.com/opencontainers/runc/releases/tag/v1.0.3) +- [Go 1.17.8](https://golang.org/doc/go1.17) +- [Linux kernel 5.10.104](https://hub.docker.com/layers/docker/for-desktop-kernel/5.10.104-379cadd2e08e8b25f932380e9fdaab97755357b3/images/sha256-7753b60f4544e5c5eed629d12151a49c8a4b48d98b4fb30e4e65cecc20da484d?context=explore) +- [Qemu 6.2.0](https://wiki.qemu.org/ChangeLog/6.2) + +### Bug fixes and minor changes + +- Fixed uploading diagnostics when an HTTPS proxy is set. +- Fixed the systray menu not displaying all menu items after starting Docker Desktop. Fixes [docker/for-mac#6192](https://github.com/docker/for-mac/issues/6192). +- Fixed a regression about Docker Desktop not starting in background anymore. 
Fixes [docker/for-mac#6167](https://github.com/docker/for-mac/issues/6167). +- Fixed missing Docker Desktop Dock icon. Fixes [docker/for-mac#6173](https://github.com/docker/for-mac/issues/6173). +- Made checking for updates from the systray menu open the Software updates settings section. +- Used speed up block device access when using the experimental `virtualization.framework`. See [benchmarks](https://github.com/docker/roadmap/issues/7#issuecomment-1050626886). +- Increased default VM memory allocation to half of physical memory (min 2 GB, max 8 GB) for better out-of-the-box performances. +- Fixed copying text from terminal in Quick Start Guide. Fixes [docker/for-win#12444](https://github.com/docker/for-win/issues/12444). + +### Known issues + +- After enabling VirtioFS, containers with processes running with different Unix user IDs may experience caching issues. For example if a process running as `root` queries a file and another process running as user `nginx` tries to access the same file immediately, the `nginx` process will get a "Permission Denied" error. + +## Docker Desktop 4.5.0 +2022-02-10 + +> Download Docker Desktop +> +> [Mac with Intel chip](https://desktop.docker.com/mac/main/amd64/74594/Docker.dmg) | +> [Mac with Apple chip](https://desktop.docker.com/mac/main/arm64/74594/Docker.dmg) + +### Security + - Fixed [CVE-2021-44719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44719){: target="_blank" rel="noopener" class="_"} where Docker Desktop could be used to access any user file on the host from a container, bypassing the allowed list of shared folders. ### New 
@@ -63,7 +106,6 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > [Mac with Intel chip](https://desktop.docker.com/mac/main/amd64/73305/Docker.dmg) | > [Mac with Apple chip](https://desktop.docker.com/mac/main/arm64/73305/Docker.dmg) - ### Security - Fixed [CVE-2021-45449](https://docs.docker.com/security/#cve-2021-45449) that affects users currently on Docker Desktop version 4.3.0 or 4.3.1. diff --git a/desktop/windows/release-notes/index.md b/desktop/windows/release-notes/index.md index 9163ebe01c..a117d0868d 100644 --- a/desktop/windows/release-notes/index.md +++ b/desktop/windows/release-notes/index.md @@ -23,8 +23,8 @@ This page contains information about the new features, improvements, known issue Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next. -## Docker Desktop 4.5.1 -2022-02-15 +## Docker Desktop 4.6.0 +2022-03-14 > Download Docker Desktop 
> @@ -32,6 +32,41 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > Windows](https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64){: > .button .primary-btn } +### Security + +- Fixed [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847){: target="_blank" rel="noopener" class="_"}, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container. + +### New + +- The Docker Dashboard Volume Management feature now offers the ability to efficiently clean up volumes using multi-select checkboxes. + +### Upgrades + +- [Docker Engine v20.10.13](https://docs.docker.com/engine/release-notes/#201013) +- [Compose v2.3.3](https://github.com/docker/compose/releases/tag/v2.3.3) +- [Buildx 0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0) +- [containerd v1.4.13](https://github.com/containerd/containerd/releases/tag/v1.4.13) +- [runc v1.0.3](https://github.com/opencontainers/runc/releases/tag/v1.0.3) +- [Go 1.17.8](https://golang.org/doc/go1.17) +- [Linux kernel 5.10.104](https://hub.docker.com/layers/docker/for-desktop-kernel/5.10.104-379cadd2e08e8b25f932380e9fdaab97755357b3/images/sha256-7753b60f4544e5c5eed629d12151a49c8a4b48d98b4fb30e4e65cecc20da484d?context=explore) + +### Bug fixes and minor changes + +- Fixed uploading diagnostics when an HTTPS proxy is set. +- Fixed the UI stuck in `starting` state forever although Docker Desktop is working fine from the command line. +- Fixed missing Docker Desktop systray icon [docker/for-win#12573](https://github.com/docker/for-win/issues/12573) +- Made checking for updates from the systray menu open the Software updates settings section. +- Fixed Registry Access Management under WSL 2 with latest 5.10.60.1 kernel. 
+- Fixed a UI crash when selecting the containers of a Compose application started from a WSL 2 environment. Fixes [docker/for-win#12567](https://github.com/docker/for-win/issues/12567). +- Fixed copying text from terminal in Quick Start Guide. Fixes [docker/for-win#12444](https://github.com/docker/for-win/issues/12444). + +## Docker Desktop 4.5.1 +2022-02-15 + +> Download Docker Desktop +> +> [For Windows](https://desktop.docker.com/win/main/amd64/74721/Docker%20Desktop%20Installer.exe) + ### Bug fixes and minor changes - Fixed an issue that caused new installations to default to the Hyper-V backend instead of WSL 2. From cb5f0d2aa9e9edc6021ab9c7d4a4a15011dc72db Mon Sep 17 00:00:00 2001 From: Jerae Duffin Date: Tue, 15 Mar 2022 21:38:10 -0500 Subject: [PATCH 05/18] updated virtioFS --- desktop/mac/index.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/desktop/mac/index.md b/desktop/mac/index.md index 64c115a9f5..7d370ca077 100644 --- a/desktop/mac/index.md +++ b/desktop/mac/index.md 
@@ -174,19 +174,17 @@ Select **Use the new Virtualization framework** to allow Docker Desktop to use t #### Enable VirtioFS -Select the **Enable VirtioFS accelerated directory** sharing option to enable VirtioFS. You must install Docker Desktop 4.6 or higher and macOS 12.2 to use VirtioFS. +The 4.6 release of Docker Desktop for Mac lets developers use a new experimental file-sharing implementation called [virtioFS](https://virtio-fs.gitlab.io/){: target='_blank' rel='noopener' class='_'}; the current default is gRPC-FUSE. During testing, virtioFS has reduced the time taken to sync changes between the host and VM up to 90%. For more details, see our < need link for 4.6 blog post>. -VirtioFS is a file system that shares information quicker by utilizing a virtual machine and host kernel located on the same machine. For example, the VirtioFS daemon `virtualization.framework` runs as a separate process on macOS and allows the Linux VM to directly access files on the macOS host. VirtioFS can also take a file and map it into the Linux VM’s memory space, removing the need to copy the entire contents into the VM’s memory and making the file contents quickly accessible from the host. +To enable virtioFS: -VirtioFS helps developers share the source code volumes located on their host with the container. Meaning that changes made on the host automatically propagate to the container without rebuilding the image. -When developers make changes to a file and save it on their host machine, the changes do not sync automatically with those in the container. Due to this, developers use the `docker run -v` command to share the source code volumes located on their host with the container. This causes slower performance for users and also decreases productivity. +1. 
Verify that you are on the following macOS version: + - macOS 12.2 or later (for Apple Silicon) + - macOS 12.3 or later (for Intel) -When using VirtioFS, changes made to the developers' files located on their host system will quickly sync to the container file system. They can then view their changes instantly in a browser or a page reload. +2. Select **Enable VirtioFS accelerated directory sharing** to enable virtioFS. -> **Note** -> -> Currently, Apple’s VirtioFS implementation on macOS Monterey does not -> include this mapping functionality. +3. Click **Apply & Restart**. ### Kubernetes From 10ece0b9f4f4466719dfbe45680ababf009bb64e Mon Sep 17 00:00:00 2001 From: Jerae Duffin Date: Tue, 15 Mar 2022 21:47:04 -0500 Subject: [PATCH 06/18] updated domain --- single-sign-on/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/single-sign-on/index.md b/single-sign-on/index.md index 76b66efe4c..57e9e40ac6 100644 --- a/single-sign-on/index.md +++ b/single-sign-on/index.md @@ -109,7 +109,7 @@ The following video walks you through the process of configuring SSO. ### Domain control -Click **Add Domain** and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com. Docker currently supports one email domain for each organization. +Click **Add Domain** and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com. Docker currently supports multiple domains that are part of your IdP. > **Note** > From c8d0d5c8f8fad629217ea7a1ef30160b6406367d Mon Sep 17 00:00:00 2001 From: OusSaidi <58995208+OusSaidi@users.noreply.github.com> Date: Thu, 17 Mar 2022 16:41:46 +0100 Subject: [PATCH 07/18] Fix small typo --- language/java/run-containers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/language/java/run-containers.md b/language/java/run-containers.md index f102375c66..baf210f8f7 100644 --- a/language/java/run-containers.md +++ b/language/java/run-containers.md @@ -143,7 +143,7 @@ $ docker stop trusting_beaver trusting_beaver ``` -Now that our container is stopped, let’s remove it. When you remove a container, the process inside the container will be stopped and the metadata for the container will been removed. +Now that our container is stopped, let’s remove it. When you remove a container, the process inside the container will be stopped and the metadata for the container will be removed. To remove a container, simple run the `docker rm` command passing the container name. You can pass multiple container names to the command using a single command. Again, replace the container names in the following command with the container names from your system. From 0e25106fb0b7bf43a11067506ac32c303c84e3d1 Mon Sep 17 00:00:00 2001 From: Jerae Duffin Date: Wed, 16 Mar 2022 07:47:10 -0500 Subject: [PATCH 08/18] updated virtioFS --- desktop/mac/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/desktop/mac/index.md b/desktop/mac/index.md index 7d370ca077..d5822f0f5a 100644 --- a/desktop/mac/index.md +++ b/desktop/mac/index.md 
@@ -174,7 +174,7 @@ Select **Use the new Virtualization framework** to allow Docker Desktop to use t #### Enable VirtioFS -The 4.6 release of Docker Desktop for Mac lets developers use a new experimental file-sharing implementation called [virtioFS](https://virtio-fs.gitlab.io/){: target='_blank' rel='noopener' class='_'}; the current default is gRPC-FUSE. During testing, virtioFS has reduced the time taken to sync changes between the host and VM up to 90%. For more details, see our < need link for 4.6 blog post>. + Docker Desktop for Mac lets developers use a new experimental file-sharing implementation called [virtiofS](https://virtio-fs.gitlab.io/){: target='_blank' rel='noopener' class='_'}; the current default is gRPC-FUSE. virtiofs has been found to significantly improve file sharing performance on macOS. For more details, see our blog post [Speed boost achievement unlocked on Docker Desktop 4.6 for Mac](https://www.docker.com/blog/speed-boost-achievement-unlocked-on-docker-desktop-4-6-for-mac/){:target="_blank" rel="noopener" class="_"}. To enable virtioFS: From a3b576c0a8a13ceacff3ced52e7b891d6652257f Mon Sep 17 00:00:00 2001 From: Nicholas Rasi Date: Sat, 19 Mar 2022 18:38:49 +0100 Subject: [PATCH 09/18] Fix Small Typo --- language/nodejs/develop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/language/nodejs/develop.md b/language/nodejs/develop.md index b0e4b77223..7e5e975bb1 100644 --- a/language/nodejs/develop.md +++ b/language/nodejs/develop.md @@ -86,7 +86,7 @@ $ docker run \ node-docker ``` -The `yoda_notes` at the end of the connection string is the desired name for our database. +The `notes` at the end of the connection string is the desired name for our database. Let’s test that our application is connected to the database and is able to add a note. From 2b7977895e2aa1e1b1ef15d4c3b4c1fba6c5df85 Mon Sep 17 00:00:00 2001 
From: Emmanuel Briney Date: Mon, 21 Mar 2022 19:06:22 +0100 Subject: [PATCH 10/18] Docker desktop 4.6.1 release notes Signed-off-by: Emmanuel Briney --- desktop/mac/release-notes/index.md | 22 ++++++++++++++++++++-- desktop/windows/release-notes/index.md | 21 +++++++++++++++++++-- 2 files changed, 39 insertions(+), 4 deletions(-) diff --git a/desktop/mac/release-notes/index.md b/desktop/mac/release-notes/index.md index 1a62a6f6f5..c4ab400062 100644 --- a/desktop/mac/release-notes/index.md +++ b/desktop/mac/release-notes/index.md @@ -23,8 +23,8 @@ This page contains information about the new features, improvements, known issue Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next. -## Docker Desktop 4.6.0 -2022-03-14 +## Docker Desktop 4.6.1 +2022-03-22 > Download Docker Desktop 
> @@ -33,6 +33,24 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > chip](https://desktop.docker.com/mac/main/arm64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-arm64){: > .button .primary-btn } +### Upgrades + +- [Buildx 0.8.1](https://github.com/docker/buildx/releases/tag/v0.8.1) + +### Bug fixes and minor changes + +- Fixed diagnostics upload when there is no HTTP proxy set. Fixes [docker/for-mac#6234](https://github.com/docker/for-mac/issues/6234). +- Removed a false positive "vm is not running" error from self-diagnose. Fixes [docker/for-mac#6233](https://github.com/docker/for-mac/issues/6233). +- Prevented spinning in vpnkit-forwarder filling the logs with error messages. + +## Docker Desktop 4.6.0 +2022-03-14 + +> Download Docker Desktop +> +> [Mac with Intel chip](https://desktop.docker.com/mac/main/amd64/75818/Docker.dmg) | +> [Mac with Apple chip](https://desktop.docker.com/mac/main/arm64/75818/Docker.dmg) + ### Security - Fixed [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847){: target="_blank" rel="noopener" class="_"}, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container. diff --git a/desktop/windows/release-notes/index.md b/desktop/windows/release-notes/index.md index a117d0868d..d330a8272b 100644 --- a/desktop/windows/release-notes/index.md +++ b/desktop/windows/release-notes/index.md @@ -23,8 +23,8 @@ This page contains information about the new features, improvements, known issue Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next. -## Docker Desktop 4.6.0 -2022-03-14 +## Docker Desktop 4.6.1 +2022-03-22 > Download Docker Desktop 
> @@ -32,6 +32,23 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > Windows](https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64){: > .button .primary-btn } +### Upgrades + +- [Buildx 0.8.1](https://github.com/docker/buildx/releases/tag/v0.8.1) + +### Bug fixes and minor changes + +- Fixed diagnostics upload when there is no HTTP proxy set. Fixes [docker/for-mac#6234](https://github.com/docker/for-mac/issues/6234). +- Removed a false positive "vm is not running" error from self-diagnose. Fixes [docker/for-mac#6233](https://github.com/docker/for-mac/issues/6233). +- Prevented spinning in vpnkit-forwarder filling the logs with error messages. + +## Docker Desktop 4.6.0 +2022-03-14 + +> Download Docker Desktop +> +> [For Windows](https://desktop.docker.com/win/main/amd64/75818/Docker%20Desktop%20Installer.exe) + ### Security - Fixed [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847){: target="_blank" rel="noopener" class="_"}, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container. From 09932fda23506867a66c3052f4a28b7fb5a76762 Mon Sep 17 00:00:00 2001 From: Jerae Duffin Date: Tue, 22 Mar 2022 10:18:00 -0500 Subject: [PATCH 11/18] updated user manuals --- desktop/mac/images/whale-x.png | Bin 568 -> 33694 bytes desktop/mac/index.md | 12 ++++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/desktop/mac/images/whale-x.png b/desktop/mac/images/whale-x.png index 60981c9e5cfa60288b14c05f93a24f93d45ce559..4bf96240b9085b36480ab584a6a8d759647e2606 100644 GIT binary patch literal 33694 zcmc$_Rcswh>?ay*!wqxNFgDB#C(N9NnW{P^>+72vo7U}rzfZ9 zr>EyC|mL17$znJ<2|C25xm^{|MIi>ITb zlfAuzwY818xrL#jk+zPmnwq+zqN0?vw1|iZCnu+?tDA?1r>B>Xx3`b4ub-cve?UNB zP*5-s2nr1ii-?Gfii(bnjf;yj&d&Y&7o3-uUszaFTwGdK zR#8+|RZ>}3UR_^V*I3igQrFbh*xJ$D-qqgT+1A$H+}zsO*i>KNP+MD9U0qXIS(R5@ zo|9jko?DQdnH!su35rYd35iIwi%$c4Ow=f^)JvQ;^Zn~!`ZV}`W1zQbWWHo^}1 z;atSdnB!`f>0*n)LX+-%gVtQV#$27+Y^}pctx-m$u}^bw=Xui5Rq5>QBj}!<+FpSiN54yb$z&vF@x|Vp(X95fv7*^ZA zeSAJr$|t>f-1zpGE7gPtAqO?@z~7kr$n_-rRm!pWHUw>i3ys}^*gxBOX@A0aa^bq| z=sXG;@g}8YOH+B5*_ct+!on+(6uH_jW}G$FjGy@f@TlKhiFRqPxZL}#W6P$w(W7Bq zPwxjSGQwdF@lV2`W$K+@a+1$gOsej?dqvl6g5NP89buHMl4XXkmFSYOP8TI$OVhIr zZ5gmrfRm=meveMsn4vT2(BLPKgllJce7Q+*gZ;G40#nj4538tNEOZ?LkG;orYkMP( z%T?KRYbyliqmfvvYX`9IZp<)5#?M%5sn2BBw3IY}#w~X|d?h+as$d%T-X&flkRc6B z$mMZ^3oZN$i}!6HkQh{xLo3nOW9G8K43?Xe(cYrkB~K&K2&9*D$BNlyiq2&azSoJGndIgo$J zV4iC%OS8NDlxcYe_nrBcOzAzG`kpADMXp|K3E7d+t$&v(DuEHfwIw#TK~rcTc@39< zjab20`Y|KV?!)2KT~S6P8eOeSJ-b-1+b1-Bm4PJBBd(^iS@ZDU5TisVRGcO%D*m-TpAL5i! z=Av0(aJsSN$BiAo4vmq@b^m+^^A788uLSDPJ_G#OMXaS%08>;$tSdH38)tDR;+~U& zn*13s7z-6HX)sUD0!jUv=eN}8sR(+$ zMQ~1pY(yxbszU}O;rhCIdUF;Le%vLPPLe=f($vwBCt2yOVI_l=oqltU!9 zU^$-*!mKiDFQ+&cP#G|i3@KKrdRn`1>2%>3>9heL$Q@X*y`T4%ONBR4p!6O(vC^Ut zqr^v(v?E=BDoPCX^FY(jQ_o%F(Rcgzr2v?J=oCgFhDC!UpikM}fUA8kWw?cD418p` zN(5eVpq{AcBdg@)t2C=gv@9bPi&9ea{oHpp%lTAOSN45M7qPh(bDh+;m|wBKC*i3T zlBdf~LumYxYyozmg}9A+zct^?2jo#SI-QDgW{(%LMTk*M`rM>`FI>!IpkXIy=QSa? zMr^>ngB`SQVTi?p!sxd+W{cs?Gi7 zO<OHXpc3lcrHJMB|J(6aQFcU(TAJ zk+4WR!YVrUL((?HybY$8RYUOup$ns2}7Wxk(xneZmj4 zTFuVlVo%n#F5%zoJVn8F zUlfxDhzRQXJ_V_~)w$gtq@o?4%*%_>$5=Q}t8Fn$t?-Y#G!x5yiTxH|>g)wCvn)8+ zBZ~rUj=>ZgZV|A4d5Ob{&UP~Yz9+O^(K3-R4u0% zi$*3|U^y4G+d|*2j|%drZ#fU$WrtH8&Gne?xi?&K-z0(i+m8I*rsX~oLKq zna=#L0@8xjc)O$4q6`{V_7?gmuM4><0wHe+q)mnmmf;!PZ-SaXt+dQ&%RTH#oY}`! 
z>-cbRCDPgxODE>C_@MzGEKJ|YbBqdRQeor4K+cIT1x7qx7yys9&qx^5{PBuND%y9a z?rAt^&~<&o#4Q;(&Wq@`Y!ei!6X$mC8lXA_ zLP;-Ac_ev4hT&O_ek&VS?T0K=9VCWp2Jef!81O1$v62y4c_?b+1EF}U`4J~80)2Di z#*_#Em(DhF^d3W2RXrLwMfjkOY+53Ya;B}DlbbOxLo}3F$Hb&u$ktpXJUH`X5Z00# zCCGE^NBi7D?vy$0eBnU4B3r#-nG$PmG}N|(2wdmy(7PX4%xd;XL;^`~`Rde5)#<8nW|_w#j{y zSCPD!fgra))bAh(<*JNU47}Dvf(m3-33D`Ypcw&etE-GUi_ZMGlK?{X#I;Yg>Pb=}q_9QiPj*`hC%Ov!d1{40MhX$&R@Wy9^F z)#1o#S$HDp=N|;gaYM2b?zmboI{g^xM|#)9JnOwuO7i)!6Le8uL{Pc}=IL{NMd(?2 z-dRSgZs&2DRx2|CAx12bj^yZJ>qhc)xT|hZvWCEHu>ap*N=~y%^)=b5;}_{AGrL8h zSsP-}V7F-}!h;8db;J7-mIh|RMhL(qR7b2aYifJD@ZSnXiJ6F;HV@0B7@y^zg)*t| z{7gHzwS3Qd(?3)tWPr@Sm41Ck@@!&wzohQv0f3;{LC49V z?EQiPsN>9gH*b$hwLZ0L=mIf>^AaA7hyTeT#tpidZ&0a7)IdCuL) z3d@^Ec8Wv>5f6_gE@|cRe0=h;K#Mrxr;hST3ch$5avnCUWhrR`yUAu$JPNE${JGSi z5w@+uh}X##EBwoyN(`U-IT&wzve-E%N4gXf#7Y@sMa(O4ua+@Z%6xdD%&mIVHG>ae zx}+^jRUwA^ql_z!SCgmmT=i`^wxZQdQ8{prrtdsX8U0*qQ_^8gHHkl_Qgk@;wM3Us znE=3bNn4j*m-idR89~B8A7xO?(K(Q*J)o}1o zIqU&P2*>dsI>sl-*G)(Vq$JOSg6vf${p}209SC`m_HGrDC+zt#1Qzpu?%NrJO?6V* z8pys=5^UR*`o>glxbE7aOTul7^iTy}Gh!q9Oi-jaOfnM3-N~bf z;Kdwi=GHPRip*w|P1KcXa||L|{K~5Qhr}Q=^-{}nK!w(}%Z6>37lGTBxs#aDiQi0F zPPGm5ML@&5?V>PC!_Zx}pt)SJCDEupd(iPW6HDIy>2F>Eb`q}4OI3PDU0%NDjy;{j zu!}}^?yWxD?s)cN^XcE9;#m8c@yH-_0Q|OqJ~wd})c#Datpb~QUtZZ%1zz#pgAPB_ z^R0Yh#nd<@2wgiMGIqkZRhSoly6Q{uhd%QWb~#>Som}DSqs5evuhY}SEA{W0^PH|z zw&UgEEers>o#CF>{HhQCTSnAyJuO`GrTZIrKt-$R1R?))$!=sCU%EDDC8knQ$P<&A z3-Iq`;wyyYKRbPMPHQV=?v9SB#3qyf*E zCUD05f56QD17vQHBtcz6!1YQMCTYO>e^vRv0got=FI}$C;X(-h-e0vh>U9gWIX{$v z++v=d!}DPJkY{*adUZmHP#>n4{9M}W2WO@}nGC!yiyic8YMqa>{Xh2Sx&BA7dHQ(Vl2)tKD}cP;jTl zxu&_`zz~JEX^zZT7|MTDRcb)T@ zU@jrQui@_3ElK|mp?A0C`6jGkM;|lvN)k-V6Nv9Tq_vbk*ZJ18^ky1L&j#7;9E`4w z=Njy<11bD?r=SZ0DF)an4pW9r2^t(q$d;WO%DCoJOveY%{t0qTeNi+U5WUmrcYA!a zpjFW` z^%Xqy5MR#GpbIoG!t4BvV@8gi1KX zm~}}x+^Vm|rbN^8XX3v%m&c+{aid$)3Nae+^=9;$@wC^H8396b{ezoa`3h*B)7~j?$*=aesTW-8X z;7GErSwyi3FPVvrYV0t$WVew~qcO8ycGkJP>ITQmq4V)sJOzjtQ-O+Z7qeHyZ_* zykpt#Bil4;)erTS?#FH))TZw5d_9NnH&A-@7<>L))IV#Efv~KV-;QI`cv@JkOX`g4 
zdaWA@s>efEtx>v+sNz*6*p-LA$<8)A&4me`(xx+87bJ%4(ctVDyxV{Q+g3)iH}3PH zJZ(FAxB*{C*P&2hNWlMl{zaDr8BmfZnhGhbrVPe}5Ca}7LBxaqf8tF!uwstAt-U>e ztJ$xB@b+}kTzkL!&1M6KEk*(hgw2<|VH~C||IZ7JR|H_+!GB9K4L%>nr-k^t z)pG>iH=xqkF?m^NFh9T3xTp-R1MoPI`U@uTG1y$^gZN;83KQHwR)N-zmX=@VCRAe& z^+bdJ8y@5KF3I68KeFZ1%x0;qWk!FaMZ7}&Z>M~mG4yu*s@Jypl~W9xUrFq(w!K6_ zqSR&&0t*zR+Xf?++EnpiY__>^L|V~wX*G`4mNMK4V>KO}-|EPb_+>>^j8>qW_`N#w zycxdl|Jfe_o<;gGiU`ReG7)k4E6Dj)`(?Ops%)52ovu{POJz!Q6FP9OYO$(2=~Ao7 zBLlZs{yT`oHlUI78vR@VdwN~+8sW3G$gFjqA3nIUq4eUu^Bh`VqcNxXuqnoDt~AS_ z8;SSe$J10(u^l}^53H4Kel#yO1&LZ9y5v}6XSp6jVwtby=&^6cg8yL$Hwp+O8qgG_ z^4IE#tkH~t)bSrQVfSV?3qr0t(Olm|lV~z(eU{`-ruS4hB?WOd;7=Ae?wSS6%nYW< z6M~aHpp}DT0D}-7D2f4Z)PCa?fq48=?$7G$F$<=iDrm;lm6F%lMx1D8tc-Q+_O~#6 z3_+&saPN#Cc^IfI#TOQ<)7uXqdzKb3E1|EfA-S)0xY#o@-oTGJUS^Uu;Eq_mzka_C zy^NAG^Qo#0Z3-%8N>?e%TshRrRUra`J2i33e^{a&EVVN zv*WNZXg&g`H>%>2bRe)H3vZ7Vh{p-l{p(_gc=~t_@l@A{UPI$Mvvk5sX7b=101N3- zD9FT;&TNrGVsoJ|bTUckbg8~I>#C@O^u-iYu+xTUL$_WMq`z}L(|o28R5Qe_FB8g5 z`E?e@LKtm<8ABPX4N8gqZTpA4wpiaH2*Ke9+x`2GzoAd0y(})A;(E)Dgv%Tc8Rzp+ zyyBxS6;w8PNp;YCUgNgj#|&FsZ0rsXBQuB{DFo@NL$GtK4^%S8l6!EZfkG_oU2NS1 zCM^2G3;-5wrD1eSCzStug)%MS8d-XfkySn8YM|m7rsGxbyizJRX2+*0RFJP;U08GA z%t#VPTH^yuZv$BFt8g>2BDQ|Z`BQdedvme~xY`^gfob?t3Bnb`9d7La7YXPVcV6n_S}|3cE}NVPDvNH75mX%6 zIe1?2HW4k8qNJ*HW(cw-6m=>iRmrTGw-^A=2MOgAP3$_1+oz;=-AO^MsZm4AFEm1c zPW7&}*CMBU|AS&{j9TG>x;myZ8#yh8AzO%4|iAA9qO27Xpi zCkX#UBLP@+;w?F;G?c3Qf{JuYB}%o%HRaSD*eT{|))tcWFUGw9%b6h2)%xFLny1-d z93Ougk!GIT{(hLJWAPY_(Nclw-u9`tgdN-rnRM;`{sqd-2P+AVQSd@MU5fEa(>{Ki zg(a|2rO7#pU%oXxV>8Li@v6x1hx9bk`22uROI8td99O1>*DsXV^-9L>{EPH|mZ$ilQ^ zFQpxA{dS(sE{@DoZX>VB>TOE1Q4DwTO@y^UKEjbxN^jUr`;*t!>Pzv#QO~fQg`yVA~*Y*J%G|x4&E< zKmX(6_h(%mZG`X_Z*+bICB?1baczroTM zKd9`3^N3)PI&Jv@+wf#hs6Zw~B+3mp&Q!dCTIoA3JF2+m+^vMei!%-vUdfyD#(EjB zp4Jq@Pf7(%;|D`H&+!-k29-X$e~$6#I$8Rkx;KM2<;7$)YtsMKtRl0L75k{|EL@oZ zJu}O_HQcpL2{LR{^so_f{V;}@8wzQ%*j$iYlh9%)nA7Wr$}j(cKu!x$!#U z?u-IBN-RFPh60hC(HRv7mc5}5z5?m?;vkF^b=n!yB!@aJ*H10Sn40YJ9zKk;$=pgV 
zjHIFe_ki?-NdjgbVzAW1R8aUz)!;1LG&u+&$L$;QL*1(;09YxPgfsJpv6%;-UdYQO z%)IH#_}V^Gbr1z2rrHfhn>-(HQX)JOYHk<8*?c-FHoSy|*4jt3ms)Jiu6Um<+p67Q zg!H{h)485&w6nFoKCv@(L!djoq^I{_Qiz7^m)&;jl|3TdY|6OoMThSg zC!jyMIdzg$RNH-4i|)i*@rgW`ix4$vT$PmNN?}Uac&_moI47uhm8ZQJbEjN>PEmNj z+vb4ADmrJ*#Cio4W?x_t?Ny)jOM=1K8?s|^#l=}leXoipSTCvj^7$VkOREVfuEkER z5{tm8Hktx&t#@`Wyr_%|;vU;Hy9xJfY9QjrLe4g5XsjMXBaEOjz{uRD-7lxS;kb73 zk)Mi8Y~A@UR9IF9XZ*PfC*PKX(o$Id+I}>rk)5y0I3a>vxYFL3Uml-sI&|Bn zK^1wH9|6a*nvMY#Ii>sJrNwCZr&q}=Yr^p+l-B923y__@UVND`0c+X8RxAI&Zp;R@ z_x>*Y&l(bxZx>q;(D%RcLisIz0{306y&Ip4TyC&)@f%(NT@Gy(Bekp!(~k2&H=OQC z@l&s8Y)_rePYamwc=dre=j<^xpMVu@^s+NOuu4TMAty|D*#MjXm}GF-J0Gf$i@psb4t~t$SR^MWpUVM{-Uq7n}xHqy#G8=}vES*lvAYKr+IH6!Oq~TTM zz+$;Nf+92i*K7_%3FQre30I--w;4%b0)eg0YiWkng|8X|tYXKn*_6IJiy~4$D0`!F zH>xa#P?eXVdxGjyr8x*&pKv?=X$vp%p(0>V0(J8Dst#K6TjrC?@1i;{H9s|)FwQ4E zf|1rSKdmu(soN?>3m-oXVg(84wH$0eMm0LMrWpHJNfWw5S6;Lx-O{SwS|#V9d@*{G zs(Yu}(+E1_^6{?qRW}J2|EW?Dfz5@``M}Kbb_hASza+r6s8vS2Rmku%BE&<+(RR^J z4gCbWO#3E@M}Zc47c*vbgYbP(12GQ-b%jvu)rw_;Xs=ElUhjlz3P=)PG;jD^229$7 zfoMKpFD7%NIxmfKg8~hmPCi8e@pdSb`G$0~c1K#pK=<6da7sr)_3*tPTMpQ{Lcru2 zq0>lYwwwRne&qfaxeV~2#aG|WLZXe^&hg(2BSak*X_cz6h|om`tUx`c`#T5O@^hs1 z3^yBJ>95HfaH(X`&W$(y)Yh%xH3|@+*G@kfYf7Xx;jTr zWXkhGNh0azT5*<)f{J=g2Ybu!!XcJn(adyTyW}X!R(D{~`Z&QiG5Yu4&I36MT;W?- zj+!SxmLkrfuHR=bkx5~QzMe*OE;H2l7{>O~Bk8VXf@BlCrv>wJ!YtV>ab~yt@z{T* zs8z(pr?Aw478F#9#aiLg6nL5#A&>~>PnTWm-ce-PA1Vrl-Y&El8yFVb_!9I_Sk>ENK6h(LBa zcNCw9hm2sd_*(qlO7CBYtfwUP0kz5_u zKCZNLHd-sqwt1V4ny!1ApC`af?!MfEbukOW{@Qeg-1rprlU#C-OX%On)(@eN*Z$!{ z!Swfq`PXR_&$gROB$$1U-PeSfeDyiMO)T&mzo))a=O=RXypJa-eM4jJ!uliRZil92 zqb|o@lxnuO0D}NS2j?2IvKYZ$%v(&_cXqKU=QO9%NVKQF(Xik}TWAzKQ@BcNxW9XZ3^D8u>sU*C6bBdJjQ z_3?p8f`DNCEIW4~kpmJx9X9#0qHi~BGc_2Dto2tINVCAA)V$uuOrD6u+sCl!RZHoF zic(VMS4WWHSejP#z>BBkxZff&UAQ7DgQeRQaWiHcy)umaEfvv>ezCQkzA6trf22$+ zX52gS3@Ym6{o>eka=J$<{$+Da?TglGGVlZY`uu#4CV%KM?c^MI*L_E5 zCJ}MsbdxgTaCPGe-;yU(NtymvTHlTJ1S95T&zAK~#az%0`}Jhu79ABQqSJbpR!uyC z2Ini2E5Znu 
z5wl+(Lze~w#QSg7hlCShWCTJStYPj48vjn)6=nG~@du2HZQi1Ugvj=PsJ-Ellxzg& zUQ-~hlm{SwJSg3+KXf|W9&)niTDFi}<$ie{Z+kxcOTo_jo>&*O5DPegu8(_*B=R3- zvmq51IngwLB79%`1I{Is`?_{8@OM5w_y6}o{gV0)%j(6h@W5T(Y0sc6qVMzJrc2s$?hV-;i5jWAKZ-HGYtDs8+i)<(N5(&ZFIlHn#|Cavqe(io) zaNM8}Vtk&xSU5fZRP^aA>)5R1hAas$gOi8^%j#_ge&wvury>_mchW*FfiXrLxV*ThVwz^UJJnXWW3UB6_;^xMC+Z6 zQf(Q|hpsZgKD3Bus8LkA$FFxn1?k~C6npN4jz#Ud$;HkFPQUe;$*pzQCY* zSn#k<3k6!)LaZP~S?S&)U+N_Y>*HMm(9JSIB}mq`JH32}Oi$OVDw)@+ttv=Sc;EDwhqKa6RX9 zXD%G|^3*awzh_J?pPcG9>g8%+5n^aV?#`sC&85XT>#d6 z$+GXtTQ*oj4Om81zZgBSjB*zYR=G&wH#mB&mjIVYtVZuISz2IHT!IG7?xOL!sLbM= zaH7LD8OrER(uG~V!PhBkH(0T33Gr!`f3&1LAXhSztZ$B~*yf+7_XY$j)if-jFq`No z^-bSL`Ttrfw|&jd2s2v2))+OXGdgiY03F#vBs$w{>v70M+IuJBw<- zM2kQ(fzi0JFW?w`C5>fzrf@W%pjKZ$hAMGXk6?`fvdDd+neRR)=X8}UB*@YAbOVpB z`xeP=o^Er!zE*kCT>riLgBS~qXBH-SoF*t6 z^Z}?Y7r=#VxV}}W+REstL?daQ$&I}QFs6ug2i4fRz(JT}NDy$P86erkN8F4kHBW^< zgCua0ZEFW;N7xqH{$%<#dk`Ts>Vd35m-fU`q7I}&xV$ZFF23oENn<@+4Kk^TZO*o) zPO1Vn>EdWN{kt6r406Nbev77VkL+QMTvC9#1>wW}4SKd`W3dq+`jDM73fX3a%)%T{Gv>vEapbz551_^Q2?l~e0U1|l;0 zjm~uzH2yvgk)cd%>?yW#%b7JE7M4vjGj)gON(CHz1ksiSf_xaK!=RieQB$dBmJYWu}Ql&ZNKV)hV!8mE)Fb3M`7Z|>KhNH zd_*%;zdmh~mVuK=KoUSRgAa%!2B4BT=t{tKshf(cCtG$FKBq?b_v(wdM^_iXNqnQz zU(gGDnBZyS2YhLnUekU&X@VjEApP009ne5Wr3))XF{kb^pt42_{! z%`rsDps~?pOLBV2ELJtrPSX|jZ!+UGdq81x97&naIO&PNq%~}{H>u#88QeCAQW+OL zYMEa0B!<59~YH(=suT( zKW&vFiICiktn-dS>t?hW3LFayZp_q++-xEmE&vVlG@0W9nPI$cU+ROqJ|Pa*%@R+{ z{g_o$#ke^Z%}Z`n!W307%L53u3{_F**@%HStW1*0eKLZlo9*u^0g4Nt&6YbTE%O#gzb*&% zTz}p^=e|aVEifIQv(4mxd7_INU^4Q3>=4RykU^Q0sOV1eC3~;ED;=2tz!O`Htc!Yr zs+rWTnT*b2?s^8bESFi7?N_f}I#B6Eat`l%nJYhjQ?YOtPlY=P#a?e0QzXROi3TbBHoNSQ?>1Up=LHhJspAv0>Xqj! z&KJK^7bRKd7c~||wW>nSf}7>#+XYxO)hd39R0tf0FUdQk^@5D`;UHNTzNe@ToMIjk z6HpwN{-GG9qdVAlAVUiA*%Lb$YbasHD{!y(K}{?Lw#2KL7zvS_N9G2+Z}?#7v! 
zCkDk~pc+Q7-eAY|jJC2c0R!+N{*sN?1qr$`Xs-fPj2=m@Y+PyLV zLVc__1IMU_u=7bCma3yr?}8k+iPCTYJxIRVsHPJ+i}SQT#&Gv4o{J!_n6XkR?E!hJ zqrtl|WOXz({f~RwwB-pKF3e!hRYL$v8c8tnpkWXaCuT4_>xvQ*)yV$`*e%fQ|9ti1 zM~C;bH&$>j=v%nE|G&?7A)$_L?_y)-FId|X=bNkc?teGU-~C?Bb8GT&AB8Tm?VRx? zb9xwTgZqO6VDWHAdV1s*A6&{SWBA&ynKY|xH(SrF&-L{-Q@JgsQ~u#ekn}L3!hv>` zNesu@Gef?^yVbvkM+rN)fBQowWVSy*Nz2)-qTby0wJ8tTjfd;iw%s>2BfE2TZ1DLt zwNJ^nzW(+4ajY8!R|tb4x(ySE9uS5KQ;73!;hzhME+)Yz%1rf}X&6@of+R;1Kz_jw z1IULIeerqCbl;;c=lj8!nheI7+}!qiy#a#PfBdxD{<^e~#Sx1YqctUS&=6g#(ISF` z0JxQJeusmNvNJY9GV|3aUqnNeKpi9@>5H>7Mh=hKG_I9IE2LTB$L;(@Y|IBt)E}r` zCGmw{$?hsEF*VYN(5IpYFl9J{?1fss{Ev|yi@0S1=K|rN!r(!uQ=4hISfrWTqA+m9afcYbcT0&=5HLqJ-{%8LP5*9ZO~DMgx- zQE188OBD-r5%f9Plwxh)KO}g;TY;$Yp4^rhXre>iYO#8iijKP#NS&5`%r3{h*I)bp zbvWsrGJ}0S;c9H4*+K&=Eg;ptzgm2ht|k(RDz;+V9(npZZy%2@;nCEDkk!s$qedjJ z2S7M%%qHWZ9)`5_LHAQNkd{*suXt1C2y;2iV(h8b7u{&9abX%tPE+B|iC8!s?It(5 z9zle_P|YL5d_ca3Gy?-dIphW6486O#9IKYfTYgt1fhpLZ{BA-m`)4k{uk*z=yNYzL z`2~YN`(@hAj)x01tSC?;E|cBJdE8DxbwtTlN5B(dw;yIdDF&33_$}{I9c2O8)Q;Xr z#vqs=j!pO89tI|c@T?D5>@B{3E zl{#YAA01kEvO{TMS`M2Cb#9He@2MTSUy>v0tVyW;i*LP5TE@6A)rn}8#2|e+eMu#6~{i2{yQ~j`=GuE^SblK*cVhIb7*u4BPh~Sud zT!J0G|ErFhjBH+s>Y0x{DQC}q`X zIK}*w+#+)vO%(4_Gx?*;KwAQc2N{)yqKGaLy^BNUIOAAsNjiKea6-pxyNcGLBh#mE z0&H9lvp=tVZ{LONh5Sa94Ax@*s9lBG3ejgaz8DpIUyx(!)B}UY>Q`CTxeZ^7E{tF) zT-<}hej!aZ|0e#^2!M=SYWZo5%d3+0XpBUXCmFDTJN48F(cl7@BwIw&Zv5?HZ+U&H z++03c4b@H%u2HkX;x_6&g+8gQd#}kCaMK2c|GukJxx-v~tsj0d{9;Qx31Zg9!}pO^U3QN}$9oZ(QYGL2SC6l7>Bn@WWyM@rm$ zVmTL%E$J8}-~_ggAiqgdQPV?`nJcJO*m`CXMWXoyISi`^yblrO~H-%jHnSyc+yhrW8Lk*fo- zpwU{oQtoDb0Wp^FfdLg4W0Z_~72i)LzFD2FRPT@Aw|kr>n}ZElrsW*x!1CiFXw-hm}S8l8lWSs@29-`qc+;Ka&P!ZpN#Tt+45!{a z4h1ZcheHxVVgZlZ0HYdoJj#zm{)r{L*g30d!RAJ44tTTWJOhXjYt;a1k|0Y{rPV=n{vkl5*%Qkw}|(7d;5gX1m#wY9KTvHVZK!PuURh==vU-gHEo&w1{Cv_yeZ%J$w8s z=f=^o5Q&n7LGwDJhXBbANAL6Rj?9;;h%|M0xefnULz zU&BajOmvl3CGJf}(2~Unm#VPIGED`I4SG3q#=SqqU!-_c({de|A>X89(Bvd-9wp&9 zIjy#(;PEB09epS|zsq$CJvaw@zTth~pzg4(zdnB$y>IsR*gr+2esK%3{#S_;x=GJX 
z>4+cNz^^uL?rNroF1a{PuF_eQX}+zlziquxV!{uUzsaq^64nv%{MUfpHd{frHA)O2 z=ha`90g=|ooBV(XU~9bcke5}{;aD_sXv}n!kK^Fxaw%w=@J5>`M40T~lNM98>6HE2 z6KD4N3JuSN6!~*_40Hw}4T2RkI7is=L=7Y^N(cvFxD#5)CMGZ$ikp?A*R$c$M<%PG}EGvB|3>}WFC zWM9vD=GcEy$@NU02p0ExPARv%1Snd%1Sw9?OTPQ}e;XK4^2^dn5Qv&dh17mKou{r;P(YQ4;LDUR+9#%+kt$Td@b{F6 zujV&VjXD@>uPJWBuD>W$rL&0vj8LUZaV3Xo%#E6}T5EJBk;$$G(x83!E>#OBDoRYB zgJ&;xx2W=y2=b~J z5rH9xV&^4GGVF8^MuodaoyVeQj4n5!p;QS$#;ZY-I$3A257Ye?*E|@XY7O@qPvXRQ z^eAEKYBgZ^`0KwAkIdvEK&?HHxAq1JKX~;j!uC&3HN#w6ucpAAqW>ZhrT8}n=^FV- z2KP@&f6!p4dPXUzHJ7FNQxoE!7#YO{KQ)wBm%<58n8!J1x+P{6;;VfQ7lgn* zobUIrmq)I1ok-h@a|ioMM2lSeoa)#drw9Iy`(#aVU7XP$yE;16C_n5s^=aF7pxGXR zVSR=%F8(DpWI0657P)+U(>0wwZ+vuLbXQW^&``(a5hJ!(>v;TR)P!HGp80R>qkJ2|0FB%XSzY3 zL<`H`E%BG>sM-2>YEx&7+h*8;`c_<{$PKK{y=Pe5Kvj6AZyeuPGsLH}{xoKB719Iz zIRd(e;q?87w*CCPhDde<1k4n=yZpQeWVYrrjVQRM?U^mk_q+^k5?`;FrU!eXRfQ-* zn7eyVu&4c<+!8~Z6&)nt0;j*+j+Scmy91OR*N`cdEU5uQt&wjOfvoS5MAzc2T@R&-ANyHH8<{9k)mG@kD+*VP z-yVW>*9OpEm=es+8|kz3vs*`X)_X7gz71Sywi{fITS$bNHS?q(3essZs!flUsdS!k zsyEIM?|Gr&n8$j0xy!0Y&_QS^ThTj@Lj7xy{8d^a^53TnFcs1v9KZoNfM9KY$c;tg z9>x@0#u2GjSzs@qcGpuXmcEol=LGZH!G;RYyr2Tsb*zM!lG{#QGJVbJ+a3E5rcL}G2qFtFB;>9nHtd3ka^s8#AXz5K?1$|z6!P5BoH=p(CeMCZ2 z6ou-gZB=t2O{8gwS#r+;hP(_AOxZW1(@zap2SOQH4 z$f-3LdN708#*9RT3aAhPnD0ew(Pj_gu(xEF(N1DON~Vl8RkpH>+Uf(G~vwsAmP_=Y6?R}{_#NWBH=$A7<5ri1_Myks0?)?julmNA1_MaePU z=;6%J@UkuD4LtHh+`SSjSJVwk@1D2yh9diITy>YQ<5&`hb3X{{8#>Aeer$| zQ@+_>m179~iQj1ET%ekV>la2`F=dmKKYY#(>a~#4rZ;AN*lldAc-;&s<;llzBUDSZ z4bd$EB+*9_r`Jk;wavZ08rjFp-wvD&)vxlVNT582WYoKuwn!&PjbX0Mm+ALdXHcNr zm#Tn|7Lb3%6r-Q8j1?hs(( z65QS0-3ji&A$T_K?i&g2?oN>4?tb~5bKh>&t@H4IIBzpmJ>6^d%<5V5P0u%`K&y^( zs)K{F?<6bEzCsk7R%&x@^P$E%?n#`f_6Awio`VfD;*KQIA0aQFBm2vVXh{ejb;>LW z`S2Yp&9{LRiYZCK?H?y)@$0hdFwovhsu=L6-$LO$^`-Hy^&0!UXkjsco<4;ULa_I* z>=P(oQCKPF*#42YK~iA3gW>kr+c)z@f_{+^{vP0xe!BJ=y~Z-`(103+IDsVGCZYKj zXbLM5Q233>S6Omftv<^%=Tf8w$w==fgz6qeFh4WRG-TuhGwcujtC&(2q)rJx=lY%e z$HRZx9tAy1F#)kc?dZFyhP39DmJ&%SSdTOLT*B=xcJ+$dUH7=!U97o;kndLm+*;A8 
zvePu(#{)QDIuk<-6$I(%(Zdk}g2+|XmxP|>Ak5+dFP`bK4sGs9wK8@-u#HPaYRBQk zV1msh@#xVQIeL|Xj50o3K##?;s*!0~q)jME4yb((GU7uvj}>Vt_Z(;+f$Cu=kPY(o zUcNwOVLU{H4lZI(NmRIdbDG}Tx#mp`oy{pU$+;wK5PZf zKQ)inlKghD4Tfq8a%B6l>KI(JuxbV-_G3kwa`2<4f4uM z%gI-pKrAO@<2^nu71xp!wTpf060Co?1<@sB;@IoA&eTL%b;Mnq8NzF-48$%4A4Hg`N>UsX==X|iyncA@N{$PK< zavsW3KE%=@>KUW%jT75U&Z9= z$X`^{_UEj>BdaR-&xcn$-EXv8m&5@u!TUT|TSph?HAKW2gm90LE zv|01u^_$^;2KKv0?_kueE=OcTgKQLyrT5!Y$A`H+E@E*l}fEUayE zBX@NM+8+)Y*t6lOys zenp5tt;=>|qmeXvZk1x)pRLgBwKjX|>iY=s9Bd()y;;8I^<1N_nfh8ea=jF({r=pq zk;~by_Pg5#52<$f-rmLL@8!JpAL`-G?lD#fh2F!Ppo=AHDa8QpT0<5{ym^MGbpGS&C>^qLSV4PhSZ-ns z;h?@YQmY=gBD$`IHYx}*nIBBJ-%iCz4@{mGb1s$?-}HPt+V9V*vPujF8mp=f?61?D zVi&($zl4xe%O^_*gyztV%#%2yNAaq?cvmSR#^A{svDPrGK0N>Y>9_fbfWi<=rG$jz z#Kd`q-&#zmZz8Cab=aohOQAL>)MVW|Mv5Qr@p9JiX{o#Vu9KDC2g{X3ukB*zkSMl& zt+G0NKJF8E_%H?>J9^ zUOEhN510}e#cUjlzy{Ui8kH!{kA+Sh=#yyvDq;pyx{Or>0=?Lv9xr#2iWJ`M z8SP8ue=w8)1jG)UczIN?i?$`Mk)~&00Q^=rXK!|$!?hEV0X6VOdtR2^SifU1M9+hM z9G$zPF`u7v^;-o7qTP_5TKJwC32P!~S!r@2>+{6_ez;iocd-D3-*LvV_S~cbjTs+p z)tLhOgN#8+^2lytMT2lMn_u_oa2nI_%B{jM73{EXY%&mtv9JBn$Eb7!cuQe_HoMR! 
z8n^xC>wT)4T~^2FNc~cEpv*y?SAmot;#Yl6Y6Z)cCxlykR~HRpk8Zh7JxjLxmUmWe z;{Y8g_$3XE98MappBGXDTAUeyRg|I+4i1VDlgb#1Tr$B@>j(KZG?Et$0>ri!`siX0 ztJ_@{^U-n0nrFA607r^Zw+bGI2qUiKg#2&@y?}06+iw+5F7|K`*;1%c%8jjdgsDOP znrl<1x1kNMJWrXA!}{fFqC`Z@k4FD z*UAGoa7ykNe)BYHdfWnXDmurqMnklMhW||57%q0-^ia#iH|@8%r3W{~?_#tNp6Vmd zE3u2V4o&}>i9^TkbrHfseEs{TE3FUxIOYn`!$Hnm`7F4X z&0o>vHtz#|l9)qV|N5C*NFWFB(EABej%KoE!=D4M$ZhM1^>dTLp5VzU6*hzIuXlcd zTR#qr@!IbX?|HV~-#3q+=d{J@u)5##<%Oq+HRK#DC%@;ni8^}1&xMtNc6fb-&PR(B z^COOIsQ3S=xm$YDC9GDcF;D`=RBAJ;mFmU?f9IVoJ-Ggj0y$4+jJZ(^?Uy@~o^#Vp5iQ;AEzR$4i%L-9i2~!2DsON@gE@Th z#)n$)k?;C*)3464)()_tk1D29b^FD-(YgSlMmiDmcxxJZlMHD=j&zqn4u`G`6sdB) z)w&+|0=MjVDIZ<8PCUq6EKNG`Pg*D3Vf8Avdq-1$F?jB_ZN+xQL6;>GAwB=+|BS9p zBp36e*{p>qBy%B8JoK#GPgV+;hsDuv9CEN-=Rf$6w;BF^UO`TxtelT&nNVRHG=0Cg%iHCVR1 zQm7)x`n0od;cYVWHeF#++Q#q&lUtaF}Uz0w#$S$`!DD4St@Y8z6#`5&B zC(7R7df@Q$5%vzMOaie23vUnIm~L8!Km7LZ#-^z3?#BVa zrz}{R#R|vXQRA<-&)14ID>B3d2nZd}R8iGX;?fkx9{uvo@*htv?|{cKa|FDgqaM#$ z$c{@nEYoaOpFhyll{`P#K5i*%6d^k)F25_%iUB`bU;y5|;ql2TYKKWz5hrvHQKl`?1@pNvdRu?|4?xe?Ieb_2mSV*A^DH8$A+f zrX%5%TO%1WHKW6!o^-Od3y@?~tgEBb#rpZZO;KxUhzgTKhdD;R$5b0~NDETCIWB>1 z4PUO_elb{7PlB?a3oIQjXy%7tH%jrv69qu9R=>+oAGeV3)LA49`I8x+p|F(t;j+Ie zO;(yVO;DO^)SA*rGZFGmPraUwShfNWz0ZS_&73RqPZ8h*pf(@rp71ENVs1rN7OE(v zFBc*oBCYG=Mbx*vd>Z^q1y#9atWChz=@6=l#Hf&kc+~k|nhv>8Vp+{D+DZQKlZo$Q^Q@FS9splT zr(4)?BhLw!l8d@Oz#gkMkR`IFd?_1MGpAXKPIVI^ z1Qg0r{AslDwa$k|l&N1C72wC(3z#FDj&3TvZEQ1I&PYi6U6xfo8k5mi>~lf^Ix|=4 zB(h93vMgE;;TV(2q#jiqm|mSb4GB1#DLdZcpT^ z)667FHGhqQc+*t)w8ORO>CEGyQxgwdY7AR-n2LqQGgcqnscDKf7}Itev3Ho&nDDI` zCwJK=`f3v^kU1vZ8W5VqBXt>>GClrYPnFP?DTd~f7;{bDmD+u$yHSNCU>i=Ku|YAf zU5qWR3#^@CUHq+EKCItrj>$gxsuL1Gr!_Vz{{kXLRYA-;Vznl7fSxD5yF>>$f%vDZ zgA8shzQDF!B>>9GKDHaI~5BzINSnyl@ zxl9AfxAv1P9AOoD- zg)~oFYOtWSPll$gMF$ZH=4hhr1AW1vOECj*CdK2!Laa4gyDhvn*)jt+HF(BMqh8!j z;xJMHwykYCRz+_T3H8p>oFt!*OqQ@mUPBf04x@u&ej={6xv$kSdW9VsEm7BSB&Aoh z(U8}D$|^HKaUN$JyAa#70Kqp7F}1hyY|NndahuKo06K_(mA)qc#*PiRL&g?1qhV#79|@&4mwz#6N--Wofser6XtQ@flYt>~ 
zsP3^ytrUxpqg*k(K*mjguTrEW3vCYRYSV155*93d1$6X7B#5j|Qz~lsKqx?w3~GXF-$?K%}N$!3g9qIxIZZDNi-+h;8$reO=Y zh+E;36H-Ao9rze4{~L_K39SIxoURx8`G^AyEuM|jEaePGbyRbfp!!|&q>;&iYYap4 zu`_HS3$^$hdL|c9dh{Ir3~XB$Le^^R`}`X+38~P<#eRTh=%@+n3wV45_o!`)$Eoj^QtwKS{y0@;Y#Ye5# zSph{~g#8Tncl4lKh$$4yE|2-<;~Q;^iU!T;>JYIhXffx^m!l2PR>KBm~nyXkU2GITn{OuP)6>*U-ofvPX zysg*aPt?jJ1{q0M{p1I_&M-ySrv6q3$6=uyR8Jdae&oRK6Xk6MzHZOVd6IlE%?WpW z43nNc1hQ05%@#sBq*<_!s`E$py)#arvhAwHHTZ2av0lIx6{Z(*3^=B_@o(H({!sZ$ z^ILGWB4AKbsLw#+$YFO+i=PwJ_QB2$z$uiV53iNoE(NHNk7Igk6>FcwAk;Gu?OPlm zo8Q3UGgvCvI?eyH-W^KQrIK-A(T&9la_Uev_r`{wg=Ucq`P`81iB?k1G559~F%hSl zDKBrudno6WX)2~q>YX^|#rKlPg#W?8^Zi=K(83$(Fa?>UytPWNkV^YsZ2Xc-8QQ_q zxLr)6KKiqmpqv?zj0^@L1K325z{lL$I<2grS7&4TtToy)I0nqgu0IxCSW+xnQ+tzP zhI_>5y1=V|8R8Z?NXBElFYjZW_5d_agJ0H(?8i-#SCdn`5G>t$o9@Ze%a5VEDwBq$3 z4>KEu8VaGJV&tz6$wC4#Y>Ee5HN20kA z3+tur*3JJICJb{MrR~9kZjB+4*EslRjN(7a>Lds(kckw&c;(YaTlbEz<1b={_;%j= zWr>z3q)w5H=37tDE`^JC>Ql+XMg;RJPpXCoyN334&5WW5t%>;iK>@(HwUo>mtdP?kK~FNMTdL zrK-seE(>|c_#{HF5BEDuG@uKN><`MGuDsa~5B(2@l1sMlIxj*3FSjluh!%}ew-u)? z4jwM!D|4N=T%ev`4YgtRb{BJB28D{j>@Gu!a8%ystvtC&^=PyUmsi z^?MfRCcQi13m86b*gA_xCWwFQt##~`6nRa-(J6^gQkXnDrNlTS53@Y)7AK9v@B_P_ zt!i3sp*lBu+^zMj)_kBWMh|B7xDl)ikqJj#-OJu~xz~L>teQr?$kn#lyt>@=?5%(M zn>v_>P1>vtNg13BwIAOmB|Z=9`H!xLNRi$g zY-oT|uAs z{SX1)NpJ`?y!EY4f9uEF_kxJG?%U_5LPh?w(4@O1f%vVXz22n* zIw?z%>bX1;30uwTj@!$@xI4LvF1@+#t_oC#F4nD0A=|f``{y=72hLWffB#nEs$k1I zuNKB`YN}yRzkoK+st`jg1>Q4>YmiG;?L4l^kM=gd#dY>nE zj08lUD`*Y1NrpU{7qaH3Yvx- zLo~rSFNc7V!=3xNHzw&n=kcLC+wYqTnl;K~z$EovpWo;+ zkCfl>#xu*s*a6<#P!7+M0p;yZx$D2t^AiE7(B2K(mzNio+K-*lCe_+>8e+QcZ0MoL zw@~wsz~F(A{fVOsT-3ul%7J&a%{-e=zm$ByP3nvPat*g@`0x^bv>Fwm+%{Z(vN(J8 zcHEs5I9Lf`?ReM6I^TNg)%my{d_KI-_5PQ~0EE}>zMk}u3{`CNJuCXM=vWz2RU_FK z0zU9KN6jf&ig?j|9;mXvSgFQ8+fpGOipow5u)V0+>VrNYkmw^{)w|+tw5xrh^vmV? 
znHK!L&J;Gb{oRRZ4T3LiY?HJ_pA!%f3AI*&723yU;$;@H+jrT$0`AV^{t5kK7nXbZ zU&LAOPUVtU;I9pvg9xb%)9uYHRrRuHH`{=x3f3-lcC;MOaR(blYflrWe8R z&{?;nI?bC)s}4O!ie>5uCl=pOajw1oK^~3OGI(pKV#874n~Bnw{jFRL7*T^k1|$WW zatC6x)I60a4FX6ySpfwAgLNXxQ)F>^2fOO3xZyC`r_|uWGkXFH@)lgeN&m7K!@c6Y zn)JMXr0$5+vy;gsSyKXG$1m|qOQeoR8AEMxaf*f`p#8gvRK4=lG2C3gR6ZXqJQ7`9 zCcEZhk7k5;76(7nqOx%K-fBYVl%z;|_54V8^d8p@@iRsUs-+ut$pK^}|J}j-X2Ktp z$T7_)HU=D}2+b!^f130epeUM8+;$4gX0It^|G4%ID!mNI`&6e#=K0pO?tfKoPut5X z&3h_W@~T%BB69rLi(S=1^qM(Qaeg4FbP~9&t#@? zQdp7Eo(Oqmj5KU2bR@Jqh4%gp{Mq`Se{JwIa_W3?0x)u^(Qu*VbUg9^oe^0)0!x+C zaaqh&rbeW?B|%%xe1$&Q64?pK2FBFAHIp`abV{_Y6;ln~MV>JBXb>AVf#%<}&N_s} z_?PW)>H$$i-s*4xrAlqg2Ix7);#dr-Y^lC#luXQw5ScR~i?y(PMkj-cRsodV?=rls z3&kkKm1cZ!O-WF(+d)ulMg4p~mWiRzjFI{*F`J-8v=~MjJ4M8n*5OV=wmxaNHN%>f zukRIoL``Sc46YSLWIllthRhUsHb^@Leo#mxU*ezG@~HkG%m$iR3r-)J!|&ool>9k3 zVUjA+Xp(Ad%Cb}p$v#|wR?#NCT%vk6Ww*-4WU>@qb#V+X(G(<^?9yllGIILgJHto) zW-_X$k5t_lcWm9*pX>%9-vn+Y3E-=7)l3!IHL6mBGile@`s;%az9KPgXQB(Bsfm)w z$&9-YO(9oQhu~ufI>L1b@0FKZ!m25it>i}b<`Qxc0(+?kP1N-xlo!}(w8sg|6vM;Lp!#p9DvAWX;f3AaF?`r+(O z=LgefPIm_e%op%fZam>Y!B#3x&;aIq?)oaErn#xeuMXOqFADEapXRDG4`)Nd;&G}G zig+74z}*7H2M@@Rhx_n>zgT0tg(ZHG0oiEu;mCRcK@gOejc{yWx}ofNHFDB? z%JAV3Cac;<7NkEW-kd)lV3EnK3>?Dj_js{MBCF)AEg8<&Q1^B%0f&CO8MDKR2K$|& zk&~Azl1@;)&Z|_!T!dQ}?4D|LcIz$8a|15c%loEJNXkk_L>M8zVz3EcCY51k<#$09 z_4je}1~S>%KML1pgFo!sBlY8;MVJ&CcT9J!?d|V= zVb_}#@69QG{=dHVwvQFieTzEi@+c;i>HA341!K$Y>tvOmGM_%7R+ogs{z*d7b=z6O zrBi+C7`CQHiKOt_iZ3}wHOm#SMz>_zm-PMMJtPeEyqRZi(;cwTLSi3hm67T$F^RiZ zVmRjVCIfh=YR&Ye7UCD5_iN5w_0y8}AKL6ZD~_vzBx2D+i~0dYq5MY_?N3_AX;D*? 
zj;F=^q`KvNj?KMvLAmC}3pKw`(GAidw+y{iZ_ihGUe_!%6x6WcyJisl$haG4M2fTI zmZCKV3rq6mtAx0Im&ZU+`_fB9t^*BPd77zDk&Zb=!H$MUEDcN^;OdJI;OoMlqjwz} zF3(xbH{D9IAYFI_eQxmd#zB1Ex0gkP+Y)b(EA*3mQy!oRrdk_rKLYOwWooRLc8zrd z7AZAB%Js_cd3%hdp{$~U zG*p>wjbLE9y~g3%fxwnv6I7=Tpa^;ZNvQfkyi0wZF;-&J_wc-8qWokyh0m9yT!Z6v zG~?ezMc+vOK*~b$NPiY1Jq$-C5jJM*DhrDEQT?06kCR4jF!3R_U;Q!f?$0 z<#i=1k1+;Fr@w{Mg79w$*h0wPu)*vgd7omJTomxn2(KKn-wPvH0Y=>+*kS06Gg4So`FK@g}4f#d`j5D~xFpn_{ zTRZ1cJWqLIbhrvLwurAd>nENkqM#3=6eVlO@Q`;75fB6~J{H1{WYPbLLc8BXx6kEe zZ%EC#9E2Yf*0X2p!}iMo3$u{FSMr5A^t+jW$JN+ISc||?@!rRkCrd?JEAPfosXMM4Sq68&*eNtLmhRiF=w+ zy>r~Sz~R=!u56vH9i6IrQT7ZDc%Hc#cV&6*LH)<=u3cLsNnEu=y|Y_r#>E0pm8dlJ zr=}vR%b8N4t(uVCwby`M>I1{ZG#OBpmO*c6gH@7E8Hxwxf5oRIMT3rwH|GN|spl3G z0yY>wO%^D)c2g=*b}I`bc+^dox2%Z2+Qw;# zSI6zMt<8*oCSq~9Yf$L=k_4<07RC1!Z<21UJpcB9ZF9&^v5vitJCtnZrr&E$ew)!c zqKa+w#wb64)wkCGa1gn%W2W2Ox4=udvukvw+c~{MrG`Z z>m1$gkuU@i!iF(t=^tj5#D6@j`+V)>56Oc29+pnU<~{FWTLCcU42I1)@|wa`qct(v ziaV-Ql8Lsa{Z1*_5kcG8iI@7=tXCBp`o1|*nEjKd9x1WV8-$U?H(<4^Kuyfgtw#~H zuLIy>cEoNV$~1f1)zd@jelTL*W5zc1an5>1RL!kf4U^?O$^+y$y=SLW^^zWw3<$ffv%UU zLeb0B*Doe~I%{#{U!3VV-n0PJe}y!gy1s`Dh<Q=CzvT^C{K~c~ccVN-sL<6ZoH~8D%bm)6O z={>*WaydljD3^(k0F2dGDxk|{y;8EoYuzYkg>sK3ue~iidIOXBubgWkrrNp@Cws93 zi?B3|;3gctbfFVuYU+N!FcqpT+E;Bl75cjDmp+{f)~FrWgPhq>NiI?jA4YwqR_$tI zTmlZ;clQw|d9sIXN6jA8O9j>P1QaRt!L`P`kZcwx@T`#ngC06B`R7K5 zbe`@eJN#s9rW10Vd^M8eG&E>+4on%!opl(DYw1H3mVZaYuWdo8ukRt;S#9 zRx78Y@p*-;2I6#n4Pklr_2?ugPDILOd?i?|R65~7}|c>$04Mu&PyY3#AZ3%Y2l^Ruz3sLZDFsz#xuJYdN77Z(?eL53;|=X|?{ zd-c|#d!9N5nB*1~uekX{PVz4^s}YrDs<^mD(lL;Jl`N#TbhW)|k3l%s=-?BS#eEgb zv`F>)q0dl=Iz>=+51-WEl%H+ORXLc*kiH1E%$A#cf|rowuc&dZb{knxu3xC;$=$?& zH`JV%&tN3wQcRZB)`I0H>W@$wQ8{)gfZ;0MYB$$Raup10SdK3@z7 zrBc&Zm#+_bGASytWw(fdclvMdqfOflKR!Eu73qAVf}<6_xSPK(*J$m|d=wmVyVQ=2 zLG&JyqYNy4i_*eHyv+4S`4YywmI~bJ^nNx`25d|xC54U(B^sd4SDaqhHpSVF@fsYN z9vwK@l%Abg@*Sa~$8uBfmVJk{p_!AyaKiX+>I>5e`qrgmWhAUXeP0^Z>cvQo#)iJp zTtQX+%6Uq+w5nQ8iwL?eF&9Z4 zG4u>c?ke-?>fPcxc^D5IkB|aozo9*}S^H79)!o};f?z5h63Lbw!C>tFuV~&!B*^YSMEDv~u|VZP 
zB!7EqeoX|Wl!<)3Tn!1QUb4s}oIwcW&lsxc-brZ4HfcMgME>`UTcmqnINF9ul0A+m zwO}&J0P#nzvzGNbjFZ{|0SVjse1#C-Y|ZfjTmG=#Ig<4L*97z(10RQF$Gi7cP`Co& z+H_pWqR|YG;?n!&>p(o7PtCHMzTe-apOO*S;eh2TA2SSrvg!`H#tC5F$^HwaXQ9dM z{8}Z*{Y8LTv1?vi1R8vb6pg_%uK-@&J^{aZ7=wjJ^Qg+fZ!sY{f52<)rMMKhx@R+J zZZY~CJmSzHVoc{#8%=V!zRL86@}kH&+-aaKyULmm>)oSW%c+lgK4ZWMUc1_&5SmA` z;>5p2w0LCoe$}(hG4vD#MEN#4bgTv0Fm!|z_XhBSlcRvZ)#$$fV4YUkE%oW>(@7@8 zPc`P5^2>G_NKbFCr1&vVr*8F`2HxNuaA~~^Qoh!5$=6`75*qP|*&j8B=|A^BrGT&Q zl4-kr?@e5Ll|Cu}$~$2eCS^?p&v7{+eSM}E5#Lh$UAJE1hC2M`d{@IbU`@>i&fYmes)=s*9&XR;$E zA^yd#EWPJmVMc{@$aLSI)nqzeLuzx_h=0-3S@*t-b6XCIt_{?MTF-^23fOn=V`LV8 zf~G>~Qum-O3}Z^(aE!Uq;8SxLgp4em&|#}9%#m#M>Q(K4wI6Crw}2AKn2G!4_PLcB zkLl7t!xvs&_v_^D(k%-&Lx@Gbw(~7=Gt#9aG%CMe7wnBHB3ESb>--P9sghX9#EVcX z&-<&13918Poxy3gy6fM|X|Bq~F2I7M7>^@irlWh-n!1Laeal1@_tx4uc>V9FcdL?R zZ152QGhet4glP+(TO4$QmBC(o*dVspgRdpFKXtvYAU~jPGjVJ=%CqIU8Zplv;C7MT z%c`?^>^bS@Ch1oEJ6s`4elf#-rSbiJLJ7~hyr>;DRPpv$2Ji9MW?zpC;c7{4UnfGs zWnHPM3qngw{RMcztu>3cINkV+VH!H^^{ufYRsD<8L8i}W@IBmbV_cx8aP>*Mj}z*j zu=3SQ84~@PfUnvO`A6T@q=usb}R9s6@|(RMy>&%lyY7pKzwSVz3QyS4x#zX>OdyvKYT z#xQjg1s|^MBZm>lg2vhBl@QF+K;bHY1|+T&V1{`q2y2v43^|7wPBK}nn(8QJRMs=@rN@s35Xdf=E^^WjI1k=)BLd2n-!`8;j+4{bxs9BEb&brF|}OPe+(aEx$XrGdXaUp8mvY#Dd!*Gk-*ElK1WDgQ2*6P zK8CG>^zNI{oof>$OuS!~I4lx>q@BF~P-E&@8PumDq6R~-g}ks^JP!Og%sXJ4VnNl4 zEi!jR+MOmo0igKh+qV%BK%*luyGVDD5`_Mk%97r+?CkQg`j#T^9MU7a0tRpPS8@K> z)md50?D|1iKmW_fH5Na|)c5Cce}~yN0-EfAI1pVEvrD|)&`KEU(Y<9>mL}s3XrS4( zA!e~QX|`scH504AId#$d!=EuX=GFacqO!cr?}FDoKCT-bJx~{AIQFTH`h;dt(CJrlDZcz-kOomaiKW!nWB&8M{$;C^>Xo%I znc5W;&&V2BF)HexXNN}lEk;NNhG!ZuC#FNncR6F}?mwyLEkj1!ocVI6 z44Jj+Et9)9$HNP>avj~8&+Jn1qEMtySc8Vl>ow*RW`{a2R zG9J54b_`*;p9=ObeF?M+`c!Qs-(j*g&QcQ5NRrR0mmR{WfHE|Nb;jp0?Dk8` zDNGEQNl<~iCnIcha%=8a)#uN`IQ&|bnoH?@F=Go8uWKh0Hup9S?b<(4!m3%OaF>?G zMizYTj!l}|+OnCJ(s^Par@#QLQPkJxbMELpj%M7M?x6$-}Gh2K)AHc6prne)05$`h+UE0? 
zOf+L}72K#oh1B3&*87UI;1$}n6mEA5Mg1u&F=5TWrcnr0YROp9m!(N|`YlP8$ukz9 zmq~=)vE%NLAebNfrq;)_3~8;b%&QiVl%-Ahe@RTXZ(zbY2Ps7$(?^C`!vjgk*Q$$+ zL$jjt(}Cto^+F#{)yFYH0V52lrsE zBE4a30u2GC8@A0}bt+9ZxZ$S;jcE8@Qi61v=^HcLml1$Ru&BQ-Mx=9$j0EqKF50=- z5T$w8Cl92!{Ef7%{jo;FQXV?>T3C>l9GX2<*nLf|)I#iZ!7Y`llLV`86h#Vm;+P7V z8lz8dwN=^+YpmLF3sjEJU@ouJii{quM9@OLHiCzcsF3JvH19e$LJwPvEXC)477+qd zZX)<+#YNOh@pPl^8nx7DE;6}rH%rPYNH4lMht_1}21QK6S!gXBq(=8WZTUvpNedJw z1oDns2pG8TPiw@nql0Hn2Jpc1)$k4A| z;z=K?II?QajqmbTJ@k8X;pjFXnVhV_UApNxeO~zIgB%vT1+!(-PlHiG!_hyTz(FMe zXC5bOXFfFCKUHZ#Q3u?ww_L|aLLAi3$+;H2QwNdIG1Qs^1~ecy|eC#Ew~|F=bNwg_aui&1w`C zfO6#sWc(5BUDm>dF}WCQS%!@8l@w2Y90b=TvV1o~t8vMSD3JLeUqEqq{c!Q=>egc} z{<(Q?u%<6conAb4d-f+yu|~s@SzX(&O@`i6~VkOBVRxXo{ z1^-2(4Q5%l4D5EUYsT;Fs*_28bK-9iU#)%gJ=+;#&g+^SK#lfs+WUM{@1+_k z=hr3T8E2Q@x3S(gR*jym2NkAG@urd`-crc-5;>k!Dj}9cCrBt4;wxj(+6XZfL?`x_ zMGEGr^@`VqvTiQKrC`%1Sd^s(yJlxPa-2wrP=rm`7u_06XQ+>{8 zj;d9RyHN0UaH-hz8)3#;u4~pr5#LiJ?S^|3#J-y?WqCUT<{M`1Q|2q#WBVxm3;{>A zz!v9U93Ys$uB?_ z?$7USC?;#)t0B93xoO{y<0PJWc{OImX7a-DcL?z5uTAD+JyWtuU(ZA_NI*z`j&W6N z-hqqDj!S*x-Y?#Yz(F;dX~=I3-;J~(uvx|rbSg=((`IAWnW1kRjeC6X)#W3N3;V%b|< ze#{lTJhPwy9aQ#0PLva{lP&RV-Kz&*baUN}H_NSXW`;Yh-M{v@ z)%{WoKjk%#cyeRUMS3YXD*Z4S#UL7wC|L1gB}N^*8L;c0%)6K3@c1GycEQ3X0#c0h zyzegA^!IE1b3;Lzs7eh*WSlIMrlJ~s}2H`E#TlNnAb;v={K`@9;7!PoZ`ERD=vfx4}5J5G7RS5tg_z4AU zf5PPuQ@@oUyuOA({o(io2y#EM^GhTIm>-t^7l_mW!4MDzbwG58ADWd)s1Sb`9*O=3 zpZ9V;8zsCz3J>L_Cwz6PzC_K77;JMr4aMu{Ga;V9K5EiTm_y6e< zA;#O&#;uFIr|!y+Io#jz^lHi^9bQiNEux@p)tlPscPBv-d#$K{8OM#IKlDxbt;KP9o^@ z(t?u>;LEP&mVT8+!PSllKb}HK%)p`W+4_{@ss+)|)k?%r(wWr#JaMsyY6%H<*+QW` zF+5^61RH&DXo6x&AO+Rgd-;IoNAJ6wUH~*)!n&UB_xe7P<-(-)+v>S@`dF0moYxSHtg2B%(0 z)g$cY&a&*(kjh-@CJQR%(n**j0Id2GACN#(pJv#rLzjiy>VDEyyX!Q)8h?$zLb-7x zVb~g$Y)8Ku*GwI;RNC?;cB!L8l&pRtHhrc>{HtbZ6`WAMPBU>uqU})sx8^7eT?cu} ztemXsNFX`58n=Dz7-!{3p-e}>My>r!=b+T2@npf}#J$R0>v+9GNywv!EZ>ChL`g@|A|GPs09PpH)^T`UUZDEa)}?VdkzAmpdyi_9Bus zj`l-|(?bO%fEmI8Fe9F{VoKm^G>}~P5oZ(l`lnUpMV=zbUm 
zDt5_(wm?e5DgFg1TN~nCD{c1?g^Jxz7*XGz|0;a?a+zDAuT-69<~YsuWbR>LSLzkh z|Mv0e!ZR3XJhm4-ao_WGRgyZ;9=WfECHI^6_}bioCm{%cMYf;>5Xl57{ooY)e+_@$ zQ&xzN03*$Tg^*zJDKPPWEMOYewWcEcagDJJG7Xz-o;$i-iHATXX1KKzm?)VFfbu&0 zPt_Hp8yj(McJ5U$kQ~tqyIpJiph1TB*Z;2bVz=`W=dq6AkE-ZrJOB8Uc*JV|^n6^`iXv zdiSujHw`c0{~7vJ6B`loH(_FW|GhBK9Xns?N8BaA?HdBiQs`ee&o+pxzsiS4hu3*r z>3#-nzm3DD)V|3}pzLTcpYdtXG%nHVGq ix5P671Ox>4Elc&^VC|+1-Kx(Tgp7oOcs0-{`2PXu6_Qf` literal 568 zcmV-80>}M{P)fzR_r)NKSb;ql>yJlbhPNFQ6DpBC?_qT5sv;S zY1aH$#o8ImNIz{EE!}!Fyg@yQ*6utR-e#OZqWZV*(e!1fwjRA2{#mju$F7inLOxfw zh^o8CqPRtiNsBg6RAxD5t=d6}h4oNRUWnSBu}CPWm6f}Pry#MQ4qqU?Mz(&j5S3+A zv?D&h4*D4@$lgCrCh&|%N3(V^3LBLONXV6B;b|o>aS4Ps%NCYaj3bvG&^x4i&)y9m zGiMEHr!67ltW~7vkJ7UoulC0A_+q_^#_*YtN$Bn!lL1T5Fa*Tsz%Xs`sSm21vTO?t zu=2o2=OB!73Vbm-2flzy(Cg8J_qjqj4zu^c2nSy&(`W59$~hP&;<0NmOkcu8!0pZ2 z^yS=)$KgzzR@(e|eNWze7Vg0sj&KTiiy-9nXeQ@8zF2dme(+*T3JJexG5yTtr-s`3 zaLa*jh-H$H*ASA3JAsJ>kT(0;Xx2?TW#SryA>8J0M}O|XpGSthFNQLl1LM)e&NzAV z5tDvntlM{n>XhRVlT(e5)MCWt*P^1sz?NHo>X5M0pN!}2)h8O7zWVC`0000 Starting with Docker Desktop 4.2.0, the option to turn off the automatic check for updates is available for users on all Docker subscriptions, including Docker Personal and Docker Pro. Update to [Docker Desktop 4.2.0](../mac/release-notes/index.md) to start using this feature. {: .important} -Turn off the check for updates by clearing the **Automatically Check for Updates** check box. This disables notifications in the Docker menu and also the notification badge that appears on the Docker Dashboard. To check for updates manually, select the **Check for updates** option in the Docker menu. +Turn off the check for updates by clearing the **Automatically check for updates** check box. This disables notifications in the Docker menu and also the notification badge that appears on the Docker Dashboard. To check for updates manually, select the **Check for updates** option in the Docker menu. 
 To allow Docker Desktop to automatically download new updates in the background, select **Always download updates**. This downloads newer versions of Docker Desktop when an update becomes available. After downloading the update, click **Apply and Restart** to install the update. You can do this either through the Docker menu or in the **Updates** section in the Docker Dashboard.
From 79a1ea88f39f4ba89b604da8c1167e08dbc2edb9 Mon Sep 17 00:00:00 2001
From: Jerae Duffin
Date: Tue, 22 Mar 2022 08:14:23 -0500
Subject: [PATCH 12/18] removed a caveat
---
docker-hub/registry-access-management.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docker-hub/registry-access-management.md b/docker-hub/registry-access-management.md
index 4a7180635e..bc436e34e7 100644
--- a/docker-hub/registry-access-management.md
+++ b/docker-hub/registry-access-management.md
@@ -8,7 +8,7 @@ Registry Access Management is a feature available to organizations with a Docker
 > **Note**
 >
-> Registry Access Management is currently offered as a Tech Preview to a closed group of Docker Business customers.
+> Registry Access Management is currently offered as a closed beta to a closed group of Docker Business customers.
 {: .important}
 ## Configure Registry Access Management permissions
@@ -60,7 +60,6 @@ Download Docker Desktop 4.5 or a later release.
  * Builds such as `docker buildx` using a Kubernetes driver are not restricted
  * Builds such as `docker buildx` using a custom docker-container driver are not restricted
  * Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
- * You must disable HTTP proxy or use a corporate proxy which also blocks the registries
  * WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
  * Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
From ba7b5195198b9db01f8a85400e4cbde2c45738fe Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 23 Mar 2022 18:21:34 +0100
Subject: [PATCH 13/18] add /go/storage-driver/ redirect Currently pointing to "select a storage driver", but we may be adding a section about migrating to a different storage driver (for users that are currently using a deprecated storage driver).
Signed-off-by: Sebastiaan van Stijn
---
go/storage-driver.md | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 go/storage-driver.md
diff --git a/go/storage-driver.md b/go/storage-driver.md
new file mode 100644
index 0000000000..7281b67b63
--- /dev/null
+++ b/go/storage-driver.md
@@ -0,0 +1,6 @@
+---
+title: Information on how configure storage drivers
+description: Instructions for configuring (or switching between) storage-drivers.
+keywords: Docker, Engine, Daemon, storage-driver
+redirect_to: /storage/storagedriver/select-storage-driver/
+---
From a732b44cd4951c0bb8ce18f04aac0d9165994f12 Mon Sep 17 00:00:00 2001
From: Jerae Duffin
Date: Wed, 23 Mar 2022 14:20:55 -0500
Subject: [PATCH 14/18] updated windows mac
---
desktop/windows/index.md | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/desktop/windows/index.md b/desktop/windows/index.md
index 8cacce2cf3..d73e41f8ec 100644
--- a/desktop/windows/index.md
+++ b/desktop/windows/index.md
@@ -192,12 +192,11 @@ Updating these settings requires a reconfiguration and reboot of the Linux VM. In WSL 2 mode, you can configure which WSL 2 distributions will have the Docker WSL integration. -By default, the integration will be enabled on your default WSL distribution. +By default, the integration will be enabled on your default WSL distribution. To change your default WSL distro, run `wsl --set-default `. (For example, to set Ubuntu as your default WSL distro, run `wsl --set-default ubuntu`). -You can also select any additional distributions you would like to enable the WSL 2 -integration on. +You can also select any additional distributions you would like to enable the WSL 2 integration on. For more details on configuring Docker Desktop to use WSL 2, see [Docker Desktop WSL 2 backend](wsl.md). From d707cc3ec56225d1e6928045b2f84442524aa2fc Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 23 Mar 2022 21:37:53 +0100 Subject: [PATCH 15/18] engine: add release notes for v20.10.14 Signed-off-by: Sebastiaan van Stijn --- engine/release-notes/index.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/engine/release-notes/index.md b/engine/release-notes/index.md index c7cd703be3..e2be29d763 100644 --- a/engine/release-notes/index.md +++ b/engine/release-notes/index.md 
@@ -22,6 +22,27 @@ for Docker Engine.
 # Version 20.10
+## 20.10.14
+2022-03-23
+
+This release of Docker Engine updates the default inheritable capabilities for
+containers to address [CVE-2022-24769](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769),
+a new version of the `containerd.io` runtime is also included to address the same
+issue.
+
+### Daemon
+
+- Update the default inheritable capabilities.
+
+### Builder
+
+- Update the default inheritable capabilities for containers used during build.
+
+### Packaging
+
+- Update containerd (`containerd.io` package) to [v1.5.11](https://github.com/containerd/containerd/releases/tag/v1.5.11).
+- Update `docker buildx` to [v0.8.1](https://github.com/docker/buildx/releases/tag/v0.8.1).
+
 ## 20.10.13
 2022-03-10
From 35e5f3db990972cb15d6993634f53b62119ef817 Mon Sep 17 00:00:00 2001
From: Mathieu Champlon
Date: Thu, 24 Mar 2022 10:51:09 +0100
Subject: [PATCH 16/18] Add CVE-2022-26659 to Docker Desktop release notes
---
desktop/windows/release-notes/index.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/desktop/windows/release-notes/index.md b/desktop/windows/release-notes/index.md
index d330a8272b..0a34afa3f6 100644
--- a/desktop/windows/release-notes/index.md
+++ b/desktop/windows/release-notes/index.md
@@ -52,6 +52,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
 ### Security
 - Fixed [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847){: target="_blank" rel="noopener" class="_"}, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container.
+- Fixed [CVE-2022-26659](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26659){: target="_blank" rel="noopener" class="_"}, which could allow an attacker to overwrite any administrator writable file on the system during the installation or the update of Docker Desktop.
 ### New
From 84d268dec0e76558f6d95a10be19558c0ded5154 Mon Sep 17 00:00:00 2001
From: Jerae Duffin
Date: Wed, 23 Mar 2022 08:33:46 -0500
Subject: [PATCH 17/18] updated configure sso
---
single-sign-on/faqs.md | 24 ++++++++++++------------
single-sign-on/index.md | 16 +++++++---------
2 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/single-sign-on/faqs.md b/single-sign-on/faqs.md
index 7462bee1d0..4d6927fcb8 100644
--- a/single-sign-on/faqs.md
+++ b/single-sign-on/faqs.md
@@ -39,7 +39,7 @@ You can create a test organization. Companies can set up a new five-seat Busines
 ### Q: Does SAML authentication require additional attributes?
-You must provide an email address as an attribute to authenticate via SAML. The ‘Name’ attribute is currently optional.
+You must provide an email address as an attribute to authenticate through SAML. The ‘Name’ attribute is currently optional.
 ### Q: Does the application recognize the NameID/Unique Identifier in the SAMLResponse Subject?
@@ -111,7 +111,7 @@ You can add a bot account to your IDP and create an access token for it to repla
 ### Q: Does Docker plan to release SAML just in time provisioning?
-Our SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users log in via their domain email on Hub.
+Our SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users log in through their domain email on Hub.
 ### Q: Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
@@ -123,7 +123,7 @@ Yes, generally bot accounts need to be a seat, similar to a regular end user, ha
 ### Q: Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
-Yes, Azure AD is supported with SSO for Docker Business, both via a direct integration and via SAML.
+Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML.
 ## Adding domain and domain verification
@@ -138,7 +138,7 @@ They can do it one time to add it to a connection. If they ever change idPs and
 ### Q: Is adding Domain required to configure SSO? What domains should I be adding? And how do I add it?
-Adding and verifying Domain is required to enable and enforce SSO. Click Add Domain and specify the email domains that are allowed to authenticate via your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
+Adding and verifying Domain is required to enable and enforce SSO. Click Add Domain and specify the email domains that are allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
 ### Q: If users are using their personal email, do they have to convert to using the Org’s domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
@@ -179,7 +179,7 @@ Yes. When SSO is enabled, you can access the Docker CLI through Personal Access
 Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
-### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO via Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
+### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
 If they already have their organization email on their account, then it will be migrated to SSO.
@@ -191,7 +191,7 @@ SSO enforcement will apply to any domain email user, and automatically add that
 Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
-### Q: We have enforced SSO, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login via userid and password. Why is this happening?
+### Q: We have enforced SSO, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
 They can bypass SSO if the email they are using to log in doesn't match the organization email being used when SSO is enforced.
@@ -206,21 +206,21 @@ However, if you **enforce** SSO:
 * Service Account domain email addresses must be unaliased and enabled in their IdP
 * Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
-* Those who know the IdP credentials can sign in as that Service Account via SSO on Hub and create or change the personal access token for that service account.
+* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
 ## Managing users
 ### Q: How do I manage users when using SSO?
-Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
+Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
 ### Q: Do I need to manually add users to my organization?
-No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP and then invite them to your organization using the Invite Member option in Docker Hub.
+No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
 When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
-### Q: Can users in my organization use different email addresses to authenticate via SSO?
+### Q: Can users in my organization use different email addresses to authenticate through SSO?
 During the SSO setup, you’ll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
@@ -269,9 +269,9 @@ Additionally, you can use our APIs to complete this process. Admins in the Owners group in the orgs can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already). -### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link via email? For example, max.mustermann@zeiss.com. +### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email? -Yes, if the user is added via email address to an org, they will receive an email invite. If invited via docker ID as an existing user instead, they'll be added to the organization automatically. We'll be adding a new invite flow in the near future that will require an email invite in this situation as well (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider). +Yes, if the user is added through email address to an org, they will receive an email invite. If invited through docker ID as an existing user instead, they'll be added to the organization automatically. We'll be adding a new invite flow in the near future that will require an email invite in this situation as well (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider). ### Q: Can someone join the organization without an invitation? Is it possible to put specific users to an organization with existing email accounts? 
diff --git a/single-sign-on/index.md b/single-sign-on/index.md
index 57e9e40ac6..05b19c4059 100644
--- a/single-sign-on/index.md
+++ b/single-sign-on/index.md
@@ -3,11 +3,11 @@ description: Single Sign-on keywords: Single Sign-on, SSO, sign-on title: Configure Single Sign-on --- -This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports SAML 2.0 and Azure AD IdPs through Auth0. You can enable SSO on organization's that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}. +This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports SAML 2.0 and Azure AD authentication methods. You can enable SSO on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}. -When SSO is enabled, users are redirected to your provider’s authentication page to authenticate using SSO. They cannot authenticate using their personal login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign into Docker Hub or Docker Desktop to initiate the SSO authentication process. +When SSO is enabled, users are redirected to your provider’s authentication page to log in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign into Docker Hub or Docker Desktop to initiate the SSO authentication process. 
-Before enabling SSO in Docker Hub, administrators must work with their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. +Before enabling SSO in Docker Hub, administrators must configure their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. After establishing the connection between the IdP server and Docker Hub, administrators log into the organization in Docker Hub and complete the SSO enablement process. See the section **Enable SSO in Docker Hub** for detailed instructions. @@ -16,7 +16,7 @@ To enable SSO in Docker Hub, you need the following information from your identi * **SAML 2.0**: Single Sign-On URL and the X.509 signing certificate * **Azure AD**: Client ID (a unique identifier for your registered AD application), Client Secret (a string used to gain access to your registered Azure AD application), and AD Domain details -We currently support enabling SSO on a single organization. However, we do not support single logout. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests. +We currently support enabling SSO on a single organization. However, we do not support single logout. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests. Guests will continue to authenticate through Docker with their Docker login credentials (Docker ID and password). ## Prerequisites 
@@ -145,8 +145,8 @@ To verify ownership of a domain, add a TXT record to your Domain Name System (DN After you’ve completed the SSO configuration process in Docker Hub, you can test the configuration when you log into Docker Hub using an incognito browser. Login using your domain email address and IdP password. You will then get redirected to your identity provider’s login page to authenticate. -1. Authenticate via email instead of using your Docker ID, and test the login process. -2. To authenticate via CLI, your users must have a PAT before you enforce SSO for CLI users. +1. Authenticate through email instead of using your Docker ID, and test the login process. +2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. ## Enforce SSO in Docker Hub @@ -169,9 +169,7 @@ Admins can force users to authenticate with Docker Desktop by provisioning a reg ## Manage users when SSO is enabled -To add a member to your organization: -1. Create an account for your members in your IdP. -2. Add and invite your members to your organization. +You don’t need to add users to your organization in Docker Hub manually. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address. > **Note:** > From 5edae78bdd4d9421f23df34d5169a8e7a8349e28 Mon Sep 17 00:00:00 2001 From: Dovydas Lozys <755086+reduktorius@users.noreply.github.com> Date: Fri, 25 Mar 2022 17:58:00 +0000 Subject: [PATCH 18/18] fixes typos --- language/nodejs/run-containers.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/language/nodejs/run-containers.md b/language/nodejs/run-containers.md index f0ed48a538..c61529050a 100644 --- a/language/nodejs/run-containers.md +++ b/language/nodejs/run-containers.md 
@@ -14,7 +14,7 @@ Work through the steps to build a Node JS image in [Build your Node image](build ## Overview -In the previous module we created our sample application and then we created a Dockerfile that we used to create an image. We created our image using the command `docker build`. Now that we have an image, we can run that image and see if our application is running correctly. +In the previous module we created our sample application and then we created a Dockerfile that we used to create an image. We created our image using the command `docker build`. Now that we have an image, we can run that image and see if our application is running correctly. A container is a normal operating system process except that this process is isolated and has its own file system, its own networking, and its own isolated process tree separate from the host. @@ -162,7 +162,7 @@ ec45285c456d node-docker "docker-entrypoint.s…" 31 minutes ag fb7a41809e5d node-docker "docker-entrypoint.s…" 40 minutes ago Exited (0) 39 minutes ago goofy_khayyam ``` -To remove a container, simple run the `docker rm` command passing the container name. You can pass multiple container names to the command in one command. +To remove a container, simply run the `docker rm` command passing the container name. You can pass multiple container names to the command in one command. Again, make sure you replace the containers names in the below command with the container names from your system. 
@@ -175,7 +175,7 @@ goofy_khayyam Run the `docker ps --all` command again to see that all containers are gone. -Now let’s address the pesky random name issue. Standard practice is to name your containers for the simple reason that it is easier to identify what is running in the container and what application or service it is associated with. Just like good naming conventions for variables in your code makes it simpler to read. So goes naming your containers. +Now let’s address the pesky random name issue. Standard practice is to name your containers for the simple reason that it is easier to identify what is running in the container and what application or service it is associated with. Just like good naming conventions for variables in your code make it simpler to read, so does naming your containers. To name a container, we just need to pass the `--name` flag to the run command.