Docker 2025新特性详解：镜像类型挂载、版本化调试端点与安全更新

docker-2025-features by josiahsiegel/claude-plugin-marketplace

88 周安装量

23 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/josiahsiegel/claude-plugin-marketplace --skill docker-2025-features

开发运维容器编排 Docker

🇨🇳中文介绍

🚨 关键准则

Windows 文件路径要求

强制要求：在 Windows 上始终对文件路径使用反斜杠

在 Windows 上使用 Edit 或 Write 工具时，必须在文件路径中使用反斜杠 (\)，而不是正斜杠 (/)。

示例：

❌ 错误：D:/repos/project/file.tsx
✅ 正确：D:\repos\project\file.tsx

这适用于：

Edit 工具的 file_path 参数
Write 工具的 file_path 参数
Windows 系统上的所有文件操作

文档编写准则

除非用户明确要求，否则切勿创建新的文档文件。

优先级：更新现有的 README.md 文件，而不是创建新的文档
仓库整洁性：保持仓库根目录整洁 - 除非用户另有要求，否则只保留 README.md
风格：文档应简洁、直接且专业 - 避免 AI 生成的语气

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Docker 2025 新特性

此技能涵盖了 2025 年引入的最新 Docker 特性，确保您能利用尖端功能提升安全性、性能和开发体验。

Docker Engine 28 特性 (2025)

1. 镜像类型挂载

功能描述： 将镜像目录结构直接挂载到容器内部，无需提取到卷。

将镜像层挂载为只读文件系统
在容器间共享通用数据，避免重复
加快数据密集型容器的启动速度
减少磁盘空间使用

# 挂载整个镜像
docker run --rm \
  --mount type=image,source=mydata:latest,target=/data \
  alpine ls -la /data

# 从镜像挂载特定路径
docker run --rm \
  --mount type=image,source=mydata:latest,image-subpath=/config,target=/app/config \
  alpine cat /app/config/settings.json

只读配置分发
跨容器共享 ML 模型权重
静态资源服务
用于测试的不可变数据集

2. 版本化调试端点

功能描述： 调试端点现在可通过标准版本化 API 路径访问。

之前： 仅可通过根路径访问，如 /debug/vars 现在： 也可通过 /v1.48/debug/vars、/v1.48/debug/pprof/* 访问

/v1.48/debug/vars - 运行时变量
/v1.48/debug/pprof/ - 性能分析索引
/v1.48/debug/pprof/cmdline - 命令行
/v1.48/debug/pprof/profile - CPU 性能分析
/v1.48/debug/pprof/trace - 执行跟踪
/v1.48/debug/pprof/goroutine - Goroutine 堆栈

# 通过版本化 API 访问调试变量
curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/vars

# 获取 CPU 性能分析数据
curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/pprof/profile?seconds=30 > profile.out

Engine 28.3.3 中的最新版本：

Buildx v0.26.1 - 增强的构建性能
Compose v2.40.3 - 最新的 Compose 特性
BuildKit v0.25.1 - 安全性改进
Go runtime 1.24.8 - 性能优化

CVE-2025-54388： 修复了 firewalld 重载问题，该问题导致即使容器端口绑定到回环地址，仍可能从本地网络访问已发布的容器端口。

影响： 对于绑定到 127.0.0.1 并期望仅限本地主机访问的容器至关重要。

Raspberry Pi OS 32 位 (armhf)：

Docker Engine 28 是支持 armhf 的最后一个主要版本
从 Engine 29 开始，不再提供新的 armhf 软件包
迁移到 64 位操作系统或使用 Engine 28.x LTS

Docker Desktop 4.47 特性 (2025 年 10 月)

功能描述： 模型上下文协议 (MCP) 服务器目录，包含 100 多个经过验证的容器化工具。

发现和搜索 MCP 服务器
一键部署 MCP 工具
与 Docker AI 和 Model Runner 集成
集中管理 AI 代理工具

Docker Hub MCP 目录
Docker Desktop MCP 工具包
网页：https://www.docker.com/mcp-catalog

AI 代理工具发现
工作流自动化
开发环境设置
CI/CD 工具集成

2. Model Runner 增强功能

改进的模型管理界面
增强的推理 API
更好的推理引擎性能
Docker Desktop 中的模型卡片检查
用于监控的 docker model requests 命令

# 列出正在运行的模型
docker model ls

# 查看模型详情 (新增：模型卡片)
docker model inspect llama2-7b

# 监控请求和响应 (新增)
docker model requests llama2-7b

# 性能指标
docker stats $(docker model ls -q)

3. 静默组件更新

功能描述： Docker Desktop 自动更新内部组件，无需完全重启应用程序。

更快的安全补丁应用
对工作流的干扰更少
自动更新 Compose、BuildKit、Containerd
后台更新交付

默认启用
可在设置 > 通用中禁用
仅针对重大更新发送通知

CVE-2025-10657 (v4.47)： 修复了在 4.46.0 版本中，增强容器隔离的 Docker Socket 命令限制不起作用的问题。

CVE-2025-9074 (v4.46)： 修复了恶意容器逃逸漏洞，该漏洞允许在未挂载 socket 的情况下访问 Docker Engine。

Docker Desktop 4.38-4.45 特性

1. Docker AI 助手 (Project Gordon)

功能描述： 集成到 Docker Desktop 和 CLI 中的 AI 驱动助手，用于智能容器开发。

自然语言命令界面
上下文感知的故障排除
自动化的 Dockerfile 优化
实时最佳实践建议
智能错误诊断

# 在 Docker Desktop 设置 > 功能 > Docker AI (Beta) 中启用

# 用自然语言提问
"优化我的 Python Dockerfile"
"为什么我的容器在重启？"
"建议安全的 nginx 配置"

本地模型运行器：

直接在您的机器上运行 AI 模型 (llama.cpp)
无需依赖云 API
保护隐私 (数据保留在本地)
GPU 加速提升性能
支持离线工作

2. 增强容器隔离 (ECI)

功能描述： 额外的安全层，用于限制 Docker socket 访问和容器逃逸途径。

防止未经授权的 Docker socket 访问
默认限制容器能力
阻止常见的逃逸技术
强制执行更严格的资源边界
审计容器操作

# Docker Desktop 设置 > 安全 > 增强容器隔离
# 或通过 CLI：
docker desktop settings set enhancedContainerIsolation=true

多租户环境
安全关键型应用程序
合规性要求 (PCI-DSS、HIPAA)
零信任架构
包含不受信任代码的开发环境

可能会破坏需要 Docker socket 访问的容器
需要 Docker Desktop 4.38+
支持 Windows (WSL2)、macOS、Linux Desktop

功能描述： 内置的 AI 模型执行引擎，允许开发者在本地运行大型语言模型。

无需云服务即可运行 AI 模型
优化的 GPU 加速
保护隐私的推理
支持多种模型格式
与 Docker AI 集成

# 通过 Docker Desktop 扩展安装
# 或使用 CLI：
docker model run llama2-7b

# 查看正在运行的模型：
docker model ls

# 停止模型：
docker model stop MODEL_ID

无 API 成本
完全的数据隐私
离线可用性
更快的推理速度 (本地 GPU)
与开发工作流集成

4. 多节点 Kubernetes 测试

功能描述： 直接在 Docker Desktop 中使用多节点集群测试 Kubernetes 部署。

之前： 仅限单节点 现在： 2-5 节点集群，用于更真实的测试

# Docker Desktop 设置 > Kubernetes > 启用多节点
# 指定节点数量 (2-5)

跨节点测试 Pod 调度
验证亲和性/反亲和性规则
测试网络策略
模拟节点故障
验证 StatefulSets 和 DaemonSets

5. Bake (正式发布)

功能描述： 用于复杂多目标构建的高级构建编排工具。

之前： 实验性功能 现在： 正式发布，可用于生产环境

# docker-bake.hcl
target "app" {
  context = "."
  dockerfile = "Dockerfile"
  tags = ["myapp:latest"]
  platforms = ["linux/amd64", "linux/arm64"]
  cache-from = ["type=registry,ref=myapp:cache"]
  cache-to = ["type=registry,ref=myapp:cache,mode=max"]
}

target "test" {
  inherits = ["app"]
  target = "test"
  output = ["type=local,dest=./coverage"]
}



# 构建所有目标
docker buildx bake

# 构建特定目标
docker buildx bake test

Moby 25 引擎更新

1. 更快的容器启动：

冷启动速度提升 20-30%
改进的层提取
优化的网络初始化

2. 更好的资源管理：

更准确的内存统计
改进的 CPU 限制
更好的 cgroup v2 支持

3. 存储驱动增强：

overlay2 性能改进
更好的磁盘空间管理
更快的镜像拉取

1. 增强的 Seccomp 配置文件：

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

2. 改进的 AppArmor 集成：

更好的 Docker 配置文件生成
减少误报
增强的日志记录

3. 用户命名空间改进：

更简单的配置
更好的兼容性
性能优化

Docker Compose v2.40.3+ 特性 (2025)

Compose Bridge (转换为 Kubernetes)

功能描述： 通过单个命令将本地的 compose.yaml 文件转换为 Kubernetes 清单文件。

自动将 Compose 服务转换为 Kubernetes 部署
服务到服务映射
卷转换为 PersistentVolumeClaims
生成 ConfigMap 和 Secret
Ingress 配置

# 将 Compose 文件转换为 Kubernetes 清单
docker compose convert --format kubernetes > k8s-manifests.yaml

# 或直接使用 compose-bridge
docker compose-bridge convert docker-compose.yml

# 应用到 Kubernetes 集群
kubectl apply -f k8s-manifests.yaml

# docker-compose.yml
services:
  web:
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - data:/usr/share/nginx/html

volumes:
  data:

# 转换为 Kubernetes：
# - 'web' 服务的 Deployment
# - 暴露端口 80 的 Service
# - 'data' 的 PersistentVolumeClaim

从本地开发迁移到 Kubernetes
在本地测试 Kubernetes 部署
CI/CD 流水线转换
多环境部署策略

1. 版本字段已过时：

# 旧 (已弃用)：
version: '3.8'
services:
  app:
    image: nginx

# 新 (2025)：
services:
  app:
    image: nginx

version 字段现在会被忽略，可以省略。

1. Develop Watch 支持 initial_sync：

services:
  app:
    build: .
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
          initial_sync: full  # 新增：启动时同步所有文件

2. Volume 类型：Image：

services:
  app:
    volumes:
      - type: image
        source: mydata:latest
        target: /data
        read_only: true

3. Build Print：

# 调试复杂的构建配置
docker compose build --print > build-config.json

4. Config No-Env-Resolution：

# 查看原始配置，不进行环境变量替换
docker compose config --no-env-resolution

5. Watch with Prune：

# 在 watch 期间自动清理未使用的资源
docker compose watch --prune

6. Run with Quiet：

# 减少输出噪音
docker compose run --quiet app npm test

BuildKit 更新 (2025)

1. Git SHA-256 支持：

# 使用基于 SHA-256 的仓库
ADD https://github.com/user/repo#sha256:abc123... /src

2. 增强的 COPY/ADD --exclude：

# 现已正式可用 (之前仅为实验室功能)
COPY --exclude=*.test.js --exclude=*.md . /app

3. ADD --unpack 支持 --chown：

# 一步完成解压和设置所有权
ADD --unpack=true --chown=appuser:appgroup archive.tar.gz /app

4. Git 查询参数：

# 细粒度 Git 克隆控制
ADD https://github.com/user/repo.git?depth=1&branch=main /src

5. 镜像校验和验证：

# 验证镜像完整性
FROM alpine:3.19@sha256:abc123...
# BuildKit 自动验证校验和

1. 改进的前端验证：

# 始终使用官方的 Docker 前端
# syntax=docker/dockerfile:1

# 使用摘要固定以获得最大安全性
# syntax=docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021

2. 远程缓存改进：

修复了并发问题
更好的循环处理
增强的安全性

2025 特性的最佳实践

有效使用 Docker AI

在查询中提供具体上下文
验证 AI 生成的配置
与传统安全工具结合使用
用于学习和探索

盲目信任 AI 处理安全关键型应用
跳过手动代码审查
忽略安全扫描结果
在没有 Model Runner 的隔离环境中使用

为安全敏感的工作负载启用
首先测试容器的兼容性
记录 socket 访问需求
遵循最小权限原则使用

未测试现有容器就启用
在不了解风险的情况下禁用
不必要地授予 socket 访问权限
忽略审计日志

现代 Compose 文件

从新的 compose 文件中移除 version 字段
使用新特性 (volume type: image, watch 改进)
利用 --print 进行调试
采用 --quiet 以获得更干净的 CI/CD 输出

保留 version 字段 (反正会被忽略)
依赖已弃用的语法
跳过使用 Compose v2.40+ 进行测试
使用过时的文档

升级到 Docker Desktop 4.38+

1. 备份现有配置：

# 导出当前设置
docker context export desktop-linux > backup.tar

2. 更新 Docker Desktop：

从 docker.com 下载最新版本
运行安装程序
如果需要，重启机器

3. 启用新特性：

# 启用 AI 助手 (beta)
docker desktop settings set enableAI=true

# 启用增强容器隔离
docker desktop settings set enhancedContainerIsolation=true

4. 测试现有容器：

# 验证容器在 ECI 下正常工作
docker compose up -d
docker compose ps
docker compose logs

更新 Compose 文件

version: '3.8'

services:
  app:
    image: nginx:latest
    volumes:
      - data:/data

volumes:
  data:

services:
  app:
    image: nginx:1.26.0  # 指定版本
    volumes:
      - data:/data
    develop:
      watch:
        - action: sync
          path: ./config
          target: /etc/nginx/conf.d
          initial_sync: full

volumes:
  data:
    driver: local

2025 特性故障排除

问题： AI 助手无响应 解决方案：

# 检查 Docker Desktop 版本
docker version

# 确保启用了 beta 功能
docker desktop settings get enableAI

# 重启 Docker Desktop

问题： Model Runner 运行缓慢 解决方案：

更新 GPU 驱动程序
增加 Docker Desktop 内存 (设置 > 资源)
关闭其他 GPU 密集型应用程序
使用更小的模型以获得更快的推理速度

增强容器隔离问题

问题： 容器因 socket 权限错误而失败 解决方案：

# 识别 socket 依赖
docker inspect CONTAINER | grep -i socket

# 如果确实需要，显式添加 socket 访问权限
# (在 docker-compose.yml 注释中记录原因)
docker run -v /var/run/docker.sock:/var/run/docker.sock ...

问题： ECI 破坏了 CI/CD 流水线 解决方案：

临时禁用 ECI：docker desktop settings set enhancedContainerIsolation=false
审查哪些容器需要 socket 访问
重构以消除 socket 依赖
重新启用 ECI 并记录例外情况

Compose v2.40 问题

问题： "version field is obsolete" 警告 解决方案：

# 直接移除 version 字段
# 旧：
version: '3.8'
services: ...

# 新：
services: ...

问题： 带有 initial_sync 的 watch 失败 解决方案：

# 检查文件权限
ls -la ./src

# 确保路径正确
docker compose config | grep -A 5 watch

# 验证同步目标在容器中存在
docker compose exec app ls -la /app/src

🇺🇸English

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

MANDATORY: Always Use Backslashes on Windows for File Paths

When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).

Examples:

❌ WRONG: D:/repos/project/file.tsx
✅ CORRECT: D:\repos\project\file.tsx

This applies to:

Edit tool file_path parameter
Write tool file_path parameter
All file operations on Windows systems

Documentation Guidelines

NEVER create new documentation files unless explicitly requested by the user.

Priority : Update existing README.md files rather than creating new documentation
Repository cleanliness : Keep repository root clean - only README.md unless user requests otherwise
Style : Documentation should be concise, direct, and professional - avoid AI-generated tone
User preference : Only create additional .md files when user specifically asks for documentation

Docker 2025 Features

This skill covers the latest Docker features introduced in 2025, ensuring you leverage cutting-edge capabilities for security, performance, and developer experience.

Docker Engine 28 Features (2025)

1. Image Type Mounts

What it is: Mount an image directory structure directly inside a container without extracting to a volume.

Key capabilities:

Mount image layers as read-only filesystems
Share common data between containers without duplication
Faster startup for data-heavy containers
Reduced disk space usage

How to use:

# Mount entire image
docker run --rm \
  --mount type=image,source=mydata:latest,target=/data \
  alpine ls -la /data

# Mount specific path from image
docker run --rm \
  --mount type=image,source=mydata:latest,image-subpath=/config,target=/app/config \
  alpine cat /app/config/settings.json

Use cases:

Read-only configuration distribution
Shared ML model weights across containers
Static asset serving
Immutable data sets for testing

2. Versioned Debug Endpoints

What it is: Debug endpoints now accessible through standard versioned API paths.

Previously: Only available at root paths like /debug/vars Now: Also accessible at /v1.48/debug/vars, /v1.48/debug/pprof/*

Available endpoints:

/v1.48/debug/vars - Runtime variables
/v1.48/debug/pprof/ - Profiling index
/v1.48/debug/pprof/cmdline - Command line
/v1.48/debug/pprof/profile - CPU profile
/v1.48/debug/pprof/trace - Execution trace
/v1.48/debug/pprof/goroutine - Goroutine stacks

How to use:

# Access debug vars through versioned API
curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/vars

# Get CPU profile
curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/pprof/profile?seconds=30 > profile.out

3. Component Updates

Latest versions in Engine 28.3.3:

Buildx v0.26.1 - Enhanced build performance
Compose v2.40.3 - Latest compose features
BuildKit v0.25.1 - Security improvements
Go runtime 1.24.8 - Performance optimizations

4. Security Fixes

CVE-2025-54388: Fixed firewalld reload issue where published container ports could be accessed from local network even when bound to loopback.

Impact: Critical for containers binding to 127.0.0.1 expecting localhost-only access.

5. Deprecations

Raspberry Pi OS 32-bit (armhf):

Docker Engine 28 is the last major version supporting armhf
Starting with Engine 29, no new armhf packages
Migrate to 64-bit OS or use Engine 28.x LTS

Docker Desktop 4.47 Features (October 2025)

1. MCP Catalog Integration

What it is: Model Context Protocol (MCP) server catalog with 100+ verified, containerized tools.

Key capabilities:

Discover and search MCP servers
One-click deployment of MCP tools
Integration with Docker AI and Model Runner
Centralized management of AI agent tools

How to access:

Docker Hub MCP Catalog
Docker Desktop MCP Toolkit
Web: https://www.docker.com/mcp-catalog

Use cases:

AI agent tool discovery
Workflow automation
Development environment setup
CI/CD tool integration

2. Model Runner Enhancements

What's new:

Improved UI for model management
Enhanced inference APIs
Better inference engine performance
Model card inspection in Docker Desktop
docker model requests command for monitoring

How to use:

# List running models
docker model ls

# View model details (new: model cards)
docker model inspect llama2-7b

# Monitor requests and responses (NEW)
docker model requests llama2-7b

# Performance metrics
docker stats $(docker model ls -q)

3. Silent Component Updates

What it is: Docker Desktop automatically updates internal components without requiring full application restart.

Benefits:

Faster security patches
Less disruption to workflow
Automatic Compose, BuildKit, Containerd updates
Background update delivery

Configuration:

Enabled by default
Can be disabled in Settings > General
Notifications for major updates only

4. CVE Fixes

CVE-2025-10657 (v4.47): Fixed Enhanced Container Isolation Docker Socket command restrictions not working in 4.46.0.

CVE-2025-9074 (v4.46): Fixed malicious container escape allowing Docker Engine access without mounted socket.

Docker Desktop 4.38-4.45 Features

1. Docker AI Assistant (Project Gordon)

What it is: AI-powered assistant integrated into Docker Desktop and CLI for intelligent container development.

Key capabilities:

Natural language command interface
Context-aware troubleshooting
Automated Dockerfile optimization
Real-time best practice recommendations
Intelligent error diagnosis

How to use:

# Enable in Docker Desktop Settings > Features > Docker AI (Beta)

# Ask questions in natural language
"Optimize my Python Dockerfile"
"Why is my container restarting?"
"Suggest secure nginx configuration"

Local Model Runner:

Runs AI models directly on your machine (llama.cpp)
No cloud API dependencies
Privacy-preserving (data stays local)
GPU acceleration for performance
Works offline

2. Enhanced Container Isolation (ECI)

What it is: Additional security layer that restricts Docker socket access and container escape vectors.

Security benefits:

Prevents unauthorized Docker socket access
Restricts container capabilities by default
Blocks common escape techniques
Enforces stricter resource boundaries
Audits container operations

How to enable:

# Docker Desktop Settings > Security > Enhanced Container Isolation
# Or via CLI:
docker desktop settings set enhancedContainerIsolation=true

Use cases:

Multi-tenant environments
Security-critical applications
Compliance requirements (PCI-DSS, HIPAA)
Zero-trust architectures
Development environments with untrusted code

Compatibility:

May break containers requiring Docker socket access
Requires Docker Desktop 4.38+
Supported on Windows (WSL2), macOS, Linux Desktop

3. Model Runner

What it is: Built-in AI model execution engine allowing developers to run large language models locally.

Features:

Run AI models without cloud services
Optimal GPU acceleration
Privacy-preserving inference
Multiple model format support
Integration with Docker AI

How to use:

# Install via Docker Desktop Extensions
# Or use CLI:
docker model run llama2-7b

# View running models:
docker model ls

# Stop model:
docker model stop MODEL_ID

Benefits:

No API costs
Complete data privacy
Offline availability
Faster inference (local GPU)
Integration with development workflow

4. Multi-Node Kubernetes Testing

What it is: Test Kubernetes deployments with multi-node clusters directly in Docker Desktop.

Previously: Single-node only Now: 2-5 node clusters for realistic testing

How to enable:

# Docker Desktop Settings > Kubernetes > Enable multi-node
# Specify node count (2-5)

Use cases:

Test pod scheduling across nodes
Validate affinity/anti-affinity rules
Test network policies
Simulate node failures
Validate StatefulSets and DaemonSets

5. Bake (General Availability)

What it is: High-level build orchestration tool for complex multi-target builds.

Previously: Experimental Now: Generally available and production-ready

Features:

# docker-bake.hcl
target "app" {
  context = "."
  dockerfile = "Dockerfile"
  tags = ["myapp:latest"]
  platforms = ["linux/amd64", "linux/arm64"]
  cache-from = ["type=registry,ref=myapp:cache"]
  cache-to = ["type=registry,ref=myapp:cache,mode=max"]
}

target "test" {
  inherits = ["app"]
  target = "test"
  output = ["type=local,dest=./coverage"]
}



# Build all targets
docker buildx bake

# Build specific target
docker buildx bake test

Moby 25 Engine Updates

Performance Improvements

1. Faster Container Startup:

20-30% faster cold starts
Improved layer extraction
Optimized network initialization

2. Better Resource Management:

More accurate memory accounting
Improved CPU throttling
Better cgroup v2 support

3. Storage Driver Enhancements:

overlay2 performance improvements
Better disk space management
Faster image pulls

Security Updates

1. Enhanced Seccomp Profiles:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

2. Improved AppArmor Integration:

Better Docker profile generation
Reduced false positives
Enhanced logging

3. User Namespace Improvements:

Easier configuration
Better compatibility
Performance optimizations

Docker Compose v2.40.3+ Features (2025)

Compose Bridge (Convert to Kubernetes)

What it is: Convert local compose.yaml files to Kubernetes manifests in a single command.

Key capabilities:

Automatic conversion of Compose services to Kubernetes Deployments
Service-to-Service mapping
Volume conversion to PersistentVolumeClaims
ConfigMap and Secret generation
Ingress configuration

How to use:

# Convert compose file to Kubernetes manifests
docker compose convert --format kubernetes > k8s-manifests.yaml

# Or use compose-bridge directly
docker compose-bridge convert docker-compose.yml

# Apply to Kubernetes cluster
kubectl apply -f k8s-manifests.yaml

Example conversion:

# docker-compose.yml
services:
  web:
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - data:/usr/share/nginx/html

volumes:
  data:

# Converts to Kubernetes:
# - Deployment for 'web' service
# - Service exposing port 80
# - PersistentVolumeClaim for 'data'

Use cases:

Local development to Kubernetes migration
Testing Kubernetes deployments locally
CI/CD pipeline conversion
Multi-environment deployment strategies

Breaking Changes

1. Version Field Obsolete:

# OLD (deprecated):
version: '3.8'
services:
  app:
    image: nginx

# NEW (2025):
services:
  app:
    image: nginx

The version field is now ignored and can be omitted.

New Features

1. Develop Watch with initial_sync:

services:
  app:
    build: .
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
          initial_sync: full  # NEW: Sync all files on start

2. Volume Type: Image:

services:
  app:
    volumes:
      - type: image
        source: mydata:latest
        target: /data
        read_only: true

3. Build Print:

# Debug complex build configurations
docker compose build --print > build-config.json

4. Config No-Env-Resolution:

# View raw config without environment variable substitution
docker compose config --no-env-resolution

5. Watch with Prune:

# Automatically prune unused resources during watch
docker compose watch --prune

6. Run with Quiet:

# Reduce output noise
docker compose run --quiet app npm test

BuildKit Updates (2025)

New Features

1. Git SHA-256 Support:

# Use SHA-256 based repositories
ADD https://github.com/user/repo#sha256:abc123... /src

2. Enhanced COPY/ADD --exclude:

# Now generally available (was labs-only)
COPY --exclude=*.test.js --exclude=*.md . /app

3. ADD --unpack with --chown:

# Extract and set ownership in one step
ADD --unpack=true --chown=appuser:appgroup archive.tar.gz /app

4. Git Query Parameters:

# Fine-grained Git clone control
ADD https://github.com/user/repo.git?depth=1&branch=main /src

5. Image Checksum Verification:

# Verify image integrity
FROM alpine:3.19@sha256:abc123...
# BuildKit verifies checksum automatically

Security Enhancements

1. Improved Frontend Verification:

# Always use official Docker frontends
# syntax=docker/dockerfile:1

# Pin with digest for maximum security
# syntax=docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021

2. Remote Cache Improvements:

Fixed concurrency issues
Better loop handling
Enhanced security

Best Practices for 2025 Features

Using Docker AI Effectively

DO:

Provide specific context in queries
Verify AI-generated configurations
Combine with traditional security tools
Use for learning and exploration

DON'T:

Trust AI blindly for security-critical apps
Skip manual code review
Ignore security scan results
Use in air-gapped environments without Model Runner

Enhanced Container Isolation

DO:

Enable for security-sensitive workloads
Test containers for compatibility first
Document socket access requirements
Use with least privilege principles

DON'T:

Enable without testing existing containers
Disable without understanding risks
Grant socket access unnecessarily
Ignore audit logs

Modern Compose Files

DO:

Remove version field from new compose files
Use new features (volume type: image, watch improvements)
Leverage --print for debugging
Adopt --quiet for cleaner CI/CD output

DON'T:

Keep version field (it's ignored anyway)
Rely on deprecated syntax
Skip testing with Compose v2.40+
Use outdated documentation

Migration Guide

Updating to Docker Desktop 4.38+

1. Backup existing configurations:

# Export current settings
docker context export desktop-linux > backup.tar

2. Update Docker Desktop:

Download latest from docker.com
Run installer
Restart machine if required

3. Enable new features:

# Enable AI Assistant (beta)
docker desktop settings set enableAI=true

# Enable Enhanced Container Isolation
docker desktop settings set enhancedContainerIsolation=true

4. Test existing containers:

# Verify containers work with ECI
docker compose up -d
docker compose ps
docker compose logs

Updating Compose Files

Before:

version: '3.8'

services:
  app:
    image: nginx:latest
    volumes:
      - data:/data

volumes:
  data:

After:

services:
  app:
    image: nginx:1.26.0  # Specific version
    volumes:
      - data:/data
    develop:
      watch:
        - action: sync
          path: ./config
          target: /etc/nginx/conf.d
          initial_sync: full

volumes:
  data:
    driver: local

Troubleshooting 2025 Features

Docker AI Issues

Problem: AI Assistant not responding Solution:

# Check Docker Desktop version
docker version

# Ensure beta features enabled
docker desktop settings get enableAI

# Restart Docker Desktop

Problem: Model Runner slow Solution:

Update GPU drivers
Increase Docker Desktop memory (Settings > Resources)
Close other GPU-intensive applications
Use smaller models for faster inference

Enhanced Container Isolation Issues

Problem: Container fails with socket permission error Solution:

# Identify socket dependencies
docker inspect CONTAINER | grep -i socket

# If truly needed, add socket access explicitly
# (Document why in docker-compose.yml comments)
docker run -v /var/run/docker.sock:/var/run/docker.sock ...

Problem: ECI breaks CI/CD pipeline Solution:

Disable ECI temporarily: docker desktop settings set enhancedContainerIsolation=false
Review which containers need socket access
Refactor to eliminate socket dependencies
Re-enable ECI with exceptions documented

Compose v2.40 Issues

Problem: "version field is obsolete" warning Solution:

# Simply remove the version field
# OLD:
version: '3.8'
services: ...

# NEW:
services: ...

Problem: watch with initial_sync fails Solution:

# Check file permissions
ls -la ./src

# Ensure paths are correct
docker compose config | grep -A 5 watch

# Verify sync target exists in container
docker compose exec app ls -la /app/src

Recommended Feature Adoption Timeline

Immediate (Production-Ready):

Bake for complex builds
Compose v2.40 features (remove version field)
Moby 25 engine (via regular Docker updates)
BuildKit improvements (automatic)

Testing (Beta but Stable):

Docker AI for development workflows
Model Runner for local AI testing
Multi-node Kubernetes for pre-production

Evaluation (Security-Critical):

Enhanced Container Isolation (test thoroughly)
ECI with existing production containers
Socket access elimination strategies

This skill ensures you stay current with Docker's 2025 evolution while maintaining stability, security, and production-readiness.

Weekly Installs

Repository

josiahsiegel/cl…ketplace

GitHub Stars

First Seen

Jan 23, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

claude-code64

opencode64

gemini-cli62

codex60

cursor57

github-copilot54

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

104,900 周安装

Docker 2025新特性详解：镜像类型挂载、版本化调试端点与安全更新

🇨🇳中文介绍

🚨 关键准则

Windows 文件路径要求

文档编写准则

相关 Skills

Docker 2025 新特性

Docker Engine 28 特性 (2025)

1. 镜像类型挂载

2. 版本化调试端点

3. 组件更新

4. 安全修复

5. 弃用项

Docker Desktop 4.47 特性 (2025 年 10 月)

1. MCP 目录集成

2. Model Runner 增强功能

3. 静默组件更新

4. CVE 修复

Docker Desktop 4.38-4.45 特性

1. Docker AI 助手 (Project Gordon)

2. 增强容器隔离 (ECI)

3. Model Runner

4. 多节点 Kubernetes 测试

5. Bake (正式发布)

Moby 25 引擎更新

性能改进

安全更新

Docker Compose v2.40.3+ 特性 (2025)

Compose Bridge (转换为 Kubernetes)

破坏性变更

新特性

BuildKit 更新 (2025)

新特性

安全增强

2025 特性的最佳实践

有效使用 Docker AI

增强容器隔离

现代 Compose 文件

迁移指南

升级到 Docker Desktop 4.38+

更新 Compose 文件

2025 特性故障排除

Docker AI 问题

增强容器隔离问题

Compose v2.40 问题

推荐特性采用时间线

🇺🇸English

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

Documentation Guidelines

Docker 2025 Features

Docker Engine 28 Features (2025)

1. Image Type Mounts

2. Versioned Debug Endpoints

3. Component Updates

4. Security Fixes

5. Deprecations

Docker Desktop 4.47 Features (October 2025)

1. MCP Catalog Integration

2. Model Runner Enhancements

3. Silent Component Updates

4. CVE Fixes

Docker Desktop 4.38-4.45 Features

1. Docker AI Assistant (Project Gordon)

2. Enhanced Container Isolation (ECI)

3. Model Runner

4. Multi-Node Kubernetes Testing

5. Bake (General Availability)

Moby 25 Engine Updates

Performance Improvements

Security Updates

Docker Compose v2.40.3+ Features (2025)

Compose Bridge (Convert to Kubernetes)

Breaking Changes

New Features

BuildKit Updates (2025)

New Features

Security Enhancements

Best Practices for 2025 Features

Using Docker AI Effectively