Billing workflow and details for the Gordon plan subscription layer. As a
fast follow, a PR that links between the Gordon usage docs and billing docs
will be added. This is an interim update until the subscription section
overhaul is underway, where Gordon + DHI Select will have their own docs
pages.
The Circle CI build_push and build_cache jobs in the Build Cloud CI
docs used a truncated $DOCKER_ variable in the docker login command,
which expands to empty and breaks authentication. Use $DOCKER_ACCOUNT
to match the rest of the file.
Fixes #25214
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Clone mode fails on \\wsl.localhost\... paths because Git's dubious
ownership check makes sbx's repo detection fail. Add a troubleshooting
section with the safe.directory workaround.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Description
Removed DHI new label. The product is over 1 year old now.
## Related issues or tickets
## Reviews
- [ ] Editorial review
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
The AI governance docs moved from /ai/sandboxes/security/governance/ to
/ai/sandboxes/governance/. Update the reference on the manage-licenses
page to point at the new org policy page.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary
An audit of docker-agent review comments across recent merged PRs surfaced two
recurring false positives, both traced to their source:
- The bot's prompt (`.github/workflows/pr-review.yml`) instructed it to flag
  lines over 80 characters, but no such rule exists — markdownlint MD013 is
  disabled and STYLE.md never mentions it. The bot itself conceded this
  mid-review on a past PR. Removed the instruction.
- STYLE.md's word list banned "enable" yet used it in a ✅ example, so the bot
  flagged every "enable"/"disable" as a violation. Added a note clarifying that
  "turn on/off" is for UI toggles while "enable/disable" is fine in general
  prose.
## Learnings
- The docker-agent PR reviewer is driven by the `additional-prompt` block in
  `.github/workflows/pr-review.yml` (via `docker/cagent-action`), plus
  `STYLE.md` and `COMPONENTS.md` loaded as prompt files. That prompt — not just
  the style guides — is the source of truth for what the bot flags, so review
  noise can be tuned there directly.
Generated by Claude Code
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary
Adds a troubleshooting entry explaining why filesystem operations (e.g.
`git status`) can be slow in direct-mode workspaces, and documents the
`DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=1` opt-in to enable virtiofs
caching.
Generated by Claude Code
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This PR adds two new migration example guides under
`content/manuals/dhi/migration/examples/` for migrating applications to
Docker Hardened Images (DHI):
- **.NET** (`dotnet.md`)
- **Java** (`java.md`)
Both guides follow the exact same structure as the existing Go, Python,
and Node.js examples, with five Dockerfile variations each:
- Before (Ubuntu)
- Before (Wolfi)
- Before (DOI)
- After (multi-stage) — recommended
- After (single-stage)
The .NET guide uses `dhi.io/dotnet-sdk` for build and
`dhi.io/dotnet-aspnet` for runtime. The Java guide uses `dhi.io/maven`
for build and `dhi.io/eclipse-temurin` for runtime.
The `_index.md` grid is updated to surface both new examples on the
Migration examples landing page.
### Checklist
- [x] Followed the existing format and front-matter conventions
- [x] Used DHI images available in the public DHI catalog
(`dhi.io/dotnet-sdk`, `dhi.io/dotnet-aspnet`, `dhi.io/maven`,
`dhi.io/eclipse-temurin`)
- [x] Updated the examples landing page (`_index.md`)
---------
Co-authored-by: sunnynagavo <sunnynagavo@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Santhosh Reddy Vootukuri (SUNNY) <nagavo@microsoft.com>
Co-authored-by: Craig Osterhout <craig.osterhout@docker.com>
## Description
Step 3 of the push guide listed "Verify the image on Docker Hub" with no
instructions, leaving the workflow incomplete. Added a short prose
explanation directing users to navigate to their repository's **Tags**
tab on Docker Hub to confirm the push succeeded.
## Related issues or tickets
Closes #25004
## Reviews
- [ ] Technical review
- [ ] Editorial review
- [ ] Product review
Adds a Security section to the Docker Desktop release notes documenting
CVE-2026-8936, a VM panic caused by unbounded recursion in the
`grpcfuse` kernel module.
The CNI networking section claimed CNI was "not yet" available in the
default BuildKit image. A built-in bridge network provider with bundled
CNI plugins has shipped since BuildKit v0.13.0 (moby/buildkit#4352), so
the claim is outdated.
Document the bridge mode (--oci-worker-net=bridge) that needs no custom
image, and keep the custom-image path under a "Custom CNI configuration"
subheading. Follow-up to moby/buildkit#6817.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Problem
The labeler workflow has been silently skipping labels on some PRs. The
runs show up as `cancelled` rather than `success`.
Root cause is the concurrency config:
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```
The workflow triggers on `pull_request_target`, and for that event
`github.ref` resolves to the **base branch** (`refs/heads/main`), not
the PR head ref. So every labeler run across **all** open PRs lands in
the same concurrency group (`labeler-refs/heads/main`), and
`cancel-in-progress: true` kills whichever run is in flight as soon as
another PR triggers the workflow.
When several PRs are created or updated within seconds of each other,
the earlier runs get cancelled before they finish labeling. Example from
recent runs:
- `sbx-policy-recipes` (cancelled) ← cancelled by `remove-api-header`
(success) seconds later
- `sbx-linux-keychain` (cancelled) ← cancelled by `storage-drivers`
(success) seconds later
## Fix
Key the concurrency group on the PR number instead, falling back to
`github.ref` for non-PR contexts, so each PR gets its own group and runs
no longer cancel each other.
```yaml
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
```
> [!NOTE]
> A separate, rarer class of labeler failures (genuine `failure` status)
> was caused by transient GitHub infrastructure errors downloading the
> pinned action tarball at the "Set up job" step. Those are not addressed
> here as they only need a re-run.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
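To make the cancellation behaviour described above concrete, here is an added simulation (not code from the docs repo or from GitHub) of how `cancel-in-progress: true` resolves concurrency groups under the old `github.ref` key and the corrected `github.event.pull_request.number || github.ref` key. It mirrors the two expressions on the page; the PR numbers, timestamps and the assumed run duration are constructed sample values, and the run names are the ones quoted above.

```python
"""Model GitHub Actions concurrency-group cancellation for a labeler workflow.

Added example, not the docs repository's code. Event timings, PR numbers and the
assumed run length are constructed; the run names come from the PR description.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RunEvent:
    name: str              # label for the run (head branch of the PR, or "push")
    t: int                 # seconds at which the run starts (constructed)
    event: str             # GitHub event name
    ref: str               # what github.ref resolves to for that event
    pr_number: Optional[int] = None  # github.event.pull_request.number, if any


def group_key_by_ref(workflow: str, ev: RunEvent) -> str:
    """Old key: ${{ github.workflow }}-${{ github.ref }}.

    For pull_request_target, github.ref is the base branch, so every PR maps to
    the same group.
    """
    return f"{workflow}-{ev.ref}"


def group_key_by_pr(workflow: str, ev: RunEvent) -> str:
    """Fixed key: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}.

    The `||` falls back to github.ref when there is no pull_request payload
    (for example a push to main).
    """
    return f"{workflow}-{ev.pr_number if ev.pr_number else ev.ref}"


def simulate(events: List[RunEvent],
             key_fn: Callable[[str, RunEvent], str],
             workflow: str = "labeler",
             run_seconds: int = 30,
             cancel_in_progress: bool = True) -> Dict[str, str]:
    """Return {run name: 'success' | 'cancelled'}.

    A run is assumed to take `run_seconds`; if a newer run lands in the same
    group while an older one is still in flight, the older one is cancelled.
    """
    in_flight: Dict[str, Tuple[str, int]] = {}  # group -> (run name, start)
    status: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.t):
        group = key_fn(workflow, ev)
        if cancel_in_progress and group in in_flight:
            older_name, older_start = in_flight[group]
            if ev.t < older_start + run_seconds:   # still running: gets cancelled
                status[older_name] = "cancelled"
        in_flight[group] = (ev.name, ev.t)
        status[ev.name] = "success"               # until something cancels it
    return status


def sample_events() -> List[RunEvent]:
    """Constructed sequence: PRs arriving seconds apart, then a push to main."""
    base = "refs/heads/main"
    return [
        RunEvent("sbx-policy-recipes", 0, "pull_request_target", base, pr_number=1001),
        RunEvent("remove-api-header", 5, "pull_request_target", base, pr_number=1002),
        RunEvent("sbx-linux-keychain", 60, "pull_request_target", base, pr_number=1003),
        RunEvent("storage-drivers", 65, "pull_request_target", base, pr_number=1004),
        RunEvent("push-main", 200, "push", base),  # no PR payload: exercises the fallback
    ]


if __name__ == "__main__":
    for label, fn in (("github.ref", group_key_by_ref), ("pr number || ref", group_key_by_pr)):
        print(f"group keyed on {label}:")
        for name, outcome in simulate(sample_events(), fn).items():
            print(f"  {name:20} {outcome}")
```

Run as-is and the `github.ref` keying reproduces the pattern quoted in the PR description (`sbx-policy-recipes` and `sbx-linux-keychain` cancelled, their successors successful), while the PR-number keying leaves every run successful and still gives the push event a sensible group of its own.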
The PR-review bot's prompt instructed it to flag lines over 80 characters,
but no such rule exists in the repo (markdownlint MD013 is disabled and
STYLE.md never mentions it). Remove that instruction from pr-review.yml.
Also clarify the STYLE.md word list so "turn on/off" applies to UI toggles
while "enable/disable" stays acceptable in general prose, matching STYLE.md's
own example. This stops the bot from flagging every "enable" as a violation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The `-u` flag was missing from the login command syntax, so the command would
prompt for a username and password but the login attempt would never succeed.
## Description
I added `-u` to the login command syntax, which was missing from the
instruction and creating confusion because it was not complete.
## Related issues or tickets
## Reviews
- [ ] Technical review
- [ ] Editorial review
- [ ] Product review
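Two of the fixes above concern the same command: the CircleCI jobs whose truncated `$DOCKER_` variable expanded to empty and broke authentication, and the push guide whose login command lacked `-u`. As an added example (not code from the docs repo or from any Docker CI configuration), the following shell snippet builds the login command so that it fails fast when a required variable is empty rather than prompting interactively, and passes the password on stdin instead of on the command line. `DOCKER_ACCOUNT` and `DOCKER_PASSWORD` are assumed variable names; `docker login -u` and `--password-stdin` are real Docker CLI options.

```shell
#!/bin/sh
# Added example, not the docs repository's own code. Variable names are assumed.
# Goal: never let `docker login` see an empty username, which is what happens
# when a CI variable name is truncated and silently expands to nothing.

# require_var NAME: return non-zero with a message if $NAME is unset or empty.
require_var() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "error: required variable $1 is unset or empty" >&2
    return 1
  fi
}

# docker_login_cmd: print the command a CI step should run. The account is
# passed explicitly with -u and the password is read from stdin, so it does
# not appear in process listings or job logs.
docker_login_cmd() {
  require_var DOCKER_ACCOUNT || return 1
  require_var DOCKER_PASSWORD || return 1
  printf 'printf %%s "$DOCKER_PASSWORD" | docker login -u %s --password-stdin\n' \
    "$DOCKER_ACCOUNT"
}

# Usage in a CI step (uncomment to actually log in):
#   cmd=$(docker_login_cmd) || exit 1
#   eval "$cmd"
```

In a CI job, a misspelled or truncated variable now stops the step with a clear message naming the variable, instead of an authentication failure several lines later.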
The opening note framed the page only as background information without
explaining what the page actually documents. Clarify that it describes the
classic storage drivers, while pointing containerd image store users to the
relevant operational guidance.
Closes #25093
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Kit-defined network rules (allowedDomains/deniedDomains) are ignored when
organization governance is active, since only org rules are evaluated. This
wasn't documented anywhere. Add an IMPORTANT callout in the kit
"Control network access" section and extend the governance precedence section
to account for kit rules.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary
Restructures the Docker AI Governance documentation under
`/ai/sandboxes/governance/` and adds the supporting API reference.
Preview links:
- https://deploy-preview-25162--docsdocker.netlify.app/ai/sandboxes/governance/
- https://deploy-preview-25162--docsdocker.netlify.app/reference/api/ai-governance/
### Information architecture
The existing `security/governance` and `security/policy` pages are
merged into a new top-level `governance` section so local-policy and
org-policy sit side by side instead of being split across unrelated
parents:
- `/ai/sandboxes/governance/` — section landing; explains local + org
  as layered enforcement
- `/ai/sandboxes/governance/concepts/` — resource model, rule syntax,
  evaluation, precedence
- `/ai/sandboxes/governance/local/` — `sbx policy` CLI for
  individual machines
- `/ai/sandboxes/governance/org/` — Admin Console flow (was
  `security/governance.md`)
- `/ai/sandboxes/governance/monitoring/` — `sbx policy ls` / `sbx policy log`
### API reference
`/reference/api/ai-governance/` renders the Governance OpenAPI spec
vendored at `content/reference/api/ai-governance/api.yaml` from
`docker/governor-services`. Operations, schemas, examples, and status
codes are fully driven by the spec — future updates land via re-vendor,
not in-repo edits. Anything wrong in the rendered reference should be
fixed upstream and re-vendored here.
The spec has been re-vendored to the latest upstream version, which
updated the server URL to `hub.docker.com/v2` and added the
`/governance/` prefix to all API paths.
### Review focus
1. The `/ai/sandboxes/governance/` landing — does the local + org
   framing match how the product is positioned?
2. `/reference/api/ai-governance/` — does the rendered spec match the
   source of truth, and is anything important missing?
Generated by Claude Code
---------
Co-authored-by: Louis-Arnaud <la.catoire@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The experimental notice on CLI reference pages was being produced by
running a Hugo shortcode through markdownify. The shortcode template
embeds the icon partial, and the recent migration to multi-line
Heroicons SVGs (commit ee71c80562) pushed the inner SVG path to a
4-space indent inside the expanded HTML. markdownify then re-parsed
that HTML as Markdown and treated the indented lines (the SVG path
plus the trailing </span> and <strong>Experimental</strong>) as a
fenced code block, which is what users see on docs.docker.com.
Replace the markdownify+shortcode round-trip with the rendered HTML
inline, matching the styling of the experimental shortcode but with
no Markdown re-parse.
Fixes #25215