docker-2025-features

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

🚨 CRITICAL GUIDELINES

🚨 重要指南

Windows File Path Requirements

Windows文件路径要求

MANDATORY: Always Use Backslashes on Windows for File Paths

When using Edit or Write tools on Windows, you MUST use backslashes (

) in file paths, NOT forward slashes (

Examples:

❌ WRONG:
```
D:/repos/project/file.tsx
```
✅ CORRECT:
```
D:\repos\project\file.tsx
```

This applies to:

Edit tool file_path parameter
Write tool file_path parameter
All file operations on Windows systems

强制要求：在Windows系统中始终使用反斜杠表示文件路径

在Windows系统上使用编辑或写入工具时，文件路径必须使用反斜杠（

），而不能使用正斜杠（

）。

示例：

❌ 错误：
```
D:/repos/project/file.tsx
```
✅ 正确：
```
D:\repos\project\file.tsx
```

适用于：

编辑工具的file_path参数
写入工具的file_path参数
Windows系统上的所有文件操作

Documentation Guidelines

文档指南

NEVER create new documentation files unless explicitly requested by the user.

Priority: Update existing README.md files rather than creating new documentation
Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
User preference: Only create additional .md files when user specifically asks for documentation

除非用户明确要求，否则切勿创建新的文档文件。

优先级：优先更新现有README.md文件，而非创建新文档
仓库整洁性：保持仓库根目录整洁 - 除非用户要求，否则仅保留README.md
风格：文档应简洁、直接、专业 - 避免AI生成的冗余语气
用户偏好：仅在用户明确要求文档时，才创建额外的.md文件

Docker 2025 Features

Docker 2025功能介绍

This skill covers the latest Docker features introduced in 2025, ensuring you leverage cutting-edge capabilities for security, performance, and developer experience.

本技能涵盖了2025年推出的Docker最新功能，助您充分利用前沿技术提升安全性、性能和开发者体验。

Docker Engine 28 Features (2025)

Docker Engine 28（2025）功能

1. Image Type Mounts

1. 镜像类型挂载

What it is: Mount an image directory structure directly inside a container without extracting to a volume.

Key capabilities:

Mount image layers as read-only filesystems
Share common data between containers without duplication
Faster startup for data-heavy containers
Reduced disk space usage

How to use:

bash

undefined

功能说明： 无需将镜像提取到卷，即可直接将镜像目录结构挂载到容器内部。

核心能力：

将镜像层挂载为只读文件系统
在容器间共享通用数据，避免重复存储
数据密集型容器启动速度更快
减少磁盘空间占用

使用方法：

bash

undefined

Mount entire image

挂载整个镜像

docker run --rm
--mount type=image,source=mydata:latest,target=/data
alpine ls -la /data

Mount specific path from image

挂载镜像中的特定路径

docker run --rm
--mount type=image,source=mydata:latest,image-subpath=/config,target=/app/config
alpine cat /app/config/settings.json


**Use cases:**
- Read-only configuration distribution
- Shared ML model weights across containers
- Static asset serving
- Immutable data sets for testing

docker run --rm
--mount type=image,source=mydata:latest,image-subpath=/config,target=/app/config
alpine cat /app/config/settings.json


**适用场景：**
- 只读配置分发
- 容器间共享机器学习模型权重
- 静态资源服务
- 测试用不可变数据集

2. Versioned Debug Endpoints

2. 版本化调试端点

What it is: Debug endpoints now accessible through standard versioned API paths.

Previously: Only available at root paths like

/debug/vars

Now: Also accessible at

/v1.48/debug/vars

/v1.48/debug/pprof/*

Available endpoints:

```
/v1.48/debug/vars
```
- Runtime variables
```
/v1.48/debug/pprof/
```
- Profiling index
```
/v1.48/debug/pprof/cmdline
```
- Command line
```
/v1.48/debug/pprof/profile
```
- CPU profile
```
/v1.48/debug/pprof/trace
```
- Execution trace
```
/v1.48/debug/pprof/goroutine
```
- Goroutine stacks

How to use:

bash

undefined

功能说明： 调试端点现在可通过标准版本化API路径访问。

之前： 仅可通过根路径访问，如

/debug/vars

现在： 同时支持通过

/v1.48/debug/vars

、

/v1.48/debug/pprof/*

访问

可用端点：

```
/v1.48/debug/vars
```
- 运行时变量
```
/v1.48/debug/pprof/
```
- 性能分析索引
```
/v1.48/debug/pprof/cmdline
```
- 命令行
```
/v1.48/debug/pprof/profile
```
- CPU性能分析
```
/v1.48/debug/pprof/trace
```
- 执行追踪
```
/v1.48/debug/pprof/goroutine
```
- Goroutine堆栈

使用方法：

bash

undefined

Access debug vars through versioned API

通过版本化API访问调试变量

curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/vars

Get CPU profile

获取CPU性能分析

curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/pprof/profile?seconds=30 > profile.out

undefined

curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/pprof/profile?seconds=30 > profile.out

undefined

3. Component Updates

3. 组件更新

Latest versions in Engine 28.3.3:

Buildx v0.26.1 - Enhanced build performance
Compose v2.40.3 - Latest compose features
BuildKit v0.25.1 - Security improvements
Go runtime 1.24.8 - Performance optimizations

Engine 28.3.3中的最新版本：

Buildx v0.26.1 - 增强构建性能
Compose v2.40.3 - 最新Compose功能
BuildKit v0.25.1 - 安全改进
Go运行时1.24.8 - 性能优化

4. Security Fixes

4. 安全修复

CVE-2025-54388: Fixed firewalld reload issue where published container ports could be accessed from local network even when bound to loopback.

Impact: Critical for containers binding to 127.0.0.1 expecting localhost-only access.

CVE-2025-54388： 修复了firewalld重载时，已发布的容器端口即使绑定到环回地址也可被本地网络访问的问题。

影响： 对于绑定到127.0.0.1并期望仅本地访问的容器而言，此修复至关重要。

5. Deprecations

5. 废弃说明

Raspberry Pi OS 32-bit (armhf):

Docker Engine 28 is the last major version supporting armhf
Starting with Engine 29, no new armhf packages
Migrate to 64-bit OS or use Engine 28.x LTS

Raspberry Pi OS 32位（armhf）：

Docker Engine 28是最后一个支持armhf的主要版本
从Engine 29开始，将不再提供新的armhf包
建议迁移到64位系统或使用Engine 28.x LTS版本

Docker Desktop 4.47 Features (October 2025)

Docker Desktop 4.47（2025年10月）功能

1. MCP Catalog Integration

1. MCP目录集成

What it is: Model Context Protocol (MCP) server catalog with 100+ verified, containerized tools.

Key capabilities:

Discover and search MCP servers
One-click deployment of MCP tools
Integration with Docker AI and Model Runner
Centralized management of AI agent tools

How to access:

Docker Hub MCP Catalog
Docker Desktop MCP Toolkit
Web: https://www.docker.com/mcp-catalog

Use cases:

AI agent tool discovery
Workflow automation
Development environment setup
CI/CD tool integration

功能说明： 模型上下文协议（MCP）服务器目录，包含100+经过验证的容器化工具。

核心能力：

发现和搜索MCP服务器
一键部署MCP工具
与Docker AI和Model Runner集成
集中管理AI Agent工具

访问方式：

Docker Hub MCP目录
Docker Desktop MCP工具包
网页：https://www.docker.com/mcp-catalog

适用场景：

AI Agent工具发现
工作流自动化
开发环境搭建
CI/CD工具集成

2. Model Runner Enhancements

2. Model Runner增强

What's new:

Improved UI for model management
Enhanced inference APIs
Better inference engine performance
Model card inspection in Docker Desktop
```
docker model requests
```
command for monitoring

How to use:

bash

undefined

新增功能：

改进的模型管理UI
增强型推理API
更优的推理引擎性能
Docker Desktop中的模型卡片查看
```
docker model requests
```
命令用于监控

使用方法：

bash

undefined

List running models

列出运行中的模型

docker model ls

View model details (new: model cards)

查看模型详情（新增：模型卡片）

docker model inspect llama2-7b

Monitor requests and responses (NEW)

监控请求和响应（新增）

docker model requests llama2-7b

Performance metrics

性能指标

docker stats $(docker model ls -q)

undefined

docker stats $(docker model ls -q)

undefined

3. Silent Component Updates

3. 静默组件更新

What it is: Docker Desktop automatically updates internal components without requiring full application restart.

Benefits:

Faster security patches
Less disruption to workflow
Automatic Compose, BuildKit, Containerd updates
Background update delivery

Configuration:

Enabled by default
Can be disabled in Settings > General
Notifications for major updates only

功能说明： Docker Desktop会自动更新内部组件，无需重启整个应用程序。

优势：

更快的安全补丁推送
减少工作流中断
自动更新Compose、BuildKit、Containerd
后台交付更新

配置：

默认启用
可在设置>常规中禁用
仅对重大更新发送通知

4. CVE Fixes

4. CVE修复

CVE-2025-10657 (v4.47): Fixed Enhanced Container Isolation Docker Socket command restrictions not working in 4.46.0.

CVE-2025-9074 (v4.46): Fixed malicious container escape allowing Docker Engine access without mounted socket.

CVE-2025-10657（v4.47）： 修复了4.46.0版本中增强型容器隔离的Docker Socket命令限制失效的问题。

CVE-2025-9074（v4.46）： 修复了恶意容器可在未挂载Socket的情况下访问Docker Engine的逃逸漏洞。

Docker Desktop 4.38-4.45 Features

Docker Desktop 4.38-4.45功能

1. Docker AI Assistant (Project Gordon)

1. Docker AI助手（Project Gordon）

What it is: AI-powered assistant integrated into Docker Desktop and CLI for intelligent container development.

Key capabilities:

Natural language command interface
Context-aware troubleshooting
Automated Dockerfile optimization
Real-time best practice recommendations
Intelligent error diagnosis

How to use:

bash

undefined

功能说明： 集成到Docker Desktop和CLI中的AI驱动助手，用于智能容器开发。

核心能力：

自然语言命令界面
上下文感知故障排查
自动Dockerfile优化
实时最佳实践建议
智能错误诊断

使用方法：

bash

undefined

Enable in Docker Desktop Settings > Features > Docker AI (Beta)

在Docker Desktop设置>功能>Docker AI（测试版）中启用

Ask questions in natural language

用自然语言提问

"Optimize my Python Dockerfile" "Why is my container restarting?" "Suggest secure nginx configuration"


**Local Model Runner:**
- Runs AI models directly on your machine (llama.cpp)
- No cloud API dependencies
- Privacy-preserving (data stays local)
- GPU acceleration for performance
- Works offline

"优化我的Python Dockerfile" "为什么我的容器一直在重启？" "建议安全的Nginx配置"


**本地模型运行器：**
- 直接在本地机器运行AI模型（llama.cpp）
- 无云API依赖
- 隐私保护（数据保留在本地）
- GPU加速提升性能
- 支持离线使用

2. Enhanced Container Isolation (ECI)

2. 增强型容器隔离（ECI）

What it is: Additional security layer that restricts Docker socket access and container escape vectors.

Security benefits:

Prevents unauthorized Docker socket access
Restricts container capabilities by default
Blocks common escape techniques
Enforces stricter resource boundaries
Audits container operations

How to enable:

bash

undefined

功能说明： 额外的安全层，限制Docker Socket访问和容器逃逸途径。

安全优势：

防止未经授权的Docker Socket访问
默认限制容器权限
阻止常见逃逸技术
强制执行更严格的资源边界
审计容器操作

启用方法：

bash

undefined

Docker Desktop Settings > Security > Enhanced Container Isolation

Docker Desktop设置>安全>增强型容器隔离

Or via CLI:

或通过CLI：

docker desktop settings set enhancedContainerIsolation=true


**Use cases:**
- Multi-tenant environments
- Security-critical applications
- Compliance requirements (PCI-DSS, HIPAA)
- Zero-trust architectures
- Development environments with untrusted code

**Compatibility:**
- May break containers requiring Docker socket access
- Requires Docker Desktop 4.38+
- Supported on Windows (WSL2), macOS, Linux Desktop

docker desktop settings set enhancedContainerIsolation=true


**适用场景：**
- 多租户环境
- 安全关键型应用
- 合规要求（PCI-DSS、HIPAA）
- 零信任架构
- 包含不受信任代码的开发环境

**兼容性：**
- 可能会导致需要Docker Socket访问的容器无法正常运行
- 需要Docker Desktop 4.38+
- 支持Windows（WSL2）、macOS、Linux桌面

3. Model Runner

What it is: Built-in AI model execution engine allowing developers to run large language models locally.

Features:

Run AI models without cloud services
Optimal GPU acceleration
Privacy-preserving inference
Multiple model format support
Integration with Docker AI

How to use:

bash

undefined

功能说明： 内置AI模型执行引擎，允许开发者在本地运行大语言模型。

特性：

无需云服务即可运行AI模型
优化的GPU加速
隐私保护型推理
支持多种模型格式
与Docker AI集成

使用方法：

bash

undefined

Install via Docker Desktop Extensions

通过Docker Desktop扩展安装

Or use CLI:

或使用CLI：

docker model run llama2-7b

View running models:

查看运行中的模型：

docker model ls

Stop model:

停止模型：

docker model stop MODEL_ID


**Benefits:**
- No API costs
- Complete data privacy
- Offline availability
- Faster inference (local GPU)
- Integration with development workflow

docker model stop MODEL_ID


**优势：**
- 无API成本
- 完全的数据隐私
- 离线可用
- 更快的推理速度（本地GPU）
- 与开发工作流集成

4. Multi-Node Kubernetes Testing

4. 多节点Kubernetes测试

What it is: Test Kubernetes deployments with multi-node clusters directly in Docker Desktop.

Previously: Single-node only Now: 2-5 node clusters for realistic testing

How to enable:

bash

undefined

功能说明： 直接在Docker Desktop中使用多节点集群测试Kubernetes部署。

之前： 仅支持单节点 现在： 支持2-5节点集群，用于真实场景测试

启用方法：

bash

undefined

Docker Desktop Settings > Kubernetes > Enable multi-node

Docker Desktop设置>Kubernetes>启用多节点

Specify node count (2-5)

指定节点数量（2-5）


**Use cases:**
- Test pod scheduling across nodes
- Validate affinity/anti-affinity rules
- Test network policies
- Simulate node failures
- Validate StatefulSets and DaemonSets


**适用场景：**
- 测试跨节点的Pod调度
- 验证亲和性/反亲和性规则
- 测试网络策略
- 模拟节点故障
- 验证StatefulSets和DaemonSets

5. Bake (General Availability)

5. Bake（正式可用）

What it is: High-level build orchestration tool for complex multi-target builds.

Previously: Experimental Now: Generally available and production-ready

Features:

hcl

undefined

功能说明： 用于复杂多目标构建的高级构建编排工具。

之前： 实验性功能 现在： 正式可用，可用于生产环境

特性：

hcl

undefined

docker-bake.hcl

target "app" { context = "." dockerfile = "Dockerfile" tags = ["myapp:latest"] platforms = ["linux/amd64", "linux/arm64"] cache-from = ["type=registry,ref=myapp:cache"] cache-to = ["type=registry,ref=myapp:cache,mode=max"] }

target "test" { inherits = ["app"] target = "test" output = ["type=local,dest=./coverage"] }


```bash

target "test" { inherits = ["app"] target = "test" output = ["type=local,dest=./coverage"] }


```bash

Build all targets

构建所有目标

docker buildx bake

Build specific target

构建特定目标

docker buildx bake test

undefined

docker buildx bake test

undefined

Moby 25 Engine Updates

Moby 25引擎更新

Performance Improvements

性能改进

1. Faster Container Startup:

20-30% faster cold starts
Improved layer extraction
Optimized network initialization

2. Better Resource Management:

More accurate memory accounting
Improved CPU throttling
Better cgroup v2 support

3. Storage Driver Enhancements:

overlay2 performance improvements
Better disk space management
Faster image pulls

1. 更快的容器启动速度：

冷启动速度提升20-30%
改进的层提取
优化的网络初始化

2. 更优的资源管理：

更准确的内存统计
改进的CPU限流
更好的cgroup v2支持

3. 存储驱动增强：

overlay2性能改进
更优的磁盘空间管理
更快的镜像拉取

Security Updates

安全更新

1. Enhanced Seccomp Profiles:

json

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

2. Improved AppArmor Integration:

Better Docker profile generation
Reduced false positives
Enhanced logging

3. User Namespace Improvements:

Easier configuration
Better compatibility
Performance optimizations

1. 增强型Seccomp配置文件：

json

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

2. 改进的AppArmor集成：

更优的Docker配置文件生成
减少误报
增强的日志记录

3. 用户命名空间改进：

更简单的配置
更好的兼容性
性能优化

Docker Compose v2.40.3+ Features (2025)

Docker Compose v2.40.3+（2025）功能

Compose Bridge (Convert to Kubernetes)

Compose Bridge（转换为Kubernetes）

What it is: Convert local compose.yaml files to Kubernetes manifests in a single command.

Key capabilities:

Automatic conversion of Compose services to Kubernetes Deployments
Service-to-Service mapping
Volume conversion to PersistentVolumeClaims
ConfigMap and Secret generation
Ingress configuration

How to use:

bash

undefined

功能说明： 通过单一命令将本地compose.yaml文件转换为Kubernetes清单。

核心能力：

自动将Compose服务转换为Kubernetes Deployments
服务到服务的映射
将卷转换为PersistentVolumeClaims
生成ConfigMap和Secret
Ingress配置

使用方法：

bash

undefined

Convert compose file to Kubernetes manifests

将Compose文件转换为Kubernetes清单

docker compose convert --format kubernetes > k8s-manifests.yaml

Or use compose-bridge directly

或直接使用compose-bridge

docker compose-bridge convert docker-compose.yml

Apply to Kubernetes cluster

应用到Kubernetes集群

kubectl apply -f k8s-manifests.yaml


**Example conversion:**
```yaml

kubectl apply -f k8s-manifests.yaml


**转换示例：**
```yaml

docker-compose.yml

services: web: image: nginx:latest ports: - "80:80" volumes: - data:/usr/share/nginx/html

volumes: data:

services: web: image: nginx:latest ports: - "80:80" volumes: - data:/usr/share/nginx/html

volumes: data:

Converts to Kubernetes:

转换为Kubernetes资源：

- Deployment for 'web' service

- 'web'服务的Deployment

- Service exposing port 80

- 暴露80端口的Service

- PersistentVolumeClaim for 'data'

- 'data'对应的PersistentVolumeClaim


**Use cases:**
- Local development to Kubernetes migration
- Testing Kubernetes deployments locally
- CI/CD pipeline conversion
- Multi-environment deployment strategies


**适用场景：**
- 从本地开发迁移到Kubernetes
- 本地测试Kubernetes部署
- CI/CD流水线转换
- 多环境部署策略

Breaking Changes

重大变更

1. Version Field Obsolete:

yaml

undefined

1. Version字段已废弃：

yaml

undefined

OLD (deprecated):

旧版（已废弃）：

version: '3.8' services: app: image: nginx

NEW (2025):

新版（2025）：

services: app: image: nginx


The `version` field is now ignored and can be omitted.

services: app: image: nginx


`version`字段现在会被忽略，可省略。

New Features

新增功能

1. Develop Watch with initial_sync:

yaml

services:
  app:
    build: .
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
          initial_sync: full  # NEW: Sync all files on start

2. Volume Type: Image:

yaml

services:
  app:
    volumes:
      - type: image
        source: mydata:latest
        target: /data
        read_only: true

3. Build Print:

bash

undefined

1. Develop Watch with initial_sync：

yaml

services:
  app:
    build: .
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
          initial_sync: full  # 新增：启动时同步所有文件

2. 卷类型：Image：

yaml

services:
  app:
    volumes:
      - type: image
        source: mydata:latest
        target: /data
        read_only: true

3. Build Print：

bash

undefined

Debug complex build configurations

调试复杂构建配置

docker compose build --print > build-config.json


**4. Config No-Env-Resolution:**
```bash

docker compose build --print > build-config.json


**4. Config No-Env-Resolution：**
```bash

View raw config without environment variable substitution

查看未替换环境变量的原始配置

docker compose config --no-env-resolution


**5. Watch with Prune:**
```bash

docker compose config --no-env-resolution


**5. Watch with Prune：**
```bash

Automatically prune unused resources during watch

在watch期间自动清理未使用的资源

docker compose watch --prune


**6. Run with Quiet:**
```bash

docker compose watch --prune


**6. Run with Quiet：**
```bash

Reduce output noise

减少输出噪音

docker compose run --quiet app npm test

undefined

docker compose run --quiet app npm test

undefined

BuildKit Updates (2025)

BuildKit更新（2025）

New Features

新增功能

1. Git SHA-256 Support:

dockerfile

undefined

1. Git SHA-256支持：

dockerfile

undefined

Use SHA-256 based repositories

使用基于SHA-256的仓库

ADD https://github.com/user/repo#sha256:abc123... /src


**2. Enhanced COPY/ADD --exclude:**
```dockerfile

ADD https://github.com/user/repo#sha256:abc123... /src


**2. 增强型COPY/ADD --exclude：**
```dockerfile

Now generally available (was labs-only)

现在正式可用（之前仅实验室版本支持）

COPY --exclude=.test.js --exclude=.md . /app


**3. ADD --unpack with --chown:**
```dockerfile

COPY --exclude=.test.js --exclude=.md . /app


**3. ADD --unpack with --chown：**
```dockerfile

Extract and set ownership in one step

一步完成解压和权限设置

ADD --unpack=true --chown=appuser:appgroup archive.tar.gz /app


**4. Git Query Parameters:**
```dockerfile

ADD --unpack=true --chown=appuser:appgroup archive.tar.gz /app


**4. Git查询参数：**
```dockerfile

Fine-grained Git clone control

细粒度控制Git克隆

ADD https://github.com/user/repo.git?depth=1&branch=main /src


**5. Image Checksum Verification:**
```dockerfile

ADD https://github.com/user/repo.git?depth=1&branch=main /src


**5. 镜像校验和验证：**
```dockerfile

Verify image integrity

验证镜像完整性

FROM alpine:3.19@sha256:abc123...

BuildKit verifies checksum automatically

BuildKit会自动验证校验和

undefined

undefined

Security Enhancements

安全增强

1. Improved Frontend Verification:

dockerfile

undefined

1. 改进的前端验证：

dockerfile

undefined

Always use official Docker frontends

始终使用官方Docker前端

syntax=docker/dockerfile:1

Pin with digest for maximum security

使用摘要固定版本以获得最高安全性

syntax=docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021


**2. Remote Cache Improvements:**
- Fixed concurrency issues
- Better loop handling
- Enhanced security


**2. 远程缓存改进：**
- 修复并发问题
- 更好的循环处理
- 增强的安全性

Best Practices for 2025 Features

2025功能最佳实践

Using Docker AI Effectively

有效使用Docker AI

DO:

Provide specific context in queries
Verify AI-generated configurations
Combine with traditional security tools
Use for learning and exploration

DON'T:

Trust AI blindly for security-critical apps
Skip manual code review
Ignore security scan results
Use in air-gapped environments without Model Runner

建议：

在查询中提供具体上下文
验证AI生成的配置
与传统安全工具结合使用
用于学习和探索

不建议：

对安全关键型应用盲目信任AI
跳过手动代码审查
忽略安全扫描结果
在无Model Runner的离线环境中使用

Enhanced Container Isolation

增强型容器隔离

DO:

Enable for security-sensitive workloads
Test containers for compatibility first
Document socket access requirements
Use with least privilege principles

DON'T:

Enable without testing existing containers
Disable without understanding risks
Grant socket access unnecessarily
Ignore audit logs

建议：

对安全敏感型工作负载启用
先测试容器兼容性
记录Socket访问需求
遵循最小权限原则

不建议：

未测试现有容器就启用
不了解风险就禁用
不必要地授予Socket访问权限
忽略审计日志

Modern Compose Files

现代Compose文件

DO:

Remove version field from new compose files
Use new features (volume type: image, watch improvements)
Leverage --print for debugging
Adopt --quiet for cleaner CI/CD output

DON'T:

Keep version field (it's ignored anyway)
Rely on deprecated syntax
Skip testing with Compose v2.40+
Use outdated documentation

建议：

从新的Compose文件中移除version字段
使用新功能（卷类型：image、watch改进）
利用--print进行调试
采用--quiet获得更简洁的CI/CD输出

不建议：

保留version字段（已被忽略）
依赖已废弃的语法
跳过与Compose v2.40+的测试
使用过时的文档

Migration Guide

迁移指南

Updating to Docker Desktop 4.38+

升级到Docker Desktop 4.38+

1. Backup existing configurations:

bash

undefined

1. 备份现有配置：

bash

undefined

Export current settings

导出当前设置

docker context export desktop-linux > backup.tar


**2. Update Docker Desktop:**
- Download latest from docker.com
- Run installer
- Restart machine if required

**3. Enable new features:**
```bash

docker context export desktop-linux > backup.tar


**2. 更新Docker Desktop：**
- 从docker.com下载最新版本
- 运行安装程序
- 如有需要，重启机器

**3. 启用新功能：**
```bash

Enable AI Assistant (beta)

启用AI助手（测试版）

docker desktop settings set enableAI=true

Enable Enhanced Container Isolation

启用增强型容器隔离

docker desktop settings set enhancedContainerIsolation=true


**4. Test existing containers:**
```bash

docker desktop settings set enhancedContainerIsolation=true


**4. 测试现有容器：**
```bash

Verify containers work with ECI

验证容器在ECI下正常运行

docker compose up -d docker compose ps docker compose logs

undefined

docker compose up -d docker compose ps docker compose logs

undefined

Updating Compose Files

更新Compose文件

Before:

yaml

version: '3.8'

services:
  app:
    image: nginx:latest
    volumes:
      - data:/data

volumes:
  data:

After:

yaml

services:
  app:
    image: nginx:1.26.0  # Specific version
    volumes:
      - data:/data
    develop:
      watch:
        - action: sync
          path: ./config
          target: /etc/nginx/conf.d
          initial_sync: full

volumes:
  data:
    driver: local

更新前：

yaml

version: '3.8'

services:
  app:
    image: nginx:latest
    volumes:
      - data:/data

volumes:
  data:

更新后：

yaml

services:
  app:
    image: nginx:1.26.0  # 指定具体版本
    volumes:
      - data:/data
    develop:
      watch:
        - action: sync
          path: ./config
          target: /etc/nginx/conf.d
          initial_sync: full

volumes:
  data:
    driver: local

Troubleshooting 2025 Features

2025功能故障排查

Docker AI Issues

Docker AI问题

Problem: AI Assistant not responding Solution:

bash

undefined

问题： AI助手无响应 解决方案：

bash

undefined

Check Docker Desktop version

检查Docker Desktop版本

docker version

Ensure beta features enabled

确保测试版功能已启用

docker desktop settings get enableAI

Restart Docker Desktop

重启Docker Desktop


**Problem:** Model Runner slow
**Solution:**
- Update GPU drivers
- Increase Docker Desktop memory (Settings > Resources)
- Close other GPU-intensive applications
- Use smaller models for faster inference


**问题：** Model Runner运行缓慢
**解决方案：**
- 更新GPU驱动
- 增加Docker Desktop内存（设置>资源）
- 关闭其他GPU密集型应用
- 使用更小的模型以获得更快的推理速度

Enhanced Container Isolation Issues

增强型容器隔离问题

Problem: Container fails with socket permission error Solution:

bash

undefined

问题： 容器因Socket权限错误失败 解决方案：

bash

undefined

Identify socket dependencies

识别Socket依赖

docker inspect CONTAINER | grep -i socket

If truly needed, add socket access explicitly

若确实需要，显式添加Socket访问

(Document why in docker-compose.yml comments)

（在docker-compose.yml注释中说明原因）

docker run -v /var/run/docker.sock:/var/run/docker.sock ...


**Problem:** ECI breaks CI/CD pipeline
**Solution:**
- Disable ECI temporarily: `docker desktop settings set enhancedContainerIsolation=false`
- Review which containers need socket access
- Refactor to eliminate socket dependencies
- Re-enable ECI with exceptions documented

docker run -v /var/run/docker.sock:/var/run/docker.sock ...


**问题：** ECI破坏CI/CD流水线
**解决方案：**
- 临时禁用ECI：`docker desktop settings set enhancedContainerIsolation=false`
- 检查哪些容器需要Socket访问
- 重构以消除Socket依赖
- 记录例外情况后重新启用ECI

Compose v2.40 Issues

Compose v2.40问题

Problem: "version field is obsolete" warning Solution:

yaml

undefined

问题： 出现“version field is obsolete”警告 解决方案：

yaml

undefined

Simply remove the version field

只需移除version字段

OLD:

旧版：

version: '3.8' services: ...

NEW:

新版：

services: ...


**Problem:** watch with initial_sync fails
**Solution:**
```bash

services: ...


**问题：** watch with initial_sync失败
**解决方案：**
```bash

Check file permissions

检查文件权限

ls -la ./src

Ensure paths are correct

确保路径正确

docker compose config | grep -A 5 watch

Verify sync target exists in container

验证同步目标在容器中存在

docker compose exec app ls -la /app/src

undefined

docker compose exec app ls -la /app/src

undefined