🚨 CRITICAL GUIDELINES
Windows File Path Requirements
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).
Examples:
- ❌ WRONG: D:/repos/project/file.tsx
- ✅ CORRECT: D:\repos\project\file.tsx
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
Documentation Guidelines
NEVER create new documentation files unless explicitly requested by the user.
- Priority: Update existing README.md files rather than creating new documentation
- Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
- Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
- User preference: Only create additional .md files when user specifically asks for documentation
Docker 2025 Features
This skill covers the latest Docker features introduced in 2025, ensuring you leverage cutting-edge capabilities for security, performance, and developer experience.
Docker Engine 28 Features (2025)
1. Image Type Mounts
What it is: Mount an image directory structure directly inside a container without extracting to a volume.
Key capabilities:
- Mount image layers as read-only filesystems
- Share common data between containers without duplication
- Faster startup for data-heavy containers
- Reduced disk space usage
How to use:
```bash
# Mount entire image
docker run --rm \
  --mount type=image,source=mydata:latest,target=/data \
  alpine ls -la /data

# Mount specific path from image
docker run --rm \
  --mount type=image,source=mydata:latest,image-subpath=/config,target=/app/config \
  alpine cat /app/config/settings.json
```
Use cases:
- Read-only configuration distribution
- Shared ML model weights across containers
- Static asset serving
- Immutable data sets for testing
2. Versioned Debug Endpoints
What it is: Debug endpoints now accessible through standard versioned API paths.
Previously: Only available at root paths like /debug/vars
Now: Also accessible at /v1.48/debug/vars, /v1.48/debug/pprof/*
Available endpoints:
- /v1.48/debug/vars - Runtime variables
- /v1.48/debug/pprof/ - Profiling index
- /v1.48/debug/pprof/cmdline - Command line
- /v1.48/debug/pprof/profile - CPU profile
- /v1.48/debug/pprof/trace - Execution trace
- /v1.48/debug/pprof/goroutine - Goroutine stacks
How to use:
```bash
# Access debug vars through versioned API
curl --unix-socket /var/run/docker.sock http://localhost/v1.48/debug/vars

# Get CPU profile
curl --unix-socket /var/run/docker.sock \
  "http://localhost/v1.48/debug/pprof/profile?seconds=30" > profile.out
```
3. Component Updates
Latest versions in Engine 28.3.3:
- Buildx v0.26.1 - Enhanced build performance
- Compose v2.40.3 - Latest compose features
- BuildKit v0.25.1 - Security improvements
- Go runtime 1.24.8 - Performance optimizations
4. Security Fixes
CVE-2025-54388: Fixed firewalld reload issue where published container ports could be accessed from local network even when bound to loopback.
Impact: Critical for containers binding to 127.0.0.1 expecting localhost-only access.
5. Deprecations
Raspberry Pi OS 32-bit (armhf):
- Docker Engine 28 is the last major version supporting armhf
- Starting with Engine 29, no new armhf packages
- Migrate to 64-bit OS or use Engine 28.x LTS
Docker Desktop 4.47 Features (October 2025)
1. MCP Catalog Integration
What it is: Model Context Protocol (MCP) server catalog with 100+ verified, containerized tools.
Key capabilities:
- Discover and search MCP servers
- One-click deployment of MCP tools
- Integration with Docker AI and Model Runner
- Centralized management of AI agent tools
How to access:
- Docker Hub MCP Catalog
- Docker Desktop MCP Toolkit
- Web: https://www.docker.com/mcp-catalog
Use cases:
- AI agent tool discovery
- Workflow automation
- Development environment setup
- CI/CD tool integration
2. Model Runner Enhancements
What's new:
- Improved UI for model management
- Enhanced inference APIs
- Better inference engine performance
- Model card inspection in Docker Desktop
- docker model requests command for monitoring
How to use:
```bash
# List running models
docker model ls

# View model details (new: model cards)
docker model inspect llama2-7b

# Monitor requests and responses (NEW)
docker model requests llama2-7b

# Performance metrics
docker stats $(docker model ls -q)
```
3. Silent Component Updates
What it is: Docker Desktop automatically updates internal components without requiring full application restart.
Benefits:
- Faster security patches
- Less disruption to workflow
- Automatic Compose, BuildKit, Containerd updates
- Background update delivery
Configuration:
- Enabled by default
- Can be disabled in Settings > General
- Notifications for major updates only
4. CVE Fixes
CVE-2025-10657 (v4.47): Fixed Enhanced Container Isolation Docker Socket command restrictions not working in 4.46.0.
CVE-2025-9074 (v4.46): Fixed malicious container escape allowing Docker Engine access without mounted socket.
Docker Desktop 4.38-4.45 Features
1. Docker AI Assistant (Project Gordon)
What it is: AI-powered assistant integrated into Docker Desktop and CLI for intelligent container development.
Key capabilities:
- Natural language command interface
- Context-aware troubleshooting
- Automated Dockerfile optimization
- Real-time best practice recommendations
- Intelligent error diagnosis
How to use:
```bash
# Enable in Docker Desktop Settings > Features > Docker AI (Beta)

# Ask questions in natural language
"Optimize my Python Dockerfile"
"Why is my container restarting?"
"Suggest secure nginx configuration"
```
Local Model Runner:
- Runs AI models directly on your machine (llama.cpp)
- No cloud API dependencies
- Privacy-preserving (data stays local)
- GPU acceleration for performance
- Works offline
2. Enhanced Container Isolation (ECI)
What it is: Additional security layer that restricts Docker socket access and container escape vectors.
Security benefits:
- Prevents unauthorized Docker socket access
- Restricts container capabilities by default
- Blocks common escape techniques
- Enforces stricter resource boundaries
- Audits container operations
How to enable:
```bash
# Docker Desktop Settings > Security > Enhanced Container Isolation
# Or via CLI:
docker desktop settings set enhancedContainerIsolation=true
```
Use cases:
- Multi-tenant environments
- Security-critical applications
- Compliance requirements (PCI-DSS, HIPAA)
- Zero-trust architectures
- Development environments with untrusted code
Compatibility:
- May break containers requiring Docker socket access
- Requires Docker Desktop 4.38+
- Supported on Windows (WSL2), macOS, Linux Desktop
3. Model Runner
What it is: Built-in AI model execution engine allowing developers to run large language models locally.
Features:
- Run AI models without cloud services
- Optimal GPU acceleration
- Privacy-preserving inference
- Multiple model format support
- Integration with Docker AI
How to use:
```bash
# Install via Docker Desktop Extensions
# Or use CLI:
docker model run llama2-7b

# View running models:
docker model ls

# Stop model:
docker model stop MODEL_ID
```
Benefits:
- No API costs
- Complete data privacy
- Offline availability
- Faster inference (local GPU)
- Integration with development workflow
4. Multi-Node Kubernetes Testing
What it is: Test Kubernetes deployments with multi-node clusters directly in Docker Desktop.
Previously: Single-node only
Now: 2-5 node clusters for realistic testing
How to enable:
```bash
# Docker Desktop Settings > Kubernetes > Enable multi-node
# Specify node count (2-5)
```
Use cases:
- Test pod scheduling across nodes
- Validate affinity/anti-affinity rules
- Test network policies
- Simulate node failures
- Validate StatefulSets and DaemonSets
5. Bake (General Availability)
What it is: High-level build orchestration tool for complex multi-target builds.
Previously: Experimental
Now: Generally available and production-ready
Features:
```hcl
# docker-bake.hcl
target "app" {
  context    = "."
  dockerfile = "Dockerfile"
  tags       = ["myapp:latest"]
  platforms  = ["linux/amd64", "linux/arm64"]
  cache-from = ["type=registry,ref=myapp:cache"]
  cache-to   = ["type=registry,ref=myapp:cache,mode=max"]
}

target "test" {
  inherits = ["app"]
  target   = "test"
  output   = ["type=local,dest=./coverage"]
}
```

```bash
# Build all targets
docker buildx bake

# Build specific target
docker buildx bake test
```
Moby 25 Engine Updates
Performance Improvements
1. Faster Container Startup:
- 20-30% faster cold starts
- Improved layer extraction
- Optimized network initialization
2. Better Resource Management:
- More accurate memory accounting
- Improved CPU throttling
- Better cgroup v2 support
3. Storage Driver Enhancements:
- overlay2 performance improvements
- Better disk space management
- Faster image pulls
Security Updates
1. Enhanced Seccomp Profiles:
```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
```
2. Improved AppArmor Integration:
- Better Docker profile generation
- Reduced false positives
- Enhanced logging
3. User Namespace Improvements:
- Easier configuration
- Better compatibility
- Performance optimizations
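The minimal seccomp profile above is a useful shape to study, but a practitioner will want to check a real profile before shipping it: is it an allowlist (defaultAction denies), does it list architectures, and does it let through syscalls that reach the kernel, namespaces or other processes? The following added example (not Docker's code, not from the original page) evaluates a profile in Docker's JSON format with a simplified resolver that takes the first rule naming a syscall as authoritative and ignores the args/includes/excludes conditions that full Docker profiles use; the profile and the set of sensitive syscalls are constructed here for illustration.

```python
import json

# Constructed sample input: the page's minimal profile in Docker's JSON format.
MINIMAL_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {"names": ["read", "write", "exit"], "action": "SCMP_ACT_ALLOW"}
  ]
}
""")

# A selection of syscalls that Docker's default profile denies or restricts
# because they alter kernel state, namespaces or other processes.
SENSITIVE_SYSCALLS = {"mount", "umount2", "ptrace", "unshare", "setns",
                      "keyctl", "bpf", "kexec_load", "init_module",
                      "finit_module", "reboot", "open_by_handle_at"}

def syscall_action(profile: dict, name: str) -> str:
    """Resolve the action the profile applies to one syscall name.

    Simplification: the first rule naming the syscall wins; otherwise
    defaultAction applies. Conditional rules (args, includes) are ignored."""
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]

def audit_profile(profile: dict) -> list[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        findings.append("defaultAction is SCMP_ACT_ALLOW: profile is a denylist, "
                        "so syscalls added in newer kernels are allowed by default")
    if "architectures" not in profile:
        findings.append("no architectures listed: rules may not apply on every host")
    allowed = sorted(s for s in SENSITIVE_SYSCALLS
                     if syscall_action(profile, s) == "SCMP_ACT_ALLOW")
    if allowed:
        findings.append("sensitive syscalls allowed: " + ", ".join(allowed))
    return findings

if __name__ == "__main__":
    for line in audit_profile(MINIMAL_PROFILE) or ["no findings"]:
        print(line)
```

Replace MINIMAL_PROFILE with `json.load(open("profile.json"))` to audit the file you pass to `docker run --security-opt seccomp=profile.json`.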
Docker Compose v2.40.3+ Features (2025)
Compose Bridge (Convert to Kubernetes)
What it is: Convert local compose.yaml files to Kubernetes manifests in a single command.
Key capabilities:
- Automatic conversion of Compose services to Kubernetes Deployments
- Service-to-Service mapping
- Volume conversion to PersistentVolumeClaims
- ConfigMap and Secret generation
- Ingress configuration
How to use:
```bash
# Convert compose file to Kubernetes manifests
docker compose convert --format kubernetes > k8s-manifests.yaml

# Or use compose-bridge directly
docker compose-bridge convert docker-compose.yml

# Apply to Kubernetes cluster
kubectl apply -f k8s-manifests.yaml
```
Example conversion:
```yaml
# docker-compose.yml
services:
  web:
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - data:/usr/share/nginx/html
volumes:
  data:

# Converts to Kubernetes:
# - Deployment for 'web' service
# - Service exposing port 80
# - PersistentVolumeClaim for 'data'
```
Use cases:
- Local development to Kubernetes migration
- Testing Kubernetes deployments locally
- CI/CD pipeline conversion
- Multi-environment deployment strategies
Breaking Changes
1. Version Field Obsolete:
```yaml
# OLD (deprecated):
version: '3.8'
services:
  app:
    image: nginx

# NEW (2025):
services:
  app:
    image: nginx
```
The version field is now ignored and can be omitted.
New Features
1. Develop Watch with initial_sync:
```yaml
services:
  app:
    build: .
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
          initial_sync: full  # NEW: Sync all files on start
```
2. Volume Type: Image:
```yaml
services:
  app:
    volumes:
      - type: image
        source: mydata:latest
        target: /data
        read_only: true
```
3. Build Print:
```bash
# Debug complex build configurations
docker compose build --print > build-config.json
```
4. Config No-Env-Resolution:
```bash
# View raw config without environment variable substitution
docker compose config --no-env-resolution
```
5. Watch with Prune:
```bash
# Automatically prune unused resources during watch
docker compose watch --prune
```
6. Run with Quiet:
```bash
# Reduce output noise
docker compose run --quiet app npm test
```
BuildKit Updates (2025)
New Features
1. Git SHA-256 Support:
```dockerfile
# Use SHA-256 based repositories
ADD https://github.com/user/repo#sha256:abc123... /src
```
2. Enhanced COPY/ADD --exclude:
```dockerfile
# Now generally available (was labs-only)
# Leave build-only and local artifacts out of the image context copy
COPY --exclude=node_modules --exclude=*.log . /app
```
3. ADD --unpack with --chown:
```dockerfile
# Extract and set ownership in one step
ADD --unpack --chown=1000:1000 archive.tar.gz /app
```
4. Git Query Parameters:
```dockerfile
# Fine-grained Git clone control
ADD https://github.com/user/repo.git?depth=1&branch=main /src
```
5. Image Checksum Verification:
```dockerfile
# Verify image integrity
FROM alpine:3.19@sha256:abc123...
# BuildKit verifies checksum automatically
```
Security Enhancements
1. Improved Frontend Verification:
```dockerfile
# Always use official Docker frontends
# syntax=docker/dockerfile:1

# Pin with digest for maximum security
# syntax=docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
```
2. Remote Cache Improvements:
- Fixed concurrency issues
- Better loop handling
- Enhanced security
Best Practices for 2025 Features
Using Docker AI Effectively
DO:
- Provide specific context in queries
- Verify AI-generated configurations
- Combine with traditional security tools
- Use for learning and exploration
DON'T:
- Trust AI blindly for security-critical apps
- Skip manual code review
- Ignore security scan results
- Use in air-gapped environments without Model Runner
Enhanced Container Isolation
DO:
- Enable for security-sensitive workloads
- Test containers for compatibility first
- Document socket access requirements
- Use with least privilege principles
DON'T:
- Enable without testing existing containers
- Disable without understanding risks
- Grant socket access unnecessarily
- Ignore audit logs
Modern Compose Files
DO:
- Remove version field from new compose files
- Use new features (volume type: image, watch improvements)
- Leverage --print for debugging
- Adopt --quiet for cleaner CI/CD output
DON'T:
- Keep version field (it's ignored anyway)
- Rely on deprecated syntax
- Skip testing with Compose v2.40+
- Use outdated documentation
Migration Guide
Updating to Docker Desktop 4.38+
1. Backup existing configurations:
```bash
# Export current settings
docker context export desktop-linux > backup.tar
```
2. Update Docker Desktop:
- Download latest from docker.com
- Run installer
- Restart machine if required
3. Enable new features:
```bash
# Enable AI Assistant (beta)
docker desktop settings set enableAI=true

# Enable Enhanced Container Isolation
docker desktop settings set enhancedContainerIsolation=true
```
4. Test existing containers:
```bash
# Verify containers work with ECI
docker compose up -d
docker compose ps
docker compose logs
```
Updating Compose Files
Before:
```yaml
version: '3.8'
services:
  app:
    image: nginx:latest
    volumes:
      - data:/data
volumes:
  data:
```
After:
```yaml
services:
  app:
    image: nginx:1.26.0  # Specific version
    volumes:
      - data:/data
    develop:
      watch:
        - action: sync
          path: ./config
          target: /etc/nginx/conf.d
          initial_sync: full
volumes:
  data:
    driver: local
```
Troubleshooting 2025 Features
Docker AI Issues
Problem: AI Assistant not responding
Solution:
```bash
# Check Docker Desktop version
docker version

# Ensure beta features enabled
docker desktop settings get enableAI

# Restart Docker Desktop
```
Problem: Model Runner slow
Solution:
- Update GPU drivers
- Increase Docker Desktop memory (Settings > Resources)
- Close other GPU-intensive applications
- Use smaller models for faster inference
Enhanced Container Isolation Issues
Problem: Container fails with socket permission error
Solution:
```bash
# Identify socket dependencies
docker inspect CONTAINER | grep -i socket

# If truly needed, add socket access explicitly
# (Document why in docker-compose.yml comments)
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
```
Problem: ECI breaks CI/CD pipeline
Solution:
- Disable ECI temporarily: docker desktop settings set enhancedContainerIsolation=false
- Review which containers need socket access
- Refactor to eliminate socket dependencies
- Re-enable ECI with exceptions documented
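Before enabling ECI (the DO/DON'T list above) and when working through the socket errors in this troubleshooting section, an inventory of which containers actually reach the Docker socket is more reliable than grepping `docker inspect` output by hand. The following added example (not part of the original page or of Docker's tooling) reads `docker inspect` JSON, checks both the Mounts view and the raw HostConfig.Binds strings for a bind mount of the Docker socket, and as a second item to review also flags --privileged containers, whose behaviour ECI's capability restrictions change; the inspect output is constructed here, not captured from a real host.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/ci-runner",
   "HostConfig": {"Privileged": false,
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "Binds": ["data:/usr/share/nginx/html"]},
   "Mounts": [{"Type": "volume", "Source": "data",
               "Destination": "/usr/share/nginx/html", "RW": true}]},
  {"Name": "/debug-shell",
   "HostConfig": {"Privileged": true, "Binds": []},
   "Mounts": []}
]
""")

# Host paths the engine socket is commonly bind-mounted from (assumed list).
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def socket_dependencies(containers: list[dict]) -> dict[str, list[str]]:
    """Map container name -> reasons it needs review before ECI is enabled.

    Containers with no findings are omitted from the result."""
    report = {}
    for c in containers:
        name = c["Name"].lstrip("/")
        host_config = c.get("HostConfig", {})
        # Source paths from the structured Mounts list and the raw Binds strings
        # ("host:container[:opts]"), so a socket declared either way is seen.
        sources = {m.get("Source") for m in c.get("Mounts", []) if m.get("Type") == "bind"}
        sources |= {b.split(":")[0] for b in host_config.get("Binds") or []}
        reasons = [f"bind-mounts Docker socket {s}" for s in DOCKER_SOCKETS if s in sources]
        if host_config.get("Privileged"):
            reasons.append("runs with --privileged")
        if reasons:
            report[name] = reasons
    return report

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 eci_socket_audit.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, reasons in socket_dependencies(data).items():
        print(f"{name}: {'; '.join(reasons)}")
```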
Compose v2.40 Issues
Problem: "version field is obsolete" warning
Solution:
```yaml
# Simply remove the version field
# OLD:
version: '3.8'
services:
  ...

# NEW:
services:
  ...
```
Problem: watch with initial_sync fails
Solution:
```bash
# Check file permissions
ls -la ./src

# Ensure paths are correct
docker compose config | grep -A 5 watch

# Verify sync target exists in container
docker compose exec app ls -la /app/src
```
Recommended Feature Adoption Timeline
Immediate (Production-Ready):
- Bake for complex builds
- Compose v2.40 features (remove version field)
- Moby 25 engine (via regular Docker updates)
- BuildKit improvements (automatic)
Testing (Beta but Stable):
- Docker AI for development workflows
- Model Runner for local AI testing
- Multi-node Kubernetes for pre-production
Evaluation (Security-Critical):
- Enhanced Container Isolation (test thoroughly)
- ECI with existing production containers
- Socket access elimination strategies
This skill ensures you stay current with Docker's 2025 evolution while maintaining stability, security, and production-readiness.