Docker Updates: Networking, Packaging, Rootless, Security, and Swarm Enhancements

- Fix panic on startup in systemd environments [moby/moby#40808](https://github.com/moby/moby/pull/40808) [moby/libnetwork#2544](https://github.com/moby/libnetwork/pull/2544) - Fix issue preventing containers to communicate over macvlan internal network [moby/moby#40596](https://github.com/moby/moby/pull/40596) [moby/libnetwork#2407](https://github.com/moby/libnetwork/pull/2407) - Fix InhibitIPv4 nil panic [moby/moby#40596](https://github.com/moby/moby/pull/40596) - Fix VFP leak in Windows overlay network deletion [moby/moby#40596](https://github.com/moby/moby/pull/40596) [moby/libnetwork#2524](https://github.com/moby/libnetwork/pull/2524) ### Packaging - docker.service: Add multi-user.target to After= in unit file [moby/moby#41297](https://github.com/moby/moby/pull/41297) - docker.service: Allow socket activation [moby/moby#37470](https://github.com/moby/moby/pull/37470) - seccomp: Remove dependency in dockerd on libseccomp [moby/moby#41395](https://github.com/moby/moby/pull/41395) ### Rootless - rootless: graduate from experimental [moby/moby#40759](https://github.com/moby/moby/pull/40759) - Add dockerd-rootless-setuptool.sh [moby/moby#40950](https://github.com/moby/moby/pull/40950) - Support `--exec-opt native.cgroupdriver=systemd` [moby/moby#40486](https://github.com/moby/moby/pull/40486) ### Security - Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc [moby/moby#39612](https://github.com/moby/moby/pull/39612) - seccomp: Whitelist `clock_adjtime`. `CAP_SYS_TIME` is still required for time adjustment [moby/moby#40929](https://github.com/moby/moby/pull/40929) - seccomp: Add openat2 and faccessat2 to default seccomp profile [moby/moby#41353](https://github.com/moby/moby/pull/41353) - seccomp: allow 'rseq' syscall in default seccomp profile [moby/moby#41158](https://github.com/moby/moby/pull/41158) - seccomp: allow syscall membarrier [moby/moby#40731](https://github.com/moby/moby/pull/40731) - seccomp: whitelist io-uring related system calls [moby/moby#39415](https://github.com/moby/moby/pull/39415) - Add default sysctls to allow ping sockets and privileged ports with no capabilities [moby/moby#41030](https://github.com/moby/moby/pull/41030) - Fix seccomp profile for clone syscall [moby/moby#39308](https://github.com/moby/moby/pull/39308) ### Swarm - Add support for swarm jobs [moby/moby#40307](https://github.com/moby/moby/pull/40307) - Add capabilities support to stack/service commands [docker/cli#2687](https://github.com/docker/cli/pull/2687) [docker/cli#2709](https://github.com/docker/cli/pull/2709) [moby/moby#39173](https://github.com/moby/moby/pull/39173) [moby/moby#41249](https://github.com/moby/moby/pull/41249) - Add support for sending down service Running and Desired task counts [moby/moby#39231](https://github.com/moby/moby/pull/39231) - service: support `--mount type=bind,bind-nonrecursive` [moby/moby#38788](https://github.com/moby/moby/pull/38788) - Support ulimits on Swarm services. [moby/moby#41284](https://github.com/moby/moby/pull/41284) [docker/cli#2712](https://github.com/docker/cli/pull/2712) - Fixed an issue where service logs could leak goroutines on the worker [moby/moby#40426](https://github.com/moby/moby/pull/40426)

This section covers a range of updates to Docker, including fixes for networking issues like panics in systemd environments and problems with macvlan networks, as well as addressing a VFP leak in Windows. It highlights packaging changes such as adding multi-user target and socket activation to docker.service, and removing libseccomp dependency. The update graduates rootless mode from experimental status and introduces related tools. Security improvements include fixes for CVE-2019-14271 and enhancements to seccomp profiles. Swarm updates add support for swarm jobs, capabilities, service task counts, bind mounts, ulimits, and a fix for goroutine leaks in service logs.