Containers with network 'br0' can be remotely accessed by WireGuard without the need to configure a static route on the home router (gateway)
"Host access to custom networks" must be enabled to allow access
This drops compatibility with newly created templates being installed on 6.0 / 6.1. It does not drop compatibility with installing templates created on 6.0 / 6.1.
Basically it just removes the redundant entries in the xml
- allow extra parameters using --net=<network> to overrule default network assignment
- add vpn containers are referenced by name in network assignment
- add update containers reference when vpn container is updated
1. get www-authenticate header for realm, service & scope
2. get token from generated url (realm + query args service & scope)
3. get manifest header Docker-Content-Digest
Also allows access to private docker registries
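
The three steps above, sketched offline as an added example (not the project's own code). The function names, the sample challenge and the registry host are constructed for illustration, and the digest check assumes sha256 only.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample of the 401 challenge a registry returns for a manifest request.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.registry.example/token",'
                    'service="registry.example",'
                    'scope="repository:library/demo:pull"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')
_DIGEST = re.compile(r'^sha256:[0-9a-f]{64}$')


def parse_challenge(header):
    """Step 1: split a Bearer challenge into realm, service and scope."""
    scheme, _, rest = header.partition(' ')
    if scheme.lower() != 'bearer':
        raise ValueError('unsupported auth scheme: ' + scheme)
    params = dict(_PARAM.findall(rest))
    if 'realm' not in params:
        raise ValueError('challenge has no realm')
    return params


def token_url(params):
    """Step 2: build the token URL (realm + query args service & scope)."""
    realm = urlsplit(params['realm'])
    # The realm is chosen by the remote server: refuse to send a token
    # request (and any credentials) to a non-HTTPS endpoint.
    if realm.scheme != 'https' or not realm.netloc:
        raise ValueError('refusing non-HTTPS realm')
    query = {k: params[k] for k in ('service', 'scope') if k in params}
    sep = '&' if realm.query else '?'
    return params['realm'] + (sep + urlencode(query) if query else '')


def read_digest(headers):
    """Step 3: pull Docker-Content-Digest from the manifest response headers."""
    for name, value in headers.items():
        if name.lower() == 'docker-content-digest':
            value = value.strip()
            if not _DIGEST.match(value):
                raise ValueError('malformed digest')
            return value
    return None
```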
While I think this was a decent idea, in actual practice there are too many possibilities / permutations of quoting etc that can potentially result in a false positive and prevent the user from executing their container. Net result is that the security routine would have to be continually updated as more legit usages come to light.
Since the whole point of the original change was to prevent repository maintainers from maliciously executing arbitrary commands in the docker run and not to impact end-users at all, this will have to be purely enforced on CA's end instead.