Merge pull request #48090 from thaJeztah/27.0_backport_48067_fix_specific_ipv6_portmap_proxy_to_ipv4

[27.0 backport] Fix incorrect validation of port mapping
Merge pull request #48086 from thaJeztah/27.0_backport_fix_rootless_pull
2026-01-14 10:58:08 +00:00 · 2024-06-28 23:16:49 +02:00 · 2024-06-28 22:40:07 +02:00 · 2024-06-28 21:11:01 +02:00 · 2024-06-28 21:07:29 +02:00 · 2024-06-28 18:26:59 +02:00
6105 changed files with 229751 additions and 470201 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,4 @@
-/.git
-
-# build artifacts
-/bundles/
-/cli/winresources/dockerd/winres.json
-/cli/winresources/dockerd/*.syso
+.git
+bundles/
+cli/winresources/**/winres.json
+cli/winresources/**/*.syso
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,14 +19,11 @@ Please provide the following information:

 **- How to verify it**

-**- Human readable description for the release notes**
+**- Description for the changelog**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog.
-It must be placed inside the below triple backticks section.
-
-NOTE: Only fill this section if changes introduced in this PR are user-facing.
-The PR must have a relevant impact/ label.
+It must be placed inside the below triple backticks section:
 -->
 ```markdown changelog

--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -3,25 +3,15 @@ name: .dco

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:

 env:
-  ALPINE_VERSION: "3.21"
+  ALPINE_VERSION: 3.16

 jobs:
  run:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    steps:
      -
        name: Checkout
@@ -49,12 +39,10 @@ jobs:
        name: Validate
        run: |
          docker run --rm \
-            --quiet \
-            -v ./:/workspace \
-            -w /workspace \
+            -v "$(pwd):/workspace" \
            -e VALIDATE_REPO \
            -e VALIDATE_BRANCH \
-            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && hack/validate/dco'
+            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
        env:
          VALIDATE_REPO: ${{ github.server_url }}/${{ github.repository }}.git
          VALIDATE_BRANCH: ${{ steps.base-ref.outputs.result }}
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -3,15 +3,6 @@ name: .test-prepare

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    outputs:
@@ -21,8 +12,7 @@ on:

 jobs:
  run:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
--- a/.github/workflows/.test-unit.yml
+++ b/.github/workflows/.test-unit.yml
@@ -1,123 +0,0 @@
-# reusable workflow
-name: .test-unit
-
-# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  workflow_call:
-
-env:
-  GO_VERSION: "1.24.9"
-  GOTESTLIST_VERSION: v0.3.1
-  TESTSTAT_VERSION: v0.1.25
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
-
-jobs:
-  unit:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        mode:
-          - ""
-          - firewalld
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=${{ env.CACHE_DEV_SCOPE }}
-      -
-        name: Test
-        run: |
-          make -o build test-unit
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          mkdir -p bundles /tmp/reports
-          find bundles -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
-          sudo chown -R $(id -u):$(id -g) /tmp/reports
-          tree -nh /tmp/reports
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles
-          env_vars: RUNNER_OS
-          flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-unit--${{ matrix.mode }}
-          path: /tmp/reports/*
-          retention-days: 1
-
-  unit-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
-    needs:
-      - unit
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          pattern: test-reports-unit-*
-          path: /tmp/reports
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -3,15 +3,6 @@ name: .test

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    inputs:
@@ -21,21 +12,104 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.24.9"
+  GO_VERSION: "1.21.9"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
  TEST_INTEGRATION_USE_SNAPSHOTTER: ${{ inputs.storage == 'snapshotter' && '1' || '' }}
-  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
-  docker-py:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+  unit:
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up runner
+        uses: ./.github/actions/setup-runner
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v4
+        with:
+          targets: dev
+          set: |
+            dev.cache-from=type=gha,scope=dev
+      -
+        name: Test
+        run: |
+          make -o build test-unit
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          mkdir -p bundles /tmp/reports
+          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
+          sudo chown -R $(id -u):$(id -g) /tmp/reports
+          tree -nh /tmp/reports
+      -
+        name: Send to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./bundles
+          env_vars: RUNNER_OS
+          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-unit-${{ inputs.storage }}
+          path: /tmp/reports/*
+          retention-days: 1
+
+  unit-report:
+    runs-on: ubuntu-20.04
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
+    if: always()
+    needs:
+      - unit
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          name: test-reports-unit-${{ inputs.storage }}
+          path: /tmp/reports
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
+
+  docker-py:
+    runs-on: ubuntu-20.04
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -55,7 +129,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -63,7 +137,7 @@ jobs:
      -
        name: Test
        run: |
-          make TEST_SKIP_INTEGRATION_CLI=1 -o build test-docker-py
+          make -o build test-docker-py
      -
        name: Prepare reports
        if: always()
@@ -90,9 +164,9 @@ jobs:
          retention-days: 1

  integration-flaky:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -109,7 +183,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -121,50 +195,21 @@ jobs:
        env:
          TEST_SKIP_INTEGRATION_CLI: 1

-  integration-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    outputs:
-      includes: ${{ steps.set.outputs.includes }}
-    steps:
-      -
-        name: Create matrix includes
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let includes = [
-              { os: 'ubuntu-22.04', mode: '' },
-              { os: 'ubuntu-22.04', mode: 'rootless' },
-              { os: 'ubuntu-22.04', mode: 'systemd' },
-              { os: 'ubuntu-24.04', mode: '' },
-              // { os: 'ubuntu-24.04', mode: 'rootless' },  // FIXME: https://github.com/moby/moby/pull/49579#issuecomment-2698622223
-              { os: 'ubuntu-24.04', mode: 'systemd' },
-              // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
-            ];
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ os: 'ubuntu-24.04', mode: 'firewalld' });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(includes)}`);
-              core.setOutput('includes', JSON.stringify(includes));
-            });
-      -
-        name: Show matrix
-        run: |
-          echo ${{ steps.set.outputs.includes }}
-
  integration:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - integration-prepare
+    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
-        include: ${{ fromJson(needs.integration-prepare.outputs.includes) }}
+        os:
+          - ubuntu-20.04
+          - ubuntu-22.04
+        mode:
+          - ""
+          - rootless
+          - systemd
+          #- rootless-systemd FIXME: https://github.com/moby/moby/issues/44084
    steps:
      -
        name: Checkout
@@ -186,10 +231,6 @@ jobs:
            echo "SYSTEMD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
          fi
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -200,7 +241,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -253,9 +294,9 @@ jobs:
          retention-days: 1

  integration-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
    if: always()
    needs:
      - integration
@@ -265,7 +306,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -283,11 +323,10 @@ jobs:
          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-cli-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
-      matrix: ${{ steps.set.outputs.matrix }}
+      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
      -
        name: Checkout
@@ -297,13 +336,12 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Install gotestlist
        run:
          go install github.com/crazy-max/gotestlist/cmd/gotestlist@${{ env.GOTESTLIST_VERSION }}
      -
-        name: Create test matrix
+        name: Create matrix
        id: tests
        working-directory: ./integration-cli
        run: |
@@ -315,53 +353,20 @@ jobs:
          matrix="$(gotestlist -d ${{ env.ITG_CLI_MATRIX_SIZE }} -o "./..." -o "DockerSwarmSuite" -o "DockerNetworkSuite|DockerExternalVolumeSuite" ./...)"
          echo "matrix=$matrix" >> $GITHUB_OUTPUT
      -
-        name: Create gha matrix
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let matrix = {
-              test: ${{ steps.tests.outputs.matrix }},
-              include: [],
-            };
-            // For some reasons, GHA doesn't combine a dynamically defined
-            // 'include' with other matrix variables that aren't part of the
-            // include items.
-            // Moreover, since the goal is to run only relevant tests with
-            // firewalld enabled to minimize the number of CI jobs, we
-            // statically define the list of test suites that we want to run.
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
-              });
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerSwarmSuite'
-              });
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerNetworkSuite'
-              });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(matrix)}`);
-              core.setOutput('matrix', JSON.stringify(matrix));
-            });
-      -
-        name: Show final gha matrix
+        name: Show matrix
        run: |
-          echo ${{ steps.set.outputs.matrix }}
+          echo ${{ steps.tests.outputs.matrix }}

  integration-cli:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    needs:
      - integration-cli-prepare
    strategy:
      fail-fast: false
-      matrix: ${{ fromJson(needs.integration-cli-prepare.outputs.matrix) }}
+      matrix:
+        test: ${{ fromJson(needs.integration-cli-prepare.outputs.matrix) }}
    steps:
      -
        name: Checkout
@@ -372,15 +377,6 @@ jobs:
      -
        name: Set up tracing
        uses: ./.github/actions/setup-tracing
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -390,7 +386,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -442,9 +438,9 @@ jobs:
          retention-days: 1

  integration-cli-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
+    runs-on: ubuntu-20.04
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
    if: always()
    needs:
      - integration-cli
@@ -454,7 +450,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -3,15 +3,6 @@ name: .windows

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    inputs:
@@ -28,12 +19,12 @@ on:
        default: false

 env:
-  GO_VERSION: "1.24.9"
+  GO_VERSION: "1.21.11"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
+  WINDOWS_BASE_TAG_2019: ltsc2019
  WINDOWS_BASE_TAG_2022: ltsc2022
-  WINDOWS_BASE_TAG_2025: ltsc2025
  TEST_IMAGE_NAME: moby:test
  TEST_CTN_NAME: moby
  DOCKER_BUILDKIT: 0
@@ -42,7 +33,6 @@ env:
 jobs:
  build:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -65,11 +55,23 @@ jobs:
        run: |
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          If ("${{ inputs.os }}" -eq "windows-2025") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2019") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
+      -
+        name: Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+            ${{ github.workspace }}\go-build
+            ${{ env.GOPATH }}\pkg\mod
+          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
+          restore-keys: |
+            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -80,12 +82,15 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
+            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Build binaries
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
+              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
+              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
      -
        name: Copy artifacts
@@ -107,7 +112,7 @@ jobs:

  unit-test:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 120
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -130,11 +135,23 @@ jobs:
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2025") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2019") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
+      -
+        name: Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+            ${{ github.workspace }}\go-build
+            ${{ env.GOPATH }}\pkg\mod
+          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
+          restore-keys: |
+            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -145,12 +162,15 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
+            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Test
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
+            -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
+            -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
            -v "${{ env.GOPATH }}\src\github.com\docker\docker\bundles:C:\gopath\src\github.com\docker\docker\bundles" `
            ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -TestUnit
      -
@@ -173,8 +193,7 @@ jobs:
          retention-days: 1

  unit-test-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    if: always()
    needs:
      - unit-test
@@ -184,7 +203,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
@@ -201,8 +219,7 @@ jobs:
          find /tmp/artifacts -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-test-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
@@ -214,7 +231,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Install gotestlist
        run:
@@ -237,8 +253,8 @@ jobs:

  integration-test:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    needs:
      - build
      - integration-test-prepare
@@ -267,12 +283,6 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Set up Jaeger
        run: |
@@ -297,8 +307,8 @@ jobs:
        name: Init
        run: |
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2025") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2019") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -325,12 +335,33 @@ jobs:
            $ErrorActionPreference = "Stop"
            Write-Host "Service removed"
          }
+      -
+        name: Starting containerd
+        if: matrix.runtime == 'containerd'
+        run: |
+          Write-Host "Generating config"
+          & "${{ env.BIN_OUT }}\containerd.exe" config default | Out-File "$env:TEMP\ctn.toml" -Encoding ascii
+          Write-Host "Creating service"
+          New-Item -ItemType Directory "$env:TEMP\ctn-root" -ErrorAction SilentlyContinue | Out-Null
+          New-Item -ItemType Directory "$env:TEMP\ctn-state" -ErrorAction SilentlyContinue | Out-Null
+          Start-Process -Wait "${{ env.BIN_OUT }}\containerd.exe" `
+            -ArgumentList "--log-level=debug", `
+              "--config=$env:TEMP\ctn.toml", `
+              "--address=\\.\pipe\containerd-containerd", `
+              "--root=$env:TEMP\ctn-root", `
+              "--state=$env:TEMP\ctn-state", `
+              "--log-file=$env:TEMP\ctn.log", `
+              "--register-service"
+          Write-Host "Starting service"
+          Start-Service -Name containerd
+          Start-Sleep -Seconds 5
+          Write-Host "Service started successfully!"
      -
        name: Starting test daemon
        run: |
          Write-Host "Creating service"
          If ("${{ matrix.runtime }}" -eq "containerd") {
-            $runtimeArg="--default-runtime=io.containerd.runhcs.v1"
+            $runtimeArg="--containerd=\\.\pipe\containerd-containerd"
            echo "DOCKER_WINDOWS_CONTAINERD_RUNTIME=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
          New-Item -ItemType Directory "$env:TEMP\moby-root" -ErrorAction SilentlyContinue | Out-Null
@@ -370,17 +401,6 @@ jobs:
            Start-Sleep -Seconds 1
          }
          Write-Host "Test daemon started and replied!"
-          If ("${{ matrix.runtime }}" -eq "containerd") {
-            $containerdProcesses = Get-Process -Name containerd -ErrorAction:SilentlyContinue
-            If (-not $containerdProcesses) {
-              Throw "containerd process is not running"
-            } else {
-              foreach ($process in $containerdProcesses) {
-                $processPath = (Get-Process -Id $process.Id -FileVersionInfo).FileName
-                Write-Output "Running containerd instance binary Path: $($processPath)"
-              }
-            }
-          }
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
      -
@@ -404,6 +424,11 @@ jobs:
          & "${{ env.BIN_OUT }}\docker" images
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
      -
        name: Test integration
        if: matrix.test == './...'
@@ -439,6 +464,19 @@ jobs:
          & "${{ env.BIN_OUT }}\docker" info
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
+      -
+        name: Stop containerd
+        if: always() && matrix.runtime == 'containerd'
+        run: |
+          $ErrorActionPreference = "SilentlyContinue"
+          Stop-Service -Force -Name containerd
+          $ErrorActionPreference = "Stop"
+      -
+        name: Containerd logs
+        if: always() && matrix.runtime == 'containerd'
+        run: |
+          Copy-Item "$env:TEMP\ctn.log" -Destination ".\bundles\containerd.log"
+          Get-Content "$env:TEMP\ctn.log" | Out-Host
      -
        name: Stop daemon
        if: always()
@@ -474,8 +512,7 @@ jobs:
          retention-days: 1

  integration-test-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
    if: always()
    needs:
@@ -497,7 +534,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -1,286 +0,0 @@
-name: arm64
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:
-
-env:
-  GO_VERSION: "1.24.9"
-  TESTSTAT_VERSION: v0.1.25
-  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
-  DOCKER_EXPERIMENTAL: 1
-
-jobs:
-  validate-dco:
-    uses: ./.github/workflows/.dco.yml
-
-  build:
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - validate-dco
-    strategy:
-      fail-fast: false
-      matrix:
-        target:
-          - binary
-          - dynbinary
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build
-        uses: docker/bake-action@v6
-        with:
-          targets: ${{ matrix.target }}
-      -
-        name: List artifacts
-        run: |
-          tree -nh ${{ env.DESTDIR }}
-      -
-        name: Check artifacts
-        run: |
-          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-
-  build-dev:
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - validate-dco
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            *.cache-from=type=gha,scope=dev-arm64
-            *.cache-to=type=gha,scope=dev-arm64
-            *.output=type=cacheonly
-
-  test-unit:
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - build-dev
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev-arm64
-      -
-        name: Test
-        run: |
-          make -o build test-unit
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          mkdir -p bundles /tmp/reports
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
-          sudo chown -R $(id -u):$(id -g) /tmp/reports
-          tree -nh /tmp/reports
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles
-          env_vars: RUNNER_OS
-          flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-unit-arm64-graphdriver
-          path: /tmp/reports/*
-          retention-days: 1
-
-  test-unit-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
-    needs:
-      - test-unit
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          pattern: test-reports-unit-arm64-*
-          path: /tmp/reports
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
-
-  test-integration:
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - build-dev
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Set up tracing
-        uses: ./.github/actions/setup-tracing
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev-arm64
-      -
-        name: Test
-        run: |
-          make -o build test-integration
-        env:
-          TEST_SKIP_INTEGRATION_CLI: 1
-          TESTCOVERAGE: 1
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          reportsPath="/tmp/reports/arm64-graphdriver"
-          mkdir -p bundles $reportsPath
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C $reportsPath
-          sudo chown -R $(id -u):$(id -g) $reportsPath
-          tree -nh $reportsPath
-          curl -sSLf localhost:16686/api/traces?service=integration-test-client > $reportsPath/jaeger-trace.json
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles/test-integration
-          env_vars: RUNNER_OS
-          flags: integration
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Test daemon logs
-        if: always()
-        run: |
-          cat bundles/test-integration/docker.log
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-integration-arm64-graphdriver
-          path: /tmp/reports/*
-          retention-days: 1
-
-  test-integration-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
-    needs:
-      - test-integration
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          path: /tmp/reports
-          pattern: test-reports-integration-arm64-*
-          merge-multiple: true
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -1,14 +1,5 @@
 name: bin-image

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,7 +10,6 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
    tags:
      - 'v*'
  pull_request:
@@ -31,7 +21,7 @@ env:
  PLATFORM: Moby Engine - Nightly
  PRODUCT: moby-bin
  PACKAGER_NAME: The Moby Project
-  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
@@ -40,9 +30,7 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    runs-on: ubuntu-20.04
    outputs:
      platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -60,18 +48,19 @@ jobs:
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
          # moby/moby-bin:latest
-          ## push semver prerelease tag v23.0.0-beta.1
+          ## push semver prelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
          ## push on 23.0 branch
          # moby/moby-bin:23.0
+          ## any push
+          # moby/moby-bin:sha-ad132f5
          tags: |
            type=semver,pattern={{version}}
            type=ref,event=branch
            type=ref,event=pr
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
+            type=sha
      -
        name: Rename meta bake definition file
        # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -93,27 +82,26 @@ jobs:
          echo "matrix=$(docker buildx bake bin-image-cross --print | jq -cr '.target."bin-image-cross".platforms')" >>${GITHUB_OUTPUT}

  build:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only')) }}
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
      - prepare
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    strategy:
      fail-fast: false
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
      -
        name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Download meta bake definition
        uses: actions/download-artifact@v4
@@ -140,9 +128,8 @@ jobs:
      -
        name: Build
        id: bake
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
-          source: .
          files: |
            ./docker-bake.hcl
            /tmp/bake-meta.json
@@ -169,11 +156,10 @@ jobs:
          retention-days: 1

  merge:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 40 # guardrails timeout for the whole job
-    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
+    runs-on: ubuntu-20.04
    needs:
      - build
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
    steps:
      -
        name: Download meta bake definition
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -1,14 +1,5 @@
 name: buildkit

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,26 +10,26 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.24.9"
+  GO_VERSION: "1.21.11"
  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  build-linux:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+  build:
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -48,7 +39,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: binary
      -
@@ -60,12 +51,11 @@ jobs:
          if-no-files-found: error
          retention-days: 1

-  test-linux:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+  test:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
    needs:
-      - build-linux
+      - build
    env:
      TEST_IMAGE_BUILD: "0"
      TEST_IMAGE_ID: "buildkit-tests"
@@ -103,12 +93,6 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: moby
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
      -
        name: BuildKit ref
        run: |
@@ -146,9 +130,8 @@ jobs:
          docker info
      -
        name: Build test image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
-          source: .
          workdir: ./buildkit
          targets: integration-tests
          set: |
@@ -164,210 +147,3 @@ jobs:
          TESTPKGS: "./${{ matrix.pkg }}"
          TESTFLAGS: "-v --parallel=1 --timeout=30m --run=//worker=${{ matrix.worker }}$"
        working-directory: buildkit
-
-  build-windows:
-    runs-on: windows-2022
-    timeout-minutes: 120
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - validate-dco
-    env:
-      GOPATH: ${{ github.workspace }}\go
-      GOBIN: ${{ github.workspace }}\go\bin
-      BIN_OUT: ${{ github.workspace }}\out
-      WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
-      WINDOWS_BASE_TAG_2022: ltsc2022
-      TEST_IMAGE_NAME: moby:test
-      TEST_CTN_NAME: moby
-    defaults:
-      run:
-        working-directory: ${{ env.GOPATH }}/src/github.com/docker/docker
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          path: ${{ env.GOPATH }}/src/github.com/docker/docker
-
-      - name: Env
-        run: |
-          Get-ChildItem Env: | Out-String
-
-      - name: Moby - Init
-        run: |
-          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
-          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: Docker info
-        run: |
-          docker info
-
-      - name: Build base image
-        run: |
-          & docker build `
-            --build-arg WINDOWS_BASE_IMAGE `
-            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            -t ${{ env.TEST_IMAGE_NAME }} `
-            -f Dockerfile.windows .
-
-      - name: Build binaries
-        run: |
-          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
-              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
-          go install github.com/distribution/distribution/v3/cmd/registry@latest
-
-      - name: Checkout BuildKit
-        uses: actions/checkout@v4
-        with:
-          repository: moby/buildkit
-          ref: master
-          path: buildkit
-
-      - name: Add buildctl to binaries
-        run: |
-          go install ./cmd/buildctl
-        working-directory: buildkit
-
-      - name: Copy artifacts
-        run: |
-          New-Item -ItemType "directory" -Path "${{ env.BIN_OUT }}"
-          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\docker.exe" ${{ env.BIN_OUT }}\
-          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\dockerd.exe" ${{ env.BIN_OUT }}\
-          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\bin\gotestsum.exe" ${{ env.BIN_OUT }}\
-          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd.exe" ${{ env.BIN_OUT }}\
-          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd-shim-runhcs-v1.exe" ${{ env.BIN_OUT }}\
-          cp ${{ env.GOPATH }}\bin\registry.exe ${{ env.BIN_OUT }}
-          cp ${{ env.GOPATH }}\bin\buildctl.exe ${{ env.BIN_OUT }}
-
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: build-windows
-          path: ${{ env.BIN_OUT }}/*
-          if-no-files-found: error
-          retention-days: 2
-
-  test-windows:
-    runs-on: windows-2022
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - build-windows
-    env:
-      TEST_IMAGE_BUILD: "0"
-      TEST_IMAGE_ID: "buildkit-tests"
-      GOPATH: ${{ github.workspace }}\go
-      GOBIN: ${{ github.workspace }}\go\bin
-      BIN_OUT: ${{ github.workspace }}\out
-      TESTFLAGS: "-v --timeout=90m"
-      TEST_DOCKERD: "1"
-    strategy:
-      fail-fast: false
-      matrix:
-        worker:
-          - dockerd-containerd
-        pkg:
-          - ./client#1-4
-          - ./client#2-4
-          - ./client#3-4
-          - ./client#4-4
-          - ./cmd/buildctl
-          - ./frontend
-          - ./frontend/dockerfile#1-12
-          - ./frontend/dockerfile#2-12
-          - ./frontend/dockerfile#3-12
-          - ./frontend/dockerfile#4-12
-          - ./frontend/dockerfile#5-12
-          - ./frontend/dockerfile#6-12
-          - ./frontend/dockerfile#7-12
-          - ./frontend/dockerfile#8-12
-          - ./frontend/dockerfile#9-12
-          - ./frontend/dockerfile#10-12
-          - ./frontend/dockerfile#11-12
-          - ./frontend/dockerfile#12-12
-    steps:
-      - name: Prepare
-        shell: bash
-        run: |
-          disabledFeatures="cache_backend_azblob,cache_backend_s3"
-          if [ "${{ matrix.worker }}" = "dockerd" ]; then
-            disabledFeatures="${disabledFeatures},merge_diff"
-          fi
-          echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
-
-      - name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v3
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          path: moby
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-
-      - name: BuildKit ref
-        shell: bash
-        run: |
-          echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
-        working-directory: moby
-
-      - name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ env.BUILDKIT_REPO }}
-          ref: ${{ env.BUILDKIT_REF }}
-          path: buildkit
-
-      - name: Download Moby artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: build-windows
-          path: ${{ env.BIN_OUT }}
-
-      - name: Add binaries to PATH
-        run: |
-          ls ${{ env.BIN_OUT }}
-          Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Test Prep
-        shell: bash
-        run: |
-          TESTPKG=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $1}')
-          echo "TESTPKG=$TESTPKG" >> $GITHUB_ENV
-          echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          testFlags="${{ env.TESTFLAGS }}"
-          testSlice=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $2}')
-          testSliceOffset=""
-          if [ -n "$testSlice" ]; then
-           testSliceOffset="slice=$testSlice/"
-          fi
-          if [ -n "${{ matrix.worker }}" ]; then
-           testFlags="${testFlags} --run=TestIntegration/$testSliceOffset.*/worker=${{ matrix.worker }}"
-          fi
-          echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
-
-      - name: Test
-        shell: bash
-        run: |
-          mkdir -p ./bin/testreports
-          gotestsum \
-            --jsonfile="./bin/testreports/go-test-report-${{ env.TEST_REPORT_NAME }}.json" \
-            --junitfile="./bin/testreports/junit-report-${{ env.TEST_REPORT_NAME }}.xml" \
-            --packages="${{ env.TESTPKG }}" \
-            -- \
-              "-mod=vendor" \
-              "-coverprofile" "./bin/testreports/coverage-${{ env.TEST_REPORT_NAME }}.txt" \
-              "-covermode" "atomic" ${{ env.TESTFLAGS }}
-        working-directory: buildkit
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,14 +1,5 @@
 name: ci

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,12 +10,11 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
@@ -32,8 +22,7 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  build:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
    strategy:
@@ -43,6 +32,11 @@ jobs:
          - binary
          - dynbinary
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -52,7 +46,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: ${{ matrix.target }}
      -
@@ -65,9 +59,7 @@ jobs:
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  prepare-cross:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    runs-on: ubuntu-latest
    needs:
      - validate-dco
    outputs:
@@ -88,9 +80,7 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  cross:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
      - prepare-cross
@@ -99,6 +89,11 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Prepare
        run: |
@@ -113,7 +108,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: all
          set: |
@@ -126,55 +121,3 @@ jobs:
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-
-  govulncheck:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    # Always run security checks, even with 'ci/validate-only' label
-    permissions:
-      # required to write sarif report
-      security-events: write
-      # required to check out the repository
-      contents: read
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Run
-        uses: docker/bake-action@v6
-        with:
-          targets: govulncheck
-        env:
-          GOVULNCHECK_FORMAT: sarif
-      -
-        name: Upload SARIF report
-        if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
-
-  build-dind:
-    runs-on: ubuntu-24.04
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - validate-dco
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dind image
-        uses: docker/bake-action@v6
-        with:
-          targets: dind
-          set: |
-            *.output=type=cacheonly
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,75 +0,0 @@
-name: codeql
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-    tags:
-      - 'v*'
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["master"]
-  schedule:
-    #        ┌───────────── minute (0 - 59)
-    #        │ ┌───────────── hour (0 - 23)
-    #        │ │ ┌───────────── day of the month (1 - 31)
-    #        │ │ │ ┌───────────── month (1 - 12)
-    #        │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        * * * * *
-    - cron: '0 9 * * 4'
-
-env:
-  GO_VERSION: "1.24.9"
-
-jobs:
-  codeql:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
-      # and is trying to be smart by searching for modules in every directory,
-      # including vendor directories. If no module is found, it's creating one
-      # which is ... not what we want, so let's give it a "go.mod".
-      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
-      - name: Create go.mod
-        run: |
-          ln -s vendor.mod go.mod
-          ln -s vendor.sum go.sum
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: go
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: "/language:go"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,14 +1,5 @@
 name: test

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,14 +10,13 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.24.9"
+  GO_VERSION: "1.21.11"
  GIT_PAGER: "cat"
  PAGER: "cat"
-  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
@@ -34,8 +24,7 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  build-dev:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
    strategy:
@@ -44,7 +33,6 @@ jobs:
        mode:
          - ""
          - systemd
-          - firewalld
    steps:
      -
        name: Prepare
@@ -52,6 +40,9 @@ jobs:
          if [ "${{ matrix.mode }}" = "systemd" ]; then
            echo "SYSTEMD=true" >> $GITHUB_ENV
          fi
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -61,16 +52,15 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
            *.cache-from=type=gha,scope=dev${{ matrix.mode }}
-            *.cache-to=type=gha,scope=dev${{ matrix.mode }}
+            *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
            *.output=type=cacheonly

  test:
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
      - validate-dco
@@ -85,17 +75,8 @@ jobs:
    with:
      storage: ${{ matrix.storage }}

-  test-unit:
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - build-dev
-      - validate-dco
-    uses: ./.github/workflows/.test-unit.yml
-    secrets: inherit
-
  validate-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
    outputs:
@@ -116,8 +97,8 @@ jobs:
          echo ${{ steps.scripts.outputs.matrix }}

  validate:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
    needs:
      - validate-prepare
      - build-dev
@@ -143,7 +124,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -154,9 +135,7 @@ jobs:
          make -o build validate-${{ matrix.script }}

  smoke-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    runs-on: ubuntu-20.04
    needs:
      - validate-dco
    outputs:
@@ -177,9 +156,7 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  smoke:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    runs-on: ubuntu-20.04
    needs:
      - smoke-prepare
    strategy:
@@ -187,6 +164,9 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.smoke-prepare.outputs.matrix) }}
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Prepare
        run: |
@@ -204,7 +184,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: binary-smoketest
          set: |
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -1,22 +1,12 @@
 name: validate-pr

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  pull_request:
-    types: [opened, edited, labeled, unlabeled, synchronize]
+    types: [opened, edited, labeled, unlabeled]

 jobs:
  check-area-label:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    steps:
      - name: Missing `area/` label
        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
@@ -27,10 +17,9 @@ jobs:
        run: exit 0

  check-changelog:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
+    runs-on: ubuntu-20.04
    env:
-      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
      PR_BODY: |
        ${{ github.event.pull_request.body }}
    steps:
@@ -42,47 +31,32 @@ jobs:
          # Strip empty lines
          desc=$(echo "$block" |  awk NF)

-          if [ "$HAS_IMPACT_LABEL" = "true" ]; then
-            if [ -z "$desc" ]; then
-              echo "::error::Changelog section is empty. Please provide a description for the changelog."
-              exit 1
-            fi
+          if [ -z "$desc" ]; then
+            echo "::error::Changelog section is empty. Please provide a description for the changelog."
+            exit 1
+          fi

-            len=$(echo -n "$desc" | wc -c)
-            if [[ $len -le 6 ]]; then
-              echo "::error::Description looks too short: $desc"
-              exit 1
-            fi
-          else
-            if [ -n "$desc" ]; then
-              echo "::error::PR has a changelog description, but no changelog label"
-              echo "::error::Please add the relevant 'impact/' label to the PR or remove the changelog description"
-              exit 1
-            fi
+          len=$(echo -n "$desc" | wc -c)
+          if [[ $len -le 6 ]]; then
+            echo "::error::Description looks too short: $desc"
+            exit 1
          fi

          echo "This PR will be included in the release notes with the following note:"
          echo "$desc"

  check-pr-branch:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-20.04
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      # Backports or PR that target a release branch directly should mention the target branch in the title, for example:
      # [X.Y backport] Some change that needs backporting to X.Y
      # [X.Y] Change directly targeting the X.Y branch
-      - name: Check release branch
+      - name: Get branch from PR title
        id: title_branch
-        run: |
-          # get the intended major version prefix ("[27.1 backport]" -> "27.") from the PR title.
-          [[ "$PR_TITLE" =~ ^\[([0-9]*\.)[^]]*\] ]] && branch="${BASH_REMATCH[1]}"
+        run: echo "$PR_TITLE" | sed -n 's/^\[\([0-9]*\.[0-9]*\)[^]]*\].*/branch=\1/p' >> $GITHUB_OUTPUT

-          # get major version prefix from the release branch ("27.x -> "27.")
-          [[ "$GITHUB_BASE_REF" =~ ^([0-9]*\.) ]] && target_branch="${BASH_REMATCH[1]}" || target_branch="$GITHUB_BASE_REF"
-
-          if [[ "$target_branch" != "$branch" ]] && ! [[ "$GITHUB_BASE_REF" == "master" && "$branch" == "" ]]; then
-              echo "::error::PR is opened against the $GITHUB_BASE_REF branch, but its title suggests otherwise."
-              exit 1
-          fi
+      - name: Check release branch
+        if: github.event.pull_request.base.ref != steps.title_branch.outputs.branch && !(github.event.pull_request.base.ref == 'master' && steps.title_branch.outputs.branch == '')
+        run: echo "::error::PR title suggests targetting the ${{ steps.title_branch.outputs.branch }} branch, but is opened against ${{ github.event.pull_request.base.ref }}" && exit 1
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -0,0 +1,33 @@
+name: windows-2019
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  schedule:
+    - cron: '0 10 * * *'
+  workflow_dispatch:
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  test-prepare:
+    uses: ./.github/workflows/.test-prepare.yml
+    needs:
+      - validate-dco
+
+  run:
+    needs:
+      - test-prepare
+    uses: ./.github/workflows/.windows.yml
+    secrets: inherit
+    strategy:
+      fail-fast: false
+      matrix:
+        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+    with:
+      os: windows-2019
+      storage: ${{ matrix.storage }}
+      send_coverage: false
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -1,22 +1,16 @@
 name: windows-2022

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

 on:
-  schedule:
-    - cron: '0 10 * * *'
  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+  pull_request:

 jobs:
  validate-dco:
@@ -28,7 +22,6 @@ jobs:
      - validate-dco

  run:
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - test-prepare
    uses: ./.github/workflows/.windows.yml
--- a/.github/workflows/windows-2025.yml
+++ b/.github/workflows/windows-2025.yml
@@ -1,47 +0,0 @@
-name: windows-2025
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:
-
-jobs:
-  validate-dco:
-    uses: ./.github/workflows/.dco.yml
-
-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
-  run:
-    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
-    needs:
-      - test-prepare
-    uses: ./.github/workflows/.windows.yml
-    secrets: inherit
-    strategy:
-      fail-fast: false
-      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
-    with:
-      os: windows-2025
-      storage: ${{ matrix.storage }}
-      send_coverage: false
--- a/.gitignore
+++ b/.gitignore
@@ -14,9 +14,10 @@ thumbs.db
 .editorconfig

 # build artifacts
-/bundles/
-/cli/winresources/dockerd/*.syso
-/cli/winresources/dockerd/winres.json
+bundles/
+cli/winresources/*/*.syso
+cli/winresources/*/winres.json
+contrib/builder/rpm/*/changelog

 # ci artifacts
 *.exe
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,350 +1,149 @@
-version: "2"
-
-run:
-  # prevent golangci-lint from deducting the go version to lint for through go.mod,
-  # which causes it to fallback to go1.17 semantics.
-  go: "1.24.9"
-  concurrency: 2
-  # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
-  # modules-download-mode: vendor
-
-formatters:
-  enable:
-    - gofmt
-    - goimports
-
 linters:
  enable:
-    - asasalint                 # Detects "[]any" used as argument for variadic "func(...any)".
-    - copyloopvar               # Detects places where loop variables are copied.
    - depguard
-    - dogsled                   # Detects assignments with too many blank identifiers.
-    - dupword                   # Detects duplicate words.
-    - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
-    - errorlint                 # Detects code that will cause problems with the error wrapping scheme introduced in Go 1.13.
-    - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
-    - exhaustive                # Detects missing options in enum switch statements.
-    - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
-    - fatcontext                # Detects nested contexts in loops and function literals.
-    - forbidigo
-    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
-    - gocritic                  # Detects for bugs, performance and style issues.
-    - gosec                     # Detects security problems.
+    - dupword         # Checks for duplicate words in the source code.
+    - goimports
+    - gosec
+    - gosimple
    - govet
-    - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
    - importas
    - ineffassign
-    - makezero                  # Finds slice declarations with non-zero initial length.
-    - mirror                    # Detects wrong mirror patterns of bytes/strings usage.
-    - misspell                  # Detects commonly misspelled English words in comments.
-    - nakedret                  # Detects uses of naked returns.
-    - nilnesserr                # Detects returning nil errors. It combines the features of nilness and nilerr,
-    - nosprintfhostport         # Detects misuse of Sprintf to construct a host with port in a URL.
-    - reassign                  # Detects reassigning a top-level variable in another package.
-    - revive                    # Metalinter; drop-in replacement for golint.
-    - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
+    - misspell
+    - revive
    - staticcheck
-    - thelper
-    - unconvert                 # Detects unnecessary type conversions.
+    - typecheck
+    - unconvert
    - unused
-    - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
-    - wastedassign              # Detects wasted assignment statements.

  disable:
    - errcheck
-    - spancheck # FIXME

-  settings:
-    depguard:
-      rules:
-        main:
-          deny:
-            - pkg: "github.com/stretchr/testify/assert"
-              desc: Use "gotest.tools/v3/assert" instead
-            - pkg: "github.com/stretchr/testify/require"
-              desc: Use "gotest.tools/v3/assert" instead
-            - pkg: "github.com/stretchr/testify/suite"
-              desc: Do not use
-            - pkg: "github.com/containerd/containerd/pkg/userns"
-              desc: Use github.com/moby/sys/userns instead.
-            - pkg: "github.com/tonistiigi/fsutil"
-              desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+  run:
+    concurrency: 2
+    modules-download-mode: vendor

-    dupword:
-      ignore:
-        - "true"    # some tests use this as expected output
-        - "false"   # some tests use this as expected output
-        - "root"    # for tests using "ls" output with files owned by "root:root"
+    skip-dirs:
+      - docs

-    errorlint:
-      # Check whether fmt.Errorf uses the %w verb for formatting errors.
-      # See the https://github.com/polyfloyd/go-errorlint for caveats.
-      errorf: false
-      # Check for plain type assertions and type switches.
-      asserts: false
+linters-settings:
+  dupword:
+    ignore:
+      - "true"    # some tests use this as expected output
+      - "false"   # some tests use this as expected output
+      - "root"    # for tests using "ls" output with files owned by "root:root"
+  importas:
+    # Do not allow unaliased imports of aliased packages.
+    no-unaliased: true

-    exhaustive:
-      # Program elements to check for exhaustiveness.
-      # Default: [ switch ]
-      check:
-        - switch
-        # - map # TODO(thaJeztah): also enable for maps
-      # Presence of "default" case in switch statements satisfies exhaustiveness,
-      # even if all enum members are not listed.
-      # Default: false
-      #
-      # TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
-      default-signifies-exhaustive: true
-
-    forbidigo:
-      forbid:
-        - pkg: ^sync/atomic$
-          pattern: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
-          msg: Go 1.19 atomic types should be used instead.
-        - pkg: ^regexp$
-          pattern: ^regexp\.MustCompile
-          msg: Use internal/lazyregexp.New instead.
-        - pkg: github.com/vishvananda/netlink$
-          pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
-          msg: Use internal nlwrap package for EINTR handling.
-        - pkg: github.com/docker/docker/internal/nlwrap$
-          pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
-          msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
-      analyze-types: true
-
-    gocritic:
-      disabled-checks:
-        - appendAssign
-        - appendCombine
-        - assignOp
-        - builtinShadow
-        - builtinShadowDecl
-        - captLocal
-        - commentedOutCode
-        - deferInLoop
-        - dupImport
-        - dupSubExpr
-        - elseif
-        - emptyFallthrough
-        - equalFold
-        - evalOrder
-        - exitAfterDefer
-        - exposedSyncMutex
-        - filepathJoin
-        - hexLiteral
-        - hugeParam
-        - ifElseChain
-        - importShadow
-        - indexAlloc
-        - methodExprCall
-        - nestingReduce
-        - nilValReturn
-        - octalLiteral
-        - paramTypeCombine
-        - preferStringWriter
-        - ptrToRefParam
-        - rangeValCopy
-        - redundantSprint
-        - regexpMust
-        - regexpSimplify
-        - singleCaseSwitch
-        - sloppyReassign
-        - stringXbytes
-        - typeAssertChain
-        - typeDefFirst
-        - typeUnparen
-        - uncheckedInlineErr
-        - unlambda
-        - unnamedResult
-        - unnecessaryDefer
-        - unslice
-        - valSwap
-        - whyNoLint
-      enable-all: true
-
-    gosec:
-      excludes:
-        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
-        - G204 # G204: Subprocess launched with variable; too many false positives.
-        - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
-        - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
-        - G304 # G304: Potential file inclusion via variable.
-        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-        - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
-
-    govet:
-      enable-all: true
-      disable:
-        - fieldalignment # TODO: evaluate which ones should be updated.
-
-    importas:
-      # Do not allow unaliased imports of aliased packages.
-      no-unaliased: true
-
-      alias:
-          # Enforce alias to prevent it accidentally being used instead of our
-          # own errdefs package (or vice-versa).
-        - pkg: github.com/containerd/errdefs
-          alias: cerrdefs
-        - pkg: github.com/containerd/containerd/images
-          alias: c8dimages
-        - pkg: github.com/opencontainers/image-spec/specs-go/v1
-          alias: ocispec
-        - pkg: go.etcd.io/bbolt
-          alias: bolt
-          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
-        - pkg: gotest.tools/v3/assert/cmp
-          alias: is
-
-    nakedret:
-      # Disallow naked returns if func has more lines of code than this setting.
-      # Default: 30
-      max-func-lines: 0
-
-    revive:
-      rules:
-          # FIXME make sure all packages have a description. Currently, there's many packages without.
-        - name: package-comments
-          disabled: true
-
-    staticcheck:
-      checks:
-        - all
-        - -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
-        - -ST1000 # Incorrect or missing package comment; https://staticcheck.dev/docs/checks/#ST1000
-        - -ST1003 # Poorly chosen identifier; https://staticcheck.dev/docs/checks/#ST1003
-        - -ST1005 # Incorrectly formatted error string; https://staticcheck.dev/docs/checks/#ST1005
-
-    spancheck:
-      # Default: ["end"]
-      checks:
-        - end             # check that `span.End()` is called
-        - record-error    # check that `span.RecordError(err)` is called when an error is returned
-        - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
-
-    thelper:
-      test:
-        # Check *testing.T is first param (or after context.Context) of helper function.
-        first: false
-        # Check t.Helper() begins helper function.
-        begin: false
-      benchmark:
-        # Check *testing.B is first param (or after context.Context) of helper function.
-        first: false
-        # Check b.Helper() begins helper function.
-        begin: false
-      tb:
-        # Check *testing.TB is first param (or after context.Context) of helper function.
-        first: false
-        # Check *testing.TB param has name tb.
-        name: false
-        # Check tb.Helper() begins helper function.
-        begin: false
-      fuzz:
-        # Check *testing.F is first param (or after context.Context) of helper function.
-        first: false
-        # Check f.Helper() begins helper function.
-        begin: false
-
-    usestdlibvars:
-      # Suggest the use of http.MethodXX.
-      http-method: true
-      # Suggest the use of http.StatusXX.
-      http-status-code: true
-
-  exclusions:
-    paths:
-      - volume/drivers/proxy.go # TODO: this is a generated file but with an invalid header, see https://github.com/moby/moby/pull/46274
+    alias:
+      # Enforce alias to prevent it accidentally being used instead of our
+      # own errdefs package (or vice-versa).
+      - pkg: github.com/containerd/errdefs
+        alias: cerrdefs
+      - pkg: github.com/opencontainers/image-spec/specs-go/v1
+        alias: ocispec

+  govet:
+    check-shadowing: false
+  depguard:
    rules:
-        # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
-        # automatically inherited. We can decide whether or not to follow upstream
-        # defaults when updating golang-ci-lint versions.
-        # Unfortunately, this means we have to copy the whole exclusion pattern, as
-        # (unlike the "include" option), the "exclude" option does not take exclusion
-        # ID's.
-        #
-        # These exclusion patterns are copied from the default excludes at:
-        # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
-        #
-        # The default list of exclusions can be found at:
-        # https://golangci-lint.run/usage/false-positives/#default-exclusions
-
-        # Exclude some linters from running on tests files.
-      - path: _test\.go
-        linters:
-          - errcheck
-
-      - text: "G404: Use of weak random number generator"
-        path: _test\.go
-        linters:
-          - gosec
-
-        # Suppress golint complaining about generated types in api/types/
-      - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
-        path: "api/types/(volume|container)/"
-        linters:
-          - revive
-
-        # FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
-      - text: "assigned to ctx, but never used afterwards"
-        linters:
-          - wastedassign
-
-      - text: "ineffectual assignment to ctx"
-        source: "ctx[, ].*=.*\\(ctx[,)]"
-        linters:
-          - ineffassign
-
-      - text: "SA4006: this value of ctx is never used"
-        source: "ctx[, ].*=.*\\(ctx[,)]"
-        linters:
-          - staticcheck
-
-        # FIXME(thaJeztah): ignoring these transitional utilities until BuildKit is vendored with https://github.com/moby/moby/pull/49743
-      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping|IdentityMapping) is deprecated"
-        linters:
-          - staticcheck
-
-        # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
-        # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
-      - text: 'nested context in function literal'
-        path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
-        linters:
-          - fatcontext
-
-      - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
-        linters:
-          - govet
-      - text: '^shadow: declaration of "(out)" shadows declaration'
-        path: _test\.go
-        linters:
-          - govet
-      - text: 'use of `regexp.MustCompile` forbidden'
-        path: _test\.go
-        linters:
-          - forbidigo
-      - text: 'use of `regexp.MustCompile` forbidden'
-        path: "internal/lazyregexp"
-        linters:
-          - forbidigo
-      - text: 'use of `regexp.MustCompile` forbidden'
-        path: "libnetwork/cmd/networkdb-test/dbclient"
-        linters:
-          - forbidigo
-      
-      # Ignore deprecated disk usage type warnings which will be moved internal to the daemon backend in the next major release.
-      - text: "SA1019: ((buildtypes|build).CacheDiskUsage|(container|containertypes|image|volume|volumetypes).DiskUsage) is deprecated"
-        linters:
-          - staticcheck
-
-    # Log a warning if an exclusion rule is unused.
-    # Default: false
-    warn-unused: true
-
+      main:
+        deny:
+          - pkg: io/ioutil
+            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
+          - pkg: "github.com/stretchr/testify/assert"
+            desc: Use "gotest.tools/v3/assert" instead
+          - pkg: "github.com/stretchr/testify/require"
+            desc: Use "gotest.tools/v3/assert" instead
+          - pkg: "github.com/stretchr/testify/suite"
+            desc: Do not use
+          - pkg: github.com/containerd/containerd/errdefs
+            desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
+          - pkg: github.com/containerd/containerd/log
+            desc: The logs package has moved to a separate module, https://github.com/containerd/log
+  revive:
+    rules:
+      # FIXME make sure all packages have a description. Currently, there's many packages without.
+      - name: package-comments
+        disabled: true
 issues:
+  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
+  exclude-use-default: false
+
+  exclude-rules:
+    # We prefer to use an "exclude-list" so that new "default" exclusions are not
+    # automatically inherited. We can decide whether or not to follow upstream
+    # defaults when updating golang-ci-lint versions.
+    # Unfortunately, this means we have to copy the whole exclusion pattern, as
+    # (unlike the "include" option), the "exclude" option does not take exclusion
+    # ID's.
+    #
+    # These exclusion patterns are copied from the default excluses at:
+    # https://github.com/golangci/golangci-lint/blob/v1.46.2/pkg/config/issues.go#L10-L104
+
+    # EXC0001
+    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
+      linters:
+        - errcheck
+    # EXC0006
+    - text: "Use of unsafe calls should be audited"
+      linters:
+        - gosec
+    # EXC0007
+    - text: "Subprocess launch(ed with variable|ing should be audited)"
+      linters:
+        - gosec
+    # EXC0008
+    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
+    - text: "(G104|G307)"
+      linters:
+        - gosec
+    # EXC0009
+    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+      linters:
+        - gosec
+    # EXC0010
+    - text: "Potential file inclusion via variable"
+      linters:
+        - gosec
+
+    # Looks like the match in "EXC0007" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
+      linters:
+        - gosec
+    # Looks like the match in "EXC0009" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G306: Expect WriteFile permissions to be 0600 or less"
+      linters:
+        - gosec
+
+    # Exclude some linters from running on tests files.
+    - path: _test\.go
+      linters:
+        - errcheck
+        - gosec
+
+    # Suppress golint complaining about generated types in api/types/
+    - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
+      path: "api/types/(volume|container)/"
+      linters:
+        - revive
+    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
+    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
+      linters:
+        - staticcheck
+
+    - text: "ineffectual assignment to ctx"
+      source: "ctx[, ].*=.*\\(ctx[,)]"
+      linters:
+        - ineffassign
+
+    - text: "SA4006: this value of `ctx` is never used"
+      source: "ctx[, ].*=.*\\(ctx[,)]"
+      linters:
+        - staticcheck
+
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-issues-per-linter: 0

--- a/.mailmap
+++ b/.mailmap
@@ -94,9 +94,6 @@ Arnaud Rebillout <arnaud.rebillout@collabora.com>
 Arnaud Rebillout <arnaud.rebillout@collabora.com> <elboulangero@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Artur Meyster <arthurfbi@yahoo.com>
-Austin Vazquez <austin.vazquez.dev@gmail.com>
-Austin Vazquez <austin.vazquez.dev@gmail.com> <55906459+austinvazquez@users.noreply.github.com>
-Austin Vazquez <austin.vazquez.dev@gmail.com> <macedonv@amazon.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -139,7 +136,6 @@ Chen Mingjie <chenmingjie0828@163.com>
 Chen Qiu <cheney-90@hotmail.com>
 Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
 Chengfei Shang <cfshang@alauda.io>
-Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
@@ -511,7 +507,6 @@ Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
 Moysés Borges <moysesb@gmail.com>
 Moysés Borges <moysesb@gmail.com> <moyses.furtado@wplex.com.br>
 mrfly <mr.wrfly@gmail.com> <wrfly@users.noreply.github.com>
-Myeongjoon Kim <kimmj8409@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Natasha Jarus <linuxmercedes@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
@@ -534,8 +529,6 @@ Ouyang Liduo <oyld0210@163.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
-Paweł Gronowski <pawel.gronowski@docker.com>
-Paweł Gronowski <pawel.gronowski@docker.com> <me@woland.xyz>
 Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
 Pawel Konczalski <mail@konczalski.de>
 Peter Choi <phkchoi89@gmail.com> <reikani@Peters-MacBook-Pro.local>
@@ -563,8 +556,6 @@ Robert Terhaar <rterhaar@atlanticdynamic.com> <robbyt@users.noreply.github.com>
 Roberto G. Hashioka <roberto.hashioka@docker.com> <roberto_hashioka@hotmail.com>
 Roberto Muñoz Fernández <robertomf@gmail.com> <roberto.munoz.fernandez.contractor@bbva.com>
 Robin Thoni <robin@rthoni.com>
-Rodrigo Campos <rodrigoca@microsoft.com>
-Rodrigo Campos <rodrigoca@microsoft.com> <rodrigo@kinvolk.io>
 Roman Dudin <katrmr@gmail.com> <decadent@users.noreply.github.com>
 Rong Zhang <rongzhang@alauda.io>
 Rongxiang Song <tinysong1226@gmail.com>
--- a/44
+++ b/44
@@ -2,10 +2,7 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.

-17neverends <ionianrise@gmail.com>
-7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
-Aarni Koskela <akx@iki.fi>
 Aaron Davidson <aaron@databricks.com>
 Aaron Feng <aaron.feng@gmail.com>
 Aaron Hnatiw <aaron@griddio.com>
@@ -14,7 +11,6 @@ Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
 Aaron Welch <welch@packet.net>
 Aaron Yoshitake <airandfingers@gmail.com>
-Abdur Rehman <abdur_rehman@mentor.com>
 Abel Muiño <amuino@gmail.com>
 Abhijeet Kasurde <akasurde@redhat.com>
 Abhinandan Prativadi <aprativadi@gmail.com>
@@ -28,11 +24,9 @@ Adam Avilla <aavilla@yp.com>
 Adam Dobrawy <naczelnik@jawnosc.tk>
 Adam Eijdenberg <adam.eijdenberg@gmail.com>
 Adam Kunk <adam.kunk@tiaa-cref.org>
-Adam Lamers <adam.lamers@wmsdev.pl>
 Adam Miller <admiller@redhat.com>
 Adam Mills <adam@armills.info>
 Adam Pointer <adam.pointer@skybettingandgaming.com>
-Adam Simon <adamsimon85100@gmail.com>
 Adam Singer <financeCoding@gmail.com>
 Adam Thornton <adam.thornton@maryville.com>
 Adam Walz <adam@adamwalz.net>
@@ -125,7 +119,6 @@ amangoel <amangoel@gmail.com>
 Amen Belayneh <amenbelayneh@gmail.com>
 Ameya Gawde <agawde@mirantis.com>
 Amir Goldstein <amir73il@aquasec.com>
-AmirBuddy <badinlu.amirhossein@gmail.com>
 Amit Bakshi <ambakshi@gmail.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
@@ -175,7 +168,6 @@ Andrey Kolomentsev <andrey.kolomentsev@docker.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
 André Martins <aanm90@gmail.com>
-Andrés Maldonado <maldonado@codelutin.com>
 Andy Chambers <anchambers@paypal.com>
 andy diller <dillera@gmail.com>
 Andy Goldstein <agoldste@redhat.com>
@@ -190,7 +182,6 @@ Anes Hasicic <anes.hasicic@gmail.com>
 Angel Velazquez <angelcar@amazon.com>
 Anil Belur <askb23@gmail.com>
 Anil Madhavapeddy <anil@recoil.org>
-Anirudh Aithal <aithal@amazon.com>
 Ankit Jain <ajatkj@yahoo.co.in>
 Ankush Agarwal <ankushagarwal11@gmail.com>
 Anonmily <michelle@michelleliu.io>
@@ -228,8 +219,7 @@ Artur Meyster <arthurfbi@yahoo.com>
 Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
-Ashly Mathew <ashly.mathew@sap.com>
-Austin Vazquez <austin.vazquez.dev@gmail.com>
+Austin Vazquez <macedonv@amazon.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
@@ -295,7 +285,6 @@ Brandon Liu <bdon@bdon.org>
 Brandon Philips <brandon.philips@coreos.com>
 Brandon Rhodes <brandon@rhodesmill.org>
 Brendan Dixon <brendand@microsoft.com>
-Brendon Smith <bws@bws.bio>
 Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Brett Higgins <brhiggins@arbor.net>
@@ -350,14 +339,12 @@ Casey Bisson <casey.bisson@joyent.com>
 Catalin Pirvu <pirvu.catalin94@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
-Cesar Talledo <cesar.talledo@docker.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
 Chad Swenson <chadswen@gmail.com>
 Chance Zibolski <chance.zibolski@gmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chanhun Jeong <keyolk@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
-Charity Kathure <ckathure@microsoft.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Hooper <charles.hooper@dotcloud.com>
 Charles Law <claw@conduce.com>
@@ -379,7 +366,6 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
-Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
@@ -494,7 +480,6 @@ Daniel Farrell <dfarrell@redhat.com>
 Daniel Garcia <daniel@danielgarcia.info>
 Daniel Gasienica <daniel@gasienica.ch>
 Daniel Grunwell <mwgrunny@gmail.com>
-Daniel Guns <danbguns@gmail.com>
 Daniel Helfand <helfand.4@gmail.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel J Walsh <dwalsh@redhat.com>
@@ -778,7 +763,6 @@ Frank Macreery <frank@macreery.com>
 Frank Rosquin <frank.rosquin+github@gmail.com>
 Frank Villaro-Dixon <frank.villarodixon@merkle.com>
 Frank Yang <yyb196@gmail.com>
-François Scala <github@arcenik.net>
 Fred Lifton <fred.lifton@docker.com>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederico F. de Oliveira <FreddieOliveira@users.noreply.github.com>
@@ -814,7 +798,6 @@ GennadySpb <lipenkov@gmail.com>
 Geoff Levand <geoff@infradead.org>
 Geoffrey Bachelet <grosfrais@gmail.com>
 Geon Kim <geon0250@gmail.com>
-George Adams <georgeadams1995@gmail.com>
 George Kontridze <george@bugsnag.com>
 George Ma <mayangang@outlook.com>
 George MacRorie <gmacr31@gmail.com>
@@ -843,7 +826,6 @@ Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gosuke Miyashita <gosukenator@gmail.com>
 Gou Rao <gou@portworx.com>
 Govinda Fichtner <govinda.fichtner@googlemail.com>
-Grace Choi <grace.54109@gmail.com>
 Grant Millar <rid@cylo.io>
 Grant Reaber <grant.reaber@gmail.com>
 Graydon Hoare <graydon@pobox.com>
@@ -984,7 +966,6 @@ James Nugent <james@jen20.com>
 James Sanders <james3sanders@gmail.com>
 James Turnbull <james@lovedthanlost.net>
 James Watkins-Harvey <jwatkins@progi-media.com>
-Jameson Hyde <jameson.hyde@docker.com>
 Jamie Hannaford <jamie@limetree.org>
 Jamshid Afshar <jafshar@yahoo.com>
 Jan Breig <git@pygos.space>
@@ -1083,16 +1064,13 @@ Jim Perrin <jperrin@centos.org>
 Jimmy Cuadra <jimmy@jimmycuadra.com>
 Jimmy Puckett <jimmy.puckett@spinen.com>
 Jimmy Song <rootsongjc@gmail.com>
-jinjiadu <jinjiadu@aliyun.com>
 Jinsoo Park <cellpjs@gmail.com>
 Jintao Zhang <zhangjintao9020@gmail.com>
 Jiri Appl <jiria@microsoft.com>
 Jiri Popelka <jpopelka@redhat.com>
 Jiuyue Ma <majiuyue@huawei.com>
 Jiří Župka <jzupka@redhat.com>
-jjimbo137 <115816493+jjimbo137@users.noreply.github.com>
 Joakim Roubert <joakim.roubert@axis.com>
-Joan Grau <grautxo.dev@proton.me>
 Joao Fernandes <joao.fernandes@docker.com>
 Joao Trindade <trindade.joao@gmail.com>
 Joe Beda <joe.github@bedafamily.com>
@@ -1177,7 +1155,6 @@ Josiah Kiehl <jkiehl@riotgames.com>
 José Tomás Albornoz <jojo@eljojo.net>
 Joyce Jang <mail@joycejang.com>
 JP <jpellerin@leapfrogonline.com>
-JSchltggr <jschltggr@gmail.com>
 Julian Taylor <jtaylor.debian@googlemail.com>
 Julien Barbier <write0@gmail.com>
 Julien Bisconti <veggiemonk@users.noreply.github.com>
@@ -1212,7 +1189,6 @@ K. Heller <pestophagous@gmail.com>
 Kai Blin <kai@samba.org>
 Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
 Kaijie Chen <chen@kaijie.org>
-Kaita Nakamura <kaita.nakamura0830@gmail.com>
 Kamil Domański <kamil@domanski.co>
 Kamjar Gerami <kami.gerami@gmail.com>
 Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
@@ -1287,7 +1263,6 @@ Krasi Georgiev <krasi@vip-consult.solutions>
 Krasimir Georgiev <support@vip-consult.co.uk>
 Kris-Mikael Krister <krismikael@protonmail.com>
 Kristian Haugene <kristian.haugene@capgemini.com>
-Kristian Heljas <kristian@kristian.ee>
 Kristina Zabunova <triara.xiii@gmail.com>
 Krystian Wojcicki <kwojcicki@sympatico.ca>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
@@ -1314,7 +1289,6 @@ Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Bernaille <laurent.bernaille@datadoghq.com>
 Laurent Erignoux <lerignoux@gmail.com>
-Laurent Goderre <laurent.goderre@docker.com>
 Laurie Voss <github@seldo.com>
 Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
@@ -1395,7 +1369,6 @@ Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
 Madhav Puri <madhav.puri@gmail.com>
 Madhu Venugopal <mavenugo@gmail.com>
 Mageee <fangpuyi@foxmail.com>
-maggie44 <64841595+maggie44@users.noreply.github.com>
 Mahesh Tiyyagura <tmahesh@gmail.com>
 malnick <malnick@gmail..com>
 Malte Janduda <mail@janduda.net>
@@ -1489,7 +1462,6 @@ Matthias Kühnle <git.nivoc@neverbox.com>
 Matthias Rampke <mr@soundcloud.com>
 Matthieu Fronton <m@tthieu.fr>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
-Matthieu MOREL <matthieu.morel35@gmail.com>
 Mattias Jernberg <nostrad@gmail.com>
 Mauricio Garavaglia <mauricio@medallia.com>
 mauriyouth <mauriyouth@gmail.com>
@@ -1607,7 +1579,6 @@ Muayyad Alsadi <alsadi@gmail.com>
 Muhammad Zohaib Aslam <zohaibse011@gmail.com>
 Mustafa Akın <mustafa91@gmail.com>
 Muthukumar R <muthur@gmail.com>
-Myeongjoon Kim <kimmj8409@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
 Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
 Nace Oroz <orkica@gmail.com>
@@ -1622,7 +1593,6 @@ Natasha Jarus <linuxmercedes@gmail.com>
 Nate Brennand <nate.brennand@clever.com>
 Nate Eagleson <nate@nateeag.com>
 Nate Jones <nate@endot.org>
-Nathan Baulch <nathan.baulch@gmail.com>
 Nathan Carlson <carl4403@umn.edu>
 Nathan Herald <me@nathanherald.com>
 Nathan Hsieh <hsieh.nathan@gmail.com>
@@ -1685,7 +1655,6 @@ Nuutti Kotivuori <naked@iki.fi>
 nzwsch <hi@nzwsch.com>
 O.S. Tezer <ostezer@gmail.com>
 objectified <objectified@gmail.com>
-Octol1ttle <l1ttleofficial@outlook.com>
 Odin Ugedal <odin@ugedal.com>
 Oguz Bilgic <fisyonet@gmail.com>
 Oh Jinkyun <tintypemolly@gmail.com>
@@ -1720,7 +1689,6 @@ Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
-Patrik Leifert <patrikleifert@hotmail.com>
 pattichen <craftsbear@gmail.com>
 Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
 Paul <paul9869@gmail.com>
@@ -1795,7 +1763,6 @@ Pierre Carrier <pierre@meteor.com>
 Pierre Dal-Pra <dalpra.pierre@gmail.com>
 Pierre Wacrenier <pierre.wacrenier@gmail.com>
 Pierre-Alain RIVIERE <pariviere@ippon.fr>
-pinglanlu <pinglanlu@outlook.com>
 Piotr Bogdan <ppbogdan@gmail.com>
 Piotr Karbowski <piotr.karbowski@protonmail.ch>
 Porjo <porjo38@yahoo.com.au>
@@ -1823,7 +1790,6 @@ Quentin Tayssier <qtayssier@gmail.com>
 r0n22 <cameron.regan@gmail.com>
 Rachit Sharma <rachitsharma613@gmail.com>
 Radostin Stoyanov <rstoyanov1@gmail.com>
-Rafael Fernández López <ereslibre@ereslibre.es>
 Rafal Jeczalik <rjeczalik@gmail.com>
 Rafe Colton <rafael.colton@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
@@ -1879,7 +1845,6 @@ Robert Obryk <robryk@gmail.com>
 Robert Schneider <mail@shakeme.info>
 Robert Shade <robert.shade@gmail.com>
 Robert Stern <lexandro2000@gmail.com>
-Robert Sturla <robertsturla@outlook.com>
 Robert Terhaar <rterhaar@atlanticdynamic.com>
 Robert Wallis <smilingrob@gmail.com>
 Robert Wang <robert@arctic.tw>
@@ -1891,7 +1856,7 @@ Robin Speekenbrink <robin@kingsquare.nl>
 Robin Thoni <robin@rthoni.com>
 robpc <rpcann@gmail.com>
 Rodolfo Carvalho <rhcarvalho@gmail.com>
-Rodrigo Campos <rodrigoca@microsoft.com>
+Rodrigo Campos <rodrigo@kinvolk.io>
 Rodrigo Vaz <rodrigo.vaz@gmail.com>
 Roel Van Nyen <roel.vannyen@gmail.com>
 Roger Peppe <rogpeppe@gmail.com>
@@ -2030,7 +1995,6 @@ Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
 Shane da Silva <shane@dasilva.io>
 Shaun Kaasten <shaunk@gmail.com>
-Shaun Thompson <shaun.thompson@docker.com>
 shaunol <shaunol@gmail.com>
 Shawn Landden <shawn@churchofgit.com>
 Shawn Siefkas <shawn.siefkas@meredith.com>
@@ -2049,7 +2013,6 @@ Shijun Qin <qinshijun16@mails.ucas.ac.cn>
 Shishir Mahajan <shishir.mahajan@redhat.com>
 Shoubhik Bose <sbose78@gmail.com>
 Shourya Sarcar <shourya.sarcar@gmail.com>
-Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
 Shu-Wai Chow <shu-wai.chow@seattlechildrens.org>
 shuai-z <zs.broccoli@gmail.com>
 Shukui Yang <yangshukui@huawei.com>
@@ -2137,7 +2100,6 @@ Sébastien Stormacq <sebsto@users.noreply.github.com>
 Sören Tempel <soeren+git@soeren-tempel.net>
 Tabakhase <mail@tabakhase.com>
 Tadej Janež <tadej.j@nez.si>
-Tadeusz Dudkiewicz <tadeusz.dudkiewicz@rtbhouse.com>
 Takuto Sato <tockn.jp@gmail.com>
 tang0th <tang0th@gmx.com>
 Tangi Colin <tangicolin@gmail.com>
@@ -2145,7 +2107,6 @@ Tatsuki Sugiura <sugi@nemui.org>
 Tatsushi Inagaki <e29253@jp.ibm.com>
 Taylan Isikdemir <taylani@google.com>
 Taylor Jones <monitorjbl@gmail.com>
-tcpdumppy <847462026@qq.com>
 Ted M. Young <tedyoung@gmail.com>
 Tehmasp Chaudhri <tehmasp@gmail.com>
 Tejaswini Duggaraju <naduggar@microsoft.com>
@@ -2430,7 +2391,6 @@ You-Sheng Yang (楊有勝) <vicamo@gmail.com>
 youcai <omegacoleman@gmail.com>
 Youcef YEKHLEF <yyekhlef@gmail.com>
 Youfu Zhang <zhangyoufu@gmail.com>
-YR Chen <stevapple@icloud.com>
 Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -83,39 +83,6 @@ contributions, see [the advanced contribution
 section](https://docs.docker.com/opensource/workflow/advanced-contributing/) in
 the contributors guide.

-### Where to put your changes
-
-You can make changes to any Go package within Moby outside of the vendor directory. There are no
-restrictions on packages but a few guidelines to follow for deciding on making these changes.
-When adding new packages, first consider putting them in an internal directory to prevent
-unintended importing from other modules. Code changes should either go under `api`, `client`,
-or `daemon` modules, or one of the integration test directories.
-
-Try to put a new package under the appropriate directories. The root directory is reserved for
-configuration and build files, no source files will be accepted in the root.
-
- `api` - All types shared by client and daemon along with swagger definitions.
- `client` - All Go files for the docker client
- `contrib` - Files, configurations, and packages related to external tools or libraries
- `daemon` - All Go files and packages for building the daemon
- `docs` - All Moby technical documentation using markdown
- `hack` - All scripts used for testing, development, and CI
- `integration` - Testing the integration of the API, client, and daemon
- `integration-cli` - Deprecated integration tests of the docker cli with the daemon, no new tests allowed
- `pkg` - Legacy Go packages used externally, no new packages should be added here
- `project` - All files related to Moby project governance
- `vendor` - Autogenerated vendor files from `make vendor` command, do not manually edit files here
-
-The daemon module has many subpackages. Consider putting new packages under one of these
-directories.
-
- `daemon/cmd` - All Go main packages and the packages used only for that main package
- `daemon/internal` - All utility packages used by daemon and not intended for external use
- `daemon/man`- All Moby reference manuals used for the `man` command
- `daemon/plugins` - All included daemon plugins which are intended to be registered via init
- `daemon/pkg` - All libraries used by daemon and for integration testing
- `daemon/version` - Version package with the current daemon version
-
 ### Connect with other Moby Project contributors

 <table class="tg">
--- a/179
+++ b/179
@@ -1,46 +1,32 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1.7

-ARG GO_VERSION=1.24.9
+ARG GO_VERSION=1.21.11
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.6.1
+ARG XX_VERSION=1.4.0

-# VPNKIT_VERSION is the version of the vpnkit binary which is used as a fallback
-# network driver for rootless.
-ARG VPNKIT_VERSION=0.6.0
+ARG VPNKIT_VERSION=0.5.0

-# DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.2.2
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-
+ARG DOCKERCLI_VERSION=v27.0.2
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_INTEGRATION_VERSION=v18.06.3-ce
-
-# BUILDX_VERSION is the version of buildx to install in the dev container.
-ARG BUILDX_VERSION=0.24.0
-
-# COMPOSE_VERSION is the version of compose to install in the dev container.
-ARG COMPOSE_VERSION=v2.36.2
+ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
+ARG BUILDX_VERSION=0.15.1
+ARG COMPOSE_VERSION=v2.28.1

 ARG SYSTEMD="false"
-ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1

 # REGISTRY_VERSION specifies the version of the registry to download from
 # https://hub.docker.com/r/distribution/distribution. This version of
 # the registry is used to test schema 2 manifests. Generally,  the version
 # specified here should match a current release.
-ARG REGISTRY_VERSION=3.0.0
+ARG REGISTRY_VERSION=2.8.3

 # delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel.go#L1
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel_linux.go#L1
-#
-# ppc64le support was added in v1.21.1, but is still experimental, and requires
-# the "-tags exp.linuxppc64le" build-tag to be set:
-# https://github.com/go-delve/delve/commit/71f12207175a1cc09668f856340d8a543c87dcca
-ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/ppc64le}
+# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
+ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:+"unsupported"}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:-"supported"}

@@ -57,11 +43,6 @@ COPY --from=build-dummy /build /build
 # base
 FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
 COPY --from=xx / /
-# Disable collecting local telemetry, as collected by Go and Delve;
-#
-# - https://github.com/go-delve/delve/blob/v1.24.1/CHANGELOG.md#1231-2024-09-23
-# - https://go.dev/doc/telemetry#background
-RUN go telemetry off && [ "$(go telemetry)" = "off" ] || { echo "Failed to disable Go telemetry"; exit 1; }
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN apt-get update && apt-get install --no-install-recommends -y file
 ENV GO111MODULE=off
@@ -78,8 +59,41 @@ RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
        && /build/criu --version

 # registry
-FROM distribution/distribution:$REGISTRY_VERSION AS registry
-RUN mkdir /build && mv /bin/registry /build/registry
+FROM base AS registry-src
+WORKDIR /usr/src/registry
+RUN git init . && git remote add origin "https://github.com/distribution/distribution.git"
+
+FROM base AS registry
+WORKDIR /go/src/github.com/docker/distribution
+
+# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
+# install from the https://github.com/docker/distribution repository. This is
+# an older (pre v2.3.0) version of the registry that only supports schema1
+# manifests. This version of the registry is not working on arm64, so installation
+# is skipped on that architecture.
+ARG REGISTRY_VERSION_SCHEMA1=v2.1.0
+ARG TARGETPLATFORM
+RUN --mount=from=registry-src,src=/usr/src/registry,rw \
+    --mount=type=cache,target=/root/.cache/go-build,id=registry-build-$TARGETPLATFORM \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=tmpfs,target=/go/src <<EOT
+  set -ex
+  export GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"
+  # Make the /build directory no matter what so that it doesn't fail on arm64 or
+  # any other platform where we don't build this registry
+  mkdir /build
+  case $TARGETPLATFORM in
+    linux/amd64|linux/arm/v7|linux/ppc64le|linux/s390x)
+      git fetch -q --depth 1 origin "${REGISTRY_VERSION_SCHEMA1}" +refs/tags/*:refs/tags/*
+      git checkout -q FETCH_HEAD
+      CGO_ENABLED=0 xx-go build -o /build/registry-v2-schema1 -v ./cmd/registry
+      xx-verify /build/registry-v2-schema1
+      ;;
+  esac
+EOT
+
+FROM distribution/distribution:$REGISTRY_VERSION AS registry-v2
+RUN mkdir /build && mv /bin/registry /build/registry-v2

 # go-swagger
 FROM base AS swagger-src
@@ -123,9 +137,7 @@ RUN /download-frozen-image-v2.sh /build \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
-        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 \
-        hello-world:amd64@sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 \
-        hello-world:arm64@sha256:963612c5503f3f1674f315c67089dee577d8cc6afc18565e0b4183ae355fb343
+        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1

 # delve
 FROM base AS delve-src
@@ -135,7 +147,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.24.1
+ARG DELVE_VERSION=v1.21.1
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS delve-supported
@@ -152,6 +164,19 @@ EOT
 FROM binary-dummy AS delve-unsupported
 FROM delve-${DELVE_SUPPORTED} AS delve

+FROM base AS tomll
+# GOTOML_VERSION specifies the version of the tomll binary to build and install
+# from the https://github.com/pelletier/go-toml repository. This binary is used
+# in CI in the hack/validate/toml script.
+#
+# When updating this version, consider updating the github.com/pelletier/go-toml
+# dependency in vendor.mod accordingly.
+ARG GOTOML_VERSION=v1.8.1
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+        GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
+     && /build/tomll --help
+
 FROM base AS gowinres
 # GOWINRES_VERSION defines go-winres tool version
 ARG GOWINRES_VERSION=v0.3.1
@@ -171,7 +196,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.29
+ARG CONTAINERD_VERSION=v1.7.18
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -181,6 +206,8 @@ RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
            gcc \
+            libbtrfs-dev \
+            libsecret-1-dev \
            pkg-config
 ARG DOCKER_STATIC
 RUN --mount=from=containerd-src,src=/usr/src/containerd,rw \
@@ -202,15 +229,14 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd

 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v2.1.5
+ARG GOLANGCI_LINT_VERSION=v1.59.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

 FROM base AS gotestsum
-# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
-ARG GOTESTSUM_VERSION=v1.12.3
+ARG GOTESTSUM_VERSION=v1.8.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
@@ -239,8 +265,7 @@ RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
        rm -f ./.git/*.lock \
     && /download-or-build-cli.sh ${DOCKERCLI_VERSION} ${DOCKERCLI_REPOSITORY} /build \
-     && /build/docker --version \
-     && /build/docker completion bash >/completion.bash
+     && /build/docker --version

 FROM base AS dockercli-integration
 WORKDIR /go/src/github.com/docker/cli
@@ -260,8 +285,9 @@ WORKDIR /usr/src/runc
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
 # RUNC_VERSION should match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged.
-ARG RUNC_VERSION=v1.3.3
+# project first, and update both after that is merged. When updating RUNC_VERSION,
+# consider updating runc in vendor.mod accordingly.
+ARG RUNC_VERSION=v1.1.13
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -270,6 +296,7 @@ ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-runc-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-runc-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
+            dpkg-dev \
            gcc \
            libc6-dev \
            libseccomp-dev \
@@ -329,7 +356,7 @@ FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
 # When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
-ARG ROOTLESSKIT_VERSION=v2.3.4
+ARG ROOTLESSKIT_VERSION=v2.0.2
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
@@ -350,6 +377,8 @@ RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
  export CGO_ENABLED=$([ "$DOCKER_STATIC" = "1" ] && echo "0" || echo "1")
  xx-go build -o /build/rootlesskit -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit
+  xx-go build -o /build/rootlesskit-docker-proxy -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit-docker-proxy
+  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit-docker-proxy
 EOT
 COPY --link ./contrib/dockerd-rootless.sh /build/
 COPY --link ./contrib/dockerd-rootless-setuptool.sh /build/
@@ -359,8 +388,7 @@ FROM binary-dummy AS rootlesskit-windows
 FROM rootlesskit-${TARGETOS} AS rootlesskit

 FROM base AS crun
-# CRUN_VERSION is the version of crun to install in the dev-container.
-ARG CRUN_VERSION=1.21
+ARG CRUN_VERSION=1.12
 RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
@@ -372,6 +400,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
            libseccomp-dev \
            libsystemd-dev \
            libtool \
+            libudev-dev \
            libyajl-dev \
            python3 \
            ;
@@ -391,8 +420,8 @@ FROM scratch AS vpnkit-linux-arm
 FROM scratch AS vpnkit-linux-ppc64le
 FROM scratch AS vpnkit-linux-riscv64
 FROM scratch AS vpnkit-linux-s390x
-FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-amd64
-FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-arm64
+FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-amd64
+FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-arm64
 FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux
 FROM vpnkit-${TARGETOS} AS vpnkit

@@ -424,16 +453,18 @@ FROM binary-dummy AS containerutil-linux
 FROM containerutil-build AS containerutil-windows-amd64
 FROM containerutil-windows-${TARGETARCH} AS containerutil-windows
 FROM containerutil-${TARGETOS} AS containerutil
-FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
-FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
+FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
+FROM docker/compose-bin:${COMPOSE_VERSION} as compose

 FROM base AS dev-systemd-false
 COPY --link --from=frozen-images /build/ /docker-frozen-images
 COPY --link --from=swagger       /build/ /usr/local/bin/
 COPY --link --from=delve         /build/ /usr/local/bin/
+COPY --link --from=tomll         /build/ /usr/local/bin/
 COPY --link --from=gowinres      /build/ /usr/local/bin/
 COPY --link --from=tini          /build/ /usr/local/bin/
 COPY --link --from=registry      /build/ /usr/local/bin/
+COPY --link --from=registry-v2   /build/ /usr/local/bin/

 # Skip the CRIU stage for now, as the opensuse package repository is sometimes
 # unstable, and we're currently not using it in CI.
@@ -473,23 +504,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]

-FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
-
-FROM dev-systemd-true AS dev-firewalld-true
-RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
-    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            firewalld
-
-FROM dev-firewalld-${FIREWALLD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
 && chown -R unprivilegeduser /home/unprivilegeduser
 # Let us use a .bashrc file
 RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
-# Activate bash completion
+# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
 RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
+RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
 RUN ldconfig
 # Set dev environment as safe git directory to prevent "dubious ownership" errors
 # when bind-mounting the source into the dev-container. See https://github.com/moby/moby/pull/44930
@@ -505,16 +529,13 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            inetutils-ping \
            iproute2 \
            iptables \
-            nftables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            libyajl2 \
-            nano \
            net-tools \
-            netcat-openbsd \
            patch \
            pigz \
            sudo \
@@ -527,16 +548,24 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            xz-utils \
            zip \
            zstd
+# Switch to use iptables instead of nftables (to match the CI hosts)
+# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
+RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
+ && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
 RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            gcc \
            pkg-config \
+            dpkg-dev \
+            libapparmor-dev \
            libseccomp-dev \
+            libsecret-1-dev \
            libsystemd-dev \
+            libudev-dev \
            yamllint
 COPY --link --from=dockercli             /build/ /usr/local/cli
-COPY --link --from=dockercli             /completion.bash /etc/bash_completion.d/docker
 COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration

 FROM base AS build
@@ -554,10 +583,14 @@ ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        xx-apt-get install --no-install-recommends -y \
+            dpkg-dev \
            gcc \
+            libapparmor-dev \
            libc6-dev \
            libseccomp-dev \
+            libsecret-1-dev \
            libsystemd-dev \
+            libudev-dev \
            pkg-config
 ARG DOCKER_BUILDTAGS
 ARG DOCKER_DEBUG
@@ -580,13 +613,14 @@ RUN <<EOT
 EOT
 RUN --mount=type=bind,target=.,rw \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
+    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
  set -e
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
  xx-go --wrap
  PKG_CONFIG=$(xx-go env PKG_CONFIG) ./hack/make.sh $target
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/dockerd$([ "$(xx-info os)" = "windows" ] && echo ".exe")
-  [ "$(xx-info os)" != "linux" ] || xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/docker-proxy
+  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/docker-proxy$([ "$(xx-info os)" = "windows" ] && echo ".exe")
  mkdir /build
  mv /tmp/bundles/${target}-daemon/* /build/
 EOT
@@ -614,7 +648,7 @@ COPY --link --from=build         /build  /
 # smoke tests
 # usage:
 # > docker buildx bake binary-smoketest
-FROM base AS smoketest
+FROM --platform=$TARGETPLATFORM base AS smoketest
 WORKDIR /usr/local/bin
 COPY --from=build /build .
 RUN <<EOT
@@ -630,15 +664,6 @@ FROM dev-base AS devcontainer
 COPY --link . .
 COPY --link --from=gopls         /build/ /usr/local/bin/

-# usage:
-# > docker buildx bake dind
-# > docker run -d --restart always --privileged --name devdind -p 12375:2375 docker-dind --debug --host=tcp://0.0.0.0:2375 --tlsverify=false
-FROM docker:dind AS dind
-COPY --link --from=dockercli /build/docker /usr/local/bin/
-COPY --link --from=buildx    /buildx /usr/local/libexec/docker/cli-plugins/docker-buildx
-COPY --link --from=compose   /docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose
-COPY --link --from=all       / /usr/local/bin/
-
 # usage:
 # > make shell
 # > SYSTEMD=true make shell
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.24.9
+ARG GO_VERSION=1.21.11

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 		curl \
 		cmake \
 		git \
+		libapparmor-dev \
 		libseccomp-dev \
 		ca-certificates \
 		e2fsprogs \
@@ -35,10 +36,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 		vim-common \
 	&& rm -rf /var/lib/apt/lists/*

-# Install runc, containerd, and tini
+# Install runc, containerd, tini and docker-proxy
 # Please edit hack/dockerfile/install/<name>.installer to update them.
 COPY hack/dockerfile/install hack/dockerfile/install
-RUN set -e; for i in runc containerd tini dockercli; \
+RUN for i in runc containerd tini proxy dockercli; \
 		do hack/dockerfile/install/install.sh $i; \
 	done
 ENV PATH=/usr/local/cli:$PATH
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,14 +161,10 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.24.9
-
-# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
-ARG GOTESTSUM_VERSION=v1.12.3
-
-# GOWINRES_VERSION is the version of go-winres to install.
-ARG GOWINRES_VERSION=v0.3.3
-ARG CONTAINERD_VERSION=v1.7.29
+ARG GO_VERSION=1.21.11
+ARG GOTESTSUM_VERSION=v1.8.2
+ARG GOWINRES_VERSION=v0.3.1
+ARG CONTAINERD_VERSION=v1.7.18

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -259,11 +255,14 @@ RUN `
  Remove-Item C:\gitsetup.zip; `
  `
  Write-Host INFO: Downloading containerd; `
+  Install-Package -Force 7Zip4PowerShell; `
  $location='https://github.com/containerd/containerd/releases/download/'+$Env:CONTAINERD_VERSION+'/containerd-'+$Env:CONTAINERD_VERSION.TrimStart('v')+'-windows-amd64.tar.gz'; `
  Download-File $location C:\containerd.tar.gz; `
  New-Item -Path C:\containerd -ItemType Directory; `
-  tar -xzf C:\containerd.tar.gz -C C:\containerd; `
+  Expand-7Zip C:\containerd.tar.gz C:\; `
+  Expand-7Zip C:\containerd.tar C:\containerd; `
  Remove-Item C:\containerd.tar.gz; `
+  Remove-Item C:\containerd.tar; `
  `
  # Ensure all directories exist that we will require below....
  $srcDir = """$Env:GOPATH`\src\github.com\docker\docker\bundles"""; `
--- a/165
+++ b/165
@@ -0,0 +1,165 @@
+#!groovy
+pipeline {
+    agent none
+
+    options {
+        buildDiscarder(logRotator(daysToKeepStr: '30'))
+        timeout(time: 2, unit: 'HOURS')
+        timestamps()
+    }
+    parameters {
+        booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test')
+        booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check')
+    }
+    environment {
+        DOCKER_BUILDKIT     = '1'
+        DOCKER_EXPERIMENTAL = '1'
+        DOCKER_GRAPHDRIVER  = 'overlay2'
+        CHECK_CONFIG_COMMIT = '33a3680e08d1007e72c3b3f1454f823d8e9948ee'
+        TESTDEBUG           = '0'
+        TIMEOUT             = '120m'
+    }
+    stages {
+        stage('pr-hack') {
+            when { changeRequest() }
+            steps {
+                script {
+                    echo "Workaround for PR auto-cancel feature. Borrowed from https://issues.jenkins-ci.org/browse/JENKINS-43353"
+                    def buildNumber = env.BUILD_NUMBER as int
+                    if (buildNumber > 1) milestone(buildNumber - 1)
+                    milestone(buildNumber)
+                }
+            }
+        }
+        stage('DCO-check') {
+            when {
+                beforeAgent true
+                expression { params.dco }
+            }
+            agent { label 'arm64 && ubuntu-2004' }
+            steps {
+                sh '''
+                docker run --rm \
+                  -v "$WORKSPACE:/workspace" \
+                  -e VALIDATE_REPO=${GIT_URL} \
+                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                  alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
+                '''
+            }
+        }
+        stage('Build') {
+            parallel {
+                stage('arm64') {
+                    when {
+                        beforeAgent true
+                        expression { params.arm64 }
+                    }
+                    agent { label 'arm64 && ubuntu-2004' }
+                    environment {
+                        TEST_SKIP_INTEGRATION_CLI = '1'
+                    }
+
+                    stages {
+                        stage("Print info") {
+                            steps {
+                                sh 'docker version'
+                                sh 'docker info'
+                                sh '''
+                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
+                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
+                                && bash ${WORKSPACE}/check-config.sh || true
+                                '''
+                            }
+                        }
+                        stage("Build dev image") {
+                            steps {
+                                sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
+                            }
+                        }
+                        stage("Unit tests") {
+                            steps {
+                                sh '''
+                                sudo modprobe ip6table_filter
+                                '''
+                                sh '''
+                                docker run --rm -t --privileged \
+                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
+                                  --name docker-pr$BUILD_NUMBER \
+                                  -e DOCKER_EXPERIMENTAL \
+                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
+                                  -e DOCKER_GRAPHDRIVER \
+                                  -e VALIDATE_REPO=${GIT_URL} \
+                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                                  docker:${GIT_COMMIT} \
+                                  hack/test/unit
+                                '''
+                            }
+                            post {
+                                always {
+                                    junit testResults: 'bundles/junit-report*.xml', allowEmptyResults: true
+                                }
+                            }
+                        }
+                        stage("Integration tests") {
+                            environment { TEST_SKIP_INTEGRATION_CLI = '1' }
+                            steps {
+                                sh '''
+                                docker run --rm -t --privileged \
+                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
+                                  --name docker-pr$BUILD_NUMBER \
+                                  -e DOCKER_EXPERIMENTAL \
+                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
+                                  -e DOCKER_GRAPHDRIVER \
+                                  -e TESTDEBUG \
+                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
+                                  -e TEST_SKIP_INTEGRATION_CLI \
+                                  -e TIMEOUT \
+                                  -e VALIDATE_REPO=${GIT_URL} \
+                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                                  docker:${GIT_COMMIT} \
+                                  hack/make.sh \
+                                    dynbinary \
+                                    test-integration
+                                '''
+                            }
+                            post {
+                                always {
+                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
+                                }
+                            }
+                        }
+                    }
+
+                    post {
+                        always {
+                            sh '''
+                            echo "Ensuring container killed."
+                            docker rm -vf docker-pr$BUILD_NUMBER || true
+                            '''
+
+                            sh '''
+                            echo "Chowning /workspace to jenkins user"
+                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
+                            '''
+
+                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
+                                sh '''
+                                bundleName=arm64-integration
+                                echo "Creating ${bundleName}-bundles.tar.gz"
+                                # exclude overlay2 directories
+                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
+                                '''
+
+                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
+                            }
+                        }
+                        cleanup {
+                            sh 'make clean'
+                            deleteDir()
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
--- a/610
+++ b/610
@@ -1,33 +1,585 @@
 # Moby maintainers file
 #
-# See project/GOVERNANCE.md for committer versus reviewer roles
+# This file describes the maintainer groups within the moby/moby project.
+# More detail on Moby project governance is available in the
+# project/GOVERNANCE.md file found in this repository.
 #
-# COMMITTERS
-# GitHub ID, Name, Email address, GPG fingerprint
-"akerouanton","Albin Kerouanton","albinker@gmail.com"
-"AkihiroSuda","Akihiro Suda","akihiro.suda.cz@hco.ntt.co.jp"
-"austinvazquez","Austin Vazquez","macedonv@amazon.com"
-"corhere","Cory Snider","csnider@mirantis.com"
-"cpuguy83","Brian Goff","cpuguy83@gmail.com"
-"robmry","Rob Murray","rob.murray@docker.com"
-"thaJeztah","Sebastiaan van Stijn","github@gone.nl"
-"tianon","Tianon Gravi","admwiggin@gmail.com"
-"tonistiigi","Tõnis Tiigi","tonis@docker.com"
-"vvoland","Paweł Gronowski","pawel.gronowski@docker.com"
+# It is structured to be consumable by both humans and programs.
+# To extract its contents programmatically, use any TOML-compliant
+# parser.
 #
-# REVIEWERS
-# GitHub ID, Name, Email address, GPG fingerprint
-"coolljt0725","Lei Jitang","leijitang@huawei.com"
-"crazy-max","Kevin Alvarez","contact@crazymax.dev"
-"dmcgowan","Derek McGowan","derek@mcgstyle.net"
-"estesp","Phil Estes","estesp@linux.vnet.ibm.com"
-"justincormack","Justin Cormack","justin.cormack@docker.com"
-"kolyshkin","Kir Kolyshkin","kolyshkin@gmail.com"
-"laurazard","Laura Brehm","laurabrehm@hey.com"
-"neersighted","Bjorn Neergaard","bjorn@neersighted.com"
-"rumpl","Djordje Lukic","djordje.lukic@docker.com"
-"samuelkarp","Samuel Karp","me@samuelkarp.com"
-"stevvooe","Stephen Day","stephen.day@docker.com"
-"thompson-shaun","Shaun Thompson","shaun.thompson@docker.com"
-"tiborvass","Tibor Vass","tibor@docker.com"
-"unclejack","Cristian Staretu","cristian.staretu@gmail.com"
+# TODO(estesp): This file should not necessarily depend on docker/opensource
+# This file is compiled into the MAINTAINERS file in docker/opensource.
+#
+[Org]
+
+	[Org."Core maintainers"]
+
+	# The Core maintainers are the ghostbusters of the project: when there's a problem others
+	# can't solve, they show up and fix it with bizarre devices and weaponry.
+	# They have final say on technical implementation and coding style.
+	# They are ultimately responsible for quality in all its forms: usability polish,
+	# bugfixes, performance, stability, etc. When ownership  can cleanly be passed to
+	# a subsystem, they are responsible for doing so and holding the
+	# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
+
+		people = [
+			"akerouanton",
+			"akihirosuda",
+			"anusha",
+			"coolljt0725",
+			"corhere",
+			"cpuguy83",
+			"crazy-max",
+			"estesp",
+			"johnstep",
+			"justincormack",
+			"kolyshkin",
+			"laurazard",
+			"mhbauer",
+			"neersighted",
+			"robmry",
+			"rumpl",
+			"runcom",
+			"samuelkarp",
+			"stevvooe",
+			"thajeztah",
+			"tianon",
+			"tibor",
+			"tonistiigi",
+			"unclejack",
+			"vdemeester",
+			"vieux",
+			"vvoland",
+			"yongtang"
+		]
+
+	[Org.Curators]
+
+	# The curators help ensure that incoming issues and pull requests are properly triaged and
+	# that our various contribution and reviewing processes are respected. With their knowledge of
+	# the repository activity, they can also guide contributors to relevant material or
+	# discussions.
+	#
+	# They are neither code nor docs reviewers, so they are never expected to merge. They can
+	# however:
+	# - close an issue or pull request when it's an exact duplicate
+	# - close an issue or pull request when it's inappropriate or off-topic
+
+		people = [
+			"alexellis",
+			"andrewhsu",
+			"bsousaa",
+			"dmcgowan",
+			"fntlnz",
+			"gianarb",
+			"olljanat",
+			"programmerq",
+			"ripcurld",
+			"sam-thibault",
+			"samwhited",
+			"thajeztah"
+		]
+
+	[Org.Alumni]
+
+	# This list contains maintainers that are no longer active on the project.
+	# It is thanks to these people that the project has become what it is today.
+	# Thank you!
+
+		people = [
+			# Aaron Lehmann was a maintainer for swarmkit, the registry, and the engine,
+			# and contributed many improvements, features, and bugfixes in those areas,
+			# among which "automated service rollbacks", templated secrets and configs,
+			# and resumable image layer downloads.
+			"aaronlehmann",
+
+			# Harald Albers is the mastermind behind the bash completion scripts for the
+			# Docker CLI. The completion scripts moved to the Docker CLI repository, so
+			# you can now find him perform his magic in the https://github.com/docker/cli repository.
+			"albers",
+
+			# Andrea Luzzardi started contributing to the Docker codebase in the "dotCloud"
+			# era, even before it was called "Docker". He is one of the architects of both
+			# Swarm and SwarmKit, and its integration into the Docker engine.
+			"aluzzardi",
+			
+			# David Calavera contributed many features to Docker, such as an improved
+			# event system, dynamic configuration reloading, volume plugins, fancy
+			# new templating options, and an external client credential store. As a
+			# maintainer, David was release captain for Docker 1.8, and competing
+			# with Jess Frazelle to be "top dream killer".
+			# David is now doing amazing stuff as CTO for https://www.netlify.com,
+			# and tweets as @calavera.
+			"calavera",
+
+			# Michael Crosby was "chief maintainer" of the Docker project.
+			# During his time as a maintainer, Michael contributed to many
+			# milestones of the project; he was release captain of Docker v1.0.0,
+			# started the development of "libcontainer" (what later became runc)
+			# and containerd, as well as demoing cool hacks such as live migrating
+			# a game server container with checkpoint/restore.
+			#
+			# Michael is currently a maintainer of containerd, but you may see
+			# him around in other projects on GitHub.
+			"crosbymichael",
+
+			# Before becoming a maintainer, Daniel Nephin was a core contributor
+			# to "Fig" (now known as Docker Compose). As a maintainer for both the
+			# Engine and Docker CLI, Daniel contributed many features, among which
+			# the `docker stack` commands, allowing users to deploy their Docker
+			# Compose projects as a Swarm service.
+			"dnephin",
+
+			# Doug Davis contributed many features and fixes for the classic builder,
+			# such as "wildcard" copy, the dockerignore file, custom paths/names
+			# for the Dockerfile, as well as enhancements to the API and documentation.
+			# Follow Doug on Twitter, where he tweets as @duginabox.
+			"duglin",
+
+			# As a maintainer, Erik was responsible for the "builder", and
+			# started the first designs for the new networking model in
+			# Docker. Erik is now working on all kinds of plugins for Docker
+			# (https://github.com/contiv) and various open source projects
+			# in his own repository https://github.com/erikh. You may
+			# still stumble into him in our issue tracker, or on IRC.
+			"erikh",
+
+			# Evan Hazlett is the creator of the Shipyard and Interlock open source projects,
+			# and the author of "Orca", which became the foundation of Docker Universal Control
+			# Plane (UCP). As a maintainer, Evan helped integrating SwarmKit (secrets, tasks)
+			# into the Docker engine.
+			"ehazlett",
+
+			# Arnaud Porterie (AKA "icecrime") was in charge of maintaining the maintainers.
+			# As a maintainer, he made life easier for contributors to the Docker open-source
+			# projects, bringing order in the chaos by designing a triage- and review workflow
+			# using labels (see https://icecrime.net/technology/a-structured-approach-to-labeling/),
+			# and automating the hell out of things with his buddies GordonTheTurtle and Poule
+			# (a chicken!).
+			# 
+			# A lesser-known fact is that he created the first commit in the libnetwork repository
+			# even though he didn't know anything about it. Some say, he's now selling stuff on
+			# the internet ;-)
+			"icecrime",
+
+			# After a false start with his first PR being rejected, James Turnbull became a frequent
+			# contributor to the documentation, and became a docs maintainer on December 5, 2013. As
+			# a maintainer, James lifted the docs to a higher standard, and introduced the community
+			# guidelines ("three strikes"). James is currently changing the world as CTO of https://www.empatico.org,
+			# meanwhile authoring various books that are worth checking out. You can find him on Twitter,
+			# rambling as @kartar, and although no longer active as a maintainer, he's always "game" to
+			# help out reviewing docs PRs, so you may still see him around in the repository.
+			"jamtur01",
+
+			# Jessica Frazelle, also known as the "Keyser Söze of containers",
+			# runs *everything* in containers. She started contributing to
+			# Docker with a (fun fun) change involving both iptables and regular
+			# expressions (coz, YOLO!) on July 10, 2014
+			# https://github.com/docker/docker/pull/6950/commits/f3a68ffa390fb851115c77783fa4031f1d3b2995.
+			# Jess was Release Captain for Docker 1.4, 1.6 and 1.7, and contributed
+			# many features and improvement, among which "seccomp profiles" (making
+			# containers a lot more secure). Besides being a maintainer, she
+			# set up the CI infrastructure for the project, giving everyone
+			# something to shout at if a PR failed ("noooo Janky!").
+			# Be sure you don't miss her talks at a conference near you (a must-see),
+			# read her blog at https://blog.jessfraz.com (a must-read), and
+			# check out her open source projects on GitHub https://github.com/jessfraz (a must-try).
+			"jessfraz",
+
+			# As a maintainer, John Howard managed to make the impossible possible;
+			# to run Docker on Windows. After facing many challenges, teaching
+			# fellow-maintainers that 'Windows is not Linux', and many changes in
+			# Windows Server to facilitate containers, native Windows containers
+			# saw the light of day in 2015.
+			#
+			# John is now enjoying life without containers: playing piano, painting,
+			# and walking his dogs, but you may occasionally see him drop by on GitHub.
+			"lowenna",
+
+			# Alexander Morozov contributed many features to Docker, worked on the premise of 
+			# what later became containerd (and worked on that too), and made a "stupid" Go
+			# vendor tool specifically for docker/docker needs: vndr (https://github.com/LK4D4/vndr).
+			# Not many know that Alexander is a master negotiator, being able to change course
+			# of action with a single "Nope, we're not gonna do that".
+			"lk4d4",
+
+			# Madhu Venugopal was part of the SocketPlane team that joined Docker.
+			# As a maintainer, he was working with Jana for the Container Network
+			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
+			# Swarm mode networking.
+			"mavenugo",
+
+			# As a maintainer, Kenfe-Mickaël Laventure worked on the container runtime,
+			# integrating containerd 1.0 with the daemon, and adding support for custom
+			# OCI runtimes, as well as implementing the `docker prune` subcommands,
+			# which was a welcome feature to be added. You can keep up with Mickaél on
+			# Twitter (@kmlaventure).
+			"mlaventure",
+
+			# As a docs maintainer, Mary Anthony contributed greatly to the Docker
+			# docs. She wrote the Docker Contributor Guide and Getting Started
+			# Guides. She helped create a doc build system independent of
+			# docker/docker project, and implemented a new docs.docker.com theme and
+			# nav for 2015 Dockercon. Fun fact: the most inherited layer in DockerHub
+			# public repositories was originally referenced in
+			# maryatdocker/docker-whale back in May 2015.
+			"moxiegirl",
+
+			# Jana Radhakrishnan was part of the SocketPlane team that joined Docker.
+			# As a maintainer, he was the lead architect for the Container Network
+			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
+			# Swarm mode networking.
+			#
+			# Jana started new adventures in networking, but you can find him tweeting as @mrjana,
+			# coding on GitHub https://github.com/mrjana, and he may be hiding on the Docker Community
+			# slack channel :-)
+			"mrjana",
+
+			# Sven Dowideit became a well known person in the Docker ecosphere, building
+			# boot2docker, and became a regular contributor to the project, starting as
+			# early as October 2013 (https://github.com/docker/docker/pull/2119), to become
+			# a maintainer less than two months later (https://github.com/docker/docker/pull/3061).
+			#
+			# As a maintainer, Sven took on the task to convert the documentation from
+			# ReStructuredText to Markdown, migrate to Hugo for generating the docs, and
+			# writing tooling for building, testing, and publishing them.
+			#
+			# If you're not in the occasion to visit "the Australian office", you
+			# can keep up with Sven on Twitter (@SvenDowideit), his blog http://fosiki.com,
+			# and of course on GitHub.
+			"sven",
+
+			# Vincent "vbatts!" Batts made his first contribution to the project
+			# in November 2013, to become a maintainer a few months later, on
+			# May 10, 2014 (https://github.com/docker/docker/commit/d6e666a87a01a5634c250358a94c814bf26cb778).
+			# As a maintainer, Vincent made important contributions to core elements
+			# of Docker, such as "distribution" (tarsum) and graphdrivers (btrfs, devicemapper).
+			# He also contributed the "tar-split" library, an important element
+			# for the content-addressable store.
+			# Vincent is currently a member of the Open Containers Initiative
+			# Technical Oversight Board (TOB), besides his work at Red Hat and
+			# Project Atomic. You can still find him regularly hanging out in
+			# our repository and the #docker-dev and #docker-maintainers IRC channels
+			# for a chat, as he's always a lot of fun.
+			"vbatts",
+
+			# Vishnu became a maintainer to help out on the daemon codebase and
+			# libcontainer integration. He's currently involved in the
+			# Open Containers Initiative, working on the specifications,
+			# besides his work on cAdvisor and Kubernetes for Google.
+			"vishh"
+		]
+
+[people]
+
+# A reference list of all people associated with the project.
+# All other sections should refer to people by their canonical key
+# in the people section.
+
+	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+
+	[people.aaronlehmann]
+	Name = "Aaron Lehmann"
+	Email = "aaron.lehmann@docker.com"
+	GitHub = "aaronlehmann"
+
+	[people.akerouanton]
+	Name = "Albin Kerouanton"
+	Email = "albinker@gmail.com"
+	GitHub = "akerouanton"
+
+	[people.alexellis]
+	Name = "Alex Ellis"
+	Email = "alexellis2@gmail.com"
+	GitHub = "alexellis"
+
+	[people.akihirosuda]
+	Name = "Akihiro Suda"
+	Email = "akihiro.suda.cz@hco.ntt.co.jp"
+	GitHub = "AkihiroSuda"
+
+	[people.aluzzardi]
+	Name = "Andrea Luzzardi"
+	Email = "al@docker.com"
+	GitHub = "aluzzardi"
+
+	[people.albers]
+	Name = "Harald Albers"
+	Email = "github@albersweb.de"
+	GitHub = "albers"
+
+	[people.andrewhsu]
+	Name = "Andrew Hsu"
+	Email = "andrewhsu@docker.com"
+	GitHub = "andrewhsu"
+
+	[people.anusha]
+	Name = "Anusha Ragunathan"
+	Email = "anusha@docker.com"
+	GitHub = "anusha-ragunathan"
+	
+	[people.bsousaa]
+	Name = "Bruno de Sousa"
+	Email = "bruno.sousa@docker.com"
+	GitHub = "bsousaa"
+
+	[people.calavera]
+	Name = "David Calavera"
+	Email = "david.calavera@gmail.com"
+	GitHub = "calavera"
+
+	[people.coolljt0725]
+	Name = "Lei Jitang"
+	Email = "leijitang@huawei.com"
+	GitHub = "coolljt0725"
+
+	[people.corhere]
+	Name = "Cory Snider"
+	Email = "csnider@mirantis.com"
+	GitHub = "corhere"
+
+	[people.cpuguy83]
+	Name = "Brian Goff"
+	Email = "cpuguy83@gmail.com"
+	GitHub = "cpuguy83"
+
+	[people.crazy-max]
+	Name = "Kevin Alvarez"
+	Email = "contact@crazymax.dev"
+	GitHub = "crazy-max"
+
+	[people.crosbymichael]
+	Name = "Michael Crosby"
+	Email = "crosbymichael@gmail.com"
+	GitHub = "crosbymichael"
+
+	[people.dnephin]
+	Name = "Daniel Nephin"
+	Email = "dnephin@gmail.com"
+	GitHub = "dnephin"
+
+	[people.dmcgowan]
+	Name = "Derek McGowan"
+	Email = "derek@mcgstyle.net"
+	GitHub = "dmcgowan"
+
+	[people.duglin]
+	Name = "Doug Davis"
+	Email = "dug@us.ibm.com"
+	GitHub = "duglin"
+
+	[people.ehazlett]
+	Name = "Evan Hazlett"
+	Email = "ejhazlett@gmail.com"
+	GitHub = "ehazlett"
+
+	[people.erikh]
+	Name = "Erik Hollensbe"
+	Email = "erik@docker.com"
+	GitHub = "erikh"
+
+	[people.estesp]
+	Name = "Phil Estes"
+	Email = "estesp@linux.vnet.ibm.com"
+	GitHub = "estesp"
+
+	[people.fntlnz]
+	Name = "Lorenzo Fontana"
+	Email = "fontanalorenz@gmail.com"
+	GitHub = "fntlnz"
+
+	[people.gianarb]
+	Name = "Gianluca Arbezzano"
+	Email = "ga@thumpflow.com"
+	GitHub = "gianarb"
+
+	[people.icecrime]
+	Name = "Arnaud Porterie"
+	Email = "icecrime@gmail.com"
+	GitHub = "icecrime"
+
+	[people.jamtur01]
+	Name = "James Turnbull"
+	Email = "james@lovedthanlost.net"
+	GitHub = "jamtur01"
+
+	[people.jessfraz]
+	Name = "Jessie Frazelle"
+	Email = "jess@linux.com"
+	GitHub = "jessfraz"
+
+	[people.johnstep]
+	Name = "John Stephens"
+	Email = "johnstep@docker.com"
+	GitHub = "johnstep"
+
+	[people.justincormack]
+	Name = "Justin Cormack"
+	Email = "justin.cormack@docker.com"
+	GitHub = "justincormack"
+
+	[people.kolyshkin]
+	Name = "Kir Kolyshkin"
+	Email = "kolyshkin@gmail.com"
+	GitHub = "kolyshkin"
+
+	[people.laurazard]
+	Name = "Laura Brehm"
+	Email = "laura.brehm@docker.com"
+	GitHub = "laurazard"
+
+	[people.lk4d4]
+	Name = "Alexander Morozov"
+	Email = "lk4d4@docker.com"
+	GitHub = "lk4d4"
+
+	[people.lowenna]
+	Name = "John Howard"
+	Email = "github@lowenna.com"
+	GitHub = "lowenna"
+
+	[people.mavenugo]
+	Name = "Madhu Venugopal"
+	Email = "madhu@docker.com"
+	GitHub = "mavenugo"
+
+	[people.mhbauer]
+	Name = "Morgan Bauer"
+	Email = "mbauer@us.ibm.com"
+	GitHub = "mhbauer"
+
+	[people.mlaventure]
+	Name = "Kenfe-Mickaël Laventure"
+	Email = "mickael.laventure@gmail.com"
+	GitHub = "mlaventure"
+
+	[people.moxiegirl]
+	Name = "Mary Anthony"
+	Email = "mary.anthony@docker.com"
+	GitHub = "moxiegirl"
+
+	[people.mrjana]
+	Name = "Jana Radhakrishnan"
+	Email = "mrjana@docker.com"
+	GitHub = "mrjana"
+
+	[people.neersighted]
+	Name = "Bjorn Neergaard"
+	Email = "bjorn@neersighted.com"
+	GitHub = "neersighted"
+
+	[people.olljanat]
+	Name = "Olli Janatuinen"
+	Email = "olli.janatuinen@gmail.com"
+	GitHub = "olljanat"
+
+	[people.programmerq]
+	Name = "Jeff Anderson"
+	Email = "jeff@docker.com"
+	GitHub = "programmerq"
+
+	[people.robmry]
+	Name = "Rob Murray"
+	Email = "rob.murray@docker.com"
+	GitHub = "robmry"
+
+	[people.ripcurld]
+	Name = "Boaz Shuster"
+	Email = "ripcurld.github@gmail.com"
+	GitHub = "ripcurld"
+
+	[people.rumpl]
+	Name = "Djordje Lukic"
+	Email = "djordje.lukic@docker.com"
+	GitHub = "rumpl"
+
+	[people.runcom]
+	Name = "Antonio Murdaca"
+	Email = "runcom@redhat.com"
+	GitHub = "runcom"
+
+	[people.sam-thibault]
+	Name = "Sam Thibault"
+	Email = "sam.thibault@docker.com"
+	GitHub = "sam-thibault"
+
+	[people.samuelkarp]
+	Name = "Samuel Karp"
+	Email = "me@samuelkarp.com"
+	GitHub = "samuelkarp"
+
+	[people.samwhited]
+	Name = "Sam Whited"
+	Email = "sam@samwhited.com"
+	GitHub = "samwhited"
+
+	[people.shykes]
+	Name = "Solomon Hykes"
+	Email = "solomon@docker.com"
+	GitHub = "shykes"
+
+	[people.stevvooe]
+	Name = "Stephen Day"
+	Email = "stephen.day@docker.com"
+	GitHub = "stevvooe"
+
+	[people.sven]
+	Name = "Sven Dowideit"
+	Email = "SvenDowideit@home.org.au"
+	GitHub = "SvenDowideit"
+
+	[people.thajeztah]
+	Name = "Sebastiaan van Stijn"
+	Email = "github@gone.nl"
+	GitHub = "thaJeztah"
+
+	[people.tianon]
+	Name = "Tianon Gravi"
+	Email = "admwiggin@gmail.com"
+	GitHub = "tianon"
+
+	[people.tibor]
+	Name = "Tibor Vass"
+	Email = "tibor@docker.com"
+	GitHub = "tiborvass"
+
+	[people.tonistiigi]
+	Name = "Tõnis Tiigi"
+	Email = "tonis@docker.com"
+	GitHub = "tonistiigi"
+
+	[people.unclejack]
+	Name = "Cristian Staretu"
+	Email = "cristian.staretu@gmail.com"
+	GitHub = "unclejack"
+
+	[people.vbatts]
+	Name = "Vincent Batts"
+	Email = "vbatts@redhat.com"
+	GitHub = "vbatts"
+
+	[people.vdemeester]
+	Name = "Vincent Demeester"
+	Email = "vincent@sbr.pm"
+	GitHub = "vdemeester"
+
+	[people.vieux]
+	Name = "Victor Vieux"
+	Email = "vieux@docker.com"
+	GitHub = "vieux"
+
+	[people.vishh]
+	Name = "Vishnu Kannan"
+	Email = "vishnuk@google.com"
+	GitHub = "vishh"
+	
+	[people.vvoland]
+	Name = "Paweł Gronowski"
+	Email = "pawel.gronowski@docker.com"
+	GitHub = "vvoland"
+
+	[people.yongtang]
+	Name = "Yong Tang"
+	Email = "yong.tang.github@outlook.com"
+	GitHub = "yongtang"
--- a/35
+++ b/35
@@ -1,6 +1,10 @@
 DOCKER ?= docker
 BUILDX ?= $(DOCKER) buildx

+# set the graph driver as the current graphdriver if not set
+DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info -f '{{ .Driver }}' 2>&1))
+export DOCKER_GRAPHDRIVER
+
 DOCKER_GITCOMMIT := $(shell git rev-parse HEAD)
 export DOCKER_GITCOMMIT

@@ -31,6 +35,7 @@ DOCKER_ENVS := \
 	-e DOCKER_BUILD_OPTS \
 	-e DOCKER_BUILD_PKGS \
 	-e DOCKER_BUILDKIT \
+	-e DOCKER_BASH_COMPLETION_PATH \
 	-e DOCKER_CLI_PATH \
 	-e DOCKERCLI_VERSION \
 	-e DOCKERCLI_REPOSITORY \
@@ -49,7 +54,6 @@ DOCKER_ENVS := \
 	-e DOCKER_USERLANDPROXY \
 	-e DOCKERD_ARGS \
 	-e DELVE_PORT \
-	-e FIREWALLD \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
@@ -57,6 +61,7 @@ DOCKER_ENVS := \
 	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
+	-e TEST_IGNORE_CGROUP_CHECK \
 	-e TESTCOVERAGE \
 	-e TESTDEBUG \
 	-e TESTDIRS \
@@ -83,11 +88,11 @@ DOCKER_ENVS := \
 # to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
 # (default to no bind mount if DOCKER_HOST is set)
 # note: BINDDIR is supported for backwards-compatibility here
-BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,.))
+BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))

-# DOCKER_MOUNT can be overridden, but use at your own risk!
+# DOCKER_MOUNT can be overriden, but use at your own risk!
 ifndef DOCKER_MOUNT
-DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
+DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
 DOCKER_MOUNT := $(if $(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT):$(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT))

 # This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
@@ -97,14 +102,8 @@ DOCKER_MOUNT := $(if $(DOCKER_MOUNT),$(DOCKER_MOUNT),-v /go/src/github.com/docke

 DOCKER_MOUNT_CACHE := -v docker-dev-cache:/root/.cache -v docker-mod-cache:/go/pkg/mod/
 DOCKER_MOUNT_CLI := $(if $(DOCKER_CLI_PATH),-v $(shell dirname $(DOCKER_CLI_PATH)):/usr/local/cli,)
-
-ifdef BIND_GIT
-	# Gets the common .git directory (even from inside a git worktree)
-	GITDIR := $(shell realpath $(shell git rev-parse --git-common-dir))
-	MOUNT_GITDIR := $(if $(GITDIR),-v "$(GITDIR):$(GITDIR)")
-endif
-
-DOCKER_MOUNT := $(DOCKER_MOUNT) $(DOCKER_MOUNT_CACHE) $(DOCKER_MOUNT_CLI) $(DOCKER_MOUNT_BASH_COMPLETION) $(MOUNT_GITDIR)
+DOCKER_MOUNT_BASH_COMPLETION := $(if $(DOCKER_BASH_COMPLETION_PATH),-v $(shell dirname $(DOCKER_BASH_COMPLETION_PATH)):/usr/local/completion/bash,)
+DOCKER_MOUNT := $(DOCKER_MOUNT) $(DOCKER_MOUNT_CACHE) $(DOCKER_MOUNT_CLI) $(DOCKER_MOUNT_BASH_COMPLETION)
 endif # ifndef DOCKER_MOUNT

 # This allows to set the docker-dev container name
@@ -149,9 +148,6 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
-ifdef FIREWALLD
-DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
-endif

 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
@@ -203,7 +199,7 @@ build: shell_target := --target=dev-base
 else
 build: shell_target := --target=dev
 endif
-build: validate-bind-dir bundles
+build: bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .

 .PHONY: shell
@@ -284,10 +280,3 @@ generate-files:
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
 	cp -R "$($@_TMP_OUT)"/. .
 	rm -rf "$($@_TMP_OUT)"/*
-
-.PHONY: validate-bind-dir
-validate-bind-dir:
-	@case "$(BIND_DIR)" in \
-		".."*|"/"*) echo "Make needs to be run from the project-root directory, with BIND_DIR set to \".\" or a subdir"; \
-		exit 1 ;; \
-	esac
--- a/README.md
+++ b/README.md
@@ -1,11 +1,6 @@
 The Moby Project
 ================

-[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/docker)](https://pkg.go.dev/github.com/docker/docker)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker)](https://goreportcard.com/report/github.com/docker/docker)
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
-
-
 ![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")

 Moby is an open-source project created by Docker to enable and accelerate software containerization.
@@ -37,7 +32,7 @@ New projects can be added if they fit with the community goals. Docker is commit
 However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.

 The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful.
-The releases are supported by the maintainers, community and users, on a best efforts basis only. For customers who want enterprise or commercial support, [Docker Desktop](https://www.docker.com/products/docker-desktop/) and [Mirantis Container Runtime](https://www.mirantis.com/software/mirantis-container-runtime/) are the appropriate products for these use cases.
+The releases are supported by the maintainers, community and users, on a best efforts basis only, and are not intended for customers who want enterprise or commercial support; Docker EE is the appropriate product for these use cases.

 -----

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,42 +1,9 @@
-# Security Policy
+# Reporting security issues

-The maintainers of the Moby project take security seriously. If you discover
-a security issue, please bring it to their attention right away!
+The Moby maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!

-## Reporting a Vulnerability
+### Reporting a Vulnerability

-Please **DO NOT** file a public issue, instead send your report privately
-to [security@docker.com](mailto:security@docker.com).
+Please **DO NOT** file a public issue, instead send your report privately to security@docker.com.

-Reporter(s) can expect a response within 72 hours, acknowledging the issue was
-received.
-
-## Review Process
-
-After receiving the report, an initial triage and technical analysis is
-performed to confirm the report and determine its scope. We may request
-additional information in this stage of the process.
-
-Once a reviewer has confirmed the relevance of the report, a draft security
-advisory will be created on GitHub. The draft advisory will be used to discuss
-the issue with maintainers, the reporter(s), and where applicable, other
-affected parties under embargo.
-
-If the vulnerability is accepted, a timeline for developing a patch, public
-disclosure, and patch release will be determined. If there is an embargo period
-on public disclosure before the patch release, the reporter(s) are expected to
-participate in the discussion of the timeline and abide by agreed upon dates
-for public disclosure.
-
-## Accreditation
-
-Security reports are greatly appreciated and we will publicly thank you,
-although we will keep your name confidential if you request it. We also like to
-send gifts - if you're into swag, make sure to let us know. We do not currently
-offer a paid security bounty program at this time.
-
-## Supported Versions
-
-This project uses long-lived branches to maintain releases. Refer to
-[BRANCHES-AND-TAGS.md](project/BRANCHES-AND-TAGS.md) in the default branch to
-learn about the current maintenance status of each branch.
+Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it. We also like to send gifts—if you're into schwag, make sure to let us know. We currently do not offer a paid security bounty program, but are not ruling it out in the future.
--- a/TESTING.md
+++ b/TESTING.md
@@ -121,6 +121,6 @@ automatically set the other above mentioned environment variables accordingly.
 You can change a version of golang used for building stuff that is being tested
 by setting `GO_VERSION` variable, for example:

-```bash
-make GO_VERSION=1.24.8 test
+```
+make GO_VERSION=1.12.8 test
 ```
--- a/api/common.go
+++ b/api/common.go
@@ -1,9 +1,9 @@
-package api
+package api // import "github.com/docker/docker/api"

 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.51"
+	DefaultVersion = "1.46"

 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
--- a/api/server/backend/build/backend.go
+++ b/api/server/backend/build/backend.go
@@ -1,4 +1,4 @@
-package build
+package build // import "github.com/docker/docker/api/server/backend/build"

 import (
 	"context"
@@ -6,8 +6,8 @@ import (
 	"strconv"

 	"github.com/distribution/reference"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/builder"
 	buildkit "github.com/docker/docker/builder/builder-next"
@@ -52,52 +52,54 @@ func (b *Backend) RegisterGRPC(s *grpc.Server) {
 // Build builds an image from a Source
 func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string, error) {
 	options := config.Options
-	useBuildKit := options.Version == build.BuilderBuildKit
+	useBuildKit := options.Version == types.BuilderBuildKit

 	tags, err := sanitizeRepoAndTags(options.Tags)
 	if err != nil {
 		return "", err
 	}

-	var buildResult *builder.Result
+	var build *builder.Result
 	if useBuildKit {
-		buildResult, err = b.buildkit.Build(ctx, config)
+		build, err = b.buildkit.Build(ctx, config)
 		if err != nil {
 			return "", err
 		}
 	} else {
-		buildResult, err = b.builder.Build(ctx, config)
+		build, err = b.builder.Build(ctx, config)
 		if err != nil {
 			return "", err
 		}
 	}

-	if buildResult == nil {
+	if build == nil {
 		return "", nil
 	}

-	imageID := buildResult.ImageID
+	imageID := build.ImageID
 	if options.Squash {
-		if imageID, err = squashBuild(buildResult, b.imageComponent); err != nil {
+		if imageID, err = squashBuild(build, b.imageComponent); err != nil {
 			return "", err
 		}
 		if config.ProgressWriter.AuxFormatter != nil {
-			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", build.Result{ID: imageID}); err != nil {
+			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", types.BuildResult{ID: imageID}); err != nil {
 				return "", err
 			}
 		}
 	}

-	if imageID != "" && !useBuildKit {
+	if !useBuildKit {
 		stdout := config.ProgressWriter.StdoutFormatter
-		_, _ = fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+		fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+	}
+	if imageID != "" && !useBuildKit {
 		err = tagImages(ctx, b.imageComponent, config.ProgressWriter.StdoutFormatter, image.ID(imageID), tags)
 	}
 	return imageID, err
 }

 // PruneCache removes all cached build sources
-func (b *Backend) PruneCache(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
+func (b *Backend) PruneCache(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
 	buildCacheSize, cacheIDs, err := b.buildkit.Prune(ctx, opts)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to prune build cache")
@@ -107,7 +109,7 @@ func (b *Backend) PruneCache(ctx context.Context, opts build.CachePruneOptions)
 			"reclaimed": strconv.FormatInt(buildCacheSize, 10),
 		},
 	})
-	return &build.CachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
+	return &types.BuildCachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
 }

 // Cancel cancels the build by ID
--- a/api/server/backend/build/tag.go
+++ b/api/server/backend/build/tag.go
@@ -1,4 +1,4 @@
-package build
+package build // import "github.com/docker/docker/api/server/backend/build"

 import (
 	"context"
@@ -24,7 +24,7 @@ func tagImages(ctx context.Context, ic ImageComponent, stdout io.Writer, imageID
 // sanitizeRepoAndTags parses the raw "t" parameter received from the client
 // to a slice of repoAndTag. It removes duplicates, and validates each name
 // to not contain a digest.
-func sanitizeRepoAndTags(names []string) (repoAndTags []reference.Named, _ error) {
+func sanitizeRepoAndTags(names []string) (repoAndTags []reference.Named, err error) {
 	uniqNames := map[string]struct{}{}
 	for _, repo := range names {
 		if repo == "" {
--- a/api/server/httpstatus/status.go
+++ b/api/server/httpstatus/status.go
@@ -1,4 +1,4 @@
-package httpstatus
+package httpstatus // import "github.com/docker/docker/api/server/httpstatus"

 import (
 	"context"
@@ -8,10 +8,15 @@ import (
 	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/docker/errdefs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )

+type causer interface {
+	Cause() error
+}
+
 // FromError retrieves status code from error message.
 func FromError(err error) int {
 	if err == nil {
@@ -19,55 +24,48 @@ func FromError(err error) int {
 		return http.StatusInternalServerError
 	}

-	// Resolve the error to ensure status is chosen from the first outermost error
-	rerr := cerrdefs.Resolve(err)
+	// Stop right there
+	// Are you sure you should be adding a new error class here? Do one of the existing ones work?

 	// Note that the below functions are already checking the error causal chain for matches.
-	// Only check errors from the errdefs package, no new error type checking may be added
 	switch {
-	case cerrdefs.IsNotFound(rerr):
+	case errdefs.IsNotFound(err):
 		return http.StatusNotFound
-	case cerrdefs.IsInvalidArgument(rerr):
+	case errdefs.IsInvalidParameter(err):
 		return http.StatusBadRequest
-	case cerrdefs.IsConflict(rerr):
+	case errdefs.IsConflict(err):
 		return http.StatusConflict
-	case cerrdefs.IsUnauthorized(rerr):
+	case errdefs.IsUnauthorized(err):
 		return http.StatusUnauthorized
-	case cerrdefs.IsUnavailable(rerr):
+	case errdefs.IsUnavailable(err):
 		return http.StatusServiceUnavailable
-	case cerrdefs.IsPermissionDenied(rerr):
+	case errdefs.IsForbidden(err):
 		return http.StatusForbidden
-	case cerrdefs.IsNotModified(rerr):
+	case errdefs.IsNotModified(err):
 		return http.StatusNotModified
-	case cerrdefs.IsNotImplemented(rerr):
+	case errdefs.IsNotImplemented(err):
 		return http.StatusNotImplemented
-	case cerrdefs.IsInternal(rerr) || cerrdefs.IsDataLoss(rerr) || cerrdefs.IsDeadlineExceeded(rerr) || cerrdefs.IsCanceled(rerr):
+	case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
 		return http.StatusInternalServerError
 	default:
 		if statusCode := statusCodeFromGRPCError(err); statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
+		if statusCode := statusCodeFromContainerdError(err); statusCode != http.StatusInternalServerError {
+			return statusCode
+		}
 		if statusCode := statusCodeFromDistributionError(err); statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
-		switch e := err.(type) {
-		case interface{ Unwrap() error }:
-			return FromError(e.Unwrap())
-		case interface{ Unwrap() []error }:
-			for _, ue := range e.Unwrap() {
-				if statusCode := FromError(ue); statusCode != http.StatusInternalServerError {
-					return statusCode
-				}
-			}
+		if e, ok := err.(causer); ok {
+			return FromError(e.Cause())
 		}

-		if !cerrdefs.IsUnknown(err) {
-			log.G(context.TODO()).WithFields(log.Fields{
-				"module":     "api",
-				"error":      err,
-				"error_type": fmt.Sprintf("%T", err),
-			}).Debug("FIXME: Got an API for which error does not match any expected type!!!")
-		}
+		log.G(context.TODO()).WithFields(log.Fields{
+			"module":     "api",
+			"error":      err,
+			"error_type": fmt.Sprintf("%T", err),
+		}).Debug("FIXME: Got an API for which error does not match any expected type!!!")

 		return http.StatusInternalServerError
 	}
@@ -122,3 +120,24 @@ func statusCodeFromDistributionError(err error) int {
 	}
 	return http.StatusInternalServerError
 }
+
+// statusCodeFromContainerdError returns status code for containerd errors when
+// consumed directly (not through gRPC)
+func statusCodeFromContainerdError(err error) int {
+	switch {
+	case cerrdefs.IsInvalidArgument(err):
+		return http.StatusBadRequest
+	case cerrdefs.IsNotFound(err):
+		return http.StatusNotFound
+	case cerrdefs.IsAlreadyExists(err):
+		return http.StatusConflict
+	case cerrdefs.IsFailedPrecondition(err):
+		return http.StatusPreconditionFailed
+	case cerrdefs.IsUnavailable(err):
+		return http.StatusServiceUnavailable
+	case cerrdefs.IsNotImplemented(err):
+		return http.StatusNotImplemented
+	default:
+		return http.StatusInternalServerError
+	}
+}
--- a/api/server/httputils/decoder.go
+++ b/api/server/httputils/decoder.go
@@ -1,4 +1,4 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
 	"io"
--- a/api/server/httputils/form.go
+++ b/api/server/httputils/form.go
@@ -1,4 +1,4 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
 	"encoding/json"
@@ -16,12 +16,8 @@ import (

 // BoolValue transforms a form value in different formats into a boolean type.
 func BoolValue(r *http.Request, k string) bool {
-	switch strings.ToLower(strings.TrimSpace(r.FormValue(k))) {
-	case "", "0", "no", "false", "none":
-		return false
-	default:
-		return true
-	}
+	s := strings.ToLower(strings.TrimSpace(r.FormValue(k)))
+	return !(s == "" || s == "0" || s == "no" || s == "false" || s == "none")
 }

 // BoolValueOrDefault returns the default bool passed if the query param is
@@ -33,29 +29,6 @@ func BoolValueOrDefault(r *http.Request, k string, d bool) bool {
 	return BoolValue(r, k)
 }

-// Uint32Value parses a form value into an uint32 type. It returns an error
-// if the field is not set, empty, incorrectly formatted, or out of range.
-func Uint32Value(r *http.Request, field string) (uint32, error) {
-	// strconv.ParseUint returns an "strconv.ErrSyntax" for negative values,
-	// not an "out of range". Strip the prefix before parsing, and use it
-	// later to detect valid, but negative values.
-	v, isNeg := strings.CutPrefix(r.Form.Get(field), "-")
-	if v == "" || v[0] == '+' {
-		// Fast-path for invalid values.
-		return 0, strconv.ErrSyntax
-	}
-
-	i, err := strconv.ParseUint(v, 10, 32)
-	if err != nil {
-		// Unwrap to remove the 'strconv.ParseUint: parsing "some-invalid-value":' prefix.
-		return 0, errors.Unwrap(err)
-	}
-	if isNeg {
-		return 0, strconv.ErrRange
-	}
-	return uint32(i), nil
-}
-
 // Int64ValueOrZero parses a form value into an int64 type.
 // It returns 0 if the parsing fails.
 func Int64ValueOrZero(r *http.Request, k string) int64 {
@@ -162,22 +135,3 @@ func DecodePlatform(platformJSON string) (*ocispec.Platform, error) {

 	return &p, nil
 }
-
-// DecodePlatforms decodes the OCI platform JSON string into a Platform struct.
-//
-// Typically, the argument is a value of: r.Form["platform"]
-func DecodePlatforms(platformJSONs []string) ([]ocispec.Platform, error) {
-	if len(platformJSONs) == 0 {
-		return nil, nil
-	}
-
-	var output []ocispec.Platform
-	for _, platform := range platformJSONs {
-		p, err := DecodePlatform(platform)
-		if err != nil {
-			return nil, err
-		}
-		output = append(output, *p)
-	}
-	return output, nil
-}
--- a/api/server/httputils/form_test.go
+++ b/api/server/httputils/form_test.go
@@ -1,16 +1,16 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
-	"math"
+	"encoding/json"
 	"net/http"
 	"net/url"
-	"strconv"
 	"testing"

-	cerrdefs "github.com/containerd/errdefs"
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/errdefs"
+
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
 )

 func TestBoolValue(t *testing.T) {
@@ -30,7 +30,7 @@ func TestBoolValue(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
+		r, _ := http.NewRequest(http.MethodPost, "", nil)
 		r.Form = v

 		a := BoolValue(r, "test")
@@ -41,14 +41,14 @@ func TestBoolValue(t *testing.T) {
 }

 func TestBoolValueOrDefault(t *testing.T) {
-	r, _ := http.NewRequest(http.MethodGet, "", http.NoBody)
+	r, _ := http.NewRequest(http.MethodGet, "", nil)
 	if !BoolValueOrDefault(r, "queryparam", true) {
 		t.Fatal("Expected to get true default value, got false")
 	}

 	v := url.Values{}
 	v.Set("param", "")
-	r, _ = http.NewRequest(http.MethodGet, "", http.NoBody)
+	r, _ = http.NewRequest(http.MethodGet, "", nil)
 	r.Form = v
 	if BoolValueOrDefault(r, "param", true) {
 		t.Fatal("Expected not to get true")
@@ -66,7 +66,7 @@ func TestInt64ValueOrZero(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
+		r, _ := http.NewRequest(http.MethodPost, "", nil)
 		r.Form = v

 		a := Int64ValueOrZero(r, "test")
@@ -86,7 +86,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
+		r, _ := http.NewRequest(http.MethodPost, "", nil)
 		r.Form = v

 		a, err := Int64ValueOrDefault(r, "test", -1)
@@ -102,7 +102,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 func TestInt64ValueOrDefaultWithError(t *testing.T) {
 	v := url.Values{}
 	v.Set("test", "invalid")
-	r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
+	r, _ := http.NewRequest(http.MethodPost, "", nil)
 	r.Form = v

 	_, err := Int64ValueOrDefault(r, "test", -1)
@@ -111,125 +111,22 @@ func TestInt64ValueOrDefaultWithError(t *testing.T) {
 	}
 }

-func TestUint32Value(t *testing.T) {
-	const valueNotSet = "unset"
+func TestParsePlatformInvalid(t *testing.T) {
+	for _, tc := range []ocispec.Platform{
+		{
+			OSVersion:  "1.2.3",
+			OSFeatures: []string{"a", "b"},
+		},
+		{OSVersion: "12.0"},
+		{OS: "linux"},
+		{Architecture: "amd64"},
+	} {
+		t.Run(platforms.Format(tc), func(t *testing.T) {
+			js, err := json.Marshal(tc)
+			assert.NilError(t, err)

-	tests := []struct {
-		value       string
-		expected    uint32
-		expectedErr error
-	}{
-		{
-			value:    "0",
-			expected: 0,
-		},
-		{
-			value:    strconv.FormatUint(math.MaxUint32, 10),
-			expected: math.MaxUint32,
-		},
-		{
-			value:       valueNotSet,
-			expectedErr: strconv.ErrSyntax,
-		},
-		{
-			value:       "",
-			expectedErr: strconv.ErrSyntax,
-		},
-		{
-			value:       "-1",
-			expectedErr: strconv.ErrRange,
-		},
-		{
-			value:       "4294967296", // MaxUint32+1
-			expectedErr: strconv.ErrRange,
-		},
-		{
-			value:       "not-a-number",
-			expectedErr: strconv.ErrSyntax,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.value, func(t *testing.T) {
-			r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
-			r.Form = url.Values{}
-			if tc.value != valueNotSet {
-				r.Form.Set("field", tc.value)
-			}
-			out, err := Uint32Value(r, "field")
-			assert.Check(t, is.Equal(tc.expected, out))
-			assert.Check(t, is.ErrorIs(err, tc.expectedErr))
-		})
-	}
-}
-
-func TestDecodePlatform(t *testing.T) {
-	tests := []struct {
-		doc          string
-		platformJSON string
-		expected     *ocispec.Platform
-		expectedErr  string
-	}{
-		{
-			doc:         "empty platform",
-			expectedErr: `failed to parse platform: unexpected end of JSON input`,
-		},
-		{
-			doc:          "not JSON",
-			platformJSON: `linux/ams64`,
-			expectedErr:  `failed to parse platform: invalid character 'l' looking for beginning of value`,
-		},
-		{
-			doc:          "malformed JSON",
-			platformJSON: `{"architecture"`,
-			expectedErr:  `failed to parse platform: unexpected end of JSON input`,
-		},
-		{
-			doc:          "missing os",
-			platformJSON: `{"architecture":"amd64","os":""}`,
-			expectedErr:  `both OS and Architecture must be provided`,
-		},
-		{
-			doc:          "variant without architecture",
-			platformJSON: `{"architecture":"","os":"","variant":"v7"}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "missing architecture",
-			platformJSON: `{"architecture":"","os":"linux"}`,
-			expectedErr:  `both OS and Architecture must be provided`,
-		},
-		{
-			doc:          "os.version without os and architecture",
-			platformJSON: `{"architecture":"","os":"","os.version":"12.0"}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "os.features without os and architecture",
-			platformJSON: `{"architecture":"","os":"","os.features":["a","b"]}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "valid platform",
-			platformJSON: `{"architecture":"arm64","os":"linux","os.version":"12.0", "os.features":["a","b"], "variant": "v7"}`,
-			expected: &ocispec.Platform{
-				Architecture: "arm64",
-				OS:           "linux",
-				OSVersion:    "12.0",
-				OSFeatures:   []string{"a", "b"},
-				Variant:      "v7",
-			},
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.doc, func(t *testing.T) {
-			p, err := DecodePlatform(tc.platformJSON)
-			assert.Check(t, is.DeepEqual(p, tc.expected))
-			if tc.expectedErr != "" {
-				assert.Check(t, cerrdefs.IsInvalidArgument(err))
-				assert.Check(t, is.Error(err, tc.expectedErr))
-			} else {
-				assert.Check(t, err)
-			}
+			_, err = DecodePlatform(string(js))
+			assert.Check(t, errdefs.IsInvalidParameter(err))
 		})
 	}
 }
--- a/api/server/httputils/httputils.go
+++ b/api/server/httputils/httputils.go
@@ -1,4 +1,4 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
 	"context"
@@ -74,7 +74,7 @@ func ReadJSON(r *http.Request, out interface{}) error {
 	err = dec.Decode(out)
 	defer r.Body.Close()
 	if err != nil {
-		if errors.Is(err, io.EOF) {
+		if err == io.EOF {
 			return errdefs.InvalidParameter(errors.New("invalid JSON: got EOF while reading request body"))
 		}
 		return errdefs.InvalidParameter(errors.Wrap(err, "invalid JSON"))
--- a/api/server/httputils/httputils_test.go
+++ b/api/server/httputils/httputils_test.go
@@ -1,4 +1,4 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
 	"net/http"
@@ -33,7 +33,7 @@ func TestJsonContentType(t *testing.T) {

 func TestReadJSON(t *testing.T) {
 	t.Run("nil body", func(t *testing.T) {
-		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", http.NoBody)
+		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", nil)
 		if err != nil {
 			t.Error(err)
 		}
--- a/api/server/httputils/write_log_stream.go
+++ b/api/server/httputils/write_log_stream.go
@@ -1,4 +1,4 @@
-package httputils
+package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
 	"context"
@@ -11,13 +11,10 @@ import (
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/pkg/stdcopy"
 )

-// rfc3339NanoFixed is time.RFC3339Nano with nanoseconds padded using zeros to
-// ensure the formatted time isalways the same number of characters.
-const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
-
 // WriteLogStream writes an encoded byte stream of log messages from the
 // messages channel, multiplexing them with a stdcopy.Writer if mux is true
 func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
@@ -56,7 +53,7 @@ func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backe
 			logLine = append(logLine, msg.Line...)
 		}
 		if config.Timestamps {
-			logLine = append([]byte(msg.Timestamp.Format(rfc3339NanoFixed)+" "), logLine...)
+			logLine = append([]byte(msg.Timestamp.Format(jsonmessage.RFC3339NanoFixed)+" "), logLine...)
 		}
 		if msg.Source == "stdout" && config.ShowStdout {
 			_, _ = outStream.Write(logLine)
--- a/api/server/middleware.go
+++ b/api/server/middleware.go
@@ -1,4 +1,4 @@
-package server
+package server // import "github.com/docker/docker/api/server"

 import (
 	"github.com/containerd/log"
--- a/api/server/middleware/cors.go
+++ b/api/server/middleware/cors.go
@@ -0,0 +1,42 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/containerd/log"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// CORSMiddleware injects CORS headers to each request
+// when it's configured.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
+type CORSMiddleware struct {
+	defaultHeaders string
+}
+
+// NewCORSMiddleware creates a new CORSMiddleware with default headers.
+//
+// Deprecated: CORS headers should not be set on the API. This feature will be removed in the next release.
+func NewCORSMiddleware(d string) CORSMiddleware {
+	return CORSMiddleware{defaultHeaders: d}
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (c CORSMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		// If "api-cors-header" is not given, but "api-enable-cors" is true, we set cors to "*"
+		// otherwise, all head values will be passed to HTTP handler
+		corsHeaders := c.defaultHeaders
+		if corsHeaders == "" {
+			corsHeaders = "*"
+		}
+
+		log.G(ctx).Debugf("CORS header is enabled and set to: %s", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Origin", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, "+registry.AuthHeader)
+		w.Header().Add("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE, PUT, OPTIONS")
+		return handler(ctx, w, r, vars)
+	}
+}
--- a/api/server/middleware/debug.go
+++ b/api/server/middleware/debug.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"bufio"
@@ -9,46 +9,24 @@ import (
 	"strings"

 	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/pkg/ioutils"
-	"github.com/sirupsen/logrus"
 )

 // DebugRequestMiddleware dumps the request to logger
 func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		logger := log.G(ctx)
-
-		// Use a variable for fields to prevent overhead of repeatedly
-		// calling WithFields.
-		fields := log.Fields{
-			"module":      "api",
-			"method":      r.Method,
-			"request-url": r.RequestURI,
-			"vars":        vars,
-		}
-		handleWithLogs := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-			logger.WithFields(fields).Debugf("handling %s request", r.Method)
-			err := handler(ctx, w, r, vars)
-			if err != nil {
-				// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
-				fields["error-response"] = err
-				fields["status"] = httpstatus.FromError(err)
-				logger.WithFields(fields).Debugf("error response for %s request", r.Method)
-			}
-			return err
-		}
+		log.G(ctx).Debugf("Calling %s %s", r.Method, r.RequestURI)

 		if r.Method != http.MethodPost {
-			return handleWithLogs(ctx, w, r, vars)
+			return handler(ctx, w, r, vars)
 		}
 		if err := httputils.CheckForJSON(r); err != nil {
-			return handleWithLogs(ctx, w, r, vars)
+			return handler(ctx, w, r, vars)
 		}
 		maxBodySize := 4096 // 4KB
 		if r.ContentLength > int64(maxBodySize) {
-			return handleWithLogs(ctx, w, r, vars)
+			return handler(ctx, w, r, vars)
 		}

 		body := r.Body
@@ -58,25 +36,21 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 		b, err := bufReader.Peek(maxBodySize)
 		if err != io.EOF {
 			// either there was an error reading, or the buffer is full (in which case the request is too large)
-			return handleWithLogs(ctx, w, r, vars)
+			return handler(ctx, w, r, vars)
 		}

 		var postForm map[string]interface{}
 		if err := json.Unmarshal(b, &postForm); err == nil {
 			maskSecretKeys(postForm)
-			// TODO(thaJeztah): is there a better way to detect if we're using JSON-formatted logs?
-			if _, ok := logger.Logger.Formatter.(*logrus.JSONFormatter); ok {
-				fields["form-data"] = postForm
+			formStr, errMarshal := json.Marshal(postForm)
+			if errMarshal == nil {
+				log.G(ctx).Debugf("form data: %s", string(formStr))
 			} else {
-				if data, err := json.Marshal(postForm); err != nil {
-					fields["form-data"] = postForm
-				} else {
-					fields["form-data"] = string(data)
-				}
+				log.G(ctx).Debugf("form data: %q", postForm)
 			}
 		}

-		return handleWithLogs(ctx, w, r, vars)
+		return handler(ctx, w, r, vars)
 	}
 }

--- a/api/server/middleware/debug_test.go
+++ b/api/server/middleware/debug_test.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"testing"
--- a/api/server/middleware/experimental.go
+++ b/api/server/middleware/experimental.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"context"
--- a/api/server/middleware/middleware.go
+++ b/api/server/middleware/middleware.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"context"
--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"context"
@@ -67,8 +67,8 @@ func (e versionUnsupportedError) InvalidParameter() {}
 func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("Api-Version", v.defaultAPIVersion)
-		w.Header().Set("Ostype", runtime.GOOS)
+		w.Header().Set("API-Version", v.defaultAPIVersion)
+		w.Header().Set("OSType", runtime.GOOS)

 		apiVersion := vars["version"]
 		if apiVersion == "" {
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -1,4 +1,4 @@
-package middleware
+package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"context"
@@ -56,6 +56,7 @@ func TestNewVersionMiddlewareValidation(t *testing.T) {
 	}

 	for _, tc := range tests {
+		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			_, err := NewVersionMiddleware("1.2.3", tc.defaultVersion, tc.minVersion)
 			if tc.expectedErr == "" {
@@ -79,7 +80,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)

-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()

@@ -121,7 +122,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, v != "")
+		assert.Check(t, len(v) != 0)
 		return nil
 	}

@@ -129,7 +130,7 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)

-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()

@@ -140,6 +141,6 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	hdr := resp.Result().Header
 	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
 	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("Api-Version"), api.DefaultVersion))
-	assert.Check(t, is.Equal(hdr.Get("Ostype"), runtime.GOOS))
+	assert.Check(t, is.Equal(hdr.Get("API-Version"), api.DefaultVersion))
+	assert.Check(t, is.Equal(hdr.Get("OSType"), runtime.GOOS))
 }
--- a/api/server/router/build/backend.go
+++ b/api/server/router/build/backend.go
@@ -1,10 +1,10 @@
-package build
+package build // import "github.com/docker/docker/api/server/router/build"

 import (
 	"context"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
 )

 // Backend abstracts an image builder whose only purpose is to build an image referenced by an imageID.
@@ -13,8 +13,8 @@ type Backend interface {
 	// TODO: make this return a reference instead of string
 	Build(context.Context, backend.BuildConfig) (string, error)

-	// PruneCache prunes the build cache.
-	PruneCache(context.Context, build.CachePruneOptions) (*build.CachePruneReport, error)
+	// Prune build cache
+	PruneCache(context.Context, types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
 	Cancel(context.Context, string) error
 }

--- a/api/server/router/build/build.go
+++ b/api/server/router/build/build.go
@@ -1,10 +1,10 @@
-package build
+package build // import "github.com/docker/docker/api/server/router/build"

 import (
 	"runtime"

 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/api/types/build"
+	"github.com/docker/docker/api/types"
 )

 // buildRouter is a router to talk with the build controller
@@ -25,15 +25,15 @@ func NewRouter(b Backend, d experimentalProvider) router.Router {
 }

 // Routes returns the available routers to the build controller
-func (br *buildRouter) Routes() []router.Route {
-	return br.routes
+func (r *buildRouter) Routes() []router.Route {
+	return r.routes
 }

-func (br *buildRouter) initRoutes() {
-	br.routes = []router.Route{
-		router.NewPostRoute("/build", br.postBuild),
-		router.NewPostRoute("/build/prune", br.postPrune),
-		router.NewPostRoute("/build/cancel", br.postCancel),
+func (r *buildRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewPostRoute("/build", r.postBuild),
+		router.NewPostRoute("/build/prune", r.postPrune),
+		router.NewPostRoute("/build/cancel", r.postCancel),
 	}
 }

@@ -46,22 +46,15 @@ func (br *buildRouter) initRoutes() {
 //
 // This value is only a recommendation as advertised by the daemon, and it is
 // up to the client to choose which builder to use.
-func BuilderVersion(features map[string]bool) build.BuilderVersion {
+func BuilderVersion(features map[string]bool) types.BuilderVersion {
 	// TODO(thaJeztah) move the default to daemon/config
-	bv := build.BuilderBuildKit
 	if runtime.GOOS == "windows" {
-		// BuildKit is not yet the default on Windows.
-		bv = build.BuilderV1
+		return types.BuilderV1
 	}

-	// Allow the features field in the daemon config to override the
-	// default builder to advertise.
-	if enable, ok := features["buildkit"]; ok {
-		if enable {
-			bv = build.BuilderBuildKit
-		} else {
-			bv = build.BuilderV1
-		}
+	bv := types.BuilderBuildKit
+	if v, ok := features["buildkit"]; ok && !v {
+		bv = types.BuilderV1
 	}
 	return bv
 }
--- a/api/server/router/build/build_routes.go
+++ b/api/server/router/build/build_routes.go
@@ -1,4 +1,4 @@
-package build
+package build // import "github.com/docker/docker/api/server/router/build"

 import (
 	"bufio"
@@ -13,12 +13,11 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -35,9 +34,9 @@ type invalidParam struct {

 func (e invalidParam) InvalidParameter() {}

-func newImageBuildOptions(ctx context.Context, r *http.Request) (*build.ImageBuildOptions, error) {
-	options := &build.ImageBuildOptions{
-		Version:        build.BuilderV1, // Builder V1 is the default, but can be overridden
+func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBuildOptions, error) {
+	options := &types.ImageBuildOptions{
+		Version:        types.BuilderV1, // Builder V1 is the default, but can be overridden
 		Dockerfile:     r.FormValue("dockerfile"),
 		SuppressOutput: httputils.BoolValue(r, "q"),
 		NoCache:        httputils.BoolValue(r, "nocache"),
@@ -81,7 +80,7 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*build.ImageBui
 	if versions.GreaterThanOrEqualTo(version, "1.40") {
 		outputsJSON := r.FormValue("outputs")
 		if outputsJSON != "" {
-			var outputs []build.ImageBuildOutput
+			var outputs []types.ImageBuildOutput
 			if err := json.Unmarshal([]byte(outputsJSON), &outputs); err != nil {
 				return nil, invalidParam{errors.Wrap(err, "invalid outputs specified")}
 			}
@@ -159,12 +158,12 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*build.ImageBui
 	return options, nil
 }

-func parseVersion(s string) (build.BuilderVersion, error) {
-	switch build.BuilderVersion(s) {
-	case build.BuilderV1:
-		return build.BuilderV1, nil
-	case build.BuilderBuildKit:
-		return build.BuilderBuildKit, nil
+func parseVersion(s string) (types.BuilderVersion, error) {
+	switch types.BuilderVersion(s) {
+	case types.BuilderV1:
+		return types.BuilderV1, nil
+	case types.BuilderBuildKit:
+		return types.BuilderBuildKit, nil
 	default:
 		return "", invalidParam{errors.Errorf("invalid version %q", s)}
 	}
@@ -178,56 +177,19 @@ func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *
 	if err != nil {
 		return err
 	}
-
-	opts := build.CachePruneOptions{
-		All:     httputils.BoolValue(r, "all"),
-		Filters: fltrs,
+	ksfv := r.FormValue("keep-storage")
+	if ksfv == "" {
+		ksfv = "0"
+	}
+	ks, err := strconv.Atoi(ksfv)
+	if err != nil {
+		return invalidParam{errors.Wrapf(err, "keep-storage is in bytes and expects an integer, got %v", ksfv)}
 	}

-	parseBytesFromFormValue := func(name string) (int64, error) {
-		if fv := r.FormValue(name); fv != "" {
-			bs, err := strconv.Atoi(fv)
-			if err != nil {
-				return 0, invalidParam{errors.Wrapf(err, "%s is in bytes and expects an integer, got %v", name, fv)}
-			}
-			return int64(bs), nil
-		}
-		return 0, nil
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.GreaterThanOrEqualTo(version, "1.48") {
-		if bs, err := parseBytesFromFormValue("reserved-space"); err != nil {
-			return err
-		} else {
-			if bs == 0 {
-				// Deprecated parameter. Only checked if reserved-space is not used.
-				bs, err = parseBytesFromFormValue("keep-storage")
-				if err != nil {
-					return err
-				}
-			}
-			opts.ReservedSpace = bs
-		}
-
-		if bs, err := parseBytesFromFormValue("max-used-space"); err != nil {
-			return err
-		} else {
-			opts.MaxUsedSpace = bs
-		}
-
-		if bs, err := parseBytesFromFormValue("min-free-space"); err != nil {
-			return err
-		} else {
-			opts.MinFreeSpace = bs
-		}
-	} else {
-		// Only keep-storage was valid in pre-1.48 versions.
-		if bs, err := parseBytesFromFormValue("keep-storage"); err != nil {
-			return err
-		} else {
-			opts.ReservedSpace = bs
-		}
+	opts := types.BuildCachePruneOptions{
+		All:         httputils.BoolValue(r, "all"),
+		Filters:     fltrs,
+		KeepStorage: int64(ks),
 	}

 	report, err := br.backend.PruneCache(ctx, opts)
@@ -282,9 +244,8 @@ func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *
 			return err
 		}
 		_, err = output.Write(streamformatter.FormatError(err))
-		// don't log broken pipe errors as this is the normal case when a client aborts.
-		if err != nil && !errors.Is(err, syscall.EPIPE) {
-			log.G(ctx).WithError(err).Warn("could not write error response")
+		if err != nil {
+			log.G(ctx).Warnf("could not write error response: %v", err)
 		}
 		return nil
 	}
@@ -319,9 +280,6 @@ func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *
 		ProgressWriter: buildProgressWriter(out, wantAux, createProgressReader),
 	})
 	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.G(ctx).Debug("build canceled")
-		}
 		return errf(err)
 	}

@@ -353,14 +311,14 @@ type syncWriter struct {
 	mu sync.Mutex
 }

-func (s *syncWriter) Write(b []byte) (int, error) {
+func (s *syncWriter) Write(b []byte) (count int, err error) {
 	s.mu.Lock()
-	defer s.mu.Unlock()
-	return s.w.Write(b)
+	count, err = s.w.Write(b)
+	s.mu.Unlock()
+	return
 }

 func buildProgressWriter(out io.Writer, wantAux bool, createProgressReader func(io.ReadCloser) io.ReadCloser) backend.ProgressWriter {
-	// see https://github.com/moby/moby/pull/21406
 	out = &syncWriter{w: out}

 	var aux *streamformatter.AuxFormatter
@@ -381,12 +339,8 @@ type flusher interface {
 	Flush()
 }

-type nopFlusher struct{}
-
-func (f *nopFlusher) Flush() {}
-
 func wrapOutputBufferedUntilRequestRead(rc io.ReadCloser, out io.Writer) (io.ReadCloser, io.Writer) {
-	var fl flusher = &nopFlusher{}
+	var fl flusher = &ioutils.NopFlusher{}
 	if f, ok := out.(flusher); ok {
 		fl = f
 	}
--- a/api/server/router/checkpoint/backend.go
+++ b/api/server/router/checkpoint/backend.go
@@ -1,4 +1,4 @@
-package checkpoint
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"

 import "github.com/docker/docker/api/types/checkpoint"

--- a/api/server/router/checkpoint/checkpoint.go
+++ b/api/server/router/checkpoint/checkpoint.go
@@ -1,4 +1,4 @@
-package checkpoint
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"

 import (
 	"github.com/docker/docker/api/server/httputils"
@@ -23,14 +23,14 @@ func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
 }

 // Routes returns the available routers to the checkpoint controller
-func (cr *checkpointRouter) Routes() []router.Route {
-	return cr.routes
+func (r *checkpointRouter) Routes() []router.Route {
+	return r.routes
 }

-func (cr *checkpointRouter) initRoutes() {
-	cr.routes = []router.Route{
-		router.NewGetRoute("/containers/{name:.*}/checkpoints", cr.getContainerCheckpoints, router.Experimental),
-		router.NewPostRoute("/containers/{name:.*}/checkpoints", cr.postContainerCheckpoint, router.Experimental),
-		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", cr.deleteContainerCheckpoint, router.Experimental),
+func (r *checkpointRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewGetRoute("/containers/{name:.*}/checkpoints", r.getContainerCheckpoints, router.Experimental),
+		router.NewPostRoute("/containers/{name:.*}/checkpoints", r.postContainerCheckpoint, router.Experimental),
+		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", r.deleteContainerCheckpoint, router.Experimental),
 	}
 }
--- a/api/server/router/checkpoint/checkpoint_routes.go
+++ b/api/server/router/checkpoint/checkpoint_routes.go
@@ -1,4 +1,4 @@
-package checkpoint
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"

 import (
 	"context"
@@ -8,7 +8,7 @@ import (
 	"github.com/docker/docker/api/types/checkpoint"
 )

-func (cr *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -18,7 +18,7 @@ func (cr *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.
 		return err
 	}

-	err := cr.backend.CheckpointCreate(vars["name"], options)
+	err := s.backend.CheckpointCreate(vars["name"], options)
 	if err != nil {
 		return err
 	}
@@ -27,30 +27,27 @@ func (cr *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.
 	return nil
 }

-func (cr *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	checkpoints, err := cr.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
+	checkpoints, err := s.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
 		CheckpointDir: r.Form.Get("dir"),
 	})
 	if err != nil {
 		return err
 	}
-	if checkpoints == nil {
-		checkpoints = []checkpoint.Summary{}
-	}

 	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
 }

-func (cr *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	err := cr.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
+	err := s.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
 		CheckpointDir: r.Form.Get("dir"),
 		CheckpointID:  vars["checkpoint"],
 	})
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -1,20 +1,22 @@
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"context"
 	"io"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
-	"github.com/moby/go-archive"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/archive"
 )

 // execBackend includes functions to implement to provide exec functionality.
 type execBackend interface {
 	ContainerExecCreate(name string, options *container.ExecOptions) (string, error)
 	ContainerExecInspect(id string) (*backend.ExecInspect, error)
-	ContainerExecResize(ctx context.Context, name string, height, width uint32) error
+	ContainerExecResize(name string, height, width int) error
 	ContainerExecStart(ctx context.Context, name string, options backend.ExecStartConfig) error
 	ExecExists(name string) (bool, error)
 }
@@ -33,24 +35,24 @@ type stateBackend interface {
 	ContainerKill(name string, signal string) error
 	ContainerPause(name string) error
 	ContainerRename(oldName, newName string) error
-	ContainerResize(ctx context.Context, name string, height, width uint32) error
+	ContainerResize(name string, height, width int) error
 	ContainerRestart(ctx context.Context, name string, options container.StopOptions) error
 	ContainerRm(name string, config *backend.ContainerRmConfig) error
 	ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error
 	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
 	ContainerUnpause(name string) error
-	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.UpdateResponse, error)
-	ContainerWait(ctx context.Context, name string, condition container.WaitCondition) (<-chan container.StateStatus, error)
+	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error)
+	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
 }

 // monitorBackend includes functions to implement to provide containers monitoring functionality.
 type monitorBackend interface {
 	ContainerChanges(ctx context.Context, name string) ([]archive.Change, error)
-	ContainerInspect(ctx context.Context, name string, options backend.ContainerInspectOptions) (*container.InspectResponse, error)
+	ContainerInspect(ctx context.Context, name string, size bool, version string) (interface{}, error)
 	ContainerLogs(ctx context.Context, name string, config *container.LogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
 	ContainerStats(ctx context.Context, name string, config *backend.ContainerStatsConfig) error
-	ContainerTop(name string, psArgs string) (*container.TopResponse, error)
-	Containers(ctx context.Context, config *container.ListOptions) ([]*container.Summary, error)
+	ContainerTop(name string, psArgs string) (*container.ContainerTopOKBody, error)
+	Containers(ctx context.Context, config *container.ListOptions) ([]*types.Container, error)
 }

 // attachBackend includes function to implement to provide container attaching functionality.
--- a/api/server/router/container/container.go
+++ b/api/server/router/container/container.go
@@ -1,4 +1,4 @@
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"github.com/docker/docker/api/server/httputils"
@@ -25,47 +25,47 @@ func NewRouter(b Backend, decoder httputils.ContainerDecoder, cgroup2 bool) rout
 }

 // Routes returns the available routes to the container controller
-func (c *containerRouter) Routes() []router.Route {
-	return c.routes
+func (r *containerRouter) Routes() []router.Route {
+	return r.routes
 }

 // initRoutes initializes the routes in container router
-func (c *containerRouter) initRoutes() {
-	c.routes = []router.Route{
+func (r *containerRouter) initRoutes() {
+	r.routes = []router.Route{
 		// HEAD
-		router.NewHeadRoute("/containers/{name:.*}/archive", c.headContainersArchive),
+		router.NewHeadRoute("/containers/{name:.*}/archive", r.headContainersArchive),
 		// GET
-		router.NewGetRoute("/containers/json", c.getContainersJSON),
-		router.NewGetRoute("/containers/{name:.*}/export", c.getContainersExport),
-		router.NewGetRoute("/containers/{name:.*}/changes", c.getContainersChanges),
-		router.NewGetRoute("/containers/{name:.*}/json", c.getContainersByName),
-		router.NewGetRoute("/containers/{name:.*}/top", c.getContainersTop),
-		router.NewGetRoute("/containers/{name:.*}/logs", c.getContainersLogs),
-		router.NewGetRoute("/containers/{name:.*}/stats", c.getContainersStats),
-		router.NewGetRoute("/containers/{name:.*}/attach/ws", c.wsContainersAttach),
-		router.NewGetRoute("/exec/{id:.*}/json", c.getExecByID),
-		router.NewGetRoute("/containers/{name:.*}/archive", c.getContainersArchive),
+		router.NewGetRoute("/containers/json", r.getContainersJSON),
+		router.NewGetRoute("/containers/{name:.*}/export", r.getContainersExport),
+		router.NewGetRoute("/containers/{name:.*}/changes", r.getContainersChanges),
+		router.NewGetRoute("/containers/{name:.*}/json", r.getContainersByName),
+		router.NewGetRoute("/containers/{name:.*}/top", r.getContainersTop),
+		router.NewGetRoute("/containers/{name:.*}/logs", r.getContainersLogs),
+		router.NewGetRoute("/containers/{name:.*}/stats", r.getContainersStats),
+		router.NewGetRoute("/containers/{name:.*}/attach/ws", r.wsContainersAttach),
+		router.NewGetRoute("/exec/{id:.*}/json", r.getExecByID),
+		router.NewGetRoute("/containers/{name:.*}/archive", r.getContainersArchive),
 		// POST
-		router.NewPostRoute("/containers/create", c.postContainersCreate),
-		router.NewPostRoute("/containers/{name:.*}/kill", c.postContainersKill),
-		router.NewPostRoute("/containers/{name:.*}/pause", c.postContainersPause),
-		router.NewPostRoute("/containers/{name:.*}/unpause", c.postContainersUnpause),
-		router.NewPostRoute("/containers/{name:.*}/restart", c.postContainersRestart),
-		router.NewPostRoute("/containers/{name:.*}/start", c.postContainersStart),
-		router.NewPostRoute("/containers/{name:.*}/stop", c.postContainersStop),
-		router.NewPostRoute("/containers/{name:.*}/wait", c.postContainersWait),
-		router.NewPostRoute("/containers/{name:.*}/resize", c.postContainersResize),
-		router.NewPostRoute("/containers/{name:.*}/attach", c.postContainersAttach),
-		router.NewPostRoute("/containers/{name:.*}/exec", c.postContainerExecCreate),
-		router.NewPostRoute("/exec/{name:.*}/start", c.postContainerExecStart),
-		router.NewPostRoute("/exec/{name:.*}/resize", c.postContainerExecResize),
-		router.NewPostRoute("/containers/{name:.*}/rename", c.postContainerRename),
-		router.NewPostRoute("/containers/{name:.*}/update", c.postContainerUpdate),
-		router.NewPostRoute("/containers/prune", c.postContainersPrune),
-		router.NewPostRoute("/commit", c.postCommit),
+		router.NewPostRoute("/containers/create", r.postContainersCreate),
+		router.NewPostRoute("/containers/{name:.*}/kill", r.postContainersKill),
+		router.NewPostRoute("/containers/{name:.*}/pause", r.postContainersPause),
+		router.NewPostRoute("/containers/{name:.*}/unpause", r.postContainersUnpause),
+		router.NewPostRoute("/containers/{name:.*}/restart", r.postContainersRestart),
+		router.NewPostRoute("/containers/{name:.*}/start", r.postContainersStart),
+		router.NewPostRoute("/containers/{name:.*}/stop", r.postContainersStop),
+		router.NewPostRoute("/containers/{name:.*}/wait", r.postContainersWait),
+		router.NewPostRoute("/containers/{name:.*}/resize", r.postContainersResize),
+		router.NewPostRoute("/containers/{name:.*}/attach", r.postContainersAttach),
+		router.NewPostRoute("/containers/{name:.*}/exec", r.postContainerExecCreate),
+		router.NewPostRoute("/exec/{name:.*}/start", r.postContainerExecStart),
+		router.NewPostRoute("/exec/{name:.*}/resize", r.postContainerExecResize),
+		router.NewPostRoute("/containers/{name:.*}/rename", r.postContainerRename),
+		router.NewPostRoute("/containers/{name:.*}/update", r.postContainerUpdate),
+		router.NewPostRoute("/containers/prune", r.postContainersPrune),
+		router.NewPostRoute("/commit", r.postCommit),
 		// PUT
-		router.NewPutRoute("/containers/{name:.*}/archive", c.putContainersArchive),
+		router.NewPutRoute("/containers/{name:.*}/archive", r.putContainersArchive),
 		// DELETE
-		router.NewDeleteRoute("/containers/{name:.*}", c.deleteContainers),
+		router.NewDeleteRoute("/containers/{name:.*}", r.deleteContainers),
 	}
 }
--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -1,4 +1,4 @@
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"context"
@@ -10,8 +10,8 @@ import (
 	"strconv"
 	"strings"

+	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/log"
-	"github.com/containerd/platforms"
 	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
@@ -21,6 +21,7 @@ import (
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
+	containerpkg "github.com/docker/docker/container"
 	networkSettings "github.com/docker/docker/daemon/network"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork/netlabel"
@@ -32,7 +33,7 @@ import (
 	"golang.org/x/net/websocket"
 )

-func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -48,7 +49,7 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 	// are discarded here, but decoder.DecodeConfig also performs validation,
 	// so a request containing those additional fields would result in a
 	// validation error.
-	config, _, _, err := c.decoder.DecodeConfig(r.Body)
+	config, _, _, err := s.decoder.DecodeConfig(r.Body)
 	if err != nil && !errors.Is(err, io.EOF) { // Do not fail if body is empty.
 		return err
 	}
@@ -58,7 +59,7 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return errdefs.InvalidParameter(err)
 	}

-	imgID, err := c.backend.CreateImageFromContainer(ctx, r.Form.Get("container"), &backend.CreateImageConfig{
+	imgID, err := s.backend.CreateImageFromContainer(ctx, r.Form.Get("container"), &backend.CreateImageConfig{
 		Pause:   httputils.BoolValueOrDefault(r, "pause", true), // TODO(dnephin): remove pause arg, and always pause in backend
 		Tag:     ref,
 		Author:  r.Form.Get("author"),
@@ -70,10 +71,10 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &container.CommitResponse{ID: imgID})
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{ID: imgID})
 }

-func (c *containerRouter) getContainersJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -98,7 +99,7 @@ func (c *containerRouter) getContainersJSON(ctx context.Context, w http.Response
 		config.Limit = limit
 	}

-	containers, err := c.backend.Containers(ctx, config)
+	containers, err := s.backend.Containers(ctx, config)
 	if err != nil {
 		return err
 	}
@@ -112,17 +113,10 @@ func (c *containerRouter) getContainersJSON(ctx context.Context, w http.Response
 		}
 	}

-	if versions.LessThan(version, "1.48") {
-		// ImageManifestDescriptor information was added in API 1.48
-		for _, c := range containers {
-			c.ImageManifestDescriptor = nil
-		}
-	}
-
 	return httputils.WriteJSON(w, http.StatusOK, containers)
 }

-func (c *containerRouter) getContainersStats(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersStats(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -136,7 +130,7 @@ func (c *containerRouter) getContainersStats(ctx context.Context, w http.Respons
 		oneShot = httputils.BoolValueOrDefault(r, "one-shot", false)
 	}

-	return c.backend.ContainerStats(ctx, vars["name"], &backend.ContainerStatsConfig{
+	return s.backend.ContainerStats(ctx, vars["name"], &backend.ContainerStatsConfig{
 		Stream:  stream,
 		OneShot: oneShot,
 		OutStream: func() io.Writer {
@@ -152,7 +146,7 @@ func (c *containerRouter) getContainersStats(ctx context.Context, w http.Respons
 	})
 }

-func (c *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -163,7 +157,7 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 	// any error after the stream starts (i.e. container not found, wrong parameters)
 	// with the appropriate status code.
 	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
-	if !stdout && !stderr {
+	if !(stdout || stderr) {
 		return errdefs.InvalidParameter(errors.New("Bad parameters: you must choose at least one stream"))
 	}

@@ -179,7 +173,7 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 		Details:    httputils.BoolValue(r, "details"),
 	}

-	msgs, tty, err := c.backend.ContainerLogs(ctx, containerName, logsConfig)
+	msgs, tty, err := s.backend.ContainerLogs(ctx, containerName, logsConfig)
 	if err != nil {
 		return err
 	}
@@ -198,11 +192,11 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 	return nil
 }

-func (c *containerRouter) getContainersExport(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return c.backend.ContainerExport(ctx, vars["name"], w)
+func (s *containerRouter) getContainersExport(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return s.backend.ContainerExport(ctx, vars["name"], w)
 }

-func (c *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	ctx, span := otel.Tracer("").Start(ctx, "containerRouter.postContainersStart")
 	defer span.End()

@@ -222,7 +216,7 @@ func (c *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 		return err
 	}

-	if err := c.backend.ContainerStart(ctx, vars["name"], r.Form.Get("checkpoint"), r.Form.Get("checkpoint-dir")); err != nil {
+	if err := s.backend.ContainerStart(ctx, vars["name"], r.Form.Get("checkpoint"), r.Form.Get("checkpoint-dir")); err != nil {
 		return err
 	}

@@ -230,7 +224,7 @@ func (c *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 	return nil
 }

-func (c *containerRouter) postContainersStop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersStop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -250,7 +244,7 @@ func (c *containerRouter) postContainersStop(ctx context.Context, w http.Respons
 		options.Timeout = &valSeconds
 	}

-	if err := c.backend.ContainerStop(ctx, vars["name"], options); err != nil {
+	if err := s.backend.ContainerStop(ctx, vars["name"], options); err != nil {
 		return err
 	}

@@ -258,13 +252,13 @@ func (c *containerRouter) postContainersStop(ctx context.Context, w http.Respons
 	return nil
 }

-func (c *containerRouter) postContainersKill(_ context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersKill(_ context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

 	name := vars["name"]
-	if err := c.backend.ContainerKill(name, r.Form.Get("signal")); err != nil {
+	if err := s.backend.ContainerKill(name, r.Form.Get("signal")); err != nil {
 		return errors.Wrapf(err, "cannot kill container: %s", name)
 	}

@@ -272,7 +266,7 @@ func (c *containerRouter) postContainersKill(_ context.Context, w http.ResponseW
 	return nil
 }

-func (c *containerRouter) postContainersRestart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersRestart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -292,7 +286,7 @@ func (c *containerRouter) postContainersRestart(ctx context.Context, w http.Resp
 		options.Timeout = &valSeconds
 	}

-	if err := c.backend.ContainerRestart(ctx, vars["name"], options); err != nil {
+	if err := s.backend.ContainerRestart(ctx, vars["name"], options); err != nil {
 		return err
 	}

@@ -300,12 +294,12 @@ func (c *containerRouter) postContainersRestart(ctx context.Context, w http.Resp
 	return nil
 }

-func (c *containerRouter) postContainersPause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersPause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	if err := c.backend.ContainerPause(vars["name"]); err != nil {
+	if err := s.backend.ContainerPause(vars["name"]); err != nil {
 		return err
 	}

@@ -314,12 +308,12 @@ func (c *containerRouter) postContainersPause(ctx context.Context, w http.Respon
 	return nil
 }

-func (c *containerRouter) postContainersUnpause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersUnpause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	if err := c.backend.ContainerUnpause(vars["name"]); err != nil {
+	if err := s.backend.ContainerUnpause(vars["name"]); err != nil {
 		return err
 	}

@@ -328,7 +322,7 @@ func (c *containerRouter) postContainersUnpause(ctx context.Context, w http.Resp
 	return nil
 }

-func (c *containerRouter) postContainersWait(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersWait(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	// Behavior changed in version 1.30 to handle wait condition and to
 	// return headers immediately.
 	version := httputils.VersionFromContext(ctx)
@@ -336,7 +330,7 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 	legacyRemovalWaitPre134 := false

 	// The wait condition defaults to "not-running".
-	waitCondition := container.WaitConditionNotRunning
+	waitCondition := containerpkg.WaitConditionNotRunning
 	if !legacyBehaviorPre130 {
 		if err := httputils.ParseForm(r); err != nil {
 			return err
@@ -344,11 +338,11 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 		if v := r.Form.Get("condition"); v != "" {
 			switch container.WaitCondition(v) {
 			case container.WaitConditionNotRunning:
-				waitCondition = container.WaitConditionNotRunning
+				waitCondition = containerpkg.WaitConditionNotRunning
 			case container.WaitConditionNextExit:
-				waitCondition = container.WaitConditionNextExit
+				waitCondition = containerpkg.WaitConditionNextExit
 			case container.WaitConditionRemoved:
-				waitCondition = container.WaitConditionRemoved
+				waitCondition = containerpkg.WaitConditionRemoved
 				legacyRemovalWaitPre134 = versions.LessThan(version, "1.34")
 			default:
 				return errdefs.InvalidParameter(errors.Errorf("invalid condition: %q", v))
@@ -356,7 +350,7 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 		}
 	}

-	waitC, err := c.backend.ContainerWait(ctx, vars["name"], waitCondition)
+	waitC, err := s.backend.ContainerWait(ctx, vars["name"], waitCondition)
 	if err != nil {
 		return err
 	}
@@ -393,8 +387,8 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 	})
 }

-func (c *containerRouter) getContainersChanges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	changes, err := c.backend.ContainerChanges(ctx, vars["name"])
+func (s *containerRouter) getContainersChanges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	changes, err := s.backend.ContainerChanges(ctx, vars["name"])
 	if err != nil {
 		return err
 	}
@@ -402,12 +396,12 @@ func (c *containerRouter) getContainersChanges(ctx context.Context, w http.Respo
 	return httputils.WriteJSON(w, http.StatusOK, changes)
 }

-func (c *containerRouter) getContainersTop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersTop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	procList, err := c.backend.ContainerTop(vars["name"], r.Form.Get("ps_args"))
+	procList, err := s.backend.ContainerTop(vars["name"], r.Form.Get("ps_args"))
 	if err != nil {
 		return err
 	}
@@ -415,21 +409,21 @@ func (c *containerRouter) getContainersTop(ctx context.Context, w http.ResponseW
 	return httputils.WriteJSON(w, http.StatusOK, procList)
 }

-func (c *containerRouter) postContainerRename(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerRename(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

 	name := vars["name"]
 	newName := r.Form.Get("name")
-	if err := c.backend.ContainerRename(name, newName); err != nil {
+	if err := s.backend.ContainerRename(name, newName); err != nil {
 		return err
 	}
 	w.WriteHeader(http.StatusNoContent)
 	return nil
 }

-func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -461,7 +455,7 @@ func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	}

 	name := vars["name"]
-	resp, err := c.backend.ContainerUpdate(name, hostConfig)
+	resp, err := s.backend.ContainerUpdate(name, hostConfig)
 	if err != nil {
 		return err
 	}
@@ -469,7 +463,7 @@ func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	return httputils.WriteJSON(w, http.StatusOK, resp)
 }

-func (c *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -479,7 +473,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo

 	name := r.Form.Get("name")

-	config, hostConfig, networkingConfig, err := c.decoder.DecodeConfig(r.Body)
+	config, hostConfig, networkingConfig, err := s.decoder.DecodeConfig(r.Body)
 	if err != nil {
 		if errors.Is(err, io.EOF) {
 			return errdefs.InvalidParameter(errors.New("invalid JSON: got EOF while reading request body"))
@@ -531,7 +525,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}

 		// Ignore KernelMemoryTCP because it was added in API 1.40.
-		hostConfig.KernelMemoryTCP = 0 //nolint:staticcheck // ignore SA1019 This field is still used for legacy support.
+		hostConfig.KernelMemoryTCP = 0

 		// Older clients (API < 1.40) expects the default to be shareable, make them happy
 		if hostConfig.IpcMode.IsEmpty() {
@@ -541,7 +535,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo

 	if versions.LessThan(version, "1.41") {
 		// Older clients expect the default to be "host" on cgroup v1 hosts
-		if !c.cgroup2 && hostConfig.CgroupnsMode.IsEmpty() {
+		if !s.cgroup2 && hostConfig.CgroupnsMode.IsEmpty() {
 			hostConfig.CgroupnsMode = container.CgroupnsModeHost
 		}
 	}
@@ -649,23 +643,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}
 	}

-	if versions.LessThan(version, "1.48") {
-		for _, epConfig := range networkingConfig.EndpointsConfig {
-			// Before 1.48, all endpoints had the same priority, so
-			// reinitialize this field.
-			epConfig.GwPriority = 0
-		}
-		for _, m := range hostConfig.Mounts {
-			if m.Type == mount.TypeImage {
-				return errdefs.InvalidParameter(errors.New(`Mount type "Image" needs API v1.48 or newer`))
-			}
-		}
-	}
-
 	var warnings []string
-	if warn := handleVolumeDriverBC(version, hostConfig); warn != "" {
-		warnings = append(warnings, warn)
-	}
 	if warn, err := handleMACAddressBC(config, hostConfig, networkingConfig, version); err != nil {
 		return err
 	} else if warn != "" {
@@ -686,7 +664,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		hostConfig.PidsLimit = nil
 	}

-	ccr, err := c.backend.ContainerCreate(ctx, backend.ContainerCreateConfig{
+	ccr, err := s.backend.ContainerCreate(ctx, backend.ContainerCreateConfig{
 		Name:                        name,
 		Config:                      config,
 		HostConfig:                  hostConfig,
@@ -694,12 +672,6 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		Platform:                    platform,
 		DefaultReadOnlyNonRecursive: defaultReadOnlyNonRecursive,
 	})
-
-	// Log warnings for debugging, regardless if the request was successful or not.
-	if len(ccr.Warnings) > 0 {
-		log.G(ctx).WithField("warnings", ccr.Warnings).Debug("warnings encountered during container create request")
-	}
-
 	if err != nil {
 		return err
 	}
@@ -707,27 +679,6 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	return httputils.WriteJSON(w, http.StatusCreated, ccr)
 }

-// handleVolumeDriverBC handles the use of the container-wide "VolumeDriver"
-// option when the Mounts API is used for volumes. It produces a warning
-// on API 1.48 and up. Older versions of the API did not produce a warning,
-// but the CLI would do so.
-func handleVolumeDriverBC(version string, hostConfig *container.HostConfig) (warning string) {
-	if hostConfig.VolumeDriver == "" || versions.LessThan(version, "1.48") {
-		return ""
-	}
-	for _, m := range hostConfig.Mounts {
-		if m.Type != mount.TypeVolume {
-			continue
-		}
-		if m.VolumeOptions != nil && m.VolumeOptions.DriverConfig != nil && m.VolumeOptions.DriverConfig.Name != "" {
-			// Driver was configured for this mount, so no ambiguity.
-			continue
-		}
-		return "WARNING: the container-wide volume-driver configuration is ignored for volumes specified via 'mount'. Use '--mount type=volume,volume-driver=...' instead"
-	}
-	return ""
-}
-
 // handleMACAddressBC takes care of backward-compatibility for the container-wide MAC address by mutating the
 // networkingConfig to set the endpoint-specific MACAddress field introduced in API v1.44. It returns a warning message
 // or an error if the container-wide field was specified for API >= v1.44.
@@ -819,8 +770,8 @@ func handleSysctlBC(
 			// Find the EndpointConfig to migrate settings to, if not already found.
 			if ep == nil {
 				// Per-endpoint sysctls were introduced in API version 1.46. Migration is
-				// needed, but refuse to do it automatically for API 1.48 and newer.
-				if versions.GreaterThan(version, "1.47") {
+				// needed, but refuse to do it automatically for newer versions of the API.
+				if versions.GreaterThan(version, "1.46") {
 					return "", fmt.Errorf("interface specific sysctl setting %q must be supplied using driver option '%s'",
 						k, netlabel.EndpointSysctls)
 				}
@@ -920,7 +871,7 @@ func epConfigForNetMode(
 	return ep, nil
 }

-func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) deleteContainers(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -932,7 +883,7 @@ func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseW
 		RemoveLink:   httputils.BoolValue(r, "link"),
 	}

-	if err := c.backend.ContainerRm(name, config); err != nil {
+	if err := s.backend.ContainerRm(name, config); err != nil {
 		return err
 	}

@@ -941,35 +892,39 @@ func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseW
 	return nil
 }

-func (c *containerRouter) postContainersResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	height, err := httputils.Uint32Value(r, "h")
+	height, err := strconv.Atoi(r.Form.Get("h"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize height %q", r.Form.Get("h")))
+		return errdefs.InvalidParameter(err)
 	}
-	width, err := httputils.Uint32Value(r, "w")
+	width, err := strconv.Atoi(r.Form.Get("w"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize width %q", r.Form.Get("w")))
+		return errdefs.InvalidParameter(err)
 	}

-	return c.backend.ContainerResize(ctx, vars["name"], height, width)
+	return s.backend.ContainerResize(vars["name"], height, width)
 }

-func (c *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
+func (s *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	err := httputils.ParseForm(r)
+	if err != nil {
 		return err
 	}
 	containerName := vars["name"]
+
+	_, upgrade := r.Header["Upgrade"]
+	detachKeys := r.FormValue("detachKeys")
+
 	hijacker, ok := w.(http.Hijacker)
 	if !ok {
 		return errdefs.InvalidParameter(errors.Errorf("error attaching to container %s, hijack connection missing", containerName))
 	}

 	contentType := types.MediaTypeRawStream
-	_, upgrade := r.Header["Upgrade"]
 	setupStreams := func(multiplexed bool, cancel func()) (io.ReadCloser, io.Writer, io.Writer, error) {
 		conn, _, err := hijacker.Hijack()
 		if err != nil {
@@ -983,11 +938,9 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 			if multiplexed && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
 				contentType = types.MediaTypeMultiplexedStream
 			}
-			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
-			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: %v\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n", contentType)
+			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
 		} else {
-			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
-			fmt.Fprint(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
+			fmt.Fprintf(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
 		}

 		go notifyClosed(ctx, conn, cancel)
@@ -999,16 +952,18 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 		return ioutils.NewReadCloserWrapper(conn, closer), conn, conn, nil
 	}

-	if err := c.backend.ContainerAttach(containerName, &backend.ContainerAttachConfig{
+	attachConfig := &backend.ContainerAttachConfig{
 		GetStreams: setupStreams,
 		UseStdin:   httputils.BoolValue(r, "stdin"),
 		UseStdout:  httputils.BoolValue(r, "stdout"),
 		UseStderr:  httputils.BoolValue(r, "stderr"),
 		Logs:       httputils.BoolValue(r, "logs"),
 		Stream:     httputils.BoolValue(r, "stream"),
-		DetachKeys: r.FormValue("detachKeys"),
+		DetachKeys: detachKeys,
 		MuxStreams: true,
-	}); err != nil {
+	}
+
+	if err = s.backend.ContainerAttach(containerName, attachConfig); err != nil {
 		log.G(ctx).WithError(err).Errorf("Handler for %s %s returned error", r.Method, r.URL.Path)
 		// Remember to close stream if error happens
 		conn, _, errHijack := hijacker.Hijack()
@@ -1024,12 +979,15 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 	return nil
 }

-func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) wsContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
 	containerName := vars["name"]

+	var err error
+	detachKeys := r.FormValue("detachKeys")
+
 	done := make(chan struct{})
 	started := make(chan struct{})

@@ -1066,16 +1024,18 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 		useStderr = httputils.BoolValue(r, "stderr")
 	}

-	err := c.backend.ContainerAttach(containerName, &backend.ContainerAttachConfig{
+	attachConfig := &backend.ContainerAttachConfig{
 		GetStreams: setupStreams,
 		UseStdin:   useStdin,
 		UseStdout:  useStdout,
 		UseStderr:  useStderr,
 		Logs:       httputils.BoolValue(r, "logs"),
 		Stream:     httputils.BoolValue(r, "stream"),
-		DetachKeys: r.FormValue("detachKeys"),
+		DetachKeys: detachKeys,
 		MuxStreams: false, // never multiplex, as we rely on websocket to manage distinct streams
-	})
+	}
+
+	err = s.backend.ContainerAttach(containerName, attachConfig)
 	close(done)
 	select {
 	case <-started:
@@ -1090,7 +1050,7 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 	return err
 }

-func (c *containerRouter) postContainersPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -1100,7 +1060,7 @@ func (c *containerRouter) postContainersPrune(ctx context.Context, w http.Respon
 		return err
 	}

-	pruneReport, err := c.backend.ContainersPrune(ctx, pruneFilters)
+	pruneReport, err := s.backend.ContainersPrune(ctx, pruneFilters)
 	if err != nil {
 		return err
 	}
--- a/api/server/router/container/container_routes_test.go
+++ b/api/server/router/container/container_routes_test.go
@@ -275,7 +275,7 @@ func TestHandleSysctlBC(t *testing.T) {
 		},
 		{
 			name:        "migration disabled for newer api",
-			apiVersion:  "1.48",
+			apiVersion:  "1.47",
 			networkMode: "mynet",
 			sysctls: map[string]string{
 				"net.ipv6.conf.eth0.accept_ra": "2",
--- a/api/server/router/container/copy.go
+++ b/api/server/router/container/copy.go
@@ -1,4 +1,4 @@
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"compress/flate"
@@ -29,13 +29,13 @@ func setContainerPathStatHeader(stat *container.PathStat, header http.Header) er
 	return nil
 }

-func (c *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
 	}

-	stat, err := c.backend.ContainerStatPath(v.Name, v.Path)
+	stat, err := s.backend.ContainerStatPath(v.Name, v.Path)
 	if err != nil {
 		return err
 	}
@@ -66,13 +66,13 @@ func writeCompressedResponse(w http.ResponseWriter, r *http.Request, body io.Rea
 	return err
 }

-func (c *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
 	}

-	tarArchive, stat, err := c.backend.ContainerArchivePath(v.Name, v.Path)
+	tarArchive, stat, err := s.backend.ContainerArchivePath(v.Name, v.Path)
 	if err != nil {
 		return err
 	}
@@ -86,7 +86,7 @@ func (c *containerRouter) getContainersArchive(ctx context.Context, w http.Respo
 	return writeCompressedResponse(w, r, tarArchive)
 }

-func (c *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
@@ -95,5 +95,5 @@ func (c *containerRouter) putContainersArchive(ctx context.Context, w http.Respo
 	noOverwriteDirNonDir := httputils.BoolValue(r, "noOverwriteDirNonDir")
 	copyUIDGID := httputils.BoolValue(r, "copyUIDGID")

-	return c.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
+	return s.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
 }
--- a/api/server/router/container/exec.go
+++ b/api/server/router/container/exec.go
@@ -1,10 +1,11 @@
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"context"
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
@@ -14,11 +15,10 @@ import (
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/pkg/errors"
 )

-func (c *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	eConfig, err := c.backend.ContainerExecInspect(vars["id"])
+func (s *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	eConfig, err := s.backend.ContainerExecInspect(vars["id"])
 	if err != nil {
 		return err
 	}
@@ -34,7 +34,7 @@ func (execCommandError) Error() string {

 func (execCommandError) InvalidParameter() {}

-func (c *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -55,19 +55,19 @@ func (c *containerRouter) postContainerExecCreate(ctx context.Context, w http.Re
 	}

 	// Register an instance of Exec in container.
-	id, err := c.backend.ContainerExecCreate(vars["name"], execConfig)
+	id, err := s.backend.ContainerExecCreate(vars["name"], execConfig)
 	if err != nil {
 		log.G(ctx).Errorf("Error setting up exec command in container %s: %v", vars["name"], err)
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &container.ExecCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{
 		ID: id,
 	})
 }

 // TODO(vishh): Refactor the code to avoid having to specify stream config as part of both create and start.
-func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -83,7 +83,7 @@ func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 		return err
 	}

-	if exists, err := c.backend.ExecExists(execName); !exists {
+	if exists, err := s.backend.ExecExists(execName); !exists {
 		return err
 	}

@@ -138,7 +138,7 @@ func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 	// Now run the user process in container.
 	//
 	// TODO: Maybe we should we pass ctx here if we're not detaching?
-	err := c.backend.ContainerExecStart(context.Background(), execName, backend.ExecStartConfig{
+	err := s.backend.ContainerExecStart(context.Background(), execName, backend.ExecStartConfig{
 		Stdin:       stdin,
 		Stdout:      stdout,
 		Stderr:      stderr,
@@ -154,18 +154,18 @@ func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 	return nil
 }

-func (c *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
-	height, err := httputils.Uint32Value(r, "h")
+	height, err := strconv.Atoi(r.Form.Get("h"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize height %q", r.Form.Get("h")))
+		return errdefs.InvalidParameter(err)
 	}
-	width, err := httputils.Uint32Value(r, "w")
+	width, err := strconv.Atoi(r.Form.Get("w"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize width %q", r.Form.Get("w")))
+		return errdefs.InvalidParameter(err)
 	}

-	return c.backend.ContainerExecResize(ctx, vars["name"], height, width)
+	return s.backend.ContainerExecResize(vars["name"], height, width)
 }
--- a/api/server/router/container/inspect.go
+++ b/api/server/router/container/inspect.go
@@ -1,41 +1,21 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package container
+package container // import "github.com/docker/docker/api/server/router/container"

 import (
 	"context"
 	"net/http"

 	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/internal/sliceutil"
-	"github.com/docker/docker/pkg/stringid"
 )

 // getContainersByName inspects container's configuration and serializes it as json.
-func (c *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	ctr, err := c.backend.ContainerInspect(ctx, vars["name"], backend.ContainerInspectOptions{
-		Size: httputils.BoolValue(r, "size"),
-	})
+func (s *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	displaySize := httputils.BoolValue(r, "size")
+
+	version := httputils.VersionFromContext(ctx)
+	json, err := s.backend.ContainerInspect(ctx, vars["name"], displaySize, version)
 	if err != nil {
 		return err
 	}

-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.45") {
-		shortCID := stringid.TruncateID(ctr.ID)
-		for nwName, ep := range ctr.NetworkSettings.Networks {
-			if container.NetworkMode(nwName).IsUserDefined() {
-				ep.Aliases = sliceutil.Dedup(append(ep.Aliases, shortCID, ctr.Config.Hostname))
-			}
-		}
-	}
-	if versions.LessThan(version, "1.48") {
-		ctr.ImageManifestDescriptor = nil
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, ctr)
+	return httputils.WriteJSON(w, http.StatusOK, json)
 }
--- a/api/server/router/debug/debug.go
+++ b/api/server/router/debug/debug.go
@@ -1,4 +1,4 @@
-package debug
+package debug // import "github.com/docker/docker/api/server/router/debug"

 import (
 	"context"
@@ -24,13 +24,13 @@ type debugRouter struct {

 func (r *debugRouter) initRoutes() {
 	r.routes = []router.Route{
-		router.NewGetRoute("/debug/vars", frameworkAdaptHandler(expvar.Handler())),
-		router.NewGetRoute("/debug/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
-		router.NewGetRoute("/debug/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
-		router.NewGetRoute("/debug/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
-		router.NewGetRoute("/debug/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
-		router.NewGetRoute("/debug/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
-		router.NewGetRoute("/debug/pprof/{name}", handlePprof),
+		router.NewGetRoute("/vars", frameworkAdaptHandler(expvar.Handler())),
+		router.NewGetRoute("/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
+		router.NewGetRoute("/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
+		router.NewGetRoute("/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
+		router.NewGetRoute("/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
+		router.NewGetRoute("/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
+		router.NewGetRoute("/pprof/{name}", handlePprof),
 	}
 }

--- a/api/server/router/debug/debug_routes.go
+++ b/api/server/router/debug/debug_routes.go
@@ -1,4 +1,4 @@
-package debug
+package debug // import "github.com/docker/docker/api/server/router/debug"

 import (
 	"context"
--- a/api/server/router/distribution/backend.go
+++ b/api/server/router/distribution/backend.go
@@ -1,4 +1,4 @@
-package distribution
+package distribution // import "github.com/docker/docker/api/server/router/distribution"

 import (
 	"context"
--- a/api/server/router/distribution/distribution.go
+++ b/api/server/router/distribution/distribution.go
@@ -1,4 +1,4 @@
-package distribution
+package distribution // import "github.com/docker/docker/api/server/router/distribution"

 import "github.com/docker/docker/api/server/router"

@@ -18,14 +18,14 @@ func NewRouter(backend Backend) router.Router {
 }

 // Routes returns the available routes
-func (dr *distributionRouter) Routes() []router.Route {
-	return dr.routes
+func (r *distributionRouter) Routes() []router.Route {
+	return r.routes
 }

 // initRoutes initializes the routes in the distribution router
-func (dr *distributionRouter) initRoutes() {
-	dr.routes = []router.Route{
+func (r *distributionRouter) initRoutes() {
+	r.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/distribution/{name:.*}/json", dr.getDistributionInfo),
+		router.NewGetRoute("/distribution/{name:.*}/json", r.getDistributionInfo),
 	}
 }
--- a/api/server/router/distribution/distribution_routes.go
+++ b/api/server/router/distribution/distribution_routes.go
@@ -1,9 +1,10 @@
-package distribution
+package distribution // import "github.com/docker/docker/api/server/router/distribution"

 import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"os"

 	"github.com/distribution/reference"
 	"github.com/docker/distribution"
@@ -18,7 +19,7 @@ import (
 	"github.com/pkg/errors"
 )

-func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -44,7 +45,7 @@ func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.Re
 	// For a search it is not an error if no auth was given. Ignore invalid
 	// AuthConfig to increase compatibility with the existing API.
 	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
-	repos, err := dr.backend.GetRepositories(ctx, namedRef, authConfig)
+	repos, err := s.backend.GetRepositories(ctx, namedRef, authConfig)
 	if err != nil {
 		return err
 	}
@@ -65,7 +66,7 @@ func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.Re
 	// - https://github.com/moby/moby/blob/12c7411b6b7314bef130cd59f1c7384a7db06d0b/distribution/pull.go#L76-L152
 	var lastErr error
 	for _, repo := range repos {
-		distributionInspect, err := dr.fetchManifest(ctx, repo, namedRef)
+		distributionInspect, err := s.fetchManifest(ctx, repo, namedRef)
 		if err != nil {
 			lastErr = err
 			continue
@@ -75,7 +76,7 @@ func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.Re
 	return lastErr
 }

-func (dr *distributionRouter) fetchManifest(ctx context.Context, distrepo distribution.Repository, namedRef reference.Named) (registry.DistributionInspect, error) {
+func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distribution.Repository, namedRef reference.Named) (registry.DistributionInspect, error) {
 	var distributionInspect registry.DistributionInspect
 	if canonicalRef, ok := namedRef.(reference.Canonical); !ok {
 		namedRef = reference.TagNameOnly(namedRef)
@@ -108,14 +109,14 @@ func (dr *distributionRouter) fetchManifest(ctx context.Context, distrepo distri
 	}
 	mnfst, err := mnfstsrvc.Get(ctx, distributionInspect.Descriptor.Digest)
 	if err != nil {
-		switch {
-		case errors.Is(err, reference.ErrReferenceInvalidFormat),
-			errors.Is(err, reference.ErrTagInvalidFormat),
-			errors.Is(err, reference.ErrDigestInvalidFormat),
-			errors.Is(err, reference.ErrNameContainsUppercase),
-			errors.Is(err, reference.ErrNameEmpty),
-			errors.Is(err, reference.ErrNameTooLong),
-			errors.Is(err, reference.ErrNameNotCanonical):
+		switch err {
+		case reference.ErrReferenceInvalidFormat,
+			reference.ErrTagInvalidFormat,
+			reference.ErrDigestInvalidFormat,
+			reference.ErrNameContainsUppercase,
+			reference.ErrNameEmpty,
+			reference.ErrNameTooLong,
+			reference.ErrNameNotCanonical:
 			return registry.DistributionInspect{}, errdefs.InvalidParameter(err)
 		}
 		return registry.DistributionInspect{}, err
@@ -153,10 +154,15 @@ func (dr *distributionRouter) fetchManifest(ctx context.Context, distrepo distri
 				distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
 			}
 		}
-
-	// TODO(thaJeztah); we only use this to produce a nice error, but as a result, we can't remove libtrust as dependency - see if we can reduce the dependencies, but still able to detect it's a deprecated manifest
 	case *schema1.SignedManifest:
-		return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
+		}
+		platform := ocispec.Platform{
+			Architecture: mnfstObj.Architecture,
+			OS:           "linux",
+		}
+		distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
 	}
 	return distributionInspect, nil
 }
--- a/api/server/router/experimental.go
+++ b/api/server/router/experimental.go
@@ -1,4 +1,4 @@
-package router
+package router // import "github.com/docker/docker/api/server/router"

 import (
 	"context"
--- a/api/server/router/grpc/backend.go
+++ b/api/server/router/grpc/backend.go
@@ -1,4 +1,4 @@
-package grpc
+package grpc // import "github.com/docker/docker/api/server/router/grpc"

 import "google.golang.org/grpc"

--- a/api/server/router/grpc/grpc.go
+++ b/api/server/router/grpc/grpc.go
@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
+//go:build go1.21

-package grpc
+package grpc // import "github.com/docker/docker/api/server/router/grpc"

 import (
 	"context"
@@ -9,14 +9,13 @@ import (
 	"os"
 	"strings"

-	"github.com/containerd/containerd/v2/defaults"
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/internal/otelutil"
 	"github.com/moby/buildkit/util/grpcerrors"
 	"github.com/moby/buildkit/util/stack"
 	"github.com/moby/buildkit/util/tracing"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
+	"go.opentelemetry.io/otel"
 	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
 )
@@ -29,13 +28,10 @@ type grpcRouter struct {

 // NewRouter initializes a new grpc http router
 func NewRouter(backends ...Backend) router.Router {
-	tp, _ := otelutil.NewTracerProvider(context.Background(), false)
 	opts := []grpc.ServerOption{
-		grpc.StatsHandler(tracing.ServerStatsHandler(otelgrpc.WithTracerProvider(tp))),
+		grpc.StatsHandler(tracing.ServerStatsHandler(otelgrpc.WithTracerProvider(otel.GetTracerProvider()))),
 		grpc.ChainUnaryInterceptor(unaryInterceptor, grpcerrors.UnaryServerInterceptor),
 		grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
-		grpc.MaxRecvMsgSize(defaults.DefaultMaxRecvMsgSize),
-		grpc.MaxSendMsgSize(defaults.DefaultMaxSendMsgSize),
 	}

 	r := &grpcRouter{
@@ -60,7 +56,7 @@ func (gr *grpcRouter) initRoutes() {
 	}
 }

-func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, _ error) {
+func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
 	// This method is used by the clients to send their traces to buildkit so they can be included
 	// in the daemon trace and stored in the build history record. This method can not be traced because
 	// it would cause an infinite loop.
@@ -68,11 +64,11 @@ func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo,
 		return handler(ctx, req)
 	}

-	resp, err := handler(ctx, req)
+	resp, err = handler(ctx, req)
 	if err != nil {
 		log.G(ctx).WithError(err).Error(info.FullMethod)
 		if log.GetLevel() >= log.DebugLevel {
-			_, _ = fmt.Fprintf(os.Stderr, "%+v", stack.Formatter(grpcerrors.FromGRPC(err)))
+			fmt.Fprintf(os.Stderr, "%+v", stack.Formatter(grpcerrors.FromGRPC(err)))
 		}
 	}
 	return resp, err
--- a/api/server/router/grpc/grpc_routes.go
+++ b/api/server/router/grpc/grpc_routes.go
@@ -1,4 +1,4 @@
-package grpc
+package grpc // import "github.com/docker/docker/api/server/router/grpc"

 import (
 	"context"
--- a/api/server/router/image/backend.go
+++ b/api/server/router/image/backend.go
@@ -1,4 +1,4 @@
-package image
+package image // import "github.com/docker/docker/api/server/router/image"

 import (
 	"context"
@@ -22,19 +22,18 @@ type Backend interface {
 }

 type imageBackend interface {
-	ImageDelete(ctx context.Context, imageRef string, options image.RemoveOptions) ([]image.DeleteResponse, error)
-	ImageHistory(ctx context.Context, imageName string, platform *ocispec.Platform) ([]*image.HistoryResponseItem, error)
+	ImageDelete(ctx context.Context, imageRef string, force, prune bool) ([]image.DeleteResponse, error)
+	ImageHistory(ctx context.Context, imageName string) ([]*image.HistoryResponseItem, error)
 	Images(ctx context.Context, opts image.ListOptions) ([]*image.Summary, error)
 	GetImage(ctx context.Context, refOrID string, options backend.GetImageOpts) (*dockerimage.Image, error)
-	ImageInspect(ctx context.Context, refOrID string, options backend.ImageInspectOpts) (*image.InspectResponse, error)
 	TagImage(ctx context.Context, id dockerimage.ID, newRef reference.Named) error
 	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*image.PruneReport, error)
 }

 type importExportBackend interface {
-	LoadImage(ctx context.Context, inTar io.ReadCloser, platform *ocispec.Platform, outStream io.Writer, quiet bool) error
+	LoadImage(ctx context.Context, inTar io.ReadCloser, outStream io.Writer, quiet bool) error
 	ImportImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, msg string, layerReader io.Reader, changes []string) (dockerimage.ID, error)
-	ExportImage(ctx context.Context, names []string, platform *ocispec.Platform, outStream io.Writer) error
+	ExportImage(ctx context.Context, names []string, outStream io.Writer) error
 }

 type registryBackend interface {
--- a/api/server/router/image/image.go
+++ b/api/server/router/image/image.go
@@ -1,21 +1,30 @@
-package image
+package image // import "github.com/docker/docker/api/server/router/image"

 import (
 	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/reference"
 )

 // imageRouter is a router to talk with the image controller
 type imageRouter struct {
-	backend  Backend
-	searcher Searcher
-	routes   []router.Route
+	backend          Backend
+	searcher         Searcher
+	referenceBackend reference.Store
+	imageStore       image.Store
+	layerStore       layer.Store
+	routes           []router.Route
 }

 // NewRouter initializes a new image router
-func NewRouter(backend Backend, searcher Searcher) router.Router {
+func NewRouter(backend Backend, searcher Searcher, referenceBackend reference.Store, imageStore image.Store, layerStore layer.Store) router.Router {
 	ir := &imageRouter{
-		backend:  backend,
-		searcher: searcher,
+		backend:          backend,
+		searcher:         searcher,
+		referenceBackend: referenceBackend,
+		imageStore:       imageStore,
+		layerStore:       layerStore,
 	}
 	ir.initRoutes()
 	return ir
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -1,4 +1,4 @@
-package image
+package image // import "github.com/docker/docker/api/server/router/image"

 import (
 	"context"
@@ -10,10 +10,11 @@ import (
 	"strings"
 	"time"

-	"github.com/containerd/platforms"
+	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	imagetypes "github.com/docker/docker/api/types/image"
@@ -100,8 +101,6 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit

 		// For a pull it is not an error if no auth was given. Ignore invalid
 		// AuthConfig to increase compatibility with the existing API.
-		//
-		// TODO(thaJeztah): accept empty values but return an error when failing to decode.
 		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
 		progressErr = ir.backend.PullImage(ctx, ref, platform, metaHeaders, authConfig, output)
 	} else { // import
@@ -112,7 +111,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 			return errdefs.InvalidParameter(err)
 		}

-		if comment == "" {
+		if len(comment) == 0 {
 			comment = "Imported from " + src
 		}

@@ -143,7 +142,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 		id, progressErr = ir.backend.ImportImage(ctx, tagRef, platform, comment, layerReader, r.Form["changes"])

 		if progressErr == nil {
-			_, _ = output.Write(streamformatter.FormatStatus("", "%v", id.String()))
+			output.Write(streamformatter.FormatStatus("", id.String()))
 		}
 	}
 	if progressErr != nil {
@@ -167,11 +166,19 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter
 		return err
 	}

-	// Handle the authConfig as a header, but ignore invalid AuthConfig
-	// to increase compatibility with the existing API.
-	//
-	// TODO(thaJeztah): accept empty values but return an error when failing to decode.
-	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
+	var authConfig *registry.AuthConfig
+	if authEncoded := r.Header.Get(registry.AuthHeader); authEncoded != "" {
+		// the new format is to handle the authConfig as a header. Ignore invalid
+		// AuthConfig to increase compatibility with the existing API.
+		authConfig, _ = registry.DecodeAuthConfig(authEncoded)
+	} else {
+		// the old format is supported for compatibility if there was no authConfig header
+		var err error
+		authConfig, err = registry.DecodeAuthConfigBody(r.Body)
+		if err != nil {
+			return errors.Wrap(err, "bad parameters and missing X-Registry-Auth")
+		}
+	}

 	output := ioutils.NewWriteFlusher(w)
 	defer output.Close()
@@ -213,6 +220,7 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter
 			}
 			platform = p
 		}
+
 	}

 	if err := ir.backend.PushImage(ctx, ref, platform, metaHeaders, authConfig, output); err != nil {
@@ -240,22 +248,7 @@ func (ir *imageRouter) getImagesGet(ctx context.Context, w http.ResponseWriter,
 		names = r.Form["names"]
 	}

-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-
-	if err := ir.backend.ExportImage(ctx, names, platform, output); err != nil {
+	if err := ir.backend.ExportImage(ctx, names, output); err != nil {
 		if !output.Flushed() {
 			return err
 		}
@@ -268,28 +261,13 @@ func (ir *imageRouter) postImagesLoad(ctx context.Context, w http.ResponseWriter
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
 	quiet := httputils.BoolValueOrDefault(r, "quiet", true)

 	w.Header().Set("Content-Type", "application/json")

 	output := ioutils.NewWriteFlusher(w)
 	defer output.Close()
-	if err := ir.backend.LoadImage(ctx, r.Body, platform, output, quiet); err != nil {
+	if err := ir.backend.LoadImage(ctx, r.Body, output, quiet); err != nil {
 		_, _ = output.Write(streamformatter.FormatError(err))
 	}
 	return nil
@@ -317,20 +295,7 @@ func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter,
 	force := httputils.BoolValue(r, "force")
 	prune := !httputils.BoolValue(r, "noprune")

-	var platforms []ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.50") {
-		p, err := httputils.DecodePlatforms(r.Form["platforms"])
-		if err != nil {
-			return err
-		}
-		platforms = p
-	}
-
-	list, err := ir.backend.ImageDelete(ctx, name, imagetypes.RemoveOptions{
-		Force:         force,
-		PruneChildren: prune,
-		Platforms:     platforms,
-	})
+	list, err := ir.backend.ImageDelete(ctx, name, force, prune)
 	if err != nil {
 		return err
 	}
@@ -339,51 +304,14 @@ func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter,
 }

 func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var manifests bool
-	if r.Form.Get("manifests") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
-	var platform *ocispec.Platform
-	if r.Form.Get("platform") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.49") {
-		p, err := httputils.DecodePlatform(r.Form.Get("platform"))
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-		platform = p
-	}
-
-	if manifests && platform != nil {
-		return errdefs.InvalidParameter(errors.New("conflicting options: manifests and platform options cannot both be set"))
-	}
-
-	resp, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
-		Manifests: manifests,
-		Platform:  platform,
-	})
+	img, err := ir.backend.GetImage(ctx, vars["name"], backend.GetImageOpts{Details: true})
 	if err != nil {
 		return err
 	}

-	// inspectResponse preserves fields in the response that have an
-	// "omitempty" in the OCI spec, but didn't omit such fields in
-	// legacy responses before API v1.50.
-	imageInspect := &inspectCompatResponse{
-		InspectResponse: resp,
-		legacyConfig:    legacyConfigFields["current"],
-	}
-
-	// Make sure we output empty arrays instead of nil. While Go nil slice is functionally equivalent to an empty slice,
-	// it matters for the JSON representation.
-	if imageInspect.RepoTags == nil {
-		imageInspect.RepoTags = []string{}
-	}
-	if imageInspect.RepoDigests == nil {
-		imageInspect.RepoDigests = []string{}
+	imageInspect, err := ir.toImageInspect(img)
+	if err != nil {
+		return err
 	}

 	version := httputils.VersionFromContext(ctx)
@@ -400,14 +328,75 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		imageInspect.Container = ""        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 		imageInspect.ContainerConfig = nil //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 	}
-	if versions.LessThan(version, "1.48") {
-		imageInspect.Descriptor = nil
-	}
-	if versions.LessThan(version, "1.50") {
-		imageInspect.legacyConfig = legacyConfigFields["v1.49"]
+	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
+}
+
+func (ir *imageRouter) toImageInspect(img *image.Image) (*types.ImageInspect, error) {
+	var repoTags, repoDigests []string
+	for _, ref := range img.Details.References {
+		switch ref.(type) {
+		case reference.NamedTagged:
+			repoTags = append(repoTags, reference.FamiliarString(ref))
+		case reference.Canonical:
+			repoDigests = append(repoDigests, reference.FamiliarString(ref))
+		}
 	}

-	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
+	comment := img.Comment
+	if len(comment) == 0 && len(img.History) > 0 {
+		comment = img.History[len(img.History)-1].Comment
+	}
+
+	// Make sure we output empty arrays instead of nil.
+	if repoTags == nil {
+		repoTags = []string{}
+	}
+	if repoDigests == nil {
+		repoDigests = []string{}
+	}
+
+	var created string
+	if img.Created != nil {
+		created = img.Created.Format(time.RFC3339Nano)
+	}
+
+	return &types.ImageInspect{
+		ID:              img.ID().String(),
+		RepoTags:        repoTags,
+		RepoDigests:     repoDigests,
+		Parent:          img.Parent.String(),
+		Comment:         comment,
+		Created:         created,
+		Container:       img.Container,        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		ContainerConfig: &img.ContainerConfig, //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		DockerVersion:   img.DockerVersion,
+		Author:          img.Author,
+		Config:          img.Config,
+		Architecture:    img.Architecture,
+		Variant:         img.Variant,
+		Os:              img.OperatingSystem(),
+		OsVersion:       img.OSVersion,
+		Size:            img.Details.Size,
+		GraphDriver: types.GraphDriverData{
+			Name: img.Details.Driver,
+			Data: img.Details.Metadata,
+		},
+		RootFS: rootFSToAPIType(img.RootFS),
+		Metadata: imagetypes.Metadata{
+			LastTagTime: img.Details.LastUpdated,
+		},
+	}, nil
+}
+
+func rootFSToAPIType(rootfs *image.RootFS) types.RootFS {
+	var layers []string
+	for _, l := range rootfs.DiffIDs {
+		layers = append(layers, l.String())
+	}
+	return types.RootFS{
+		Type:   rootfs.Type,
+		Layers: layers,
+	}
 }

 func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
@@ -435,16 +424,10 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		sharedSize = httputils.BoolValue(r, "shared-size")
 	}

-	var manifests bool
-	if versions.GreaterThanOrEqualTo(version, "1.47") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
 	images, err := ir.backend.Images(ctx, imagetypes.ListOptions{
 		All:        httputils.BoolValue(r, "all"),
 		Filters:    imageFilters,
 		SharedSize: sharedSize,
-		Manifests:  manifests,
 	})
 	if err != nil {
 		return err
@@ -452,8 +435,6 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,

 	useNone := versions.LessThan(version, "1.43")
 	withVirtualSize := versions.LessThan(version, "1.44")
-	noDescriptor := versions.LessThan(version, "1.48")
-	noContainers := versions.LessThan(version, "1.51")
 	for _, img := range images {
 		if useNone {
 			if len(img.RepoTags) == 0 && len(img.RepoDigests) == 0 {
@@ -471,33 +452,13 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		if withVirtualSize {
 			img.VirtualSize = img.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
 		}
-		if noDescriptor {
-			img.Descriptor = nil
-		}
-		if noContainers {
-			img.Containers = -1
-		}
 	}

 	return httputils.WriteJSON(w, http.StatusOK, images)
 }

 func (ir *imageRouter) getImagesHistory(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-	history, err := ir.backend.ImageHistory(ctx, vars["name"], platform)
+	history, err := ir.backend.ImageHistory(ctx, vars["name"])
 	if err != nil {
 		return err
 	}
--- a/api/server/router/image/inspect_response.go
+++ b/api/server/router/image/inspect_response.go
@@ -1,88 +0,0 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package image
-
-import (
-	"encoding/json"
-	"maps"
-
-	"github.com/docker/docker/api/types/image"
-)
-
-// legacyConfigFields defines legacy image-config fields to include in
-// API responses on older API versions.
-var legacyConfigFields = map[string]map[string]any{
-	// Legacy fields for API v1.49 and lower. These fields are deprecated
-	// and omitted in newer API versions; see https://github.com/moby/moby/pull/48457
-	"v1.49": {
-		"AttachStderr": false,
-		"AttachStdin":  false,
-		"AttachStdout": false,
-		"Cmd":          nil,
-		"Domainname":   "",
-		"Entrypoint":   nil,
-		"Env":          nil,
-		"Hostname":     "",
-		"Image":        "",
-		"Labels":       nil,
-		"OnBuild":      nil,
-		"OpenStdin":    false,
-		"StdinOnce":    false,
-		"Tty":          false,
-		"User":         "",
-		"Volumes":      nil,
-		"WorkingDir":   "",
-	},
-	// Legacy fields for current API versions (v1.50 and up). These fields
-	// did not have an "omitempty" and were always included in the response,
-	// even if not set; see https://github.com/moby/moby/issues/50134
-	"current": {
-		"Cmd":        nil,
-		"Entrypoint": nil,
-		"Env":        nil,
-		"Labels":     nil,
-		"OnBuild":    nil,
-		"User":       "",
-		"Volumes":    nil,
-		"WorkingDir": "",
-	},
-}
-
-// inspectCompatResponse is a wrapper around [image.InspectResponse] with a
-// custom marshal function for legacy [api/types/container.Config} fields
-// that have been removed, or did not have omitempty.
-type inspectCompatResponse struct {
-	*image.InspectResponse
-	legacyConfig map[string]any
-}
-
-// MarshalJSON implements a custom marshaler to include legacy fields
-// in API responses.
-func (ir *inspectCompatResponse) MarshalJSON() ([]byte, error) {
-	type tmp *image.InspectResponse
-	base, err := json.Marshal((tmp)(ir.InspectResponse))
-	if err != nil {
-		return nil, err
-	}
-	if len(ir.legacyConfig) == 0 {
-		return base, nil
-	}
-
-	type resp struct {
-		*image.InspectResponse
-		Config map[string]any
-	}
-
-	var merged resp
-	err = json.Unmarshal(base, &merged)
-	if err != nil {
-		return base, nil
-	}
-
-	// prevent mutating legacyConfigFields.
-	cfg := maps.Clone(ir.legacyConfig)
-	maps.Copy(cfg, merged.Config)
-	merged.Config = cfg
-	return json.Marshal(merged)
-}
--- a/api/server/router/image/inspect_response_test.go
+++ b/api/server/router/image/inspect_response_test.go
@@ -1,74 +0,0 @@
-package image
-
-import (
-	"encoding/json"
-	"testing"
-
-	"github.com/docker/docker/api/types/image"
-	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-)
-
-func TestInspectResponse(t *testing.T) {
-	tests := []struct {
-		doc          string
-		cfg          *ocispec.ImageConfig
-		legacyConfig map[string]any
-		expected     string
-	}{
-		{
-			doc:      "empty",
-			expected: `null`,
-		},
-		{
-			doc: "no legacy config",
-			cfg: &ocispec.ImageConfig{
-				Cmd:        []string{"/bin/sh"},
-				StopSignal: "SIGQUIT",
-			},
-			expected: `{"Cmd":["/bin/sh"],"StopSignal":"SIGQUIT"}`,
-		},
-		{
-			doc: "api < v1.50",
-			cfg: &ocispec.ImageConfig{
-				Cmd:        []string{"/bin/sh"},
-				StopSignal: "SIGQUIT",
-			},
-			legacyConfig: legacyConfigFields["v1.49"],
-			expected:     `{"AttachStderr":false,"AttachStdin":false,"AttachStdout":false,"Cmd":["/bin/sh"],"Domainname":"","Entrypoint":null,"Env":null,"Hostname":"","Image":"","Labels":null,"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"StopSignal":"SIGQUIT","Tty":false,"User":"","Volumes":null,"WorkingDir":""}`,
-		},
-		{
-			doc: "api >= v1.50",
-			cfg: &ocispec.ImageConfig{
-				Cmd:        []string{"/bin/sh"},
-				StopSignal: "SIGQUIT",
-			},
-			legacyConfig: legacyConfigFields["current"],
-			expected:     `{"Cmd":["/bin/sh"],"Entrypoint":null,"Env":null,"Labels":null,"OnBuild":null,"StopSignal":"SIGQUIT","User":"","Volumes":null,"WorkingDir":""}`,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.doc, func(t *testing.T) {
-			imgInspect := &image.InspectResponse{}
-			if tc.cfg != nil {
-				// Verify that fields that are set override the legacy values,
-				// or appended if not part of the legacy values.
-				imgInspect.Config = &dockerspec.DockerOCIImageConfig{
-					ImageConfig: *tc.cfg,
-				}
-			}
-			out, err := json.Marshal(&inspectCompatResponse{
-				InspectResponse: imgInspect,
-				legacyConfig:    tc.legacyConfig,
-			})
-			assert.NilError(t, err)
-
-			var outMap struct{ Config json.RawMessage }
-			err = json.Unmarshal(out, &outMap)
-			assert.NilError(t, err)
-			assert.Check(t, is.Equal(string(outMap.Config), tc.expected))
-		})
-	}
-}
--- a/api/server/router/local.go
+++ b/api/server/router/local.go
@@ -1,4 +1,4 @@
-package router
+package router // import "github.com/docker/docker/api/server/router"

 import (
 	"net/http"
--- a/api/server/router/network/backend.go
+++ b/api/server/router/network/backend.go
@@ -1,4 +1,4 @@
-package network
+package network // import "github.com/docker/docker/api/server/router/network"

 import (
 	"context"
@@ -12,7 +12,7 @@ import (
 // to provide network specific functionality.
 type Backend interface {
 	GetNetworks(filters.Args, backend.NetworkListConfig) ([]network.Inspect, error)
-	CreateNetwork(ctx context.Context, nc network.CreateRequest) (*network.CreateResponse, error)
+	CreateNetwork(nc network.CreateRequest) (*network.CreateResponse, error)
 	ConnectContainerToNetwork(ctx context.Context, containerName, networkName string, endpointConfig *network.EndpointSettings) error
 	DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error
 	DeleteNetwork(networkID string) error
--- a/api/server/router/network/network.go
+++ b/api/server/router/network/network.go
@@ -1,4 +1,4 @@
-package network
+package network // import "github.com/docker/docker/api/server/router/network"

 import (
 	"github.com/docker/docker/api/server/router"
@@ -22,22 +22,22 @@ func NewRouter(b Backend, c ClusterBackend) router.Router {
 }

 // Routes returns the available routes to the network controller
-func (n *networkRouter) Routes() []router.Route {
-	return n.routes
+func (r *networkRouter) Routes() []router.Route {
+	return r.routes
 }

-func (n *networkRouter) initRoutes() {
-	n.routes = []router.Route{
+func (r *networkRouter) initRoutes() {
+	r.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/networks", n.getNetworksList),
-		router.NewGetRoute("/networks/", n.getNetworksList),
-		router.NewGetRoute("/networks/{id:.+}", n.getNetwork),
+		router.NewGetRoute("/networks", r.getNetworksList),
+		router.NewGetRoute("/networks/", r.getNetworksList),
+		router.NewGetRoute("/networks/{id:.+}", r.getNetwork),
 		// POST
-		router.NewPostRoute("/networks/create", n.postNetworkCreate),
-		router.NewPostRoute("/networks/{id:.*}/connect", n.postNetworkConnect),
-		router.NewPostRoute("/networks/{id:.*}/disconnect", n.postNetworkDisconnect),
-		router.NewPostRoute("/networks/prune", n.postNetworksPrune),
+		router.NewPostRoute("/networks/create", r.postNetworkCreate),
+		router.NewPostRoute("/networks/{id:.*}/connect", r.postNetworkConnect),
+		router.NewPostRoute("/networks/{id:.*}/disconnect", r.postNetworkDisconnect),
+		router.NewPostRoute("/networks/prune", r.postNetworksPrune),
 		// DELETE
-		router.NewDeleteRoute("/networks/{id:.*}", n.deleteNetwork),
+		router.NewDeleteRoute("/networks/{id:.*}", r.deleteNetwork),
 	}
 }
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -1,4 +1,4 @@
-package network
+package network // import "github.com/docker/docker/api/server/router/network"

 import (
 	"context"
@@ -75,13 +75,13 @@ func (e invalidRequestError) Error() string {

 func (e invalidRequestError) InvalidParameter() {}

-type ambiguousResultsError string
+type ambigousResultsError string

-func (e ambiguousResultsError) Error() string {
+func (e ambigousResultsError) Error() string {
 	return "network " + string(e) + " is ambiguous"
 }

-func (ambiguousResultsError) InvalidParameter() {}
+func (ambigousResultsError) InvalidParameter() {}

 func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
@@ -145,7 +145,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 			// ex: overlay/partial_ID or name/swarm_scope
 			if nwv, ok := listByPartialID[nwk.ID]; ok {
 				nwk = nwv
-			} else if nwv, ok = listByFullName[nwk.ID]; ok {
+			} else if nwv, ok := listByFullName[nwk.ID]; ok {
 				nwk = nwv
 			}
 			return httputils.WriteJSON(w, http.StatusOK, nwk)
@@ -182,7 +182,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByFullName) > 1 {
-		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on name", len(listByFullName))
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on name", len(listByFullName))
 	}

 	// Find based on partial ID, returns true only if no duplicates
@@ -192,7 +192,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByPartialID) > 1 {
-		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
 	}

 	return libnetwork.ErrNoSuchNetwork(term)
@@ -212,18 +212,11 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		return libnetwork.NetworkNameError(create.Name)
 	}

-	version := httputils.VersionFromContext(ctx)
-
-	// EnableIPv4 was introduced in API 1.48.
-	if versions.LessThan(version, "1.48") {
-		create.EnableIPv4 = nil
-	}
-
 	// For a Swarm-scoped network, this call to backend.CreateNetwork is used to
 	// validate the configuration. The network will not be created but, if the
 	// configuration is valid, ManagerRedirectError will be returned and handled
 	// below.
-	nw, err := n.backend.CreateNetwork(ctx, create)
+	nw, err := n.backend.CreateNetwork(create)
 	if err != nil {
 		if _, ok := err.(libnetwork.ManagerRedirectError); !ok {
 			return err
--- a/api/server/router/plugin/backend.go
+++ b/api/server/router/plugin/backend.go
@@ -1,4 +1,4 @@
-package plugin
+package plugin // import "github.com/docker/docker/api/server/router/plugin"

 import (
 	"context"
--- a/api/server/router/plugin/plugin.go
+++ b/api/server/router/plugin/plugin.go
@@ -1,4 +1,4 @@
-package plugin
+package plugin // import "github.com/docker/docker/api/server/router/plugin"

 import "github.com/docker/docker/api/server/router"

@@ -18,22 +18,22 @@ func NewRouter(b Backend) router.Router {
 }

 // Routes returns the available routers to the plugin controller
-func (pr *pluginRouter) Routes() []router.Route {
-	return pr.routes
+func (r *pluginRouter) Routes() []router.Route {
+	return r.routes
 }

-func (pr *pluginRouter) initRoutes() {
-	pr.routes = []router.Route{
-		router.NewGetRoute("/plugins", pr.listPlugins),
-		router.NewGetRoute("/plugins/{name:.*}/json", pr.inspectPlugin),
-		router.NewGetRoute("/plugins/privileges", pr.getPrivileges),
-		router.NewDeleteRoute("/plugins/{name:.*}", pr.removePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/enable", pr.enablePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/disable", pr.disablePlugin),
-		router.NewPostRoute("/plugins/pull", pr.pullPlugin),
-		router.NewPostRoute("/plugins/{name:.*}/push", pr.pushPlugin),
-		router.NewPostRoute("/plugins/{name:.*}/upgrade", pr.upgradePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/set", pr.setPlugin),
-		router.NewPostRoute("/plugins/create", pr.createPlugin),
+func (r *pluginRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewGetRoute("/plugins", r.listPlugins),
+		router.NewGetRoute("/plugins/{name:.*}/json", r.inspectPlugin),
+		router.NewGetRoute("/plugins/privileges", r.getPrivileges),
+		router.NewDeleteRoute("/plugins/{name:.*}", r.removePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/enable", r.enablePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/disable", r.disablePlugin),
+		router.NewPostRoute("/plugins/pull", r.pullPlugin),
+		router.NewPostRoute("/plugins/{name:.*}/push", r.pushPlugin),
+		router.NewPostRoute("/plugins/{name:.*}/upgrade", r.upgradePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/set", r.setPlugin),
+		router.NewPostRoute("/plugins/create", r.createPlugin),
 	}
 }
--- a/api/server/router/plugin/plugin_routes.go
+++ b/api/server/router/plugin/plugin_routes.go
@@ -1,4 +1,4 @@
-package plugin
+package plugin // import "github.com/docker/docker/api/server/router/plugin"

 import (
 	"context"
--- a/api/server/router/router.go
+++ b/api/server/router/router.go
@@ -1,4 +1,4 @@
-package router
+package router // import "github.com/docker/docker/api/server/router"

 import "github.com/docker/docker/api/server/httputils"

--- a/api/server/router/session/backend.go
+++ b/api/server/router/session/backend.go
@@ -1,4 +1,4 @@
-package session
+package session // import "github.com/docker/docker/api/server/router/session"

 import (
 	"context"
--- a/api/server/router/session/session.go
+++ b/api/server/router/session/session.go
@@ -1,4 +1,4 @@
-package session
+package session // import "github.com/docker/docker/api/server/router/session"

 import "github.com/docker/docker/api/server/router"

@@ -18,12 +18,12 @@ func NewRouter(b Backend) router.Router {
 }

 // Routes returns the available routers to the session controller
-func (sr *sessionRouter) Routes() []router.Route {
-	return sr.routes
+func (r *sessionRouter) Routes() []router.Route {
+	return r.routes
 }

-func (sr *sessionRouter) initRoutes() {
-	sr.routes = []router.Route{
-		router.NewPostRoute("/session", sr.startSession),
+func (r *sessionRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewPostRoute("/session", r.startSession),
 	}
 }
--- a/api/server/router/session/session_routes.go
+++ b/api/server/router/session/session_routes.go
@@ -1,4 +1,4 @@
-package session
+package session // import "github.com/docker/docker/api/server/router/session"

 import (
 	"context"
--- a/api/server/router/swarm/backend.go
+++ b/api/server/router/swarm/backend.go
@@ -1,8 +1,9 @@
-package swarm
+package swarm // import "github.com/docker/docker/api/server/router/swarm"

 import (
 	"context"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
@@ -17,24 +18,24 @@ type Backend interface {
 	Update(uint64, swarm.Spec, swarm.UpdateFlags) error
 	GetUnlockKey() (string, error)
 	UnlockSwarm(req swarm.UnlockRequest) error
-	GetServices(swarm.ServiceListOptions) ([]swarm.Service, error)
+	GetServices(types.ServiceListOptions) ([]swarm.Service, error)
 	GetService(idOrName string, insertDefaults bool) (swarm.Service, error)
 	CreateService(swarm.ServiceSpec, string, bool) (*swarm.ServiceCreateResponse, error)
-	UpdateService(string, uint64, swarm.ServiceSpec, swarm.ServiceUpdateOptions, bool) (*swarm.ServiceUpdateResponse, error)
+	UpdateService(string, uint64, swarm.ServiceSpec, types.ServiceUpdateOptions, bool) (*swarm.ServiceUpdateResponse, error)
 	RemoveService(string) error
 	ServiceLogs(context.Context, *backend.LogSelector, *container.LogsOptions) (<-chan *backend.LogMessage, error)
-	GetNodes(swarm.NodeListOptions) ([]swarm.Node, error)
+	GetNodes(types.NodeListOptions) ([]swarm.Node, error)
 	GetNode(string) (swarm.Node, error)
 	UpdateNode(string, uint64, swarm.NodeSpec) error
 	RemoveNode(string, bool) error
-	GetTasks(swarm.TaskListOptions) ([]swarm.Task, error)
+	GetTasks(types.TaskListOptions) ([]swarm.Task, error)
 	GetTask(string) (swarm.Task, error)
-	GetSecrets(opts swarm.SecretListOptions) ([]swarm.Secret, error)
+	GetSecrets(opts types.SecretListOptions) ([]swarm.Secret, error)
 	CreateSecret(s swarm.SecretSpec) (string, error)
 	RemoveSecret(idOrName string) error
 	GetSecret(id string) (swarm.Secret, error)
 	UpdateSecret(idOrName string, version uint64, spec swarm.SecretSpec) error
-	GetConfigs(opts swarm.ConfigListOptions) ([]swarm.Config, error)
+	GetConfigs(opts types.ConfigListOptions) ([]swarm.Config, error)
 	CreateConfig(s swarm.ConfigSpec) (string, error)
 	RemoveConfig(id string) error
 	GetConfig(id string) (swarm.Config, error)
--- a/api/server/router/swarm/cluster.go
+++ b/api/server/router/swarm/cluster.go
@@ -1,4 +1,4 @@
-package swarm
+package swarm // import "github.com/docker/docker/api/server/router/swarm"

 import "github.com/docker/docker/api/server/router"

--- a/api/server/router/swarm/cluster_routes.go
+++ b/api/server/router/swarm/cluster_routes.go
@@ -1,4 +1,4 @@
-package swarm
+package swarm // import "github.com/docker/docker/api/server/router/swarm"

 import (
 	"context"
@@ -8,6 +8,7 @@ import (

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
+	basictypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -139,7 +140,7 @@ func (sr *swarmRouter) getUnlockKey(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusOK, &types.UnlockKeyResponse{
+	return httputils.WriteJSON(w, http.StatusOK, &basictypes.SwarmUnlockKeyResponse{
 		UnlockKey: unlockKey,
 	})
 }
@@ -165,7 +166,7 @@ func (sr *swarmRouter) getServices(ctx context.Context, w http.ResponseWriter, r
 		}
 	}

-	services, err := sr.backend.GetServices(types.ServiceListOptions{Filters: filter, Status: status})
+	services, err := sr.backend.GetServices(basictypes.ServiceListOptions{Filters: filter, Status: status})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting services")
 		return err
@@ -208,6 +209,10 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	// Get returns "" if the header does not exist
 	encodedAuth := r.Header.Get(registry.AuthHeader)
@@ -236,6 +241,10 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	rawVersion := r.URL.Query().Get("version")
 	version, err := strconv.ParseUint(rawVersion, 10, 64)
@@ -244,7 +253,7 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,
 		return errdefs.InvalidParameter(err)
 	}

-	var flags types.ServiceUpdateOptions
+	var flags basictypes.ServiceUpdateOptions

 	// Get returns "" if the header does not exist
 	flags.EncodedRegistryAuth = r.Header.Get(registry.AuthHeader)
@@ -313,7 +322,7 @@ func (sr *swarmRouter) getNodes(ctx context.Context, w http.ResponseWriter, r *h
 		return err
 	}

-	nodes, err := sr.backend.GetNodes(types.NodeListOptions{Filters: filter})
+	nodes, err := sr.backend.GetNodes(basictypes.NodeListOptions{Filters: filter})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting nodes")
 		return err
@@ -384,7 +393,7 @@ func (sr *swarmRouter) getTasks(ctx context.Context, w http.ResponseWriter, r *h
 		return err
 	}

-	tasks, err := sr.backend.GetTasks(types.TaskListOptions{Filters: filter})
+	tasks, err := sr.backend.GetTasks(basictypes.TaskListOptions{Filters: filter})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting tasks")
 		return err
@@ -415,7 +424,7 @@ func (sr *swarmRouter) getSecrets(ctx context.Context, w http.ResponseWriter, r
 		return err
 	}

-	secrets, err := sr.backend.GetSecrets(types.SecretListOptions{Filters: filters})
+	secrets, err := sr.backend.GetSecrets(basictypes.SecretListOptions{Filters: filters})
 	if err != nil {
 		return err
 	}
@@ -438,7 +447,7 @@ func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &types.SecretCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.SecretCreateResponse{
 		ID: id,
 	})
 }
@@ -486,7 +495,7 @@ func (sr *swarmRouter) getConfigs(ctx context.Context, w http.ResponseWriter, r
 		return err
 	}

-	configs, err := sr.backend.GetConfigs(types.ConfigListOptions{Filters: filters})
+	configs, err := sr.backend.GetConfigs(basictypes.ConfigListOptions{Filters: filters})
 	if err != nil {
 		return err
 	}
@@ -510,7 +519,7 @@ func (sr *swarmRouter) createConfig(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &types.ConfigCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.ConfigCreateResponse{
 		ID: id,
 	})
 }
--- a/api/server/router/swarm/helpers.go
+++ b/api/server/router/swarm/helpers.go
@@ -1,4 +1,4 @@
-package swarm
+package swarm // import "github.com/docker/docker/api/server/router/swarm"

 import (
 	"context"
@@ -22,7 +22,7 @@ func (sr *swarmRouter) swarmLogs(ctx context.Context, w http.ResponseWriter, r *
 	// any error after the stream starts (i.e. container not found, wrong parameters)
 	// with the appropriate status code.
 	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
-	if !stdout && !stderr {
+	if !(stdout || stderr) {
 		return fmt.Errorf("Bad parameters: you must choose at least one stream")
 	}

@@ -151,4 +151,5 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {
 			service.TaskTemplate.ContainerSpec.OomScoreAdj = 0
 		}
 	}
+
 }
--- a/api/server/router/swarm/helpers_test.go
+++ b/api/server/router/swarm/helpers_test.go
@@ -1,4 +1,4 @@
-package swarm
+package swarm // import "github.com/docker/docker/api/server/router/swarm"

 import (
 	"reflect"
--- a/api/server/router/system/backend.go
+++ b/api/server/router/system/backend.go
@@ -1,12 +1,10 @@
-package system
+package system // import "github.com/docker/docker/api/server/router/system"

 import (
 	"context"
 	"time"

 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -14,12 +12,24 @@ import (
 	"github.com/docker/docker/api/types/system"
 )

+// DiskUsageOptions holds parameters for system disk usage query.
+type DiskUsageOptions struct {
+	// Containers controls whether container disk usage should be computed.
+	Containers bool
+
+	// Images controls whether image disk usage should be computed.
+	Images bool
+
+	// Volumes controls whether volume disk usage should be computed.
+	Volumes bool
+}
+
 // Backend is the methods that need to be implemented to provide
 // system specific functionality.
 type Backend interface {
 	SystemInfo(context.Context) (*system.Info, error)
 	SystemVersion(context.Context) (types.Version, error)
-	SystemDiskUsage(ctx context.Context, opts backend.DiskUsageOptions) (*backend.DiskUsage, error)
+	SystemDiskUsage(ctx context.Context, opts DiskUsageOptions) (*types.DiskUsage, error)
 	SubscribeToEvents(since, until time.Time, ef filters.Args) ([]events.Message, chan interface{})
 	UnsubscribeFromEvents(chan interface{})
 	AuthenticateToRegistry(ctx context.Context, authConfig *registry.AuthConfig) (string, string, error)
@@ -31,11 +41,6 @@ type ClusterBackend interface {
 	Info(context.Context) swarm.Info
 }

-// BuildBackend provides build specific system information.
-type BuildBackend interface {
-	DiskUsage(context.Context) ([]*build.CacheRecord, error)
-}
-
 // StatusProvider provides methods to get the swarm status of the current node.
 type StatusProvider interface {
 	Status() string
--- a/api/server/router/system/info_response.go
+++ b/api/server/router/system/info_response.go
@@ -1,39 +0,0 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package system
-
-import (
-	"encoding/json"
-
-	"github.com/docker/docker/api/types/system"
-)
-
-// infoResponse is a wrapper around [system.Info] with a custom
-// marshal function for legacy fields.
-type infoResponse struct {
-	*system.Info
-
-	// extraFields is for internal use to include deprecated fields on older API versions.
-	extraFields map[string]any
-}
-
-// MarshalJSON implements a custom marshaler to include legacy fields
-// in API responses.
-func (sc *infoResponse) MarshalJSON() ([]byte, error) {
-	type tmp *system.Info
-	base, err := json.Marshal((tmp)(sc.Info))
-	if err != nil {
-		return nil, err
-	}
-	if len(sc.extraFields) == 0 {
-		return base, nil
-	}
-	var merged map[string]any
-	_ = json.Unmarshal(base, &merged)
-
-	for k, v := range sc.extraFields {
-		merged[k] = v
-	}
-	return json.Marshal(merged)
-}
--- a/api/server/router/system/info_response_test.go
+++ b/api/server/router/system/info_response_test.go
@@ -1,33 +0,0 @@
-package system
-
-import (
-	"encoding/json"
-	"strings"
-	"testing"
-
-	"github.com/docker/docker/api/types/system"
-)
-
-func TestLegacyFields(t *testing.T) {
-	infoResp := &infoResponse{
-		Info: &system.Info{
-			Containers: 10,
-		},
-		extraFields: map[string]any{
-			"LegacyFoo": false,
-			"LegacyBar": true,
-		},
-	}
-
-	data, err := json.MarshalIndent(infoResp, "", "  ")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if expected := `"LegacyFoo": false`; !strings.Contains(string(data), expected) {
-		t.Errorf("legacy fields should contain %s: %s", expected, string(data))
-	}
-	if expected := `"LegacyBar": true`; !strings.Contains(string(data), expected) {
-		t.Errorf("legacy fields should contain %s: %s", expected, string(data))
-	}
-}
--- a/api/server/router/system/system.go
+++ b/api/server/router/system/system.go
@@ -1,10 +1,12 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
+//go:build go1.21

-package system
+package system // import "github.com/docker/docker/api/server/router/system"

 import (
 	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/api/types/system"
+	buildkit "github.com/docker/docker/builder/builder-next"
 	"resenje.org/singleflight"
 )

@@ -14,17 +16,17 @@ type systemRouter struct {
 	backend  Backend
 	cluster  ClusterBackend
 	routes   []router.Route
-	builder  BuildBackend
+	builder  *buildkit.Builder
 	features func() map[string]bool

 	// collectSystemInfo is a single-flight for the /info endpoint,
 	// unique per API version (as different API versions may return
 	// a different API response).
-	collectSystemInfo singleflight.Group[string, *infoResponse]
+	collectSystemInfo singleflight.Group[string, *system.Info]
 }

 // NewRouter initializes a new system router
-func NewRouter(b Backend, c ClusterBackend, builder BuildBackend, features func() map[string]bool) router.Router {
+func NewRouter(b Backend, c ClusterBackend, builder *buildkit.Builder, features func() map[string]bool) router.Router {
 	r := &systemRouter{
 		backend:  b,
 		cluster:  c,
--- a/api/server/router/system/system_routes.go
+++ b/api/server/router/system/system_routes.go
@@ -1,7 +1,4 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package system
+package system // import "github.com/docker/docker/api/server/router/system"

 import (
 	"context"
@@ -14,8 +11,6 @@ import (
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/server/router/build"
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
-	buildtypes "github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -64,7 +59,7 @@ func (s *systemRouter) swarmStatus() string {

 func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	version := httputils.VersionFromContext(ctx)
-	info, _, _ := s.collectSystemInfo.Do(ctx, version, func(ctx context.Context) (*infoResponse, error) {
+	info, _, _ := s.collectSystemInfo.Do(ctx, version, func(ctx context.Context) (*system.Info, error) {
 		info, err := s.backend.SystemInfo(ctx)
 		if err != nil {
 			return nil, err
@@ -86,6 +81,7 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 				nameOnly = append(nameOnly, so.Name)
 			}
 			info.SecurityOptions = nameOnly
+			info.ExecutionDriver = "<not supported>" //nolint:staticcheck // ignore SA1019 (ExecutionDriver is deprecated)
 		}
 		if versions.LessThan(version, "1.39") {
 			if info.KernelVersion == "" {
@@ -105,43 +101,11 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 			// Containerd field introduced in API v1.46.
 			info.Containerd = nil
 		}
-		if versions.LessThan(version, "1.47") {
-			// Field is omitted in API 1.48 and up, but should still be included
-			// in older versions, even if no values are set.
-			info.RegistryConfig.ExtraFields = map[string]any{
-				"AllowNondistributableArtifactsCIDRs":     json.RawMessage(nil),
-				"AllowNondistributableArtifactsHostnames": json.RawMessage(nil),
-			}
-		}
-		if versions.LessThan(version, "1.49") {
-			// FirewallBackend field introduced in API v1.49.
-			info.FirewallBackend = nil
-		}
-
-		extraFields := map[string]any{}
-		if versions.LessThan(version, "1.49") {
-			// Expected commits are omitted in API 1.49, but should still be
-			// included in older versions.
-			info.ContainerdCommit.Expected = info.ContainerdCommit.ID //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-			info.RuncCommit.Expected = info.RuncCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-			info.InitCommit.Expected = info.InitCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-		}
 		if versions.GreaterThanOrEqualTo(version, "1.42") {
 			info.KernelMemory = false
 		}
-		if versions.LessThan(version, "1.50") {
-			info.DiscoveredDevices = nil
-
-			// These fields are omitted in > API 1.49, and always false
-			// older API versions.
-			extraFields = map[string]any{
-				"BridgeNfIptables":  json.RawMessage("false"),
-				"BridgeNfIp6tables": json.RawMessage("false"),
-			}
-		}
-		return &infoResponse{Info: info, extraFields: extraFields}, nil
+		return info, nil
 	})
-
 	return httputils.WriteJSON(w, http.StatusOK, info)
 }

@@ -184,11 +148,11 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,

 	eg, ctx := errgroup.WithContext(ctx)

-	var systemDiskUsage *backend.DiskUsage
+	var systemDiskUsage *types.DiskUsage
 	if getContainers || getImages || getVolumes {
 		eg.Go(func() error {
 			var err error
-			systemDiskUsage, err = s.backend.SystemDiskUsage(ctx, backend.DiskUsageOptions{
+			systemDiskUsage, err = s.backend.SystemDiskUsage(ctx, DiskUsageOptions{
 				Containers: getContainers,
 				Images:     getImages,
 				Volumes:    getVolumes,
@@ -197,7 +161,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 		})
 	}

-	var buildCache []*buildtypes.CacheRecord
+	var buildCache []*types.BuildCache
 	if getBuildCache {
 		eg.Go(func() error {
 			var err error
@@ -208,7 +172,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 			if buildCache == nil {
 				// Ensure empty `BuildCache` field is represented as empty JSON array(`[]`)
 				// instead of `null` to be consistent with `Images`, `Containers` etc.
-				buildCache = []*buildtypes.CacheRecord{}
+				buildCache = []*types.BuildCache{}
 			}
 			return nil
 		})
@@ -233,42 +197,23 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 			b.Parent = "" //nolint:staticcheck // ignore SA1019 (Parent field is deprecated)
 		}
 	}
-	if versions.LessThan(version, "1.44") && systemDiskUsage != nil && systemDiskUsage.Images != nil {
-		for _, b := range systemDiskUsage.Images.Items {
+	if versions.LessThan(version, "1.44") {
+		for _, b := range systemDiskUsage.Images {
 			b.VirtualSize = b.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
 		}
 	}

-	du := backend.DiskUsage{}
-	if getBuildCache {
-		du.BuildCache = &buildtypes.CacheDiskUsage{
-			TotalSize: builderSize,
-			Items:     buildCache,
-		}
+	du := types.DiskUsage{
+		BuildCache:  buildCache,
+		BuilderSize: builderSize,
 	}
 	if systemDiskUsage != nil {
+		du.LayersSize = systemDiskUsage.LayersSize
 		du.Images = systemDiskUsage.Images
 		du.Containers = systemDiskUsage.Containers
 		du.Volumes = systemDiskUsage.Volumes
 	}
-
-	// Use the old struct for the API return value.
-	var v types.DiskUsage
-	if du.Images != nil {
-		v.LayersSize = du.Images.TotalSize
-		v.Images = du.Images.Items
-	}
-	if du.Containers != nil {
-		v.Containers = du.Containers.Items
-	}
-	if du.Volumes != nil {
-		v.Volumes = du.Volumes.Items
-	}
-	if du.BuildCache != nil {
-		v.BuildCache = du.BuildCache.Items
-	}
-	v.BuilderSize = builderSize
-	return httputils.WriteJSON(w, http.StatusOK, v)
+	return httputils.WriteJSON(w, http.StatusOK, du)
 }

 type invalidRequestError struct {
--- a/api/server/router/volume/backend.go
+++ b/api/server/router/volume/backend.go
@@ -1,4 +1,4 @@
-package volume
+package volume // import "github.com/docker/docker/api/server/router/volume"

 import (
 	"context"
--- a/api/server/router/volume/volume.go
+++ b/api/server/router/volume/volume.go
@@ -1,4 +1,4 @@
-package volume
+package volume // import "github.com/docker/docker/api/server/router/volume"

 import "github.com/docker/docker/api/server/router"

@@ -20,21 +20,21 @@ func NewRouter(b Backend, cb ClusterBackend) router.Router {
 }

 // Routes returns the available routes to the volumes controller
-func (v *volumeRouter) Routes() []router.Route {
-	return v.routes
+func (r *volumeRouter) Routes() []router.Route {
+	return r.routes
 }

-func (v *volumeRouter) initRoutes() {
-	v.routes = []router.Route{
+func (r *volumeRouter) initRoutes() {
+	r.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/volumes", v.getVolumesList),
-		router.NewGetRoute("/volumes/{name:.*}", v.getVolumeByName),
+		router.NewGetRoute("/volumes", r.getVolumesList),
+		router.NewGetRoute("/volumes/{name:.*}", r.getVolumeByName),
 		// POST
-		router.NewPostRoute("/volumes/create", v.postVolumesCreate),
-		router.NewPostRoute("/volumes/prune", v.postVolumesPrune),
+		router.NewPostRoute("/volumes/create", r.postVolumesCreate),
+		router.NewPostRoute("/volumes/prune", r.postVolumesPrune),
 		// PUT
-		router.NewPutRoute("/volumes/{name:.*}", v.putVolumesUpdate),
+		router.NewPutRoute("/volumes/{name:.*}", r.putVolumesUpdate),
 		// DELETE
-		router.NewDeleteRoute("/volumes/{name:.*}", v.deleteVolumes),
+		router.NewDeleteRoute("/volumes/{name:.*}", r.deleteVolumes),
 	}
 }
--- a/api/server/router/volume/volume_routes.go
+++ b/api/server/router/volume/volume_routes.go
@@ -1,4 +1,4 @@
-package volume
+package volume // import "github.com/docker/docker/api/server/router/volume"

 import (
 	"context"
@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"strconv"

-	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/filters"
@@ -70,7 +69,7 @@ func (v *volumeRouter) getVolumeByName(ctx context.Context, w http.ResponseWrite
 	// if the volume is not found in the regular volume backend, and the client
 	// is using an API version greater than 1.42 (when cluster volumes were
 	// introduced), then check if Swarm has the volume.
-	if cerrdefs.IsNotFound(err) && versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
+	if errdefs.IsNotFound(err) && versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
 		swarmVol, err := v.cluster.GetVolume(vars["name"])
 		// if swarm returns an error and that error indicates that swarm is not
 		// initialized, return original NotFound error. Otherwise, we'd return
@@ -165,7 +164,7 @@ func (v *volumeRouter) deleteVolumes(ctx context.Context, w http.ResponseWriter,
 	// errors at this stage. Note that no "not found" error is produced if
 	// "force" is enabled.
 	err := v.backend.Remove(ctx, vars["name"], opts.WithPurgeOnError(force))
-	if err != nil && !cerrdefs.IsNotFound(err) {
+	if err != nil && !errdefs.IsNotFound(err) {
 		return err
 	}

@@ -173,7 +172,7 @@ func (v *volumeRouter) deleteVolumes(ctx context.Context, w http.ResponseWriter,
 	// is enabled, the volume backend won't return an error for non-existing
 	// volumes, so we don't know if removal succeeded (or not volume existed).
 	// In that case we always try to delete cluster volumes as well.
-	if cerrdefs.IsNotFound(err) || force {
+	if errdefs.IsNotFound(err) || force {
 		version := httputils.VersionFromContext(ctx)
 		if versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
 			err = v.cluster.RemoveVolume(vars["name"], force)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sebastiaan van Stijn	662f78c0b1	Merge pull request #48090 from thaJeztah/27.0_backport_48067_fix_specific_ipv6_portmap_proxy_to_ipv4 [27.0 backport] Fix incorrect validation of port mapping	2024-06-28 23:16:49 +02:00
Sebastiaan van Stijn	b86d9bdaf3	Merge pull request #48086 from thaJeztah/27.0_backport_fix_rootless_pull [27.0 backport] daemon/graphdriver/overlay2: set TarOptions.InUserNS for native differ (fix "failed to Lchown "/dev/console")	2024-06-28 22:40:07 +02:00
Sebastiaan van Stijn	0dbc3ac59e	Merge pull request #48087 from thaJeztah/27.0_backport_gofmt [27.0 backport] fix some gofmt issues reported by goreportcard	2024-06-28 21:11:01 +02:00
Rob Murray	276a648ec3	Fix incorrect validation of port mapping Regression introduced in `01eecb6`. A port mapping from a specific IPv6 host address can be used by a container on an IPv4-only network, docker-proxy makes the connection. Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit `dfbcddb9f5`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 21:07:29 +02:00
Sebastiaan van Stijn	22aa07b28f	Merge pull request #48089 from robmry/backport-27.0/48069_fix_overlapping_subnets [27.0 backport] Fix duplicate subnet allocations	2024-06-28 18:26:59 +02:00
Rob Murray	23b8b023dd	Fix duplicate subnet allocations Keep allocated subnets in-order, so that they're not mistakenly reallocated due to a gap in the list where misplaced subnets should have been. Introduced in `9d288b5`. The iterator over allocated subnets was incremented too early, this change moves it past three clauses in addrSpace.allocatePredefinedPool(). The three new unit tests correspond to a separate failure caused by incrementing before each of them. (cherry picked from commit `4de54ee14c`) Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-06-28 16:24:47 +01:00
Sebastiaan van Stijn	bf222d635b	fix some gofmt issues reported by goreportcard https://goreportcard.com/report/github.com/docker/docker Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `6ada1cff02`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 16:48:01 +02:00
Sebastiaan van Stijn	f8231b52d3	daemon/graphdriver/overlay2: set TarOptions.InUserNS for native differ Commits `b2fd67de77` (and the follow-up commit `f6b80253b8`) updated doesSupportNativeDiff to detect whether the host can support native overlay diffing with userns enabled. As a result, [useNaiveDiff] would now return "false" in cases where it previously would return "true" (and thus skip). However, [overlay2], unlike [fuse-overlay] did not take user namespaces into account, when using the native differ, and it therefore did not set the InUserNS option in TarOptions. As a result pkg/archive.createTarFile would attempt tocreate [device-nodes] through [handleTarTypeBlockCharFifo] which would fail, but the resulting error `EPERM` would be discarded, and `createTarFile` would not return early, therefor attempting to [os.LChown] the missing file, ultimately resulting in an error: failed to Lchown "/dev/console" for UID 0, GID 0: lchown /dev/console: no such file or directory This patch fixes the missing option in overlay. [useNaiveDiff]: `47eebd718f/daemon/graphdriver/overlay2/overlay.go (L248-L256)` [overlay2]: `47eebd718f/daemon/graphdriver/overlay2/overlay.go (L684-L689)` [fuse-overlay]: `47eebd718f/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go (L456-L462)` [device-nodes]: `ff1e2c0de7/pkg/archive/archive.go (L713-L720)` [handleTarTypeBlockCharFifo]: `47eebd718f/pkg/archive/archive_unix.go (L110-L114)` [os.LChown]: `ff1e2c0de7/pkg/archive/archive.go (L762-L773)` Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `6521057bb2`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 16:31:54 +02:00
Sebastiaan van Stijn	b951474404	pkg/archive: createTarFile: consistently use the same value for userns createTarFile accepts a opts (TarOptions) argument to specify whether userns is enabled; whe should consider always detecting locally, but at least make sure we're consistently working with the same value within this function. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `969993a729`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 16:31:53 +02:00
Sebastiaan van Stijn	c5794e23ec	pkg/archive: handleTarTypeBlockCharFifo: don't discard EPERM errors This function was discarding EPERM errors if it detected that userns was enabled; move such checks to the caller-site, so that they can decide how to handle the error (which, in case of userns may be to log and ignore). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `379ce56cd8`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 16:31:53 +02:00
Sebastiaan van Stijn	02e24483be	pkg/archive: getWhiteoutConverter: don't error with userns enabled Since `838047a1f5`, the overlayWhiteoutConverter is supported with userns enabled, so we no longer need this check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `af85e47343`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-28 16:31:53 +02:00
Sebastiaan van Stijn	b70040a8fc	Merge pull request #48074 from vvoland/v27.0-48073 [27.0 backport] Dockerfile: update compose to v2.28.1, update cli to v27.0.2	2024-06-27 18:00:44 +02:00
Paweł Gronowski	838330bac3	Dockerfile: update docker CLI to v27.0.2 Update the Docker CLI used in the dev-container full diff: https://github.com/docker/cli/compare/v26.1.0...v27.0.2 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `3928165cf7`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-06-27 14:55:28 +02:00
Paweł Gronowski	e419e22f29	Dockerfile: update compose to v2.28.1 Update the compose cli plugin used in the dev-container full diff: https://github.com/docker/cli/compare/v2.27.1...v2.28.1 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `790035f754`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-06-27 14:55:26 +02:00
Paweł Gronowski	e953d76450	Merge pull request #48060 from thaJeztah/27.0_backport_api_deprecate_ContainerJSONBase_Node [27.0 backport] api/types: deprecate ContainerJSONBase.Node, ContainerNode	2024-06-26 20:30:43 +02:00
Paweł Gronowski	861fde8cc9	Merge pull request #48061 from thaJeztah/27_backport_bump_golangci_lint [27.0 backport] update golangci-lint to v1.59.1	2024-06-26 19:14:38 +02:00
Sebastiaan van Stijn	3557077867	update golangci-lint to v1.59.1 full diff: https://github.com/golangci/golangci-lint/compare/v1.55.2...v1.59.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `95fae036ae`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-26 14:09:41 +02:00
Sebastiaan van Stijn	c95b917167	pkg/archive: reformat code to make #nosec comment work again Looks like the way it picks up #nosec comments changed, causing the linter error to re-appear; pkg/archive/archive_linux.go:57:17: G305: File traversal when extracting zip/tar archive (gosec) Name: filepath.Join(hdr.Name, WhiteoutOpaqueDir), ^ Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `d4160d5aa7`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-26 14:09:41 +02:00
Sebastiaan van Stijn	c0ff08acbd	builder/remotecontext: reformat code to make #nosec comment work again Looks like the way it picks up #nosec comments changed, causing the linter error to re-appear; builder/remotecontext/remote.go:48:17: G107: Potential HTTP request made with variable url (gosec) if resp, err = http.Get(address); err != nil { ^ Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `04bf0e3d69`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-26 14:09:41 +02:00
Sebastiaan van Stijn	4587688258	api/types: deprecate ContainerJSONBase.Node, ContainerNode The `Node` field and related `ContainerNode` type were used by the classic (standalone) Swarm API. API documentation for this field was already removed in `234d5a78fe` (API 1.41 / docker 20.10), and as the Docker Engine didn't implement these fields for the Swarm API, it would always have been unset / nil. Let's do a quick deprecation, and remove it on the next release. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `1fc9236119`) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-06-26 14:05:47 +02:00