Merge commit from fork

[24.0] AuthZ plugin security fixes

.github/workflows/.windows.yml

@@ -15,7 +15,7 @@ on:
         default: false
 
 env:
-  GO_VERSION: "1.20.5"
+  GO_VERSION: "1.20.13"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.3
   WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore

.github/workflows/bin-image.yml

@@ -15,13 +15,16 @@ on:
   pull_request:
 
 env:
-  PLATFORM: Moby Engine
-  PRODUCT: Moby
-  DEFAULT_PRODUCT_LICENSE: Moby
-  PACKAGER_NAME: Moby
+  MOBYBIN_REPO_SLUG: moby/moby-bin
+  DOCKER_GITCOMMIT: ${{ github.sha }}
+  VERSION: ${{ github.ref }}
+  PLATFORM: Moby Engine - Nightly
+  PRODUCT: moby-bin
+  PACKAGER_NAME: The Moby Project
 
 jobs:
   validate-dco:
+    if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
     uses: ./.github/workflows/.dco.yml
 
   prepare:
@@ -32,17 +35,13 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
-      -
-        name: Create platforms matrix
-        id: platforms
-        run: |
-          echo "matrix=$(docker buildx bake bin-image-cross --print | jq -cr '.target."bin-image-cross".platforms')" >>${GITHUB_OUTPUT}
       -
         name: Docker meta
         id: meta
         uses: docker/metadata-action@v4
         with:
-          images: moby-bin
+          images: |
+            ${{ env.MOBYBIN_REPO_SLUG }}
           ### versioning strategy
           ## push semver tag v23.0.0
           # moby/moby-bin:23.0.0
@@ -53,10 +52,13 @@ jobs:
           # moby/moby-bin:master
           ## push on 23.0 branch
           # moby/moby-bin:23.0
+          ## any push
+          # moby/moby-bin:sha-ad132f5
           tags: |
             type=semver,pattern={{version}}
             type=ref,event=branch
             type=ref,event=pr
+            type=sha
       -
         name: Rename meta bake definition file
         run: |
@@ -69,12 +71,18 @@ jobs:
           path: /tmp/bake-meta.json
           if-no-files-found: error
           retention-days: 1
+      -
+        name: Create platforms matrix
+        id: platforms
+        run: |
+          echo "matrix=$(docker buildx bake bin-image-cross --print | jq -cr '.target."bin-image-cross".platforms')" >>${GITHUB_OUTPUT}
 
   build:
     runs-on: ubuntu-20.04
     needs:
       - validate-dco
       - prepare
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
     strategy:
       fail-fast: false
       matrix:
@@ -97,9 +105,17 @@ jobs:
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_MOBYBIN_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_MOBYBIN_TOKEN }}
       -
         name: Build
-        uses: docker/bake-action@v2
+        id: bake
+        uses: docker/bake-action@v3
         with:
           files: |
             ./docker-bake.hcl
@@ -107,4 +123,61 @@ jobs:
           targets: bin-image
           set: |
             *.platform=${{ matrix.platform }}
-            *.output=type=cacheonly
+            *.output=type=image,name=${{ env.MOBYBIN_REPO_SLUG }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
+            *.tags=
+      -
+        name: Export digest
+        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ fromJSON(steps.bake.outputs.metadata)['bin-image']['containerimage.digest'] }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      -
+        name: Upload digest
+        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
+        uses: actions/upload-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-20.04
+    needs:
+      - build
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
+    steps:
+      -
+        name: Download meta bake definition
+        uses: actions/download-artifact@v3
+        with:
+          name: bake-meta
+          path: /tmp
+      -
+        name: Download digests
+        uses: actions/download-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_MOBYBIN_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_MOBYBIN_TOKEN }}
+      -
+        name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          set -x
+          docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map("-t " + .) | join(" ")' /tmp/bake-meta.json) \
+            $(printf '${{ env.MOBYBIN_REPO_SLUG }}@sha256:%s ' *)
+      -
+        name: Inspect image
+        run: |
+          set -x
+          docker buildx imagetools inspect ${{ env.MOBYBIN_REPO_SLUG }}:$(jq -cr '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)

.github/workflows/buildkit.yml

@@ -13,6 +13,8 @@ on:
   pull_request:
 
 env:
+  ALPINE_VERSION: "3.18"
+  GO_VERSION: "1.20.12"
   DESTDIR: ./build
 
 jobs:
@@ -47,8 +49,6 @@ jobs:
   test:
     runs-on: ubuntu-20.04
     timeout-minutes: 120
-    env:
-      BUILDKIT_REPO: moby/buildkit
     needs:
       - build
     strategy:
@@ -82,7 +82,7 @@ jobs:
       -
         name: BuildKit ref
         run: |
-          echo "BUILDKIT_REF=$(./hack/buildkit-ref)" >> $GITHUB_ENV
+          echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
         working-directory: moby
       -
         name: Checkout BuildKit ${{ env.BUILDKIT_REF }}

.github/workflows/ci.yml

@@ -10,8 +10,6 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
-    tags:
-      - 'v*'
   pull_request:
 
 env:

.github/workflows/test.yml

@@ -10,12 +10,10 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
-    tags:
-      - 'v*'
   pull_request:
 
 env:
-  GO_VERSION: "1.20.5"
+  GO_VERSION: "1.20.13"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.3
   ITG_CLI_MATRIX_SIZE: 6
@@ -166,6 +164,7 @@ jobs:
 
   unit-report:
     runs-on: ubuntu-20.04
+    timeout-minutes: 10
     if: always()
     needs:
       - unit
@@ -354,6 +353,7 @@ jobs:
 
   integration-report:
     runs-on: ubuntu-20.04
+    timeout-minutes: 10
     if: always()
     needs:
       - integration
@@ -482,6 +482,7 @@ jobs:
 
   integration-cli-report:
     runs-on: ubuntu-20.04
+    timeout-minutes: 10
     if: always()
     needs:
       - integration-cli

CONTRIBUTING.md

@@ -422,6 +422,6 @@ The rules:
     guidelines. Since you've read all the rules, you now know that.
 
 If you are having trouble getting into the mood of idiomatic Go, we recommend
-reading through [Effective Go](https://golang.org/doc/effective_go.html). The
-[Go Blog](https://blog.golang.org) is also a great resource. Drinking the
+reading through [Effective Go](https://go.dev/doc/effective_go). The
+[Go Blog](https://go.dev/blog/) is also a great resource. Drinking the
 kool-aid is a lot easier than going thirsty.

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20.5
+ARG GO_VERSION=1.20.13
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.2.1
@@ -12,7 +12,7 @@ ARG DOCKERCLI_VERSION=v24.0.2
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
-ARG BUILDX_VERSION=0.11.0
+ARG BUILDX_VERSION=0.11.2
 
 ARG SYSTEMD="false"
 ARG DEBIAN_FRONTEND=noninteractive
@@ -33,8 +33,7 @@ FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
 COPY --from=xx / /
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 ARG APT_MIRROR
-RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
- && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
+RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir|deb|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list || true
 ARG DEBIAN_FRONTEND
 RUN apt-get update && apt-get install --no-install-recommends -y file
 ENV GO111MODULE=off
@@ -181,7 +180,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM base AS gowinres
 # GOWINRES_VERSION defines go-winres tool version
-ARG GOWINRES_VERSION=v0.3.0
+ARG GOWINRES_VERSION=v0.3.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
         GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
@@ -198,7 +197,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.1
+ARG CONTAINERD_VERSION=v1.7.13
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS containerd-build
@@ -229,7 +228,7 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd
 
 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.51.2
+ARG GOLANGCI_LINT_VERSION=v1.55.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
         GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
@@ -251,11 +250,11 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM base AS dockercli
 WORKDIR /go/src/github.com/docker/cli
-COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
 ARG DOCKERCLI_REPOSITORY
 ARG DOCKERCLI_VERSION
 ARG TARGETPLATFORM
-RUN --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
+RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
+    --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
     --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
         rm -f ./.git/*.lock \
      && /download-or-build-cli.sh ${DOCKERCLI_VERSION} ${DOCKERCLI_REPOSITORY} /build \
@@ -263,12 +262,12 @@ RUN --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./
 
 FROM base AS dockercli-integration
 WORKDIR /go/src/github.com/docker/cli
-COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
 ARG DOCKERCLI_INTEGRATION_REPOSITORY
 ARG DOCKERCLI_INTEGRATION_VERSION
 ARG TARGETPLATFORM
-RUN --mount=type=cache,id=dockercli-integration-git-$TARGETPLATFORM,sharing=locked,target=./.git \
-    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-integration-build-$TARGETPLATFORM \
+RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
+    --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
+    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
         rm -f ./.git/*.lock \
      && /download-or-build-cli.sh ${DOCKERCLI_INTEGRATION_VERSION} ${DOCKERCLI_INTEGRATION_REPOSITORY} /build \
      && /build/docker --version
@@ -281,7 +280,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.1.7
+ARG RUNC_VERSION=v1.1.12
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS runc-build
@@ -345,8 +344,8 @@ FROM tini-${TARGETOS} AS tini
 FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
-# When updating, also update rootlesskit commit in vendor.mod accordingly.
-ARG ROOTLESSKIT_VERSION=v1.1.0
+# When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
+ARG ROOTLESSKIT_VERSION=v1.1.1
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS rootlesskit-build
@@ -369,8 +368,8 @@ RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
   xx-go build -o /build/rootlesskit-docker-proxy -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit-docker-proxy
   xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit-docker-proxy
 EOT
-COPY ./contrib/dockerd-rootless.sh /build/
-COPY ./contrib/dockerd-rootless-setuptool.sh /build/
+COPY --link ./contrib/dockerd-rootless.sh /build/
+COPY --link ./contrib/dockerd-rootless-setuptool.sh /build/
 
 FROM rootlesskit-build AS rootlesskit-linux
 FROM binary-dummy AS rootlesskit-windows
@@ -600,7 +599,7 @@ RUN <<EOT
     XX_CC_PREFER_LINKER=ld xx-clang --setup-target-triple
   fi
 EOT
-RUN --mount=type=bind,target=. \
+RUN --mount=type=bind,target=.,rw \
     --mount=type=tmpfs,target=cli/winresources/dockerd \
     --mount=type=tmpfs,target=cli/winresources/docker-proxy \
     --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT

Dockerfile.e2e

@@ -1,84 +0,0 @@
-ARG GO_VERSION=1.20.4
-
-FROM golang:${GO_VERSION}-alpine AS base
-ENV GO111MODULE=off
-RUN apk --no-cache add \
-    bash \
-    build-base \
-    curl \
-    lvm2-dev \
-    jq
-
-RUN mkdir -p /build/
-RUN mkdir -p /go/src/github.com/docker/docker/
-WORKDIR /go/src/github.com/docker/docker/
-
-FROM base AS frozen-images
-# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
-COPY contrib/download-frozen-image-v2.sh /
-RUN /download-frozen-image-v2.sh /build \
-        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
-        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
-        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
-        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
-        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
-# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
-
-FROM base AS dockercli
-COPY hack/dockerfile/install/install.sh ./install.sh
-COPY hack/dockerfile/install/dockercli.installer ./
-RUN PREFIX=/build ./install.sh dockercli
-
-# TestDockerCLIBuildSuite dependency
-FROM base AS contrib
-COPY contrib/syscall-test           /build/syscall-test
-COPY contrib/httpserver/Dockerfile  /build/httpserver/Dockerfile
-COPY contrib/httpserver             contrib/httpserver
-RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver
-
-# Build the integration tests and copy the resulting binaries to /build/tests
-FROM base AS builder
-
-# Set tag and add sources
-COPY . .
-# Copy test sources tests that use assert can print errors
-RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;
-# Build and install test binaries
-ARG DOCKER_GITCOMMIT=undefined
-RUN hack/make.sh build-integration-test-binary
-RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;
-
-## Generate testing image
-FROM alpine:3.10 as runner
-
-ENV DOCKER_REMOTE_DAEMON=1
-ENV DOCKER_INTEGRATION_DAEMON_DEST=/
-ENTRYPOINT ["/scripts/run.sh"]
-
-# Add an unprivileged user to be used for tests which need it
-RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash
-
-# GNU tar is used for generating the emptyfs image
-RUN apk --no-cache add \
-    bash \
-    ca-certificates \
-    g++ \
-    git \
-    inetutils-ping \
-    iptables \
-    libcap2-bin \
-    pigz \
-    tar \
-    xz
-
-COPY hack/test/e2e-run.sh           /scripts/run.sh
-COPY hack/make/.build-empty-images  /scripts/build-empty-images.sh
-
-COPY integration/testdata       /tests/integration/testdata
-COPY integration/build/testdata /tests/integration/build/testdata
-COPY integration-cli/fixtures   /tests/integration-cli/fixtures
-
-COPY --from=frozen-images /build/ /docker-frozen-images
-COPY --from=dockercli     /build/ /usr/bin/
-COPY --from=contrib       /build/ /tests/contrib/
-COPY --from=builder       /build/ /

Dockerfile.simple

@@ -5,7 +5,7 @@
 
 # This represents the bare minimum required to build and test Docker.
 
-ARG GO_VERSION=1.20.5
+ARG GO_VERSION=1.20.13
 
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
@@ -13,9 +13,9 @@ ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 FROM ${GOLANG_IMAGE}
 ENV GO111MODULE=off
 
-# allow replacing httpredir or deb mirror
-ARG APT_MIRROR=deb.debian.org
-RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list
+# allow replacing debian mirror
+ARG APT_MIRROR
+RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir|deb|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list || true
 
 # Compile and runtime deps
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies

Dockerfile.windows

@@ -165,10 +165,10 @@ FROM microsoft/windowsservercore
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ARG GO_VERSION=1.20.5
+ARG GO_VERSION=1.20.13
 ARG GOTESTSUM_VERSION=v1.8.2
-ARG GOWINRES_VERSION=v0.3.0
-ARG CONTAINERD_VERSION=v1.7.1
+ARG GOWINRES_VERSION=v0.3.1
+ARG CONTAINERD_VERSION=v1.7.13
 
 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -224,7 +224,7 @@ RUN `
   `
   Write-Host INFO: Downloading go...; `
   $dlGoVersion=$Env:GO_VERSION -replace '\.0$',''; `
-  Download-File "https://golang.org/dl/go${dlGoVersion}.windows-amd64.zip" C:\go.zip; `
+  Download-File "https://go.dev/dl/go${dlGoVersion}.windows-amd64.zip" C:\go.zip; `
   `
   Write-Host INFO: Downloading compiler 1 of 3...; `
   Download-File https://raw.githubusercontent.com/moby/docker-tdmgcc/master/gcc.zip C:\gcc.zip; `

Jenkinsfile

@@ -9,15 +9,12 @@ pipeline {
     }
     parameters {
         booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test')
-        booleanParam(name: 's390x', defaultValue: false, description: 'IBM Z (s390x) Build/Test')
-        booleanParam(name: 'ppc64le', defaultValue: false, description: 'PowerPC (ppc64le) Build/Test')
         booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check')
     }
     environment {
         DOCKER_BUILDKIT     = '1'
         DOCKER_EXPERIMENTAL = '1'
         DOCKER_GRAPHDRIVER  = 'overlay2'
-        APT_MIRROR          = 'cdn-fastly.deb.debian.org'
         CHECK_CONFIG_COMMIT = '33a3680e08d1007e72c3b3f1454f823d8e9948ee'
         TESTDEBUG           = '0'
         TIMEOUT             = '120m'
@@ -52,406 +49,6 @@ pipeline {
         }
         stage('Build') {
             parallel {
-                stage('s390x') {
-                    when {
-                        beforeAgent true
-                        // Skip this stage on PRs unless the checkbox is selected
-                        anyOf {
-                            not { changeRequest() }
-                            expression { params.s390x }
-                        }
-                    }
-                    agent { label 's390x-ubuntu-2004' }
-
-                    stages {
-                        stage("Print info") {
-                            steps {
-                                sh 'docker version'
-                                sh 'docker info'
-                                sh '''
-                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
-                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
-                                && bash ${WORKSPACE}/check-config.sh || true
-                                '''
-                            }
-                        }
-                        stage("Build dev image") {
-                            steps {
-                                sh '''
-                                docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
-                                '''
-                            }
-                        }
-                        stage("Unit tests") {
-                            steps {
-                                sh '''
-                                sudo modprobe ip6table_filter
-                                '''
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/test/unit
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/junit-report*.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                        stage("Integration tests") {
-                            environment { TEST_SKIP_INTEGRATION_CLI = '1' }
-                            steps {
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e TESTDEBUG \
-                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
-                                  -e TEST_SKIP_INTEGRATION_CLI \
-                                  -e TIMEOUT \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/make.sh \
-                                    dynbinary \
-                                    test-integration
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                    }
-
-                    post {
-                        always {
-                            sh '''
-                            echo "Ensuring container killed."
-                            docker rm -vf docker-pr$BUILD_NUMBER || true
-                            '''
-
-                            sh '''
-                            echo "Chowning /workspace to jenkins user"
-                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
-                            '''
-
-                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
-                                sh '''
-                                bundleName=s390x-integration
-                                echo "Creating ${bundleName}-bundles.tar.gz"
-                                # exclude overlay2 directories
-                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
-                                '''
-
-                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
-                            }
-                        }
-                        cleanup {
-                            sh 'make clean'
-                            deleteDir()
-                        }
-                    }
-                }
-                stage('s390x integration-cli') {
-                    when {
-                        beforeAgent true
-                        // Skip this stage on PRs unless the checkbox is selected
-                        anyOf {
-                            not { changeRequest() }
-                            expression { params.s390x }
-                        }
-                    }
-                    agent { label 's390x-ubuntu-2004' }
-
-                    stages {
-                        stage("Print info") {
-                            steps {
-                                sh 'docker version'
-                                sh 'docker info'
-                                sh '''
-                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
-                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
-                                && bash ${WORKSPACE}/check-config.sh || true
-                                '''
-                            }
-                        }
-                        stage("Build dev image") {
-                            steps {
-                                sh '''
-                                docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
-                                '''
-                            }
-                        }
-                        stage("Integration-cli tests") {
-                            environment { TEST_SKIP_INTEGRATION = '1' }
-                            steps {
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
-                                  -e TEST_SKIP_INTEGRATION \
-                                  -e TIMEOUT \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/make.sh \
-                                    dynbinary \
-                                    test-integration
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                    }
-
-                    post {
-                        always {
-                            sh '''
-                            echo "Ensuring container killed."
-                            docker rm -vf docker-pr$BUILD_NUMBER || true
-                            '''
-
-                            sh '''
-                            echo "Chowning /workspace to jenkins user"
-                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
-                            '''
-
-                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
-                                sh '''
-                                bundleName=s390x-integration-cli
-                                echo "Creating ${bundleName}-bundles.tar.gz"
-                                # exclude overlay2 directories
-                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
-                                '''
-
-                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
-                            }
-                        }
-                        cleanup {
-                            sh 'make clean'
-                            deleteDir()
-                        }
-                    }
-                }
-                stage('ppc64le') {
-                    when {
-                        beforeAgent true
-                        // Skip this stage on PRs unless the checkbox is selected
-                        anyOf {
-                            not { changeRequest() }
-                            expression { params.ppc64le }
-                        }
-                    }
-                    agent { label 'ppc64le-ubuntu-1604' }
-
-                    stages {
-                        stage("Print info") {
-                            steps {
-                                sh 'docker version'
-                                sh 'docker info'
-                                sh '''
-                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
-                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
-                                && bash ${WORKSPACE}/check-config.sh || true
-                                '''
-                            }
-                        }
-                        stage("Build dev image") {
-                            steps {
-                                sh '''
-                                docker buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
-                                '''
-                            }
-                        }
-                        stage("Unit tests") {
-                            steps {
-                                sh '''
-                                sudo modprobe ip6table_filter
-                                '''
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/test/unit
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/junit-report*.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                        stage("Integration tests") {
-                            environment { TEST_SKIP_INTEGRATION_CLI = '1' }
-                            steps {
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e TESTDEBUG \
-                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
-                                  -e TEST_SKIP_INTEGRATION_CLI \
-                                  -e TIMEOUT \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/make.sh \
-                                    dynbinary \
-                                    test-integration
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                    }
-
-                    post {
-                        always {
-                            sh '''
-                            echo "Ensuring container killed."
-                            docker rm -vf docker-pr$BUILD_NUMBER || true
-                            '''
-
-                            sh '''
-                            echo "Chowning /workspace to jenkins user"
-                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
-                            '''
-
-                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
-                                sh '''
-                                bundleName=ppc64le-integration
-                                echo "Creating ${bundleName}-bundles.tar.gz"
-                                # exclude overlay2 directories
-                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
-                                '''
-
-                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
-                            }
-                        }
-                        cleanup {
-                            sh 'make clean'
-                            deleteDir()
-                        }
-                    }
-                }
-                stage('ppc64le integration-cli') {
-                    when {
-                        beforeAgent true
-                        // Skip this stage on PRs unless the checkbox is selected
-                        anyOf {
-                            not { changeRequest() }
-                            expression { params.ppc64le }
-                        }
-                    }
-                    agent { label 'ppc64le-ubuntu-1604' }
-
-                    stages {
-                        stage("Print info") {
-                            steps {
-                                sh 'docker version'
-                                sh 'docker info'
-                                sh '''
-                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
-                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
-                                && bash ${WORKSPACE}/check-config.sh || true
-                                '''
-                            }
-                        }
-                        stage("Build dev image") {
-                            steps {
-                                sh '''
-                                docker buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
-                                '''
-                            }
-                        }
-                        stage("Integration-cli tests") {
-                            environment { TEST_SKIP_INTEGRATION = '1' }
-                            steps {
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
-                                  -e TEST_SKIP_INTEGRATION \
-                                  -e TIMEOUT \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/make.sh \
-                                    dynbinary \
-                                    test-integration
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                    }
-
-                    post {
-                        always {
-                            sh '''
-                            echo "Ensuring container killed."
-                            docker rm -vf docker-pr$BUILD_NUMBER || true
-                            '''
-
-                            sh '''
-                            echo "Chowning /workspace to jenkins user"
-                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
-                            '''
-
-                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
-                                sh '''
-                                bundleName=ppc64le-integration-cli
-                                echo "Creating ${bundleName}-bundles.tar.gz"
-                                # exclude overlay2 directories
-                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
-                                '''
-
-                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
-                            }
-                        }
-                        cleanup {
-                            sh 'make clean'
-                            deleteDir()
-                        }
-                    }
-                }
                 stage('arm64') {
                     when {
                         beforeAgent true
@@ -476,7 +73,7 @@ pipeline {
                         }
                         stage("Build dev image") {
                             steps {
-                                sh 'docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .'
+                                sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
                             }
                         }
                         stage("Unit tests") {

Makefile

@@ -4,14 +4,10 @@ DOCKER ?= docker
 BUILDX ?= $(DOCKER) buildx
 
 # set the graph driver as the current graphdriver if not set
-DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info 2>&1 | grep "Storage Driver" | sed 's/.*: //'))
+DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info -f {{ .Driver }} 2>&1))
 export DOCKER_GRAPHDRIVER
 
-# get OS/Arch of docker engine
-DOCKER_OSARCH := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKER_ENGINE_OSARCH}')
-DOCKERFILE := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKERFILE}')
-
-DOCKER_GITCOMMIT := $(shell git rev-parse --short HEAD || echo unsupported)
+DOCKER_GITCOMMIT := $(shell git rev-parse HEAD)
 export DOCKER_GITCOMMIT
 
 # allow overriding the repository and branch that validation scripts are running
@@ -62,6 +58,7 @@ DOCKER_ENVS := \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
 	-e TEST_INTEGRATION_USE_SNAPSHOTTER \
+	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
 	-e TESTCOVERAGE \
@@ -140,6 +137,7 @@ endif
 DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
 
 DOCKER_BUILD_ARGS += --build-arg=GO_VERSION
+DOCKER_BUILD_ARGS += --build-arg=APT_MIRROR
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_VERSION
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_REPOSITORY
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_VERSION
@@ -148,7 +146,7 @@ ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
 
-BUILD_OPTS := ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS} -f "$(DOCKERFILE)"
+BUILD_OPTS := ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
 BAKE_CMD := $(BUILDX) bake
 

api/server/router/system/system.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package system // import "github.com/docker/docker/api/server/router/system"
 
 import (

api/swagger.yaml

@@ -3011,8 +3011,6 @@ definitions:
             Name: "journald"
           - Type: "Log"
             Name: "json-file"
-          - Type: "Log"
-            Name: "logentries"
           - Type: "Log"
             Name: "splunk"
           - Type: "Log"
@@ -5068,7 +5066,7 @@ definitions:
           Go runtime (`GOOS`).
 
           Currently returned values are "linux" and "windows". A full list of
-          possible values can be found in the [Go documentation](https://golang.org/doc/install/source#environment).
+          possible values can be found in the [Go documentation](https://go.dev/doc/install/source#environment).
         type: "string"
         example: "linux"
       Architecture:
@@ -5076,7 +5074,7 @@ definitions:
           Hardware architecture of the host, as returned by the Go runtime
           (`GOARCH`).
 
-          A full list of possible values can be found in the [Go documentation](https://golang.org/doc/install/source#environment).
+          A full list of possible values can be found in the [Go documentation](https://go.dev/doc/install/source#environment).
         type: "string"
         example: "x86_64"
       NCPU:
@@ -5334,7 +5332,7 @@ definitions:
         type: "array"
         items:
           type: "string"
-        example: ["awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "logentries", "splunk", "syslog"]
+        example: ["awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "splunk", "syslog"]
 
 
   RegistryServiceConfig:
@@ -9896,7 +9894,9 @@ paths:
               Id: "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30"
               Warning: ""
         403:
-          description: "operation not supported for pre-defined networks"
+          description: |
+            Forbidden operation. This happens when trying to create a network named after a pre-defined network,
+            or when trying to create an overlay network on a daemon which is not part of a Swarm cluster.
           schema:
             $ref: "#/definitions/ErrorResponse"
         404:

api/types/filters/parse.go

@@ -98,7 +98,7 @@ func FromJSON(p string) (Args, error) {
 	// Fallback to parsing arguments in the legacy slice format
 	deprecated := map[string][]string{}
 	if legacyErr := json.Unmarshal(raw, &deprecated); legacyErr != nil {
-		return args, invalidFilter{}
+		return args, &invalidFilter{}
 	}
 
 	args.fields = deprecatedArgs(deprecated)
@@ -206,7 +206,7 @@ func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	}
 
 	if len(fieldValues) == 0 {
-		return defaultValue, invalidFilter{key, nil}
+		return defaultValue, &invalidFilter{key, nil}
 	}
 
 	isFalse := fieldValues["0"] || fieldValues["false"]
@@ -216,7 +216,7 @@ func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	invalid := !isFalse && !isTrue
 
 	if conflicting || invalid {
-		return defaultValue, invalidFilter{key, args.Get(key)}
+		return defaultValue, &invalidFilter{key, args.Get(key)}
 	} else if isFalse {
 		return false, nil
 	} else if isTrue {
@@ -224,7 +224,7 @@ func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	}
 
 	// This code shouldn't be reached.
-	return defaultValue, unreachableCode{Filter: key, Value: args.Get(key)}
+	return defaultValue, &unreachableCode{Filter: key, Value: args.Get(key)}
 }
 
 // ExactMatch returns true if the source matches exactly one of the values.
@@ -282,7 +282,7 @@ func (args Args) Contains(field string) bool {
 func (args Args) Validate(accepted map[string]bool) error {
 	for name := range args.fields {
 		if !accepted[name] {
-			return invalidFilter{name, nil}
+			return &invalidFilter{name, nil}
 		}
 	}
 	return nil

api/types/filters/parse_test.go

@@ -3,6 +3,7 @@ package filters // import "github.com/docker/docker/api/types/filters"
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"sort"
 	"testing"
 
@@ -95,15 +96,19 @@ func TestFromJSON(t *testing.T) {
 		if err == nil {
 			t.Fatalf("Expected an error with %v, got nothing", invalid)
 		}
-		var invalidFilterError invalidFilter
+		var invalidFilterError *invalidFilter
 		if !errors.As(err, &invalidFilterError) {
 			t.Fatalf("Expected an invalidFilter error, got %T", err)
 		}
+		wrappedErr := fmt.Errorf("something went wrong: %w", err)
+		if !errors.Is(wrappedErr, err) {
+			t.Errorf("Expected a wrapped error to be detected as invalidFilter")
+		}
 	}
 
 	for expectedArgs, matchers := range valid {
-		for _, json := range matchers {
-			args, err := FromJSON(json)
+		for _, jsonString := range matchers {
+			args, err := FromJSON(jsonString)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -358,9 +363,13 @@ func TestValidate(t *testing.T) {
 	if err == nil {
 		t.Fatal("Expected to return an error, got nil")
 	}
-	var invalidFilterError invalidFilter
+	var invalidFilterError *invalidFilter
 	if !errors.As(err, &invalidFilterError) {
-		t.Fatalf("Expected an invalidFilter error, got %T", err)
+		t.Errorf("Expected an invalidFilter error, got %T", err)
+	}
+	wrappedErr := fmt.Errorf("something went wrong: %w", err)
+	if !errors.Is(wrappedErr, err) {
+		t.Errorf("Expected a wrapped error to be detected as invalidFilter")
 	}
 }
 
@@ -421,7 +430,7 @@ func TestClone(t *testing.T) {
 }
 
 func TestGetBoolOrDefault(t *testing.T) {
-	for _, tC := range []struct {
+	for _, tc := range []struct {
 		name          string
 		args          map[string][]string
 		defValue      bool
@@ -452,7 +461,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 				"dangling": {"potato"},
 			},
 			defValue:      true,
-			expectedErr:   invalidFilter{Filter: "dangling", Value: []string{"potato"}},
+			expectedErr:   &invalidFilter{Filter: "dangling", Value: []string{"potato"}},
 			expectedValue: true,
 		},
 		{
@@ -461,7 +470,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 				"dangling": {"banana", "potato"},
 			},
 			defValue:      true,
-			expectedErr:   invalidFilter{Filter: "dangling", Value: []string{"banana", "potato"}},
+			expectedErr:   &invalidFilter{Filter: "dangling", Value: []string{"banana", "potato"}},
 			expectedValue: true,
 		},
 		{
@@ -470,7 +479,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 				"dangling": {"false", "true"},
 			},
 			defValue:      false,
-			expectedErr:   invalidFilter{Filter: "dangling", Value: []string{"false", "true"}},
+			expectedErr:   &invalidFilter{Filter: "dangling", Value: []string{"false", "true"}},
 			expectedValue: false,
 		},
 		{
@@ -479,7 +488,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 				"dangling": {"false", "true", "1"},
 			},
 			defValue:      true,
-			expectedErr:   invalidFilter{Filter: "dangling", Value: []string{"false", "true", "1"}},
+			expectedErr:   &invalidFilter{Filter: "dangling", Value: []string{"false", "true", "1"}},
 			expectedValue: true,
 		},
 		{
@@ -501,35 +510,38 @@ func TestGetBoolOrDefault(t *testing.T) {
 			expectedValue: false,
 		},
 	} {
-		tC := tC
-		t.Run(tC.name, func(t *testing.T) {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
 			a := NewArgs()
 
-			for key, values := range tC.args {
+			for key, values := range tc.args {
 				for _, value := range values {
 					a.Add(key, value)
 				}
 			}
 
-			value, err := a.GetBoolOrDefault("dangling", tC.defValue)
+			value, err := a.GetBoolOrDefault("dangling", tc.defValue)
 
-			if tC.expectedErr == nil {
+			if tc.expectedErr == nil {
 				assert.Check(t, is.Nil(err))
 			} else {
-				assert.Check(t, is.ErrorType(err, tC.expectedErr))
+				assert.Check(t, is.ErrorType(err, tc.expectedErr))
 
 				// Check if error is the same.
-				expected := tC.expectedErr.(invalidFilter)
-				actual := err.(invalidFilter)
+				expected := tc.expectedErr.(*invalidFilter)
+				actual := err.(*invalidFilter)
 
 				assert.Check(t, is.Equal(expected.Filter, actual.Filter))
 
 				sort.Strings(expected.Value)
 				sort.Strings(actual.Value)
 				assert.Check(t, is.DeepEqual(expected.Value, actual.Value))
+
+				wrappedErr := fmt.Errorf("something went wrong: %w", err)
+				assert.Check(t, errors.Is(wrappedErr, err), "Expected a wrapped error to be detected as invalidFilter")
 			}
 
-			assert.Check(t, is.Equal(tC.expectedValue, value))
+			assert.Check(t, is.Equal(tc.expectedValue, value))
 		})
 	}
 

api/types/versions/compare.go

@@ -16,11 +16,11 @@ func compare(v1, v2 string) int {
 		otherTab = strings.Split(v2, ".")
 	)
 
-	max := len(currTab)
-	if len(otherTab) > max {
-		max = len(otherTab)
+	maxVer := len(currTab)
+	if len(otherTab) > maxVer {
+		maxVer = len(otherTab)
 	}
-	for i := 0; i < max; i++ {
+	for i := 0; i < maxVer; i++ {
 		var currInt, otherInt int
 
 		if len(currTab) > i {

builder/builder-next/adapters/containerimage/pull.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package containerimage
 
 import (

builder/builder-next/adapters/snapshot/layer.go

@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
 }
 
 func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+	s.layerCreateLocker.Lock(key)
+	defer s.layerCreateLocker.Unlock(key)
+
 	diffIDs, err := s.GetDiffIDs(ctx, key)
 	if err != nil {
 		return nil, err

builder/builder-next/adapters/snapshot/snapshot.go

@@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/locker"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	bolt "go.etcd.io/bbolt"
@@ -48,10 +49,11 @@ type checksumCalculator interface {
 type snapshotter struct {
 	opt Opt
 
-	refs map[string]layer.Layer
-	db   *bolt.DB
-	mu   sync.Mutex
-	reg  graphIDRegistrar
+	refs              map[string]layer.Layer
+	db                *bolt.DB
+	mu                sync.Mutex
+	reg               graphIDRegistrar
+	layerCreateLocker *locker.Locker
 }
 
 // NewSnapshotter creates a new snapshotter
@@ -68,10 +70,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager) (snapshot.Snapshotter, lease
 	}
 
 	s := &snapshotter{
-		opt:  opt,
-		db:   db,
-		refs: map[string]layer.Layer{},
-		reg:  reg,
+		opt:               opt,
+		db:                db,
+		refs:              map[string]layer.Layer{},
+		reg:               reg,
+		layerCreateLocker: locker.New(),
 	}
 
 	lm := newLeaseManager(s, prevLM)

builder/builder-next/controller.go

@@ -304,7 +304,7 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 		return nil, errors.Errorf("snapshotter doesn't support differ")
 	}
 
-	leases, err := lm.List(ctx, "labels.\"buildkit/lease.temporary\"")
+	leases, err := lm.List(ctx, `labels."buildkit/lease.temporary"`)
 	if err != nil {
 		return nil, err
 	}

builder/builder-next/worker/gc.go

@@ -2,6 +2,7 @@ package worker
 
 import (
 	"math"
+	"time"
 
 	"github.com/moby/buildkit/client"
 )
@@ -30,12 +31,12 @@ func DefaultGCPolicy(p string, defaultKeepBytes int64) []client.PruneInfo {
 		// if build cache uses more than 512MB delete the most easily reproducible data after it has not been used for 2 days
 		{
 			Filter:       []string{"type==source.local,type==exec.cachemount,type==source.git.checkout"},
-			KeepDuration: 48 * 3600, // 48h
+			KeepDuration: 48 * time.Hour,
 			KeepBytes:    tempCacheKeepBytes,
 		},
 		// remove any data not used for 60 days
 		{
-			KeepDuration: 60 * 24 * 3600, // 60d
+			KeepDuration: 60 * 24 * time.Hour,
 			KeepBytes:    keep,
 		},
 		// keep the unshared build cache under cap

builder/builder-next/worker/worker.go

@@ -50,7 +50,7 @@ import (
 )
 
 func init() {
-	version.Version = "v0.11.7-0.20230525183624-798ad6b0ce9f"
+	version.Version = "v0.11.7+435cb77e369c"
 }
 
 const labelCreatedAt = "buildkit/createdat"

builder/builder.go

@@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 const (
@@ -89,7 +90,7 @@ type ImageCacheBuilder interface {
 type ImageCache interface {
 	// GetCache returns a reference to a cached image whose parent equals `parent`
 	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
-	GetCache(parentID string, cfg *container.Config) (imageID string, err error)
+	GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)
 }
 
 // Image represents a Docker image used by the builder.

builder/dockerfile/copy.go

@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"runtime"
 	"sort"
 	"strings"
 	"time"
@@ -74,7 +73,7 @@ type copier struct {
 	source      builder.Source
 	pathCache   pathCache
 	download    sourceDownloader
-	platform    *ocispec.Platform
+	platform    ocispec.Platform
 	// for cleanup. TODO: having copier.cleanup() is error prone and hard to
 	// follow. Code calling performCopy should manage the lifecycle of its params.
 	// Copier should take override source as input, not imageMount.
@@ -83,19 +82,7 @@ type copier struct {
 }
 
 func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
-	platform := req.builder.platform
-	if platform == nil {
-		// May be nil if not explicitly set in API/dockerfile
-		platform = &ocispec.Platform{}
-	}
-	if platform.OS == "" {
-		// Default to the dispatch requests operating system if not explicit in API/dockerfile
-		platform.OS = req.state.operatingSystem
-	}
-	if platform.OS == "" {
-		// This is a failsafe just in case. Shouldn't be hit.
-		platform.OS = runtime.GOOS
-	}
+	platform := req.builder.getPlatform(req.state)
 
 	return copier{
 		source:      req.source,

builder/dockerfile/copy_test.go

@@ -53,31 +53,31 @@ func TestGetFilenameForDownload(t *testing.T) {
 		expected    string
 	}{
 		{
-			path:     "http://www.example.com/",
+			path:     "https://www.example.com/",
 			expected: "",
 		},
 		{
-			path:     "http://www.example.com/xyz",
+			path:     "https://www.example.com/xyz",
 			expected: "xyz",
 		},
 		{
-			path:     "http://www.example.com/xyz.html",
+			path:     "https://www.example.com/xyz.html",
 			expected: "xyz.html",
 		},
 		{
-			path:     "http://www.example.com/xyz/",
+			path:     "https://www.example.com/xyz/",
 			expected: "",
 		},
 		{
-			path:     "http://www.example.com/xyz/uvw",
+			path:     "https://www.example.com/xyz/uvw",
 			expected: "uvw",
 		},
 		{
-			path:     "http://www.example.com/xyz/uvw.html",
+			path:     "https://www.example.com/xyz/uvw.html",
 			expected: "uvw.html",
 		},
 		{
-			path:     "http://www.example.com/xyz/uvw/",
+			path:     "https://www.example.com/xyz/uvw/",
 			expected: "",
 		},
 		{
@@ -114,23 +114,23 @@ func TestGetFilenameForDownload(t *testing.T) {
 			expected:    "xyz.html",
 		},
 		{
-			disposition: "attachment; filename=\"xyz\"",
+			disposition: `attachment; filename="xyz"`,
 			expected:    "xyz",
 		},
 		{
-			disposition: "attachment; filename=\"xyz.html\"",
+			disposition: `attachment; filename="xyz.html"`,
 			expected:    "xyz.html",
 		},
 		{
-			disposition: "attachment; filename=\"/xyz.html\"",
+			disposition: `attachment; filename="/xyz.html"`,
 			expected:    "xyz.html",
 		},
 		{
-			disposition: "attachment; filename=\"/xyz/uvw\"",
+			disposition: `attachment; filename="/xyz/uvw"`,
 			expected:    "uvw",
 		},
 		{
-			disposition: "attachment; filename=\"Naïve file.txt\"",
+			disposition: `attachment; filename="Naïve file.txt"`,
 			expected:    "Naïve file.txt",
 		},
 	}

builder/dockerfile/copy_windows.go

@@ -15,8 +15,8 @@ import (
 )
 
 var pathDenyList = map[string]bool{
-	"c:\\":        true,
-	"c:\\windows": true,
+	`c:\`:        true,
+	`c:\windows`: true,
 }
 
 func init() {

builder/dockerfile/dispatchers.go

@@ -349,9 +349,16 @@ func dispatchRun(ctx context.Context, d dispatchRequest, c *instructions.RunComm
 		saveCmd = prependEnvOnCmd(d.state.buildArgs, buildArgs, cmdFromArgs)
 	}
 
+	cacheArgsEscaped := argsEscaped
+	// ArgsEscaped is not persisted in the committed image on Windows.
+	// Use the original from previous build steps for cache probing.
+	if d.state.operatingSystem == "windows" {
+		cacheArgsEscaped = stateRunConfig.ArgsEscaped
+	}
+
 	runConfigForCacheProbe := copyRunConfig(stateRunConfig,
 		withCmd(saveCmd),
-		withArgsEscaped(argsEscaped),
+		withArgsEscaped(cacheArgsEscaped),
 		withEntrypointOverride(saveCmd, nil))
 	if hit, err := d.builder.probeCache(d.state, runConfigForCacheProbe); err != nil || hit {
 		return err

builder/dockerfile/imageprobe.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/builder"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
 
@@ -12,7 +13,7 @@ import (
 // cache.
 type ImageProber interface {
 	Reset(ctx context.Context) error
-	Probe(parentID string, runConfig *container.Config) (string, error)
+	Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)
 }
 
 type resetFunc func(context.Context) (builder.ImageCache, error)
@@ -51,11 +52,11 @@ func (c *imageProber) Reset(ctx context.Context) error {
 
 // Probe checks if cache match can be found for current build instruction.
 // It returns the cachedID if there is a hit, and the empty string on miss
-func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
+func (c *imageProber) Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error) {
 	if c.cacheBusted {
 		return "", nil
 	}
-	cacheID, err := c.cache.GetCache(parentID, runConfig)
+	cacheID, err := c.cache.GetCache(parentID, runConfig, platform)
 	if err != nil {
 		return "", err
 	}
@@ -74,6 +75,6 @@ func (c *nopProber) Reset(ctx context.Context) error {
 	return nil
 }
 
-func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
+func (c *nopProber) Probe(_ string, _ *container.Config, _ ocispec.Platform) (string, error) {
 	return "", nil
 }

builder/dockerfile/internals.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/containerd/containerd/platforms"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
@@ -328,7 +329,7 @@ func getShell(c *container.Config, os string) []string {
 }
 
 func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
-	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
+	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig, b.getPlatform(dispatchState))
 	if cachedID == "" || err != nil {
 		return false, err
 	}
@@ -388,3 +389,17 @@ func hostConfigFromOptions(options *types.ImageBuildOptions) *container.HostConf
 	}
 	return hc
 }
+
+func (b *Builder) getPlatform(state *dispatchState) ocispec.Platform {
+	// May be nil if not explicitly set in API/dockerfile
+	out := platforms.DefaultSpec()
+	if b.platform != nil {
+		out = *b.platform
+	}
+
+	if state.operatingSystem != "" {
+		out.OS = state.operatingSystem
+	}
+
+	return out
+}

builder/dockerfile/mockbackend_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // MockBackend implements the builder.Backend interface for unit testing
@@ -111,7 +112,7 @@ type mockImageCache struct {
 	getCacheFunc func(parentID string, cfg *container.Config) (string, error)
 }
 
-func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
+func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config, _ ocispec.Platform) (string, error) {
 	if mic.getCacheFunc != nil {
 		return mic.getCacheFunc(parentID, cfg)
 	}

builder/remotecontext/detect.go

@@ -14,9 +14,9 @@ import (
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/containerfs"
-	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 	"github.com/moby/patternmatcher"
+	"github.com/moby/patternmatcher/ignorefile"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -123,10 +123,10 @@ func removeDockerfile(c modifiableContext, filesToRemove ...string) error {
 	case err != nil:
 		return err
 	}
-	excludes, err := dockerignore.ReadAll(f)
+	excludes, err := ignorefile.ReadAll(f)
 	if err != nil {
 		f.Close()
-		return err
+		return errors.Wrap(err, "error reading .dockerignore")
 	}
 	f.Close()
 	filesToRemove = append([]string{".dockerignore"}, filesToRemove...)

cli/debug/debug_test.go

@@ -14,20 +14,20 @@ func TestEnable(t *testing.T) {
 	}()
 	Enable()
 	if os.Getenv("DEBUG") != "1" {
-		t.Fatalf("expected DEBUG=1, got %s\n", os.Getenv("DEBUG"))
+		t.Fatalf("expected DEBUG=1, got %s", os.Getenv("DEBUG"))
 	}
 	if logrus.GetLevel() != logrus.DebugLevel {
-		t.Fatalf("expected log level %v, got %v\n", logrus.DebugLevel, logrus.GetLevel())
+		t.Fatalf("expected log level %v, got %v", logrus.DebugLevel, logrus.GetLevel())
 	}
 }
 
 func TestDisable(t *testing.T) {
 	Disable()
 	if os.Getenv("DEBUG") != "" {
-		t.Fatalf("expected DEBUG=\"\", got %s\n", os.Getenv("DEBUG"))
+		t.Fatalf(`expected DEBUG="", got %s`, os.Getenv("DEBUG"))
 	}
 	if logrus.GetLevel() != logrus.InfoLevel {
-		t.Fatalf("expected log level %v, got %v\n", logrus.InfoLevel, logrus.GetLevel())
+		t.Fatalf("expected log level %v, got %v", logrus.InfoLevel, logrus.GetLevel())
 	}
 }
 

client/client.go

@@ -56,6 +56,36 @@ import (
 	"github.com/pkg/errors"
 )
 
+// DummyHost is a hostname used for local communication.
+//
+// It acts as a valid formatted hostname for local connections (such as "unix://"
+// or "npipe://") which do not require a hostname. It should never be resolved,
+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
+// and [RFC 6761, Section 6.3]).
+//
+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
+// cases:
+//
+//	If the authority component is missing or undefined for the target URI,
+//	then a client MUST send a Host header field with an empty field-value.
+//
+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
+// allow an empty header to be used, and requires req.URL.Scheme to be either
+// "http" or "https".
+//
+// For further details, refer to:
+//
+//   - https://github.com/docker/engine-api/issues/189
+//   - https://github.com/golang/go/issues/13624
+//   - https://github.com/golang/go/issues/61076
+//   - https://github.com/moby/moby/issues/45935
+//
+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
+const DummyHost = "api.moby.localhost"
+
 // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
 var ErrRedirect = errors.New("unexpected redirect in response")
 

client/container_wait.go

@@ -66,8 +66,12 @@ func (cli *Client) ContainerWait(ctx context.Context, containerID string, condit
 			//
 			// If there's a JSON parsing error, read the real error message
 			// off the body and send it to the client.
-			_, _ = io.ReadAll(io.LimitReader(stream, containerWaitErrorMsgLimit))
-			errC <- errors.New(responseText.String())
+			if errors.As(err, new(*json.SyntaxError)) {
+				_, _ = io.ReadAll(io.LimitReader(stream, containerWaitErrorMsgLimit))
+				errC <- errors.New(responseText.String())
+			} else {
+				errC <- err
+			}
 			return
 		}
 

client/container_wait_test.go

@@ -9,11 +9,14 @@ import (
 	"log"
 	"net/http"
 	"strings"
+	"syscall"
 	"testing"
+	"testing/iotest"
 	"time"
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
 )
 
 func TestContainerWaitError(t *testing.T) {
@@ -117,6 +120,46 @@ func TestContainerWaitProxyInterruptLong(t *testing.T) {
 	}
 }
 
+func TestContainerWaitErrorHandling(t *testing.T) {
+	for _, test := range []struct {
+		name string
+		rdr  io.Reader
+		exp  error
+	}{
+		{name: "invalid json", rdr: strings.NewReader(`{]`), exp: errors.New("{]")},
+		{name: "context canceled", rdr: iotest.ErrReader(context.Canceled), exp: context.Canceled},
+		{name: "context deadline exceeded", rdr: iotest.ErrReader(context.DeadlineExceeded), exp: context.DeadlineExceeded},
+		{name: "connection reset", rdr: iotest.ErrReader(syscall.ECONNRESET), exp: syscall.ECONNRESET},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			client := &Client{
+				version: "1.30",
+				client: newMockClient(func(req *http.Request) (*http.Response, error) {
+					return &http.Response{
+						StatusCode: http.StatusOK,
+						Body:       io.NopCloser(test.rdr),
+					}, nil
+				}),
+			}
+			resultC, errC := client.ContainerWait(ctx, "container_id", "")
+			select {
+			case err := <-errC:
+				if err.Error() != test.exp.Error() {
+					t.Fatalf("ContainerWait() errC = %v; want %v", err, test.exp)
+				}
+				return
+			case result := <-resultC:
+				t.Fatalf("expected to not get a wait result, got %d", result.StatusCode)
+				return
+			}
+			// Unexpected - we should not reach this line
+		})
+	}
+}
+
 func ExampleClient_ContainerWait_withTimeout() {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()

client/hijack.go

@@ -23,14 +23,10 @@ func (cli *Client) postHijacked(ctx context.Context, path string, query url.Valu
 	if err != nil {
 		return types.HijackedResponse{}, err
 	}
-
-	apiPath := cli.getAPIPath(ctx, path, query)
-	req, err := http.NewRequest(http.MethodPost, apiPath, bodyEncoded)
+	req, err := cli.buildRequest(http.MethodPost, cli.getAPIPath(ctx, path, query), bodyEncoded, headers)
 	if err != nil {
 		return types.HijackedResponse{}, err
 	}
-	req = cli.addHeaders(req, headers)
-
 	conn, mediaType, err := cli.setupHijackConn(ctx, req, "tcp")
 	if err != nil {
 		return types.HijackedResponse{}, err
@@ -64,7 +60,6 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
 }
 
 func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
-	req.Host = cli.addr
 	req.Header.Set("Connection", "Upgrade")
 	req.Header.Set("Upgrade", proto)
 
@@ -80,8 +75,8 @@ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto
 	// state. Setting TCP KeepAlive on the socket connection will prohibit
 	// ECONNTIMEOUT unless the socket connection truly is broken
 	if tcpConn, ok := conn.(*net.TCPConn); ok {
-		tcpConn.SetKeepAlive(true)
-		tcpConn.SetKeepAlivePeriod(30 * time.Second)
+		_ = tcpConn.SetKeepAlive(true)
+		_ = tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}
 
 	clientconn := httputil.NewClientConn(conn, nil)
@@ -96,7 +91,7 @@ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto
 			return nil, "", err
 		}
 		if resp.StatusCode != http.StatusSwitchingProtocols {
-			resp.Body.Close()
+			_ = resp.Body.Close()
 			return nil, "", fmt.Errorf("unable to upgrade to %s, received %d", proto, resp.StatusCode)
 		}
 	}

client/image_tag_test.go

@@ -10,6 +10,9 @@ import (
 	"testing"
 
 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/testutil"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestImageTagError(t *testing.T) {
@@ -36,15 +39,52 @@ func TestImageTagInvalidReference(t *testing.T) {
 	}
 }
 
+// Ensure we don't allow the use of invalid repository names or tags; these tag operations should fail.
 func TestImageTagInvalidSourceImageName(t *testing.T) {
+	ctx := context.Background()
+
 	client := &Client{
-		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+		client: newMockClient(errorMock(http.StatusInternalServerError, "client should not have made an API call")),
 	}
 
-	err := client.ImageTag(context.Background(), "invalid_source_image_name_", "repo:tag")
-	if err == nil || err.Error() != "Error parsing reference: \"invalid_source_image_name_\" is not a valid repository/tag: invalid reference format" {
-		t.Fatalf("expected Parsing Reference Error, got %v", err)
+	invalidRepos := []string{"fo$z$", "Foo@3cc", "Foo$3", "Foo*3", "Fo^3", "Foo!3", "F)xcz(", "fo%asd", "aa/asdf$$^/aa"}
+	for _, repo := range invalidRepos {
+		repo := repo
+		t.Run("invalidRepo/"+repo, func(t *testing.T) {
+			t.Parallel()
+			err := client.ImageTag(ctx, "busybox", repo)
+			assert.Check(t, is.ErrorContains(err, "not a valid repository/tag"))
+		})
 	}
+
+	longTag := testutil.GenerateRandomAlphaOnlyString(121)
+	invalidTags := []string{"repo:fo$z$", "repo:Foo@3cc", "repo:Foo$3", "repo:Foo*3", "repo:Fo^3", "repo:Foo!3", "repo:%goodbye", "repo:#hashtagit", "repo:F)xcz(", "repo:-foo", "repo:..", longTag}
+	for _, repotag := range invalidTags {
+		repotag := repotag
+		t.Run("invalidTag/"+repotag, func(t *testing.T) {
+			t.Parallel()
+			err := client.ImageTag(ctx, "busybox", repotag)
+			assert.Check(t, is.ErrorContains(err, "not a valid repository/tag"))
+		})
+	}
+
+	t.Run("test repository name begin with '-'", func(t *testing.T) {
+		t.Parallel()
+		err := client.ImageTag(ctx, "busybox:latest", "-busybox:test")
+		assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+	})
+
+	t.Run("test namespace name begin with '-'", func(t *testing.T) {
+		t.Parallel()
+		err := client.ImageTag(ctx, "busybox:latest", "-test/busybox:test")
+		assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+	})
+
+	t.Run("test index name begin with '-'", func(t *testing.T) {
+		t.Parallel()
+		err := client.ImageTag(ctx, "busybox:latest", "-index:5000/busybox:test")
+		assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+	})
 }
 
 func TestImageTagHexSource(t *testing.T) {

client/request.go

@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
 		return nil, err
 	}
 	req = cli.addHeaders(req, headers)
+	req.URL.Scheme = cli.scheme
+	req.URL.Host = cli.addr
 
 	if cli.proto == "unix" || cli.proto == "npipe" {
-		// For local communications, it doesn't matter what the host is. We just
-		// need a valid and meaningful host name. (See #189)
-		req.Host = "docker"
+		// Override host header for non-tcp connections.
+		req.Host = DummyHost
 	}
 
-	req.URL.Host = cli.addr
-	req.URL.Scheme = cli.scheme
-
 	if expectedPayload && req.Header.Get("Content-Type") == "" {
 		req.Header.Set("Content-Type", "text/plain")
 	}

client/request_test.go

@@ -28,24 +28,24 @@ func TestSetHostHeader(t *testing.T) {
 		expectedURLHost string
 	}{
 		{
-			"unix:///var/run/docker.sock",
-			"docker",
-			"/var/run/docker.sock",
+			host:            "unix:///var/run/docker.sock",
+			expectedHost:    DummyHost,
+			expectedURLHost: "/var/run/docker.sock",
 		},
 		{
-			"npipe:////./pipe/docker_engine",
-			"docker",
-			"//./pipe/docker_engine",
+			host:            "npipe:////./pipe/docker_engine",
+			expectedHost:    DummyHost,
+			expectedURLHost: "//./pipe/docker_engine",
 		},
 		{
-			"tcp://0.0.0.0:4243",
-			"",
-			"0.0.0.0:4243",
+			host:            "tcp://0.0.0.0:4243",
+			expectedHost:    "",
+			expectedURLHost: "0.0.0.0:4243",
 		},
 		{
-			"tcp://localhost:4243",
-			"",
-			"localhost:4243",
+			host:            "tcp://localhost:4243",
+			expectedHost:    "",
+			expectedURLHost: "localhost:4243",
 		},
 	}
 

cmd/dockerd/service_windows.go

@@ -7,7 +7,6 @@ import (
 	"io"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"time"
 
@@ -145,16 +144,8 @@ func (h *etwHook) Fire(e *logrus.Entry) error {
 	return windows.ReportEvent(h.log.Handle, etype, 0, eid, 0, count, 0, &ss[0], nil)
 }
 
-func getServicePath() (string, error) {
-	p, err := exec.LookPath(os.Args[0])
-	if err != nil {
-		return "", err
-	}
-	return filepath.Abs(p)
-}
-
 func registerService() error {
-	p, err := getServicePath()
+	p, err := os.Executable()
 	if err != nil {
 		return err
 	}

contrib/check-config.sh

@@ -218,7 +218,7 @@ check_flags \
 	CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG \
 	KEYS \
 	VETH BRIDGE BRIDGE_NETFILTER \
-	IP_NF_FILTER IP_NF_TARGET_MASQUERADE \
+	IP_NF_FILTER IP_NF_MANGLE IP_NF_TARGET_MASQUERADE \
 	NETFILTER_XT_MATCH_ADDRTYPE \
 	NETFILTER_XT_MATCH_CONNTRACK \
 	NETFILTER_XT_MATCH_IPVS \

contrib/dockerd-rootless-setuptool.sh

@@ -37,6 +37,8 @@ BIN=""
 SYSTEMD=""
 CFG_DIR=""
 XDG_RUNTIME_DIR_CREATED=""
+USERNAME=""
+USERNAME_ESCAPED=""
 
 # run checks and also initialize global vars
 init() {
@@ -78,6 +80,11 @@ init() {
 		exit 1
 	fi
 
+	# Set USERNAME from `id -un` and potentially protect backslash
+	# for windbind/samba domain users
+	USERNAME=$(id -un)
+	USERNAME_ESCAPED=$(echo $USERNAME | sed 's/\\/\\\\/g')
+
 	# set CFG_DIR
 	CFG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}"
 
@@ -222,21 +229,21 @@ init() {
 	fi
 
 	# instructions: validate subuid/subgid files for current user
-	if ! grep -q "^$(id -un):\|^$(id -u):" /etc/subuid 2> /dev/null; then
+	if ! grep -q "^$USERNAME_ESCAPED:\|^$(id -u):" /etc/subuid 2> /dev/null; then
 		instructions=$(
 			cat <<- EOI
 				${instructions}
-				# Add subuid entry for $(id -un)
-				echo "$(id -un):100000:65536" >> /etc/subuid
+				# Add subuid entry for ${USERNAME}
+				echo "${USERNAME}:100000:65536" >> /etc/subuid
 			EOI
 		)
 	fi
-	if ! grep -q "^$(id -un):\|^$(id -u):" /etc/subgid 2> /dev/null; then
+	if ! grep -q "^$USERNAME_ESCAPED:\|^$(id -u):" /etc/subgid 2> /dev/null; then
 		instructions=$(
 			cat <<- EOI
 				${instructions}
-				# Add subgid entry for $(id -un)
-				echo "$(id -un):100000:65536" >> /etc/subgid
+				# Add subgid entry for ${USERNAME}
+				echo "${USERNAME}:100000:65536" >> /etc/subgid
 			EOI
 		)
 	fi
@@ -340,7 +347,7 @@ install_systemd() {
 	)
 	INFO "Installed ${SYSTEMD_UNIT} successfully."
 	INFO "To control ${SYSTEMD_UNIT}, run: \`systemctl --user (start|stop|restart) ${SYSTEMD_UNIT}\`"
-	INFO "To run ${SYSTEMD_UNIT} on system startup, run: \`sudo loginctl enable-linger $(id -un)\`"
+	INFO "To run ${SYSTEMD_UNIT} on system startup, run: \`sudo loginctl enable-linger ${USERNAME}\`"
 	echo
 }
 

contrib/init/sysvinit-debian/docker

@@ -44,14 +44,6 @@ if [ ! -x $DOCKERD ]; then
 	exit 1
 fi
 
-check_init() {
-	# see also init_is_upstart in /lib/lsb/init-functions (which isn't available in Ubuntu 12.04, or we'd use it directly)
-	if [ -x /sbin/initctl ] && /sbin/initctl version 2> /dev/null | grep -q upstart; then
-		log_failure_msg "$DOCKER_DESC is managed via upstart, try using service $BASE $1"
-		exit 1
-	fi
-}
-
 fail_unless_root() {
 	if [ "$(id -u)" != '0' ]; then
 		log_failure_msg "$DOCKER_DESC must be run as root"
@@ -59,37 +51,10 @@ fail_unless_root() {
 	fi
 }
 
-cgroupfs_mount() {
-	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
-	if grep -v '^#' /etc/fstab | grep -q cgroup \
-		|| [ ! -e /proc/cgroups ] \
-		|| [ ! -d /sys/fs/cgroup ]; then
-		return
-	fi
-	if ! mountpoint -q /sys/fs/cgroup; then
-		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
-	fi
-	(
-		cd /sys/fs/cgroup
-		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
-			mkdir -p $sys
-			if ! mountpoint -q $sys; then
-				if ! mount -n -t cgroup -o $sys cgroup $sys; then
-					rmdir $sys || true
-				fi
-			fi
-		done
-	)
-}
-
 case "$1" in
 	start)
-		check_init
-
 		fail_unless_root
 
-		cgroupfs_mount
-
 		touch "$DOCKER_LOGFILE"
 		chgrp docker "$DOCKER_LOGFILE"
 
@@ -117,7 +82,6 @@ case "$1" in
 		;;
 
 	stop)
-		check_init
 		fail_unless_root
 		if [ -f "$DOCKER_SSD_PIDFILE" ]; then
 			log_begin_msg "Stopping $DOCKER_DESC: $BASE"
@@ -129,7 +93,6 @@ case "$1" in
 		;;
 
 	restart)
-		check_init
 		fail_unless_root
 		docker_pid=$(cat "$DOCKER_SSD_PIDFILE" 2> /dev/null || true)
 		[ -n "$docker_pid" ] \
@@ -139,13 +102,11 @@ case "$1" in
 		;;
 
 	force-reload)
-		check_init
 		fail_unless_root
 		$0 restart
 		;;
 
 	status)
-		check_init
 		status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DOCKERD" "$DOCKER_DESC"
 		;;
 

contrib/init/sysvinit-debian/docker.default

@@ -1,4 +1,4 @@
-# Docker Upstart and SysVinit configuration file
+# Docker SysVinit configuration file
 
 #
 # THIS FILE DOES NOT APPLY TO SYSTEMD

contrib/init/upstart/docker.conf

@@ -1,72 +0,0 @@
-description "Docker daemon"
-
-start on (filesystem and net-device-up IFACE!=lo)
-stop on runlevel [!2345]
-
-limit nofile 524288 1048576
-
-# Having non-zero limits causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-limit nproc unlimited unlimited
-
-respawn
-
-kill timeout 20
-
-pre-start script
-	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
-	if grep -v '^#' /etc/fstab | grep -q cgroup \
-		|| [ ! -e /proc/cgroups ] \
-		|| [ ! -d /sys/fs/cgroup ]; then
-		exit 0
-	fi
-	if ! mountpoint -q /sys/fs/cgroup; then
-		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
-	fi
-	(
-		cd /sys/fs/cgroup
-		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
-			mkdir -p $sys
-			if ! mountpoint -q $sys; then
-				if ! mount -n -t cgroup -o $sys cgroup $sys; then
-					rmdir $sys || true
-				fi
-			fi
-		done
-	)
-end script
-
-script
-	# modify these in /etc/default/$UPSTART_JOB (/etc/default/docker)
-	DOCKERD=/usr/bin/dockerd
-	DOCKER_OPTS=
-	if [ -f /etc/default/$UPSTART_JOB ]; then
-		. /etc/default/$UPSTART_JOB
-	fi
-	exec "$DOCKERD" $DOCKER_OPTS --raw-logs
-end script
-
-# Don't emit "started" event until docker.sock is ready.
-# See https://github.com/docker/docker/issues/6647
-post-start script
-	DOCKER_OPTS=
-	DOCKER_SOCKET=
-	if [ -f /etc/default/$UPSTART_JOB ]; then
-		. /etc/default/$UPSTART_JOB
-	fi
-
-	if ! printf "%s" "$DOCKER_OPTS" | grep -qE -e '-H|--host'; then
-		DOCKER_SOCKET=/var/run/docker.sock
-	else
-		DOCKER_SOCKET=$(printf "%s" "$DOCKER_OPTS" | grep -oP -e '(-H|--host)\W*unix://\K(\S+)' | sed 1q)
-	fi
-
-	if [ -n "$DOCKER_SOCKET" ]; then
-		while ! [ -e "$DOCKER_SOCKET" ]; do
-			initctl status $UPSTART_JOB | grep -qE "(stop|respawn)/" && exit 1
-			echo "Waiting for $DOCKER_SOCKET"
-			sleep 0.1
-		done
-		echo "$DOCKER_SOCKET is up"
-	fi
-end script

daemon/cluster/cluster.go

@@ -140,7 +140,7 @@ type attacher struct {
 // New creates a new Cluster instance using provided config.
 func New(config Config) (*Cluster, error) {
 	root := filepath.Join(config.Root, swarmDirName)
-	if err := os.MkdirAll(root, 0700); err != nil {
+	if err := os.MkdirAll(root, 0o700); err != nil {
 		return nil, err
 	}
 	if config.RuntimeRoot == "" {
@@ -154,7 +154,7 @@ func New(config Config) (*Cluster, error) {
 		config.RaftElectionTick = 10 * config.RaftHeartbeatTick
 	}
 
-	if err := os.MkdirAll(config.RuntimeRoot, 0700); err != nil {
+	if err := os.MkdirAll(config.RuntimeRoot, 0o700); err != nil {
 		return nil, err
 	}
 	c := &Cluster{
@@ -359,7 +359,7 @@ func (c *Cluster) errNoManager(st nodeState) error {
 		if st.err == errSwarmCertificatesExpired {
 			return errSwarmCertificatesExpired
 		}
-		return errors.WithStack(notAvailableError("This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."))
+		return errors.WithStack(notAvailableError(`This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.`))
 	}
 	if st.swarmNode.Manager() != nil {
 		return errors.WithStack(notAvailableError("This node is not a swarm manager. Manager is being prepared or has trouble connecting to the cluster."))

daemon/cluster/controllers/plugin/controller.go

@@ -65,7 +65,8 @@ func NewController(backend Backend, t *api.Task) (*Controller, error) {
 			"controller": "plugin",
 			"task":       t.ID,
 			"plugin":     spec.Name,
-		})}, nil
+		}),
+	}, nil
 }
 
 func readSpec(t *api.Task) (runtime.PluginSpec, error) {

daemon/cluster/convert/network.go

@@ -118,7 +118,8 @@ func endpointFromGRPC(e *swarmapi.Endpoint) types.Endpoint {
 		for _, v := range e.VirtualIPs {
 			endpoint.VirtualIPs = append(endpoint.VirtualIPs, types.EndpointVirtualIP{
 				NetworkID: v.NetworkID,
-				Addr:      v.Addr})
+				Addr:      v.Addr,
+			})
 		}
 	}
 

daemon/cluster/convert/node_test.go

@@ -15,12 +15,12 @@ func TestNodeCSIInfoFromGRPC(t *testing.T) {
 		ID: "someID",
 		Description: &swarmapi.NodeDescription{
 			CSIInfo: []*swarmapi.NodeCSIInfo{
-				&swarmapi.NodeCSIInfo{
+				{
 					PluginName:        "plugin1",
 					NodeID:            "p1n1",
 					MaxVolumesPerNode: 1,
 				},
-				&swarmapi.NodeCSIInfo{
+				{
 					PluginName:        "plugin2",
 					NodeID:            "p2n1",
 					MaxVolumesPerNode: 2,

daemon/cluster/errors.go

@@ -5,13 +5,13 @@ const (
 	errNoSwarm notAvailableError = "This node is not part of a swarm"
 
 	// errSwarmExists is returned on initialize or join request for a cluster that has already been activated
-	errSwarmExists notAvailableError = "This node is already part of a swarm. Use \"docker swarm leave\" to leave this swarm and join another one."
+	errSwarmExists notAvailableError = `This node is already part of a swarm. Use "docker swarm leave" to leave this swarm and join another one.`
 
 	// errSwarmJoinTimeoutReached is returned when cluster join could not complete before timeout was reached.
-	errSwarmJoinTimeoutReached notAvailableError = "Timeout was reached before node joined. The attempt to join the swarm will continue in the background. Use the \"docker info\" command to see the current swarm status of your node."
+	errSwarmJoinTimeoutReached notAvailableError = `Timeout was reached before node joined. The attempt to join the swarm will continue in the background. Use the "docker info" command to see the current swarm status of your node.`
 
 	// errSwarmLocked is returned if the swarm is encrypted and needs a key to unlock it.
-	errSwarmLocked notAvailableError = "Swarm is encrypted and needs to be unlocked before it can be used. Please use \"docker swarm unlock\" to unlock it."
+	errSwarmLocked notAvailableError = `Swarm is encrypted and needs to be unlocked before it can be used. Please use "docker swarm unlock" to unlock it.`
 
 	// errSwarmCertificatesExpired is returned if docker was not started for the whole validity period and they had no chance to renew automatically.
 	errSwarmCertificatesExpired notAvailableError = "Swarm certificates have expired. To replace them, leave the swarm and join again."

daemon/cluster/executor/container/adapter.go

@@ -412,7 +412,7 @@ func (c *containerAdapter) wait(ctx context.Context) (<-chan containerpkg.StateS
 }
 
 func (c *containerAdapter) shutdown(ctx context.Context) error {
-	var options = containertypes.StopOptions{}
+	options := containertypes.StopOptions{}
 	// Default stop grace period to nil (daemon will use the stopTimeout of the container)
 	if spec := c.container.spec(); spec.StopGracePeriod != nil {
 		timeout := int(spec.StopGracePeriod.Seconds)

daemon/cluster/executor/container/adapter_test.go

@@ -1,9 +1,8 @@
 package container // import "github.com/docker/docker/daemon/cluster/executor/container"
 
 import (
-	"testing"
-
 	"context"
+	"testing"
 	"time"
 
 	"github.com/docker/docker/daemon"

daemon/cluster/listen_addr.go

@@ -142,6 +142,7 @@ func getDataPathPort(portNum uint32) (uint32, error) {
 	}
 	return portNum, nil
 }
+
 func resolveDataPathAddr(dataPathAddr string) (string, error) {
 	if dataPathAddr == "" {
 		// dataPathAddr is not defined

daemon/cluster/services.go

@@ -456,7 +456,7 @@ func (c *Cluster) ServiceLogs(ctx context.Context, selector *backend.LogSelector
 	} else {
 		t, err := strconv.Atoi(config.Tail)
 		if err != nil {
-			return nil, errors.New("tail value must be a positive integer or \"all\"")
+			return nil, errors.New(`tail value must be a positive integer or "all"`)
 		}
 		if t < 0 {
 			return nil, errors.New("negative tail values not supported")

daemon/cluster/utils.go

@@ -32,7 +32,7 @@ func savePersistentState(root string, config nodeStartConfig) error {
 	if err != nil {
 		return err
 	}
-	return ioutils.AtomicWriteFile(filepath.Join(root, stateFile), dt, 0600)
+	return ioutils.AtomicWriteFile(filepath.Join(root, stateFile), dt, 0o600)
 }
 
 func clearPersistentState(root string) error {

daemon/container_operations.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
@@ -744,6 +747,12 @@ func (daemon *Daemon) connectToNetwork(container *container.Container, idOrName
 		return nil
 	}
 
+	if idOrName != container.HostConfig.NetworkMode.NetworkName() {
+		if err := daemon.normalizeNetMode(container); err != nil {
+			return err
+		}
+	}
+
 	var operIPAM bool
 	if config != nil {
 		if epConfig, ok := config.EndpointsConfig[n.Name()]; ok {
@@ -946,6 +955,25 @@ func (daemon *Daemon) tryDetachContainerFromClusterNetwork(network libnetwork.Ne
 	daemon.LogNetworkEventWithAttributes(network, "disconnect", attributes)
 }
 
+// normalizeNetMode checks whether the network mode references a network by a partial ID. In that case, it replaces the
+// partial ID with the full network ID.
+// TODO(aker): transform ID into name when the referenced network is one of the predefined.
+func (daemon *Daemon) normalizeNetMode(container *container.Container) error {
+	if container.HostConfig.NetworkMode.IsUserDefined() {
+		netMode := container.HostConfig.NetworkMode.NetworkName()
+		nw, err := daemon.FindNetwork(netMode)
+		if err != nil {
+			return fmt.Errorf("could not find a network matching network mode %s: %w", netMode, err)
+		}
+
+		if netMode != nw.ID() && netMode != nw.Name() {
+			container.HostConfig.NetworkMode = containertypes.NetworkMode(nw.ID())
+		}
+	}
+
+	return nil
+}
+
 func (daemon *Daemon) initializeNetworking(container *container.Container) error {
 	var err error
 
@@ -1002,10 +1030,17 @@ func (daemon *Daemon) getNetworkedContainer(containerID, connectedContainerID st
 
 func (daemon *Daemon) releaseNetwork(container *container.Container) {
 	start := time.Now()
+	// If live-restore is enabled, the daemon cleans up dead containers when it starts up. In that case, the
+	// netController hasn't been initialized yet and so we can't proceed.
+	// TODO(aker): If we hit this case, the endpoint state won't be cleaned up (ie. no call to cleanOperationalData).
 	if daemon.netController == nil {
 		return
 	}
-	if container.HostConfig.NetworkMode.IsContainer() || container.Config.NetworkDisabled {
+	// If the container uses the network namespace of another container, it doesn't own it -- nothing to do here.
+	if container.HostConfig.NetworkMode.IsContainer() {
+		return
+	}
+	if container.NetworkSettings == nil {
 		return
 	}
 

daemon/containerd/cache.go

@@ -8,7 +8,9 @@ import (
 	"github.com/docker/docker/api/types/container"
 	imagetype "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/builder"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // MakeImageCache creates a stateful image cache.
@@ -29,7 +31,7 @@ type imageCache struct {
 	c      *ImageService
 }
 
-func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID string, err error) {
+func (ic *imageCache) GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error) {
 	ctx := context.TODO()
 
 	if parentID == "" {
@@ -37,8 +39,11 @@ func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID
 		return "", nil
 	}
 
-	parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{})
+	parent, err := ic.c.GetImage(ctx, parentID, imagetype.GetImageOpts{Platform: &platform})
 	if err != nil {
+		if errdefs.IsNotFound(err) {
+			return "", nil
+		}
 		return "", err
 	}
 
@@ -54,8 +59,11 @@ func (ic *imageCache) GetCache(parentID string, cfg *container.Config) (imageID
 	}
 
 	for _, children := range children {
-		childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{})
+		childImage, err := ic.c.GetImage(ctx, children.String(), imagetype.GetImageOpts{Platform: &platform})
 		if err != nil {
+			if errdefs.IsNotFound(err) {
+				continue
+			}
 			return "", err
 		}
 

daemon/containerd/image.go

@@ -48,11 +48,25 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options ima
 	err = i.walkImageManifests(ctx, desc, func(img *ImageManifest) error {
 		conf, err := img.Config(ctx)
 		if err != nil {
-			return err
+			if cerrdefs.IsNotFound(err) {
+				logrus.WithFields(logrus.Fields{
+					"manifestDescriptor": img.Target(),
+				}).Debug("manifest was present, but accessing its config failed, ignoring")
+				return nil
+			}
+			return errdefs.System(fmt.Errorf("failed to get config descriptor: %w", err))
 		}
+
 		var ociimage ocispec.Image
 		if err := readConfig(ctx, cs, conf, &ociimage); err != nil {
-			return err
+			if cerrdefs.IsNotFound(err) {
+				logrus.WithFields(logrus.Fields{
+					"manifestDescriptor": img.Target(),
+					"configDescriptor":   conf,
+				}).Debug("manifest present, but its config is missing, ignoring")
+				return nil
+			}
+			return errdefs.System(fmt.Errorf("failed to read config of the manifest %v: %w", img.Target().Digest, err))
 		}
 		presentImages = append(presentImages, ociimage)
 		return nil
@@ -61,7 +75,8 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options ima
 		return nil, err
 	}
 	if len(presentImages) == 0 {
-		return nil, errdefs.NotFound(errors.New("failed to find image manifest"))
+		ref, _ := reference.ParseAnyReference(refOrID)
+		return nil, images.ErrImageDoesNotExist{Ref: ref}
 	}
 
 	sort.SliceStable(presentImages, func(i, j int) bool {
@@ -102,6 +117,7 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options ima
 		OS:           ociimage.OS,
 		Architecture: ociimage.Architecture,
 		Created:      derefTimeSafely(ociimage.Created),
+		Variant:      ociimage.Variant,
 		Config: &containertypes.Config{
 			Entrypoint:   ociimage.Config.Entrypoint,
 			Env:          ociimage.Config.Env,
@@ -130,7 +146,7 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options ima
 			return nil, err
 		}
 
-		// Each image will result in 2 references (named and digested).
+		// Usually each image will result in 2 references (named and digested).
 		refs := make([]reference.Named, 0, len(tagged)*2)
 		for _, i := range tagged {
 			if i.UpdatedAt.After(lastUpdated) {
@@ -155,6 +171,11 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options ima
 			}
 			refs = append(refs, name)
 
+			if _, ok := name.(reference.Digested); ok {
+				// Image name already contains a digest, so no need to create a digested reference.
+				continue
+			}
+
 			digested, err := reference.WithDigest(reference.TrimNamed(name), desc.Target.Digest)
 			if err != nil {
 				// This could only happen if digest is invalid, but considering that
@@ -274,6 +295,24 @@ func (i *ImageService) resolveImage(ctx context.Context, refOrID string) (contai
 			return containerdimages.Image{}, images.ErrImageDoesNotExist{Ref: parsed}
 		}
 
+		// If reference is both Named and Digested, make sure we don't match
+		// images with a different repository even if digest matches.
+		// For example, busybox@sha256:abcdef..., shouldn't match asdf@sha256:abcdef...
+		if parsedNamed, ok := parsed.(reference.Named); ok {
+			for _, img := range imgs {
+				imgNamed, err := reference.ParseNormalizedNamed(img.Name)
+				if err != nil {
+					logrus.WithError(err).WithField("image", img.Name).Warn("image with invalid name encountered")
+					continue
+				}
+
+				if parsedNamed.Name() == imgNamed.Name() {
+					return img, nil
+				}
+			}
+			return containerdimages.Image{}, images.ErrImageDoesNotExist{Ref: parsed}
+		}
+
 		return imgs[0], nil
 	}
 

daemon/containerd/image_builder.go

@@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/api/types/backend"
 	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/internal/compatcontext"
 	registrypkg "github.com/docker/docker/registry"
 
 	// "github.com/docker/docker/api/types/container"
@@ -42,14 +43,14 @@ import (
 // releasableLayer.Release() to prevent leaking of layers.
 func (i *ImageService) GetImageAndReleasableLayer(ctx context.Context, refOrID string, opts backend.GetImageAndLayerOptions) (builder.Image, builder.ROLayer, error) {
 	if refOrID == "" { // from SCRATCH
-		os := runtime.GOOS
+		imgOS := runtime.GOOS
 		if runtime.GOOS == "windows" {
-			os = "linux"
+			imgOS = "linux"
 		}
 		if opts.Platform != nil {
-			os = opts.Platform.OS
+			imgOS = opts.Platform.OS
 		}
-		if !system.IsOSSupported(os) {
+		if !system.IsOSSupported(imgOS) {
 			return nil, nil, system.ErrNotSupportedOperatingSystem
 		}
 		return nil, &rolayer{
@@ -76,12 +77,12 @@ func (i *ImageService) GetImageAndReleasableLayer(ctx context.Context, refOrID s
 				return nil, nil, system.ErrNotSupportedOperatingSystem
 			}
 
-			layer, err := newROLayerForImage(ctx, &imgDesc, i, opts, refOrID, opts.Platform)
+			roLayer, err := newROLayerForImage(ctx, &imgDesc, i, opts.Platform)
 			if err != nil {
 				return nil, nil, err
 			}
 
-			return img, layer, nil
+			return img, roLayer, nil
 		}
 	}
 
@@ -105,12 +106,12 @@ func (i *ImageService) GetImageAndReleasableLayer(ctx context.Context, refOrID s
 		return nil, nil, err
 	}
 
-	layer, err := newROLayerForImage(ctx, imgDesc, i, opts, refOrID, opts.Platform)
+	roLayer, err := newROLayerForImage(ctx, imgDesc, i, opts.Platform)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	return img, layer, nil
+	return img, roLayer, nil
 }
 
 func (i *ImageService) pullForBuilder(ctx context.Context, name string, authConfigs map[string]registry.AuthConfig, output io.Writer, platform *ocispec.Platform) (*ocispec.Descriptor, error) {
@@ -173,7 +174,7 @@ Please notify the image author to correct the configuration.`,
 	return &imgDesc, err
 }
 
-func newROLayerForImage(ctx context.Context, imgDesc *ocispec.Descriptor, i *ImageService, opts backend.GetImageAndLayerOptions, refOrID string, platform *ocispec.Platform) (builder.ROLayer, error) {
+func newROLayerForImage(ctx context.Context, imgDesc *ocispec.Descriptor, i *ImageService, platform *ocispec.Platform) (builder.ROLayer, error) {
 	if imgDesc == nil {
 		return nil, fmt.Errorf("can't make an RO layer for a nil image :'(")
 	}
@@ -390,12 +391,12 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 		return nil, err
 	}
 
-	rootfs := ocispec.RootFS{
+	rootFS := ocispec.RootFS{
 		Type:    imgToCreate.RootFS.Type,
 		DiffIDs: []digest.Digest{},
 	}
 	for _, diffId := range imgToCreate.RootFS.DiffIDs {
-		rootfs.DiffIDs = append(rootfs.DiffIDs, digest.Digest(diffId))
+		rootFS.DiffIDs = append(rootFS.DiffIDs, digest.Digest(diffId))
 	}
 	exposedPorts := make(map[string]struct{}, len(imgToCreate.Config.ExposedPorts))
 	for k, v := range imgToCreate.Config.ExposedPorts {
@@ -436,7 +437,7 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 			Labels:       imgToCreate.Config.Labels,
 			StopSignal:   imgToCreate.Config.StopSignal,
 		},
-		RootFS:  rootfs,
+		RootFS:  rootFS,
 		History: ociHistory,
 	}
 
@@ -472,11 +473,15 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 
 	// necessary to prevent the contents from being GC'd
 	// between writing them here and creating an image
-	ctx, done, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
+	ctx, release, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
 	if err != nil {
 		return nil, err
 	}
-	defer done(ctx)
+	defer func() {
+		if err := release(compatcontext.WithoutCancel(ctx)); err != nil {
+			logrus.WithError(err).Warn("failed to release lease created for create")
+		}
+	}()
 
 	commitManifestDesc, err := writeContentsForImage(ctx, i.snapshotter, i.client.ContentStore(), ociImgToCreate, layers)
 	if err != nil {
@@ -505,9 +510,6 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 		return nil, err
 	}
 
-	newImage := dimage.NewImage(dimage.ID(createdImage.Target.Digest))
-	newImage.V1Image = imgToCreate.V1Image
-	newImage.V1Image.ID = string(createdImage.Target.Digest)
-	newImage.History = imgToCreate.History
+	newImage := dimage.Clone(imgToCreate, dimage.ID(createdImage.Target.Digest))
 	return newImage, nil
 }

daemon/containerd/image_changes.go

@@ -58,15 +58,10 @@ func (i *ImageService) Changes(ctx context.Context, container *container.Contain
 		}
 	}()
 
-	mounts, err := snapshotter.Mounts(ctx, container.ID)
-	if err != nil {
-		return nil, err
-	}
-
 	var changes []archive.Change
-	err = mount.WithReadonlyTempMount(ctx, mounts, func(fs string) error {
-		return mount.WithTempMount(ctx, parent, func(root string) error {
-			changes, err = archive.ChangesDirs(fs, root)
+	err = i.PerformWithBaseFS(ctx, container, func(containerRootfs string) error {
+		return mount.WithReadonlyTempMount(ctx, parent, func(parentRootfs string) error {
+			changes, err = archive.ChangesDirs(containerRootfs, parentRootfs)
 			return err
 		})
 	})

daemon/containerd/image_commit.go

@@ -20,6 +20,8 @@ import (
 	"github.com/containerd/containerd/snapshots"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/image"
+	"github.com/docker/docker/internal/compatcontext"
+	"github.com/docker/docker/pkg/archive"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	"github.com/opencontainers/image-spec/specs-go"
@@ -38,28 +40,27 @@ func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig)
 	container := i.containers.Get(cc.ContainerID)
 	cs := i.client.ContentStore()
 
-	imageManifest, err := getContainerImageManifest(container)
-	if err != nil {
-		return "", err
-	}
+	var parentManifest ocispec.Manifest
+	var parentImage ocispec.Image
 
-	imageManifestBytes, err := content.ReadBlob(ctx, cs, imageManifest)
-	if err != nil {
-		return "", err
-	}
+	// ImageManifest can be nil when committing an image with base FROM scratch
+	if container.ImageManifest != nil {
+		imageManifestBytes, err := content.ReadBlob(ctx, cs, *container.ImageManifest)
+		if err != nil {
+			return "", err
+		}
 
-	var manifest ocispec.Manifest
-	if err := json.Unmarshal(imageManifestBytes, &manifest); err != nil {
-		return "", err
-	}
+		if err := json.Unmarshal(imageManifestBytes, &parentManifest); err != nil {
+			return "", err
+		}
 
-	imageConfigBytes, err := content.ReadBlob(ctx, cs, manifest.Config)
-	if err != nil {
-		return "", err
-	}
-	var ociimage ocispec.Image
-	if err := json.Unmarshal(imageConfigBytes, &ociimage); err != nil {
-		return "", err
+		imageConfigBytes, err := content.ReadBlob(ctx, cs, parentManifest.Config)
+		if err != nil {
+			return "", err
+		}
+		if err := json.Unmarshal(imageConfigBytes, &parentImage); err != nil {
+			return "", err
+		}
 	}
 
 	var (
@@ -68,25 +69,33 @@ func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig)
 	)
 
 	// Don't gc me and clean the dirty data after 1 hour!
-	ctx, done, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
+	ctx, release, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
 	if err != nil {
 		return "", fmt.Errorf("failed to create lease for commit: %w", err)
 	}
-	defer done(ctx)
+	defer func() {
+		if err := release(compatcontext.WithoutCancel(ctx)); err != nil {
+			logrus.WithError(err).Warn("failed to release lease created for commit")
+		}
+	}()
 
 	diffLayerDesc, diffID, err := createDiff(ctx, cc.ContainerID, sn, cs, differ)
 	if err != nil {
 		return "", fmt.Errorf("failed to export layer: %w", err)
 	}
+	imageConfig := generateCommitImageConfig(parentImage, diffID, cc)
 
-	imageConfig := generateCommitImageConfig(ociimage, diffID, cc)
+	layers := parentManifest.Layers
+	if diffLayerDesc != nil {
+		rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()
 
-	rootfsID := identity.ChainID(imageConfig.RootFS.DiffIDs).String()
-	if err := applyDiffLayer(ctx, rootfsID, ociimage, sn, differ, diffLayerDesc); err != nil {
-		return "", fmt.Errorf("failed to apply diff: %w", err)
+		if err := applyDiffLayer(ctx, rootfsID, parentImage, sn, differ, *diffLayerDesc); err != nil {
+			return "", fmt.Errorf("failed to apply diff: %w", err)
+		}
+
+		layers = append(layers, *diffLayerDesc)
 	}
 
-	layers := append(manifest.Layers, diffLayerDesc)
 	commitManifestDesc, err := writeContentsForImage(ctx, container.Driver, cs, imageConfig, layers)
 	if err != nil {
 		return "", err
@@ -130,6 +139,12 @@ func generateCommitImageConfig(baseConfig ocispec.Image, diffID digest.Digest, o
 		logrus.Warnf("assuming os=%q", os)
 	}
 	logrus.Debugf("generateCommitImageConfig(): arch=%q, os=%q", arch, os)
+
+	diffIds := baseConfig.RootFS.DiffIDs
+	if diffID != "" {
+		diffIds = append(diffIds, diffID)
+	}
+
 	return ocispec.Image{
 		Platform: ocispec.Platform{
 			Architecture: arch,
@@ -140,7 +155,7 @@ func generateCommitImageConfig(baseConfig ocispec.Image, diffID digest.Digest, o
 		Config:  containerConfigToOciImageConfig(opts.Config),
 		RootFS: ocispec.RootFS{
 			Type:    "layers",
-			DiffIDs: append(baseConfig.RootFS.DiffIDs, diffID),
+			DiffIDs: diffIds,
 		},
 		History: append(baseConfig.History, ocispec.History{
 			Created:   &createdTime,
@@ -217,28 +232,43 @@ func writeContentsForImage(ctx context.Context, snName string, cs content.Store,
 }
 
 // createDiff creates a layer diff into containerd's content store.
-func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (ocispec.Descriptor, digest.Digest, error) {
+// If the diff is empty it returns nil empty digest and no error.
+func createDiff(ctx context.Context, name string, sn snapshots.Snapshotter, cs content.Store, comparer diff.Comparer) (*ocispec.Descriptor, digest.Digest, error) {
 	newDesc, err := rootfs.CreateDiff(ctx, name, sn, comparer)
 	if err != nil {
-		return ocispec.Descriptor{}, "", err
+		return nil, "", err
+	}
+
+	ra, err := cs.ReaderAt(ctx, newDesc)
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to read diff archive: %w", err)
+	}
+	defer ra.Close()
+
+	empty, err := archive.IsEmpty(content.NewReader(ra))
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to check if archive is empty: %w", err)
+	}
+	if empty {
+		return nil, "", nil
 	}
 
 	info, err := cs.Info(ctx, newDesc.Digest)
 	if err != nil {
-		return ocispec.Descriptor{}, "", err
+		return nil, "", fmt.Errorf("failed to get content info: %w", err)
 	}
 
 	diffIDStr, ok := info.Labels["containerd.io/uncompressed"]
 	if !ok {
-		return ocispec.Descriptor{}, "", fmt.Errorf("invalid differ response with no diffID")
+		return nil, "", fmt.Errorf("invalid differ response with no diffID")
 	}
 
 	diffID, err := digest.Parse(diffIDStr)
 	if err != nil {
-		return ocispec.Descriptor{}, "", err
+		return nil, "", err
 	}
 
-	return ocispec.Descriptor{
+	return &ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageLayerGzip,
 		Digest:    newDesc.Digest,
 		Size:      info.Size,
@@ -254,7 +284,7 @@ func applyDiffLayer(ctx context.Context, name string, baseImg ocispec.Image, sn
 
 	mount, err := sn.Prepare(ctx, key, parent)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to prepare snapshot: %w", err)
 	}
 
 	defer func() {

daemon/containerd/image_exporter.go

@@ -6,10 +6,11 @@ import (
 	"io"
 
 	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/content"
 	cerrdefs "github.com/containerd/containerd/errdefs"
 	containerdimages "github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/images/archive"
-	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/leases"
 	cplatforms "github.com/containerd/containerd/platforms"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/container"
@@ -28,7 +29,13 @@ func (i *ImageService) PerformWithBaseFS(ctx context.Context, c *container.Conta
 	if err != nil {
 		return err
 	}
-	return mount.WithTempMount(ctx, mounts, fn)
+	path, err := i.refCountMounter.Mount(mounts, c.ID)
+	if err != nil {
+		return err
+	}
+	defer i.refCountMounter.Unmount(path)
+
+	return fn(path)
 }
 
 // ExportImage exports a list of images to the given output stream. The
@@ -57,11 +64,17 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea
 		archive.WithPlatform(platform),
 	}
 
-	ctx, release, err := i.client.WithLease(ctx)
+	contentStore := i.client.ContentStore()
+	leasesManager := i.client.LeasesService()
+	lease, err := leasesManager.Create(ctx, leases.WithRandomID())
 	if err != nil {
 		return errdefs.System(err)
 	}
-	defer release(ctx)
+	defer func() {
+		if err := leasesManager.Delete(ctx, lease); err != nil {
+			logrus.WithError(err).Warn("cleaning up lease")
+		}
+	}()
 
 	for _, name := range names {
 		target, err := i.resolveDescriptor(ctx, name)
@@ -69,6 +82,10 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea
 			return err
 		}
 
+		if err = leaseContent(ctx, contentStore, leasesManager, lease, target); err != nil {
+			return err
+		}
+
 		// We may not have locally all the platforms that are specified in the index.
 		// Export only those manifests that we have.
 		// TODO(vvoland): Reconsider this when `--platform` is added.
@@ -100,6 +117,30 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea
 	return i.client.Export(ctx, outStream, opts...)
 }
 
+// leaseContent will add a resource to the lease for each child of the descriptor making sure that it and
+// its children won't be deleted while the lease exists
+func leaseContent(ctx context.Context, store content.Store, leasesManager leases.Manager, lease leases.Lease, desc ocispec.Descriptor) error {
+	return containerdimages.Walk(ctx, containerdimages.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		_, err := store.Info(ctx, desc.Digest)
+		if err != nil {
+			if errors.Is(err, cerrdefs.ErrNotFound) {
+				return nil, nil
+			}
+			return nil, errdefs.System(err)
+		}
+
+		r := leases.Resource{
+			ID:   desc.Digest.String(),
+			Type: "content",
+		}
+		if err := leasesManager.AddResource(ctx, lease, r); err != nil {
+			return nil, errdefs.System(err)
+		}
+
+		return containerdimages.Children(ctx, store, desc)
+	}), desc)
+}
+
 // LoadImage uploads a set of images into the repository. This is the
 // complement of ExportImage.  The input stream is an uncompressed tar
 // ball containing images and metadata.
@@ -110,7 +151,7 @@ func (i *ImageService) LoadImage(ctx context.Context, inTar io.ReadCloser, outSt
 
 		// Create an additional image with dangling name for imported images...
 		containerd.WithDigestRef(danglingImageName),
-		/// ... but only if they don't have a name or it's invalid.
+		// / ... but only if they don't have a name or it's invalid.
 		containerd.WithSkipDigestRef(func(nameFromArchive string) bool {
 			if nameFromArchive == "" {
 				return false

daemon/containerd/image_import.go

@@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/builder/dockerfile"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
+	"github.com/docker/docker/internal/compatcontext"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/pools"
 	"github.com/google/uuid"
@@ -46,7 +47,11 @@ func (i *ImageService) ImportImage(ctx context.Context, ref reference.Named, pla
 	if err != nil {
 		return "", errdefs.System(err)
 	}
-	defer release(ctx)
+	defer func() {
+		if err := release(compatcontext.WithoutCancel(ctx)); err != nil {
+			logger.WithError(err).Warn("failed to release lease created for import")
+		}
+	}()
 
 	if platform == nil {
 		def := platforms.DefaultSpec()
@@ -255,9 +260,9 @@ func compressAndWriteBlob(ctx context.Context, cs content.Store, compression arc
 	writeChan := make(chan digest.Digest)
 	// Start copying the blob to the content store from the pipe.
 	go func() {
-		digest, err := writeBlobAndReturnDigest(ctx, cs, mediaType, pr)
+		dgst, err := writeBlobAndReturnDigest(ctx, cs, mediaType, pr)
 		pr.CloseWithError(err)
-		writeChan <- digest
+		writeChan <- dgst
 	}()
 
 	// Copy archive to the pipe and tee it to a digester.
@@ -392,8 +397,11 @@ func containerConfigToOciImageConfig(cfg *container.Config) ocispec.ImageConfig
 		StopSignal:  cfg.StopSignal,
 		ArgsEscaped: cfg.ArgsEscaped,
 	}
-	for k, v := range cfg.ExposedPorts {
-		ociCfg.ExposedPorts[string(k)] = v
+	if len(cfg.ExposedPorts) > 0 {
+		ociCfg.ExposedPorts = map[string]struct{}{}
+		for k, v := range cfg.ExposedPorts {
+			ociCfg.ExposedPorts[string(k)] = v
+		}
 	}
 
 	return ociCfg

daemon/containerd/image_import_test.go

@@ -0,0 +1,22 @@
+package containerd
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/go-connections/nat"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+// regression test for https://github.com/moby/moby/issues/45904
+func TestContainerConfigToOciImageConfig(t *testing.T) {
+	ociCFG := containerConfigToOciImageConfig(&container.Config{
+		ExposedPorts: nat.PortSet{
+			"80/tcp": struct{}{},
+		},
+	})
+
+	expected := map[string]struct{}{"80/tcp": {}}
+	assert.Check(t, is.DeepEqual(ociCFG.ExposedPorts, expected))
+}

daemon/containerd/image_list.go

@@ -10,10 +10,12 @@ import (
 	cerrdefs "github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/labels"
+	"github.com/containerd/containerd/snapshots"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/errdefs"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -142,41 +144,32 @@ func (i *ImageService) Images(ctx context.Context, opts types.ImageListOptions)
 func (i *ImageService) singlePlatformImage(ctx context.Context, contentStore content.Store, image *ImageManifest) (*types.ImageSummary, []digest.Digest, error) {
 	diffIDs, err := image.RootFS(ctx)
 	if err != nil {
-		return nil, nil, err
-	}
-	chainIDs := identity.ChainIDs(diffIDs)
-
-	size, err := image.Size(ctx)
-	if err != nil {
-		return nil, nil, err
+		return nil, nil, errors.Wrapf(err, "failed to get rootfs of image %s", image.Name())
 	}
 
 	// TODO(thaJeztah): do we need to take multiple snapshotters into account? See https://github.com/moby/moby/issues/45273
 	snapshotter := i.client.SnapshotService(i.snapshotter)
-	sizeCache := make(map[digest.Digest]int64)
 
-	snapshotSizeFn := func(d digest.Digest) (int64, error) {
-		if s, ok := sizeCache[d]; ok {
-			return s, nil
+	imageSnapshotID := identity.ChainID(diffIDs).String()
+	unpackedUsage, err := calculateSnapshotTotalUsage(ctx, snapshotter, imageSnapshotID)
+	if err != nil {
+		if !cerrdefs.IsNotFound(err) {
+			logrus.WithError(err).WithFields(logrus.Fields{
+				"image":      image.Name(),
+				"snapshotID": imageSnapshotID,
+			}).Warn("failed to calculate unpacked size of image")
 		}
-		usage, err := snapshotter.Usage(ctx, d.String())
-		if err != nil {
-			if cerrdefs.IsNotFound(err) {
-				return 0, nil
-			}
-			return 0, err
-		}
-		sizeCache[d] = usage.Size
-		return usage.Size, nil
+		unpackedUsage = snapshots.Usage{Size: 0}
 	}
-	snapshotSize, err := computeSnapshotSize(chainIDs, snapshotSizeFn)
+
+	contentSize, err := image.Size(ctx)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	// totalSize is the size of the image's packed layers and snapshots
 	// (unpacked layers) combined.
-	totalSize := size + snapshotSize
+	totalSize := contentSize + unpackedUsage.Size
 
 	var repoTags, repoDigests []string
 	rawImg := image.Metadata()
@@ -225,7 +218,7 @@ func (i *ImageService) singlePlatformImage(ctx context.Context, contentStore con
 		Containers: -1,
 	}
 
-	return summary, chainIDs, nil
+	return summary, identity.ChainIDs(diffIDs), nil
 }
 
 type imageFilterFunc func(image images.Image) bool
@@ -446,20 +439,6 @@ func setupLabelFilter(store content.Store, fltrs filters.Args) (func(image image
 	}, nil
 }
 
-// computeSnapshotSize calculates the total size consumed by the snapshots
-// for the given chainIDs.
-func computeSnapshotSize(chainIDs []digest.Digest, sizeFn func(d digest.Digest) (int64, error)) (int64, error) {
-	var totalSize int64
-	for _, chainID := range chainIDs {
-		size, err := sizeFn(chainID)
-		if err != nil {
-			return totalSize, err
-		}
-		totalSize += size
-	}
-	return totalSize, nil
-}
-
 func computeSharedSize(chainIDs []digest.Digest, layers map[digest.Digest]int, sizeFn func(d digest.Digest) (int64, error)) (int64, error) {
 	var sharedSize int64
 	for _, chainID := range chainIDs {
@@ -479,11 +458,20 @@ func computeSharedSize(chainIDs []digest.Digest, layers map[digest.Digest]int, s
 func readConfig(ctx context.Context, store content.Provider, desc ocispec.Descriptor, out interface{}) error {
 	data, err := content.ReadBlob(ctx, store, desc)
 	if err != nil {
-		return errors.Wrapf(err, "failed to read config content")
+		err = errors.Wrapf(err, "failed to read config content")
+		if cerrdefs.IsNotFound(err) {
+			return errdefs.NotFound(err)
+		}
+		return err
 	}
+
 	err = json.Unmarshal(data, out)
 	if err != nil {
-		return errors.Wrapf(err, "could not deserialize image config")
+		err = errors.Wrapf(err, "could not deserialize image config")
+		if cerrdefs.IsNotFound(err) {
+			return errdefs.NotFound(err)
+		}
+		return err
 	}
 
 	return nil

daemon/containerd/image_push.go

@@ -17,6 +17,7 @@ import (
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/internal/compatcontext"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -46,9 +47,8 @@ func (i *ImageService) PushImage(ctx context.Context, targetRef reference.Named,
 		return err
 	}
 	defer func() {
-		err := release(leasedCtx)
-		if err != nil && !cerrdefs.IsNotFound(err) {
-			logrus.WithField("image", targetRef).WithError(err).Error("failed to delete lease created for push")
+		if err := release(compatcontext.WithoutCancel(leasedCtx)); err != nil {
+			logrus.WithField("image", targetRef).WithError(err).Warn("failed to release lease created for push")
 		}
 	}()
 

daemon/containerd/image_snapshot.go

@@ -2,52 +2,60 @@ package containerd
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/containerd/containerd"
+	cerrdefs "github.com/containerd/containerd/errdefs"
 	containerdimages "github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/leases"
 	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/containerd/snapshots"
+	"github.com/docker/docker/errdefs"
 	"github.com/opencontainers/image-spec/identity"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )
 
 // PrepareSnapshot prepares a snapshot from a parent image for a container
 func (i *ImageService) PrepareSnapshot(ctx context.Context, id string, parentImage string, platform *ocispec.Platform) error {
-	img, err := i.resolveImage(ctx, parentImage)
-	if err != nil {
-		return err
-	}
-
-	cs := i.client.ContentStore()
-
-	matcher := platforms.Default()
-	if platform != nil {
-		matcher = platforms.Only(*platform)
-	}
-
-	platformImg := containerd.NewImageWithPlatform(i.client, img, matcher)
-	unpacked, err := platformImg.IsUnpacked(ctx, i.snapshotter)
-	if err != nil {
-		return err
-	}
-
-	if !unpacked {
-		if err := platformImg.Unpack(ctx, i.snapshotter); err != nil {
+	var parentSnapshot string
+	if parentImage != "" {
+		img, err := i.resolveImage(ctx, parentImage)
+		if err != nil {
 			return err
 		}
-	}
 
-	desc, err := containerdimages.Config(ctx, cs, img.Target, matcher)
-	if err != nil {
-		return err
-	}
+		cs := i.client.ContentStore()
 
-	diffIDs, err := containerdimages.RootFS(ctx, cs, desc)
-	if err != nil {
-		return err
-	}
+		matcher := platforms.Default()
+		if platform != nil {
+			matcher = platforms.Only(*platform)
+		}
 
-	parent := identity.ChainID(diffIDs).String()
+		platformImg := containerd.NewImageWithPlatform(i.client, img, matcher)
+		unpacked, err := platformImg.IsUnpacked(ctx, i.snapshotter)
+		if err != nil {
+			return err
+		}
+
+		if !unpacked {
+			if err := platformImg.Unpack(ctx, i.snapshotter); err != nil {
+				return err
+			}
+		}
+
+		desc, err := containerdimages.Config(ctx, cs, img.Target, matcher)
+		if err != nil {
+			return err
+		}
+
+		diffIDs, err := containerdimages.RootFS(ctx, cs, desc)
+		if err != nil {
+			return err
+		}
+
+		parentSnapshot = identity.ChainID(diffIDs).String()
+	}
 
 	// Add a lease so that containerd doesn't garbage collect our snapshot
 	ls := i.client.LeasesService()
@@ -64,6 +72,49 @@ func (i *ImageService) PrepareSnapshot(ctx context.Context, id string, parentIma
 	}
 
 	s := i.client.SnapshotService(i.StorageDriver())
-	_, err = s.Prepare(ctx, id, parent)
+	_, err = s.Prepare(ctx, id, parentSnapshot)
 	return err
 }
+
+// calculateSnapshotParentUsage returns the usage of all ancestors of the
+// provided snapshot. It doesn't include the size of the snapshot itself.
+func calculateSnapshotParentUsage(ctx context.Context, snapshotter snapshots.Snapshotter, snapshotID string) (snapshots.Usage, error) {
+	info, err := snapshotter.Stat(ctx, snapshotID)
+	if err != nil {
+		if cerrdefs.IsNotFound(err) {
+			return snapshots.Usage{}, errdefs.NotFound(err)
+		}
+		return snapshots.Usage{}, errdefs.System(errors.Wrapf(err, "snapshotter.Stat failed for %s", snapshotID))
+	}
+	if info.Parent == "" {
+		return snapshots.Usage{}, errdefs.NotFound(fmt.Errorf("snapshot %s has no parent", snapshotID))
+	}
+
+	return calculateSnapshotTotalUsage(ctx, snapshotter, info.Parent)
+}
+
+// calculateSnapshotTotalUsage returns the total usage of that snapshot
+// including all of its ancestors.
+func calculateSnapshotTotalUsage(ctx context.Context, snapshotter snapshots.Snapshotter, snapshotID string) (snapshots.Usage, error) {
+	var total snapshots.Usage
+	next := snapshotID
+
+	for next != "" {
+		usage, err := snapshotter.Usage(ctx, next)
+		if err != nil {
+			if cerrdefs.IsNotFound(err) {
+				return total, errdefs.NotFound(errors.Wrapf(err, "non-existing ancestor of %s", snapshotID))
+			}
+			return total, errdefs.System(errors.Wrapf(err, "snapshotter.Usage failed for %s", next))
+		}
+		total.Size += usage.Size
+		total.Inodes += usage.Inodes
+
+		info, err := snapshotter.Stat(ctx, next)
+		if err != nil {
+			return total, errdefs.System(errors.Wrapf(err, "snapshotter.Stat failed for %s", next))
+		}
+		next = info.Parent
+	}
+	return total, nil
+}

daemon/containerd/service.go

@@ -2,16 +2,15 @@ package containerd
 
 import (
 	"context"
-	"encoding/json"
+	"fmt"
 	"sync/atomic"
 
 	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/content"
+	cerrdefs "github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/plugin"
 	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/docker/distribution/reference"
-	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/container"
 	daemonevents "github.com/docker/docker/daemon/events"
 	"github.com/docker/docker/daemon/images"
@@ -20,8 +19,6 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/docker/docker/registry"
-	"github.com/opencontainers/go-digest"
-	"github.com/opencontainers/image-spec/identity"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -165,72 +162,29 @@ func (i *ImageService) GetContainerLayerSize(ctx context.Context, containerID st
 	}
 
 	snapshotter := i.client.SnapshotService(ctr.Driver)
-
-	usage, err := snapshotter.Usage(ctx, containerID)
+	rwLayerUsage, err := snapshotter.Usage(ctx, containerID)
 	if err != nil {
-		return 0, 0, err
-	}
-
-	imageManifest, err := getContainerImageManifest(ctr)
-	if err != nil {
-		// Best efforts attempt to pick an image.
-		// We don't have platform information at this point, so we can only
-		// assume that the platform matches host.
-		// Otherwise this will give a wrong base image size (different
-		// platform), but should be close enough.
-		mfst, err := i.GetImageManifest(ctx, ctr.Config.Image, imagetypes.GetImageOpts{})
-		if err != nil {
-			// Log error, don't error out whole operation.
-			logrus.WithFields(logrus.Fields{
-				logrus.ErrorKey: err,
-				"container":     containerID,
-			}).Warn("empty ImageManifest, can't calculate base image size")
-			return usage.Size, 0, nil
+		if cerrdefs.IsNotFound(err) {
+			return 0, 0, errdefs.NotFound(fmt.Errorf("rw layer snapshot not found for container %s", containerID))
 		}
-		imageManifest = *mfst
+		return 0, 0, errdefs.System(errors.Wrapf(err, "snapshotter.Usage failed for %s", containerID))
 	}
-	cs := i.client.ContentStore()
 
-	imageManifestBytes, err := content.ReadBlob(ctx, cs, imageManifest)
+	unpackedUsage, err := calculateSnapshotParentUsage(ctx, snapshotter, containerID)
 	if err != nil {
-		return 0, 0, err
-	}
-
-	var manifest ocispec.Manifest
-	if err := json.Unmarshal(imageManifestBytes, &manifest); err != nil {
-		return 0, 0, err
-	}
-
-	imageConfigBytes, err := content.ReadBlob(ctx, cs, manifest.Config)
-	if err != nil {
-		return 0, 0, err
-	}
-	var img ocispec.Image
-	if err := json.Unmarshal(imageConfigBytes, &img); err != nil {
-		return 0, 0, err
-	}
-
-	sizeCache := make(map[digest.Digest]int64)
-	snapshotSizeFn := func(d digest.Digest) (int64, error) {
-		if s, ok := sizeCache[d]; ok {
-			return s, nil
+		if cerrdefs.IsNotFound(err) {
+			logrus.WithField("ctr", containerID).Warn("parent of container snapshot no longer present")
+		} else {
+			logrus.WithError(err).WithField("ctr", containerID).Warn("unexpected error when calculating usage of the parent snapshots")
 		}
-		u, err := snapshotter.Usage(ctx, d.String())
-		if err != nil {
-			return 0, err
-		}
-		sizeCache[d] = u.Size
-		return u.Size, nil
-	}
-
-	chainIDs := identity.ChainIDs(img.RootFS.DiffIDs)
-	snapShotSize, err := computeSnapshotSize(chainIDs, snapshotSizeFn)
-	if err != nil {
-		return 0, 0, err
 	}
+	logrus.WithFields(logrus.Fields{
+		"rwLayerUsage": rwLayerUsage.Size,
+		"unpacked":     unpackedUsage.Size,
+	}).Debug("GetContainerLayerSize")
 
 	// TODO(thaJeztah): include content-store size for the image (similar to "GET /images/json")
-	return usage.Size, usage.Size + snapShotSize, nil
+	return rwLayerUsage.Size, rwLayerUsage.Size + unpackedUsage.Size, nil
 }
 
 // getContainerImageManifest safely dereferences ImageManifest.

daemon/daemon.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 // Package daemon exposes the functions that occur on the host server
 // that the Docker daemon is running.
 //
@@ -472,9 +475,12 @@ func (daemon *Daemon) restore() error {
 				restartContainers[c] = make(chan struct{})
 				mapLock.Unlock()
 			} else if c.HostConfig != nil && c.HostConfig.AutoRemove {
-				mapLock.Lock()
-				removeContainers[c.ID] = c
-				mapLock.Unlock()
+				// Remove the container if live-restore is disabled or if the container has already exited.
+				if !daemon.configStore.LiveRestoreEnabled || !alive {
+					mapLock.Lock()
+					removeContainers[c.ID] = c
+					mapLock.Unlock()
+				}
 			}
 
 			c.Lock()

daemon/daemon_unix.go

@@ -701,7 +701,7 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
 	if hostConfig.CgroupParent != "" && UsingSystemd(daemon.configStore) {
 		// CgroupParent for systemd cgroup should be named as "xxx.slice"
 		if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {
-			return warnings, fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
+			return warnings, fmt.Errorf(`cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice"`)
 		}
 	}
 	if hostConfig.Runtime == "" {
@@ -754,7 +754,7 @@ func verifyDaemonSettings(conf *config.Config) error {
 	}
 	if conf.CgroupParent != "" && UsingSystemd(conf) {
 		if len(conf.CgroupParent) <= 6 || !strings.HasSuffix(conf.CgroupParent, ".slice") {
-			return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
+			return fmt.Errorf(`cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice"`)
 		}
 	}
 
@@ -1069,7 +1069,7 @@ func initBridgeDriver(controller *libnetwork.Controller, config *config.Config)
 		libnetwork.NetworkOptionIpam("default", "", v4Conf, v6Conf, nil),
 		libnetwork.NetworkOptionDeferIPv6Alloc(deferIPv6Alloc))
 	if err != nil {
-		return fmt.Errorf("Error creating default \"bridge\" network: %v", err)
+		return fmt.Errorf(`error creating default "bridge" network: %v`, err)
 	}
 	return nil
 }

daemon/daemon_unix_test.go

@@ -148,7 +148,7 @@ func TestParseSecurityOptWithDeprecatedColon(t *testing.T) {
 		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
 	}
 	if opts.AppArmorProfile != "test_profile" {
-		t.Fatalf("Unexpected AppArmorProfile, expected: \"test_profile\", got %q", opts.AppArmorProfile)
+		t.Fatalf(`Unexpected AppArmorProfile, expected: "test_profile", got %q`, opts.AppArmorProfile)
 	}
 
 	// test seccomp

daemon/delete.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	cerrdefs "github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/leases"
 	"github.com/docker/docker/api/types"
 	containertypes "github.com/docker/docker/api/types/container"
@@ -144,8 +145,10 @@ func (daemon *Daemon) cleanupContainer(container *container.Container, config ty
 				ID: container.ID,
 			}
 			if err := ls.Delete(context.Background(), lease, leases.SynchronousDelete); err != nil {
-				container.SetRemovalError(err)
-				return err
+				if !cerrdefs.IsNotFound(err) {
+					container.SetRemovalError(err)
+					return err
+				}
 			}
 		}
 	}

daemon/graphdriver/overlay2/overlay.go

@@ -23,6 +23,7 @@ import (
 	"github.com/docker/docker/pkg/containerfs"
 	"github.com/docker/docker/pkg/directory"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/quota"
 	units "github.com/docker/go-units"
@@ -386,7 +387,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 	}
 
 	// Write link id to link file
-	if err := os.WriteFile(path.Join(dir, "link"), []byte(lid), 0644); err != nil {
+	if err := ioutils.AtomicWriteFile(path.Join(dir, "link"), []byte(lid), 0o644); err != nil {
 		return err
 	}
 
@@ -399,7 +400,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		return err
 	}
 
-	if err := os.WriteFile(path.Join(d.dir(parent), "committed"), []byte{}, 0600); err != nil {
+	if err := ioutils.AtomicWriteFile(path.Join(d.dir(parent), "committed"), []byte{}, 0o600); err != nil {
 		return err
 	}
 
@@ -408,7 +409,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
 		return err
 	}
 	if lower != "" {
-		if err := os.WriteFile(path.Join(dir, lowerFile), []byte(lower), 0666); err != nil {
+		if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil {
 			return err
 		}
 	}

daemon/health.go

@@ -387,7 +387,7 @@ func (b *limitedBuffer) Write(data []byte) (int, error) {
 
 	bufLen := b.buf.Len()
 	dataLen := len(data)
-	keep := min(maxOutputLen-bufLen, dataLen)
+	keep := minInt(maxOutputLen-bufLen, dataLen)
 	if keep > 0 {
 		b.buf.Write(data[:keep])
 	}
@@ -417,7 +417,7 @@ func timeoutWithDefault(configuredValue time.Duration, defaultValue time.Duratio
 	return configuredValue
 }
 
-func min(x, y int) int {
+func minInt(x, y int) int {
 	if x < y {
 		return x
 	}

daemon/images/image.go

@@ -54,10 +54,13 @@ func (i *ImageService) PrepareSnapshot(ctx context.Context, id string, image str
 func (i *ImageService) manifestMatchesPlatform(ctx context.Context, img *image.Image, platform ocispec.Platform) (bool, error) {
 	logger := logrus.WithField("image", img.ID).WithField("desiredPlatform", platforms.Format(platform))
 
-	ls, leaseErr := i.leases.ListResources(ctx, leases.Lease{ID: imageKey(img.ID().String())})
-	if leaseErr != nil {
-		logger.WithError(leaseErr).Error("Error looking up image leases")
-		return false, leaseErr
+	ls, err := i.leases.ListResources(ctx, leases.Lease{ID: imageKey(img.ID().String())})
+	if err != nil {
+		if cerrdefs.IsNotFound(err) {
+			return false, nil
+		}
+		logger.WithError(err).Error("Error looking up image leases")
+		return false, err
 	}
 
 	// Note we are comparing against manifest lists here, which we expect to always have a CPU variant set (where applicable).

daemon/images/image_builder.go

@@ -257,6 +257,9 @@ func (i *ImageService) CreateImage(ctx context.Context, config []byte, parent st
 			return nil, errors.Wrapf(err, "failed to set parent %s", parent)
 		}
 	}
+	if err := i.imageStore.SetBuiltLocally(id); err != nil {
+		return nil, errors.Wrapf(err, "failed to mark image %s as built locally", id)
+	}
 
 	return i.imageStore.Get(id)
 }

daemon/images/image_commit.go

@@ -62,6 +62,9 @@ func (i *ImageService) CommitImage(ctx context.Context, c backend.CommitConfig)
 	if err != nil {
 		return "", err
 	}
+	if err := i.imageStore.SetBuiltLocally(id); err != nil {
+		return "", err
+	}
 
 	if c.ParentImageID != "" {
 		if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {

daemon/images/image_windows.go

@@ -18,8 +18,8 @@ func (i *ImageService) GetContainerLayerSize(ctx context.Context, containerID st
 // GetLayerFolders returns the layer folders from an image RootFS
 func (i *ImageService) GetLayerFolders(img *image.Image, rwLayer layer.RWLayer) ([]string, error) {
 	folders := []string{}
-	max := len(img.RootFS.DiffIDs)
-	for index := 1; index <= max; index++ {
+	rd := len(img.RootFS.DiffIDs)
+	for index := 1; index <= rd; index++ {
 		// FIXME: why does this mutate the RootFS?
 		img.RootFS.DiffIDs = img.RootFS.DiffIDs[:index]
 		if !system.IsOSSupported(img.OperatingSystem()) {

daemon/info.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

daemon/inspect.go

@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

daemon/list.go

@@ -11,7 +11,6 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/container"
-	"github.com/docker/docker/daemon/images"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
 	"github.com/docker/go-connections/nat"
@@ -42,7 +41,7 @@ type iterationAction int
 
 // containerReducer represents a reducer for a container.
 // Returns the object to serialize by the api.
-type containerReducer func(context.Context, *container.Snapshot, *listContext) (*types.Container, error)
+type containerReducer func(context.Context, *container.Snapshot) (*types.Container, error)
 
 const (
 	// includeContainer is the action to include a container in the reducer.
@@ -231,7 +230,7 @@ func (daemon *Daemon) reducePsContainer(ctx context.Context, container *containe
 	}
 
 	// transform internal container struct into api structs
-	newC, err := reducer(ctx, container, filter)
+	newC, err := reducer(ctx, container)
 	if err != nil {
 		return nil, err
 	}
@@ -579,21 +578,70 @@ func includeContainerInList(container *container.Snapshot, filter *listContext)
 	return includeContainer
 }
 
-// refreshImage checks if the Image ref still points to the correct ID, and updates the ref to the actual ID when it doesn't
-func (daemon *Daemon) refreshImage(ctx context.Context, s *container.Snapshot, filter *listContext) (*types.Container, error) {
+// refreshImage checks if the Image ref still points to the correct ID, and
+// updates the ref to the actual ID when it doesn't.
+// This happens when the image with a reference that was used to create
+// container was deleted or updated and now resolves to a different ID.
+//
+// For example:
+// $ docker run -d busybox:latest
+// $ docker ps -a
+// CONTAINER ID   IMAGE     COMMAND   CREATED         STATUS                     PORTS     NAMES
+// b0318bca5aef   busybox   "sh"      4 seconds ago   Exited (0) 3 seconds ago             ecstatic_beaver
+//
+// After some time, busybox image got updated on the Docker Hub:
+// $ docker pull busybox:latest
+//
+// So now busybox:latest points to a different digest, but that doesn't impact
+// the ecstatic_beaver container which was still created under an older
+// version. In this case, it should still point to the original image ID it was
+// created from.
+//
+// $ docker ps -a
+// CONTAINER ID   IMAGE          COMMAND   CREATED       STATUS                  PORTS     NAMES
+// b0318bca5aef   3fbc63216742   "sh"      3 years ago   Exited (0) 3 years ago            ecstatic_beaver
+func (daemon *Daemon) refreshImage(ctx context.Context, s *container.Snapshot) (*types.Container, error) {
 	c := s.Container
-	tmpImage := s.Image // keep the original ref if still valid (hasn't changed)
-	if tmpImage != s.ImageID {
-		img, err := daemon.imageService.GetImage(ctx, tmpImage, imagetypes.GetImageOpts{})
-		if _, isDNE := err.(images.ErrImageDoesNotExist); err != nil && !isDNE {
-			return nil, err
-		}
-		if err != nil || img.ImageID() != s.ImageID {
-			// ref changed, we need to use original ID
-			tmpImage = s.ImageID
-		}
+
+	// s.Image is the image reference passed by the user to create an image
+	//         can be a:
+	//         - name (like nginx, ubuntu:latest, docker.io/library/busybox:latest),
+	//         - truncated ID (abcdef),
+	//         - full digest (sha256:abcdef...)
+	//
+	// s.ImageID is the ID of the image that s.Image resolved to at the time
+	// of the container creation. It's always a full digest.
+
+	// If these match, there's nothing to refresh.
+	if s.Image == s.ImageID {
+		return &c, nil
 	}
-	c.Image = tmpImage
+
+	// Check if the image reference still resolves to the same digest.
+	img, err := daemon.imageService.GetImage(ctx, s.Image, imagetypes.GetImageOpts{})
+
+	// If the image is no longer found or can't be resolved for some other
+	// reason. Update the Image to the specific ID of the original image it
+	// resolved to when the container was created.
+	if err != nil {
+		if !errdefs.IsNotFound(err) {
+			logrus.WithFields(logrus.Fields{
+				logrus.ErrorKey: err,
+				"containerID":   c.ID,
+				"image":         s.Image,
+				"imageID":       s.ImageID,
+			}).Warn("failed to resolve container image")
+		}
+		c.Image = s.ImageID
+		return &c, nil
+	}
+
+	// Also update the image to the specific image ID, if the Image now
+	// resolves to a different ID.
+	if img.ImageID() != s.ImageID {
+		c.Image = s.ImageID
+	}
+
 	return &c, nil
 }
 

daemon/logger/etwlogs/etwlogs_windows.go

@@ -13,12 +13,11 @@
 package etwlogs // import "github.com/docker/docker/daemon/logger/etwlogs"
 
 import (
+	"errors"
 	"fmt"
 	"sync"
 	"unsafe"
 
-	"github.com/Microsoft/go-winio/pkg/etw"
-	"github.com/Microsoft/go-winio/pkg/guid"
 	"github.com/docker/docker/daemon/logger"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
@@ -33,21 +32,18 @@ type etwLogs struct {
 
 const (
 	name             = "etwlogs"
-	providerGUID     = `a3693192-9ed6-46d2-a981-f8226c8363bd`
 	win32CallSuccess = 0
 )
 
 var (
 	modAdvapi32          = windows.NewLazySystemDLL("Advapi32.dll")
+	procEventRegister    = modAdvapi32.NewProc("EventRegister")
 	procEventWriteString = modAdvapi32.NewProc("EventWriteString")
+	procEventUnregister  = modAdvapi32.NewProc("EventUnregister")
 )
-
-var (
-	providerHandle windows.Handle
-	mu             sync.Mutex
-	refCount       int
-	provider       *etw.Provider
-)
+var providerHandle windows.Handle
+var refCount int
+var mu sync.Mutex
 
 func init() {
 	providerHandle = windows.InvalidHandle
@@ -73,7 +69,12 @@ func New(info logger.Info) (logger.Logger, error) {
 
 // Log logs the message to the ETW stream.
 func (etwLogger *etwLogs) Log(msg *logger.Message) error {
-	// TODO(thaJeztah): log structured events instead and use provider.WriteEvent().
+	if providerHandle == windows.InvalidHandle {
+		// This should never be hit, if it is, it indicates a programming error.
+		errorMessage := "ETWLogs cannot log the message, because the event provider has not been registered."
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
+	}
 	m := createLogMessage(etwLogger, msg)
 	logger.PutMessage(msg)
 	return callEventWriteString(m)
@@ -104,8 +105,7 @@ func registerETWProvider() error {
 	defer mu.Unlock()
 	if refCount == 0 {
 		var err error
-		provider, err = callEventRegister()
-		if err != nil {
+		if err = callEventRegister(); err != nil {
 			return err
 		}
 	}
@@ -118,43 +118,51 @@ func unregisterETWProvider() {
 	mu.Lock()
 	defer mu.Unlock()
 	if refCount == 1 {
-		if err := callEventUnregister(); err != nil {
-			// Not returning an error if EventUnregister fails, because etwLogs will continue to work
-			return
+		if callEventUnregister() {
+			refCount--
+			providerHandle = windows.InvalidHandle
 		}
-		refCount--
-		provider = nil
-		providerHandle = windows.InvalidHandle
+		// Not returning an error if EventUnregister fails, because etwLogs will continue to work
 	} else {
 		refCount--
 	}
 }
 
-func callEventRegister() (*etw.Provider, error) {
-	providerID, _ := guid.FromString(providerGUID)
-	p, err := etw.NewProviderWithOptions("", etw.WithID(providerID))
-	if err != nil {
-		logrus.WithError(err).Error("Failed to register ETW provider")
-		return nil, fmt.Errorf("failed to register ETW provider: %v", err)
+func callEventRegister() error {
+	// The provider's GUID is {a3693192-9ed6-46d2-a981-f8226c8363bd}
+	guid := windows.GUID{
+		Data1: 0xa3693192,
+		Data2: 0x9ed6,
+		Data3: 0x46d2,
+		Data4: [8]byte{0xa9, 0x81, 0xf8, 0x22, 0x6c, 0x83, 0x63, 0xbd},
 	}
-	return p, nil
+
+	ret, _, _ := procEventRegister.Call(uintptr(unsafe.Pointer(&guid)), 0, 0, uintptr(unsafe.Pointer(&providerHandle)))
+	if ret != win32CallSuccess {
+		errorMessage := fmt.Sprintf("Failed to register ETW provider. Error: %d", ret)
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
+	}
+	return nil
 }
 
-// TODO(thaJeztah): port this function to github.com/Microsoft/go-winio/pkg/etw.
 func callEventWriteString(message string) error {
 	utf16message, err := windows.UTF16FromString(message)
+
 	if err != nil {
 		return err
 	}
 
 	ret, _, _ := procEventWriteString.Call(uintptr(providerHandle), 0, 0, uintptr(unsafe.Pointer(&utf16message[0])))
 	if ret != win32CallSuccess {
-		logrus.WithError(err).Error("ETWLogs provider failed to log message")
-		return fmt.Errorf("ETWLogs provider failed to log message: %v", err)
+		errorMessage := fmt.Sprintf("ETWLogs provider failed to log message. Error: %d", ret)
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
 	}
 	return nil
 }
 
-func callEventUnregister() error {
-	return provider.Close()
+func callEventUnregister() bool {
+	ret, _, _ := procEventUnregister.Call(uintptr(providerHandle))
+	return ret == win32CallSuccess
 }

daemon/logger/local/local.go

@@ -187,7 +187,7 @@ func messageToProto(msg *logger.Message, proto *logdriver.LogEntry, partial *log
 func protoToMessage(proto *logdriver.LogEntry) *logger.Message {
 	msg := &logger.Message{
 		Source:    proto.Source,
-		Timestamp: time.Unix(0, proto.TimeNano),
+		Timestamp: time.Unix(0, proto.TimeNano).UTC(),
 	}
 	if proto.Partial {
 		var md backend.PartialLogMetaData

daemon/logger/local/read.go

@@ -66,7 +66,7 @@ func getTailReader(ctx context.Context, r loggerutils.SizeReaderAt, req int) (io
 		}
 
 		if msgLen != binary.BigEndian.Uint32(buf) {
-			return nil, 0, errdefs.DataLoss(errors.Wrap(err, "log message header and footer indicate different message sizes"))
+			return nil, 0, errdefs.DataLoss(errors.New("log message header and footer indicate different message sizes"))
 		}
 
 		found++

daemon/logger/splunk/splunk.go

@@ -37,7 +37,7 @@ const (
 	splunkCANameKey               = "splunk-caname"
 	splunkInsecureSkipVerifyKey   = "splunk-insecureskipverify"
 	splunkFormatKey               = "splunk-format"
-	splunkVerifyConnectionKey     = "splunk-verify-connection"
+	splunkVerifyConnectionKey     = "splunk-verify-connection" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
 	splunkGzipCompressionKey      = "splunk-gzip"
 	splunkGzipCompressionLevelKey = "splunk-gzip-level"
 	splunkIndexAcknowledgment     = "splunk-index-acknowledgment"

daemon/network.go

@@ -291,6 +291,16 @@ func (daemon *Daemon) createNetwork(create types.NetworkCreateRequest, id string
 		return nil, PredefinedNetworkError(create.Name)
 	}
 
+	c := daemon.netController
+	driver := create.Driver
+	if driver == "" {
+		driver = c.Config().DefaultDriver
+	}
+
+	if driver == "overlay" && !daemon.cluster.IsManager() && !agent {
+		return nil, errdefs.Forbidden(errors.New(`This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.`))
+	}
+
 	var warning string
 	nw, err := daemon.GetNetworkByName(create.Name)
 	if err != nil {
@@ -309,12 +319,6 @@ func (daemon *Daemon) createNetwork(create types.NetworkCreateRequest, id string
 		warning = fmt.Sprintf("Network with name %s (id : %s) already exists", nw.Name(), nw.ID())
 	}
 
-	c := daemon.netController
-	driver := create.Driver
-	if driver == "" {
-		driver = c.Config().DefaultDriver
-	}
-
 	networkOptions := make(map[string]string)
 	for k, v := range create.Options {
 		networkOptions[k] = v
@@ -373,10 +377,6 @@ func (daemon *Daemon) createNetwork(create types.NetworkCreateRequest, id string
 
 	n, err := c.NewNetwork(driver, create.Name, id, nwOptions...)
 	if err != nil {
-		if errors.Is(err, libnetwork.ErrDataStoreNotInitialized) {
-			//nolint: revive
-			return nil, errors.New("This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again.")
-		}
 		return nil, err
 	}
 
@@ -875,8 +875,8 @@ func buildCreateEndpointOptions(c *container.Container, n libnetwork.Network, ep
 	// to which container was connected to on docker run.
 	// Ideally all these network-specific endpoint configurations must be moved under
 	// container.NetworkSettings.Networks[n.Name()]
-	if n.Name() == c.HostConfig.NetworkMode.NetworkName() ||
-		(n.Name() == defaultNetName && c.HostConfig.NetworkMode.IsDefault()) {
+	netMode := c.HostConfig.NetworkMode
+	if n.Name() == netMode.NetworkName() || n.ID() == netMode.NetworkName() || (n.Name() == defaultNetName && netMode.IsDefault()) {
 		if c.Config.MacAddress != "" {
 			mac, err := net.ParseMAC(c.Config.MacAddress)
 			if err != nil {

daemon/oci_linux.go

@@ -113,6 +113,15 @@ func WithRootless(daemon *Daemon) coci.SpecOpts {
 	}
 }
 
+// withRootfulInRootless is used for "rootful-in-rootless" dind;
+// the daemon is running in UserNS but has no access to RootlessKit API socket, host filesystem, etc.
+func withRootfulInRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
+	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
+		specconv.ToRootfulInRootless(s)
+		return nil
+	}
+}
+
 // WithOOMScore sets the oom score
 func WithOOMScore(score *int) coci.SpecOpts {
 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
@@ -1091,6 +1100,8 @@ func (daemon *Daemon) createSpec(ctx context.Context, c *container.Container) (r
 	}
 	if daemon.configStore.Rootless {
 		opts = append(opts, WithRootless(daemon))
+	} else if userns.RunningInUserNS() {
+		opts = append(opts, withRootfulInRootless(daemon, daemon.configStore))
 	}
 
 	var snapshotter, snapshotKey string

daemon/restart.go

@@ -6,6 +6,7 @@ import (
 
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
+	"github.com/docker/docker/internal/compatcontext"
 )
 
 // ContainerRestart stops and starts a container. It attempts to
@@ -31,6 +32,10 @@ func (daemon *Daemon) ContainerRestart(ctx context.Context, name string, options
 // gracefully stop, before forcefully terminating the container. If
 // given a negative duration, wait forever for a graceful stop.
 func (daemon *Daemon) containerRestart(ctx context.Context, container *container.Container, options containertypes.StopOptions) error {
+	// Restarting is expected to be an atomic operation, and cancelling
+	// the request should not cancel the stop -> start sequence.
+	ctx = compatcontext.WithoutCancel(ctx)
+
 	// Determine isolation. If not specified in the hostconfig, use daemon default.
 	actualIsolation := container.HostConfig.Isolation
 	if containertypes.Isolation.IsDefault(actualIsolation) {

daemon/stats.go

@@ -7,6 +7,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/containerd/containerd/log"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/versions"
@@ -43,6 +44,15 @@ func (daemon *Daemon) ContainerStats(ctx context.Context, prefixOrName string, c
 		})
 	}
 
+	// Get container stats directly if OneShot is set
+	if config.OneShot {
+		stats, err := daemon.GetContainerStats(ctr)
+		if err != nil {
+			return err
+		}
+		return json.NewEncoder(config.OutStream).Encode(stats)
+	}
+
 	outStream := config.OutStream
 	if config.Stream {
 		wf := ioutils.NewWriteFlusher(outStream)
@@ -148,15 +158,34 @@ func (daemon *Daemon) unsubscribeToContainerStats(c *container.Container, ch cha
 func (daemon *Daemon) GetContainerStats(container *container.Container) (*types.StatsJSON, error) {
 	stats, err := daemon.stats(container)
 	if err != nil {
-		return nil, err
+		goto done
+	}
+
+	// Sample system CPU usage close to container usage to avoid
+	// noise in metric calculations.
+	// FIXME: move to containerd on Linux (not Windows)
+	stats.CPUStats.SystemUsage, stats.CPUStats.OnlineCPUs, err = getSystemCPUUsage()
+	if err != nil {
+		goto done
 	}
 
 	// We already have the network stats on Windows directly from HCS.
 	if !container.Config.NetworkDisabled && runtime.GOOS != "windows" {
-		if stats.Networks, err = daemon.getNetworkStats(container); err != nil {
-			return nil, err
-		}
+		stats.Networks, err = daemon.getNetworkStats(container)
 	}
 
-	return stats, nil
+done:
+	switch err.(type) {
+	case nil:
+		return stats, nil
+	case errdefs.ErrConflict, errdefs.ErrNotFound:
+		// return empty stats containing only name and ID if not running or not found
+		return &types.StatsJSON{
+			Name: container.Name,
+			ID:   container.ID,
+		}, nil
+	default:
+		log.G(context.TODO()).Errorf("collecting stats for container %s: %v", container.Name, err)
+		return nil, err
+	}
 }

daemon/stats/collector.go

@@ -1,15 +1,12 @@
 package stats // import "github.com/docker/docker/daemon/stats"
 
 import (
-	"bufio"
 	"sync"
 	"time"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/container"
-	"github.com/docker/docker/errdefs"
 	"github.com/moby/pubsub"
-	"github.com/sirupsen/logrus"
 )
 
 // Collector manages and provides container resource stats
@@ -19,7 +16,6 @@ type Collector struct {
 	supervisor supervisor
 	interval   time.Duration
 	publishers map[*container.Container]*pubsub.Publisher
-	bufReader  *bufio.Reader
 }
 
 // NewCollector creates a stats collector that will poll the supervisor with the specified interval
@@ -28,7 +24,6 @@ func NewCollector(supervisor supervisor, interval time.Duration) *Collector {
 		interval:   interval,
 		supervisor: supervisor,
 		publishers: make(map[*container.Container]*pubsub.Publisher),
-		bufReader:  bufio.NewReaderSize(nil, 128),
 	}
 	s.cond = sync.NewCond(&s.m)
 	return s
@@ -107,45 +102,15 @@ func (s *Collector) Run() {
 
 		s.cond.L.Unlock()
 
-		onlineCPUs, err := s.getNumberOnlineCPUs()
-		if err != nil {
-			logrus.Errorf("collecting system online cpu count: %v", err)
-			continue
-		}
-
 		for _, pair := range pairs {
 			stats, err := s.supervisor.GetContainerStats(pair.container)
-
-			switch err.(type) {
-			case nil:
-				// Sample system CPU usage close to container usage to avoid
-				// noise in metric calculations.
-				systemUsage, err := s.getSystemCPUUsage()
-				if err != nil {
-					logrus.WithError(err).WithField("container_id", pair.container.ID).Errorf("collecting system cpu usage")
-					continue
+			if err != nil {
+				stats = &types.StatsJSON{
+					Name: pair.container.Name,
+					ID:   pair.container.ID,
 				}
-
-				// FIXME: move to containerd on Linux (not Windows)
-				stats.CPUStats.SystemUsage = systemUsage
-				stats.CPUStats.OnlineCPUs = onlineCPUs
-
-				pair.publisher.Publish(*stats)
-
-			case errdefs.ErrConflict, errdefs.ErrNotFound:
-				// publish empty stats containing only name and ID if not running or not found
-				pair.publisher.Publish(types.StatsJSON{
-					Name: pair.container.Name,
-					ID:   pair.container.ID,
-				})
-
-			default:
-				logrus.Errorf("collecting stats for %s: %v", pair.container.ID, err)
-				pair.publisher.Publish(types.StatsJSON{
-					Name: pair.container.Name,
-					ID:   pair.container.ID,
-				})
 			}
+			pair.publisher.Publish(*stats)
 		}
 
 		time.Sleep(s.interval)

daemon/stats/collector_unix.go

@@ -1,76 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package stats // import "github.com/docker/docker/daemon/stats"
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-
-	"golang.org/x/sys/unix"
-)
-
-const (
-	// The value comes from `C.sysconf(C._SC_CLK_TCK)`, and
-	// on Linux it's a constant which is safe to be hard coded,
-	// so we can avoid using cgo here. For details, see:
-	// https://github.com/containerd/cgroups/pull/12
-	clockTicksPerSecond  = 100
-	nanoSecondsPerSecond = 1e9
-)
-
-// getSystemCPUUsage returns the host system's cpu usage in
-// nanoseconds. An error is returned if the format of the underlying
-// file does not match.
-//
-// Uses /proc/stat defined by POSIX. Looks for the cpu
-// statistics line and then sums up the first seven fields
-// provided. See `man 5 proc` for details on specific field
-// information.
-func (s *Collector) getSystemCPUUsage() (uint64, error) {
-	f, err := os.Open("/proc/stat")
-	if err != nil {
-		return 0, err
-	}
-	defer func() {
-		s.bufReader.Reset(nil)
-		f.Close()
-	}()
-	s.bufReader.Reset(f)
-
-	for {
-		line, err := s.bufReader.ReadString('\n')
-		if err != nil {
-			break
-		}
-		parts := strings.Fields(line)
-		switch parts[0] {
-		case "cpu":
-			if len(parts) < 8 {
-				return 0, fmt.Errorf("invalid number of cpu fields")
-			}
-			var totalClockTicks uint64
-			for _, i := range parts[1:8] {
-				v, err := strconv.ParseUint(i, 10, 64)
-				if err != nil {
-					return 0, fmt.Errorf("Unable to convert value %s to int: %s", i, err)
-				}
-				totalClockTicks += v
-			}
-			return (totalClockTicks * nanoSecondsPerSecond) /
-				clockTicksPerSecond, nil
-		}
-	}
-	return 0, fmt.Errorf("invalid stat format. Error trying to parse the '/proc/stat' file")
-}
-
-func (s *Collector) getNumberOnlineCPUs() (uint32, error) {
-	var cpuset unix.CPUSet
-	err := unix.SchedGetaffinity(0, &cpuset)
-	if err != nil {
-		return 0, err
-	}
-	return uint32(cpuset.Count()), nil
-}

daemon/stats/collector_windows.go

@@ -1,12 +0,0 @@
-package stats // import "github.com/docker/docker/daemon/stats"
-
-// getSystemCPUUsage returns the host system's cpu usage in
-// nanoseconds. An error is returned if the format of the underlying
-// file does not match. This is a no-op on Windows.
-func (s *Collector) getSystemCPUUsage() (uint64, error) {
-	return 0, nil
-}
-
-func (s *Collector) getNumberOnlineCPUs() (uint32, error) {
-	return 0, nil
-}

daemon/stats_unix.go

@@ -4,7 +4,11 @@
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
+	"bufio"
 	"context"
+	"fmt"
+	"os"
+	"strconv"
 	"strings"
 
 	statsV1 "github.com/containerd/cgroups/v3/cgroup1/stats"
@@ -297,3 +301,60 @@ func (daemon *Daemon) getNetworkStats(c *container.Container) (map[string]types.
 
 	return stats, nil
 }
+
+const (
+	// The value comes from `C.sysconf(C._SC_CLK_TCK)`, and
+	// on Linux it's a constant which is safe to be hard coded,
+	// so we can avoid using cgo here. For details, see:
+	// https://github.com/containerd/cgroups/pull/12
+	clockTicksPerSecond  = 100
+	nanoSecondsPerSecond = 1e9
+)
+
+// getSystemCPUUsage returns the host system's cpu usage in
+// nanoseconds and number of online CPUs. An error is returned
+// if the format of the underlying file does not match.
+//
+// Uses /proc/stat defined by POSIX. Looks for the cpu
+// statistics line and then sums up the first seven fields
+// provided. See `man 5 proc` for details on specific field
+// information.
+func getSystemCPUUsage() (cpuUsage uint64, cpuNum uint32, err error) {
+	f, err := os.Open("/proc/stat")
+	if err != nil {
+		return 0, 0, err
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if len(line) < 4 || line[:3] != "cpu" {
+			break // Assume all cpu* records are at the front, like glibc https://github.com/bminor/glibc/blob/5d00c201b9a2da768a79ea8d5311f257871c0b43/sysdeps/unix/sysv/linux/getsysstats.c#L108-L135
+		}
+		if line[3] == ' ' {
+			parts := strings.Fields(line)
+			if len(parts) < 8 {
+				return 0, 0, fmt.Errorf("invalid number of cpu fields")
+			}
+			var totalClockTicks uint64
+			for _, i := range parts[1:8] {
+				v, err := strconv.ParseUint(i, 10, 64)
+				if err != nil {
+					return 0, 0, fmt.Errorf("Unable to convert value %s to int: %w", i, err)
+				}
+				totalClockTicks += v
+			}
+			cpuUsage = (totalClockTicks * nanoSecondsPerSecond) /
+				clockTicksPerSecond
+		}
+		if '0' <= line[3] && line[3] <= '9' {
+			cpuNum++
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return 0, 0, fmt.Errorf("error scanning '/proc/stat' file: %w", err)
+	}
+	return
+}

daemon/stats_windows.go

@@ -77,3 +77,11 @@ func (daemon *Daemon) stats(c *container.Container) (*types.StatsJSON, error) {
 func (daemon *Daemon) getNetworkStats(c *container.Container) (map[string]types.NetworkStats, error) {
 	return make(map[string]types.NetworkStats), nil
 }
+
+// getSystemCPUUsage returns the host system's cpu usage in
+// nanoseconds and number of online CPUs. An error is returned
+// if the format of the underlying file does not match.
+// This is a no-op on Windows.
+func getSystemCPUUsage() (uint64, uint32, error) {
+	return 0, 0, nil
+}

daemon/top_unix.go

@@ -29,7 +29,7 @@ func validatePSArgs(psArgs string) error {
 			k := group[1]
 			v := group[2]
 			if k != "pid" {
-				return fmt.Errorf("specifying \"%s=%s\" is not allowed", k, v)
+				return fmt.Errorf(`specifying "%s=%s" is not allowed`, k, v)
 			}
 		}
 	}

daemon/top_unix_test.go

@@ -12,8 +12,8 @@ import (
 func TestContainerTopValidatePSArgs(t *testing.T) {
 	tests := map[string]bool{
 		"ae -o uid=PID":             true,
-		"ae -o \"uid= PID\"":        true,  // ascii space (0x20)
-		"ae -o \"uid= PID\"":        false, // unicode space (U+2003, 0xe2 0x80 0x83)
+		`ae -o "uid= PID"`:          true,  // ascii space (0x20)
+		`ae -o "uid= PID"`:          false, // unicode space (U+2003, 0xe2 0x80 0x83)
 		"ae o uid=PID":              true,
 		"aeo uid=PID":               true,
 		"ae -O uid=PID":             true,

daemon/update.go

@@ -53,7 +53,7 @@ func (daemon *Daemon) update(name string, hostConfig *container.HostConfig) erro
 
 	if ctr.RemovalInProgress || ctr.Dead {
 		ctr.Unlock()
-		return errCannotUpdate(ctr.ID, fmt.Errorf("container is marked for removal and cannot be \"update\""))
+		return errCannotUpdate(ctr.ID, fmt.Errorf(`container is marked for removal and cannot be "update"`))
 	}
 
 	if err := ctr.UpdateContainer(hostConfig); err != nil {

distribution/pull_v2.go

@@ -438,13 +438,9 @@ func (p *puller) pullTag(ctx context.Context, ref reference.Named, platform *oci
 
 	switch v := manifest.(type) {
 	case *schema1.SignedManifest:
-		// give registries time to upgrade to schema2 and only warn if we know a registry has been upgraded long time ago
-		// TODO: condition to be removed
-		if reference.Domain(ref) == "docker.io" {
-			msg := fmt.Sprintf("Image %s uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/", ref)
-			logrus.Warn(msg)
-			progress.Message(p.config.ProgressOutput, "", msg)
-		}
+		msg := fmt.Sprintf("[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of %s to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/", ref)
+		logrus.Warn(msg)
+		progress.Message(p.config.ProgressOutput, "", msg)
 
 		id, manifestDigest, err = p.pullSchema1(ctx, ref, v, platform)
 		if err != nil {
@@ -873,7 +869,7 @@ func (p *puller) pullManifestList(ctx context.Context, ref reference.Named, mfst
 
 		switch v := manifest.(type) {
 		case *schema1.SignedManifest:
-			msg := fmt.Sprintf("[DEPRECATION NOTICE] v2 schema1 manifests in manifest lists are not supported and will break in a future release. Suggest author of %s to upgrade to v2 schema2. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/", ref)
+			msg := fmt.Sprintf("[DEPRECATION NOTICE] Docker Image Format v1, and Docker Image manifest version 2, schema 1 support will be removed in an upcoming release. Suggest the author of %s to upgrade the image to the OCI Format, or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/", ref)
 			logrus.Warn(msg)
 			progress.Message(p.config.ProgressOutput, "", msg)
 

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "APT_MIRROR" {
-  default = "cdn-fastly.deb.debian.org"
+  default = ""
 }
 variable "DOCKER_DEBUG" {
   default = ""
@@ -14,7 +14,7 @@ variable "DOCKER_BUILDTAGS" {
   default = ""
 }
 variable "DOCKER_GITCOMMIT" {
-  default = "HEAD"
+  default = null
 }
 
 # Docker version such as 23.0.0-dev. Automatically generated through Git ref.
@@ -47,18 +47,6 @@ variable "PACKAGER_NAME" {
   default = ""
 }
 
-# GITHUB_REF is the actual ref that triggers the workflow and used as version
-# when tag is pushed: https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-variable "GITHUB_REF" {
-  default = ""
-}
-
-# GITHUB_SHA is the commit SHA that triggered the workflow and used as commit.
-# https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-variable "GITHUB_SHA" {
-  default = ""
-}
-
 # Special target: https://github.com/docker/metadata-action#bake-definition
 target "docker-metadata-action" {
   tags = ["moby-bin:local"]
@@ -81,8 +69,8 @@ target "_common" {
     DOCKER_STATIC = DOCKER_STATIC
     DOCKER_LDFLAGS = DOCKER_LDFLAGS
     DOCKER_BUILDTAGS = DOCKER_BUILDTAGS
-    DOCKER_GITCOMMIT = DOCKER_GITCOMMIT != "" ? DOCKER_GITCOMMIT : GITHUB_SHA
-    VERSION = VERSION != "" ? VERSION : GITHUB_REF
+    DOCKER_GITCOMMIT = DOCKER_GITCOMMIT
+    VERSION = VERSION
     PLATFORM = PLATFORM
     PRODUCT = PRODUCT
     DEFAULT_PRODUCT_LICENSE = DEFAULT_PRODUCT_LICENSE