Merge commit from fork

[26.0] AuthZ plugin security fixes
If url includes scheme, urlPath will drop hostname, which would not match the auth check
2026-01-18 01:18:04 +00:00 · 2024-07-23 21:36:28 +02:00 · 2024-07-17 13:09:10 +02:00 · 2024-07-17 13:09:08 +02:00 · 2024-06-08 17:25:26 +02:00 · 2024-05-08 09:43:51 +02:00
2363 changed files with 131625 additions and 59277 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,21 @@
+{
+  "name": "moby",
+  "build": {
+    "context": "..",
+    "dockerfile": "../Dockerfile",
+    "target": "devcontainer"
+  },
+  "workspaceFolder": "/go/src/github.com/docker/docker",
+  "workspaceMount": "source=${localWorkspaceFolder},target=/go/src/github.com/docker/docker,type=bind,consistency=cached",
+
+  "remoteUser": "root",
+  "runArgs": ["--privileged"],
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go"
+      ]
+    }
+  }
+}
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -22,9 +22,12 @@ Please provide the following information:
 **- Description for the changelog**
 <!--
 Write a short (one line) summary that describes the changes in this
-pull request for inclusion in the changelog:
+pull request for inclusion in the changelog.
+It must be placed inside the below triple backticks section:
 -->
+```markdown changelog

+```

 **- A picture of a cute animal (not mandatory but encouraged)**

--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -15,19 +15,19 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Dump context
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          script: |
            console.log(JSON.stringify(context, null, 2));
      -
        name: Get base ref
        id: base-ref
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          result-encoding: string
          script: |
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -18,11 +18,11 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Create matrix
        id: set
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          script: |
            let matrix = ['graphdriver'];
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -12,9 +12,9 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.21.5"
+  GO_VERSION: "1.21.9"
  GOTESTLIST_VERSION: v0.3.1
-  TESTSTAT_VERSION: v0.1.3
+  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
@@ -23,21 +23,21 @@ env:
 jobs:
  unit:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 120
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -57,22 +57,24 @@ jobs:
          tree -nh /tmp/reports
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          directory: ./bundles
          env_vars: RUNNER_OS
          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: ${{ inputs.storage }}-unit-reports
+          name: test-reports-unit-${{ inputs.storage }}
          path: /tmp/reports/*
+          retention-days: 1

  unit-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
    if: always()
    needs:
@@ -80,14 +82,14 @@ jobs:
    steps:
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
        name: Download reports
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
-          name: ${{ inputs.storage }}-unit-reports
+          name: test-reports-unit-${{ inputs.storage }}
          path: /tmp/reports
      -
        name: Install teststat
@@ -96,16 +98,16 @@ jobs:
      -
        name: Create summary
        run: |
-          teststat -markdown $(find /tmp/reports -type f -name '*.json' -print0 | xargs -0) >> $GITHUB_STEP_SUMMARY
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  docker-py:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 120
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
@@ -114,10 +116,10 @@ jobs:
        uses: ./.github/actions/setup-tracing
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -145,28 +147,29 @@ jobs:
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: ${{ inputs.storage }}-docker-py-reports
+          name: test-reports-docker-py-${{ inputs.storage }}
          path: /tmp/reports/*
+          retention-days: 1

  integration-flaky:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 120
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -180,7 +183,7 @@ jobs:

  integration:
    runs-on: ${{ matrix.os }}
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 120
    strategy:
      fail-fast: false
@@ -196,7 +199,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
@@ -217,10 +220,10 @@ jobs:
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -236,10 +239,13 @@ jobs:
        name: Prepare reports
        if: always()
        run: |
-          reportsPath="/tmp/reports/${{ matrix.os }}"
+          reportsName=${{ matrix.os }}
          if [ -n "${{ matrix.mode }}" ]; then
-            reportsPath="$reportsPath-${{ matrix.mode }}"
+            reportsName="$reportsName-${{ matrix.mode }}"
          fi
+          reportsPath="/tmp/reports/$reportsName"
+          echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
+          
          mkdir -p bundles $reportsPath
          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
          tar -xzf /tmp/reports.tar.gz -C $reportsPath
@@ -249,11 +255,12 @@ jobs:
          curl -sSLf localhost:16686/api/traces?service=integration-test-client > $reportsPath/jaeger-trace.json
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          directory: ./bundles/test-integration
          env_vars: RUNNER_OS
          flags: integration,${{ matrix.mode }}
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
      -
        name: Test daemon logs
        if: always()
@@ -262,14 +269,15 @@ jobs:
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: ${{ inputs.storage }}-integration-reports
+          name: test-reports-integration-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
          path: /tmp/reports/*
+          retention-days: 1

  integration-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
    if: always()
    needs:
@@ -277,15 +285,16 @@ jobs:
    steps:
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
        name: Download reports
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
-          name: ${{ inputs.storage }}-integration-reports
          path: /tmp/reports
+          pattern: test-reports-integration-${{ inputs.storage }}-*
+          merge-multiple: true
      -
        name: Install teststat
        run: |
@@ -293,20 +302,20 @@ jobs:
      -
        name: Create summary
        run: |
-          teststat -markdown $(find /tmp/reports -type f -name '*.json' -print0 | xargs -0) >> $GITHUB_STEP_SUMMARY
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-cli-prepare:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
@@ -332,7 +341,7 @@ jobs:

  integration-cli:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 120
    needs:
      - integration-cli-prepare
@@ -343,7 +352,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
@@ -352,10 +361,10 @@ jobs:
        uses: ./.github/actions/setup-tracing
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -372,7 +381,10 @@ jobs:
        name: Prepare reports
        if: always()
        run: |
-          reportsPath=/tmp/reports/$(echo -n "${{ matrix.test }}" | sha256sum | cut -d " " -f 1)
+          reportsName=$(echo -n "${{ matrix.test }}" | sha256sum | cut -d " " -f 1)
+          reportsPath=/tmp/reports/$reportsName
+          echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
+          
          mkdir -p bundles $reportsPath
          echo "${{ matrix.test }}" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt"
          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
@@ -383,11 +395,12 @@ jobs:
          curl -sSLf localhost:16686/api/traces?service=integration-test-client > $reportsPath/jaeger-trace.json
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          directory: ./bundles/test-integration
          env_vars: RUNNER_OS
          flags: integration-cli
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
      -
        name: Test daemon logs
        if: always()
@@ -396,14 +409,15 @@ jobs:
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: ${{ inputs.storage }}-integration-cli-reports
+          name: test-reports-integration-cli-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
          path: /tmp/reports/*
+          retention-days: 1

  integration-cli-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
    if: always()
    needs:
@@ -411,15 +425,16 @@ jobs:
    steps:
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
        name: Download reports
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
-          name: ${{ inputs.storage }}-integration-cli-reports
          path: /tmp/reports
+          pattern: test-reports-integration-cli-${{ inputs.storage }}-*
+          merge-multiple: true
      -
        name: Install teststat
        run: |
@@ -427,4 +442,4 @@ jobs:
      -
        name: Create summary
        run: |
-          teststat -markdown $(find /tmp/reports -type f -name '*.json' -print0 | xargs -0) >> $GITHUB_STEP_SUMMARY
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -19,9 +19,9 @@ on:
        default: false

 env:
-  GO_VERSION: "1.21.5"
+  GO_VERSION: "1.21.10"
  GOTESTLIST_VERSION: v0.3.1
-  TESTSTAT_VERSION: v0.1.3
+  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
  WINDOWS_BASE_TAG_2019: ltsc2019
  WINDOWS_BASE_TAG_2022: ltsc2022
@@ -43,7 +43,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
      -
@@ -62,7 +62,7 @@ jobs:
          }
      -
        name: Cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |
            ~\AppData\Local\go-build
@@ -103,7 +103,7 @@ jobs:
          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd-shim-runhcs-v1.exe" ${{ env.BIN_OUT }}\
      -
        name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: build-${{ inputs.storage }}-${{ inputs.os }}
          path: ${{ env.BIN_OUT }}/*
@@ -122,7 +122,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
      -
@@ -142,7 +142,7 @@ jobs:
          }
      -
        name: Cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |
            ~\AppData\Local\go-build
@@ -176,19 +176,21 @@ jobs:
      -
        name: Send to Codecov
        if: inputs.send_coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          working-directory: ${{ env.GOPATH }}\src\github.com\docker\docker
          directory: bundles
          env_vars: RUNNER_OS
          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.os }}-${{ inputs.storage }}-unit-reports
          path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\*
+          retention-days: 1

  unit-test-report:
    runs-on: ubuntu-latest
@@ -198,12 +200,12 @@ jobs:
    steps:
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
        name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.os }}-${{ inputs.storage }}-unit-reports
          path: /tmp/artifacts
@@ -214,7 +216,7 @@ jobs:
      -
        name: Create summary
        run: |
-          teststat -markdown $(find /tmp/artifacts -type f -name '*.json' -print0 | xargs -0) >> $GITHUB_STEP_SUMMARY
+          find /tmp/artifacts -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-test-prepare:
    runs-on: ubuntu-latest
@@ -223,10 +225,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
@@ -278,10 +280,11 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
      -
+        name: Set up Jaeger
        run: |
          # Jaeger is set up on Linux through the setup-tracing action. If you update Jaeger here, don't forget to
          # update the version set in .github/actions/setup-tracing/action.yml.
@@ -296,7 +299,7 @@ jobs:
          Get-ChildItem Env: | Out-String
      -
        name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: build-${{ inputs.storage }}-${{ inputs.os }}
          path: ${{ env.BIN_OUT }}
@@ -310,6 +313,9 @@ jobs:
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
          Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          
+          $testName = ([System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("${{ matrix.test }}"))) -replace '-').ToLower()
+          echo "TESTREPORTS_NAME=$testName" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
      -
        # removes docker service that is currently installed on the runner. we
        # could use Uninstall-Package but not yet available on Windows runners.
@@ -420,7 +426,7 @@ jobs:
          DOCKER_HOST: npipe:////./pipe/docker_engine
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
@@ -445,12 +451,13 @@ jobs:
      -
        name: Send to Codecov
        if: inputs.send_coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          working-directory: ${{ env.GOPATH }}\src\github.com\docker\docker
          directory: bundles
          env_vars: RUNNER_OS
          flags: integration,${{ matrix.runtime }}
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
      -
        name: Docker info
        run: |
@@ -498,10 +505,11 @@ jobs:
      -
        name: Upload reports
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}
+          name: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}-${{ env.TESTREPORTS_NAME }}
          path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\*
+          retention-days: 1

  integration-test-report:
    runs-on: ubuntu-latest
@@ -523,15 +531,16 @@ jobs:
    steps:
      -
        name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      -
-        name: Download artifacts
-        uses: actions/download-artifact@v3
+        name: Download reports
+        uses: actions/download-artifact@v4
        with:
-          name: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}
-          path: /tmp/artifacts
+          path: /tmp/reports
+          pattern: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}-*
+          merge-multiple: true
      -
        name: Install teststat
        run: |
@@ -539,4 +548,4 @@ jobs:
      -
        name: Create summary
        run: |
-          teststat -markdown $(find /tmp/artifacts -type f -name '*.json' -print0 | xargs -0) >> $GITHUB_STEP_SUMMARY
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -34,11 +34,11 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.MOBYBIN_REPO_SLUG }}
@@ -61,11 +61,13 @@ jobs:
            type=sha
      -
        name: Rename meta bake definition file
+        # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
        run: |
-          mv "${{ steps.meta.outputs.bake-file }}" "/tmp/bake-meta.json"
+          bakeFile="${{ steps.meta.outputs.bake-file }}"
+          mv "${bakeFile#cwd://}" "/tmp/bake-meta.json"
      -
        name: Upload meta bake definition
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: bake-meta
          path: /tmp/bake-meta.json
@@ -82,39 +84,45 @@ jobs:
    needs:
      - validate-dco
      - prepare
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    strategy:
      fail-fast: false
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
    steps:
+      -
+        name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Download meta bake definition
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: bake-meta
          path: /tmp
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_MOBYBIN_USERNAME }}
          password: ${{ secrets.DOCKERHUB_MOBYBIN_TOKEN }}
      -
        name: Build
        id: bake
-        uses: docker/bake-action@v3
+        uses: docker/bake-action@v4
        with:
          files: |
            ./docker-bake.hcl
@@ -134,37 +142,38 @@ jobs:
      -
        name: Upload digest
        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
-          name: digests
+          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  merge:
    runs-on: ubuntu-20.04
-    if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
    needs:
      - build
+    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
    steps:
      -
        name: Download meta bake definition
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: bake-meta
          path: /tmp
      -
        name: Download digests
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
-          name: digests
          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_MOBYBIN_USERNAME }}
          password: ${{ secrets.DOCKERHUB_MOBYBIN_TOKEN }}
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -13,7 +13,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.21.5"
+  GO_VERSION: "1.21.10"
  DESTDIR: ./build

 jobs:
@@ -27,18 +27,18 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: binary
      -
        name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: binary
          path: ${{ env.DESTDIR }}
@@ -50,6 +50,9 @@ jobs:
    timeout-minutes: 120
    needs:
      - build
+    env:
+      TEST_IMAGE_BUILD: "0"
+      TEST_IMAGE_ID: "buildkit-tests"
    strategy:
      fail-fast: false
      matrix:
@@ -78,10 +81,10 @@ jobs:
      # https://github.com/moby/buildkit/blob/567a99433ca23402d5e9b9f9124005d2e59b8861/client/client_test.go#L5407-L5411
      -
        name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v2
+        uses: crazy-max/ghaction-github-runtime@v3
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: moby
      -
@@ -91,20 +94,20 @@ jobs:
        working-directory: moby
      -
        name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          repository: ${{ env.BUILDKIT_REPO }}
          ref: ${{ env.BUILDKIT_REF }}
          path: buildkit
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Download binary artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: binary
          path: ./buildkit/build/moby/
@@ -115,6 +118,14 @@ jobs:
          sudo service docker restart
          docker version
          docker info
+      -
+        name: Build test image
+        uses: docker/bake-action@v4
+        with:
+          workdir: ./buildkit
+          targets: integration-tests
+          set: |
+            *.output=type=docker,name=${{ env.TEST_IMAGE_ID }}
      -
        name: Test
        run: |
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,8 +10,6 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-    tags:
-      - 'v*'
  pull_request:

 env:
@@ -34,15 +32,15 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: ${{ matrix.target }}
      -
@@ -53,14 +51,6 @@ jobs:
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-      -
-        name: Upload artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ matrix.target }}
-          path: ${{ env.DESTDIR }}
-          if-no-files-found: error
-          retention-days: 7

  prepare-cross:
    runs-on: ubuntu-latest
@@ -71,7 +61,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Create matrix
        id: platforms
@@ -95,7 +85,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
@@ -105,10 +95,10 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: all
          set: |
@@ -121,11 +111,3 @@ jobs:
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-      -
-        name: Upload artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: cross-${{ env.PLATFORM_PAIR }}
-          path: ${{ env.DESTDIR }}
-          if-no-files-found: error
-          retention-days: 7
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,12 +10,12 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-    tags:
-      - 'v*'
  pull_request:

 env:
-  GO_VERSION: "1.21.5"
+  GO_VERSION: "1.21.10"
+  GIT_PAGER: "cat"
+  PAGER: "cat"

 jobs:
  validate-dco:
@@ -40,13 +40,13 @@ jobs:
          fi
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -54,20 +54,18 @@ jobs:
            *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
            *.output=type=cacheonly

-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
  test:
    needs:
-      - test-prepare
      - build-dev
+      - validate-dco
    uses: ./.github/workflows/.test.yml
+    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+        storage:
+          - graphdriver
+          - snapshotter
    with:
      storage: ${{ matrix.storage }}

@@ -80,7 +78,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Create matrix
        id: scripts
@@ -105,7 +103,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
@@ -113,10 +111,10 @@ jobs:
        uses: ./.github/actions/setup-runner
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build dev image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -135,7 +133,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Create matrix
        id: platforms
@@ -158,7 +156,7 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Prepare
        run: |
@@ -166,13 +164,13 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Test
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: binary-smoketest
          set: |
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -0,0 +1,62 @@
+name: validate-pr
+
+on:
+  pull_request:
+    types: [opened, edited, labeled, unlabeled]
+
+jobs:
+  check-area-label:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Missing `area/` label
+        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
+          exit 1
+      - name: OK
+        run: exit 0
+
+  check-changelog:
+    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
+    runs-on: ubuntu-20.04
+    env:
+      PR_BODY: |
+        ${{ github.event.pull_request.body }}
+    steps:
+      - name: Check changelog description
+        run: |
+          # Extract the `markdown changelog` note code block
+          block=$(echo -n "$PR_BODY" | tr -d '\r' | awk '/^```markdown changelog$/{flag=1;next}/^```$/{flag=0}flag')
+
+          # Strip empty lines
+          desc=$(echo "$block" |  awk NF)
+
+          if [ -z "$desc" ]; then
+            echo "::error::Changelog section is empty. Please provide a description for the changelog."
+            exit 1
+          fi
+
+          len=$(echo -n "$desc" | wc -c)
+          if [[ $len -le 6 ]]; then
+            echo "::error::Description looks too short: $desc"
+            exit 1
+          fi
+
+          echo "This PR will be included in the release notes with the following note:"
+          echo "$desc"
+
+  check-pr-branch:
+    runs-on: ubuntu-20.04
+    env:
+      PR_TITLE: ${{ github.event.pull_request.title }}
+    steps:
+      # Backports or PR that target a release branch directly should mention the target branch in the title, for example:
+      # [X.Y backport] Some change that needs backporting to X.Y
+      # [X.Y] Change directly targeting the X.Y branch
+      - name: Get branch from PR title
+        id: title_branch
+        run: echo "$PR_TITLE" | sed -n 's/^\[\([0-9]*\.[0-9]*\)[^]]*\].*/branch=\1/p' >> $GITHUB_OUTPUT
+
+      - name: Check release branch
+        if: github.event.pull_request.base.ref != steps.title_branch.outputs.branch && !(github.event.pull_request.base.ref == 'master' && steps.title_branch.outputs.branch == '')
+        run: echo "::error::PR title suggests targetting the ${{ steps.title_branch.outputs.branch }} branch, but is opened against ${{ github.event.pull_request.base.ref }}" && exit 1
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -22,6 +22,7 @@ jobs:
    needs:
      - test-prepare
    uses: ./.github/workflows/.windows.yml
+    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -25,6 +25,7 @@ jobs:
    needs:
      - test-prepare
    uses: ./.github/workflows/.windows.yml
+    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,7 @@
 linters:
  enable:
    - depguard
+    - dupword         # Checks for duplicate words in the source code.
    - goimports
    - gosec
    - gosimple
@@ -25,6 +26,11 @@ linters:
      - docs

 linters-settings:
+  dupword:
+    ignore:
+      - "true"    # some tests use this as expected output
+      - "false"   # some tests use this as expected output
+      - "root"    # for tests using "ls" output with files owned by "root:root"
  importas:
    # Do not allow unaliased imports of aliased packages.
    no-unaliased: true
@@ -113,14 +119,6 @@ issues:
      path: "api/types/(volume|container)/"
      linters:
        - revive
-    # FIXME temporarily suppress these. See #39926
-    - text: "SA1019: httputil.NewClientConn"
-      linters:
-        - staticcheck
-    # FIXME temporarily suppress these (related to the ones above)
-    - text: "SA1019: httputil.ErrPersistEOF"
-      linters:
-        - staticcheck
    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
      linters:
--- a/4
+++ b/4
@@ -238,6 +238,7 @@ Ben Golub <ben.golub@dotcloud.com>
 Ben Gould <ben@bengould.co.uk>
 Ben Hall <ben@benhall.me.uk>
 Ben Langfeld <ben@langfeld.me>
+Ben Lovy <ben@deciduously.com>
 Ben Sargent <ben@brokendigits.com>
 Ben Severson <BenSeverson@users.noreply.github.com>
 Ben Toews <mastahyeti@gmail.com>
@@ -1399,6 +1400,7 @@ Martijn van Oosterhout <kleptog@svana.org>
 Martin Braun <braun@neuroforge.de>
 Martin Dojcak <martin.dojcak@lablabs.io>
 Martin Honermeyer <maze@strahlungsfrei.de>
+Martin Jirku <martin@jirku.sk>
 Martin Kelly <martin@surround.io>
 Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
 Martin Muzatko <martin@happy-css.com>
@@ -1477,6 +1479,7 @@ Michael Holzheu <holzheu@linux.vnet.ibm.com>
 Michael Hudson-Doyle <michael.hudson@canonical.com>
 Michael Huettermann <michael@huettermann.net>
 Michael Irwin <mikesir87@gmail.com>
+Michael Kebe <michael.kebe@hkm.de>
 Michael Kuehn <micha@kuehn.io>
 Michael Käufl <docker@c.michael-kaeufl.de>
 Michael Neale <michael.neale@gmail.com>
@@ -1813,6 +1816,7 @@ Ritesh H Shukla <sritesh@vmware.com>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 Rob Cowsill <42620235+rcowsill@users.noreply.github.com>
 Rob Gulewich <rgulewich@netflix.com>
+Rob Murray <rob.murray@docker.com>
 Rob Vesse <rvesse@dotnetrdf.org>
 Robert Bachmann <rb@robertbachmann.at>
 Robert Bittle <guywithnose@gmail.com>
--- a/35
+++ b/35
@@ -1,19 +1,19 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.21.5
+ARG GO_VERSION=1.21.10
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.2.1
+ARG XX_VERSION=1.4.0

 ARG VPNKIT_VERSION=0.5.0

 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_VERSION=v24.0.2
+ARG DOCKERCLI_VERSION=v26.0.0
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
-ARG BUILDX_VERSION=0.12.0
-ARG COMPOSE_VERSION=v2.20.1
+ARG BUILDX_VERSION=0.13.1
+ARG COMPOSE_VERSION=v2.25.0

 ARG SYSTEMD="false"
 ARG DOCKER_STATIC=1
@@ -198,7 +198,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.11
+ARG CONTAINERD_VERSION=v1.7.15
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -231,7 +231,7 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd

 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.54.2
+ARG GOLANGCI_LINT_VERSION=v1.55.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
@@ -245,12 +245,18 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     && /build/gotestsum --version

 FROM base AS shfmt
-ARG SHFMT_VERSION=v3.6.0
+ARG SHFMT_VERSION=v3.8.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
     && /build/shfmt --version

+FROM base AS gopls
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+        GOBIN=/build/ GO111MODULE=on go install "golang.org/x/tools/gopls@latest" \
+     && /build/gopls version
+
 FROM base AS dockercli
 WORKDIR /go/src/github.com/docker/cli
 ARG DOCKERCLI_REPOSITORY
@@ -283,7 +289,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.1.10
+ARG RUNC_VERSION=v1.1.12
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -351,8 +357,8 @@ FROM tini-${TARGETOS} AS tini
 FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
-# When updating, also update rootlesskit commit in vendor.mod accordingly.
-ARG ROOTLESSKIT_VERSION=v1.1.0
+# When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
+ARG ROOTLESSKIT_VERSION=v2.0.2
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
@@ -384,7 +390,7 @@ FROM binary-dummy AS rootlesskit-windows
 FROM rootlesskit-${TARGETOS} AS rootlesskit

 FROM base AS crun
-ARG CRUN_VERSION=1.8.7
+ARG CRUN_VERSION=1.12
 RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
@@ -655,6 +661,11 @@ RUN <<EOT
  docker-proxy --version
 EOT

+# devcontainer is a stage used by .devcontainer/devcontainer.json
+FROM dev-base AS devcontainer
+COPY --link . .
+COPY --link --from=gopls         /build/ /usr/local/bin/
+
 # usage:
 # > make shell
 # > SYSTEMD=true make shell
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.21.5
+ARG GO_VERSION=1.21.10

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,10 +161,10 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.21.5
+ARG GO_VERSION=1.21.10
 ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
-ARG CONTAINERD_VERSION=v1.7.11
+ARG CONTAINERD_VERSION=v1.7.15

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
--- a/6
+++ b/6
@@ -75,6 +75,7 @@
 			"olljanat",
 			"programmerq",
 			"ripcurld",
+			"robmry",
 			"sam-thibault",
 			"samwhited",
 			"thajeztah"
@@ -478,6 +479,11 @@
 	Email = "jeff@docker.com"
 	GitHub = "programmerq"

+	[people.robmry]
+	Name = "Rob Murray"
+	Email = "rob.murray@docker.com"
+	GitHub = "robmry"
+
 	[people.ripcurld]
 	Name = "Boaz Shuster"
 	Email = "ripcurld.github@gmail.com"
--- a/9
+++ b/9
@@ -16,6 +16,9 @@ export VALIDATE_REPO
 export VALIDATE_BRANCH
 export VALIDATE_ORIGIN_BRANCH

+export PAGER
+export GIT_PAGER
+
 # env vars passed through directly to Docker's build scripts
 # to allow things like `make KEEPBUNDLE=1 binary` easily
 # `project/PACKAGERS.md` have some limited documentation of some of these
@@ -77,6 +80,8 @@ DOCKER_ENVS := \
 	-e DEFAULT_PRODUCT_LICENSE \
 	-e PRODUCT \
 	-e PACKAGER_NAME \
+	-e PAGER \
+	-e GIT_PAGER \
 	-e OTEL_EXPORTER_OTLP_ENDPOINT \
 	-e OTEL_EXPORTER_OTLP_PROTOCOL \
 	-e OTEL_SERVICE_NAME
@@ -250,6 +255,10 @@ swagger-docs: ## preview the API documentation
 .PHONY: generate-files
 generate-files:
 	$(eval $@_TMP_OUT := $(shell mktemp -d -t moby-output.XXXXXXXXXX))
+	@if [ -z "$($@_TMP_OUT)" ]; then \
+		echo "Temp dir is not set"; \
+		exit 1; \
+	fi
 	$(BUILD_CMD) --target "update" \
 		--output "type=local,dest=$($@_TMP_OUT)" \
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
--- a/api/common.go
+++ b/api/common.go
@@ -2,8 +2,17 @@ package api // import "github.com/docker/docker/api"

 // Common constants for daemon and client.
 const (
-	// DefaultVersion of Current REST API
-	DefaultVersion = "1.44"
+	// DefaultVersion of the current REST API.
+	DefaultVersion = "1.45"
+
+	// MinSupportedAPIVersion is the minimum API version that can be supported
+	// by the API server, specified as "major.minor". Note that the daemon
+	// may be configured with a different minimum API version, as returned
+	// in [github.com/docker/docker/api/types.Version.MinAPIVersion].
+	//
+	// API requests for API versions lower than the configured version produce
+	// an error.
+	MinSupportedAPIVersion = "1.24"

 	// NoBaseImageSpecifier is the symbol used by the FROM
 	// command to specify that no base image is to be used.
--- a/api/server/errorhandler.go
+++ b/api/server/errorhandler.go
@@ -1,34 +0,0 @@
-package server
-
-import (
-	"net/http"
-
-	"github.com/docker/docker/api/server/httpstatus"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/gorilla/mux"
-	"google.golang.org/grpc/status"
-)
-
-// makeErrorHandler makes an HTTP handler that decodes a Docker error and
-// returns it in the response.
-func makeErrorHandler(err error) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		statusCode := httpstatus.FromError(err)
-		vars := mux.Vars(r)
-		if apiVersionSupportsJSONErrors(vars["version"]) {
-			response := &types.ErrorResponse{
-				Message: err.Error(),
-			}
-			_ = httputils.WriteJSON(w, statusCode, response)
-		} else {
-			http.Error(w, status.Convert(err).Message(), statusCode)
-		}
-	}
-}
-
-func apiVersionSupportsJSONErrors(version string) bool {
-	const firstAPIVersionWithJSONErrors = "1.23"
-	return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
-}
--- a/api/server/httputils/decoder.go
+++ b/api/server/httputils/decoder.go
@@ -12,5 +12,4 @@ import (
 // container configuration.
 type ContainerDecoder interface {
 	DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *network.NetworkingConfig, error)
-	DecodeHostConfig(src io.Reader) (*container.HostConfig, error)
 }
--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"runtime"

+	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/versions"
 )
@@ -13,19 +14,40 @@ import (
 // VersionMiddleware is a middleware that
 // validates the client and server versions.
 type VersionMiddleware struct {
-	serverVersion  string
-	defaultVersion string
-	minVersion     string
+	serverVersion string
+
+	// defaultAPIVersion is the default API version provided by the API server,
+	// specified as "major.minor". It is usually configured to the latest API
+	// version [github.com/docker/docker/api.DefaultVersion].
+	//
+	// API requests for API versions greater than this version are rejected by
+	// the server and produce a [versionUnsupportedError].
+	defaultAPIVersion string
+
+	// minAPIVersion is the minimum API version provided by the API server,
+	// specified as "major.minor".
+	//
+	// API requests for API versions lower than this version are rejected by
+	// the server and produce a [versionUnsupportedError].
+	minAPIVersion string
 }

-// NewVersionMiddleware creates a new VersionMiddleware
-// with the default versions.
-func NewVersionMiddleware(s, d, m string) VersionMiddleware {
-	return VersionMiddleware{
-		serverVersion:  s,
-		defaultVersion: d,
-		minVersion:     m,
+// NewVersionMiddleware creates a VersionMiddleware with the given versions.
+func NewVersionMiddleware(serverVersion, defaultAPIVersion, minAPIVersion string) (*VersionMiddleware, error) {
+	if versions.LessThan(defaultAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(defaultAPIVersion, api.DefaultVersion) {
+		return nil, fmt.Errorf("invalid default API version (%s): must be between %s and %s", defaultAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
 	}
+	if versions.LessThan(minAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(minAPIVersion, api.DefaultVersion) {
+		return nil, fmt.Errorf("invalid minimum API version (%s): must be between %s and %s", minAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
+	}
+	if versions.GreaterThan(minAPIVersion, defaultAPIVersion) {
+		return nil, fmt.Errorf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", minAPIVersion, defaultAPIVersion)
+	}
+	return &VersionMiddleware{
+		serverVersion:     serverVersion,
+		defaultAPIVersion: defaultAPIVersion,
+		minAPIVersion:     minAPIVersion,
+	}, nil
 }

 type versionUnsupportedError struct {
@@ -45,18 +67,18 @@ func (e versionUnsupportedError) InvalidParameter() {}
 func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("API-Version", v.defaultVersion)
+		w.Header().Set("API-Version", v.defaultAPIVersion)
 		w.Header().Set("OSType", runtime.GOOS)

 		apiVersion := vars["version"]
 		if apiVersion == "" {
-			apiVersion = v.defaultVersion
+			apiVersion = v.defaultAPIVersion
 		}
-		if versions.LessThan(apiVersion, v.minVersion) {
-			return versionUnsupportedError{version: apiVersion, minVersion: v.minVersion}
+		if versions.LessThan(apiVersion, v.minAPIVersion) {
+			return versionUnsupportedError{version: apiVersion, minVersion: v.minAPIVersion}
 		}
-		if versions.GreaterThan(apiVersion, v.defaultVersion) {
-			return versionUnsupportedError{version: apiVersion, maxVersion: v.defaultVersion}
+		if versions.GreaterThan(apiVersion, v.defaultAPIVersion) {
+			return versionUnsupportedError{version: apiVersion, maxVersion: v.defaultAPIVersion}
 		}
 		ctx = context.WithValue(ctx, httputils.APIVersionKey{}, apiVersion)
 		return handler(ctx, w, r, vars)
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -2,27 +2,82 @@ package middleware // import "github.com/docker/docker/api/server/middleware"

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"runtime"
 	"testing"

+	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )

+func TestNewVersionMiddlewareValidation(t *testing.T) {
+	tests := []struct {
+		doc, defaultVersion, minVersion, expectedErr string
+	}{
+		{
+			doc:            "defaults",
+			defaultVersion: api.DefaultVersion,
+			minVersion:     api.MinSupportedAPIVersion,
+		},
+		{
+			doc:            "invalid default lower than min",
+			defaultVersion: api.MinSupportedAPIVersion,
+			minVersion:     api.DefaultVersion,
+			expectedErr:    fmt.Sprintf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", api.DefaultVersion, api.MinSupportedAPIVersion),
+		},
+		{
+			doc:            "invalid default too low",
+			defaultVersion: "0.1",
+			minVersion:     api.MinSupportedAPIVersion,
+			expectedErr:    fmt.Sprintf("invalid default API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
+		},
+		{
+			doc:            "invalid default too high",
+			defaultVersion: "9999.9999",
+			minVersion:     api.DefaultVersion,
+			expectedErr:    fmt.Sprintf("invalid default API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
+		},
+		{
+			doc:            "invalid minimum too low",
+			defaultVersion: api.MinSupportedAPIVersion,
+			minVersion:     "0.1",
+			expectedErr:    fmt.Sprintf("invalid minimum API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
+		},
+		{
+			doc:            "invalid minimum too high",
+			defaultVersion: api.DefaultVersion,
+			minVersion:     "9999.9999",
+			expectedErr:    fmt.Sprintf("invalid minimum API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			_, err := NewVersionMiddleware("1.2.3", tc.defaultVersion, tc.minVersion)
+			if tc.expectedErr == "" {
+				assert.Check(t, err)
+			} else {
+				assert.Check(t, is.Error(err, tc.expectedErr))
+			}
+		})
+	}
+}
+
 func TestVersionMiddlewareVersion(t *testing.T) {
-	defaultVersion := "1.10.0"
-	minVersion := "1.2.0"
-	expectedVersion := defaultVersion
+	expectedVersion := "<not set>"
 	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		v := httputils.VersionFromContext(ctx)
 		assert.Check(t, is.Equal(expectedVersion, v))
 		return nil
 	}

-	m := NewVersionMiddleware(defaultVersion, defaultVersion, minVersion)
+	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
+	assert.NilError(t, err)
 	h := m.WrapHandler(handler)

 	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
@@ -35,19 +90,19 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 		errString       string
 	}{
 		{
-			expectedVersion: "1.10.0",
+			expectedVersion: api.DefaultVersion,
 		},
 		{
-			reqVersion:      "1.9.0",
-			expectedVersion: "1.9.0",
+			reqVersion:      api.MinSupportedAPIVersion,
+			expectedVersion: api.MinSupportedAPIVersion,
 		},
 		{
 			reqVersion: "0.1",
-			errString:  "client version 0.1 is too old. Minimum supported API version is 1.2.0, please upgrade your client to a newer version",
+			errString:  fmt.Sprintf("client version 0.1 is too old. Minimum supported API version is %s, please upgrade your client to a newer version", api.MinSupportedAPIVersion),
 		},
 		{
 			reqVersion: "9999.9999",
-			errString:  "client version 9999.9999 is too new. Maximum supported API version is 1.10.0",
+			errString:  fmt.Sprintf("client version 9999.9999 is too new. Maximum supported API version is %s", api.DefaultVersion),
 		},
 	}

@@ -71,9 +126,8 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 		return nil
 	}

-	defaultVersion := "1.10.0"
-	minVersion := "1.2.0"
-	m := NewVersionMiddleware(defaultVersion, defaultVersion, minVersion)
+	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
+	assert.NilError(t, err)
 	h := m.WrapHandler(handler)

 	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
@@ -81,12 +135,12 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	ctx := context.Background()

 	vars := map[string]string{"version": "0.1"}
-	err := h(ctx, resp, req, vars)
+	err = h(ctx, resp, req, vars)
 	assert.Check(t, is.ErrorContains(err, ""))

 	hdr := resp.Result().Header
-	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/"+defaultVersion))
+	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
 	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("API-Version"), defaultVersion))
+	assert.Check(t, is.Equal(hdr.Get("API-Version"), api.DefaultVersion))
 	assert.Check(t, is.Equal(hdr.Get("OSType"), runtime.GOOS))
 }
--- a/api/server/router/build/build_routes.go
+++ b/api/server/router/build/build_routes.go
@@ -42,6 +42,7 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 		SuppressOutput: httputils.BoolValue(r, "q"),
 		NoCache:        httputils.BoolValue(r, "nocache"),
 		ForceRemove:    httputils.BoolValue(r, "forcerm"),
+		PullParent:     httputils.BoolValue(r, "pull"),
 		MemorySwap:     httputils.Int64ValueOrZero(r, "memswap"),
 		Memory:         httputils.Int64ValueOrZero(r, "memory"),
 		CPUShares:      httputils.Int64ValueOrZero(r, "cpushares"),
@@ -66,17 +67,14 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 		return nil, invalidParam{errors.New("security options are not supported on " + runtime.GOOS)}
 	}

-	version := httputils.VersionFromContext(ctx)
-	if httputils.BoolValue(r, "forcerm") && versions.GreaterThanOrEqualTo(version, "1.12") {
+	if httputils.BoolValue(r, "forcerm") {
 		options.Remove = true
-	} else if r.FormValue("rm") == "" && versions.GreaterThanOrEqualTo(version, "1.12") {
+	} else if r.FormValue("rm") == "" {
 		options.Remove = true
 	} else {
 		options.Remove = httputils.BoolValue(r, "rm")
 	}
-	if httputils.BoolValue(r, "pull") && versions.GreaterThanOrEqualTo(version, "1.16") {
-		options.PullParent = true
-	}
+	version := httputils.VersionFromContext(ctx)
 	if versions.GreaterThanOrEqualTo(version, "1.32") {
 		options.Platform = r.FormValue("platform")
 	}
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -24,7 +24,6 @@ type execBackend interface {
 // copyBackend includes functions to implement to provide container copy functionality.
 type copyBackend interface {
 	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *types.ContainerPathStat, err error)
-	ContainerCopy(name string, res string) (io.ReadCloser, error)
 	ContainerExport(ctx context.Context, name string, out io.Writer) error
 	ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error
 	ContainerStatPath(name string, path string) (stat *types.ContainerPathStat, err error)
@@ -39,7 +38,7 @@ type stateBackend interface {
 	ContainerResize(name string, height, width int) error
 	ContainerRestart(ctx context.Context, name string, options container.StopOptions) error
 	ContainerRm(name string, config *backend.ContainerRmConfig) error
-	ContainerStart(ctx context.Context, name string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+	ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error
 	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
 	ContainerUnpause(name string) error
 	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error)
--- a/api/server/router/container/container.go
+++ b/api/server/router/container/container.go
@@ -56,7 +56,6 @@ func (r *containerRouter) initRoutes() {
 		router.NewPostRoute("/containers/{name:.*}/wait", r.postContainersWait),
 		router.NewPostRoute("/containers/{name:.*}/resize", r.postContainersResize),
 		router.NewPostRoute("/containers/{name:.*}/attach", r.postContainersAttach),
-		router.NewPostRoute("/containers/{name:.*}/copy", r.postContainersCopy), // Deprecated since 1.8 (API v1.20), errors out since 1.12 (API v1.24)
 		router.NewPostRoute("/containers/{name:.*}/exec", r.postContainerExecCreate),
 		router.NewPostRoute("/exec/{name:.*}/start", r.postContainerExecStart),
 		router.NewPostRoute("/exec/{name:.*}/resize", r.postContainerExecResize),
--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -39,13 +39,6 @@ func (s *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	// TODO: remove pause arg, and always pause in backend
-	pause := httputils.BoolValue(r, "pause")
-	version := httputils.VersionFromContext(ctx)
-	if r.FormValue("pause") == "" && versions.GreaterThanOrEqualTo(version, "1.13") {
-		pause = true
-	}
-
 	config, _, _, err := s.decoder.DecodeConfig(r.Body)
 	if err != nil && !errors.Is(err, io.EOF) { // Do not fail if body is empty.
 		return err
@@ -57,7 +50,7 @@ func (s *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 	}

 	imgID, err := s.backend.CreateImageFromContainer(ctx, r.Form.Get("container"), &backend.CreateImageConfig{
-		Pause:   pause,
+		Pause:   httputils.BoolValueOrDefault(r, "pause", true), // TODO(dnephin): remove pause arg, and always pause in backend
 		Tag:     ref,
 		Author:  r.Form.Get("author"),
 		Comment: r.Form.Get("comment"),
@@ -118,14 +111,11 @@ func (s *containerRouter) getContainersStats(ctx context.Context, w http.Respons
 		oneShot = httputils.BoolValueOrDefault(r, "one-shot", false)
 	}

-	config := &backend.ContainerStatsConfig{
+	return s.backend.ContainerStats(ctx, vars["name"], &backend.ContainerStatsConfig{
 		Stream:    stream,
 		OneShot:   oneShot,
 		OutStream: w,
-		Version:   httputils.VersionFromContext(ctx),
-	}
-
-	return s.backend.ContainerStats(ctx, vars["name"], config)
+	})
 }

 func (s *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
@@ -178,14 +168,6 @@ func (s *containerRouter) getContainersExport(ctx context.Context, w http.Respon
 	return s.backend.ContainerExport(ctx, vars["name"], w)
 }

-type bodyOnStartError struct{}
-
-func (bodyOnStartError) Error() string {
-	return "starting container with non-empty request body was deprecated since API v1.22 and removed in v1.24"
-}
-
-func (bodyOnStartError) InvalidParameter() {}
-
 func (s *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	// If contentLength is -1, we can assumed chunked encoding
 	// or more technically that the length is unknown
@@ -193,33 +175,17 @@ func (s *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 	// net/http otherwise seems to swallow any headers related to chunked encoding
 	// including r.TransferEncoding
 	// allow a nil body for backwards compatibility
-
-	version := httputils.VersionFromContext(ctx)
-	var hostConfig *container.HostConfig
+	//
 	// A non-nil json object is at least 7 characters.
 	if r.ContentLength > 7 || r.ContentLength == -1 {
-		if versions.GreaterThanOrEqualTo(version, "1.24") {
-			return bodyOnStartError{}
-		}
-
-		if err := httputils.CheckForJSON(r); err != nil {
-			return err
-		}
-
-		c, err := s.decoder.DecodeHostConfig(r.Body)
-		if err != nil {
-			return err
-		}
-		hostConfig = c
+		return errdefs.InvalidParameter(errors.New("starting container with non-empty request body was deprecated since API v1.22 and removed in v1.24"))
 	}

 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	checkpoint := r.Form.Get("checkpoint")
-	checkpointDir := r.Form.Get("checkpoint-dir")
-	if err := s.backend.ContainerStart(ctx, vars["name"], hostConfig, checkpoint, checkpointDir); err != nil {
+	if err := s.backend.ContainerStart(ctx, vars["name"], r.Form.Get("checkpoint"), r.Form.Get("checkpoint-dir")); err != nil {
 		return err
 	}

@@ -255,25 +221,14 @@ func (s *containerRouter) postContainersStop(ctx context.Context, w http.Respons
 	return nil
 }

-func (s *containerRouter) postContainersKill(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersKill(_ context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

 	name := vars["name"]
 	if err := s.backend.ContainerKill(name, r.Form.Get("signal")); err != nil {
-		var isStopped bool
-		if errdefs.IsConflict(err) {
-			isStopped = true
-		}
-
-		// Return error that's not caused because the container is stopped.
-		// Return error if the container is not running and the api is >= 1.20
-		// to keep backwards compatibility.
-		version := httputils.VersionFromContext(ctx)
-		if versions.GreaterThanOrEqualTo(version, "1.20") || !isStopped {
-			return errors.Wrapf(err, "Cannot kill container: %s", name)
-		}
+		return errors.Wrapf(err, "cannot kill container: %s", name)
 	}

 	w.WriteHeader(http.StatusNoContent)
@@ -512,7 +467,6 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	}

 	version := httputils.VersionFromContext(ctx)
-	adjustCPUShares := versions.LessThan(version, "1.19")

 	// When using API 1.24 and under, the client is responsible for removing the container
 	if versions.LessThan(version, "1.25") {
@@ -602,17 +556,27 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		hostConfig.Annotations = nil
 	}

+	defaultReadOnlyNonRecursive := false
 	if versions.LessThan(version, "1.44") {
 		if config.Healthcheck != nil {
 			// StartInterval was added in API 1.44
 			config.Healthcheck.StartInterval = 0
 		}

+		// Set ReadOnlyNonRecursive to true because it was added in API 1.44
+		// Before that all read-only mounts were non-recursive.
+		// Keep that behavior for clients on older APIs.
+		defaultReadOnlyNonRecursive = true
+
 		for _, m := range hostConfig.Mounts {
-			if m.BindOptions != nil {
-				// Ignore ReadOnlyNonRecursive because it was added in API 1.44.
-				m.BindOptions.ReadOnlyNonRecursive = false
-				if m.BindOptions.ReadOnlyForceRecursive {
+			if m.Type == mount.TypeBind {
+				if m.BindOptions != nil && m.BindOptions.ReadOnlyForceRecursive {
+					// NOTE: that technically this is a breaking change for older
+					// API versions, and we should ignore the new field.
+					// However, this option may be incorrectly set by a client with
+					// the expectation that the failing to apply recursive read-only
+					// is enforced, so we decided to produce an error instead,
+					// instead of silently ignoring.
 					return errdefs.InvalidParameter(errors.New("BindOptions.ReadOnlyForceRecursive needs API v1.44 or newer"))
 				}
 			}
@@ -628,6 +592,14 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}
 	}

+	if versions.LessThan(version, "1.45") {
+		for _, m := range hostConfig.Mounts {
+			if m.VolumeOptions != nil && m.VolumeOptions.Subpath != "" {
+				return errdefs.InvalidParameter(errors.New("VolumeOptions.Subpath needs API v1.45 or newer"))
+			}
+		}
+	}
+
 	var warnings []string
 	if warn, err := handleMACAddressBC(config, hostConfig, networkingConfig, version); err != nil {
 		return err
@@ -644,12 +616,12 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	}

 	ccr, err := s.backend.ContainerCreate(ctx, backend.ContainerCreateConfig{
-		Name:             name,
-		Config:           config,
-		HostConfig:       hostConfig,
-		NetworkingConfig: networkingConfig,
-		AdjustCPUShares:  adjustCPUShares,
-		Platform:         platform,
+		Name:                        name,
+		Config:                      config,
+		HostConfig:                  hostConfig,
+		NetworkingConfig:            networkingConfig,
+		Platform:                    platform,
+		DefaultReadOnlyNonRecursive: defaultReadOnlyNonRecursive,
 	})
 	if err != nil {
 		return err
@@ -662,42 +634,73 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 // networkingConfig to set the endpoint-specific MACAddress field introduced in API v1.44. It returns a warning message
 // or an error if the container-wide field was specified for API >= v1.44.
 func handleMACAddressBC(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, version string) (string, error) {
-	if config.MacAddress == "" { //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.
-		return "", nil
-	}
-
 	deprecatedMacAddress := config.MacAddress //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.

+	// For older versions of the API, migrate the container-wide MAC address to EndpointsConfig.
 	if versions.LessThan(version, "1.44") {
-		// The container-wide MacAddress parameter is deprecated and should now be specified in EndpointsConfig.
-		if hostConfig.NetworkMode.IsDefault() || hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
-			nwName := hostConfig.NetworkMode.NetworkName()
-			if _, ok := networkingConfig.EndpointsConfig[nwName]; !ok {
-				networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{}
+		if deprecatedMacAddress == "" {
+			// If a MAC address is supplied in EndpointsConfig, discard it because the old API
+			// would have ignored it.
+			for _, ep := range networkingConfig.EndpointsConfig {
+				ep.MacAddress = ""
 			}
-			// Overwrite the config: either the endpoint's MacAddress was set by the user on API < v1.44, which
-			// must be ignored, or migrate the top-level MacAddress to the endpoint's config.
-			networkingConfig.EndpointsConfig[nwName].MacAddress = deprecatedMacAddress
+			return "", nil
 		}
 		if !hostConfig.NetworkMode.IsDefault() && !hostConfig.NetworkMode.IsBridge() && !hostConfig.NetworkMode.IsUserDefined() {
 			return "", runconfig.ErrConflictContainerNetworkAndMac
 		}

+		// There cannot be more than one entry in EndpointsConfig with API < 1.44.
+
+		// If there's no EndpointsConfig, create a place to store the configured address. It is
+		// safe to use NetworkMode as the network name, whether it's a name or id/short-id, as
+		// it will be normalised later and there is no other EndpointSettings object that might
+		// refer to this network/endpoint.
+		if len(networkingConfig.EndpointsConfig) == 0 {
+			nwName := hostConfig.NetworkMode.NetworkName()
+			networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{}
+		}
+		// There's exactly one network in EndpointsConfig, either from the API or just-created.
+		// Migrate the container-wide setting to it.
+		// No need to check for a match between NetworkMode and the names/ids in EndpointsConfig,
+		// the old version of the API would have applied the address to this network anyway.
+		for _, ep := range networkingConfig.EndpointsConfig {
+			ep.MacAddress = deprecatedMacAddress
+		}
 		return "", nil
 	}

+	// The container-wide MacAddress parameter is deprecated and should now be specified in EndpointsConfig.
+	if deprecatedMacAddress == "" {
+		return "", nil
+	}
 	var warning string
 	if hostConfig.NetworkMode.IsDefault() || hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
 		nwName := hostConfig.NetworkMode.NetworkName()
-		if _, ok := networkingConfig.EndpointsConfig[nwName]; !ok {
-			networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{}
-		}
-
-		ep := networkingConfig.EndpointsConfig[nwName]
-		if ep.MacAddress == "" {
-			ep.MacAddress = deprecatedMacAddress
-		} else if ep.MacAddress != deprecatedMacAddress {
-			return "", errdefs.InvalidParameter(errors.New("the container-wide MAC address should match the endpoint-specific MAC address for the main network or should be left empty"))
+		// If there's no endpoint config, create a place to store the configured address.
+		if len(networkingConfig.EndpointsConfig) == 0 {
+			networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{
+				MacAddress: deprecatedMacAddress,
+			}
+		} else {
+			// There is existing endpoint config - if it's not indexed by NetworkMode.Name(), we
+			// can't tell which network the container-wide settings was intended for. NetworkMode,
+			// the keys in EndpointsConfig and the NetworkID in EndpointsConfig may mix network
+			// name/id/short-id. It's not safe to create EndpointsConfig under the NetworkMode
+			// name to store the container-wide MAC address, because that may result in two sets
+			// of EndpointsConfig for the same network and one set will be discarded later. So,
+			// reject the request ...
+			ep, ok := networkingConfig.EndpointsConfig[nwName]
+			if !ok {
+				return "", errdefs.InvalidParameter(errors.New("if a container-wide MAC address is supplied, HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks"))
+			}
+			// ep is the endpoint that needs the container-wide MAC address; migrate the address
+			// to it, or bail out if there's a mismatch.
+			if ep.MacAddress == "" {
+				ep.MacAddress = deprecatedMacAddress
+			} else if ep.MacAddress != deprecatedMacAddress {
+				return "", errdefs.InvalidParameter(errors.New("the container-wide MAC address must match the endpoint-specific MAC address for the main network, or be left empty"))
+			}
 		}
 	}
 	warning = "The container-wide MacAddress field is now deprecated. It should be specified in EndpointsConfig instead."
--- a/api/server/router/container/container_routes_test.go
+++ b/api/server/router/container/container_routes_test.go
@@ -0,0 +1,160 @@
+package container
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestHandleMACAddressBC(t *testing.T) {
+	testcases := []struct {
+		name                string
+		apiVersion          string
+		ctrWideMAC          string
+		networkMode         container.NetworkMode
+		epConfig            map[string]*network.EndpointSettings
+		expEpWithCtrWideMAC string
+		expEpWithNoMAC      string
+		expCtrWideMAC       string
+		expWarning          string
+		expError            string
+	}{
+		{
+			name:                "old api ctr-wide mac mix id and name",
+			apiVersion:          "1.43",
+			ctrWideMAC:          "11:22:33:44:55:66",
+			networkMode:         "aNetId",
+			epConfig:            map[string]*network.EndpointSettings{"aNetName": {}},
+			expEpWithCtrWideMAC: "aNetName",
+			expCtrWideMAC:       "11:22:33:44:55:66",
+		},
+		{
+			name:           "old api clear ep mac",
+			apiVersion:     "1.43",
+			networkMode:    "aNetId",
+			epConfig:       map[string]*network.EndpointSettings{"aNetName": {MacAddress: "11:22:33:44:55:66"}},
+			expEpWithNoMAC: "aNetName",
+		},
+		{
+			name:          "old api no-network ctr-wide mac",
+			apiVersion:    "1.43",
+			networkMode:   "none",
+			ctrWideMAC:    "11:22:33:44:55:66",
+			expError:      "conflicting options: mac-address and the network mode",
+			expCtrWideMAC: "11:22:33:44:55:66",
+		},
+		{
+			name:                "old api create ep",
+			apiVersion:          "1.43",
+			networkMode:         "aNetId",
+			ctrWideMAC:          "11:22:33:44:55:66",
+			epConfig:            map[string]*network.EndpointSettings{},
+			expEpWithCtrWideMAC: "aNetId",
+			expCtrWideMAC:       "11:22:33:44:55:66",
+		},
+		{
+			name:                "old api migrate ctr-wide mac",
+			apiVersion:          "1.43",
+			ctrWideMAC:          "11:22:33:44:55:66",
+			networkMode:         "aNetName",
+			epConfig:            map[string]*network.EndpointSettings{"aNetName": {}},
+			expEpWithCtrWideMAC: "aNetName",
+			expCtrWideMAC:       "11:22:33:44:55:66",
+		},
+		{
+			name:        "new api no macs",
+			apiVersion:  "1.44",
+			networkMode: "aNetId",
+			epConfig:    map[string]*network.EndpointSettings{"aNetName": {}},
+		},
+		{
+			name:        "new api ep specific mac",
+			apiVersion:  "1.44",
+			networkMode: "aNetName",
+			epConfig:    map[string]*network.EndpointSettings{"aNetName": {MacAddress: "11:22:33:44:55:66"}},
+		},
+		{
+			name:                "new api migrate ctr-wide mac to new ep",
+			apiVersion:          "1.44",
+			ctrWideMAC:          "11:22:33:44:55:66",
+			networkMode:         "aNetName",
+			epConfig:            map[string]*network.EndpointSettings{},
+			expEpWithCtrWideMAC: "aNetName",
+			expWarning:          "The container-wide MacAddress field is now deprecated",
+			expCtrWideMAC:       "",
+		},
+		{
+			name:                "new api migrate ctr-wide mac to existing ep",
+			apiVersion:          "1.44",
+			ctrWideMAC:          "11:22:33:44:55:66",
+			networkMode:         "aNetName",
+			epConfig:            map[string]*network.EndpointSettings{"aNetName": {}},
+			expEpWithCtrWideMAC: "aNetName",
+			expWarning:          "The container-wide MacAddress field is now deprecated",
+			expCtrWideMAC:       "",
+		},
+		{
+			name:          "new api mode vs name mismatch",
+			apiVersion:    "1.44",
+			ctrWideMAC:    "11:22:33:44:55:66",
+			networkMode:   "aNetId",
+			epConfig:      map[string]*network.EndpointSettings{"aNetName": {}},
+			expError:      "if a container-wide MAC address is supplied, HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks",
+			expCtrWideMAC: "11:22:33:44:55:66",
+		},
+		{
+			name:          "new api mac mismatch",
+			apiVersion:    "1.44",
+			ctrWideMAC:    "11:22:33:44:55:66",
+			networkMode:   "aNetName",
+			epConfig:      map[string]*network.EndpointSettings{"aNetName": {MacAddress: "00:11:22:33:44:55"}},
+			expError:      "the container-wide MAC address must match the endpoint-specific MAC address",
+			expCtrWideMAC: "11:22:33:44:55:66",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &container.Config{
+				MacAddress: tc.ctrWideMAC, //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.
+			}
+			hostCfg := &container.HostConfig{
+				NetworkMode: tc.networkMode,
+			}
+			epConfig := make(map[string]*network.EndpointSettings, len(tc.epConfig))
+			for k, v := range tc.epConfig {
+				v := v
+				epConfig[k] = v
+			}
+			netCfg := &network.NetworkingConfig{
+				EndpointsConfig: epConfig,
+			}
+
+			warning, err := handleMACAddressBC(cfg, hostCfg, netCfg, tc.apiVersion)
+
+			if tc.expError == "" {
+				assert.Check(t, err)
+			} else {
+				assert.Check(t, is.ErrorContains(err, tc.expError))
+			}
+			if tc.expWarning == "" {
+				assert.Check(t, is.Equal(warning, ""))
+			} else {
+				assert.Check(t, is.Contains(warning, tc.expWarning))
+			}
+			if tc.expEpWithCtrWideMAC != "" {
+				got := netCfg.EndpointsConfig[tc.expEpWithCtrWideMAC].MacAddress
+				assert.Check(t, is.Equal(got, tc.ctrWideMAC))
+			}
+			if tc.expEpWithNoMAC != "" {
+				got := netCfg.EndpointsConfig[tc.expEpWithNoMAC].MacAddress
+				assert.Check(t, is.Equal(got, ""))
+			}
+			gotCtrWideMAC := cfg.MacAddress //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.
+			assert.Check(t, is.Equal(gotCtrWideMAC, tc.expCtrWideMAC))
+		})
+	}
+}
--- a/api/server/router/container/copy.go
+++ b/api/server/router/container/copy.go
@@ -11,49 +11,10 @@ import (

 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/versions"
 	gddohttputil "github.com/golang/gddo/httputil"
 )

-type pathError struct{}
-
-func (pathError) Error() string {
-	return "Path cannot be empty"
-}
-
-func (pathError) InvalidParameter() {}
-
-// postContainersCopy is deprecated in favor of getContainersArchive.
-//
-// Deprecated since 1.8 (API v1.20), errors out since 1.12 (API v1.24)
-func (s *containerRouter) postContainersCopy(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	version := httputils.VersionFromContext(ctx)
-	if versions.GreaterThanOrEqualTo(version, "1.24") {
-		w.WriteHeader(http.StatusNotFound)
-		return nil
-	}
-
-	cfg := types.CopyConfig{}
-	if err := httputils.ReadJSON(r, &cfg); err != nil {
-		return err
-	}
-
-	if cfg.Resource == "" {
-		return pathError{}
-	}
-
-	data, err := s.backend.ContainerCopy(vars["name"], cfg.Resource)
-	if err != nil {
-		return err
-	}
-	defer data.Close()
-
-	w.Header().Set("Content-Type", "application/x-tar")
-	_, err = io.Copy(w, data)
-	return err
-}
-
-// // Encode the stat to JSON, base64 encode, and place in a header.
+// setContainerPathStatHeader encodes the stat to JSON, base64 encode, and place in a header.
 func setContainerPathStatHeader(stat *types.ContainerPathStat, header http.Header) error {
 	statJSON, err := json.Marshal(stat)
 	if err != nil {
--- a/api/server/router/container/exec.go
+++ b/api/server/router/container/exec.go
@@ -71,15 +71,6 @@ func (s *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 		return err
 	}

-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.22") {
-		// API versions before 1.22 did not enforce application/json content-type.
-		// Allow older clients to work by patching the content-type.
-		if r.Header.Get("Content-Type") != "application/json" {
-			r.Header.Set("Content-Type", "application/json")
-		}
-	}
-
 	var (
 		execName                  = vars["name"]
 		stdin, inStream           io.ReadCloser
@@ -96,6 +87,8 @@ func (s *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 	}

 	if execStartCheck.ConsoleSize != nil {
+		version := httputils.VersionFromContext(ctx)
+
 		// Not supported before 1.42
 		if versions.LessThan(version, "1.42") {
 			execStartCheck.ConsoleSize = nil
--- a/api/server/router/distribution/backend.go
+++ b/api/server/router/distribution/backend.go
@@ -11,5 +11,5 @@ import (
 // Backend is all the methods that need to be implemented
 // to provide image specific functionality.
 type Backend interface {
-	GetRepository(context.Context, reference.Named, *registry.AuthConfig) (distribution.Repository, error)
+	GetRepositories(context.Context, reference.Named, *registry.AuthConfig) ([]distribution.Repository, error)
 }
--- a/api/server/router/distribution/distribution_routes.go
+++ b/api/server/router/distribution/distribution_routes.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"os"

 	"github.com/distribution/reference"
+	"github.com/docker/distribution"
 	"github.com/docker/distribution/manifest/manifestlist"
 	"github.com/docker/distribution/manifest/schema1"
 	"github.com/docker/distribution/manifest/schema2"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/registry"
+	distributionpkg "github.com/docker/docker/distribution"
 	"github.com/docker/docker/errdefs"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -23,10 +26,10 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res

 	w.Header().Set("Content-Type", "application/json")

-	image := vars["name"]
+	imgName := vars["name"]

 	// TODO why is reference.ParseAnyReference() / reference.ParseNormalizedNamed() not using the reference.ErrTagInvalidFormat (and so on) errors?
-	ref, err := reference.ParseAnyReference(image)
+	ref, err := reference.ParseAnyReference(imgName)
 	if err != nil {
 		return errdefs.InvalidParameter(err)
 	}
@@ -36,30 +39,56 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 			// full image ID
 			return errors.Errorf("no manifest found for full image ID")
 		}
-		return errdefs.InvalidParameter(errors.Errorf("unknown image reference format: %s", image))
+		return errdefs.InvalidParameter(errors.Errorf("unknown image reference format: %s", imgName))
 	}

 	// For a search it is not an error if no auth was given. Ignore invalid
 	// AuthConfig to increase compatibility with the existing API.
 	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
-	distrepo, err := s.backend.GetRepository(ctx, namedRef, authConfig)
+	repos, err := s.backend.GetRepositories(ctx, namedRef, authConfig)
 	if err != nil {
 		return err
 	}
-	blobsrvc := distrepo.Blobs(ctx)

+	// Fetch the manifest; if a mirror is configured, try the mirror first,
+	// but continue with upstream on failure.
+	//
+	// FIXME(thaJeztah): construct "repositories" on-demand;
+	// GetRepositories() will attempt to connect to all endpoints (registries),
+	// but we may only need the first one if it contains the manifest we're
+	// looking for, or if the configured mirror is a pull-through mirror.
+	//
+	// Logic for this could be implemented similar to "distribution.Pull()",
+	// which uses the "pullEndpoints" utility to iterate over the list
+	// of endpoints;
+	//
+	// - https://github.com/moby/moby/blob/12c7411b6b7314bef130cd59f1c7384a7db06d0b/distribution/pull.go#L17-L31
+	// - https://github.com/moby/moby/blob/12c7411b6b7314bef130cd59f1c7384a7db06d0b/distribution/pull.go#L76-L152
+	var lastErr error
+	for _, repo := range repos {
+		distributionInspect, err := s.fetchManifest(ctx, repo, namedRef)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return httputils.WriteJSON(w, http.StatusOK, distributionInspect)
+	}
+	return lastErr
+}
+
+func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distribution.Repository, namedRef reference.Named) (registry.DistributionInspect, error) {
 	var distributionInspect registry.DistributionInspect
 	if canonicalRef, ok := namedRef.(reference.Canonical); !ok {
 		namedRef = reference.TagNameOnly(namedRef)

 		taggedRef, ok := namedRef.(reference.NamedTagged)
 		if !ok {
-			return errdefs.InvalidParameter(errors.Errorf("image reference not tagged: %s", image))
+			return registry.DistributionInspect{}, errdefs.InvalidParameter(errors.Errorf("image reference not tagged: %s", namedRef))
 		}

 		descriptor, err := distrepo.Tags(ctx).Get(ctx, taggedRef.Tag())
 		if err != nil {
-			return err
+			return registry.DistributionInspect{}, err
 		}
 		distributionInspect.Descriptor = ocispec.Descriptor{
 			MediaType: descriptor.MediaType,
@@ -76,7 +105,7 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 	// we have a digest, so we can retrieve the manifest
 	mnfstsrvc, err := distrepo.Manifests(ctx)
 	if err != nil {
-		return err
+		return registry.DistributionInspect{}, err
 	}
 	mnfst, err := mnfstsrvc.Get(ctx, distributionInspect.Descriptor.Digest)
 	if err != nil {
@@ -88,14 +117,14 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 			reference.ErrNameEmpty,
 			reference.ErrNameTooLong,
 			reference.ErrNameNotCanonical:
-			return errdefs.InvalidParameter(err)
+			return registry.DistributionInspect{}, errdefs.InvalidParameter(err)
 		}
-		return err
+		return registry.DistributionInspect{}, err
 	}

 	mediaType, payload, err := mnfst.Payload()
 	if err != nil {
-		return err
+		return registry.DistributionInspect{}, err
 	}
 	// update MediaType because registry might return something incorrect
 	distributionInspect.Descriptor.MediaType = mediaType
@@ -116,7 +145,8 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 			})
 		}
 	case *schema2.DeserializedManifest:
-		configJSON, err := blobsrvc.Get(ctx, mnfstObj.Config.Digest)
+		blobStore := distrepo.Blobs(ctx)
+		configJSON, err := blobStore.Get(ctx, mnfstObj.Config.Digest)
 		var platform ocispec.Platform
 		if err == nil {
 			err := json.Unmarshal(configJSON, &platform)
@@ -125,12 +155,14 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 			}
 		}
 	case *schema1.SignedManifest:
+		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
+			return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
+		}
 		platform := ocispec.Platform{
 			Architecture: mnfstObj.Architecture,
 			OS:           "linux",
 		}
 		distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
 	}
-
-	return httputils.WriteJSON(w, http.StatusOK, distributionInspect)
+	return distributionInspect, nil
 }
--- a/api/server/router/grpc/grpc.go
+++ b/api/server/router/grpc/grpc.go
@@ -21,7 +21,7 @@ type grpcRouter struct {
 // NewRouter initializes a new grpc http router
 func NewRouter(backends ...Backend) router.Router {
 	unary := grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(unaryInterceptor(), grpcerrors.UnaryServerInterceptor))
-	stream := grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(otelgrpc.StreamServerInterceptor(), grpcerrors.StreamServerInterceptor))
+	stream := grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(otelgrpc.StreamServerInterceptor(), grpcerrors.StreamServerInterceptor)) //nolint:staticcheck // TODO(thaJeztah): ignore SA1019 for deprecated options: see https://github.com/moby/moby/issues/47437

 	r := &grpcRouter{
 		h2Server:   &http2.Server{},
@@ -46,7 +46,7 @@ func (gr *grpcRouter) initRoutes() {
 }

 func unaryInterceptor() grpc.UnaryServerInterceptor {
-	withTrace := otelgrpc.UnaryServerInterceptor()
+	withTrace := otelgrpc.UnaryServerInterceptor() //nolint:staticcheck // TODO(thaJeztah): ignore SA1019 for deprecated options: see https://github.com/moby/moby/issues/47437

 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
 		// This method is used by the clients to send their traces to buildkit so they can be included
--- a/api/server/router/image/backend.go
+++ b/api/server/router/image/backend.go
@@ -6,6 +6,7 @@ import (

 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
@@ -24,8 +25,8 @@ type Backend interface {
 type imageBackend interface {
 	ImageDelete(ctx context.Context, imageRef string, force, prune bool) ([]image.DeleteResponse, error)
 	ImageHistory(ctx context.Context, imageName string) ([]*image.HistoryResponseItem, error)
-	Images(ctx context.Context, opts types.ImageListOptions) ([]*image.Summary, error)
-	GetImage(ctx context.Context, refOrID string, options image.GetImageOpts) (*dockerimage.Image, error)
+	Images(ctx context.Context, opts image.ListOptions) ([]*image.Summary, error)
+	GetImage(ctx context.Context, refOrID string, options backend.GetImageOpts) (*dockerimage.Image, error)
 	TagImage(ctx context.Context, id dockerimage.ID, newRef reference.Named) error
 	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*types.ImagesPruneReport, error)
 }
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -15,8 +15,9 @@ import (
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
-	opts "github.com/docker/docker/api/types/image"
+	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/builder/remotecontext"
@@ -72,9 +73,9 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 		// Special case: "pull -a" may send an image name with a
 		// trailing :. This is ugly, but let's not break API
 		// compatibility.
-		image := strings.TrimSuffix(img, ":")
+		imgName := strings.TrimSuffix(img, ":")

-		ref, err := reference.ParseNormalizedNamed(image)
+		ref, err := reference.ParseNormalizedNamed(imgName)
 		if err != nil {
 			return errdefs.InvalidParameter(err)
 		}
@@ -189,7 +190,7 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter

 	var ref reference.Named

-	// Tag is empty only in case ImagePushOptions.All is true.
+	// Tag is empty only in case PushOptions.All is true.
 	if tag != "" {
 		r, err := httputils.RepoTagReference(img, tag)
 		if err != nil {
@@ -285,7 +286,7 @@ func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter,
 }

 func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	img, err := ir.backend.GetImage(ctx, vars["name"], opts.GetImageOpts{Details: true})
+	img, err := ir.backend.GetImage(ctx, vars["name"], backend.GetImageOpts{Details: true})
 	if err != nil {
 		return err
 	}
@@ -298,6 +299,16 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 	version := httputils.VersionFromContext(ctx)
 	if versions.LessThan(version, "1.44") {
 		imageInspect.VirtualSize = imageInspect.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
+
+		if imageInspect.Created == "" {
+			// backwards compatibility for Created not existing returning "0001-01-01T00:00:00Z"
+			// https://github.com/moby/moby/issues/47368
+			imageInspect.Created = time.Time{}.Format(time.RFC3339Nano)
+		}
+	}
+	if versions.GreaterThanOrEqualTo(version, "1.45") {
+		imageInspect.Container = ""        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		imageInspect.ContainerConfig = nil //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 	}
 	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
 }
@@ -338,8 +349,8 @@ func (ir *imageRouter) toImageInspect(img *image.Image) (*types.ImageInspect, er
 		Parent:          img.Parent.String(),
 		Comment:         comment,
 		Created:         created,
-		Container:       img.Container,
-		ContainerConfig: &img.ContainerConfig,
+		Container:       img.Container,        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		ContainerConfig: &img.ContainerConfig, //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 		DockerVersion:   img.DockerVersion,
 		Author:          img.Author,
 		Config:          img.Config,
@@ -353,7 +364,7 @@ func (ir *imageRouter) toImageInspect(img *image.Image) (*types.ImageInspect, er
 			Data: img.Details.Metadata,
 		},
 		RootFS: rootFSToAPIType(img.RootFS),
-		Metadata: opts.Metadata{
+		Metadata: imagetypes.Metadata{
 			LastTagTime: img.Details.LastUpdated,
 		},
 	}, nil
@@ -395,7 +406,7 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		sharedSize = httputils.BoolValue(r, "shared-size")
 	}

-	images, err := ir.backend.Images(ctx, types.ImageListOptions{
+	images, err := ir.backend.Images(ctx, imagetypes.ListOptions{
 		All:        httputils.BoolValue(r, "all"),
 		Filters:    imageFilters,
 		SharedSize: sharedSize,
@@ -452,7 +463,7 @@ func (ir *imageRouter) postImagesTag(ctx context.Context, w http.ResponseWriter,
 		return errdefs.InvalidParameter(errors.New("refusing to create an ambiguous tag using digest algorithm as name"))
 	}

-	img, err := ir.backend.GetImage(ctx, vars["name"], opts.GetImageOpts{})
+	img, err := ir.backend.GetImage(ctx, vars["name"], backend.GetImageOpts{})
 	if err != nil {
 		return errdefs.NotFound(err)
 	}
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -213,6 +213,10 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		return libnetwork.NetworkNameError(create.Name)
 	}

+	// For a Swarm-scoped network, this call to backend.CreateNetwork is used to
+	// validate the configuration. The network will not be created but, if the
+	// configuration is valid, ManagerRedirectError will be returned and handled
+	// below.
 	nw, err := n.backend.CreateNetwork(create)
 	if err != nil {
 		if _, ok := err.(libnetwork.ManagerRedirectError); !ok {
--- a/api/server/router/swarm/cluster_routes.go
+++ b/api/server/router/swarm/cluster_routes.go
@@ -209,6 +209,10 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	// Get returns "" if the header does not exist
 	encodedAuth := r.Header.Get(registry.AuthHeader)
@@ -245,6 +249,10 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	rawVersion := r.URL.Query().Get("version")
 	version, err := strconv.ParseUint(rawVersion, 10, 64)
--- a/api/server/router/system/system.go
+++ b/api/server/router/system/system.go
@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package system // import "github.com/docker/docker/api/server/router/system"

 import (
--- a/api/server/router/system/system_routes.go
+++ b/api/server/router/system/system_routes.go
@@ -91,6 +91,12 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 				info.OperatingSystem = "<unknown>"
 			}
 		}
+		if versions.LessThan(version, "1.44") {
+			for k, rt := range info.Runtimes {
+				// Status field introduced in API v1.44.
+				info.Runtimes[k] = system.RuntimeWithStatus{Runtime: rt.Runtime}
+			}
+		}
 		if versions.GreaterThanOrEqualTo(version, "1.42") {
 			info.KernelMemory = false
 		}
--- a/api/server/server.go
+++ b/api/server/server.go
@@ -10,6 +10,7 @@ import (
 	"github.com/docker/docker/api/server/middleware"
 	"github.com/docker/docker/api/server/router"
 	"github.com/docker/docker/api/server/router/debug"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/dockerversion"
 	"github.com/gorilla/mux"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
@@ -57,19 +58,13 @@ func (s *Server) makeHTTPHandler(handler httputils.APIFunc, operation string) ht
 			if statusCode >= 500 {
 				log.G(ctx).Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err)
 			}
-			makeErrorHandler(err)(w, r)
+			_ = httputils.WriteJSON(w, statusCode, &types.ErrorResponse{
+				Message: err.Error(),
+			})
 		}
 	}), operation).ServeHTTP
 }

-type pageNotFoundError struct{}
-
-func (pageNotFoundError) Error() string {
-	return "page not found"
-}
-
-func (pageNotFoundError) NotFound() {}
-
 // CreateMux returns a new mux with all the routers registered.
 func (s *Server) CreateMux(routers ...router.Router) *mux.Router {
 	m := mux.NewRouter()
@@ -91,7 +86,12 @@ func (s *Server) CreateMux(routers ...router.Router) *mux.Router {
 		m.Path("/debug" + r.Path()).Handler(f)
 	}

-	notFoundHandler := makeErrorHandler(pageNotFoundError{})
+	notFoundHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = httputils.WriteJSON(w, http.StatusNotFound, &types.ErrorResponse{
+			Message: "page not found",
+		})
+	})
+
 	m.HandleFunc(versionMatcher+"/{path:.*}", notFoundHandler)
 	m.NotFoundHandler = notFoundHandler
 	m.MethodNotAllowedHandler = notFoundHandler
--- a/api/server/server_test.go
+++ b/api/server/server_test.go
@@ -15,8 +15,11 @@ import (
 func TestMiddlewares(t *testing.T) {
 	srv := &Server{}

-	const apiMinVersion = "1.12"
-	srv.UseMiddleware(middleware.NewVersionMiddleware("0.1omega2", api.DefaultVersion, apiMinVersion))
+	m, err := middleware.NewVersionMiddleware("0.1omega2", api.DefaultVersion, api.MinSupportedAPIVersion)
+	if err != nil {
+		t.Fatal(err)
+	}
+	srv.UseMiddleware(*m)

 	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
 	resp := httptest.NewRecorder()
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
 consumes:
  - "application/json"
  - "text/plain"
-basePath: "/v1.44"
+basePath: "/v1.45"
 info:
  title: "Docker Engine API"
-  version: "1.44"
+  version: "1.45"
  x-logo:
    url: "https://docs.docker.com/assets/images/logo-docker-main.png"
  description: |
@@ -55,8 +55,8 @@ info:
    the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
    is returned.

-    If you omit the version-prefix, the current version of the API (v1.44) is used.
-    For example, calling `/info` is the same as calling `/v1.44/info`. Using the
+    If you omit the version-prefix, the current version of the API (v1.45) is used.
+    For example, calling `/info` is the same as calling `/v1.45/info`. Using the
    API without a version-prefix is deprecated and will be removed in a future release.

    Engine releases in the near future should support this version of the API,
@@ -391,7 +391,11 @@ definitions:
          ReadOnlyNonRecursive:
            description: |
               Make the mount non-recursively read-only, but still leave the mount recursive
-               (unless NonRecursive is set to true in conjunction).
+               (unless NonRecursive is set to `true` in conjunction).
+
+               Addded in v1.44, before that version all read-only mounts were
+               non-recursive by default. To match the previous behaviour this
+               will default to `true` for clients on versions prior to v1.44.
            type: "boolean"
            default: false
          ReadOnlyForceRecursive:
@@ -423,6 +427,10 @@ definitions:
                type: "object"
                additionalProperties:
                  type: "string"
+          Subpath:
+            description: "Source path inside the volume. Must be relative without any back traversals."
+            type: "string"
+            example: "dir-inside-volume/subdirectory"
      TmpfsOptions:
        description: "Optional configuration for the `tmpfs` type."
        type: "object"
@@ -1398,7 +1406,8 @@ definitions:
    type: "object"
    properties:
      Bridge:
-        description: Name of the network's bridge (for example, `docker0`).
+        description: |
+          Name of the default bridge interface when dockerd's --bridge flag is set.
        type: "string"
        example: "docker0"
      SandboxID:
@@ -1408,34 +1417,40 @@ definitions:
      HairpinMode:
        description: |
          Indicates if hairpin NAT should be enabled on the virtual interface.
+
+          Deprecated: This field is never set and will be removed in a future release.
        type: "boolean"
        example: false
      LinkLocalIPv6Address:
-        description: IPv6 unicast address using the link-local prefix.
+        description: |
+          IPv6 unicast address using the link-local prefix.
+
+          Deprecated: This field is never set and will be removed in a future release.
        type: "string"
-        example: "fe80::42:acff:fe11:1"
+        example: ""
      LinkLocalIPv6PrefixLen:
-        description: Prefix length of the IPv6 unicast address.
+        description: |
+          Prefix length of the IPv6 unicast address.
+
+          Deprecated: This field is never set and will be removed in a future release.
        type: "integer"
-        example: "64"
+        example: ""
      Ports:
        $ref: "#/definitions/PortMap"
      SandboxKey:
-        description: SandboxKey identifies the sandbox
+        description: SandboxKey is the full path of the netns handle
        type: "string"
        example: "/var/run/docker/netns/8ab54b426c38"

-      # TODO is SecondaryIPAddresses actually used?
      SecondaryIPAddresses:
-        description: ""
+        description: "Deprecated: This field is never set and will be removed in a future release."
        type: "array"
        items:
          $ref: "#/definitions/Address"
        x-nullable: true

-      # TODO is SecondaryIPv6Addresses actually used?
      SecondaryIPv6Addresses:
-        description: ""
+        description: "Deprecated: This field is never set and will be removed in a future release."
        type: "array"
        items:
          $ref: "#/definitions/Address"
@@ -1736,18 +1751,27 @@ definitions:
        description: |
          Date and time at which the image was created, formatted in
          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
+
+          This information is only available if present in the image,
+          and omitted otherwise.
        type: "string"
-        x-nullable: false
+        format: "dateTime"
+        x-nullable: true
        example: "2022-02-04T21:20:12.497794809Z"
      Container:
        description: |
          The ID of the container that was used to create the image.

          Depending on how the image was created, this field may be empty.
+
+          **Deprecated**: this field is kept for backward compatibility, but
+          will be removed in API v1.45.
        type: "string"
-        x-nullable: false
        example: "65974bc86f1770ae4bff79f651ebdbce166ae9aada632ee3fa9af3a264911735"
      ContainerConfig:
+        description: |
+          **Deprecated**: this field is kept for backward compatibility, but
+          will be removed in API v1.45.
        $ref: "#/definitions/ContainerConfig"
      DockerVersion:
        description: |
@@ -2525,6 +2549,21 @@ definitions:
        example:
          com.example.some-label: "some-value"
          com.example.some-other-label: "some-other-value"
+      DNSNames:
+        description: |
+          List of all DNS names an endpoint has on a specific network. This
+          list is based on the container name, network aliases, container short
+          ID, and hostname.
+
+          These DNS names are non-fully qualified but can contain several dots.
+          You can get fully qualified DNS names by appending `.<network-name>`.
+          For instance, if container name is `my.ctr` and the network is named
+          `testnet`, `DNSNames` will contain `my.ctr` and the FQDN will be
+          `my.ctr.testnet`.
+        type: array
+        items:
+          type: string
+        example: ["foobar", "server_x", "server_y", "my.ctr"]

  EndpointIPAMConfig:
    description: |
@@ -3022,8 +3061,6 @@ definitions:
            Name: "journald"
          - Type: "Log"
            Name: "json-file"
-          - Type: "Log"
-            Name: "logentries"
          - Type: "Log"
            Name: "splunk"
          - Type: "Log"
@@ -3978,6 +4015,44 @@ definitions:
      - "remove"
      - "orphaned"

+  ContainerStatus:
+    type: "object"
+    description: "represents the status of a container."
+    properties:
+      ContainerID:
+        type: "string"
+      PID:
+        type: "integer"
+      ExitCode:
+        type: "integer"
+
+  PortStatus:
+    type: "object"
+    description: "represents the port status of a task's host ports whose service has published host ports"
+    properties:
+      Ports:
+        type: "array"
+        items:
+          $ref: "#/definitions/EndpointPortConfig"
+
+  TaskStatus:
+    type: "object"
+    description: "represents the status of a task."
+    properties:
+      Timestamp:
+        type: "string"
+        format: "dateTime"
+      State:
+        $ref: "#/definitions/TaskState"
+      Message:
+        type: "string"
+      Err:
+        type: "string"
+      ContainerStatus:
+        $ref: "#/definitions/ContainerStatus"
+      PortStatus:
+        $ref: "#/definitions/PortStatus"
+
  Task:
    type: "object"
    properties:
@@ -4013,26 +4088,7 @@ definitions:
      AssignedGenericResources:
        $ref: "#/definitions/GenericResources"
      Status:
-        type: "object"
-        properties:
-          Timestamp:
-            type: "string"
-            format: "dateTime"
-          State:
-            $ref: "#/definitions/TaskState"
-          Message:
-            type: "string"
-          Err:
-            type: "string"
-          ContainerStatus:
-            type: "object"
-            properties:
-              ContainerID:
-                type: "string"
-              PID:
-                type: "integer"
-              ExitCode:
-                type: "integer"
+        $ref: "#/definitions/TaskStatus"
      DesiredState:
        $ref: "#/definitions/TaskState"
      JobIteration:
@@ -5417,7 +5473,7 @@ definitions:
        type: "array"
        items:
          type: "string"
-        example: ["awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "logentries", "splunk", "syslog"]
+        example: ["awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "splunk", "syslog"]


  RegistryServiceConfig:
@@ -5615,6 +5671,28 @@ definitions:
        items:
          type: "string"
        example: ["--debug", "--systemd-cgroup=false"]
+      status:
+        description: |
+          Information specific to the runtime.
+
+          While this API specification does not define data provided by runtimes,
+          the following well-known properties may be provided by runtimes:
+
+          `org.opencontainers.runtime-spec.features`: features structure as defined
+          in the [OCI Runtime Specification](https://github.com/opencontainers/runtime-spec/blob/main/features.md),
+          in a JSON string representation.
+
+          <p><br /></p>
+
+          > **Note**: The information returned in this field, including the
+          > formatting of values and labels, should not be considered stable,
+          > and may change without notice.
+        type: "object"
+        x-nullable: true
+        additionalProperties:
+          type: "string"
+        example:
+          "org.opencontainers.runtime-spec.features": "{\"ociVersionMin\":\"1.0.0\",\"ociVersionMax\":\"1.1.0\",\"...\":\"...\"}"

  Commit:
    description: |
@@ -8261,6 +8339,16 @@ paths:
          description: "BuildKit output configuration"
          type: "string"
          default: ""
+        - name: "version"
+          in: "query"
+          type: "string"
+          default: "1"
+          enum: ["1", "2"]
+          description: |
+            Version of the builder backend to use.
+
+            - `1` is the first generation classic (deprecated) builder in the Docker daemon (default)
+            - `2` is [BuildKit](https://github.com/moby/buildkit)
      responses:
        200:
          description: "no error"
@@ -8686,8 +8774,7 @@ paths:

                    <p><br /></p>

-                    > **Deprecated**: This field is deprecated and will always
-                    > be "false" in future.
+                    > **Deprecated**: This field is deprecated and will always be "false".
                  type: "boolean"
                  example: false
                name:
@@ -8730,13 +8817,8 @@ paths:
          description: |
            A JSON encoded value of the filters (a `map[string][]string`) to process on the images list. Available filters:

-            - `is-automated=(true|false)` (deprecated, see below)
            - `is-official=(true|false)`
            - `stars=<number>` Matches images that has at least 'number' stars.
-
-            The `is-automated` filter is deprecated. The `is_automated` field has
-            been deprecated by Docker Hub's search API. Consequently, searching
-            for `is-automated=true` will yield no results.
          type: "string"
      tags: ["Image"]
  /images/prune:
--- a/api/types/backend/backend.go
+++ b/api/types/backend/backend.go
@@ -13,12 +13,12 @@ import (

 // ContainerCreateConfig is the parameter set to ContainerCreate()
 type ContainerCreateConfig struct {
-	Name             string
-	Config           *container.Config
-	HostConfig       *container.HostConfig
-	NetworkingConfig *network.NetworkingConfig
-	Platform         *ocispec.Platform
-	AdjustCPUShares  bool
+	Name                        string
+	Config                      *container.Config
+	HostConfig                  *container.HostConfig
+	NetworkingConfig            *network.NetworkingConfig
+	Platform                    *ocispec.Platform
+	DefaultReadOnlyNonRecursive bool
 }

 // ContainerRmConfig holds arguments for the container remove
@@ -90,7 +90,6 @@ type ContainerStatsConfig struct {
 	Stream    bool
 	OneShot   bool
 	OutStream io.Writer
-	Version   string
 }

 // ExecInspect holds information about a running process started
@@ -130,6 +129,13 @@ type CreateImageConfig struct {
 	Changes []string
 }

+// GetImageOpts holds parameters to retrieve image information
+// from the backend.
+type GetImageOpts struct {
+	Platform *ocispec.Platform
+	Details  bool
+}
+
 // CommitConfig is the configuration for creating an image as part of a build.
 type CommitConfig struct {
 	Author              string
--- a/api/types/client.go
+++ b/api/types/client.go
@@ -157,42 +157,12 @@ type ImageBuildResponse struct {
 	OSType string
 }

-// ImageCreateOptions holds information to create images.
-type ImageCreateOptions struct {
-	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry.
-	Platform     string // Platform is the target platform of the image if it needs to be pulled from the registry.
-}
-
 // ImageImportSource holds source information for ImageImport
 type ImageImportSource struct {
 	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
 	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
 }

-// ImageImportOptions holds information to import images from the client host.
-type ImageImportOptions struct {
-	Tag      string   // Tag is the name to tag this image with. This attribute is deprecated.
-	Message  string   // Message is the message to tag the image with
-	Changes  []string // Changes are the raw changes to apply to this image
-	Platform string   // Platform is the target platform of the image
-}
-
-// ImageListOptions holds parameters to list images with.
-type ImageListOptions struct {
-	// All controls whether all images in the graph are filtered, or just
-	// the heads.
-	All bool
-
-	// Filters is a JSON-encoded set of filter arguments.
-	Filters filters.Args
-
-	// SharedSize indicates whether the shared size of images should be computed.
-	SharedSize bool
-
-	// ContainerCount indicates whether container count should be computed.
-	ContainerCount bool
-}
-
 // ImageLoadResponse returns information to the client about a load process.
 type ImageLoadResponse struct {
 	// Body must be closed to avoid a resource leak
@@ -200,14 +170,6 @@ type ImageLoadResponse struct {
 	JSON bool
 }

-// ImagePullOptions holds information to pull images.
-type ImagePullOptions struct {
-	All           bool
-	RegistryAuth  string // RegistryAuth is the base64 encoded credentials for the registry
-	PrivilegeFunc RequestPrivilegeFunc
-	Platform      string
-}
-
 // RequestPrivilegeFunc is a function interface that
 // clients can supply to retry operations after
 // getting an authorization error.
@@ -216,15 +178,6 @@ type ImagePullOptions struct {
 // if the privilege request fails.
 type RequestPrivilegeFunc func() (string, error)

-// ImagePushOptions holds information to push images.
-type ImagePushOptions ImagePullOptions
-
-// ImageRemoveOptions holds parameters to remove images.
-type ImageRemoveOptions struct {
-	Force         bool
-	PruneChildren bool
-}
-
 // ImageSearchOptions holds parameters to search images with.
 type ImageSearchOptions struct {
 	RegistryAuth  string
--- a/api/types/container/config.go
+++ b/api/types/container/config.go
@@ -5,8 +5,8 @@ import (
 	"time"

 	"github.com/docker/docker/api/types/strslice"
-	dockerspec "github.com/docker/docker/image/spec/specs-go/v1"
 	"github.com/docker/go-connections/nat"
+	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
 )

 // MinimumDuration puts a minimum on user configured duration.
--- a/api/types/image/opts.go
+++ b/api/types/image/opts.go
@@ -1,9 +1,57 @@
 package image

-import ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+import "github.com/docker/docker/api/types/filters"

-// GetImageOpts holds parameters to inspect an image.
-type GetImageOpts struct {
-	Platform *ocispec.Platform
-	Details  bool
+// ImportOptions holds information to import images from the client host.
+type ImportOptions struct {
+	Tag      string   // Tag is the name to tag this image with. This attribute is deprecated.
+	Message  string   // Message is the message to tag the image with
+	Changes  []string // Changes are the raw changes to apply to this image
+	Platform string   // Platform is the target platform of the image
+}
+
+// CreateOptions holds information to create images.
+type CreateOptions struct {
+	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry.
+	Platform     string // Platform is the target platform of the image if it needs to be pulled from the registry.
+}
+
+// PullOptions holds information to pull images.
+type PullOptions struct {
+	All          bool
+	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry
+
+	// PrivilegeFunc is a function that clients can supply to retry operations
+	// after getting an authorization error. This function returns the registry
+	// authentication header value in base64 encoded format, or an error if the
+	// privilege request fails.
+	//
+	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
+	PrivilegeFunc func() (string, error)
+	Platform      string
+}
+
+// PushOptions holds information to push images.
+type PushOptions PullOptions
+
+// ListOptions holds parameters to list images with.
+type ListOptions struct {
+	// All controls whether all images in the graph are filtered, or just
+	// the heads.
+	All bool
+
+	// Filters is a JSON-encoded set of filter arguments.
+	Filters filters.Args
+
+	// SharedSize indicates whether the shared size of images should be computed.
+	SharedSize bool
+
+	// ContainerCount indicates whether container count should be computed.
+	ContainerCount bool
+}
+
+// RemoveOptions holds parameters to remove images.
+type RemoveOptions struct {
+	Force         bool
+	PruneChildren bool
 }
--- a/api/types/mount/mount.go
+++ b/api/types/mount/mount.go
@@ -96,6 +96,7 @@ type BindOptions struct {
 type VolumeOptions struct {
 	NoCopy       bool              `json:",omitempty"`
 	Labels       map[string]string `json:",omitempty"`
+	Subpath      string            `json:",omitempty"`
 	DriverConfig *Driver           `json:",omitempty"`
 }

--- a/api/types/network/endpoint.go
+++ b/api/types/network/endpoint.go
@@ -13,7 +13,10 @@ type EndpointSettings struct {
 	// Configurations
 	IPAMConfig *EndpointIPAMConfig
 	Links      []string
-	Aliases    []string
+	Aliases    []string // Aliases holds the list of extra, user-specified DNS names for this endpoint.
+	// MacAddress may be used to specify a MAC address when the container is created.
+	// Once the container is running, it becomes operational data (it may contain a
+	// generated address).
 	MacAddress string
 	// Operational data
 	NetworkID           string
@@ -25,6 +28,9 @@ type EndpointSettings struct {
 	GlobalIPv6Address   string
 	GlobalIPv6PrefixLen int
 	DriverOpts          map[string]string
+	// DNSNames holds all the (non fully qualified) DNS names associated to this endpoint. First entry is used to
+	// generate PTR records.
+	DNSNames []string
 }

 // Copy makes a deep copy of `EndpointSettings`
@@ -43,6 +49,12 @@ func (es *EndpointSettings) Copy() *EndpointSettings {
 		aliases := make([]string, 0, len(es.Aliases))
 		epCopy.Aliases = append(aliases, es.Aliases...)
 	}
+
+	if len(es.DNSNames) > 0 {
+		epCopy.DNSNames = make([]string, len(es.DNSNames))
+		copy(epCopy.DNSNames, es.DNSNames)
+	}
+
 	return &epCopy
 }

--- a/api/types/network/ipam.go
+++ b/api/types/network/ipam.go
@@ -30,30 +30,9 @@ const (
 	ip6 ipFamily = "IPv6"
 )

-// HasIPv6Subnets checks whether there's any IPv6 subnets in the ipam parameter. It ignores any invalid Subnet and nil
-// ipam.
-func HasIPv6Subnets(ipam *IPAM) bool {
-	if ipam == nil {
-		return false
-	}
-
-	for _, cfg := range ipam.Config {
-		subnet, err := netip.ParsePrefix(cfg.Subnet)
-		if err != nil {
-			continue
-		}
-
-		if subnet.Addr().Is6() {
-			return true
-		}
-	}
-
-	return false
-}
-
 // ValidateIPAM checks whether the network's IPAM passed as argument is valid. It returns a joinError of the list of
 // errors found.
-func ValidateIPAM(ipam *IPAM) error {
+func ValidateIPAM(ipam *IPAM, enableIPv6 bool) error {
 	if ipam == nil {
 		return nil
 	}
@@ -70,6 +49,10 @@ func ValidateIPAM(ipam *IPAM) error {
 			subnetFamily = ip6
 		}

+		if !enableIPv6 && subnetFamily == ip6 {
+			continue
+		}
+
 		if subnet != subnet.Masked() {
 			errs = append(errs, fmt.Errorf("invalid subnet %s: it should be %s", subnet, subnet.Masked()))
 		}
--- a/api/types/network/ipam_test.go
+++ b/api/types/network/ipam_test.go
@@ -30,6 +30,12 @@ func TestNetworkWithInvalidIPAM(t *testing.T) {
 				"invalid auxiliary address DefaultGatewayIPv4: parent subnet is an IPv4 block",
 			},
 		},
+		{
+			// Regression test for https://github.com/moby/moby/issues/47202
+			name: "IPv6 subnet is discarded with no error when IPv6 is disabled",
+			ipam: IPAM{Config: []IPAMConfig{{Subnet: "2001:db8::/32"}}},
+			ipv6: false,
+		},
 		{
 			name: "Invalid data - Subnet",
 			ipam: IPAM{Config: []IPAMConfig{{Subnet: "foobar"}}},
@@ -122,7 +128,7 @@ func TestNetworkWithInvalidIPAM(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

-			errs := ValidateIPAM(&tc.ipam)
+			errs := ValidateIPAM(&tc.ipam, tc.ipv6)
 			if tc.expectedErrors == nil {
 				assert.NilError(t, errs)
 				return
--- a/api/types/registry/registry.go
+++ b/api/types/registry/registry.go
@@ -94,7 +94,7 @@ type SearchResult struct {
 	Name string `json:"name"`
 	// IsAutomated indicates whether the result is automated.
 	//
-	// Deprecated: the "is_automated" field is deprecated and will always be "false" in the future.
+	// Deprecated: the "is_automated" field is deprecated and will always be "false".
 	IsAutomated bool `json:"is_automated"`
 	// Description is a textual description of the repository
 	Description string `json:"description"`
--- a/api/types/system/info.go
+++ b/api/types/system/info.go
@@ -58,7 +58,7 @@ type Info struct {
 	Labels             []string
 	ExperimentalBuild  bool
 	ServerVersion      string
-	Runtimes           map[string]Runtime
+	Runtimes           map[string]RuntimeWithStatus
 	DefaultRuntime     string
 	Swarm              swarm.Info
 	// LiveRestoreEnabled determines whether containers should be kept
--- a/api/types/system/runtime.go
+++ b/api/types/system/runtime.go
@@ -12,3 +12,9 @@ type Runtime struct {
 	Type    string                 `json:"runtimeType,omitempty"`
 	Options map[string]interface{} `json:"options,omitempty"`
 }
+
+// RuntimeWithStatus extends [Runtime] to hold [RuntimeStatus].
+type RuntimeWithStatus struct {
+	Runtime
+	Status map[string]string `json:"status,omitempty"`
+}
--- a/api/types/types.go
+++ b/api/types/types.go
@@ -72,19 +72,26 @@ type ImageInspect struct {

 	// Created is the date and time at which the image was created, formatted in
 	// RFC 3339 nano-seconds (time.RFC3339Nano).
-	Created string
+	//
+	// This information is only available if present in the image,
+	// and omitted otherwise.
+	Created string `json:",omitempty"`

 	// Container is the ID of the container that was used to create the image.
 	//
 	// Depending on how the image was created, this field may be empty.
-	Container string
+	//
+	// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
+	Container string `json:",omitempty"`

 	// ContainerConfig is an optional field containing the configuration of the
 	// container that was last committed when creating the image.
 	//
 	// Previous versions of Docker builder used this field to store build cache,
 	// and it is not in active use anymore.
-	ContainerConfig *container.Config
+	//
+	// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
+	ContainerConfig *container.Config `json:",omitempty"`

 	// DockerVersion is the version of Docker that was used to build the image.
 	//
@@ -335,17 +342,27 @@ type SummaryNetworkSettings struct {
 	Networks map[string]*network.EndpointSettings
 }

-// NetworkSettingsBase holds basic information about networks
+// NetworkSettingsBase holds networking state for a container when inspecting it.
 type NetworkSettingsBase struct {
-	Bridge                 string      // Bridge is the Bridge name the network uses(e.g. `docker0`)
-	SandboxID              string      // SandboxID uniquely represents a container's network stack
-	HairpinMode            bool        // HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
-	LinkLocalIPv6Address   string      // LinkLocalIPv6Address is an IPv6 unicast address using the link-local prefix
-	LinkLocalIPv6PrefixLen int         // LinkLocalIPv6PrefixLen is the prefix length of an IPv6 unicast address
-	Ports                  nat.PortMap // Ports is a collection of PortBinding indexed by Port
-	SandboxKey             string      // SandboxKey identifies the sandbox
-	SecondaryIPAddresses   []network.Address
-	SecondaryIPv6Addresses []network.Address
+	Bridge     string      // Bridge contains the name of the default bridge interface iff it was set through the daemon --bridge flag.
+	SandboxID  string      // SandboxID uniquely represents a container's network stack
+	SandboxKey string      // SandboxKey identifies the sandbox
+	Ports      nat.PortMap // Ports is a collection of PortBinding indexed by Port
+
+	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	HairpinMode bool
+	// LinkLocalIPv6Address is an IPv6 unicast address using the link-local prefix
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	LinkLocalIPv6Address string
+	// LinkLocalIPv6PrefixLen is the prefix length of an IPv6 unicast address
+	//
+	// Deprecated: This field is never set and will be removed in a future release.
+	LinkLocalIPv6PrefixLen int
+	SecondaryIPAddresses   []network.Address // Deprecated: This field is never set and will be removed in a future release.
+	SecondaryIPv6Addresses []network.Address // Deprecated: This field is never set and will be removed in a future release.
 }

 // DefaultNetworkSettings holds network information
--- a/api/types/types_deprecated.go
+++ b/api/types/types_deprecated.go
@@ -1,138 +1,35 @@
 package types

 import (
-	"github.com/docker/docker/api/types/checkpoint"
-	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/swarm"
-	"github.com/docker/docker/api/types/system"
 )

-// CheckpointCreateOptions holds parameters to create a checkpoint from a container.
+// ImageImportOptions holds information to import images from the client host.
 //
-// Deprecated: use [checkpoint.CreateOptions].
-type CheckpointCreateOptions = checkpoint.CreateOptions
+// Deprecated: use [image.ImportOptions].
+type ImageImportOptions = image.ImportOptions

-// CheckpointListOptions holds parameters to list checkpoints for a container
+// ImageCreateOptions holds information to create images.
 //
-// Deprecated: use [checkpoint.ListOptions].
-type CheckpointListOptions = checkpoint.ListOptions
+// Deprecated: use [image.CreateOptions].
+type ImageCreateOptions = image.CreateOptions

-// CheckpointDeleteOptions holds parameters to delete a checkpoint from a container
+// ImagePullOptions holds information to pull images.
 //
-// Deprecated: use [checkpoint.DeleteOptions].
-type CheckpointDeleteOptions = checkpoint.DeleteOptions
+// Deprecated: use [image.PullOptions].
+type ImagePullOptions = image.PullOptions

-// Checkpoint represents the details of a checkpoint when listing endpoints.
+// ImagePushOptions holds information to push images.
 //
-// Deprecated: use [checkpoint.Summary].
-type Checkpoint = checkpoint.Summary
+// Deprecated: use [image.PushOptions].
+type ImagePushOptions = image.PushOptions

-// Info contains response of Engine API:
-// GET "/info"
+// ImageListOptions holds parameters to list images with.
 //
-// Deprecated: use [system.Info].
-type Info = system.Info
+// Deprecated: use [image.ListOptions].
+type ImageListOptions = image.ListOptions

-// Commit holds the Git-commit (SHA1) that a binary was built from, as reported
-// in the version-string of external tools, such as containerd, or runC.
+// ImageRemoveOptions holds parameters to remove images.
 //
-// Deprecated: use [system.Commit].
-type Commit = system.Commit
-
-// PluginsInfo is a temp struct holding Plugins name
-// registered with docker daemon. It is used by [system.Info] struct
-//
-// Deprecated: use [system.PluginsInfo].
-type PluginsInfo = system.PluginsInfo
-
-// NetworkAddressPool is a temp struct used by [system.Info] struct.
-//
-// Deprecated: use [system.NetworkAddressPool].
-type NetworkAddressPool = system.NetworkAddressPool
-
-// Runtime describes an OCI runtime.
-//
-// Deprecated: use [system.Runtime].
-type Runtime = system.Runtime
-
-// SecurityOpt contains the name and options of a security option.
-//
-// Deprecated: use [system.SecurityOpt].
-type SecurityOpt = system.SecurityOpt
-
-// KeyValue holds a key/value pair.
-//
-// Deprecated: use [system.KeyValue].
-type KeyValue = system.KeyValue
-
-// ImageDeleteResponseItem image delete response item.
-//
-// Deprecated: use [image.DeleteResponse].
-type ImageDeleteResponseItem = image.DeleteResponse
-
-// ImageSummary image summary.
-//
-// Deprecated: use [image.Summary].
-type ImageSummary = image.Summary
-
-// ImageMetadata contains engine-local data about the image.
-//
-// Deprecated: use [image.Metadata].
-type ImageMetadata = image.Metadata
-
-// ServiceCreateResponse contains the information returned to a client
-// on the creation of a new service.
-//
-// Deprecated: use [swarm.ServiceCreateResponse].
-type ServiceCreateResponse = swarm.ServiceCreateResponse
-
-// ServiceUpdateResponse service update response.
-//
-// Deprecated: use [swarm.ServiceUpdateResponse].
-type ServiceUpdateResponse = swarm.ServiceUpdateResponse
-
-// ContainerStartOptions holds parameters to start containers.
-//
-// Deprecated: use [container.StartOptions].
-type ContainerStartOptions = container.StartOptions
-
-// ResizeOptions holds parameters to resize a TTY.
-// It can be used to resize container TTYs and
-// exec process TTYs too.
-//
-// Deprecated: use [container.ResizeOptions].
-type ResizeOptions = container.ResizeOptions
-
-// ContainerAttachOptions holds parameters to attach to a container.
-//
-// Deprecated: use [container.AttachOptions].
-type ContainerAttachOptions = container.AttachOptions
-
-// ContainerCommitOptions holds parameters to commit changes into a container.
-//
-// Deprecated: use [container.CommitOptions].
-type ContainerCommitOptions = container.CommitOptions
-
-// ContainerListOptions holds parameters to list containers with.
-//
-// Deprecated: use [container.ListOptions].
-type ContainerListOptions = container.ListOptions
-
-// ContainerLogsOptions holds parameters to filter logs with.
-//
-// Deprecated: use [container.LogsOptions].
-type ContainerLogsOptions = container.LogsOptions
-
-// ContainerRemoveOptions holds parameters to remove containers.
-//
-// Deprecated: use [container.RemoveOptions].
-type ContainerRemoveOptions = container.RemoveOptions
-
-// DecodeSecurityOptions decodes a security options string slice to a type safe
-// [system.SecurityOpt].
-//
-// Deprecated: use [system.DecodeSecurityOptions].
-func DecodeSecurityOptions(opts []string) ([]system.SecurityOpt, error) {
-	return system.DecodeSecurityOptions(opts)
-}
+// Deprecated: use [image.RemoveOptions].
+type ImageRemoveOptions = image.RemoveOptions
--- a/api/types/versions/README.md
+++ b/api/types/versions/README.md
@@ -1,14 +0,0 @@
-# Legacy API type versions
-
-This package includes types for legacy API versions. The stable version of the API types live in `api/types/*.go`.
-
-Consider moving a type here when you need to keep backwards compatibility in the API. This legacy types are organized by the latest API version they appear in. For instance, types in the `v1p19` package are valid for API versions below or equal `1.19`. Types in the `v1p20` package are valid for the API version `1.20`, since the versions below that will use the legacy types in `v1p19`.
-
-## Package name conventions
-
-The package name convention is to use `v` as a prefix for the version number and `p`(patch) as a separator. We use this nomenclature due to a few restrictions in the Go package name convention:
-
-1. We cannot use `.` because it's interpreted by the language, think of `v1.20.CallFunction`.
-2. We cannot use `_` because golint complains about it. The code is actually valid, but it looks probably more weird: `v1_20.CallFunction`.
-
-For instance, if you want to modify a type that was available in the version `1.21` of the API but it will have different fields in the version `1.22`, you want to create a new package under `api/types/versions/v1p21`.
--- a/api/types/versions/v1p19/types.go
+++ b/api/types/versions/v1p19/types.go
@@ -1,35 +0,0 @@
-// Package v1p19 provides specific API types for the API version 1, patch 19.
-package v1p19 // import "github.com/docker/docker/api/types/versions/v1p19"
-
-import (
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/versions/v1p20"
-	"github.com/docker/go-connections/nat"
-)
-
-// ContainerJSON is a backcompatibility struct for APIs prior to 1.20.
-// Note this is not used by the Windows daemon.
-type ContainerJSON struct {
-	*types.ContainerJSONBase
-	Volumes         map[string]string
-	VolumesRW       map[string]bool
-	Config          *ContainerConfig
-	NetworkSettings *v1p20.NetworkSettings
-}
-
-// ContainerConfig is a backcompatibility struct for APIs prior to 1.20.
-type ContainerConfig struct {
-	*container.Config
-
-	MacAddress      string
-	NetworkDisabled bool
-	ExposedPorts    map[nat.Port]struct{}
-
-	// backward compatibility, they now live in HostConfig
-	VolumeDriver string
-	Memory       int64
-	MemorySwap   int64
-	CPUShares    int64  `json:"CpuShares"`
-	CPUSet       string `json:"Cpuset"`
-}
--- a/api/types/versions/v1p20/types.go
+++ b/api/types/versions/v1p20/types.go
@@ -1,40 +0,0 @@
-// Package v1p20 provides specific API types for the API version 1, patch 20.
-package v1p20 // import "github.com/docker/docker/api/types/versions/v1p20"
-
-import (
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/go-connections/nat"
-)
-
-// ContainerJSON is a backcompatibility struct for the API 1.20
-type ContainerJSON struct {
-	*types.ContainerJSONBase
-	Mounts          []types.MountPoint
-	Config          *ContainerConfig
-	NetworkSettings *NetworkSettings
-}
-
-// ContainerConfig is a backcompatibility struct used in ContainerJSON for the API 1.20
-type ContainerConfig struct {
-	*container.Config
-
-	MacAddress      string
-	NetworkDisabled bool
-	ExposedPorts    map[nat.Port]struct{}
-
-	// backward compatibility, they now live in HostConfig
-	VolumeDriver string
-}
-
-// StatsJSON is a backcompatibility struct used in Stats for APIs prior to 1.21
-type StatsJSON struct {
-	types.Stats
-	Network types.NetworkStats `json:"network,omitempty"`
-}
-
-// NetworkSettings is a backward compatible struct for APIs prior to 1.21
-type NetworkSettings struct {
-	types.NetworkSettingsBase
-	types.DefaultNetworkSettings
-}
--- a/api/types/volume/cluster_volume.go
+++ b/api/types/volume/cluster_volume.go
@@ -238,13 +238,13 @@ type TopologyRequirement struct {
 	// If requisite is specified, all topologies in preferred list MUST
 	// also be present in the list of requisite topologies.
 	//
-	// If the SP is unable to to make the provisioned volume available
+	// If the SP is unable to make the provisioned volume available
 	// from any of the preferred topologies, the SP MAY choose a topology
 	// from the list of requisite topologies.
 	// If the list of requisite topologies is not specified, then the SP
 	// MAY choose from the list of all possible topologies.
 	// If the list of requisite topologies is specified and the SP is
-	// unable to to make the provisioned volume available from any of the
+	// unable to make the provisioned volume available from any of the
 	// requisite topologies it MUST fail the CreateVolume call.
 	//
 	// Example 1:
@@ -254,7 +254,7 @@ type TopologyRequirement struct {
 	//   {"region": "R1", "zone": "Z3"}
 	// preferred =
 	//   {"region": "R1", "zone": "Z3"}
-	// then the the SP SHOULD first attempt to make the provisioned volume
+	// then the SP SHOULD first attempt to make the provisioned volume
 	// available from "zone" "Z3" in the "region" "R1" and fall back to
 	// "zone" "Z2" in the "region" "R1" if that is not possible.
 	//
@@ -268,7 +268,7 @@ type TopologyRequirement struct {
 	// preferred =
 	//   {"region": "R1", "zone": "Z4"},
 	//   {"region": "R1", "zone": "Z2"}
-	// then the the SP SHOULD first attempt to make the provisioned volume
+	// then the SP SHOULD first attempt to make the provisioned volume
 	// accessible from "zone" "Z4" in the "region" "R1" and fall back to
 	// "zone" "Z2" in the "region" "R1" if that is not possible. If that
 	// is not possible, the SP may choose between either the "zone"
@@ -287,7 +287,7 @@ type TopologyRequirement struct {
 	// preferred =
 	//   {"region": "R1", "zone": "Z5"},
 	//   {"region": "R1", "zone": "Z3"}
-	// then the the SP SHOULD first attempt to make the provisioned volume
+	// then the SP SHOULD first attempt to make the provisioned volume
 	// accessible from the combination of the two "zones" "Z5" and "Z3" in
 	// the "region" "R1". If that's not possible, it should fall back to
 	// a combination of "Z5" and other possibilities from the list of
--- a/builder/builder-next/adapters/containerimage/pull.go
+++ b/builder/builder-next/adapters/containerimage/pull.go
@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
 package containerimage

 import (
@@ -6,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"path"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -31,14 +35,15 @@ import (
 	pkgprogress "github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/reference"
 	"github.com/moby/buildkit/cache"
-	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/client/llb/sourceresolver"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/source/containerimage"
 	srctypes "github.com/moby/buildkit/source/types"
 	"github.com/moby/buildkit/sourcepolicy"
-	policy "github.com/moby/buildkit/sourcepolicy/pb"
 	spb "github.com/moby/buildkit/sourcepolicy/pb"
 	"github.com/moby/buildkit/util/flightcontrol"
 	"github.com/moby/buildkit/util/imageutil"
@@ -77,9 +82,77 @@ func NewSource(opt SourceOpt) (*Source, error) {
 	return &Source{SourceOpt: opt}, nil
 }

-// ID returns image scheme identifier
-func (is *Source) ID() string {
-	return srctypes.DockerImageScheme
+// Schemes returns a list of SourceOp identifier schemes that this source
+// should match.
+func (is *Source) Schemes() []string {
+	return []string{srctypes.DockerImageScheme}
+}
+
+// Identifier constructs an Identifier from the given scheme, ref, and attrs,
+// all of which come from a SourceOp.
+func (is *Source) Identifier(scheme, ref string, attrs map[string]string, platform *pb.Platform) (source.Identifier, error) {
+	return is.registryIdentifier(ref, attrs, platform)
+}
+
+// Copied from github.com/moby/buildkit/source/containerimage/source.go
+func (is *Source) registryIdentifier(ref string, attrs map[string]string, platform *pb.Platform) (source.Identifier, error) {
+	id, err := containerimage.NewImageIdentifier(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	if platform != nil {
+		id.Platform = &ocispec.Platform{
+			OS:           platform.OS,
+			Architecture: platform.Architecture,
+			Variant:      platform.Variant,
+			OSVersion:    platform.OSVersion,
+		}
+		if platform.OSFeatures != nil {
+			id.Platform.OSFeatures = append([]string{}, platform.OSFeatures...)
+		}
+	}
+
+	for k, v := range attrs {
+		switch k {
+		case pb.AttrImageResolveMode:
+			rm, err := resolver.ParseImageResolveMode(v)
+			if err != nil {
+				return nil, err
+			}
+			id.ResolveMode = rm
+		case pb.AttrImageRecordType:
+			rt, err := parseImageRecordType(v)
+			if err != nil {
+				return nil, err
+			}
+			id.RecordType = rt
+		case pb.AttrImageLayerLimit:
+			l, err := strconv.Atoi(v)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid layer limit %s", v)
+			}
+			if l <= 0 {
+				return nil, errors.Errorf("invalid layer limit %s", v)
+			}
+			id.LayerLimit = &l
+		}
+	}
+
+	return id, nil
+}
+
+func parseImageRecordType(v string) (client.UsageRecordType, error) {
+	switch client.UsageRecordType(v) {
+	case "", client.UsageRecordTypeRegular:
+		return client.UsageRecordTypeRegular, nil
+	case client.UsageRecordTypeInternal:
+		return client.UsageRecordTypeInternal, nil
+	case client.UsageRecordTypeFrontend:
+		return client.UsageRecordTypeFrontend, nil
+	default:
+		return "", errors.Errorf("invalid record type %s", v)
+	}
 }

 func (is *Source) resolveLocal(refStr string) (*image.Image, error) {
@@ -104,7 +177,7 @@ type resolveRemoteResult struct {
 	dt   []byte
 }

-func (is *Source) resolveRemote(ctx context.Context, ref string, platform *ocispec.Platform, sm *session.Manager, g session.Group) (string, digest.Digest, []byte, error) {
+func (is *Source) resolveRemote(ctx context.Context, ref string, platform *ocispec.Platform, sm *session.Manager, g session.Group) (digest.Digest, []byte, error) {
 	p := platforms.DefaultSpec()
 	if platform != nil {
 		p = *platform
@@ -113,34 +186,36 @@ func (is *Source) resolveRemote(ctx context.Context, ref string, platform *ocisp
 	key := "getconfig::" + ref + "::" + platforms.Format(p)
 	res, err := is.g.Do(ctx, key, func(ctx context.Context) (*resolveRemoteResult, error) {
 		res := resolver.DefaultPool.GetResolver(is.RegistryHosts, ref, "pull", sm, g)
-		ref, dgst, dt, err := imageutil.Config(ctx, ref, res, is.ContentStore, is.LeaseManager, platform, []*policy.Policy{})
+		dgst, dt, err := imageutil.Config(ctx, ref, res, is.ContentStore, is.LeaseManager, platform)
 		if err != nil {
 			return nil, err
 		}
 		return &resolveRemoteResult{ref: ref, dgst: dgst, dt: dt}, nil
 	})
 	if err != nil {
-		return ref, "", nil, err
+		return "", nil, err
 	}
-	return res.ref, res.dgst, res.dt, nil
+	return res.dgst, res.dt, nil
 }

 // ResolveImageConfig returns image config for an image
-func (is *Source) ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt, sm *session.Manager, g session.Group) (string, digest.Digest, []byte, error) {
+func (is *Source) ResolveImageConfig(ctx context.Context, ref string, opt sourceresolver.Opt, sm *session.Manager, g session.Group) (digest.Digest, []byte, error) {
+	if opt.ImageOpt == nil {
+		return "", nil, fmt.Errorf("can only resolve an image: %v, opt: %v", ref, opt)
+	}
 	ref, err := applySourcePolicies(ctx, ref, opt.SourcePolicies)
 	if err != nil {
-		return "", "", nil, err
+		return "", nil, err
 	}
-	resolveMode, err := source.ParseImageResolveMode(opt.ResolveMode)
+	resolveMode, err := resolver.ParseImageResolveMode(opt.ImageOpt.ResolveMode)
 	if err != nil {
-		return ref, "", nil, err
+		return "", nil, err
 	}
 	switch resolveMode {
-	case source.ResolveModeForcePull:
-		ref, dgst, dt, err := is.resolveRemote(ctx, ref, opt.Platform, sm, g)
+	case resolver.ResolveModeForcePull:
+		return is.resolveRemote(ctx, ref, opt.Platform, sm, g)
 		// TODO: pull should fallback to local in case of failure to allow offline behavior
 		// the fallback doesn't work currently
-		return ref, dgst, dt, err
 		/*
 			if err == nil {
 				return dgst, dt, err
@@ -150,10 +225,10 @@ func (is *Source) ResolveImageConfig(ctx context.Context, ref string, opt llb.Re
 			return "", dt, err
 		*/

-	case source.ResolveModeDefault:
+	case resolver.ResolveModeDefault:
 		// default == prefer local, but in the future could be smarter
 		fallthrough
-	case source.ResolveModePreferLocal:
+	case resolver.ResolveModePreferLocal:
 		img, err := is.resolveLocal(ref)
 		if err == nil {
 			if opt.Platform != nil && !platformMatches(img, opt.Platform) {
@@ -162,19 +237,19 @@ func (is *Source) ResolveImageConfig(ctx context.Context, ref string, opt llb.Re
 					path.Join(img.OS, img.Architecture, img.Variant),
 				)
 			} else {
-				return ref, "", img.RawJSON(), err
+				return "", img.RawJSON(), err
 			}
 		}
 		// fallback to remote
 		return is.resolveRemote(ctx, ref, opt.Platform, sm, g)
 	}
 	// should never happen
-	return ref, "", nil, fmt.Errorf("builder cannot resolve image %s: invalid mode %q", ref, opt.ResolveMode)
+	return "", nil, fmt.Errorf("builder cannot resolve image %s: invalid mode %q", ref, opt.ImageOpt.ResolveMode)
 }

 // Resolve returns access to pulling for an identifier
 func (is *Source) Resolve(ctx context.Context, id source.Identifier, sm *session.Manager, vtx solver.Vertex) (source.SourceInstance, error) {
-	imageIdentifier, ok := id.(*source.ImageIdentifier)
+	imageIdentifier, ok := id.(*containerimage.ImageIdentifier)
 	if !ok {
 		return nil, errors.Errorf("invalid image identifier %v", id)
 	}
@@ -198,7 +273,7 @@ type puller struct {
 	is               *Source
 	resolveLocalOnce sync.Once
 	g                flightcontrol.Group[struct{}]
-	src              *source.ImageIdentifier
+	src              *containerimage.ImageIdentifier
 	desc             ocispec.Descriptor
 	ref              string
 	config           []byte
@@ -250,7 +325,7 @@ func (p *puller) resolveLocal() {
 			}
 		}

-		if p.src.ResolveMode == source.ResolveModeDefault || p.src.ResolveMode == source.ResolveModePreferLocal {
+		if p.src.ResolveMode == resolver.ResolveModeDefault || p.src.ResolveMode == resolver.ResolveModePreferLocal {
 			ref := p.src.Reference.String()
 			img, err := p.is.resolveLocal(ref)
 			if err == nil {
@@ -299,12 +374,17 @@ func (p *puller) resolve(ctx context.Context, g session.Group) error {
 			if err != nil {
 				return struct{}{}, err
 			}
-			newRef, _, dt, err := p.is.ResolveImageConfig(ctx, ref.String(), llb.ResolveImageConfigOpt{Platform: &p.platform, ResolveMode: p.src.ResolveMode.String()}, p.sm, g)
+			_, dt, err := p.is.ResolveImageConfig(ctx, ref.String(), sourceresolver.Opt{
+				Platform: &p.platform,
+				ImageOpt: &sourceresolver.ResolveImageOpt{
+					ResolveMode: p.src.ResolveMode.String(),
+				},
+			}, p.sm, g)
 			if err != nil {
 				return struct{}{}, err
 			}

-			p.ref = newRef
+			p.ref = ref.String()
 			p.config = dt
 		}
 		return struct{}{}, nil
@@ -863,12 +943,8 @@ func applySourcePolicies(ctx context.Context, str string, spls []*spb.Policy) (s
 	if err != nil {
 		return "", errors.WithStack(err)
 	}
-	op := &pb.Op{
-		Op: &pb.Op_Source{
-			Source: &pb.SourceOp{
-				Identifier: srctypes.DockerImageScheme + "://" + ref.String(),
-			},
-		},
+	op := &pb.SourceOp{
+		Identifier: srctypes.DockerImageScheme + "://" + ref.String(),
 	}

 	mut, err := sourcepolicy.NewEngine(spls).Evaluate(ctx, op)
@@ -881,9 +957,9 @@ func applySourcePolicies(ctx context.Context, str string, spls []*spb.Policy) (s
 			t  string
 			ok bool
 		)
-		t, newRef, ok := strings.Cut(op.GetSource().GetIdentifier(), "://")
+		t, newRef, ok := strings.Cut(op.GetIdentifier(), "://")
 		if !ok {
-			return "", errors.Errorf("could not parse ref: %s", op.GetSource().GetIdentifier())
+			return "", errors.Errorf("could not parse ref: %s", op.GetIdentifier())
 		}
 		if ok && t != srctypes.DockerImageScheme {
 			return "", &imageutil.ResolveToNonImageError{Ref: str, Updated: newRef}
--- a/builder/builder-next/adapters/snapshot/layer.go
+++ b/builder/builder-next/adapters/snapshot/layer.go
@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
 }

 func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+	s.layerCreateLocker.Lock(key)
+	defer s.layerCreateLocker.Unlock(key)
+
 	diffIDs, err := s.GetDiffIDs(ctx, key)
 	if err != nil {
 		return nil, err
@@ -78,7 +81,7 @@ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.Diff
 				parent, _ = s.getGraphDriverID(info.Parent)
 			}
 		}
-		diffID, size, err = s.reg.ChecksumForGraphID(id, parent, "", tarSplitPath)
+		diffID, size, err = s.reg.ChecksumForGraphID(id, parent, tarSplitPath)
 		return err
 	})

--- a/builder/builder-next/adapters/snapshot/snapshot.go
+++ b/builder/builder-next/adapters/snapshot/snapshot.go
@@ -17,6 +17,7 @@ import (
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/util/leaseutil"
+	"github.com/moby/locker"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	bolt "go.etcd.io/bbolt"
@@ -45,16 +46,17 @@ type graphIDRegistrar interface {
 }

 type checksumCalculator interface {
-	ChecksumForGraphID(id, parent, oldTarDataPath, newTarDataPath string) (diffID layer.DiffID, size int64, err error)
+	ChecksumForGraphID(id, parent, newTarDataPath string) (diffID layer.DiffID, size int64, err error)
 }

 type snapshotter struct {
 	opt Opt

-	refs map[string]layer.Layer
-	db   *bolt.DB
-	mu   sync.Mutex
-	reg  graphIDRegistrar
+	refs              map[string]layer.Layer
+	db                *bolt.DB
+	mu                sync.Mutex
+	reg               graphIDRegistrar
+	layerCreateLocker *locker.Locker
 }

 // NewSnapshotter creates a new snapshotter
@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
 	}

 	s := &snapshotter{
-		opt:  opt,
-		db:   db,
-		refs: map[string]layer.Layer{},
-		reg:  reg,
+		opt:               opt,
+		db:                db,
+		refs:              map[string]layer.Layer{},
+		reg:               reg,
+		layerCreateLocker: locker.New(),
 	}

 	slm := newLeaseManager(s, prevLM)
--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@@ -389,9 +389,10 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
 	}

 	req := &controlapi.SolveRequest{
-		Ref:           id,
-		Exporter:      exporterName,
-		ExporterAttrs: exporterAttrs,
+		Ref: id,
+		Exporters: []*controlapi.Exporter{
+			&controlapi.Exporter{Type: exporterName, Attrs: exporterAttrs},
+		},
 		Frontend:      "dockerfile.v0",
 		FrontendAttrs: frontendAttrs,
 		Session:       opt.Options.SessionID,
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"runtime"
 	"time"

 	ctd "github.com/containerd/containerd"
@@ -66,11 +67,11 @@ func newController(ctx context.Context, rt http.RoundTripper, opt Opt) (*control
 }

 func getTraceExporter(ctx context.Context) trace.SpanExporter {
-	exp, err := detect.Exporter()
+	span, _, err := detect.Exporter()
 	if err != nil {
 		log.G(ctx).WithError(err).Error("Failed to detect trace exporter for buildkit controller")
 	}
-	return exp
+	return span
 }

 func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt) (*control.Controller, error) {
@@ -91,12 +92,21 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 	nc := netproviders.Opt{
 		Mode: "host",
 	}
+
+	// HACK! Windows doesn't have 'host' mode networking.
+	if runtime.GOOS == "windows" {
+		nc = netproviders.Opt{
+			Mode: "auto",
+		}
+	}
+
 	dns := getDNSConfig(opt.DNSConfig)

 	wo, err := containerd.NewWorkerOpt(opt.Root, opt.ContainerdAddress, opt.Snapshotter, opt.ContainerdNamespace,
 		opt.Rootless, map[string]string{
 			label.Snapshotter: opt.Snapshotter,
-		}, dns, nc, opt.ApparmorProfile, false, nil, "", ctd.WithTimeout(60*time.Second))
+		}, dns, nc, opt.ApparmorProfile, false, nil, "", nil, ctd.WithTimeout(60*time.Second),
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -133,8 +143,8 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 		return nil, err
 	}
 	frontends := map[string]frontend.Frontend{
-		"dockerfile.v0": forwarder.NewGatewayForwarder(wc, dockerfile.Build),
-		"gateway.v0":    gateway.NewGatewayFrontend(wc),
+		"dockerfile.v0": forwarder.NewGatewayForwarder(wc.Infos(), dockerfile.Build),
+		"gateway.v0":    gateway.NewGatewayFrontend(wc.Infos()),
 	}

 	return control.NewController(control.Opt{
@@ -293,9 +303,11 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 	}

 	exp, err := mobyexporter.New(mobyexporter.Opt{
-		ImageStore:  dist.ImageStore,
-		Differ:      differ,
-		ImageTagger: opt.ImageTagger,
+		ImageStore:   dist.ImageStore,
+		ContentStore: store,
+		Differ:       differ,
+		ImageTagger:  opt.ImageTagger,
+		LeaseManager: lm,
 	})
 	if err != nil {
 		return nil, err
@@ -355,8 +367,8 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 	wc.Add(w)

 	frontends := map[string]frontend.Frontend{
-		"dockerfile.v0": forwarder.NewGatewayForwarder(wc, dockerfile.Build),
-		"gateway.v0":    gateway.NewGatewayFrontend(wc),
+		"dockerfile.v0": forwarder.NewGatewayForwarder(wc.Infos(), dockerfile.Build),
+		"gateway.v0":    gateway.NewGatewayFrontend(wc.Infos()),
 	}

 	return control.NewController(control.Opt{
--- a/builder/builder-next/executor_linux.go
+++ b/builder/builder-next/executor_linux.go
@@ -16,6 +16,7 @@ import (
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
 	"github.com/moby/buildkit/executor/resources"
+	resourcestypes "github.com/moby/buildkit/executor/resources/types"
 	"github.com/moby/buildkit/executor/runcexecutor"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/solver/pb"
@@ -56,9 +57,16 @@ func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfi
 		return nil, err
 	}

+	runcCmds := []string{"runc"}
+
+	// TODO: FIXME: testing env var, replace with something better or remove in a major version or two
+	if runcOverride := os.Getenv("DOCKER_BUILDKIT_RUNC_COMMAND"); runcOverride != "" {
+		runcCmds = []string{runcOverride}
+	}
+
 	return runcexecutor.New(runcexecutor.Opt{
 		Root:                filepath.Join(root, "executor"),
-		CommandCandidates:   []string{"runc"},
+		CommandCandidates:   runcCmds,
 		DefaultCgroupParent: cgroupParent,
 		Rootless:            rootless,
 		NoPivot:             os.Getenv("DOCKER_RAMDISK") != "",
@@ -128,8 +136,8 @@ func (iface *lnInterface) init(c *libnetwork.Controller, n *libnetwork.Network)
 }

 // TODO(neersighted): Unstub Sample(), and collect data from the libnetwork Endpoint.
-func (iface *lnInterface) Sample() (*network.Sample, error) {
-	return &network.Sample{}, nil
+func (iface *lnInterface) Sample() (*resourcestypes.NetworkSample, error) {
+	return &resourcestypes.NetworkSample{}, nil
 }

 func (iface *lnInterface) Set(s *specs.Spec) error {
--- a/builder/builder-next/exporter/mobyexporter/export.go
+++ b/builder/builder-next/exporter/mobyexporter/export.go
@@ -1,24 +1,27 @@
 package mobyexporter

 import (
+	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"

+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/leases"
+	"github.com/containerd/log"
 	distref "github.com/distribution/reference"
 	"github.com/docker/docker/image"
+	"github.com/docker/docker/internal/compatcontext"
 	"github.com/docker/docker/layer"
 	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/exporter/containerimage"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
+	"github.com/moby/buildkit/util/leaseutil"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )

-const (
-	keyImageName = "name"
-)
-
 // Differ can make a moby layer from a snapshot
 type Differ interface {
 	EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error)
@@ -30,9 +33,11 @@ type ImageTagger interface {

 // Opt defines a struct for creating new exporter
 type Opt struct {
-	ImageStore  image.Store
-	Differ      Differ
-	ImageTagger ImageTagger
+	ImageStore   image.Store
+	Differ       Differ
+	ImageTagger  ImageTagger
+	ContentStore content.Store
+	LeaseManager leases.Manager
 }

 type imageExporter struct {
@@ -45,13 +50,14 @@ func New(opt Opt) (exporter.Exporter, error) {
 	return im, nil
 }

-func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exporter.ExporterInstance, error) {
+func (e *imageExporter) Resolve(ctx context.Context, id int, opt map[string]string) (exporter.ExporterInstance, error) {
 	i := &imageExporterInstance{
 		imageExporter: e,
+		id:            id,
 	}
 	for k, v := range opt {
-		switch k {
-		case keyImageName:
+		switch exptypes.ImageExporterOptKey(k) {
+		case exptypes.OptKeyName:
 			for _, v := range strings.Split(v, ",") {
 				ref, err := distref.ParseNormalizedNamed(v)
 				if err != nil {
@@ -71,10 +77,15 @@ func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exp

 type imageExporterInstance struct {
 	*imageExporter
+	id          int
 	targetNames []distref.Named
 	meta        map[string][]byte
 }

+func (e *imageExporterInstance) ID() int {
+	return e.id
+}
+
 func (e *imageExporterInstance) Name() string {
 	return "exporting to image"
 }
@@ -83,7 +94,7 @@ func (e *imageExporterInstance) Config() *exporter.Config {
 	return exporter.NewConfig()
 }

-func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source, sessionID string) (map[string]string, exporter.DescriptorReference, error) {
+func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source, inlineCache exptypes.InlineCache, sessionID string) (map[string]string, exporter.DescriptorReference, error) {
 	if len(inp.Refs) > 1 {
 		return nil, nil, fmt.Errorf("exporting multiple references to image store is currently unsupported")
 	}
@@ -103,18 +114,14 @@ func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source
 	case 0:
 		config = inp.Metadata[exptypes.ExporterImageConfigKey]
 	case 1:
-		platformsBytes, ok := inp.Metadata[exptypes.ExporterPlatformsKey]
-		if !ok {
-			return nil, nil, fmt.Errorf("cannot export image, missing platforms mapping")
+		ps, err := exptypes.ParsePlatforms(inp.Metadata)
+		if err != nil {
+			return nil, nil, fmt.Errorf("cannot export image, failed to parse platforms: %w", err)
 		}
-		var p exptypes.Platforms
-		if err := json.Unmarshal(platformsBytes, &p); err != nil {
-			return nil, nil, errors.Wrapf(err, "failed to parse platforms passed to exporter")
+		if len(ps.Platforms) != len(inp.Refs) {
+			return nil, nil, errors.Errorf("number of platforms does not match references %d %d", len(ps.Platforms), len(inp.Refs))
 		}
-		if len(p.Platforms) != len(inp.Refs) {
-			return nil, nil, errors.Errorf("number of platforms does not match references %d %d", len(p.Platforms), len(inp.Refs))
-		}
-		config = inp.Metadata[fmt.Sprintf("%s/%s", exptypes.ExporterImageConfigKey, p.Platforms[0].ID)]
+		config = inp.Metadata[fmt.Sprintf("%s/%s", exptypes.ExporterImageConfigKey, ps.Platforms[0].ID)]
 	}

 	var diffs []digest.Digest
@@ -157,7 +164,21 @@ func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source

 	diffs, history = normalizeLayersAndHistory(diffs, history, ref)

-	config, err = patchImageConfig(config, diffs, history, inp.Metadata[exptypes.ExporterInlineCache])
+	var inlineCacheEntry *exptypes.InlineCacheEntry
+	if inlineCache != nil {
+		inlineCacheResult, err := inlineCache(ctx)
+		if err != nil {
+			return nil, nil, err
+		}
+		if inlineCacheResult != nil {
+			if ref != nil {
+				inlineCacheEntry, _ = inlineCacheResult.FindRef(ref.ID())
+			} else {
+				inlineCacheEntry = inlineCacheResult.Ref
+			}
+		}
+	}
+	config, err = patchImageConfig(config, diffs, history, inlineCacheEntry)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -171,8 +192,10 @@ func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source
 	}
 	_ = configDone(nil)

-	if e.opt.ImageTagger != nil {
-		for _, targetName := range e.targetNames {
+	var names []string
+	for _, targetName := range e.targetNames {
+		names = append(names, targetName.String())
+		if e.opt.ImageTagger != nil {
 			tagDone := oneOffProgress(ctx, "naming to "+targetName.String())
 			if err := e.opt.ImageTagger.TagImage(ctx, image.ID(digest.Digest(id)), targetName); err != nil {
 				return nil, nil, tagDone(err)
@@ -181,8 +204,49 @@ func (e *imageExporterInstance) Export(ctx context.Context, inp *exporter.Source
 		}
 	}

-	return map[string]string{
+	resp := map[string]string{
 		exptypes.ExporterImageConfigDigestKey: configDigest.String(),
 		exptypes.ExporterImageDigestKey:       id.String(),
-	}, nil, nil
+	}
+	if len(names) > 0 {
+		resp["image.name"] = strings.Join(names, ",")
+	}
+
+	descRef, err := e.newTempReference(ctx, config)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create a temporary descriptor reference: %w", err)
+	}
+
+	return resp, descRef, nil
+}
+
+func (e *imageExporterInstance) newTempReference(ctx context.Context, config []byte) (exporter.DescriptorReference, error) {
+	lm := e.opt.LeaseManager
+
+	dgst := digest.FromBytes(config)
+	leaseCtx, done, err := leaseutil.WithLease(ctx, lm, leaseutil.MakeTemporary)
+	if err != nil {
+		return nil, err
+	}
+
+	unlease := func(ctx context.Context) error {
+		err := done(compatcontext.WithoutCancel(ctx))
+		if err != nil {
+			log.G(ctx).WithError(err).Error("failed to delete descriptor reference lease")
+		}
+		return err
+	}
+
+	desc := ocispec.Descriptor{
+		Digest:    dgst,
+		MediaType: "application/vnd.docker.container.image.v1+json",
+		Size:      int64(len(config)),
+	}
+
+	if err := content.WriteBlob(leaseCtx, e.opt.ContentStore, desc.Digest.String(), bytes.NewReader(config), desc); err != nil {
+		unlease(leaseCtx)
+		return nil, fmt.Errorf("failed to save temporary image config: %w", err)
+	}
+
+	return containerimage.NewDescriptorReference(desc, unlease), nil
 }
--- a/builder/builder-next/exporter/mobyexporter/writer.go
+++ b/builder/builder-next/exporter/mobyexporter/writer.go
@@ -8,6 +8,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/log"
 	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/util/progress"
 	"github.com/moby/buildkit/util/system"
 	"github.com/opencontainers/go-digest"
@@ -38,7 +39,7 @@ func parseHistoryFromConfig(dt []byte) ([]ocispec.History, error) {
 	return config.History, nil
 }

-func patchImageConfig(dt []byte, dps []digest.Digest, history []ocispec.History, cache []byte) ([]byte, error) {
+func patchImageConfig(dt []byte, dps []digest.Digest, history []ocispec.History, cache *exptypes.InlineCacheEntry) ([]byte, error) {
 	m := map[string]json.RawMessage{}
 	if err := json.Unmarshal(dt, &m); err != nil {
 		return nil, errors.Wrap(err, "failed to parse image config for patch")
@@ -75,7 +76,7 @@ func patchImageConfig(dt []byte, dps []digest.Digest, history []ocispec.History,
 	}

 	if cache != nil {
-		dt, err := json.Marshal(cache)
+		dt, err := json.Marshal(cache.Data)
 		if err != nil {
 			return nil, err
 		}
--- a/builder/builder-next/exporter/overrides/wrapper.go
+++ b/builder/builder-next/exporter/overrides/wrapper.go
@@ -19,7 +19,7 @@ func NewExporterWrapper(exp exporter.Exporter) (exporter.Exporter, error) {
 }

 // Resolve applies moby specific attributes to the request.
-func (e *imageExporterMobyWrapper) Resolve(ctx context.Context, exporterAttrs map[string]string) (exporter.ExporterInstance, error) {
+func (e *imageExporterMobyWrapper) Resolve(ctx context.Context, id int, exporterAttrs map[string]string) (exporter.ExporterInstance, error) {
 	if exporterAttrs == nil {
 		exporterAttrs = make(map[string]string)
 	}
@@ -33,5 +33,5 @@ func (e *imageExporterMobyWrapper) Resolve(ctx context.Context, exporterAttrs ma
 		exporterAttrs[string(exptypes.OptKeyDanglingPrefix)] = "moby-dangling"
 	}

-	return e.exp.Resolve(ctx, exporterAttrs)
+	return e.exp.Resolve(ctx, id, exporterAttrs)
 }
--- a/builder/builder-next/worker/worker.go
+++ b/builder/builder-next/worker/worker.go
@@ -12,7 +12,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/rootfs"
 	"github.com/containerd/log"
-	"github.com/docker/docker/builder/builder-next/adapters/containerimage"
+	imageadapter "github.com/docker/docker/builder/builder-next/adapters/containerimage"
 	mobyexporter "github.com/docker/docker/builder/builder-next/exporter"
 	distmetadata "github.com/docker/docker/distribution/metadata"
 	"github.com/docker/docker/distribution/xfer"
@@ -23,7 +23,7 @@ import (
 	"github.com/moby/buildkit/cache"
 	cacheconfig "github.com/moby/buildkit/cache/config"
 	"github.com/moby/buildkit/client"
-	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/client/llb/sourceresolver"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/exporter"
 	localexporter "github.com/moby/buildkit/exporter/local"
@@ -37,6 +37,7 @@ import (
 	"github.com/moby/buildkit/solver/llbsolver/ops"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/source/containerimage"
 	"github.com/moby/buildkit/source/git"
 	"github.com/moby/buildkit/source/http"
 	"github.com/moby/buildkit/source/local"
@@ -75,7 +76,7 @@ type Opt struct {
 	ContentStore      *containerdsnapshot.Store
 	CacheManager      cache.Manager
 	LeaseManager      *leaseutil.Manager
-	ImageSource       *containerimage.Source
+	ImageSource       *imageadapter.Source
 	DownloadManager   *xfer.LayerDownloadManager
 	V2MetadataService distmetadata.V2MetadataService
 	Transport         nethttp.RoundTripper
@@ -212,6 +213,49 @@ func (w *Worker) LoadRef(ctx context.Context, id string, hidden bool) (cache.Imm
 	return w.CacheManager().Get(ctx, id, nil, opts...)
 }

+func (w *Worker) ResolveSourceMetadata(ctx context.Context, op *pb.SourceOp, opt sourceresolver.Opt, sm *session.Manager, g session.Group) (*sourceresolver.MetaResponse, error) {
+	if opt.SourcePolicies != nil {
+		return nil, errors.New("source policies can not be set for worker")
+	}
+
+	var platform *pb.Platform
+	if p := opt.Platform; p != nil {
+		platform = &pb.Platform{
+			Architecture: p.Architecture,
+			OS:           p.OS,
+			Variant:      p.Variant,
+			OSVersion:    p.OSVersion,
+		}
+	}
+
+	id, err := w.SourceManager.Identifier(&pb.Op_Source{Source: op}, platform)
+	if err != nil {
+		return nil, err
+	}
+
+	switch idt := id.(type) {
+	case *containerimage.ImageIdentifier:
+		if opt.ImageOpt == nil {
+			opt.ImageOpt = &sourceresolver.ResolveImageOpt{}
+		}
+		dgst, config, err := w.ImageSource.ResolveImageConfig(ctx, idt.Reference.String(), opt, sm, g)
+		if err != nil {
+			return nil, err
+		}
+		return &sourceresolver.MetaResponse{
+			Op: op,
+			Image: &sourceresolver.ResolveImageResponse{
+				Digest: dgst,
+				Config: config,
+			},
+		}, nil
+	}
+
+	return &sourceresolver.MetaResponse{
+		Op: op,
+	}, nil
+}
+
 // ResolveOp converts a LLB vertex into a LLB operation
 func (w *Worker) ResolveOp(v solver.Vertex, s frontend.FrontendLLBBridge, sm *session.Manager) (solver.Op, error) {
 	if baseOp, ok := v.Sys().(*pb.Op); ok {
@@ -236,7 +280,7 @@ func (w *Worker) ResolveOp(v solver.Vertex, s frontend.FrontendLLBBridge, sm *se
 }

 // ResolveImageConfig returns image config for an image
-func (w *Worker) ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt, sm *session.Manager, g session.Group) (string, digest.Digest, []byte, error) {
+func (w *Worker) ResolveImageConfig(ctx context.Context, ref string, opt sourceresolver.Opt, sm *session.Manager, g session.Group) (digest.Digest, []byte, error) {
 	return w.ImageSource.ResolveImageConfig(ctx, ref, opt, sm, g)
 }

@@ -526,3 +570,7 @@ type emptyProvider struct{}
 func (p *emptyProvider) ReaderAt(ctx context.Context, dec ocispec.Descriptor) (content.ReaderAt, error) {
 	return nil, errors.Errorf("ReaderAt not implemented for empty provider")
 }
+
+func (p *emptyProvider) Info(ctx context.Context, d digest.Digest) (content.Info, error) {
+	return content.Info{}, errors.Errorf("Info not implemented for empty provider")
+}
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

 const (
@@ -62,10 +63,8 @@ type ExecBackend interface {
 	ContainerCreateIgnoreImagesArgsEscaped(ctx context.Context, config backend.ContainerCreateConfig) (container.CreateResponse, error)
 	// ContainerRm removes a container specified by `id`.
 	ContainerRm(name string, config *backend.ContainerRmConfig) error
-	// ContainerKill stops the container execution abruptly.
-	ContainerKill(containerID string, sig string) error
 	// ContainerStart starts a new container
-	ContainerStart(ctx context.Context, containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+	ContainerStart(ctx context.Context, containerID string, checkpoint string, checkpointDir string) error
 	// ContainerWait stops processing until the given container is stopped.
 	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
 }
@@ -87,7 +86,7 @@ type ImageCacheBuilder interface {
 type ImageCache interface {
 	// GetCache returns a reference to a cached image whose parent equals `parent`
 	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
-	GetCache(parentID string, cfg *container.Config) (imageID string, err error)
+	GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)
 }

 // Image represents a Docker image used by the builder.
--- a/builder/dockerfile/containerbackend.go
+++ b/builder/dockerfile/containerbackend.go
@@ -10,6 +10,7 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/builder"
 	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/pkg/errors"
 )
@@ -60,16 +61,18 @@ func (c *containerManager) Run(ctx context.Context, cID string, stdout, stderr i
 	go func() {
 		select {
 		case <-ctx.Done():
-			log.G(ctx).Debugln("Build cancelled, killing and removing container:", cID)
-			c.backend.ContainerKill(cID, "")
-			c.removeContainer(cID, stdout)
+			log.G(ctx).Debugln("Build cancelled, removing container:", cID)
+			err = c.backend.ContainerRm(cID, &backend.ContainerRmConfig{ForceRemove: true, RemoveVolume: true})
+			if err != nil {
+				_, _ = fmt.Fprintf(stdout, "Removing container %s: %v\n", stringid.TruncateID(cID), err)
+			}
 			cancelErrCh <- errCancelled
 		case <-finished:
 			cancelErrCh <- nil
 		}
 	}()

-	if err := c.backend.ContainerStart(ctx, cID, nil, "", ""); err != nil {
+	if err := c.backend.ContainerStart(ctx, cID, "", ""); err != nil {
 		close(finished)
 		logCancellationError(cancelErrCh, "error from ContainerStart: "+err.Error())
 		return err
@@ -122,23 +125,12 @@ func (e *statusCodeError) StatusCode() int {
 	return e.code
 }

-func (c *containerManager) removeContainer(containerID string, stdout io.Writer) error {
-	rmConfig := &backend.ContainerRmConfig{
-		ForceRemove:  true,
-		RemoveVolume: true,
-	}
-	if err := c.backend.ContainerRm(containerID, rmConfig); err != nil {
-		fmt.Fprintf(stdout, "Error removing intermediate container %s: %v\n", stringid.TruncateID(containerID), err)
-		return err
-	}
-	return nil
-}
-
 // RemoveAll containers managed by this container manager
 func (c *containerManager) RemoveAll(stdout io.Writer) {
 	for containerID := range c.tmpContainers {
-		if err := c.removeContainer(containerID, stdout); err != nil {
-			return
+		if err := c.backend.ContainerRm(containerID, &backend.ContainerRmConfig{ForceRemove: true, RemoveVolume: true}); err != nil && !errdefs.IsNotFound(err) {
+			_, _ = fmt.Fprintf(stdout, "Removing intermediate container %s: %v\n", stringid.TruncateID(containerID), err)
+			continue
 		}
 		delete(c.tmpContainers, containerID)
 		_, _ = fmt.Fprintf(stdout, " ---> Removed intermediate container %s\n", stringid.TruncateID(containerID))
--- a/builder/dockerfile/copy.go
+++ b/builder/dockerfile/copy.go
@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"runtime"
 	"sort"
 	"strings"
 	"time"
@@ -17,13 +16,13 @@ import (
 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/sys/symlink"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
@@ -45,7 +44,7 @@ type copyInfo struct {
 }

 func (c copyInfo) fullPath() (string, error) {
-	return containerfs.ResolveScopedPath(c.root, c.path)
+	return symlink.FollowSymlinkInScope(filepath.Join(c.root, c.path), c.root)
 }

 func newCopyInfoFromSource(source builder.Source, path string, hash string) copyInfo {
@@ -74,7 +73,7 @@ type copier struct {
 	source      builder.Source
 	pathCache   pathCache
 	download    sourceDownloader
-	platform    *ocispec.Platform
+	platform    ocispec.Platform
 	// for cleanup. TODO: having copier.cleanup() is error prone and hard to
 	// follow. Code calling performCopy should manage the lifecycle of its params.
 	// Copier should take override source as input, not imageMount.
@@ -83,19 +82,7 @@ type copier struct {
 }

 func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
-	platform := req.builder.platform
-	if platform == nil {
-		// May be nil if not explicitly set in API/dockerfile
-		platform = &ocispec.Platform{}
-	}
-	if platform.OS == "" {
-		// Default to the dispatch requests operating system if not explicit in API/dockerfile
-		platform.OS = req.state.operatingSystem
-	}
-	if platform.OS == "" {
-		// This is a failsafe just in case. Shouldn't be hit.
-		platform.OS = runtime.GOOS
-	}
+	platform := req.builder.getPlatform(req.state)

 	return copier{
 		source:      req.source,
@@ -472,7 +459,16 @@ func performCopyForInfo(dest copyInfo, source copyInfo, options copyFileOptions)
 		return copyDirectory(archiver, srcPath, destPath, options.identity)
 	}
 	if options.decompress && archive.IsArchivePath(srcPath) && !source.noDecompress {
-		return archiver.UntarPath(srcPath, destPath)
+		f, err := os.Open(srcPath)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		options := &archive.TarOptions{
+			IDMap:            archiver.IDMapping,
+			BestEffortXattrs: true,
+		}
+		return archiver.Untar(f, destPath, options)
 	}

 	destExistsAsDir, err := isExistingDirectory(destPath)
--- a/builder/dockerfile/dispatchers.go
+++ b/builder/dockerfile/dispatchers.go
@@ -348,9 +348,16 @@ func dispatchRun(ctx context.Context, d dispatchRequest, c *instructions.RunComm
 		saveCmd = prependEnvOnCmd(d.state.buildArgs, buildArgs, cmdFromArgs)
 	}

+	cacheArgsEscaped := argsEscaped
+	// ArgsEscaped is not persisted in the committed image on Windows.
+	// Use the original from previous build steps for cache probing.
+	if d.state.operatingSystem == "windows" {
+		cacheArgsEscaped = stateRunConfig.ArgsEscaped
+	}
+
 	runConfigForCacheProbe := copyRunConfig(stateRunConfig,
 		withCmd(saveCmd),
-		withArgsEscaped(argsEscaped),
+		withArgsEscaped(cacheArgsEscaped),
 		withEntrypointOverride(saveCmd, nil))
 	if hit, err := d.builder.probeCache(d.state, runConfigForCacheProbe); err != nil || hit {
 		return err
--- a/builder/dockerfile/imageprobe.go
+++ b/builder/dockerfile/imageprobe.go
@@ -6,13 +6,14 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/builder"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // ImageProber exposes an Image cache to the Builder. It supports resetting a
 // cache.
 type ImageProber interface {
 	Reset(ctx context.Context) error
-	Probe(parentID string, runConfig *container.Config) (string, error)
+	Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)
 }

 type resetFunc func(context.Context) (builder.ImageCache, error)
@@ -51,11 +52,11 @@ func (c *imageProber) Reset(ctx context.Context) error {

 // Probe checks if cache match can be found for current build instruction.
 // It returns the cachedID if there is a hit, and the empty string on miss
-func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
+func (c *imageProber) Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error) {
 	if c.cacheBusted {
 		return "", nil
 	}
-	cacheID, err := c.cache.GetCache(parentID, runConfig)
+	cacheID, err := c.cache.GetCache(parentID, runConfig, platform)
 	if err != nil {
 		return "", err
 	}
@@ -74,6 +75,6 @@ func (c *nopProber) Reset(ctx context.Context) error {
 	return nil
 }

-func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
+func (c *nopProber) Probe(_ string, _ *container.Config, _ ocispec.Platform) (string, error) {
 	return "", nil
 }
--- a/builder/dockerfile/internals.go
+++ b/builder/dockerfile/internals.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"strings"

+	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
@@ -328,7 +329,7 @@ func getShell(c *container.Config, os string) []string {
 }

 func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
-	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
+	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig, b.getPlatform(dispatchState))
 	if cachedID == "" || err != nil {
 		return false, err
 	}
@@ -388,3 +389,17 @@ func hostConfigFromOptions(options *types.ImageBuildOptions) *container.HostConf
 	}
 	return hc
 }
+
+func (b *Builder) getPlatform(state *dispatchState) ocispec.Platform {
+	// May be nil if not explicitly set in API/dockerfile
+	out := platforms.DefaultSpec()
+	if b.platform != nil {
+		out = *b.platform
+	}
+
+	if state.operatingSystem != "" {
+		out.OS = state.operatingSystem
+	}
+
+	return out
+}
--- a/builder/dockerfile/mockbackend_test.go
+++ b/builder/dockerfile/mockbackend_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/layer"
 	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // MockBackend implements the builder.Backend interface for unit testing
@@ -45,11 +46,7 @@ func (m *MockBackend) CommitBuildStep(ctx context.Context, c backend.CommitConfi
 	return "", nil
 }

-func (m *MockBackend) ContainerKill(containerID string, sig string) error {
-	return nil
-}
-
-func (m *MockBackend) ContainerStart(ctx context.Context, containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error {
+func (m *MockBackend) ContainerStart(ctx context.Context, containerID string, checkpoint string, checkpointDir string) error {
 	return nil
 }

@@ -110,7 +107,7 @@ type mockImageCache struct {
 	getCacheFunc func(parentID string, cfg *container.Config) (string, error)
 }

-func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
+func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config, _ ocispec.Platform) (string, error) {
 	if mic.getCacheFunc != nil {
 		return mic.getCacheFunc(parentID, cfg)
 	}
--- a/builder/remotecontext/archive.go
+++ b/builder/remotecontext/archive.go
@@ -8,9 +8,10 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/docker/docker/pkg/longpath"
+	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/tarsum"
+	"github.com/moby/sys/symlink"
 	"github.com/pkg/errors"
 )

@@ -24,9 +25,11 @@ func (c *archiveContext) Close() error {
 }

 func convertPathError(err error, cleanpath string) error {
-	if err, ok := err.(*os.PathError); ok {
+	switch err := err.(type) {
+	case *os.PathError:
+		err.Path = cleanpath
+	case *system.XattrError:
 		err.Path = cleanpath
-		return err
 	}
 	return err
 }
@@ -117,7 +120,7 @@ func (c *archiveContext) Hash(path string) (string, error) {

 func normalize(path string, root string) (cleanPath, fullPath string, err error) {
 	cleanPath = filepath.Clean(string(filepath.Separator) + path)[1:]
-	fullPath, err = containerfs.ResolveScopedPath(root, path)
+	fullPath, err = symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
 	if err != nil {
 		return "", "", errors.Wrapf(err, "forbidden path outside the build context: %s (%s)", path, cleanPath)
 	}
--- a/builder/remotecontext/detect.go
+++ b/builder/remotecontext/detect.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"

@@ -15,10 +16,10 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 	"github.com/moby/patternmatcher"
 	"github.com/moby/patternmatcher/ignorefile"
+	"github.com/moby/sys/symlink"
 	"github.com/pkg/errors"
 )

@@ -177,7 +178,8 @@ func StatAt(remote builder.Source, path string) (os.FileInfo, error) {

 // FullPath is a helper for getting a full path for a path from a source
 func FullPath(remote builder.Source, path string) (string, error) {
-	fullPath, err := containerfs.ResolveScopedPath(remote.Root(), path)
+	remoteRoot := remote.Root()
+	fullPath, err := symlink.FollowSymlinkInScope(filepath.Join(remoteRoot, path), remoteRoot)
 	if err != nil {
 		if runtime.GOOS == "windows" {
 			return "", fmt.Errorf("failed to resolve scoped path %s (%s): %s. Possible cause is a forbidden path outside the build context", path, fullPath, err)
--- a/builder/remotecontext/urlutil/urlutil.go
+++ b/builder/remotecontext/urlutil/urlutil.go
@@ -12,7 +12,7 @@ import (

 // urlPathWithFragmentSuffix matches fragments to use as Git reference and build
 // context from the Git repository. See IsGitURL for details.
-var urlPathWithFragmentSuffix = regexp.MustCompile(".git(?:#.+)?$")
+var urlPathWithFragmentSuffix = regexp.MustCompile(`\.git(?:#.+)?$`)

 // IsURL returns true if the provided str is an HTTP(S) URL by checking if it
 // has a http:// or https:// scheme. No validation is performed to verify if the
--- a/builder/remotecontext/urlutil/urlutil_test.go
+++ b/builder/remotecontext/urlutil/urlutil_test.go
@@ -17,6 +17,7 @@ var (
 	}
 	invalidGitUrls = []string{
 		"http://github.com/docker/docker.git:#branch",
+		"https://github.com/docker/dgit",
 	}
 )

--- a/client/client.go
+++ b/client/client.go
@@ -265,17 +265,22 @@ func (cli *Client) Close() error {
 // This allows for version-dependent code to use the same version as will
 // be negotiated when making the actual requests, and for which cases
 // we cannot do the negotiation lazily.
-func (cli *Client) checkVersion(ctx context.Context) {
-	if cli.negotiateVersion && !cli.negotiated {
-		cli.NegotiateAPIVersion(ctx)
+func (cli *Client) checkVersion(ctx context.Context) error {
+	if !cli.manualOverride && cli.negotiateVersion && !cli.negotiated {
+		ping, err := cli.Ping(ctx)
+		if err != nil {
+			return err
+		}
+		cli.negotiateAPIVersionPing(ping)
 	}
+	return nil
 }

 // getAPIPath returns the versioned request path to call the API.
 // It appends the query parameters to the path if they are not empty.
 func (cli *Client) getAPIPath(ctx context.Context, p string, query url.Values) string {
 	var apiPath string
-	cli.checkVersion(ctx)
+	_ = cli.checkVersion(ctx)
 	if cli.version != "" {
 		v := strings.TrimPrefix(cli.version, "v")
 		apiPath = path.Join(cli.basePath, "/v"+v, p)
@@ -307,7 +312,11 @@ func (cli *Client) ClientVersion() string {
 // added (1.24).
 func (cli *Client) NegotiateAPIVersion(ctx context.Context) {
 	if !cli.manualOverride {
-		ping, _ := cli.Ping(ctx)
+		ping, err := cli.Ping(ctx)
+		if err != nil {
+			// FIXME(thaJeztah): Ping returns an error when failing to connect to the API; we should not swallow the error here, and instead returning it.
+			return
+		}
 		cli.negotiateAPIVersionPing(ping)
 	}
 }
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -354,6 +354,19 @@ func TestNegotiateAPVersionOverride(t *testing.T) {
 	assert.Equal(t, client.ClientVersion(), expected)
 }

+// TestNegotiateAPVersionConnectionFailure asserts that we do not modify the
+// API version when failing to connect.
+func TestNegotiateAPVersionConnectionFailure(t *testing.T) {
+	const expected = "9.99"
+
+	client, err := NewClientWithOpts(WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	client.version = expected
+	client.NegotiateAPIVersion(context.Background())
+	assert.Equal(t, client.ClientVersion(), expected)
+}
+
 func TestNegotiateAPIVersionAutomatic(t *testing.T) {
 	var pingVersion string
 	httpClient := newMockClient(func(req *http.Request) (*http.Response, error) {
--- a/client/container_create.go
+++ b/client/container_create.go
@@ -28,7 +28,9 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 	//
 	// Normally, version-negotiation (if enabled) would not happen until
 	// the API request is made.
-	cli.checkVersion(ctx)
+	if err := cli.checkVersion(ctx); err != nil {
+		return response, err
+	}

 	if err := cli.NewVersionError(ctx, "1.25", "stop timeout"); config != nil && config.StopTimeout != nil && err != nil {
 		return response, err
--- a/client/container_create_test.go
+++ b/client/container_create_test.go
@@ -113,3 +113,15 @@ func TestContainerCreateAutoRemove(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestContainerCreateConnection verifies that connection errors occurring
+// during API-version negotiation are not shadowed by API-version errors.
+//
+// Regression test for https://github.com/docker/cli/issues/4890
+func TestContainerCreateConnectionError(t *testing.T) {
+	client, err := NewClientWithOpts(WithAPIVersionNegotiation(), WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	_, err = client.ContainerCreate(context.Background(), nil, nil, nil, nil, "")
+	assert.Check(t, is.ErrorType(err, IsErrConnectionFailed))
+}
--- a/client/container_exec.go
+++ b/client/container_exec.go
@@ -18,7 +18,9 @@ func (cli *Client) ContainerExecCreate(ctx context.Context, container string, co
 	//
 	// Normally, version-negotiation (if enabled) would not happen until
 	// the API request is made.
-	cli.checkVersion(ctx)
+	if err := cli.checkVersion(ctx); err != nil {
+		return response, err
+	}

 	if err := cli.NewVersionError(ctx, "1.25", "env"); len(config.Env) != 0 && err != nil {
 		return response, err
--- a/client/container_exec_test.go
+++ b/client/container_exec_test.go
@@ -24,6 +24,18 @@ func TestContainerExecCreateError(t *testing.T) {
 	assert.Check(t, is.ErrorType(err, errdefs.IsSystem))
 }

+// TestContainerExecCreateConnectionError verifies that connection errors occurring
+// during API-version negotiation are not shadowed by API-version errors.
+//
+// Regression test for https://github.com/docker/cli/issues/4890
+func TestContainerExecCreateConnectionError(t *testing.T) {
+	client, err := NewClientWithOpts(WithAPIVersionNegotiation(), WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	_, err = client.ContainerExecCreate(context.Background(), "", types.ExecConfig{})
+	assert.Check(t, is.ErrorType(err, IsErrConnectionFailed))
+}
+
 func TestContainerExecCreate(t *testing.T) {
 	expectedURL := "/containers/container_id/exec"
 	client := &Client{
--- a/client/container_restart.go
+++ b/client/container_restart.go
@@ -23,7 +23,9 @@ func (cli *Client) ContainerRestart(ctx context.Context, containerID string, opt
 		//
 		// Normally, version-negotiation (if enabled) would not happen until
 		// the API request is made.
-		cli.checkVersion(ctx)
+		if err := cli.checkVersion(ctx); err != nil {
+			return err
+		}
 		if versions.GreaterThanOrEqualTo(cli.version, "1.42") {
 			query.Set("signal", options.Signal)
 		}
--- a/client/container_restart_test.go
+++ b/client/container_restart_test.go
@@ -23,6 +23,18 @@ func TestContainerRestartError(t *testing.T) {
 	assert.Check(t, is.ErrorType(err, errdefs.IsSystem))
 }

+// TestContainerRestartConnectionError verifies that connection errors occurring
+// during API-version negotiation are not shadowed by API-version errors.
+//
+// Regression test for https://github.com/docker/cli/issues/4890
+func TestContainerRestartConnectionError(t *testing.T) {
+	client, err := NewClientWithOpts(WithAPIVersionNegotiation(), WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	err = client.ContainerRestart(context.Background(), "nothing", container.StopOptions{})
+	assert.Check(t, is.ErrorType(err, IsErrConnectionFailed))
+}
+
 func TestContainerRestart(t *testing.T) {
 	const expectedURL = "/v1.42/containers/container_id/restart"
 	client := &Client{
--- a/client/container_stop.go
+++ b/client/container_stop.go
@@ -27,7 +27,9 @@ func (cli *Client) ContainerStop(ctx context.Context, containerID string, option
 		//
 		// Normally, version-negotiation (if enabled) would not happen until
 		// the API request is made.
-		cli.checkVersion(ctx)
+		if err := cli.checkVersion(ctx); err != nil {
+			return err
+		}
 		if versions.GreaterThanOrEqualTo(cli.version, "1.42") {
 			query.Set("signal", options.Signal)
 		}
--- a/client/container_stop_test.go
+++ b/client/container_stop_test.go
@@ -23,6 +23,18 @@ func TestContainerStopError(t *testing.T) {
 	assert.Check(t, is.ErrorType(err, errdefs.IsSystem))
 }

+// TestContainerStopConnectionError verifies that connection errors occurring
+// during API-version negotiation are not shadowed by API-version errors.
+//
+// Regression test for https://github.com/docker/cli/issues/4890
+func TestContainerStopConnectionError(t *testing.T) {
+	client, err := NewClientWithOpts(WithAPIVersionNegotiation(), WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	err = client.ContainerStop(context.Background(), "nothing", container.StopOptions{})
+	assert.Check(t, is.ErrorType(err, IsErrConnectionFailed))
+}
+
 func TestContainerStop(t *testing.T) {
 	const expectedURL = "/v1.42/containers/container_id/stop"
 	client := &Client{
--- a/client/container_wait.go
+++ b/client/container_wait.go
@@ -30,19 +30,22 @@ const containerWaitErrorMsgLimit = 2 * 1024 /* Max: 2KiB */
 // synchronize ContainerWait with other calls, such as specifying a
 // "next-exit" condition before issuing a ContainerStart request.
 func (cli *Client) ContainerWait(ctx context.Context, containerID string, condition container.WaitCondition) (<-chan container.WaitResponse, <-chan error) {
+	resultC := make(chan container.WaitResponse)
+	errC := make(chan error, 1)
+
 	// Make sure we negotiated (if the client is configured to do so),
 	// as code below contains API-version specific handling of options.
 	//
 	// Normally, version-negotiation (if enabled) would not happen until
 	// the API request is made.
-	cli.checkVersion(ctx)
+	if err := cli.checkVersion(ctx); err != nil {
+		errC <- err
+		return resultC, errC
+	}
 	if versions.LessThan(cli.ClientVersion(), "1.30") {
 		return cli.legacyContainerWait(ctx, containerID)
 	}

-	resultC := make(chan container.WaitResponse)
-	errC := make(chan error, 1)
-
 	query := url.Values{}
 	if condition != "" {
 		query.Set("condition", string(condition))
--- a/client/container_wait_test.go
+++ b/client/container_wait_test.go
@@ -34,6 +34,23 @@ func TestContainerWaitError(t *testing.T) {
 	}
 }

+// TestContainerWaitConnectionError verifies that connection errors occurring
+// during API-version negotiation are not shadowed by API-version errors.
+//
+// Regression test for https://github.com/docker/cli/issues/4890
+func TestContainerWaitConnectionError(t *testing.T) {
+	client, err := NewClientWithOpts(WithAPIVersionNegotiation(), WithHost("tcp://no-such-host.invalid"))
+	assert.NilError(t, err)
+
+	resultC, errC := client.ContainerWait(context.Background(), "nothing", "")
+	select {
+	case result := <-resultC:
+		t.Fatalf("expected to not get a wait result, got %d", result.StatusCode)
+	case err := <-errC:
+		assert.Check(t, is.ErrorType(err, IsErrConnectionFailed))
+	}
+}
+
 func TestContainerWait(t *testing.T) {
 	expectedURL := "/containers/container_id/wait"
 	client := &Client{
--- a/client/distribution_inspect.go
+++ b/client/distribution_inspect.go
@@ -10,11 +10,11 @@ import (
 )

 // DistributionInspect returns the image digest with the full manifest.
-func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) {
+func (cli *Client) DistributionInspect(ctx context.Context, imageRef, encodedRegistryAuth string) (registry.DistributionInspect, error) {
 	// Contact the registry to retrieve digest and platform information
 	var distributionInspect registry.DistributionInspect
-	if image == "" {
-		return distributionInspect, objectNotFoundError{object: "distribution", id: image}
+	if imageRef == "" {
+		return distributionInspect, objectNotFoundError{object: "distribution", id: imageRef}
 	}

 	if err := cli.NewVersionError(ctx, "1.30", "distribution inspect"); err != nil {
@@ -28,7 +28,7 @@ func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegist
 		}
 	}

-	resp, err := cli.get(ctx, "/distribution/"+image+"/json", url.Values{}, headers)
+	resp, err := cli.get(ctx, "/distribution/"+imageRef+"/json", url.Values{}, headers)
 	defer ensureReaderClosed(resp)
 	if err != nil {
 		return distributionInspect, err
--- a/client/errors.go
+++ b/client/errors.go
@@ -11,15 +11,16 @@ import (

 // errConnectionFailed implements an error returned when connection failed.
 type errConnectionFailed struct {
-	host string
+	error
 }

 // Error returns a string representation of an errConnectionFailed
-func (err errConnectionFailed) Error() string {
-	if err.host == "" {
-		return "Cannot connect to the Docker daemon. Is the docker daemon running on this host?"
-	}
-	return fmt.Sprintf("Cannot connect to the Docker daemon at %s. Is the docker daemon running?", err.host)
+func (e errConnectionFailed) Error() string {
+	return e.error.Error()
+}
+
+func (e errConnectionFailed) Unwrap() error {
+	return e.error
 }

 // IsErrConnectionFailed returns true if the error is caused by connection failed.
@@ -29,7 +30,13 @@ func IsErrConnectionFailed(err error) bool {

 // ErrorConnectionFailed returns an error with host in the error message when connection to docker daemon failed.
 func ErrorConnectionFailed(host string) error {
-	return errConnectionFailed{host: host}
+	var err error
+	if host == "" {
+		err = fmt.Errorf("Cannot connect to the Docker daemon. Is the docker daemon running on this host?")
+	} else {
+		err = fmt.Errorf("Cannot connect to the Docker daemon at %s. Is the docker daemon running?", host)
+	}
+	return errConnectionFailed{error: err}
 }

 // IsErrNotFound returns true if the error is a NotFound error, which is returned
@@ -60,7 +67,9 @@ func (cli *Client) NewVersionError(ctx context.Context, APIrequired, feature str
 	//
 	// Normally, version-negotiation (if enabled) would not happen until
 	// the API request is made.
-	cli.checkVersion(ctx)
+	if err := cli.checkVersion(ctx); err != nil {
+		return err
+	}
 	if cli.version != "" && versions.LessThan(cli.version, APIrequired) {
 		return fmt.Errorf("%q requires API version %s, but the Docker daemon API version is %s", feature, APIrequired, cli.version)
 	}
--- a/client/hijack.go
+++ b/client/hijack.go
@@ -6,17 +6,13 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/http/httputil"
 	"net/url"
 	"time"

 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/pkg/errors"
-	"go.opentelemetry.io/otel"
-	"go.opentelemetry.io/otel/codes"
-	"go.opentelemetry.io/otel/propagation"
-	"go.opentelemetry.io/otel/trace"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 )

 // postHijacked sends a POST request and hijacks the connection.
@@ -54,33 +50,16 @@ func (cli *Client) setupHijackConn(req *http.Request, proto string) (_ net.Conn,
 	req.Header.Set("Connection", "Upgrade")
 	req.Header.Set("Upgrade", proto)

-	// We aren't using the configured RoundTripper here so manually inject the trace context
-	tp := cli.tp
-	if tp == nil {
-		if span := trace.SpanFromContext(ctx); span.SpanContext().IsValid() {
-			tp = span.TracerProvider()
-		} else {
-			tp = otel.GetTracerProvider()
-		}
-	}
-
-	ctx, span := tp.Tracer("").Start(ctx, req.Method+" "+req.URL.Path, trace.WithSpanKind(trace.SpanKindClient))
-	// FIXME(thaJeztah): httpconv.ClientRequest is now an internal package; replace this with alternative for semconv v1.21
-	// span.SetAttributes(httpconv.ClientRequest(req)...)
-	defer func() {
-		if retErr != nil {
-			span.RecordError(retErr)
-			span.SetStatus(codes.Error, retErr.Error())
-		}
-		span.End()
-	}()
-	otel.GetTextMapPropagator().Inject(ctx, propagation.HeaderCarrier(req.Header))
-
 	dialer := cli.Dialer()
 	conn, err := dialer(ctx)
 	if err != nil {
 		return nil, "", errors.Wrap(err, "cannot connect to the Docker daemon. Is 'docker daemon' running on this host?")
 	}
+	defer func() {
+		if retErr != nil {
+			conn.Close()
+		}
+	}()

 	// When we set up a TCP connection for hijack, there could be long periods
 	// of inactivity (a long running command with no output) that in certain
@@ -92,58 +71,29 @@ func (cli *Client) setupHijackConn(req *http.Request, proto string) (_ net.Conn,
 		_ = tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}

-	clientconn := httputil.NewClientConn(conn, nil)
-	defer clientconn.Close()
+	hc := &hijackedConn{conn, bufio.NewReader(conn)}

 	// Server hijacks the connection, error 'connection closed' expected
-	resp, err := clientconn.Do(req)
-	if resp != nil {
-		// This is a simplified variant of "httpconv.ClientStatus(resp.StatusCode))";
-		//
-		// The main purpose of httpconv.ClientStatus() is to detect whether the
-		// status was successful (1xx, 2xx, 3xx) or non-successful (4xx/5xx).
-		//
-		// It also provides complex logic to *validate* status-codes against
-		// a hard-coded list meant to exclude "bogus" status codes in "success"
-		// ranges (1xx, 2xx) and convert them into an error status. That code
-		// seemed over-reaching (and not accounting for potential future valid
-		// status codes). We assume we only get valid status codes, and only
-		// look at status-code ranges.
-		//
-		// For reference, see:
-		// https://github.com/open-telemetry/opentelemetry-go/blob/v1.21.0/semconv/v1.17.0/httpconv/http.go#L85-L89
-		// https://github.com/open-telemetry/opentelemetry-go/blob/v1.21.0/semconv/internal/v2/http.go#L322-L330
-		// https://github.com/open-telemetry/opentelemetry-go/blob/v1.21.0/semconv/internal/v2/http.go#L356-L404
-		code := codes.Unset
-		if resp.StatusCode >= http.StatusBadRequest {
-			code = codes.Error
-		}
-		span.SetStatus(code, "")
+	resp, err := otelhttp.NewTransport(hc).RoundTrip(req)
+	if err != nil {
+		return nil, "", err
+	}
+	if resp.StatusCode != http.StatusSwitchingProtocols {
+		_ = resp.Body.Close()
+		return nil, "", fmt.Errorf("unable to upgrade to %s, received %d", proto, resp.StatusCode)
 	}

-	//nolint:staticcheck // ignore SA1019 for connecting to old (pre go1.8) daemons
-	if err != httputil.ErrPersistEOF {
-		if err != nil {
-			return nil, "", err
-		}
-		if resp.StatusCode != http.StatusSwitchingProtocols {
-			_ = resp.Body.Close()
-			return nil, "", fmt.Errorf("unable to upgrade to %s, received %d", proto, resp.StatusCode)
-		}
-	}
-
-	c, br := clientconn.Hijack()
-	if br.Buffered() > 0 {
+	if hc.r.Buffered() > 0 {
 		// If there is buffered content, wrap the connection.  We return an
 		// object that implements CloseWrite if the underlying connection
 		// implements it.
-		if _, ok := c.(types.CloseWriter); ok {
-			c = &hijackedConnCloseWriter{&hijackedConn{c, br}}
+		if _, ok := hc.Conn.(types.CloseWriter); ok {
+			conn = &hijackedConnCloseWriter{hc}
 		} else {
-			c = &hijackedConn{c, br}
+			conn = hc
 		}
 	} else {
-		br.Reset(nil)
+		hc.r.Reset(nil)
 	}

 	var mediaType string
@@ -152,7 +102,7 @@ func (cli *Client) setupHijackConn(req *http.Request, proto string) (_ net.Conn,
 		mediaType = resp.Header.Get("Content-Type")
 	}

-	return c, mediaType, nil
+	return conn, mediaType, nil
 }

 // hijackedConn wraps a net.Conn and is returned by setupHijackConn in the case
@@ -164,6 +114,13 @@ type hijackedConn struct {
 	r *bufio.Reader
 }

+func (c *hijackedConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	if err := req.Write(c.Conn); err != nil {
+		return nil, err
+	}
+	return http.ReadResponse(c.r, req)
+}
+
 func (c *hijackedConn) Read(b []byte) (int, error) {
 	return c.r.Read(b)
 }
--- a/client/image_create.go
+++ b/client/image_create.go
@@ -8,13 +8,13 @@ import (
 	"strings"

 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
 )

 // ImageCreate creates a new image based on the parent options.
 // It returns the JSON content in the response body.
-func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
 	ref, err := reference.ParseNormalizedNamed(parentReference)
 	if err != nil {
 		return nil, err
--- a/client/image_create_test.go
+++ b/client/image_create_test.go
@@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/errdefs"
 	"gotest.tools/v3/assert"
@@ -20,7 +20,7 @@ func TestImageCreateError(t *testing.T) {
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
 	}
-	_, err := client.ImageCreate(context.Background(), "reference", types.ImageCreateOptions{})
+	_, err := client.ImageCreate(context.Background(), "reference", image.CreateOptions{})
 	assert.Check(t, is.ErrorType(err, errdefs.IsSystem))
 }

@@ -58,7 +58,7 @@ func TestImageCreate(t *testing.T) {
 		}),
 	}

-	createResponse, err := client.ImageCreate(context.Background(), expectedReference, types.ImageCreateOptions{
+	createResponse, err := client.ImageCreate(context.Background(), expectedReference, image.CreateOptions{
 		RegistryAuth: expectedRegistryAuth,
 	})
 	if err != nil {
--- a/client/image_import.go
+++ b/client/image_import.go
@@ -8,11 +8,12 @@ import (

 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 )

 // ImageImport creates a new image based on the source options.
 // It returns the JSON content in the response body.
-func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 	if ref != "" {
 		// Check if the given image name can be resolved
 		if _, err := reference.ParseNormalizedNamed(ref); err != nil {
--- a/Show More
+++ b/Show More