Merge pull request #49487 from austinvazquez/cherry-pick-838ae09a2337e6561b40d13be6ddf43005a92a9e-to-27.x

[27.x backport] Dockerfile: update runc binary to v1.2.5
Dockerfile: update runc binary to v1.2.5
2026-01-12 03:01:38 +00:00 · 2025-02-18 18:08:52 +01:00 · 2025-02-18 15:19:10 +00:00 · 2025-02-06 09:38:21 +01:00 · 2025-02-04 20:31:16 +01:00 · 2025-02-04 17:24:07 +01:00
2038 changed files with 166771 additions and 91986 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,11 +19,14 @@ Please provide the following information:

 **- How to verify it**

-**- Description for the changelog**
+**- Human readable description for the release notes**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog.
-It must be placed inside the below triple backticks section:
+It must be placed inside the below triple backticks section.
+
+NOTE: Only fill this section if changes introduced in this PR are user-facing.
+The PR must have a relevant impact/ label.
 -->
 ```markdown changelog

--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -3,15 +3,25 @@ name: .dco

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  workflow_call:

 env:
-  ALPINE_VERSION: 3.16
+  ALPINE_VERSION: "3.20"

 jobs:
  run:
    runs-on: ubuntu-20.04
+    timeout-minutes: 10 # guardrails timeout for the whole job
    steps:
      -
        name: Checkout
@@ -39,10 +49,12 @@ jobs:
        name: Validate
        run: |
          docker run --rm \
-            -v "$(pwd):/workspace" \
+            --quiet \
+            -v ./:/workspace \
+            -w /workspace \
            -e VALIDATE_REPO \
            -e VALIDATE_BRANCH \
-            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
+            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && hack/validate/dco'
        env:
          VALIDATE_REPO: ${{ github.server_url }}/${{ github.repository }}.git
          VALIDATE_BRANCH: ${{ steps.base-ref.outputs.result }}
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -3,6 +3,15 @@ name: .test-prepare

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  workflow_call:
    outputs:
@@ -13,6 +22,7 @@ on:
 jobs:
  run:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -3,6 +3,15 @@ name: .test

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  workflow_call:
    inputs:
@@ -12,7 +21,7 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.21.12"
+  GO_VERSION: "1.22.12"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
@@ -25,8 +34,8 @@ env:
 jobs:
  unit:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -43,7 +52,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -80,8 +89,8 @@ jobs:

  unit-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    if: always()
    needs:
      - unit
@@ -108,8 +117,8 @@ jobs:

  docker-py:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -129,7 +138,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -165,8 +174,8 @@ jobs:

  integration-flaky:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -183,7 +192,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -197,8 +206,8 @@ jobs:

  integration:
    runs-on: ${{ matrix.os }}
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
@@ -241,7 +250,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -295,8 +304,8 @@ jobs:

  integration-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    if: always()
    needs:
      - integration
@@ -324,6 +333,7 @@ jobs:

  integration-cli-prepare:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
      matrix: ${{ steps.tests.outputs.matrix }}
@@ -359,8 +369,8 @@ jobs:

  integration-cli:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    needs:
      - integration-cli-prepare
    strategy:
@@ -386,7 +396,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -439,8 +449,8 @@ jobs:

  integration-cli-report:
    runs-on: ubuntu-20.04
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
    if: always()
    needs:
      - integration-cli
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -3,6 +3,16 @@ name: .windows

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+
 on:
  workflow_call:
    inputs:
@@ -19,7 +29,7 @@ on:
        default: false

 env:
-  GO_VERSION: "1.21.12"
+  GO_VERSION: "1.22.12"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
@@ -33,6 +43,7 @@ env:
 jobs:
  build:
    runs-on: ${{ inputs.os }}
+    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -112,7 +123,7 @@ jobs:

  unit-test:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120
+    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -193,7 +204,8 @@ jobs:
          retention-days: 1

  unit-test-report:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    if: always()
    needs:
      - unit-test
@@ -219,7 +231,8 @@ jobs:
          find /tmp/artifacts -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-test-prepare:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    outputs:
      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
@@ -253,8 +266,8 @@ jobs:

  integration-test:
    runs-on: ${{ inputs.os }}
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
-    timeout-minutes: 120
    needs:
      - build
      - integration-test-prepare
@@ -512,7 +525,8 @@ jobs:
          retention-days: 1

  integration-test-report:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
    if: always()
    needs:
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -0,0 +1,276 @@
+name: arm64
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
+
+env:
+  GO_VERSION: "1.22.12"
+  TESTSTAT_VERSION: v0.1.25
+  DESTDIR: ./build
+  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
+  DOCKER_EXPERIMENTAL: 1
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  build:
+    runs-on: ubuntu-22.04-arm
+    timeout-minutes: 20 # guardrails timeout for the whole job
+    needs:
+      - validate-dco
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - binary
+          - dynbinary
+    steps:
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}
+      -
+        name: List artifacts
+        run: |
+          tree -nh ${{ env.DESTDIR }}
+      -
+        name: Check artifacts
+        run: |
+          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
+
+  build-dev:
+    runs-on: ubuntu-22.04-arm
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    needs:
+      - validate-dco
+    steps:
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v6
+        with:
+          targets: dev
+          set: |
+            *.cache-from=type=gha,scope=dev-arm64
+            *.cache-to=type=gha,scope=dev-arm64,mode=max
+            *.output=type=cacheonly
+
+  test-unit:
+    runs-on: ubuntu-22.04-arm
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    needs:
+      - build-dev
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up runner
+        uses: ./.github/actions/setup-runner
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v6
+        with:
+          targets: dev
+          set: |
+            dev.cache-from=type=gha,scope=dev-arm64
+      -
+        name: Test
+        run: |
+          make -o build test-unit
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          mkdir -p bundles /tmp/reports
+          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
+          sudo chown -R $(id -u):$(id -g) /tmp/reports
+          tree -nh /tmp/reports
+      -
+        name: Send to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./bundles
+          env_vars: RUNNER_OS
+          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-unit-arm64-graphdriver
+          path: /tmp/reports/*
+          retention-days: 1
+
+  test-unit-report:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always()
+    needs:
+      - test-unit
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: vendor.sum
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          pattern: test-reports-unit-arm64-*
+          path: /tmp/reports
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
+
+  test-integration:
+    runs-on: ubuntu-22.04-arm
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - build-dev
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up runner
+        uses: ./.github/actions/setup-runner
+      -
+        name: Set up tracing
+        uses: ./.github/actions/setup-tracing
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v6
+        with:
+          targets: dev
+          set: |
+            dev.cache-from=type=gha,scope=dev-arm64
+      -
+        name: Test
+        run: |
+          make -o build test-integration
+        env:
+          TEST_SKIP_INTEGRATION_CLI: 1
+          TESTCOVERAGE: 1
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          reportsPath="/tmp/reports/arm64-graphdriver"
+          mkdir -p bundles $reportsPath
+          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C $reportsPath
+          sudo chown -R $(id -u):$(id -g) $reportsPath
+          tree -nh $reportsPath
+          curl -sSLf localhost:16686/api/traces?service=integration-test-client > $reportsPath/jaeger-trace.json
+      -
+        name: Send to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./bundles/test-integration
+          env_vars: RUNNER_OS
+          flags: integration
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+      -
+        name: Test daemon logs
+        if: always()
+        run: |
+          cat bundles/test-integration/docker.log
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-integration-arm64-graphdriver
+          path: /tmp/reports/*
+          retention-days: 1
+
+  test-integration-report:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always()
+    needs:
+      - test-integration
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: vendor.sum
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/reports
+          pattern: test-reports-integration-arm64-*
+          merge-multiple: true
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -1,5 +1,14 @@
 name: bin-image

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -10,6 +19,7 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
    tags:
      - 'v*'
  pull_request:
@@ -31,6 +41,7 @@ jobs:

  prepare:
    runs-on: ubuntu-20.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
    outputs:
      platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -48,7 +59,7 @@ jobs:
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
          # moby/moby-bin:latest
-          ## push semver prelease tag v23.0.0-beta.1
+          ## push semver prerelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
@@ -83,6 +94,7 @@ jobs:

  build:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare
@@ -92,16 +104,16 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
    steps:
-      -
-        name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
+      -
+        name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Download meta bake definition
        uses: actions/download-artifact@v4
@@ -128,8 +140,9 @@ jobs:
      -
        name: Build
        id: bake
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
+          source: .
          files: |
            ./docker-bake.hcl
            /tmp/bake-meta.json
@@ -157,6 +170,7 @@ jobs:

  merge:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - build
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -1,5 +1,14 @@
 name: buildkit

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -10,10 +19,11 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.21.12"
+  GO_VERSION: "1.22.12"
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: latest
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -24,12 +34,10 @@ jobs:

  build:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -39,7 +47,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: binary
      -
@@ -53,7 +61,7 @@ jobs:

  test:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120
+    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - build
    env:
@@ -93,6 +101,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: moby
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
      -
        name: BuildKit ref
        run: |
@@ -130,8 +143,9 @@ jobs:
          docker info
      -
        name: Build test image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
+          source: .
          workdir: ./buildkit
          targets: integration-tests
          set: |
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,14 @@
 name: ci

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -10,6 +19,7 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
  pull_request:

 env:
@@ -23,6 +33,7 @@ jobs:

  build:
    runs-on: ubuntu-20.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
    strategy:
@@ -32,11 +43,6 @@ jobs:
          - binary
          - dynbinary
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -46,7 +52,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: ${{ matrix.target }}
      -
@@ -59,7 +65,8 @@ jobs:
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  prepare-cross:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
@@ -81,6 +88,7 @@ jobs:

  cross:
    runs-on: ubuntu-20.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare-cross
@@ -89,11 +97,6 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
      -
        name: Prepare
        run: |
@@ -108,7 +111,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: all
          set: |
@@ -121,3 +124,33 @@ jobs:
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
+
+  govulncheck:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    permissions:
+      # required to write sarif report
+      security-events: write
+      # required to check out the repository
+      contents: read
+    steps:
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v6
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,71 @@
+name: codeql
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+    tags:
+      - 'v*'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    #        ┌───────────── minute (0 - 59)
+    #        │ ┌───────────── hour (0 - 23)
+    #        │ │ ┌───────────── day of the month (1 - 31)
+    #        │ │ │ ┌───────────── month (1 - 12)
+    #        │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
+    #        │ │ │ │ │
+    #        │ │ │ │ │
+    #        │ │ │ │ │
+    #        * * * * *
+    - cron: '0 9 * * 4'
+
+jobs:
+  codeql:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
+      # and is trying to be smart by searching for modules in every directory,
+      # including vendor directories. If no module is found, it's creating one
+      # which is ... not what we want, so let's give it a "go.mod".
+      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
+      - name: Create go.mod
+        run: |
+          ln -s vendor.mod go.mod
+          ln -s vendor.sum go.sum
+      - name: Update Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22.12"
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,14 @@
 name: test

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -10,10 +19,11 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.21.12"
+  GO_VERSION: "1.22.12"
  GIT_PAGER: "cat"
  PAGER: "cat"
  SETUP_BUILDX_VERSION: latest
@@ -25,6 +35,7 @@ jobs:

  build-dev:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
    strategy:
@@ -40,9 +51,6 @@ jobs:
          if [ "${{ matrix.mode }}" = "systemd" ]; then
            echo "SYSTEMD=true" >> $GITHUB_ENV
          fi
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -52,7 +60,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -77,6 +85,7 @@ jobs:

  validate-prepare:
    runs-on: ubuntu-20.04
+    timeout-minutes: 10 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
@@ -98,7 +107,7 @@ jobs:

  validate:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120
+    timeout-minutes: 30 # guardrails timeout for the whole job
    needs:
      - validate-prepare
      - build-dev
@@ -124,7 +133,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: dev
          set: |
@@ -136,6 +145,7 @@ jobs:

  smoke-prepare:
    runs-on: ubuntu-20.04
+    timeout-minutes: 10 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
@@ -157,6 +167,7 @@ jobs:

  smoke:
    runs-on: ubuntu-20.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - smoke-prepare
    strategy:
@@ -164,9 +175,6 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.smoke-prepare.outputs.matrix) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
      -
        name: Prepare
        run: |
@@ -184,7 +192,7 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Test
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v6
        with:
          targets: binary-smoketest
          set: |
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -1,12 +1,22 @@
 name: validate-pr

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  pull_request:
-    types: [opened, edited, labeled, unlabeled]
+    types: [opened, edited, labeled, unlabeled, synchronize]

 jobs:
  check-area-label:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    steps:
      - name: Missing `area/` label
        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
@@ -17,9 +27,10 @@ jobs:
        run: exit 0

  check-changelog:
-    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
+      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
      PR_BODY: |
        ${{ github.event.pull_request.body }}
    steps:
@@ -31,15 +42,23 @@ jobs:
          # Strip empty lines
          desc=$(echo "$block" |  awk NF)

-          if [ -z "$desc" ]; then
-            echo "::error::Changelog section is empty. Please provide a description for the changelog."
-            exit 1
-          fi
+          if [ "$HAS_IMPACT_LABEL" = "true" ]; then
+            if [ -z "$desc" ]; then
+              echo "::error::Changelog section is empty. Please provide a description for the changelog."
+              exit 1
+            fi

-          len=$(echo -n "$desc" | wc -c)
-          if [[ $len -le 6 ]]; then
-            echo "::error::Description looks too short: $desc"
-            exit 1
+            len=$(echo -n "$desc" | wc -c)
+            if [[ $len -le 6 ]]; then
+              echo "::error::Description looks too short: $desc"
+              exit 1
+            fi
+          else
+            if [ -n "$desc" ]; then
+              echo "::error::PR has a changelog description, but no changelog label"
+              echo "::error::Please add the relevant 'impact/' label to the PR or remove the changelog description"
+              exit 1
+            fi
          fi

          echo "This PR will be included in the release notes with the following note:"
@@ -47,6 +66,7 @@ jobs:

  check-pr-branch:
    runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -1,5 +1,14 @@
 name: windows-2019

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -1,5 +1,14 @@
 name: windows-2022

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -10,6 +19,7 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
  pull_request:

 jobs:
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,6 +6,7 @@ linters:
    - gosec
    - gosimple
    - govet
+    - forbidigo
    - importas
    - ineffassign
    - misspell
@@ -31,6 +32,15 @@ linters-settings:
      - "true"    # some tests use this as expected output
      - "false"   # some tests use this as expected output
      - "root"    # for tests using "ls" output with files owned by "root:root"
+  forbidigo:
+    forbid:
+      - pkg: github.com/vishvananda/netlink$
+        p: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
+        msg: Use internal nlwrap package for EINTR handling.
+      - pkg: github.com/docker/docker/internal/nlwrap$
+        p: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
+        msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
+    analyze-types: true
  importas:
    # Do not allow unaliased imports of aliased packages.
    no-unaliased: true
@@ -45,6 +55,11 @@ linters-settings:

  govet:
    check-shadowing: false
+
+  gosec:
+    excludes:
+      - G115 # FIXME temporarily suppress 'G115: integer overflow conversion': it produces many hits, some of which may be false positives, and need to be looked at; see https://github.com/moby/moby/issues/48358
+
  depguard:
    rules:
      main:
@@ -57,10 +72,16 @@ linters-settings:
            desc: Use "gotest.tools/v3/assert" instead
          - pkg: "github.com/stretchr/testify/suite"
            desc: Do not use
-          - pkg: github.com/containerd/containerd/errdefs
+          - pkg: "github.com/containerd/containerd/errdefs"
            desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
-          - pkg: github.com/containerd/containerd/log
+          - pkg: "github.com/containerd/containerd/log"
            desc: The logs package has moved to a separate module, https://github.com/containerd/log
+          - pkg: "github.com/containerd/containerd/pkg/userns"
+            desc: Use github.com/moby/sys/userns instead.
+          - pkg: "github.com/opencontainers/runc/libcontainer/userns"
+            desc: Use github.com/moby/sys/userns instead.
+          - pkg: "github.com/tonistiigi/fsutil"
+            desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
  revive:
    rules:
      # FIXME make sure all packages have a description. Currently, there's many packages without.
@@ -78,7 +99,7 @@ issues:
    # (unlike the "include" option), the "exclude" option does not take exclusion
    # ID's.
    #
-    # These exclusion patterns are copied from the default excluses at:
+    # These exclusion patterns are copied from the default excludes at:
    # https://github.com/golangci/golangci-lint/blob/v1.46.2/pkg/config/issues.go#L10-L104

    # EXC0001
@@ -129,11 +150,27 @@ issues:
      path: "api/types/(volume|container)/"
      linters:
        - revive
+    # FIXME temporarily suppress these until we migrated these to internal.
+    - text: "SA1019: fileutils\\.GetTotalUsedFds"
+      linters:
+        - staticcheck
    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
      linters:
        - staticcheck

+    # FIXME temporarily suppress these until https://github.com/moby/moby/pull/49072 is merged, which removes their use.
+    - text: "SA1019: system\\.(FromStatT|Mkdev|Mknod|StatT)"
+      path: "pkg/archive/"
+      linters:
+        - staticcheck
+
+    # FIXME temporarily suppress these until they are moved internal to container/streams.
+    - text: "SA1019: ioutils\\.(ErrClosed|BytesPipe|NewBytesPipe)"
+      path: "container/stream/"
+      linters:
+        - staticcheck
+
    - text: "ineffectual assignment to ctx"
      source: "ctx[, ].*=.*\\(ctx[,)]"
      linters:
--- a/20
+++ b/20
@@ -1,19 +1,19 @@
 # syntax=docker/dockerfile:1.7

-ARG GO_VERSION=1.21.12
+ARG GO_VERSION=1.22.12
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.4.0
+ARG XX_VERSION=1.6.1

 ARG VPNKIT_VERSION=0.5.0

 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_VERSION=v27.0.2
+ARG DOCKERCLI_VERSION=v27.5.0
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
-ARG BUILDX_VERSION=0.16.1
-ARG COMPOSE_VERSION=v2.29.0
+ARG BUILDX_VERSION=0.20.0
+ARG COMPOSE_VERSION=v2.32.4

 ARG SYSTEMD="false"
 ARG DOCKER_STATIC=1
@@ -147,7 +147,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.21.1
+ARG DELVE_VERSION=v1.23.0
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS delve-supported
@@ -196,7 +196,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.20
+ARG CONTAINERD_VERSION=v1.7.25
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -229,7 +229,7 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd

 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.59.1
+ARG GOLANGCI_LINT_VERSION=v1.60.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
@@ -287,7 +287,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.1.13
+ARG RUNC_VERSION=v1.2.5
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -356,7 +356,7 @@ FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
 # When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
-ARG ROOTLESSKIT_VERSION=v2.0.2
+ARG ROOTLESSKIT_VERSION=v2.3.2
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.21.12
+ARG GO_VERSION=1.22.12

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,10 +161,10 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.21.12
+ARG GO_VERSION=1.22.12
 ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
-ARG CONTAINERD_VERSION=v1.7.20
+ARG CONTAINERD_VERSION=v1.7.25

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
--- a/165
+++ b/165
@@ -1,165 +0,0 @@
-#!groovy
-pipeline {
-    agent none
-
-    options {
-        buildDiscarder(logRotator(daysToKeepStr: '30'))
-        timeout(time: 2, unit: 'HOURS')
-        timestamps()
-    }
-    parameters {
-        booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test')
-        booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check')
-    }
-    environment {
-        DOCKER_BUILDKIT     = '1'
-        DOCKER_EXPERIMENTAL = '1'
-        DOCKER_GRAPHDRIVER  = 'overlay2'
-        CHECK_CONFIG_COMMIT = '33a3680e08d1007e72c3b3f1454f823d8e9948ee'
-        TESTDEBUG           = '0'
-        TIMEOUT             = '120m'
-    }
-    stages {
-        stage('pr-hack') {
-            when { changeRequest() }
-            steps {
-                script {
-                    echo "Workaround for PR auto-cancel feature. Borrowed from https://issues.jenkins-ci.org/browse/JENKINS-43353"
-                    def buildNumber = env.BUILD_NUMBER as int
-                    if (buildNumber > 1) milestone(buildNumber - 1)
-                    milestone(buildNumber)
-                }
-            }
-        }
-        stage('DCO-check') {
-            when {
-                beforeAgent true
-                expression { params.dco }
-            }
-            agent { label 'arm64 && ubuntu-2004' }
-            steps {
-                sh '''
-                docker run --rm \
-                  -v "$WORKSPACE:/workspace" \
-                  -e VALIDATE_REPO=${GIT_URL} \
-                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                  alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
-                '''
-            }
-        }
-        stage('Build') {
-            parallel {
-                stage('arm64') {
-                    when {
-                        beforeAgent true
-                        expression { params.arm64 }
-                    }
-                    agent { label 'arm64 && ubuntu-2004' }
-                    environment {
-                        TEST_SKIP_INTEGRATION_CLI = '1'
-                    }
-
-                    stages {
-                        stage("Print info") {
-                            steps {
-                                sh 'docker version'
-                                sh 'docker info'
-                                sh '''
-                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
-                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
-                                && bash ${WORKSPACE}/check-config.sh || true
-                                '''
-                            }
-                        }
-                        stage("Build dev image") {
-                            steps {
-                                sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
-                            }
-                        }
-                        stage("Unit tests") {
-                            steps {
-                                sh '''
-                                sudo modprobe ip6table_filter
-                                '''
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/test/unit
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/junit-report*.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                        stage("Integration tests") {
-                            environment { TEST_SKIP_INTEGRATION_CLI = '1' }
-                            steps {
-                                sh '''
-                                docker run --rm -t --privileged \
-                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
-                                  --name docker-pr$BUILD_NUMBER \
-                                  -e DOCKER_EXPERIMENTAL \
-                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-                                  -e DOCKER_GRAPHDRIVER \
-                                  -e TESTDEBUG \
-                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
-                                  -e TEST_SKIP_INTEGRATION_CLI \
-                                  -e TIMEOUT \
-                                  -e VALIDATE_REPO=${GIT_URL} \
-                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
-                                  docker:${GIT_COMMIT} \
-                                  hack/make.sh \
-                                    dynbinary \
-                                    test-integration
-                                '''
-                            }
-                            post {
-                                always {
-                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
-                                }
-                            }
-                        }
-                    }
-
-                    post {
-                        always {
-                            sh '''
-                            echo "Ensuring container killed."
-                            docker rm -vf docker-pr$BUILD_NUMBER || true
-                            '''
-
-                            sh '''
-                            echo "Chowning /workspace to jenkins user"
-                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
-                            '''
-
-                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
-                                sh '''
-                                bundleName=arm64-integration
-                                echo "Creating ${bundleName}-bundles.tar.gz"
-                                # exclude overlay2 directories
-                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
-                                '''
-
-                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
-                            }
-                        }
-                        cleanup {
-                            sh 'make clean'
-                            deleteDir()
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
--- a/2
+++ b/2
@@ -90,7 +90,7 @@ DOCKER_ENVS := \
 # note: BINDDIR is supported for backwards-compatibility here
 BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))

-# DOCKER_MOUNT can be overriden, but use at your own risk!
+# DOCKER_MOUNT can be overridden, but use at your own risk!
 ifndef DOCKER_MOUNT
 DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
 DOCKER_MOUNT := $(if $(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT):$(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT))
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ New projects can be added if they fit with the community goals. Docker is commit
 However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.

 The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful.
-The releases are supported by the maintainers, community and users, on a best efforts basis only, and are not intended for customers who want enterprise or commercial support; Docker EE is the appropriate product for these use cases.
+The releases are supported by the maintainers, community and users, on a best efforts basis only. For customers who want enterprise or commercial support, [Docker Desktop](https://www.docker.com/products/docker-desktop/) and [Mirantis Container Runtime](https://www.mirantis.com/software/mirantis-container-runtime/) are the appropriate products for these use cases.

 -----

--- a/api/common.go
+++ b/api/common.go
@@ -3,7 +3,7 @@ package api // import "github.com/docker/docker/api"
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.46"
+	DefaultVersion = "1.47"

 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -67,8 +67,8 @@ func (e versionUnsupportedError) InvalidParameter() {}
 func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("API-Version", v.defaultAPIVersion)
-		w.Header().Set("OSType", runtime.GOOS)
+		w.Header().Set("Api-Version", v.defaultAPIVersion)
+		w.Header().Set("Ostype", runtime.GOOS)

 		apiVersion := vars["version"]
 		if apiVersion == "" {
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -141,6 +141,6 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	hdr := resp.Result().Header
 	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
 	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("API-Version"), api.DefaultVersion))
-	assert.Check(t, is.Equal(hdr.Get("OSType"), runtime.GOOS))
+	assert.Check(t, is.Equal(hdr.Get("Api-Version"), api.DefaultVersion))
+	assert.Check(t, is.Equal(hdr.Get("Ostype"), runtime.GOOS))
 }
--- a/api/server/router/build/build_routes.go
+++ b/api/server/router/build/build_routes.go
@@ -339,8 +339,12 @@ type flusher interface {
 	Flush()
 }

+type nopFlusher struct{}
+
+func (f *nopFlusher) Flush() {}
+
 func wrapOutputBufferedUntilRequestRead(rc io.ReadCloser, out io.Writer) (io.ReadCloser, io.Writer) {
-	var fl flusher = &ioutils.NopFlusher{}
+	var fl flusher = &nopFlusher{}
 	if f, ok := out.(flusher); ok {
 		fl = f
 	}
--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -769,12 +769,14 @@ func handleSysctlBC(
 			netIfSysctl := fmt.Sprintf("net.%s.%s.IFNAME.%s=%s", spl[1], spl[2], spl[4], v)
 			// Find the EndpointConfig to migrate settings to, if not already found.
 			if ep == nil {
+				/* TODO(robmry) - apply this to the API version used in 28.0.0
 				// Per-endpoint sysctls were introduced in API version 1.46. Migration is
 				// needed, but refuse to do it automatically for newer versions of the API.
-				if versions.GreaterThan(version, "1.46") {
+				if versions.GreaterThan(version, "1.??") {
 					return "", fmt.Errorf("interface specific sysctl setting %q must be supplied using driver option '%s'",
 						k, netlabel.EndpointSysctls)
 				}
+				*/
 				var err error
 				ep, err = epConfigForNetMode(version, hostConfig.NetworkMode, netConfig)
 				if err != nil {
@@ -938,9 +940,11 @@ func (s *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 			if multiplexed && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
 				contentType = types.MediaTypeMultiplexedStream
 			}
-			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
+			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
+			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: %v\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n", contentType)
 		} else {
-			fmt.Fprintf(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
+			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
+			fmt.Fprint(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
 		}

 		go notifyClosed(ctx, conn, cancel)
--- a/api/server/router/container/container_routes_test.go
+++ b/api/server/router/container/container_routes_test.go
@@ -273,15 +273,17 @@ func TestHandleSysctlBC(t *testing.T) {
 				"net.ipv6.conf.all.disable_ipv6": "0",
 			},
 		},
+		/* TODO(robmry) - enable this test for the API version used in 28.0.0
 		{
 			name:        "migration disabled for newer api",
-			apiVersion:  "1.47",
+			apiVersion:  "1.??",
 			networkMode: "mynet",
 			sysctls: map[string]string{
 				"net.ipv6.conf.eth0.accept_ra": "2",
 			},
 			expError: "must be supplied using driver option 'com.docker.network.endpoint.sysctls'",
 		},
+		*/
 		{
 			name:        "only migrate eth0",
 			apiVersion:  "1.46",
--- a/api/server/router/grpc/grpc.go
+++ b/api/server/router/grpc/grpc.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package grpc // import "github.com/docker/docker/api/server/router/grpc"

@@ -9,13 +9,14 @@ import (
 	"os"
 	"strings"

+	"github.com/containerd/containerd/defaults"
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/internal/otelutil"
 	"github.com/moby/buildkit/util/grpcerrors"
 	"github.com/moby/buildkit/util/stack"
 	"github.com/moby/buildkit/util/tracing"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
-	"go.opentelemetry.io/otel"
 	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
 )
@@ -28,10 +29,13 @@ type grpcRouter struct {

 // NewRouter initializes a new grpc http router
 func NewRouter(backends ...Backend) router.Router {
+	tp, _ := otelutil.NewTracerProvider(context.Background(), false)
 	opts := []grpc.ServerOption{
-		grpc.StatsHandler(tracing.ServerStatsHandler(otelgrpc.WithTracerProvider(otel.GetTracerProvider()))),
+		grpc.StatsHandler(tracing.ServerStatsHandler(otelgrpc.WithTracerProvider(tp))),
 		grpc.ChainUnaryInterceptor(unaryInterceptor, grpcerrors.UnaryServerInterceptor),
 		grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
+		grpc.MaxRecvMsgSize(defaults.DefaultMaxRecvMsgSize),
+		grpc.MaxSendMsgSize(defaults.DefaultMaxSendMsgSize),
 	}

 	r := &grpcRouter{
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -142,7 +142,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 		id, progressErr = ir.backend.ImportImage(ctx, tagRef, platform, comment, layerReader, r.Form["changes"])

 		if progressErr == nil {
-			output.Write(streamformatter.FormatStatus("", id.String()))
+			_, _ = output.Write(streamformatter.FormatStatus("", "%v", id.String()))
 		}
 	}
 	if progressErr != nil {
@@ -220,7 +220,6 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter
 			}
 			platform = p
 		}
-
 	}

 	if err := ir.backend.PushImage(ctx, ref, platform, metaHeaders, authConfig, output); err != nil {
@@ -424,10 +423,16 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		sharedSize = httputils.BoolValue(r, "shared-size")
 	}

+	var manifests bool
+	if versions.GreaterThanOrEqualTo(version, "1.47") {
+		manifests = httputils.BoolValue(r, "manifests")
+	}
+
 	images, err := ir.backend.Images(ctx, imagetypes.ListOptions{
 		All:        httputils.BoolValue(r, "all"),
 		Filters:    imageFilters,
 		SharedSize: sharedSize,
+		Manifests:  manifests,
 	})
 	if err != nil {
 		return err
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -75,13 +75,13 @@ func (e invalidRequestError) Error() string {

 func (e invalidRequestError) InvalidParameter() {}

-type ambigousResultsError string
+type ambiguousResultsError string

-func (e ambigousResultsError) Error() string {
+func (e ambiguousResultsError) Error() string {
 	return "network " + string(e) + " is ambiguous"
 }

-func (ambigousResultsError) InvalidParameter() {}
+func (ambiguousResultsError) InvalidParameter() {}

 func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
@@ -182,7 +182,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByFullName) > 1 {
-		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on name", len(listByFullName))
+		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on name", len(listByFullName))
 	}

 	// Find based on partial ID, returns true only if no duplicates
@@ -192,7 +192,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByPartialID) > 1 {
-		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
+		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
 	}

 	return libnetwork.ErrNoSuchNetwork(term)
--- a/api/server/router/swarm/helpers.go
+++ b/api/server/router/swarm/helpers.go
@@ -151,5 +151,4 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {
 			service.TaskTemplate.ContainerSpec.OomScoreAdj = 0
 		}
 	}
-
 }
--- a/api/server/router/system/system.go
+++ b/api/server/router/system/system.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package system // import "github.com/docker/docker/api/server/router/system"

--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
 consumes:
  - "application/json"
  - "text/plain"
-basePath: "/v1.46"
+basePath: "/v1.47"
 info:
  title: "Docker Engine API"
-  version: "1.46"
+  version: "1.47"
  x-logo:
    url: "https://docs.docker.com/assets/images/logo-docker-main.png"
  description: |
@@ -55,8 +55,8 @@ info:
    the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
    is returned.

-    If you omit the version-prefix, the current version of the API (v1.46) is used.
-    For example, calling `/info` is the same as calling `/v1.46/info`. Using the
+    If you omit the version-prefix, the current version of the API (v1.47) is used.
+    For example, calling `/info` is the same as calling `/v1.47/info`. Using the
    API without a version-prefix is deprecated and will be removed in a future release.

    Engine releases in the near future should support this version of the API,
@@ -393,7 +393,7 @@ definitions:
               Make the mount non-recursively read-only, but still leave the mount recursive
               (unless NonRecursive is set to `true` in conjunction).

-               Addded in v1.44, before that version all read-only mounts were
+               Added in v1.44, before that version all read-only mounts were
               non-recursive by default. To match the previous behaviour this
               will default to `true` for clients on versions prior to v1.44.
            type: "boolean"
@@ -1195,6 +1195,7 @@ definitions:
              - "default"
              - "process"
              - "hyperv"
+              - ""
          MaskedPaths:
            type: "array"
            description: |
@@ -1384,7 +1385,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.47.
+          > always empty. It must not be used, and will be removed in API v1.48.
        type: "string"
        example: ""
      Domainname:
@@ -1394,7 +1395,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.47.
+          > always empty. It must not be used, and will be removed in API v1.48.
        type: "string"
        example: ""
      User:
@@ -1408,7 +1409,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1419,7 +1420,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1430,7 +1431,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1457,7 +1458,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1468,7 +1469,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1479,7 +1480,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.47.
+          > always false. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1516,7 +1517,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.47.
+          > always empty. It must not be used, and will be removed in API v1.48.
        type: "string"
        default: ""
        example: ""
@@ -1555,7 +1556,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.47.
+          > always omitted. It must not be used, and will be removed in API v1.48.
        type: "boolean"
        default: false
        example: false
@@ -1567,7 +1568,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.47.
+          > always omitted. It must not be used, and will be removed in API v1.48.
        type: "string"
        default: ""
        example: ""
@@ -1601,7 +1602,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.47.
+          > always omitted. It must not be used, and will be removed in API v1.48.
        type: "integer"
        default: 10
        x-nullable: true
@@ -2216,7 +2217,7 @@ definitions:
      Created:
        description: |
          Date and time at which the image was created as a Unix timestamp
-          (number of seconds sinds EPOCH).
+          (number of seconds since EPOCH).
        type: "integer"
        x-nullable: false
        example: "1644009612"
@@ -2265,6 +2266,19 @@ definitions:
        x-nullable: false
        type: "integer"
        example: 2
+      Manifests:
+        description: |
+          Manifests is a list of manifests available in this image.
+          It provides a more detailed view of the platform-specific image manifests
+          or other image-attached data like build attestations.
+
+          WARNING: This is experimental and may change at any time without any backward
+          compatibility.
+        type: "array"
+        x-nullable: false
+        x-omitempty: true
+        items:
+          $ref: "#/definitions/ImageManifestSummary"

  AuthConfig:
    type: "object"
@@ -2500,7 +2514,7 @@ definitions:
        example: false
      Attachable:
        description: |
-          Wheter a global / swarm scope network is manually attachable by regular
+          Whether a global / swarm scope network is manually attachable by regular
          containers from workers in swarm mode.
        type: "boolean"
        default: false
@@ -3723,7 +3737,7 @@ definitions:
                example: "json-file"
              Options:
                description: |
-                  Driver-specific options for the selectd log driver, specified
+                  Driver-specific options for the selected log driver, specified
                  as key/value pairs.
                type: "object"
                additionalProperties:
@@ -4167,6 +4181,7 @@ definitions:
              - "default"
              - "process"
              - "hyperv"
+              - ""
          Init:
            description: |
              Run an init inside the container that forwards signals and reaps
@@ -5318,7 +5333,7 @@ definitions:
        description: |
          The default (and highest) API version that is supported by the daemon
        type: "string"
-        example: "1.46"
+        example: "1.47"
      MinAPIVersion:
        description: |
          The minimum API version that is supported by the daemon
@@ -5334,7 +5349,7 @@ definitions:
          The version Go used to compile the daemon, and the version of the Go
          runtime in use.
        type: "string"
-        example: "go1.21.12"
+        example: "go1.22.7"
      Os:
        description: |
          The operating system that the daemon is running on ("linux" or "windows")
@@ -5737,6 +5752,7 @@ definitions:
          - "default"
          - "hyperv"
          - "process"
+          - ""
      InitBinary:
        description: |
          Name and, optional, path of the `docker-init` binary.
@@ -5807,8 +5823,6 @@ definitions:
          type: "string"
        example:
          - "WARNING: No memory limit support"
-          - "WARNING: bridge-nf-call-iptables is disabled"
-          - "WARNING: bridge-nf-call-ip6tables is disabled"
      CDISpecDirs:
        description: |
          List of directories where (Container Device Interface) CDI
@@ -5830,13 +5844,13 @@ definitions:
          - "/var/run/cdi"
      Containerd:
        $ref: "#/definitions/ContainerdInfo"
-        x-nullable: true

  ContainerdInfo:
    description: |
      Information for connecting to the containerd instance that is used by the daemon.
      This is included for debugging purposes only.
    type: "object"
+    x-nullable: true
    properties:
      Address:
        description: "The address of the containerd socket."
@@ -6644,6 +6658,120 @@ definitions:
    additionalProperties:
      type: "string"

+  ImageManifestSummary:
+    x-go-name: "ManifestSummary"
+    description: |
+      ImageManifestSummary represents a summary of an image manifest.
+    type: "object"
+    required: ["ID", "Descriptor", "Available", "Size", "Kind"]
+    properties:
+      ID:
+        description: |
+          ID is the content-addressable ID of an image and is the same as the
+          digest of the image manifest.
+        type: "string"
+        example: "sha256:95869fbcf224d947ace8d61d0e931d49e31bb7fc67fffbbe9c3198c33aa8e93f"
+      Descriptor:
+        $ref: "#/definitions/OCIDescriptor"
+      Available:
+        description: Indicates whether all the child content (image config, layers) is fully available locally.
+        type: "boolean"
+        example: true
+      Size:
+        type: "object"
+        x-nullable: false
+        required: ["Content", "Total"]
+        properties:
+          Total:
+            type: "integer"
+            format: "int64"
+            example: 8213251
+            description: |
+              Total is the total size (in bytes) of all the locally present
+              data (both distributable and non-distributable) that's related to
+              this manifest and its children.
+              This equal to the sum of [Content] size AND all the sizes in the
+              [Size] struct present in the Kind-specific data struct.
+              For example, for an image kind (Kind == "image")
+              this would include the size of the image content and unpacked
+              image snapshots ([Size.Content] + [ImageData.Size.Unpacked]).
+          Content:
+            description: |
+              Content is the size (in bytes) of all the locally present
+              content in the content store (e.g. image config, layers)
+              referenced by this manifest and its children.
+              This only includes blobs in the content store.
+            type: "integer"
+            format: "int64"
+            example: 3987495
+      Kind:
+        type: "string"
+        example: "image"
+        enum:
+          - "image"
+          - "attestation"
+          - "unknown"
+        description: |
+          The kind of the manifest.
+
+          kind         | description
+          -------------|-----------------------------------------------------------
+          image        | Image manifest that can be used to start a container.
+          attestation  | Attestation manifest produced by the Buildkit builder for a specific image manifest.
+      ImageData:
+        description: |
+          The image data for the image manifest.
+          This field is only populated when Kind is "image".
+        type: "object"
+        x-nullable: true
+        x-omitempty: true
+        required: ["Platform", "Containers", "Size", "UnpackedSize"]
+        properties:
+          Platform:
+            $ref: "#/definitions/OCIPlatform"
+            description: |
+              OCI platform of the image. This will be the platform specified in the
+              manifest descriptor from the index/manifest list.
+              If it's not available, it will be obtained from the image config.
+          Containers:
+            description: |
+              The IDs of the containers that are using this image.
+            type: "array"
+            items:
+              type: "string"
+            example: ["ede54ee1fda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c7430", "abadbce344c096744d8d6071a90d474d28af8f1034b5ea9fb03c3f4bfc6d005e"]
+          Size:
+            type: "object"
+            x-nullable: false
+            required: ["Unpacked"]
+            properties:
+              Unpacked:
+                type: "integer"
+                format: "int64"
+                example: 3987495
+                description: |
+                  Unpacked is the size (in bytes) of the locally unpacked
+                  (uncompressed) image content that's directly usable by the containers
+                  running this image.
+                  It's independent of the distributable content - e.g.
+                  the image might still have an unpacked data that's still used by
+                  some container even when the distributable/compressed content is
+                  already gone.
+      AttestationData:
+        description: |
+          The image data for the attestation manifest.
+          This field is only populated when Kind is "attestation".
+        type: "object"
+        x-nullable: true
+        x-omitempty: true
+        required: ["For"]
+        properties:
+          For:
+            description: |
+              The digest of the image manifest that this attestation is for.
+            type: "string"
+            example: "sha256:95869fbcf224d947ace8d61d0e931d49e31bb7fc67fffbbe9c3198c33aa8e93f"
+
 paths:
  /containers/json:
    get:
@@ -7585,7 +7713,7 @@ paths:
        * Memory usage % = `(used_memory / available_memory) * 100.0`
        * cpu_delta = `cpu_stats.cpu_usage.total_usage - precpu_stats.cpu_usage.total_usage`
        * system_cpu_delta = `cpu_stats.system_cpu_usage - precpu_stats.system_cpu_usage`
-        * number_cpus = `lenght(cpu_stats.cpu_usage.percpu_usage)` or `cpu_stats.online_cpus`
+        * number_cpus = `length(cpu_stats.cpu_usage.percpu_usage)` or `cpu_stats.online_cpus`
        * CPU usage % = `(cpu_delta / system_cpu_delta) * number_cpus * 100.0`
      operationId: "ContainerStats"
      produces: ["application/json"]
@@ -7749,10 +7877,12 @@ paths:
          type: "string"
        - name: "h"
          in: "query"
+          required: true
          description: "Height of the TTY session in characters"
          type: "integer"
        - name: "w"
          in: "query"
+          required: true
          description: "Width of the TTY session in characters"
          type: "integer"
      tags: ["Container"]
@@ -8622,6 +8752,11 @@ paths:
          description: "Show digest information as a `RepoDigests` field on each image."
          type: "boolean"
          default: false
+        - name: "manifests"
+          in: "query"
+          description: "Include `Manifests` in the image summary."
+          type: "boolean"
+          default: false
      tags: ["Image"]
  /build:
    post:
@@ -9094,13 +9229,37 @@ paths:
      parameters:
        - name: "name"
          in: "path"
-          description: "Image name or ID."
+          description: |
+            Name of the image to push. For example, `registry.example.com/myimage`.
+            The image must be present in the local image store with the same name.
+
+            The name should be provided without tag; if a tag is provided, it
+            is ignored. For example, `registry.example.com/myimage:latest` is
+            considered equivalent to `registry.example.com/myimage`.
+
+            Use the `tag` parameter to specify the tag to push.
          type: "string"
          required: true
        - name: "tag"
          in: "query"
-          description: "The tag to associate with the image on the registry."
+          description: |
+            Tag of the image to push. For example, `latest`. If no tag is provided,
+            all tags of the given image that are present in the local image store
+            are pushed.
          type: "string"
+        - name: "platform"
+          type: "string"
+          in: "query"
+          description: |
+            JSON-encoded OCI platform to select the platform-variant to push.
+            If not provided, all available variants will attempt to be pushed.
+
+            If the daemon provides a multi-platform image store, this selects
+            the platform-variant to push to the registry. If the image is
+            a single-platform image, or if the multi-platform image does not
+            provide a variant matching the given platform, an error is returned.
+
+            Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
        - name: "X-Registry-Auth"
          in: "header"
          description: |
@@ -9110,11 +9269,6 @@ paths:
            details.
          type: "string"
          required: true
-        - name: "platform"
-          in: "query"
-          description: "Select a platform-specific manifest to be pushed. OCI platform (JSON encoded)"
-          type: "string"
-          x-nullable: true
      tags: ["Image"]
  /images/{name}/tag:
    post:
@@ -9410,7 +9564,7 @@ paths:
            type: "string"
            example: "OK"
          headers:
-            API-Version:
+            Api-Version:
              type: "string"
              description: "Max API Version the server supports"
            Builder-Version:
@@ -9466,7 +9620,7 @@ paths:
            type: "string"
            example: "(empty)"
          headers:
-            API-Version:
+            Api-Version:
              type: "string"
              description: "Max API Version the server supports"
            Builder-Version:
@@ -10060,10 +10214,12 @@ paths:
          type: "string"
        - name: "h"
          in: "query"
+          required: true
          description: "Height of the TTY session in characters"
          type: "integer"
        - name: "w"
          in: "query"
+          required: true
          description: "Width of the TTY session in characters"
          type: "integer"
      tags: ["Exec"]
@@ -11479,6 +11635,7 @@ paths:
            example:
              ListenAddr: "0.0.0.0:2377"
              AdvertiseAddr: "192.168.1.1:2377"
+              DataPathAddr: "192.168.1.1"
              RemoteAddrs:
                - "node1:2377"
              JoinToken: "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
--- a/api/types/container/hostconfig.go
+++ b/api/types/container/hostconfig.go
@@ -1,6 +1,7 @@
 package container // import "github.com/docker/docker/api/types/container"

 import (
+	"errors"
 	"fmt"
 	"strings"

@@ -9,7 +10,7 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
 	"github.com/docker/go-connections/nat"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )

 // CgroupnsMode represents the cgroup namespace mode of the container
@@ -325,12 +326,12 @@ func ValidateRestartPolicy(policy RestartPolicy) error {
 			if policy.MaximumRetryCount < 0 {
 				msg += " and cannot be negative"
 			}
-			return &errInvalidParameter{fmt.Errorf(msg)}
+			return &errInvalidParameter{errors.New(msg)}
 		}
 		return nil
 	case RestartPolicyOnFailure:
 		if policy.MaximumRetryCount < 0 {
-			return &errInvalidParameter{fmt.Errorf("invalid restart policy: maximum retry count cannot be negative")}
+			return &errInvalidParameter{errors.New("invalid restart policy: maximum retry count cannot be negative")}
 		}
 		return nil
 	case "":
--- a/api/types/filters/parse.go
+++ b/api/types/filters/parse.go
@@ -196,7 +196,7 @@ func (args Args) Match(field, source string) bool {
 }

 // GetBoolOrDefault returns a boolean value of the key if the key is present
-// and is intepretable as a boolean value. Otherwise the default value is returned.
+// and is interpretable as a boolean value. Otherwise the default value is returned.
 // Error is not nil only if the filter values are not valid boolean or are conflicting.
 func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	fieldValues, ok := args.fields[key]
--- a/api/types/image/manifest.go
+++ b/api/types/image/manifest.go
@@ -0,0 +1,99 @@
+package image
+
+import (
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type ManifestKind string
+
+const (
+	ManifestKindImage       ManifestKind = "image"
+	ManifestKindAttestation ManifestKind = "attestation"
+	ManifestKindUnknown     ManifestKind = "unknown"
+)
+
+type ManifestSummary struct {
+	// ID is the content-addressable ID of an image and is the same as the
+	// digest of the image manifest.
+	//
+	// Required: true
+	ID string `json:"ID"`
+
+	// Descriptor is the OCI descriptor of the image.
+	//
+	// Required: true
+	Descriptor ocispec.Descriptor `json:"Descriptor"`
+
+	// Indicates whether all the child content (image config, layers) is
+	// fully available locally
+	//
+	// Required: true
+	Available bool `json:"Available"`
+
+	// Size is the size information of the content related to this manifest.
+	// Note: These sizes only take the locally available content into account.
+	//
+	// Required: true
+	Size struct {
+		// Content is the size (in bytes) of all the locally present
+		// content in the content store (e.g. image config, layers)
+		// referenced by this manifest and its children.
+		// This only includes blobs in the content store.
+		Content int64 `json:"Content"`
+
+		// Total is the total size (in bytes) of all the locally present
+		// data (both distributable and non-distributable) that's related to
+		// this manifest and its children.
+		// This equal to the sum of [Content] size AND all the sizes in the
+		// [Size] struct present in the Kind-specific data struct.
+		// For example, for an image kind (Kind == ManifestKindImage),
+		// this would include the size of the image content and unpacked
+		// image snapshots ([Size.Content] + [ImageData.Size.Unpacked]).
+		Total int64 `json:"Total"`
+	} `json:"Size"`
+
+	// Kind is the kind of the image manifest.
+	//
+	// Required: true
+	Kind ManifestKind `json:"Kind"`
+
+	// Fields below are specific to the kind of the image manifest.
+
+	// Present only if Kind == ManifestKindImage.
+	ImageData *ImageProperties `json:"ImageData,omitempty"`
+
+	// Present only if Kind == ManifestKindAttestation.
+	AttestationData *AttestationProperties `json:"AttestationData,omitempty"`
+}
+
+type ImageProperties struct {
+	// Platform is the OCI platform object describing the platform of the image.
+	//
+	// Required: true
+	Platform ocispec.Platform `json:"Platform"`
+
+	Size struct {
+		// Unpacked is the size (in bytes) of the locally unpacked
+		// (uncompressed) image content that's directly usable by the containers
+		// running this image.
+		// It's independent of the distributable content - e.g.
+		// the image might still have an unpacked data that's still used by
+		// some container even when the distributable/compressed content is
+		// already gone.
+		//
+		// Required: true
+		Unpacked int64 `json:"Unpacked"`
+	}
+
+	// Containers is an array containing the IDs of the containers that are
+	// using this image.
+	//
+	// Required: true
+	Containers []string `json:"Containers"`
+}
+
+type AttestationProperties struct {
+	// For is the digest of the image manifest that this attestation is for.
+	For digest.Digest `json:"For"`
+}
--- a/api/types/image/opts.go
+++ b/api/types/image/opts.go
@@ -76,6 +76,9 @@ type ListOptions struct {

 	// ContainerCount indicates whether container count should be computed.
 	ContainerCount bool
+
+	// Manifests indicates whether the image manifests should be returned.
+	Manifests bool
 }

 // RemoveOptions holds parameters to remove images.
--- a/api/types/image/summary.go
+++ b/api/types/image/summary.go
@@ -1,10 +1,5 @@
 package image

-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-// Summary summary
-// swagger:model Summary
 type Summary struct {

 	// Number of containers using this image. Includes both stopped and running
@@ -17,7 +12,7 @@ type Summary struct {
 	Containers int64 `json:"Containers"`

 	// Date and time at which the image was created as a Unix timestamp
-	// (number of seconds sinds EPOCH).
+	// (number of seconds since EPOCH).
 	//
 	// Required: true
 	Created int64 `json:"Created"`
@@ -47,6 +42,14 @@ type Summary struct {
 	// Required: true
 	ParentID string `json:"ParentId"`

+	// Manifests is a list of image manifests available in this image.  It
+	// provides a more detailed view of the platform-specific image manifests or
+	// other image-attached data like build attestations.
+	//
+	// WARNING: This is experimental and may change at any time without any backward
+	// compatibility.
+	Manifests []ManifestSummary `json:"Manifests,omitempty"`
+
 	// List of content-addressable digests of locally available image manifests
 	// that the image is referenced from. Multiple manifests can refer to the
 	// same image.
--- a/api/types/network/endpoint_test.go
+++ b/api/types/network/endpoint_test.go
@@ -102,7 +102,6 @@ func TestEndpointIPAMConfigWithOutOfRangeAddrs(t *testing.T) {
 			}
 		})
 	}
-
 }

 func TestEndpointIPAMConfigWithInvalidConfig(t *testing.T) {
--- a/api/types/registry/authconfig.go
+++ b/api/types/registry/authconfig.go
@@ -34,10 +34,9 @@ type AuthConfig struct {
 }

 // EncodeAuthConfig serializes the auth configuration as a base64url encoded
-// RFC4648, section 5) JSON string for sending through the X-Registry-Auth header.
+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.
 //
-// For details on base64url encoding, see:
-// - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
 func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
 	buf, err := json.Marshal(authConfig)
 	if err != nil {
@@ -46,15 +45,14 @@ func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
 	return base64.URLEncoding.EncodeToString(buf), nil
 }

-// DecodeAuthConfig decodes base64url encoded (RFC4648, section 5) JSON
+// DecodeAuthConfig decodes base64url encoded ([RFC4648, section 5]) JSON
 // authentication information as sent through the X-Registry-Auth header.
 //
-// This function always returns an AuthConfig, even if an error occurs. It is up
+// This function always returns an [AuthConfig], even if an error occurs. It is up
 // to the caller to decide if authentication is required, and if the error can
 // be ignored.
 //
-// For details on base64url encoding, see:
-// - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
 func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
 	if authEncoded == "" {
 		return &AuthConfig{}, nil
@@ -69,7 +67,7 @@ func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
 // clients and API versions. Current clients and API versions expect authentication
 // to be provided through the X-Registry-Auth header.
 //
-// Like DecodeAuthConfig, this function always returns an AuthConfig, even if an
+// Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an
 // error occurs. It is up to the caller to decide if authentication is required,
 // and if the error can be ignored.
 func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {
--- a/api/types/swarm/swarm.go
+++ b/api/types/swarm/swarm.go
@@ -122,7 +122,7 @@ type CAConfig struct {
 	SigningCAKey  string `json:",omitempty"`

 	// If this value changes, and there is no specified signing cert and key,
-	// then the swarm is forced to generate a new root certificate ane key.
+	// then the swarm is forced to generate a new root certificate and key.
 	ForceRotate uint64 `json:",omitempty"`
 }

--- a/api/types/types.go
+++ b/api/types/types.go
@@ -484,4 +484,6 @@ type BuildCachePruneOptions struct {
 	All         bool
 	KeepStorage int64
 	Filters     filters.Args
+
+	// FIXME(thaJeztah): add new options; see https://github.com/moby/moby/issues/48639
 }
--- a/api/types/volume/cluster_volume.go
+++ b/api/types/volume/cluster_volume.go
@@ -414,7 +414,7 @@ type Info struct {
 	// the Volume has not been successfully created yet.
 	VolumeID string `json:",omitempty"`

-	// AccessibleTopolgoy is the topology this volume is actually accessible
+	// AccessibleTopology is the topology this volume is actually accessible
 	// from.
 	AccessibleTopology []Topology `json:",omitempty"`
 }
--- a/builder/builder-next/adapters/containerimage/pull.go
+++ b/builder/builder-next/adapters/containerimage/pull.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package containerimage

--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@@ -38,6 +38,7 @@ import (
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
 	grpcmetadata "google.golang.org/grpc/metadata"
+	"google.golang.org/protobuf/proto"
 )

 type errMultipleFilterValues struct{}
@@ -162,16 +163,29 @@ func (b *Builder) DiskUsage(ctx context.Context) ([]*types.BuildCache, error) {
 			Description: r.Description,
 			InUse:       r.InUse,
 			Shared:      r.Shared,
-			Size:        r.Size_,
-			CreatedAt:   r.CreatedAt,
-			LastUsedAt:  r.LastUsedAt,
-			UsageCount:  int(r.UsageCount),
+			Size:        r.Size,
+			CreatedAt: func() time.Time {
+				if r.CreatedAt != nil {
+					return r.CreatedAt.AsTime()
+				}
+				return time.Time{}
+			}(),
+			LastUsedAt: func() *time.Time {
+				if r.LastUsedAt == nil {
+					return nil
+				}
+				t := r.LastUsedAt.AsTime()
+				return &t
+			}(),
+			UsageCount: int(r.UsageCount),
 		})
 	}
 	return items, nil
 }

-// Prune clears all reclaimable build cache
+// Prune clears all reclaimable build cache.
+//
+// FIXME(thaJeztah): wire up new options https://github.com/moby/moby/issues/48639
 func (b *Builder) Prune(ctx context.Context, opts types.BuildCachePruneOptions) (int64, []string, error) {
 	ch := make(chan *controlapi.UsageRecord)

@@ -197,10 +211,10 @@ func (b *Builder) Prune(ctx context.Context, opts types.BuildCachePruneOptions)
 	eg.Go(func() error {
 		defer close(ch)
 		return b.controller.Prune(&controlapi.PruneRequest{
-			All:          pi.All,
-			KeepDuration: int64(pi.KeepDuration),
-			KeepBytes:    pi.KeepBytes,
-			Filter:       pi.Filter,
+			All:           pi.All,
+			KeepDuration:  int64(pi.KeepDuration),
+			ReservedSpace: pi.ReservedSpace,
+			Filter:        pi.Filter,
 		}, &pruneProxy{
 			streamProxy: streamProxy{ctx: ctx},
 			ch:          ch,
@@ -211,7 +225,7 @@ func (b *Builder) Prune(ctx context.Context, opts types.BuildCachePruneOptions)
 	var cacheIDs []string
 	eg.Go(func() error {
 		for r := range ch {
-			size += r.Size_
+			size += r.Size
 			cacheIDs = append(cacheIDs, r.ID)
 		}
 		return nil
@@ -381,7 +395,7 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
 		exporterAttrs["name"] = strings.Join(nameAttr, ",")
 	}

-	cache := controlapi.CacheOptions{}
+	cache := &controlapi.CacheOptions{}
 	if inlineCache := opt.Options.BuildArgs["BUILDKIT_INLINE_CACHE"]; inlineCache != nil {
 		if b, err := strconv.ParseBool(*inlineCache); err == nil && b {
 			cache.Exports = append(cache.Exports, &controlapi.CacheOptionsEntry{
@@ -402,7 +416,7 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
 	}

 	if opt.Options.NetworkMode == "host" {
-		req.Entitlements = append(req.Entitlements, entitlements.EntitlementNetworkHost)
+		req.Entitlements = append(req.Entitlements, string(entitlements.EntitlementNetworkHost))
 	}

 	aux := streamformatter.AuxFormatter{Writer: opt.ProgressWriter.Output}
@@ -437,7 +451,7 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.

 	eg.Go(func() error {
 		for sr := range ch {
-			dt, err := sr.Marshal()
+			dt, err := proto.Marshal(sr)
 			if err != nil {
 				return err
 			}
@@ -624,6 +638,7 @@ func toBuildkitUlimits(inp []*container.Ulimit) (string, error) {
 	return strings.Join(ulimits, ","), nil
 }

+// FIXME(thaJeztah): wire-up new fields; see https://github.com/moby/moby/issues/48639
 func toBuildkitPruneInfo(opts types.BuildCachePruneOptions) (client.PruneInfo, error) {
 	var until time.Duration
 	untilValues := opts.Filters.Get("until")          // canonical
@@ -679,9 +694,9 @@ func toBuildkitPruneInfo(opts types.BuildCachePruneOptions) (client.PruneInfo, e
 		}
 	}
 	return client.PruneInfo{
-		All:          opts.All,
-		KeepDuration: until,
-		KeepBytes:    opts.KeepStorage,
-		Filter:       []string{strings.Join(bkFilter, ",")},
+		All:           opts.All,
+		KeepDuration:  until,
+		ReservedSpace: opts.KeepStorage,
+		Filter:        []string{strings.Join(bkFilter, ",")},
 	}, nil
 }
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -25,7 +25,7 @@ import (
 	wlabel "github.com/docker/docker/builder/builder-next/worker/label"
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/daemon/graphdriver"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/cache/metadata"
 	"github.com/moby/buildkit/cache/remotecache"
@@ -43,6 +43,8 @@ import (
 	containerdsnapshot "github.com/moby/buildkit/snapshot/containerd"
 	"github.com/moby/buildkit/solver"
 	"github.com/moby/buildkit/solver/bboltcachestorage"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/apicaps"
 	"github.com/moby/buildkit/util/archutil"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/network/netproviders"
@@ -55,9 +57,6 @@ import (
 	"go.etcd.io/bbolt"
 	bolt "go.etcd.io/bbolt"
 	"go.opentelemetry.io/otel/sdk/trace"
-
-	"github.com/moby/buildkit/solver/pb"
-	"github.com/moby/buildkit/util/apicaps"
 )

 func newController(ctx context.Context, rt http.RoundTripper, opt Opt) (*control.Controller, error) {
@@ -86,7 +85,7 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 		return nil, err
 	}

-	historyDB, historyConf, err := openHistoryDB(opt.Root, opt.BuilderConfig.History)
+	historyDB, historyConf, err := openHistoryDB(opt.Root, "history_c8d.db", opt.BuilderConfig.History)
 	if err != nil {
 		return nil, err
 	}
@@ -149,7 +148,7 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 	}
 	wo.Executor = exec

-	w, err := mobyworker.NewContainerdWorker(ctx, wo, opt.Callbacks)
+	w, err := mobyworker.NewContainerdWorker(ctx, wo, opt.Callbacks, rt)
 	if err != nil {
 		return nil, err
 	}
@@ -194,11 +193,12 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 		LeaseManager:   wo.LeaseManager,
 		ContentStore:   wo.ContentStore,
 		TraceCollector: getTraceExporter(ctx),
+		GarbageCollect: w.GarbageCollect,
 	})
 }

-func openHistoryDB(root string, cfg *config.BuilderHistoryConfig) (*bolt.DB, *bkconfig.HistoryConfig, error) {
-	db, err := bbolt.Open(filepath.Join(root, "history.db"), 0o600, nil)
+func openHistoryDB(root string, fn string, cfg *config.BuilderHistoryConfig) (*bolt.DB, *bkconfig.HistoryConfig, error) {
+	db, err := bbolt.Open(filepath.Join(root, fn), 0o600, nil)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -344,7 +344,7 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 		return nil, err
 	}

-	historyDB, historyConf, err := openHistoryDB(opt.Root, opt.BuilderConfig.History)
+	historyDB, historyConf, err := openHistoryDB(opt.Root, "history.db", opt.BuilderConfig.History)
 	if err != nil {
 		return nil, err
 	}
@@ -382,6 +382,7 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 		Layers:            layers,
 		Platforms:         archutil.SupportedPlatforms(true),
 		LeaseManager:      lm,
+		GarbageCollect:    mdb.GarbageCollect,
 		Labels:            getLabels(opt, nil),
 	}

@@ -421,6 +422,7 @@ func newGraphDriverController(ctx context.Context, rt http.RoundTripper, opt Opt
 		HistoryDB:      historyDB,
 		HistoryConfig:  historyConf,
 		TraceCollector: getTraceExporter(ctx),
+		GarbageCollect: w.GarbageCollect,
 	})
 }

@@ -435,7 +437,7 @@ func getGCPolicy(conf config.BuilderConfig, root string) ([]client.PruneInfo, er
 		if conf.GC.DefaultKeepStorage != "" {
 			defaultKeepStorage, err = units.RAMInBytes(conf.GC.DefaultKeepStorage)
 			if err != nil {
-				return nil, errors.Wrapf(err, "could not parse '%s' as Builder.GC.DefaultKeepStorage config", conf.GC.DefaultKeepStorage)
+				return nil, errors.Wrapf(err, "failed to parse defaultKeepStorage")
 			}
 		}

@@ -444,13 +446,18 @@ func getGCPolicy(conf config.BuilderConfig, root string) ([]client.PruneInfo, er
 		} else {
 			gcPolicy = make([]client.PruneInfo, len(conf.GC.Policy))
 			for i, p := range conf.GC.Policy {
-				b, err := units.RAMInBytes(p.KeepStorage)
-				if err != nil {
-					return nil, err
+				var b int64
+				if p.KeepStorage != "" {
+					b, err = units.RAMInBytes(p.KeepStorage)
+					if err != nil {
+						return nil, errors.Wrapf(err, "failed to parse keepStorage")
+					}
 				}
 				if b == 0 {
 					b = defaultKeepStorage
 				}
+
+				// FIXME(thaJeztah): wire up new options https://github.com/moby/moby/issues/48639
 				gcPolicy[i], err = toBuildkitPruneInfo(types.BuildCachePruneOptions{
 					All:         p.All,
 					KeepStorage: b,
--- a/builder/builder-next/worker/containerdworker.go
+++ b/builder/builder-next/worker/containerdworker.go
@@ -2,11 +2,14 @@ package worker

 import (
 	"context"
+	nethttp "net/http"

+	"github.com/containerd/log"
 	"github.com/docker/docker/builder/builder-next/exporter"
 	"github.com/moby/buildkit/client"
 	bkexporter "github.com/moby/buildkit/exporter"
 	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/source/http"
 	"github.com/moby/buildkit/worker/base"
 )

@@ -17,11 +20,21 @@ type ContainerdWorker struct {
 }

 // NewContainerdWorker instantiates a local worker.
-func NewContainerdWorker(ctx context.Context, wo base.WorkerOpt, callbacks exporter.BuildkitCallbacks) (*ContainerdWorker, error) {
+func NewContainerdWorker(ctx context.Context, wo base.WorkerOpt, callbacks exporter.BuildkitCallbacks, rt nethttp.RoundTripper) (*ContainerdWorker, error) {
 	bw, err := base.NewWorker(ctx, wo)
 	if err != nil {
 		return nil, err
 	}
+	hs, err := http.NewSource(http.Opt{
+		CacheAccessor: bw.CacheManager(),
+		Transport:     rt,
+	})
+	if err == nil {
+		bw.SourceManager.Register(hs)
+	} else {
+		log.G(ctx).Warnf("Could not register builder http source: %s", err)
+	}
+
 	return &ContainerdWorker{Worker: bw, callbacks: callbacks}, nil
 }

--- a/builder/builder-next/worker/gc.go
+++ b/builder/builder-next/worker/gc.go
@@ -27,26 +27,27 @@ func DefaultGCPolicy(p string, defaultKeepBytes int64) []client.PruneInfo {
 		tempCacheKeepBytes = minTempCacheKeepBytes
 	}

+	// FIXME(thaJeztah): wire up new options https://github.com/moby/moby/issues/48639
 	return []client.PruneInfo{
 		// if build cache uses more than 512MB delete the most easily reproducible data after it has not been used for 2 days
 		{
-			Filter:       []string{"type==source.local,type==exec.cachemount,type==source.git.checkout"},
-			KeepDuration: 48 * time.Hour,
-			KeepBytes:    tempCacheKeepBytes,
+			Filter:        []string{"type==source.local,type==exec.cachemount,type==source.git.checkout"},
+			KeepDuration:  48 * time.Hour,
+			ReservedSpace: tempCacheKeepBytes,
 		},
 		// remove any data not used for 60 days
 		{
-			KeepDuration: 60 * 24 * time.Hour,
-			KeepBytes:    keep,
+			KeepDuration:  60 * 24 * time.Hour,
+			ReservedSpace: keep,
 		},
 		// keep the unshared build cache under cap
 		{
-			KeepBytes: keep,
+			ReservedSpace: keep,
 		},
 		// if previous policies were insufficient start deleting internal data to keep build cache under cap
 		{
-			All:       true,
-			KeepBytes: keep,
+			All:           true,
+			ReservedSpace: keep,
 		},
 	}
 }
--- a/builder/builder-next/worker/worker.go
+++ b/builder/builder-next/worker/worker.go
@@ -8,8 +8,10 @@ import (
 	"time"

 	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/gc"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/rootfs"
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/containerd/platforms"
 	imageadapter "github.com/docker/docker/builder/builder-next/adapters/containerimage"
@@ -76,6 +78,7 @@ type Opt struct {
 	ContentStore      *containerdsnapshot.Store
 	CacheManager      cache.Manager
 	LeaseManager      *leaseutil.Manager
+	GarbageCollect    func(context.Context) (gc.Stats, error)
 	ImageSource       *imageadapter.Source
 	DownloadManager   *xfer.LayerDownloadManager
 	V2MetadataService distmetadata.V2MetadataService
@@ -183,6 +186,14 @@ func (w *Worker) BuildkitVersion() client.BuildkitVersion {
 	}
 }

+func (w *Worker) GarbageCollect(ctx context.Context) error {
+	if w.Opt.GarbageCollect == nil {
+		return nil
+	}
+	_, err := w.Opt.GarbageCollect(ctx)
+	return err
+}
+
 // Close closes the worker and releases all resources
 func (w *Worker) Close() error {
 	return nil
@@ -353,13 +364,13 @@ func (w *Worker) GetRemotes(ctx context.Context, ref cache.ImmutableRef, createI
 }

 // PruneCacheMounts removes the current cache snapshots for specified IDs
-func (w *Worker) PruneCacheMounts(ctx context.Context, ids []string) error {
+func (w *Worker) PruneCacheMounts(ctx context.Context, ids map[string]bool) error {
 	mu := mounts.CacheMountsLocker()
 	mu.Lock()
 	defer mu.Unlock()

-	for _, id := range ids {
-		mds, err := mounts.SearchCacheDir(ctx, w.CacheManager(), id)
+	for id, nested := range ids {
+		mds, err := mounts.SearchCacheDir(ctx, w.CacheManager(), id, nested)
 		if err != nil {
 			return err
 		}
@@ -572,5 +583,5 @@ func (p *emptyProvider) ReaderAt(ctx context.Context, dec ocispec.Descriptor) (c
 }

 func (p *emptyProvider) Info(ctx context.Context, d digest.Digest) (content.Info, error) {
-	return content.Info{}, errors.Errorf("Info not implemented for empty provider")
+	return content.Info{}, errors.Wrapf(cerrdefs.ErrNotImplemented, "Info not implemented for empty provider")
 }
--- a/builder/dockerfile/copy_windows.go
+++ b/builder/dockerfile/copy_windows.go
@@ -8,8 +8,8 @@ import (

 	winio "github.com/Microsoft/go-winio"
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/pkg/reexec"
 	"github.com/docker/docker/pkg/system"
+	"github.com/moby/sys/reexec"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 )
--- a/builder/dockerfile/evaluator_test.go
+++ b/builder/dockerfile/evaluator_test.go
@@ -8,8 +8,8 @@ import (

 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/reexec"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/sys/reexec"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/skip"
--- a/builder/dockerfile/internals_linux.go
+++ b/builder/dockerfile/internals_linux.go
@@ -27,25 +27,25 @@ func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState,

 	passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs")
+		return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/passwd path in container rootfs")
 	}
 	groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs")
+		return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/group path in container rootfs")
 	}
 	uid, err := lookupUser(userStr, passwdPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrapf(err, "can't find uid for user "+userStr)
+		return idtools.Identity{}, errors.Wrap(err, "can't find uid for user "+userStr)
 	}
 	gid, err := lookupGroup(grpStr, groupPath)
 	if err != nil {
-		return idtools.Identity{}, errors.Wrapf(err, "can't find gid for group "+grpStr)
+		return idtools.Identity{}, errors.Wrap(err, "can't find gid for group "+grpStr)
 	}

 	// convert as necessary because of user namespaces
 	chownPair, err := identityMapping.ToHost(idtools.Identity{UID: uid, GID: gid})
 	if err != nil {
-		return idtools.Identity{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping")
+		return idtools.Identity{}, errors.Wrap(err, "unable to convert uid/gid to host mapping")
 	}
 	return chownPair, nil
 }
--- a/builder/dockerfile/utils_test.go
+++ b/builder/dockerfile/utils_test.go
@@ -17,7 +17,6 @@ func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {

 	return path, func() {
 		err = os.RemoveAll(path)
-
 		if err != nil {
 			t.Fatalf("Error when removing directory %s: %s", path, err)
 		}
--- a/builder/remotecontext/tarsum_test.go
+++ b/builder/remotecontext/tarsum_test.go
@@ -7,7 +7,7 @@ import (

 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/reexec"
+	"github.com/moby/sys/reexec"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/skip"
 )
@@ -33,7 +33,6 @@ func TestCloseRootDirectory(t *testing.T) {

 	src := makeTestArchiveContext(t, contextDir)
 	err = src.Close()
-
 	if err != nil {
 		t.Fatalf("Error while executing Close: %s", err)
 	}
--- a/builder/remotecontext/utils_test.go
+++ b/builder/remotecontext/utils_test.go
@@ -17,7 +17,6 @@ func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {

 	return path, func() {
 		err = os.RemoveAll(path)
-
 		if err != nil {
 			t.Fatalf("Error when removing directory %s: %s", path, err)
 		}
--- a/client/client.go
+++ b/client/client.go
@@ -2,7 +2,7 @@
 Package client is a Go client for the Docker Engine API.

 For more information about the Engine API, see the documentation:
-https://docs.docker.com/engine/api/
+https://docs.docker.com/reference/api/engine/

 # Usage

@@ -247,6 +247,14 @@ func (cli *Client) tlsConfig() *tls.Config {

 func defaultHTTPClient(hostURL *url.URL) (*http.Client, error) {
 	transport := &http.Transport{}
+	// Necessary to prevent long-lived processes using the
+	// client from leaking connections due to idle connections
+	// not being released.
+	// TODO: see if we can also address this from the server side,
+	// or in go-connections.
+	// see: https://github.com/moby/moby/issues/45539
+	transport.MaxIdleConns = 6
+	transport.IdleConnTimeout = 30 * time.Second
 	err := sockets.ConfigureTransport(transport, hostURL.Scheme, hostURL.Host)
 	if err != nil {
 		return nil, err
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -371,7 +371,7 @@ func TestNegotiateAPIVersionAutomatic(t *testing.T) {
 	var pingVersion string
 	httpClient := newMockClient(func(req *http.Request) (*http.Response, error) {
 		resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}}
-		resp.Header.Set("API-Version", pingVersion)
+		resp.Header.Set("Api-Version", pingVersion)
 		resp.Body = io.NopCloser(strings.NewReader("OK"))
 		return resp, nil
 	})
--- a/client/image_list.go
+++ b/client/image_list.go
@@ -11,6 +11,11 @@ import (
 )

 // ImageList returns a list of images in the docker host.
+//
+// Experimental: Setting the [options.Manifest] will populate
+// [image.Summary.Manifests] with information about image manifests.
+// This is experimental and might change in the future without any backward
+// compatibility.
 func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error) {
 	var images []image.Summary

@@ -47,6 +52,9 @@ func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]
 	if options.SharedSize && versions.GreaterThanOrEqualTo(cli.version, "1.42") {
 		query.Set("shared-size", "1")
 	}
+	if options.Manifests && versions.GreaterThanOrEqualTo(cli.version, "1.47") {
+		query.Set("manifests", "1")
+	}

 	serverResp, err := cli.get(ctx, "/images/json", query, nil)
 	defer ensureReaderClosed(serverResp)
--- a/client/ping.go
+++ b/client/ping.go
@@ -56,8 +56,8 @@ func parsePingResponse(cli *Client, resp serverResponse) (types.Ping, error) {
 		err := cli.checkResponseErr(resp)
 		return ping, errdefs.FromStatusCode(err, resp.statusCode)
 	}
-	ping.APIVersion = resp.header.Get("API-Version")
-	ping.OSType = resp.header.Get("OSType")
+	ping.APIVersion = resp.header.Get("Api-Version")
+	ping.OSType = resp.header.Get("Ostype")
 	if resp.header.Get("Docker-Experimental") == "true" {
 		ping.Experimental = true
 	}
--- a/client/ping_test.go
+++ b/client/ping_test.go
@@ -24,7 +24,7 @@ func TestPingFail(t *testing.T) {
 			resp := &http.Response{StatusCode: http.StatusInternalServerError}
 			if withHeader {
 				resp.Header = http.Header{}
-				resp.Header.Set("API-Version", "awesome")
+				resp.Header.Set("Api-Version", "awesome")
 				resp.Header.Set("Docker-Experimental", "true")
 				resp.Header.Set("Swarm", "inactive")
 			}
@@ -72,7 +72,7 @@ func TestPingSuccess(t *testing.T) {
 		client: newMockClient(func(req *http.Request) (*http.Response, error) {
 			resp := &http.Response{StatusCode: http.StatusOK}
 			resp.Header = http.Header{}
-			resp.Header.Set("API-Version", "awesome")
+			resp.Header.Set("Api-Version", "awesome")
 			resp.Header.Set("Docker-Experimental", "true")
 			resp.Header.Set("Swarm", "active/manager")
 			resp.Body = io.NopCloser(strings.NewReader("OK"))
@@ -122,7 +122,7 @@ func TestPingHeadFallback(t *testing.T) {
 						resp.StatusCode = tc.status
 					}
 					resp.Header = http.Header{}
-					resp.Header.Add("API-Version", strings.Join(reqs, ", "))
+					resp.Header.Add("Api-Version", strings.Join(reqs, ", "))
 					return resp, nil
 				}),
 			}
--- a/cmd/dockerd/config.go
+++ b/cmd/dockerd/config.go
@@ -4,6 +4,7 @@ import (
 	"runtime"

 	"github.com/docker/docker/daemon/config"
+	dopts "github.com/docker/docker/internal/opts"
 	"github.com/docker/docker/opts"
 	"github.com/docker/docker/registry"
 	"github.com/spf13/pflag"
@@ -28,6 +29,7 @@ func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVar(&conf.ExecRoot, "exec-root", conf.ExecRoot, "Root directory for execution state files")
 	flags.StringVar(&conf.ContainerdAddr, "containerd", "", "containerd grpc address")
 	flags.BoolVar(&conf.CriContainerd, "cri-containerd", false, "start containerd with cri")
+	flags.Var(dopts.NewNamedSetOpts("features", conf.Features), "feature", "Enable feature in the daemon")

 	flags.Var(opts.NewNamedMapMapOpts("default-network-opts", conf.DefaultNetworkOpts, nil), "default-network-opt", "Default network options")
 	flags.IntVar(&conf.MTU, "mtu", conf.MTU, `Set the MTU for the default "bridge" network`)
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -44,6 +44,7 @@ import (
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/daemon/listeners"
 	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/internal/otelutil"
 	"github.com/docker/docker/libcontainerd/supervisor"
 	dopts "github.com/docker/docker/opts"
 	"github.com/docker/docker/pkg/authorization"
@@ -64,8 +65,6 @@ import (
 	"github.com/spf13/pflag"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/propagation"
-	"go.opentelemetry.io/otel/sdk/resource"
-	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )

@@ -245,7 +244,7 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 	// Initialize the trace recorder for buildkit.
 	detect.Recorder = detect.NewTraceRecorder()

-	tp := newTracerProvider(ctx)
+	tp, otelShutdown := otelutil.NewTracerProvider(ctx, true)
 	otel.SetTracerProvider(tp)
 	log.G(ctx).Logger.AddHook(tracing.NewLogrusHook())

@@ -270,7 +269,7 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 	}

 	// Note that CDI is not inherently linux-specific, there are some linux-specific assumptions / implementations in the code that
-	// queries the properties of device on the host as wel as performs the injection of device nodes and their access permissions into the OCI spec.
+	// queries the properties of device on the host as well as performs the injection of device nodes and their access permissions into the OCI spec.
 	//
 	// In order to lift this restriction the following would have to be addressed:
 	// - Support needs to be added to the cdi package for injecting Windows devices: https://tags.cncf.io/container-device-interface/issues/28
@@ -297,16 +296,13 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {

 	log.G(ctx).Info("Daemon has completed initialization")

-	routerCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
 	// Get a the current daemon config, because the daemon sets up config
 	// during initialization. We cannot user the cli.Config for that reason,
 	// as that only holds the config that was set by the user.
 	//
 	// FIXME(thaJeztah): better separate runtime and config data?
 	daemonCfg := d.Config()
-	routerOpts, err := newRouterOptions(routerCtx, &daemonCfg, d, c)
+	routerOpts, err := newRouterOptions(ctx, &daemonCfg, d, c)
 	if err != nil {
 		return err
 	}
@@ -364,7 +360,7 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 		return errors.Wrap(err, "shutting down due to ServeAPI error")
 	}

-	if err := tp.Shutdown(context.Background()); err != nil {
+	if err := otelShutdown(context.WithoutCancel(ctx)); err != nil {
 		log.G(ctx).WithError(err).Error("Failed to shutdown OTEL tracing")
 	}

@@ -395,20 +391,6 @@ func setOTLPProtoDefault() {
 	}
 }

-func newTracerProvider(ctx context.Context) *sdktrace.TracerProvider {
-	opts := []sdktrace.TracerProviderOption{
-		sdktrace.WithResource(resource.Default()),
-		sdktrace.WithSyncer(detect.Recorder),
-	}
-
-	if exp, err := detect.NewSpanExporter(ctx); err != nil {
-		log.G(ctx).WithError(err).Warn("Failed to initialize tracing, skipping")
-	} else if !detect.IsNoneSpanExporter(exp) {
-		opts = append(opts, sdktrace.WithBatcher(exp))
-	}
-	return sdktrace.NewTracerProvider(opts...)
-}
-
 type routerOptions struct {
 	sessionManager *session.Manager
 	buildBackend   *buildbackend.Backend
--- a/cmd/dockerd/daemon_linux_test.go
+++ b/cmd/dockerd/daemon_linux_test.go
@@ -9,7 +9,7 @@ import (
 	"testing"

 	"github.com/docker/docker/daemon/config"
-	"github.com/docker/docker/pkg/reexec"
+	"github.com/moby/sys/reexec"
 	"golang.org/x/sys/unix"
 	"gotest.tools/v3/assert"
 )
--- a/cmd/dockerd/daemon_test.go
+++ b/cmd/dockerd/daemon_test.go
@@ -1,12 +1,14 @@
 package main

 import (
+	"runtime"
 	"testing"

 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/config"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/spf13/pflag"
+	"go.opentelemetry.io/otel"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
@@ -284,3 +286,29 @@ func TestCDISpecDirs(t *testing.T) {
 		})
 	}
 }
+
+// TestOtelMeterLeak tests for a memory leak in the OTEL meter implementation.
+// Once the fixed OTEL is vendored, this test will fail - the workaround
+// and this test should be removed then.
+func TestOtelMeterLeak(t *testing.T) {
+	meter := otel.Meter("foo")
+
+	var before runtime.MemStats
+	runtime.ReadMemStats(&before)
+
+	const counters = 10 * 1000 * 1000
+	for i := 0; i < counters; i++ {
+		_, _ = meter.Int64Counter("bar")
+	}
+
+	var after runtime.MemStats
+	runtime.ReadMemStats(&after)
+
+	allocs := after.Mallocs - before.Mallocs
+	t.Log("Allocations:", allocs)
+
+	if allocs < 10 {
+		// TODO: Remove Workaround OTEL memory leak in cmd/dockerd/daemon.go
+		t.Fatal("Allocations count decreased. OTEL leak workaround is no longer needed!")
+	}
+}
--- a/cmd/dockerd/docker.go
+++ b/cmd/dockerd/docker.go
@@ -9,11 +9,14 @@ import (
 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/dockerversion"
-	"github.com/docker/docker/pkg/reexec"
 	"github.com/docker/docker/pkg/rootless"
 	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/sys/reexec"
 	"github.com/moby/term"
 	"github.com/spf13/cobra"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/metric/noop"
 )

 var honorXDG bool
@@ -82,6 +85,12 @@ func main() {
 	// Fixes https://github.com/docker/docker/issues/19728
 	signal.Ignore(syscall.SIGPIPE)

+	// Workaround OTEL memory leak
+	// See: https://github.com/open-telemetry/opentelemetry-go-contrib/issues/5190
+	// The need for this workaround is checked by the TestOtelMeterLeak test
+	// TODO: Remove this workaround after upgrading to v1.30.0
+	otel.SetMeterProvider(noop.MeterProvider{})
+
 	// Set terminal emulation based on platform as required.
 	_, stdout, stderr := term.StdStreams()
 	onError := func(err error) {
--- a/cmd/dockerd/main_linux_test.go
+++ b/cmd/dockerd/main_linux_test.go
@@ -3,7 +3,7 @@ package main
 import (
 	"testing"

-	"github.com/docker/docker/pkg/reexec"
+	"github.com/moby/sys/reexec"
 )

 func TestMain(m *testing.M) {
--- a/cmd/dockerd/required.go
+++ b/cmd/dockerd/required.go
@@ -14,7 +14,7 @@ func NoArgs(cmd *cobra.Command, args []string) error {
 	}

 	if cmd.HasSubCommands() {
-		return errors.Errorf("\n" + strings.TrimRight(cmd.UsageString(), "\n"))
+		return errors.New("\n" + strings.TrimRight(cmd.UsageString(), "\n"))
 	}

 	return errors.Errorf(
--- a/container/container.go
+++ b/container/container.go
@@ -35,7 +35,7 @@ import (
 	"github.com/docker/docker/restartmanager"
 	"github.com/docker/docker/volume"
 	volumemounts "github.com/docker/docker/volume/mounts"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 	agentexec "github.com/moby/swarmkit/v2/agent/exec"
 	"github.com/moby/sys/signal"
 	"github.com/moby/sys/symlink"
@@ -325,7 +325,7 @@ func (container *Container) SetupWorkingDirectory(rootIdentity idtools.Identity)
 }

 // GetResourcePath evaluates `path` in the scope of the container's BaseFS, with proper path
-// sanitisation. Symlinks are all scoped to the BaseFS of the container, as
+// sanitization. Symlinks are all scoped to the BaseFS of the container, as
 // though the container's BaseFS was `/`.
 //
 // The BaseFS of a container is the host-facing path which is bind-mounted as
@@ -368,7 +368,7 @@ func cleanScopedPath(path string) string {
 }

 // GetRootResourcePath evaluates `path` in the scope of the container's root, with proper path
-// sanitisation. Symlinks are all scoped to the root of the container, as
+// sanitization. Symlinks are all scoped to the root of the container, as
 // though the container's root was `/`.
 //
 // The root of a container is the host-facing configuration metadata directory.
--- a/container/state.go
+++ b/container/state.go
@@ -9,7 +9,7 @@ import (

 	"github.com/docker/docker/api/types"
 	libcontainerdtypes "github.com/docker/docker/libcontainerd/types"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )

 // State holds the current container state, and has methods to get and
--- a/container/stream/streams.go
+++ b/container/stream/streams.go
@@ -2,6 +2,7 @@ package stream // import "github.com/docker/docker/container/stream"

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -86,29 +87,35 @@ func (c *Config) NewInputPipes() {

 // NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
 func (c *Config) NewNopInputPipe() {
-	c.stdinPipe = ioutils.NopWriteCloser(io.Discard)
+	c.stdinPipe = &nopWriteCloser{io.Discard}
 }

+type nopWriteCloser struct {
+	io.Writer
+}
+
+func (w *nopWriteCloser) Close() error { return nil }
+
 // CloseStreams ensures that the configured streams are properly closed.
 func (c *Config) CloseStreams() error {
-	var errors []string
+	var errs []string

 	if c.stdin != nil {
 		if err := c.stdin.Close(); err != nil {
-			errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
+			errs = append(errs, fmt.Sprintf("error close stdin: %s", err))
 		}
 	}

 	if err := c.stdout.Clean(); err != nil {
-		errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
+		errs = append(errs, fmt.Sprintf("error close stdout: %s", err))
 	}

 	if err := c.stderr.Clean(); err != nil {
-		errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
+		errs = append(errs, fmt.Sprintf("error close stderr: %s", err))
 	}

-	if len(errors) > 0 {
-		return fmt.Errorf(strings.Join(errors, "\n"))
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
 	}

 	return nil
--- a/container/view.go
+++ b/container/view.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package container // import "github.com/docker/docker/container"

@@ -30,8 +30,12 @@ const (

 var (
 	// ErrNameReserved is an error which is returned when a name is requested to be reserved that already is reserved
+	//
+	// Deprecated: check for [errdefs.Conflict] errors instead (using [errdefs.IsConflict].
 	ErrNameReserved = errors.New("name is reserved")
 	// ErrNameNotReserved is an error which is returned when trying to find a name that is not reserved
+	//
+	// Deprecated: check for [errdefs.NotFound] errors instead (using [errdefs.IsNotFound].
 	ErrNameNotReserved = errors.New("name is not reserved")
 )

@@ -112,6 +116,7 @@ func NewViewDB() (*ViewDB, error) {

 // GetByPrefix returns a container with the given ID prefix. It returns an
 // error if an empty prefix was given or if multiple containers match the prefix.
+// It returns an [errdefs.NotFound] if the given s yielded no results.
 func (db *ViewDB) GetByPrefix(s string) (string, error) {
 	if s == "" {
 		return "", errdefs.InvalidParameter(errors.New("prefix can't be empty"))
@@ -152,7 +157,7 @@ func (db *ViewDB) withTxn(cb func(*memdb.Txn) error) error {
 	err := cb(txn)
 	if err != nil {
 		txn.Abort()
-		return errdefs.System(err)
+		return err
 	}
 	txn.Commit()
 	return nil
@@ -183,10 +188,9 @@ func (db *ViewDB) Delete(c *Container) error {
 	})
 }

-// ReserveName registers a container ID to a name
-// ReserveName is idempotent
-// Attempting to reserve a container ID to a name that already exists results in an `ErrNameReserved`
-// A name reservation is globally unique
+// ReserveName registers a container ID to a name. ReserveName is idempotent,
+// but returns an [errdefs.Conflict] when attempting to reserve a container ID
+// to a name that already is reserved.
 func (db *ViewDB) ReserveName(name, containerID string) error {
 	return db.withTxn(func(txn *memdb.Txn) error {
 		s, err := txn.First(memdbNamesTable, memdbIDIndex, name)
@@ -195,7 +199,7 @@ func (db *ViewDB) ReserveName(name, containerID string) error {
 		}
 		if s != nil {
 			if s.(nameAssociation).containerID != containerID {
-				return ErrNameReserved
+				return errdefs.Conflict(ErrNameReserved) //nolint:staticcheck  // ignore SA1019: ErrNameReserved is deprecated.
 			}
 			return nil
 		}
@@ -235,6 +239,7 @@ func (v *View) All() ([]Snapshot, error) {
 }

 // Get returns an item by id. Returned objects must never be modified.
+// It returns an [errdefs.NotFound] if the given id was not found.
 func (v *View) Get(id string) (*Snapshot, error) {
 	s, err := v.txn.First(memdbContainersTable, memdbIDIndex, id)
 	if err != nil {
@@ -266,13 +271,14 @@ func (v *View) getNames(containerID string) []string {
 }

 // GetID returns the container ID that the passed in name is reserved to.
+// It returns an [errdefs.NotFound] if the given id was not found.
 func (v *View) GetID(name string) (string, error) {
 	s, err := v.txn.First(memdbNamesTable, memdbIDIndex, name)
 	if err != nil {
 		return "", errdefs.System(err)
 	}
 	if s == nil {
-		return "", ErrNameNotReserved
+		return "", errdefs.NotFound(ErrNameNotReserved) //nolint:staticcheck  // ignore SA1019: ErrNameNotReserved is deprecated.
 	}
 	return s.(nameAssociation).containerID, nil
 }
--- a/container/view_test.go
+++ b/container/view_test.go
@@ -9,6 +9,7 @@ import (

 	"github.com/docker/docker/api/types"
 	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/google/uuid"
 	"gotest.tools/v3/assert"
@@ -115,7 +116,10 @@ func TestNames(t *testing.T) {
 	assert.Check(t, db.ReserveName("name1", "containerid1"))
 	assert.Check(t, db.ReserveName("name1", "containerid1")) // idempotent
 	assert.Check(t, db.ReserveName("name2", "containerid2"))
-	assert.Check(t, is.Error(db.ReserveName("name2", "containerid3"), ErrNameReserved.Error()))
+
+	err = db.ReserveName("name2", "containerid3")
+	assert.Check(t, is.ErrorType(err, errdefs.IsConflict))
+	assert.Check(t, is.ErrorIs(err, ErrNameReserved)) //nolint:staticcheck  // ignore SA1019: ErrNameReserved is deprecated.

 	// Releasing a name allows the name to point to something else later.
 	assert.Check(t, db.ReleaseName("name2"))
@@ -132,7 +136,8 @@ func TestNames(t *testing.T) {
 	assert.Check(t, is.Equal("containerid3", id))

 	_, err = view.GetID("notreserved")
-	assert.Check(t, is.Error(err, ErrNameNotReserved.Error()))
+	assert.Check(t, is.ErrorType(err, errdefs.IsNotFound))
+	assert.Check(t, is.ErrorIs(err, ErrNameNotReserved)) //nolint:staticcheck  // ignore SA1019: ErrNameNotReserved is deprecated.

 	// Releasing and re-reserving a name doesn't affect the snapshot.
 	assert.Check(t, db.ReleaseName("name2"))
--- a/contrib/dockerd-rootless-setuptool.sh
+++ b/contrib/dockerd-rootless-setuptool.sh
@@ -269,13 +269,6 @@ init() {
 	# - sysctl: "net.ipv4.ip_unprivileged_port_start"
 	# - external binary: slirp4netns
 	# - external binary: fuse-overlayfs
-
-	# check RootlessKit functionality. RootlessKit will print hints if something is still unsatisfied.
-	# (e.g., `kernel.apparmor_restrict_unprivileged_userns` constraint)
-	if ! rootlesskit true; then
-		ERROR "RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ ."
-		exit 1
-	fi
 }

 # CLI subcommand: "check"
@@ -400,7 +393,20 @@ cli_ctx_rm() {
 # CLI subcommand: "install"
 cmd_entrypoint_install() {
 	init
-	# requirements are already checked in init()
+	# Most requirements are already checked in init(), except the smoke test below for RootlessKit.
+	# https://github.com/docker/docker-install/issues/417
+
+	# check RootlessKit functionality. RootlessKit will print hints if something is still unsatisfied.
+	# (e.g., `kernel.apparmor_restrict_unprivileged_userns` constraint)
+	if ! rootlesskit true; then
+		if [ -z "$OPT_FORCE" ]; then
+			ERROR "RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ . Set --force to ignore."
+			exit 1
+		else
+			WARNING "RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ ."
+		fi
+	fi
+
 	if [ -z "$SYSTEMD" ]; then
 		install_nonsystemd
 	else
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -54,6 +54,30 @@ if ! [ -d "$HOME" ]; then
 	exit 1
 fi

+mount_directory() {
+	if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
+		echo "mount_directory should be called from the child context. Otherwise data loss is at risk" >&2
+		exit 1
+	fi
+
+	DIRECTORY="$1"
+	if [ ! -d "$DIRECTORY" ]; then
+		return
+	fi
+
+	# Bind mount directory: this makes this directory visible to
+	# Dockerd, even if it is originally a symlink, given Dockerd does
+	# not always follow symlinks. Some directories might also be
+	# "copied-up", meaning that they will also be writable on the child
+	# namespace; this will be the case only if they are provided as
+	# --copy-up to the rootlesskit.
+	DIRECTORY_REALPATH=$(realpath "$DIRECTORY")
+	MOUNT_OPTIONS="${2:---bind}"
+	rm -rf "$DIRECTORY"
+	mkdir -p "$DIRECTORY"
+	mount $MOUNT_OPTIONS "$DIRECTORY_REALPATH" "$DIRECTORY"
+}
+
 rootlesskit=""
 for f in docker-rootlesskit rootlesskit; do
 	if command -v $f > /dev/null 2>&1; then
@@ -139,6 +163,25 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
 		"$0" "$@"
 else
 	[ "$_DOCKERD_ROOTLESS_CHILD" = 1 ]
+
+	# The Container Device Interface (CDI) specs can be found by default
+	# under {/etc,/var/run}/cdi. More information at:
+	# https://github.com/cncf-tags/container-device-interface
+	#
+	# In order to use the Container Device Interface (CDI) integration,
+	# the CDI paths need to exist before the Docker daemon is started in
+	# order for it to read the CDI specification files. Otherwise, a
+	# Docker daemon restart will be required for the daemon to discover
+	# them.
+	#
+	# If another set of CDI paths (other than the default /etc/cdi and
+	# /var/run/cdi) are configured through the Docker configuration file
+	# (using "cdi-spec-dirs"), they need to be bind mounted in rootless
+	# mode; otherwise the Docker daemon won't have access to the CDI
+	# specification files.
+	mount_directory /etc/cdi
+	mount_directory /var/run/cdi
+
 	# remove the symlinks for the existing files in the parent namespace if any,
 	# so that we can create our own files in our mount namespace.
 	rm -f /run/docker /run/containerd /run/xtables.lock
@@ -153,10 +196,7 @@ else
 	if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then
 		# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
 		# https://github.com/rootless-containers/rootlesskit/issues/225
-		realpath_etc_ssl=$(realpath /etc/ssl)
-		rm -f /etc/ssl
-		mkdir /etc/ssl
-		mount --rbind ${realpath_etc_ssl} /etc/ssl
+		mount_directory /etc/ssl "--rbind"
 	fi

 	exec "$dockerd" "$@"
--- a/daemon/attach.go
+++ b/daemon/attach.go
@@ -141,7 +141,7 @@ func (daemon *Daemon) containerAttach(c *container.Container, cfg *stream.Attach
 		if !ok {
 			return logger.ErrReadLogsNotSupported{}
 		}
-		logs := cLog.ReadLogs(logger.ReadConfig{Tail: -1})
+		logs := cLog.ReadLogs(context.TODO(), logger.ReadConfig{Tail: -1})
 		defer logs.ConsumerGone()

 	LogLoop:
--- a/daemon/cdi.go
+++ b/daemon/cdi.go
@@ -34,7 +34,7 @@ func newCDIDeviceDriver(cdiSpecDirs ...string) *deviceDriver {
 		// We create a spec updater that always returns an error.
 		// This error will be returned only when a CDI device is requested.
 		// This ensures that daemon startup is not blocked by a CDI registry initialization failure or being disabled
-		// by configuratrion.
+		// by configuration.
 		errorOnUpdateSpec := func(s *specs.Spec, dev *deviceInstance) error {
 			return fmt.Errorf("CDI device injection failed: %w", err)
 		}
--- a/daemon/cluster/convert/service_test.go
+++ b/daemon/cluster/convert/service_test.go
@@ -396,7 +396,7 @@ func TestServiceConvertFromGRPCCredentialSpec(t *testing.T) {
 	}
 }

-func TestServiceConvertToGRPCNetworkAtachmentRuntime(t *testing.T) {
+func TestServiceConvertToGRPCNetworkAttachmentRuntime(t *testing.T) {
 	someid := "asfjkl"
 	s := swarmtypes.ServiceSpec{
 		TaskTemplate: swarmtypes.TaskSpec{
--- a/daemon/cluster/executor/container/adapter_test.go
+++ b/daemon/cluster/executor/container/adapter_test.go
@@ -19,7 +19,7 @@ func TestWaitNodeAttachment(t *testing.T) {
 	// and add some attachments to it
 	attachmentStore := emptyDaemon.GetAttachmentStore()

-	// create a set of attachments to put into the attahcment store
+	// create a set of attachments to put into the attachment store
 	attachments := map[string]string{
 		"network1": "10.1.2.3/24",
 	}
--- a/daemon/cluster/listen_addr_linux.go
+++ b/daemon/cluster/listen_addr_linux.go
@@ -3,13 +3,14 @@ package cluster // import "github.com/docker/docker/daemon/cluster"
 import (
 	"net"

+	"github.com/docker/docker/internal/nlwrap"
 	"github.com/vishvananda/netlink"
 )

 func (c *Cluster) resolveSystemAddr() (net.IP, error) {
 	// Use the system's only device IP address, or fail if there are
 	// multiple addresses to choose from.
-	interfaces, err := netlink.LinkList()
+	interfaces, err := nlwrap.LinkList()
 	if err != nil {
 		return nil, err
 	}
@@ -26,7 +27,7 @@ func (c *Cluster) resolveSystemAddr() (net.IP, error) {
 			continue
 		}

-		addrs, err := netlink.AddrList(intf, netlink.FAMILY_ALL)
+		addrs, err := nlwrap.AddrList(intf, netlink.FAMILY_ALL)
 		if err != nil {
 			continue
 		}
--- a/daemon/config/config.go
+++ b/daemon/config/config.go
@@ -305,6 +305,7 @@ func New() (*Config, error) {
 			},
 			ContainerdNamespace:       DefaultContainersNamespace,
 			ContainerdPluginNamespace: DefaultPluginNamespace,
+			Features:                  make(map[string]bool),
 			DefaultRuntime:            StockRuntimeName,
 			MinAPIVersion:             defaultMinAPIVersion,
 		},
--- a/daemon/config/config_linux_test.go
+++ b/daemon/config/config_linux_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/docker/docker/api/types/container"
+	dopts "github.com/docker/docker/internal/opts"
 	"github.com/docker/docker/opts"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
@@ -121,6 +122,72 @@ func TestDaemonConfigurationMergeShmSize(t *testing.T) {
 	assert.Check(t, is.Equal(int64(expectedValue), cc.ShmSize.Value()))
 }

+func TestDaemonConfigurationFeatures(t *testing.T) {
+	tests := []struct {
+		name, config, flags string
+		expectedValue       map[string]bool
+		expectedErr         string
+	}{
+		{
+			name:          "enable from file",
+			config:        `{"features": {"containerd-snapshotter": true}}`,
+			expectedValue: map[string]bool{"containerd-snapshotter": true},
+		},
+		{
+			name:          "enable from flags",
+			config:        `{}`,
+			flags:         "containerd-snapshotter=true",
+			expectedValue: map[string]bool{"containerd-snapshotter": true},
+		},
+		{
+			name:          "disable from file",
+			config:        `{"features": {"containerd-snapshotter": false}}`,
+			expectedValue: map[string]bool{"containerd-snapshotter": false},
+		},
+		{
+			name:          "disable from flags",
+			config:        `{}`,
+			flags:         "containerd-snapshotter=false",
+			expectedValue: map[string]bool{"containerd-snapshotter": false},
+		},
+		{
+			name:        "conflict",
+			config:      `{"features": {"containerd-snapshotter": true}}`,
+			flags:       "containerd-snapshotter=true",
+			expectedErr: `the following directives are specified both as a flag and in the configuration file: features: (from flag: map[containerd-snapshotter:true], from file: map[containerd-snapshotter:true])`,
+		},
+		{
+			name:        "invalid config value",
+			config:      `{"features": {"containerd-snapshotter": "not-a-boolean"}}`,
+			expectedErr: `json: cannot unmarshal string into Go struct field`,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			c, err := New()
+			assert.NilError(t, err)
+
+			configFile := makeConfigFile(t, tc.config)
+			flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+			flags.Var(dopts.NewNamedSetOpts("features", c.Features), "feature", "Enable feature in the daemon")
+			if tc.flags != "" {
+				err = flags.Set("feature", tc.flags)
+				assert.NilError(t, err)
+			}
+			cc, err := MergeDaemonConfigurations(c, flags, configFile)
+			if tc.expectedErr != "" {
+				assert.ErrorContains(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+				assert.Check(t, is.DeepEqual(tc.expectedValue, cc.Features))
+			}
+		})
+	}
+}
+
 func TestUnixGetInitPath(t *testing.T) {
 	testCases := []struct {
 		config           *Config
--- a/daemon/config/config_test.go
+++ b/daemon/config/config_test.go
@@ -557,7 +557,6 @@ func TestValidateMinAPIVersion(t *testing.T) {
 			}
 		})
 	}
-
 }

 func TestConfigInvalidDNS(t *testing.T) {
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -70,12 +70,16 @@ func (daemon *Daemon) GetContainer(prefixOrName string) (*container.Container, e

 // Exists returns a true if a container of the specified ID or name exists,
 // false otherwise.
+//
+// Deprecated: use [Daemon.GetContainer] to look up a container by ID, Name, or ID-prefix. This function will be removed in the next release.
 func (daemon *Daemon) Exists(id string) bool {
 	c, _ := daemon.GetContainer(id)
 	return c != nil
 }

 // IsPaused returns a bool indicating if the specified container is paused.
+//
+// Deprecated: use [Daemon.GetContainer] to look up a container by ID, Name, or ID-prefix, and use [container.State.IsPaused]. This function will be removed in the next release.
 func (daemon *Daemon) IsPaused(id string) bool {
 	c, _ := daemon.GetContainer(id)
 	return c.State.IsPaused()
--- a/daemon/container_operations.go
+++ b/daemon/container_operations.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package daemon // import "github.com/docker/docker/daemon"

--- a/daemon/containerd/cache.go
+++ b/daemon/containerd/cache.go
@@ -44,7 +44,7 @@ func (c cacheAdaptor) Get(id image.ID) (*image.Image, error) {
 		return nil, fmt.Errorf("resolveImage: %w", err)
 	}

-	var errFound = errors.New("success")
+	errFound := errors.New("success")
 	err = c.is.walkImageManifests(ctx, c8dImg, func(img *ImageManifest) error {
 		desc, err := img.Config(ctx)
 		if err != nil {
--- a/daemon/containerd/image.go
+++ b/daemon/containerd/image.go
@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.22
+
 package containerd

 import (
@@ -19,6 +22,7 @@ import (
 	"github.com/docker/docker/daemon/images"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
+	"github.com/docker/docker/internal/sliceutil"
 	imagespec "github.com/moby/docker-image-spec/specs-go/v1"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -26,8 +30,6 @@ import (
 	"golang.org/x/sync/semaphore"
 )

-var truncatedID = regexp.MustCompile(`^(sha256:)?([a-f0-9]{4,64})$`)
-
 var errInconsistentData error = errors.New("consistency error: data changed during operation, retry")

 // GetImage returns an image corresponding to the image referred to by refOrID.
@@ -111,7 +113,7 @@ func (i *ImageService) GetImage(ctx context.Context, refOrID string, options bac
 		}

 		img.Details = &image.Details{
-			References:  refs,
+			References:  sliceutil.Dedup(refs),
 			Size:        size,
 			Metadata:    nil,
 			Driver:      i.snapshotter,
@@ -202,10 +204,8 @@ func (i *ImageService) GetImageManifest(ctx context.Context, refOrID string, opt
 		}

 		if options.Platform != nil {
-			if plat == nil {
-				return nil, errdefs.NotFound(errors.Errorf("image with reference %s was found but does not match the specified platform: wanted %s, actual: nil", refOrID, platforms.Format(*options.Platform)))
-			} else if !platform.Match(*plat) {
-				return nil, errdefs.NotFound(errors.Errorf("image with reference %s was found but does not match the specified platform: wanted %s, actual: %s", refOrID, platforms.Format(*options.Platform), platforms.Format(*plat)))
+			if plat == nil || !platform.Match(*plat) {
+				return nil, errdefs.NotFound(errors.Errorf("image with reference %s was found but does not provide the specified platform (%s)", refOrID, platforms.FormatAll(*options.Platform)))
 			}
 		}

@@ -326,9 +326,8 @@ func (i *ImageService) resolveImage(ctx context.Context, refOrID string) (contai
 		}
 	}

-	// If the identifier could be a short ID, attempt to match
-	if truncatedID.MatchString(refOrID) {
-		idWithoutAlgo := strings.TrimPrefix(refOrID, "sha256:")
+	// If the identifier could be a short ID, attempt to match.
+	if idWithoutAlgo := checkTruncatedID(refOrID); idWithoutAlgo != "" { // Valid ID.
 		filters := []string{
 			fmt.Sprintf("name==%q", ref), // Or it could just look like one.
 			"target.digest~=" + strconv.Quote(fmt.Sprintf(`^sha256:%s[0-9a-fA-F]{%d}$`, regexp.QuoteMeta(idWithoutAlgo), 64-len(idWithoutAlgo))),
@@ -435,7 +434,7 @@ func (i *ImageService) resolveAllReferences(ctx context.Context, refOrID string)
 	var dgst digest.Digest
 	var img *containerdimages.Image

-	if truncatedID.MatchString(refOrID) {
+	if idWithoutAlgo := checkTruncatedID(refOrID); idWithoutAlgo != "" { // Valid ID.
 		if d, ok := parsed.(reference.Digested); ok {
 			if cimg, err := i.images.Get(ctx, d.String()); err == nil {
 				img = &cimg
@@ -451,7 +450,6 @@ func (i *ImageService) resolveAllReferences(ctx context.Context, refOrID string)
 				dgst = d.Digest()
 			}
 		} else {
-			idWithoutAlgo := strings.TrimPrefix(refOrID, "sha256:")
 			name := reference.TagNameOnly(parsed.(reference.Named)).String()
 			filters := []string{
 				fmt.Sprintf("name==%q", name), // Or it could just look like one.
@@ -551,3 +549,20 @@ func (i *ImageService) resolveAllReferences(ctx context.Context, refOrID string)

 	return img, imgs, nil
 }
+
+// checkTruncatedID checks id for validity. If id is invalid, an empty string
+// is returned; otherwise, the ID without the optional "sha256:" prefix is
+// returned. The validity check is equivalent to
+// regexp.MustCompile(`^(sha256:)?([a-f0-9]{4,64})$`).MatchString(id).
+func checkTruncatedID(id string) string {
+	id = strings.TrimPrefix(id, "sha256:")
+	if l := len(id); l < 4 || l > 64 {
+		return ""
+	}
+	for _, c := range id {
+		if (c < '0' || c > '9') && (c < 'a' || c > 'f') {
+			return ""
+		}
+	}
+	return id
+}
--- a/daemon/containerd/image_builder.go
+++ b/daemon/containerd/image_builder.go
@@ -106,10 +106,11 @@ func (i *ImageService) GetImageAndReleasableLayer(ctx context.Context, refOrID s
 		}
 	}

-	ctx, _, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
+	ctx, release, err := i.withLease(ctx, true)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create lease for commit: %w", err)
 	}
+	defer release()

 	// TODO(laurazard): do we really need a new method here to pull the image?
 	imgDesc, err := i.pullForBuilder(ctx, refOrID, opts.AuthConfig, opts.Output, opts.Platform)
@@ -234,9 +235,9 @@ func newROLayerForImage(ctx context.Context, imgDesc *ocispec.Descriptor, i *Ima

 func createLease(ctx context.Context, lm leases.Manager) (context.Context, leases.Lease, error) {
 	lease, err := lm.Create(ctx,
-		leases.WithExpiration(time.Hour*24),
+		leases.WithExpiration(leaseExpireDuration),
 		leases.WithLabels(map[string]string{
-			"org.mobyproject.lease.classicbuilder": "true",
+			pruneLeaseLabel: "true",
 		}),
 	)
 	if err != nil {
@@ -493,17 +494,11 @@ func (i *ImageService) createImageOCI(ctx context.Context, imgToCreate imagespec
 	parentDigest digest.Digest, layers []ocispec.Descriptor,
 	containerConfig container.Config,
 ) (dimage.ID, error) {
-	// Necessary to prevent the contents from being GC'd
-	// between writing them here and creating an image
-	ctx, release, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
+	ctx, release, err := i.withLease(ctx, false)
 	if err != nil {
 		return "", err
 	}
-	defer func() {
-		if err := release(context.WithoutCancel(ctx)); err != nil {
-			log.G(ctx).WithError(err).Warn("failed to release lease created for create")
-		}
-	}()
+	defer release()

 	manifestDesc, ccDesc, err := writeContentsForImage(ctx, i.snapshotter, i.content, imgToCreate, layers, containerConfig)
 	if err != nil {
--- a/daemon/containerd/image_children.go
+++ b/daemon/containerd/image_children.go
@@ -13,7 +13,6 @@ import (
 // getImagesWithLabel returns all images that have the matching label key and value.
 func (i *ImageService) getImagesWithLabel(ctx context.Context, labelKey string, labelValue string) ([]image.ID, error) {
 	imgs, err := i.images.List(ctx, "labels."+labelKey+"=="+labelValue)
-
 	if err != nil {
 		return []image.ID{}, errdefs.System(errors.Wrap(err, "failed to list all images"))
 	}
--- a/daemon/containerd/image_commit.go
+++ b/daemon/containerd/image_commit.go
@@ -12,7 +12,6 @@ import (

 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/diff"
-	"github.com/containerd/containerd/leases"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/pkg/cleanup"
 	"github.com/containerd/containerd/snapshots"
@@ -67,16 +66,11 @@ func (i *ImageService) CommitImage(ctx context.Context, cc backend.CommitConfig)
 		sn     = i.client.SnapshotService(container.Driver)
 	)

-	// Don't gc me and clean the dirty data after 1 hour!
-	ctx, release, err := i.client.WithLease(ctx, leases.WithRandomID(), leases.WithExpiration(1*time.Hour))
+	ctx, release, err := i.withLease(ctx, false)
 	if err != nil {
 		return "", fmt.Errorf("failed to create lease for commit: %w", err)
 	}
-	defer func() {
-		if err := release(context.WithoutCancel(ctx)); err != nil {
-			log.G(ctx).WithError(err).Warn("failed to release lease created for commit")
-		}
-	}()
+	defer release()

 	diffLayerDesc, diffID, err := i.createDiff(ctx, cc.ContainerID, sn, cs, differ)
 	if err != nil {
--- a/daemon/containerd/image_delete_test.go
+++ b/daemon/containerd/image_delete_test.go
@@ -254,7 +254,6 @@ func TestImageDelete(t *testing.T) {
 			}
 		})
 	}
-
 }

 type testContainerStore struct{}
--- a/daemon/containerd/image_exporter.go
+++ b/daemon/containerd/image_exporter.go
@@ -67,19 +67,14 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea
 		archive.WithSkipMissing(i.content),
 	}

-	leasesManager := i.client.LeasesService()
-	lease, err := leasesManager.Create(ctx, leases.WithRandomID())
+	ctx, done, err := i.withLease(ctx, false)
 	if err != nil {
 		return errdefs.System(err)
 	}
-	defer func() {
-		if err := leasesManager.Delete(ctx, lease); err != nil {
-			log.G(ctx).WithError(err).Warn("cleaning up lease")
-		}
-	}()
+	defer done()

 	addLease := func(ctx context.Context, target ocispec.Descriptor) error {
-		return leaseContent(ctx, i.content, leasesManager, lease, target)
+		return i.leaseContent(ctx, i.content, target)
 	}

 	exportImage := func(ctx context.Context, target ocispec.Descriptor, ref reference.Named) error {
@@ -131,7 +126,6 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea

 		for _, img := range imgs {
 			ref, err := reference.ParseNamed(img.Name)
-
 			if err != nil {
 				log.G(ctx).WithFields(log.Fields{
 					"image": img.Name,
@@ -207,7 +201,13 @@ func (i *ImageService) ExportImage(ctx context.Context, names []string, outStrea

 // leaseContent will add a resource to the lease for each child of the descriptor making sure that it and
 // its children won't be deleted while the lease exists
-func leaseContent(ctx context.Context, store content.Store, leasesManager leases.Manager, lease leases.Lease, desc ocispec.Descriptor) error {
+func (i *ImageService) leaseContent(ctx context.Context, store content.Store, desc ocispec.Descriptor) error {
+	lid, ok := leases.FromContext(ctx)
+	if !ok {
+		return nil
+	}
+	lease := leases.Lease{ID: lid}
+	leasesManager := i.client.LeasesService()
 	return containerdimages.Walk(ctx, containerdimages.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		_, err := store.Info(ctx, desc.Digest)
 		if err != nil {
@@ -291,6 +291,17 @@ func (i *ImageService) LoadImage(ctx context.Context, inTar io.ReadCloser, outSt
 				return nil
 			}

+			imgPlat, err := platformImg.ImagePlatform(ctx)
+			if err != nil {
+				logger.WithError(err).Warn("failed to read image platform, skipping unpack")
+				return nil
+			}
+
+			// Only unpack the image if it matches the host platform
+			if !i.hostPlatformMatcher().Match(imgPlat) {
+				return nil
+			}
+
 			unpacked, err := platformImg.IsUnpacked(ctx, i.snapshotter)
 			if err != nil {
 				logger.WithError(err).Warn("failed to check if image is unpacked")
@@ -299,7 +310,6 @@ func (i *ImageService) LoadImage(ctx context.Context, inTar io.ReadCloser, outSt

 			if !unpacked {
 				err = platformImg.Unpack(ctx, i.snapshotter)
-
 				if err != nil {
 					return errdefs.System(err)
 				}
@@ -307,12 +317,14 @@ func (i *ImageService) LoadImage(ctx context.Context, inTar io.ReadCloser, outSt
 			logger.WithField("alreadyUnpacked", unpacked).WithError(err).Debug("unpack")
 			return nil
 		})
-		if err != nil {
-			return errors.Wrap(err, "failed to unpack loaded image")
-		}

 		fmt.Fprintf(progress, "%s: %s\n", loadedMsg, name)
 		i.LogImageEvent(img.Target.Digest.String(), img.Target.Digest.String(), events.ActionLoad)
+
+		if err != nil {
+			// The image failed to unpack, but is already imported, log the error but don't fail the whole load.
+			fmt.Fprintf(progress, "Error unpacking image %s: %v\n", name, err)
+		}
 	}

 	return nil
--- a/daemon/containerd/image_import.go
+++ b/daemon/containerd/image_import.go
@@ -327,7 +327,7 @@ func (i *ImageService) unpackImage(ctx context.Context, snapshotter string, img
 	return nil
 }

-// detectCompression dectects the reader compression type.
+// detectCompression detects the reader compression type.
 func detectCompression(bufRd *bufio.Reader) (archive.Compression, error) {
 	bs, err := bufRd.Peek(10)
 	if err != nil && err != io.EOF {
--- a/daemon/containerd/image_list.go
+++ b/daemon/containerd/image_list.go
@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.22
+
 package containerd

 import (
@@ -21,8 +24,9 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	imagetypes "github.com/docker/docker/api/types/image"
 	timetypes "github.com/docker/docker/api/types/time"
-	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/internal/sliceutil"
+	"github.com/moby/buildkit/util/attestation"
 	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
@@ -209,6 +213,7 @@ func (i *ImageService) Images(ctx context.Context, opts imagetypes.ListOptions)
 func (i *ImageService) imageSummary(ctx context.Context, img images.Image, platformMatcher platforms.MatchComparer,
 	opts imagetypes.ListOptions, tagsByDigest map[digest.Digest][]string,
 ) (_ *imagetypes.Summary, allChainIDs []digest.Digest, _ error) {
+	var manifestSummaries []imagetypes.ManifestSummary

 	// Total size of the image including all its platform
 	var totalSize int64
@@ -223,67 +228,148 @@ func (i *ImageService) imageSummary(ctx context.Context, img images.Image, platf
 	var best *ImageManifest
 	var bestPlatform ocispec.Platform

-	err := i.walkImageManifests(ctx, img, func(img *ImageManifest) error {
-		if isPseudo, err := img.IsPseudoImage(ctx); isPseudo || err != nil {
+	err := i.walkReachableImageManifests(ctx, img, func(img *ImageManifest) error {
+		target := img.Target()
+
+		logger := log.G(ctx).WithFields(log.Fields{
+			"image":    img.Name(),
+			"digest":   target.Digest,
+			"manifest": target,
+		})
+
+		available, err := img.CheckContentAvailable(ctx)
+		if err != nil && !errdefs.IsNotFound(err) {
+			logger.WithError(err).Warn("checking availability of platform specific manifest failed")
 			return nil
 		}

-		available, err := img.CheckContentAvailable(ctx)
+		mfstSummary := imagetypes.ManifestSummary{
+			ID:         target.Digest.String(),
+			Available:  available,
+			Descriptor: target,
+			Kind:       imagetypes.ManifestKindUnknown,
+		}
+
+		if opts.Manifests {
+			defer func() {
+				manifestSummaries = append(manifestSummaries, mfstSummary)
+			}()
+		}
+
+		contentSize, err := img.Size(ctx)
 		if err != nil {
-			log.G(ctx).WithFields(log.Fields{
-				"error":    err,
-				"manifest": img.Target(),
-				"image":    img.Name(),
-			}).Warn("checking availability of platform specific manifest failed")
+			if !cerrdefs.IsNotFound(err) {
+				logger.WithError(err).Warn("failed to determine size")
+			}
+		} else {
+			mfstSummary.Size.Content = contentSize
+			totalSize += contentSize
+			mfstSummary.Size.Total += contentSize
+		}
+
+		isPseudo, err := img.IsPseudoImage(ctx)
+
+		// Ignore not found error as it's expected in case where the image is
+		// not fully available. Otherwise, just continue to the next manifest,
+		// so we don't error out the whole list in case the error is related to
+		// the content itself (e.g. corrupted data) or just manifest kind that
+		// we don't know about (yet).
+		if err != nil && !errdefs.IsNotFound(err) {
+			logger.WithError(err).Debug("pseudo image check failed")
 			return nil
 		}

+		logger = logger.WithField("isPseudo", isPseudo)
+		if isPseudo {
+			if img.IsAttestation() {
+				if s := target.Annotations[attestation.DockerAnnotationReferenceDigest]; s != "" {
+					dgst, err := digest.Parse(s)
+					if err != nil {
+						logger.WithError(err).Warn("failed to parse attestation digest")
+						return nil
+					}
+
+					mfstSummary.Kind = imagetypes.ManifestKindAttestation
+					mfstSummary.AttestationData = &imagetypes.AttestationProperties{For: dgst}
+				}
+			}
+
+			return nil
+		}
+
+		mfstSummary.Kind = imagetypes.ManifestKindImage
+		mfstSummary.ImageData = &imagetypes.ImageProperties{}
+		if target.Platform != nil {
+			mfstSummary.ImageData.Platform = *target.Platform
+		}
+
 		if !available {
 			return nil
 		}

 		conf, err := img.Config(ctx)
 		if err != nil {
-			return err
+			logger.WithError(err).Warn("failed to read image config")
+			return nil
 		}

 		var dockerImage dockerspec.DockerOCIImage
 		if err := readConfig(ctx, i.content, conf, &dockerImage); err != nil {
-			return err
+			logger.WithError(err).Warn("failed to read image config")
+			return nil
 		}

-		target := img.Target()
+		if target.Platform == nil {
+			mfstSummary.ImageData.Platform = dockerImage.Platform
+		}

 		diffIDs, err := img.RootFS(ctx)
 		if err != nil {
-			return err
+			logger.WithError(err).Warn("failed to read image config")
+			return nil
 		}

 		chainIDs := identity.ChainIDs(diffIDs)

-		ts, _, err := i.singlePlatformSize(ctx, img)
+		unpackedSize, imgContentSize, err := i.singlePlatformSize(ctx, img)
 		if err != nil {
-			return err
+			logger.WithError(err).Warn("failed to determine platform specific size")
+			return nil
 		}

-		totalSize += ts
+		// If the image-specific content size calculation produces different result
+		// than the "generic" one, adjust the total size with the difference.
+		// Note: This shouldn't happen unless the implementation changes or the
+		// content is added/removed during the list operation.
+		if contentSize != imgContentSize {
+			logger.WithFields(log.Fields{
+				"contentSize":    contentSize,
+				"imgContentSize": imgContentSize,
+			}).Warn("content size calculation mismatch")
+
+			mfstSummary.Size.Content = contentSize
+
+			// contentSize was already added to total, adjust it by the difference
+			// between the newly calculated size and the old size.
+			d := imgContentSize - contentSize
+			totalSize += d
+			mfstSummary.Size.Total += d
+		}
+
+		mfstSummary.ImageData.Size.Unpacked = unpackedSize
+		mfstSummary.Size.Total += unpackedSize
+		totalSize += unpackedSize
+
 		allChainsIDs = append(allChainsIDs, chainIDs...)

-		if opts.ContainerCount {
-			i.containers.ApplyAll(func(c *container.Container) {
-				if c.ImageManifest != nil && c.ImageManifest.Digest == target.Digest {
-					containersCount++
-				}
-			})
-		}
-
-		var platform ocispec.Platform
-		if target.Platform != nil {
-			platform = *target.Platform
-		} else {
-			platform = dockerImage.Platform
+		for _, c := range i.containers.List() {
+			if c.ImageManifest != nil && c.ImageManifest.Digest == target.Digest {
+				mfstSummary.ImageData.Containers = append(mfstSummary.ImageData.Containers, c.ID)
+				containersCount++
+			}
 		}

+		platform := mfstSummary.ImageData.Platform
 		// Filter out platforms that don't match the requested platform.  Do it
 		// after the size, container count and chainIDs are summed up to have
 		// the single combined entry still represent the whole multi-platform
@@ -305,17 +391,25 @@ func (i *ImageService) imageSummary(ctx context.Context, img images.Image, platf
 				"error": err,
 				"image": img.Name,
 			}).Warn("unexpected image target (neither a manifest nor index)")
-			return nil, nil, nil
+		} else {
+			return nil, nil, err
 		}
-		return nil, nil, err
 	}

 	if best == nil {
-		// TODO we should probably show *something* for images we've pulled
-		// but are 100% shallow or an empty manifest list/index
-		// ("tianon/scratch:index" is an empty example image index and
-		// "tianon/scratch:list" is an empty example manifest list)
-		return nil, nil, nil
+		target := img.Target
+		return &imagetypes.Summary{
+			ID:          target.Digest.String(),
+			RepoDigests: []string{target.Digest.String()},
+			RepoTags:    tagsByDigest[target.Digest],
+			Size:        totalSize,
+			// -1 indicates that the value has not been set (avoids ambiguity
+			// between 0 (default) and "not set". We cannot use a pointer (nil)
+			// for this, as the JSON representation uses "omitempty", which would
+			// consider both "0" and "nil" to be "empty".
+			SharedSize: -1,
+			Containers: -1,
+		}, nil, nil
 	}

 	image, err := i.singlePlatformImage(ctx, i.content, tagsByDigest[best.RealTarget.Digest], best)
@@ -323,6 +417,7 @@ func (i *ImageService) imageSummary(ctx context.Context, img images.Image, platf
 		return nil, nil, err
 	}
 	image.Size = totalSize
+	image.Manifests = manifestSummaries

 	if opts.ContainerCount {
 		image.Containers = containersCount
@@ -330,7 +425,7 @@ func (i *ImageService) imageSummary(ctx context.Context, img images.Image, platf
 	return image, allChainsIDs, nil
 }

-func (i *ImageService) singlePlatformSize(ctx context.Context, imgMfst *ImageManifest) (totalSize int64, contentSize int64, _ error) {
+func (i *ImageService) singlePlatformSize(ctx context.Context, imgMfst *ImageManifest) (unpackedSize int64, contentSize int64, _ error) {
 	// TODO(thaJeztah): do we need to take multiple snapshotters into account? See https://github.com/moby/moby/issues/45273
 	snapshotter := i.snapshotterService(i.snapshotter)

@@ -356,10 +451,7 @@ func (i *ImageService) singlePlatformSize(ctx context.Context, imgMfst *ImageMan
 		return -1, -1, err
 	}

-	// totalSize is the size of the image's packed layers and snapshots
-	// (unpacked layers) combined.
-	totalSize = contentSize + unpackedUsage.Size
-	return totalSize, contentSize, nil
+	return unpackedUsage.Size, contentSize, nil
 }

 func (i *ImageService) singlePlatformImage(ctx context.Context, contentStore content.Store, repoTags []string, imageManifest *ImageManifest) (*imagetypes.Summary, error) {
@@ -401,15 +493,19 @@ func (i *ImageService) singlePlatformImage(ctx context.Context, contentStore con
 		return nil, err
 	}

-	totalSize, _, err := i.singlePlatformSize(ctx, imageManifest)
+	unpackedSize, contentSize, err := i.singlePlatformSize(ctx, imageManifest)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to calculate size of image %s", imageManifest.Name())
 	}

+	// totalSize is the size of the image's packed layers and snapshots
+	// (unpacked layers) combined.
+	totalSize := contentSize + unpackedSize
+
 	summary := &imagetypes.Summary{
 		ParentID:    rawImg.Labels[imageLabelClassicBuilderParent],
 		ID:          target.String(),
-		RepoDigests: repoDigests,
+		RepoDigests: sliceutil.Dedup(repoDigests),
 		RepoTags:    repoTags,
 		Size:        totalSize,
 		Labels:      cfg.Config.Labels,
--- a/daemon/containerd/image_list_test.go
+++ b/daemon/containerd/image_list_test.go
@@ -7,6 +7,7 @@ import (
 	"math/rand"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strconv"
 	"testing"
@@ -22,6 +23,7 @@ import (
 	"github.com/containerd/log/logtest"
 	"github.com/containerd/platforms"
 	imagetypes "github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/container"
 	daemonevents "github.com/docker/docker/daemon/events"
 	"github.com/docker/docker/internal/testutils/specialimage"
 	"github.com/opencontainers/go-digest"
@@ -44,7 +46,13 @@ func imagesFromIndex(index ...*ocispec.Index) []images.Image {
 }

 func BenchmarkImageList(b *testing.B) {
-	populateStore := func(ctx context.Context, is *ImageService, dir string, count int) {
+	populateStore := func(ctx context.Context, is *ImageService, dir string,
+		count int,
+		// % chance for each image to spawn containers
+		containerChance int,
+		// Maximum container count if the image is decided to spawn containers (chance above)
+		maxContainerCount int,
+	) {
 		// Use constant seed for reproducibility
 		src := rand.NewSource(1982731263716)

@@ -59,15 +67,34 @@ func BenchmarkImageList(b *testing.B) {
 			idx, err := specialimage.RandomSinglePlatform(dir, platform, src)
 			assert.NilError(b, err)

+			r1 := int(src.Int63())
+			r2 := int(src.Int63())
+
 			imgs := imagesFromIndex(idx)
 			for _, desc := range imgs {
 				_, err := is.images.Create(ctx, desc)
 				assert.NilError(b, err)
+
+				if r1%100 >= containerChance {
+					continue
+				}
+
+				containersCount := r2 % maxContainerCount
+				for j := 0; j < containersCount; j++ {
+					id := digest.FromString(desc.Name + strconv.Itoa(i)).String()
+
+					target := desc.Target
+					is.containers.Add(id, &container.Container{
+						ID:            id,
+						ImageManifest: &target,
+					})
+				}
 			}
 		}
 	}

 	for _, count := range []int{10, 100, 1000} {
+		count := count
 		csDir := b.TempDir()

 		ctx := namespaces.WithNamespace(context.TODO(), "testing-"+strconv.Itoa(count))
@@ -78,7 +105,11 @@ func BenchmarkImageList(b *testing.B) {
 		}

 		is := fakeImageService(b, ctx, cs)
-		populateStore(ctx, is, csDir, count)
+
+		// Every generated image has a 10% chance to spawn up to 5 containers
+		const containerChance = 10
+		const maxContainerCount = 5
+		populateStore(ctx, is, csDir, count, containerChance, maxContainerCount)

 		b.Run(strconv.Itoa(count)+"-images", func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
@@ -89,6 +120,76 @@ func BenchmarkImageList(b *testing.B) {
 	}
 }

+func TestImageListCheckTotalSize(t *testing.T) {
+	ctx := namespaces.WithNamespace(context.TODO(), "testing")
+
+	blobsDir := t.TempDir()
+	cs := &blobsDirContentStore{blobs: filepath.Join(blobsDir, "blobs/sha256")}
+
+	twoplatform, mfstsDescs, err := specialimage.MultiPlatform(blobsDir, "test:latest", []ocispec.Platform{
+		{OS: "linux", Architecture: "arm64"},
+		{OS: "linux", Architecture: "amd64"},
+	})
+	assert.NilError(t, err)
+
+	ctx = logtest.WithT(ctx, t)
+	service := fakeImageService(t, ctx, cs)
+
+	_, err = service.images.Create(ctx, imagesFromIndex(twoplatform)[0])
+	assert.NilError(t, err)
+
+	all, err := service.Images(ctx, imagetypes.ListOptions{Manifests: true})
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Len(all, 1))
+	assert.Check(t, is.Len(all[0].Manifests, 2))
+
+	// TODO: The test snapshotter doesn't do anything, so the size is always 0.
+	assert.Check(t, is.Equal(all[0].Manifests[0].ImageData.Size.Unpacked, int64(0)))
+	assert.Check(t, is.Equal(all[0].Manifests[1].ImageData.Size.Unpacked, int64(0)))
+
+	mfstArm64 := mfstsDescs[0]
+	mfstAmd64 := mfstsDescs[1]
+
+	indexSize := blobSize(t, ctx, cs, twoplatform.Manifests[0].Digest)
+	arm64ManifestSize := blobSize(t, ctx, cs, mfstArm64.Digest)
+	amd64ManifestSize := blobSize(t, ctx, cs, mfstAmd64.Digest)
+
+	var arm64Mfst, amd64Mfst ocispec.Manifest
+	assert.NilError(t, readConfig(ctx, cs, mfstArm64, &arm64Mfst))
+	assert.NilError(t, readConfig(ctx, cs, mfstAmd64, &amd64Mfst))
+
+	// MultiPlatform should produce a single layer. If these fail, the test needs to be adjusted.
+	assert.Assert(t, is.Len(arm64Mfst.Layers, 1))
+	assert.Assert(t, is.Len(amd64Mfst.Layers, 1))
+
+	arm64ConfigSize := blobSize(t, ctx, cs, arm64Mfst.Config.Digest)
+	amd64ConfigSize := blobSize(t, ctx, cs, amd64Mfst.Config.Digest)
+
+	arm64LayerSize := blobSize(t, ctx, cs, arm64Mfst.Layers[0].Digest)
+	amd64LayerSize := blobSize(t, ctx, cs, amd64Mfst.Layers[0].Digest)
+
+	allTotalSize := indexSize +
+		arm64ManifestSize + amd64ManifestSize +
+		arm64ConfigSize + amd64ConfigSize +
+		arm64LayerSize + amd64LayerSize
+
+	assert.Check(t, is.Equal(all[0].Size, allTotalSize-indexSize))
+
+	assert.Check(t, is.Equal(all[0].Manifests[0].Size.Content, arm64ManifestSize+arm64ConfigSize+arm64LayerSize))
+	assert.Check(t, is.Equal(all[0].Manifests[1].Size.Content, amd64ManifestSize+amd64ConfigSize+amd64LayerSize))
+
+	// TODO: This should also include the Size.Unpacked, but the test snapshotter doesn't do anything yet
+	assert.Check(t, is.Equal(all[0].Manifests[0].Size.Total, amd64ManifestSize+amd64ConfigSize+amd64LayerSize))
+	assert.Check(t, is.Equal(all[0].Manifests[1].Size.Total, amd64ManifestSize+amd64ConfigSize+amd64LayerSize))
+}
+
+func blobSize(t *testing.T, ctx context.Context, cs content.Store, dgst digest.Digest) int64 {
+	info, err := cs.Info(ctx, dgst)
+	assert.NilError(t, err)
+	return info.Size
+}
+
 func TestImageList(t *testing.T) {
 	ctx := namespaces.WithNamespace(context.TODO(), "testing")

@@ -106,6 +207,9 @@ func TestImageList(t *testing.T) {
 	configTarget, err := specialimage.ConfigTarget(blobsDir)
 	assert.NilError(t, err)

+	textplain, err := specialimage.TextPlain(blobsDir)
+	assert.NilError(t, err)
+
 	cs := &blobsDirContentStore{blobs: filepath.Join(blobsDir, "blobs/sha256")}

 	for _, tc := range []struct {
@@ -123,6 +227,10 @@ func TestImageList(t *testing.T) {

 				assert.Check(t, is.Equal(all[0].ID, multilayer.Manifests[0].Digest.String()))
 				assert.Check(t, is.DeepEqual(all[0].RepoTags, []string{"multilayer:latest"}))
+
+				assert.Check(t, is.Len(all[0].Manifests, 1))
+				assert.Check(t, all[0].Manifests[0].Available)
+				assert.Check(t, is.Equal(all[0].Manifests[0].Kind, imagetypes.ManifestKindImage))
 			},
 		},
 		{
@@ -133,6 +241,18 @@ func TestImageList(t *testing.T) {

 				assert.Check(t, is.Equal(all[0].ID, twoplatform.Manifests[0].Digest.String()))
 				assert.Check(t, is.DeepEqual(all[0].RepoTags, []string{"twoplatform:latest"}))
+
+				i := all[0]
+				assert.Check(t, is.Len(i.Manifests, 2))
+
+				assert.Check(t, is.Equal(i.Manifests[0].Kind, imagetypes.ManifestKindImage))
+				if assert.Check(t, i.Manifests[0].ImageData != nil) {
+					assert.Check(t, is.Equal(i.Manifests[0].ImageData.Platform.Architecture, "amd64"))
+				}
+				assert.Check(t, is.Equal(i.Manifests[1].Kind, imagetypes.ManifestKindImage))
+				if assert.Check(t, i.Manifests[1].ImageData != nil) {
+					assert.Check(t, is.Equal(i.Manifests[1].ImageData.Platform.Architecture, "arm64"))
+				}
 			},
 		},
 		{
@@ -146,23 +266,48 @@ func TestImageList(t *testing.T) {

 				assert.Check(t, is.Equal(all[1].ID, twoplatform.Manifests[0].Digest.String()))
 				assert.Check(t, is.DeepEqual(all[1].RepoTags, []string{"twoplatform:latest"}))
+
+				assert.Check(t, is.Len(all[0].Manifests, 1))
+				assert.Check(t, is.Len(all[1].Manifests, 2))
+
+				assert.Check(t, is.Equal(all[0].Manifests[0].Kind, imagetypes.ManifestKindImage))
+
+				assert.Check(t, is.Equal(all[1].Manifests[0].Kind, imagetypes.ManifestKindImage))
+				assert.Check(t, is.Equal(all[1].Manifests[1].Kind, imagetypes.ManifestKindImage))
 			},
 		},
 		{
 			name:   "three images, one is an empty index",
 			images: imagesFromIndex(multilayer, emptyIndex, twoplatform),
 			check: func(t *testing.T, all []*imagetypes.Summary) {
-				assert.Check(t, is.Len(all, 2))
+				assert.Check(t, is.Len(all, 3))
 			},
 		},
 		{
-			// Make sure an invalid image target doesn't break the whole operation
 			name:   "one good image, second has config as a target",
 			images: imagesFromIndex(multilayer, configTarget),
 			check: func(t *testing.T, all []*imagetypes.Summary) {
-				assert.Check(t, is.Len(all, 1))
+				assert.Check(t, is.Len(all, 2))
+
+				sort.Slice(all, func(i, j int) bool {
+					return slices.Contains(all[i].RepoTags, "multilayer:latest")
+				})

 				assert.Check(t, is.Equal(all[0].ID, multilayer.Manifests[0].Digest.String()))
+				assert.Check(t, is.Len(all[0].Manifests, 1))
+
+				assert.Check(t, is.Equal(all[1].ID, configTarget.Manifests[0].Digest.String()))
+				assert.Check(t, is.Len(all[1].Manifests, 0))
+			},
+		},
+		{
+			name:   "a non-container image manifest",
+			images: imagesFromIndex(textplain),
+			check: func(t *testing.T, all []*imagetypes.Summary) {
+				assert.Check(t, is.Len(all, 1))
+				assert.Check(t, is.Equal(all[0].ID, textplain.Manifests[0].Digest.String()))
+
+				assert.Assert(t, is.Len(all[0].Manifests, 0))
 			},
 		},
 	} {
@@ -176,7 +321,9 @@ func TestImageList(t *testing.T) {
 				assert.NilError(t, err)
 			}

-			all, err := service.Images(ctx, tc.opts)
+			opts := tc.opts
+			opts.Manifests = true
+			all, err := service.Images(ctx, opts)
 			assert.NilError(t, err)

 			sort.Slice(all, func(i, j int) bool {
@@ -192,7 +339,6 @@ func TestImageList(t *testing.T) {
 			tc.check(t, all)
 		})
 	}
-
 }

 func fakeImageService(t testing.TB, ctx context.Context, cs content.Store) *ImageService {
@@ -206,7 +352,7 @@ func fakeImageService(t testing.TB, ctx context.Context, cs content.Store) *Imag

 	service := &ImageService{
 		images:              metadata.NewImageStore(mdb),
-		containers:          emptyTestContainerStore(),
+		containers:          container.NewMemoryStore(),
 		content:             cs,
 		eventsService:       daemonevents.New(),
 		snapshotterServices: snapshotters,
--- a/daemon/containerd/image_prune.go
+++ b/daemon/containerd/image_prune.go
@@ -2,14 +2,18 @@ package containerd

 import (
 	"context"
+	"sort"
 	"strings"

 	containerdimages "github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/leases"
+	"github.com/containerd/containerd/tracing"
 	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
 	"github.com/hashicorp/go-multierror"
 	"github.com/opencontainers/go-digest"
@@ -57,11 +61,42 @@ func (i *ImageService) ImagesPrune(ctx context.Context, fltrs filters.Args) (*im
 		return nil, err
 	}

+	// Prune leases
+	leaseManager := i.client.LeasesService()
+	pullLeases, err := leaseManager.List(ctx, pruneLeaseFilter)
+	if err != nil {
+		return nil, err
+	}
+	for i, lease := range pullLeases {
+		var opts []leases.DeleteOpt
+		if i == len(pullLeases)-1 {
+			opts = append(opts, leases.SynchronousDelete)
+		}
+		if err := leaseManager.Delete(ctx, lease, opts...); err != nil {
+			return nil, err
+		}
+	}
+
 	return i.pruneUnused(ctx, filterFunc, danglingOnly)
 }

+// pruneUnused deletes images that are dangling or unused by any container.
+// The behavior is controlled by the danglingOnly parameter.
+// If danglingOnly is true, only dangling images are deleted.
+// Otherwise, all images unused by any container are deleted.
+//
+// Additionally, the filterFunc parameter is used to filter images that should
+// be considered for deletion.
+//
+// Container created with images specified by an ID only (e.g. `docker run 82d1e9d`)
+// will keep at least one image tag with that ID.
+//
+// In case a digested and tagged reference was used (e.g. `docker run alpine:latest@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1`),
+// the alpine:latest image will be kept.
 func (i *ImageService) pruneUnused(ctx context.Context, filterFunc imageFilterFunc, danglingOnly bool) (*image.PruneReport, error) {
-	report := image.PruneReport{}
+	ctx, span := tracing.StartSpan(ctx, "ImageService.pruneUnused")
+	span.SetAttributes(tracing.Attribute("danglingOnly", danglingOnly))
+	defer span.End()

 	allImages, err := i.images.List(ctx)
 	if err != nil {
@@ -85,16 +120,52 @@ func (i *ImageService) pruneUnused(ctx context.Context, filterFunc imageFilterFu
 			if canBePruned {
 				imagesToPrune[img.Name] = img
 			}
-
 		}
 	}

+	usedDigests := filterImagesUsedByContainers(ctx, i.containers.List(), imagesToPrune)
+
+	// Sort images by name to make the behavior deterministic and consistent with graphdrivers.
+	sorted := make([]string, 0, len(imagesToPrune))
+	for name := range imagesToPrune {
+		sorted = append(sorted, name)
+	}
+	sort.Strings(sorted)
+
+	// Make sure we don't delete the last image of a particular digest used by any container.
+	for _, name := range sorted {
+		img := imagesToPrune[name]
+		dgst := img.Target.Digest
+
+		if digestRefCount[dgst] > 1 {
+			digestRefCount[dgst] -= 1
+			continue
+		}
+
+		if _, isUsed := usedDigests[dgst]; isUsed {
+			delete(imagesToPrune, name)
+		}
+	}
+
+	return i.pruneAll(ctx, imagesToPrune)
+}
+
+// filterImagesUsedByContainers removes image names that are used by containers
+// and returns a map of used image digests.
+func filterImagesUsedByContainers(ctx context.Context,
+	allContainers []*container.Container,
+	imagesToPrune map[string]containerdimages.Image,
+) (usedDigests map[digest.Digest]struct{}) {
+	ctx, span := tracing.StartSpan(ctx, "filterImagesUsedByContainers")
+	span.SetAttributes(tracing.Attribute("count", len(allContainers)))
+	defer span.End()
+
 	// Image specified by digests that are used by containers.
-	usedDigests := map[digest.Digest]struct{}{}
+	usedDigests = map[digest.Digest]struct{}{}

 	// Exclude images used by existing containers
-	for _, ctr := range i.containers.List() {
-		// If the original image was deleted, make sure we don't delete the dangling image
+	for _, ctr := range allContainers {
+		// If the original image was force deleted, make sure we don't delete the dangling image
 		delete(imagesToPrune, danglingImageName(ctr.ImageID.Digest()))

 		// Config.Image is the image reference passed by user.
@@ -105,41 +176,48 @@ func (i *ImageService) pruneUnused(ctx context.Context, filterFunc imageFilterFu
 		// but both will have ImageID="sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1"
 		imageDgst := ctr.ImageID.Digest()

-		// If user didn't specify an explicit image, mark the digest as used.
+		// If user used an full or truncated ID instead of an explicit image name, mark the digest as used.
 		normalizedImageID := "sha256:" + strings.TrimPrefix(ctr.Config.Image, "sha256:")
-		if strings.HasPrefix(imageDgst.String(), normalizedImageID) {
+		fullOrTruncatedID := strings.HasPrefix(imageDgst.String(), normalizedImageID)
+		digestedRef := strings.HasSuffix(ctr.Config.Image, "@"+imageDgst.String())
+		if fullOrTruncatedID || digestedRef {
 			usedDigests[imageDgst] = struct{}{}
-			continue
 		}

 		ref, err := reference.ParseNormalizedNamed(ctr.Config.Image)
 		log.G(ctx).WithFields(log.Fields{
 			"ctr":          ctr.ID,
-			"image":        ref,
+			"imageRef":     ref,
+			"imageID":      imageDgst,
 			"nameParseErr": err,
 		}).Debug("filtering container's image")
-
 		if err == nil {
 			// If user provided a specific image name, exclude that image.
 			name := reference.TagNameOnly(ref)
 			delete(imagesToPrune, name.String())
-		}
-	}

-	// Create dangling images for images that will be deleted but are still in use.
-	for _, img := range imagesToPrune {
-		dgst := img.Target.Digest
-
-		digestRefCount[dgst] -= 1
-		if digestRefCount[dgst] == 0 {
-			if _, isUsed := usedDigests[dgst]; isUsed {
-				if err := i.ensureDanglingImage(ctx, img); err != nil {
-					return &report, errors.Wrapf(err, "failed to create ensure dangling image for %s", img.Name)
-				}
+			// Also exclude repo:tag image if repo:tag@sha256:digest reference was used.
+			_, isDigested := name.(reference.Digested)
+			tagged, isTagged := name.(reference.NamedTagged)
+			if isDigested && isTagged {
+				named, _ := reference.ParseNormalizedNamed(tagged.Name())
+				namedTagged, _ := reference.WithTag(named, tagged.Tag())
+				delete(imagesToPrune, namedTagged.String())
 			}
 		}
 	}

+	return usedDigests
+}
+
+// pruneAll deletes all images in the imagesToPrune map.
+func (i *ImageService) pruneAll(ctx context.Context, imagesToPrune map[string]containerdimages.Image) (*image.PruneReport, error) {
+	report := image.PruneReport{}
+
+	ctx, span := tracing.StartSpan(ctx, "ImageService.pruneAll")
+	span.SetAttributes(tracing.Attribute("count", len(imagesToPrune)))
+	defer span.End()
+
 	possiblyDeletedConfigs := map[digest.Digest]struct{}{}
 	var errs error

--- a/daemon/containerd/image_pull.go
+++ b/daemon/containerd/image_pull.go
@@ -39,6 +39,12 @@ func (i *ImageService) PullImage(ctx context.Context, baseRef reference.Named, p
 	}()
 	out := streamformatter.NewJSONProgressOutput(outStream, false)

+	ctx, done, err := i.withLease(ctx, true)
+	if err != nil {
+		return err
+	}
+	defer done()
+
 	if !reference.IsNameOnly(baseRef) {
 		return i.pullTag(ctx, baseRef, platform, metaHeaders, authConfig, out)
 	}
@@ -79,10 +85,32 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 	resolver, _ := i.newResolverFromAuthConfig(ctx, authConfig, ref)
 	opts = append(opts, containerd.WithResolver(resolver))

-	old, err := i.resolveDescriptor(ctx, ref.String())
+	oldImage, err := i.resolveImage(ctx, ref.String())
 	if err != nil && !errdefs.IsNotFound(err) {
 		return err
 	}
+
+	// Will be set to the new image after pull succeeds.
+	var outNewImg containerd.Image
+
+	if oldImage.Target.Digest != "" {
+		err = i.leaseContent(ctx, i.content, oldImage.Target)
+		if err != nil {
+			return errdefs.System(fmt.Errorf("failed to lease content: %w", err))
+		}
+
+		// If the pulled image is different than the old image, we will keep the old image as a dangling image.
+		defer func() {
+			if outNewImg != nil {
+				if outNewImg.Target().Digest != oldImage.Target.Digest {
+					if err := i.ensureDanglingImage(ctx, oldImage); err != nil {
+						log.G(ctx).WithError(err).Warn("failed to keep the previous image as dangling")
+					}
+				}
+			}
+		}()
+	}
+
 	p := platforms.Default()
 	if platform != nil {
 		p = platforms.Only(*platform)
@@ -100,7 +128,6 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 	pp := pullProgress{store: i.content, showExists: true}
 	finishProgress := jobs.showProgress(ctx, out, pp)

-	var outNewImg *containerd.Image
 	defer func() {
 		finishProgress()

@@ -114,9 +141,10 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 		// Status: Downloaded newer image for hello-world:latest
 		// docker.io/library/hello-world:latest
 		if outNewImg != nil {
-			img := *outNewImg
+			img := outNewImg
 			progress.Message(out, "", "Digest: "+img.Target().Digest.String())
-			writeStatus(out, reference.FamiliarString(ref), old.Digest != img.Target().Digest)
+			newer := oldImage.Target.Digest != img.Target().Digest
+			writeStatus(out, reference.FamiliarString(ref), newer)
 		}
 	}()

@@ -184,6 +212,18 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 			}
 			return errdefs.NotFound(fmt.Errorf("pull access denied for %s, repository does not exist or may require 'docker login'", reference.FamiliarName(ref)))
 		}
+		if cerrdefs.IsNotFound(err) {
+			// Transform "no match for platform in manifest" error returned by containerd into
+			// the same message as the graphdrivers backend.
+			// The one returned by containerd doesn't contain the platform and is much less informative.
+			if strings.Contains(err.Error(), "platform") {
+				platformStr := platforms.DefaultString()
+				if platform != nil {
+					platformStr = platforms.Format(*platform)
+				}
+				return errdefs.NotFound(fmt.Errorf("no matching manifest for %s in the manifest list entries: %w", platformStr, err))
+			}
+		}
 		return err
 	}

@@ -202,7 +242,7 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor
 	}

 	i.LogImageEvent(reference.FamiliarString(ref), reference.FamiliarName(ref), events.ActionPull)
-	outNewImg = &img
+	outNewImg = img
 	return nil
 }

--- a/daemon/containerd/image_push.go
+++ b/daemon/containerd/image_push.go
@@ -270,7 +270,7 @@ func (i *ImageService) getPushDescriptor(ctx context.Context, img containerdimag

 	switch len(presentMatchingManifests) {
 	case 0:
-		return ocispec.Descriptor{}, errdefs.NotFound(fmt.Errorf("no suitable image manifest found for platform %s", *platform))
+		return ocispec.Descriptor{}, errdefs.NotFound(fmt.Errorf("no suitable image manifest found for platform %s", platforms.FormatAll(*platform)))
 	case 1:
 		// Only one manifest is available AND matching the requested platform.

@@ -302,7 +302,7 @@ func (i *ImageService) getPushDescriptor(ctx context.Context, img containerdimag
 			return ocispec.Descriptor{}, errdefs.Conflict(errors.Errorf("multiple matching manifests found but no specific platform requested"))
 		}

-		return ocispec.Descriptor{}, errdefs.Conflict(errors.Errorf("multiple manifests found for platform %s", *platform))
+		return ocispec.Descriptor{}, errdefs.Conflict(errors.Errorf("multiple manifests found for platform %s", platforms.FormatAll(*platform)))
 	}
 }

--- a/daemon/containerd/image_push_test.go
+++ b/daemon/containerd/image_push_test.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22

 package containerd

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"testing"

 	containerdimages "github.com/containerd/containerd/images"
@@ -15,7 +16,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/testutils/specialimage"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"golang.org/x/exp/slices"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -204,7 +204,7 @@ func TestImagePushIndex(t *testing.T) {
 				imgSvc.defaultPlatformOverride = platforms.Only(defaultDaemonPlatform)
 			}

-			idx, err := specialimage.MultiPlatform(csDir, "multiplatform:latest", tc.indexPlatforms)
+			idx, _, err := specialimage.MultiPlatform(csDir, "multiplatform:latest", tc.indexPlatforms)
 			assert.NilError(t, err)

 			imgs := imagesFromIndex(idx)
--- a/daemon/containerd/image_snapshot.go
+++ b/daemon/containerd/image_snapshot.go
@@ -58,6 +58,11 @@ func (i *ImageService) PrepareSnapshot(ctx context.Context, id string, parentIma
 		parentSnapshot = identity.ChainID(diffIDs).String()
 	}

+	// TODO: Consider a better way to do this. It is better to have a container directly
+	// reference a snapshot, however, that is not done today because a container may
+	// removed and recreated with nothing holding the snapshot in between. Consider
+	// removing this lease and only temporarily holding a lease on re-create, using
+	// non-expiring leases introduces the possibility of leaking resources.
 	ls := i.client.LeasesService()
 	lease, err := ls.Create(ctx, leases.WithID(id))
 	if err != nil {
--- a/daemon/containerd/image_tag.go
+++ b/daemon/containerd/image_tag.go
@@ -68,7 +68,9 @@ func (i *ImageService) TagImage(ctx context.Context, imageID image.ID, newTag re

 	// Delete the source dangling image, as it's no longer dangling.
 	if err := i.images.Delete(context.WithoutCancel(ctx), danglingImageName(targetImage.Target.Digest)); err != nil {
-		logger.WithError(err).Warn("unexpected error when deleting dangling image")
+		if !cerrdefs.IsNotFound(err) {
+			logger.WithError(err).Warn("unexpected error when deleting dangling image")
+		}
 	}

 	return nil
--- a/Show More
+++ b/Show More