Merge pull request #51174 from vvoland/gha-autolabel

gha/labeler: disable sync-labels to preserve human-added labels
Merge pull request #51175 from vvoland/vendor-api
2026-01-11 18:51:37 +00:00 · 2025-10-14 11:26:21 +09:00 · 2025-10-14 11:25:49 +09:00 · 2025-10-13 22:29:06 +02:00 · 2025-10-13 19:22:30 +02:00 · 2025-10-13 16:56:44 +02:00
5681 changed files with 359535 additions and 170527 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,6 @@
-.git
-bundles/
-cli/winresources/**/winres.json
-cli/winresources/**/*.syso
+/.git
+
+# build artifacts
+/bundles/
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1 @@
 Dockerfile* linguist-language=Dockerfile
-vendor.mod linguist-language=Go-Module
-vendor.sum linguist-language=Go-Checksums
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -0,0 +1,155 @@
+module/client:
+  - changed-files:
+    - any-glob-to-any-file: 'client/**'
+
+module/api:
+  - changed-files:
+    - any-glob-to-any-file: 'api/**'
+
+area/daemon:
+  - changed-files:
+    - any-glob-to-any-file: 'daemon/**'
+
+area/builder/buildkit:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*buildkit*'
+      - 'daemon/internal/builder-next/**'
+
+area/builder/classic-builder:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/images/*_build*'
+      - 'daemon/builder/**'
+
+area/builder:
+  - labels:
+    - any-glob-to-any-file:
+      - '**/*buildkit*'
+      - 'daemon/internal/builder-next/**'
+      - 'daemon/images/*_build*'
+      - 'daemon/builder/**'
+
+area/networking:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/network*'
+      - 'daemon/network/**'
+      - 'api/types/network/**'
+      - 'integration/network/**'
+      - 'integration/networking/**'
+
+area/volumes:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/volume/**'
+      - 'api/types/volume/**'
+      - 'integration/volume/**'
+
+area/swarm:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/cluster/**'
+      - 'api/types/swarm/**'
+
+area/images:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/images/**'
+      - 'api/types/image/**'
+      - 'integration/image/**'
+
+area/logging:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/logger/**'
+      - '**/*log*'
+
+area/security:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*seccomp*'
+      - '**/*apparmor*'
+      - '**/*selinux*'
+
+area/security/apparmor:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*apparmor*'
+      - 'contrib/apparmor/**'
+
+area/security/selinux:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*selinux*'
+      - 'contrib/selinux/**'
+
+area/security/seccomp:
+  - changed-files:
+    - any-glob-to-any-file: '**/*seccomp*'
+
+area/systemd:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*systemd*'
+      - 'contrib/init/systemd/**'
+
+area/contrib:
+  - changed-files:
+    - any-glob-to-any-file: 'contrib/**'
+
+area/packaging:
+  - changed-files:
+    - any-glob-to-any-file:
+      # files used in packaging
+      - 'contrib/dockerd-rootless.sh'
+      - 'contrib/dockerd-rootless-setuptool.sh'
+      - 'contrib/init/systemd/**'
+
+containerd-integration:
+  - changed-files:
+    - any-glob-to-any-file: 'daemon/containerd/**'
+
+area/rootless:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*rootless*'
+      - 'contrib/dockerd-rootless*'
+
+area/testing:
+  - changed-files:
+    - any-glob-to-all-files:
+      - 'integration/**'
+      - 'integration-cli/**'
+      - '**/*_test.go'
+      - 'internal/test*'
+      - 'internal/testutil/**'
+
+area/docs:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'api/docs/*.yaml'
+      - 'docs/**'
+      - '**/*.md'
+      - 'man/**'
+
+area/dependencies:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'go.mod'
+      - 'go.sum'
+      - 'vendor/**'
+
+area/ci:
+  - changed-files:
+    - any-glob-to-any-file: '.github/**'
+
+platform/windows:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*_windows.go'
+      - 'Dockerfile.windows'
+
+impact/changelog:
+  - changed-files:
+    - any-glob-to-any-file: 'api/docs/CHANGELOG.md'
--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -16,11 +16,11 @@ on:
  workflow_call:

 env:
-  ALPINE_VERSION: "3.21"
+  ALPINE_VERSION: "3.22"

 jobs:
  run:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10 # guardrails timeout for the whole job
    steps:
      -
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -1,45 +0,0 @@
-# reusable workflow
-name: .test-prepare
-
-# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  workflow_call:
-    outputs:
-      matrix:
-        description: Test matrix
-        value: ${{ jobs.run.outputs.matrix }}
-
-jobs:
-  run:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    outputs:
-      matrix: ${{ steps.set.outputs.matrix }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Create matrix
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let matrix = ['graphdriver'];
-            if ("${{ contains(github.event.pull_request.labels.*.name, 'containerd-integration') || github.event_name != 'pull_request' }}" == "true") {
-              matrix.push('snapshotter');
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(matrix)}`);
-              core.setOutput('matrix', JSON.stringify(matrix));
-            });
--- a/.github/workflows/.test-unit.yml
+++ b/.github/workflows/.test-unit.yml
@@ -0,0 +1,123 @@
+# reusable workflow
+name: .test-unit
+
+# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+
+env:
+  GO_VERSION: "1.25.2"
+  GOTESTLIST_VERSION: v0.3.1
+  TESTSTAT_VERSION: v0.1.25
+  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
+
+jobs:
+  unit:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        mode:
+          - ""
+          - firewalld
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up runner
+        uses: ./.github/actions/setup-runner
+      -
+        name: Prepare
+        run: |
+          CACHE_DEV_SCOPE=dev
+          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+            echo "FIREWALLD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+          fi
+          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v6
+        with:
+          targets: dev
+          set: |
+            dev.cache-from=type=gha,scope=${{ env.CACHE_DEV_SCOPE }}
+      -
+        name: Test
+        run: |
+          make -o build test-unit
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          mkdir -p bundles /tmp/reports
+          find bundles -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
+          sudo chown -R $(id -u):$(id -g) /tmp/reports
+          tree -nh /tmp/reports
+      -
+        name: Send to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./bundles
+          env_vars: RUNNER_OS
+          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-unit--${{ matrix.mode }}
+          path: /tmp/reports/*
+          retention-days: 1
+
+  unit-report:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always()
+    needs:
+      - unit
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          pattern: test-reports-unit-*
+          path: /tmp/reports
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -21,148 +21,19 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.25.2"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
-  TEST_INTEGRATION_USE_SNAPSHOTTER: ${{ inputs.storage == 'snapshotter' && '1' || '' }}
+  TEST_INTEGRATION_USE_GRAPHDRIVER: ${{ inputs.storage == 'graphdriver' && '1' || '' }}
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
-  unit-prepare:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    outputs:
-      includes: ${{ steps.set.outputs.includes }}
-    steps:
-      -
-        name: Create matrix includes
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let includes = [
-              { mode: '' },
-              { mode: 'rootless' },
-              { mode: 'systemd' },
-            ];
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ mode: 'firewalld' });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(includes)}`);
-              core.setOutput('includes', JSON.stringify(includes));
-            });
-      -
-        name: Show matrix
-        run: |
-          echo ${{ steps.set.outputs.includes }}
-
-  unit:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - unit-prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        include: ${{ fromJson(needs.unit-prepare.outputs.includes) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev
-      -
-        name: Test
-        run: |
-          make -o build test-unit
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          mkdir -p bundles /tmp/reports
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
-          sudo chown -R $(id -u):$(id -g) /tmp/reports
-          tree -nh /tmp/reports
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles
-          env_vars: RUNNER_OS
-          flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-unit-${{ inputs.storage }}-${{ matrix.mode }}
-          path: /tmp/reports/*
-          retention-days: 1
-
-  unit-report:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
-    needs:
-      - unit
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          pattern: test-reports-unit-${{ inputs.storage }}-*
-          path: /tmp/reports
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
-
  docker-py:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    steps:
@@ -192,7 +63,7 @@ jobs:
      -
        name: Test
        run: |
-          make -o build test-docker-py
+          make TEST_SKIP_INTEGRATION_CLI=1 -o build test-docker-py
      -
        name: Prepare reports
        if: always()
@@ -219,7 +90,7 @@ jobs:
          retention-days: 1

  integration-flaky:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    steps:
@@ -251,7 +122,7 @@ jobs:
          TEST_SKIP_INTEGRATION_CLI: 1

  integration-prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
@@ -264,17 +135,18 @@ jobs:
        with:
          script: |
            let includes = [
-              { os: 'ubuntu-20.04', mode: '' },
-              { os: 'ubuntu-20.04', mode: 'rootless' },
-              { os: 'ubuntu-20.04', mode: 'systemd' },
              { os: 'ubuntu-22.04', mode: '' },
              { os: 'ubuntu-22.04', mode: 'rootless' },
              { os: 'ubuntu-22.04', mode: 'systemd' },
-              // { os: 'ubuntu-20.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
-              // { os: 'ubuntu-22.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
+              { os: 'ubuntu-24.04', mode: '' },
+              // { os: 'ubuntu-24.04', mode: 'rootless' },  // FIXME: https://github.com/moby/moby/pull/49579#issuecomment-2698622223
+              { os: 'ubuntu-24.04', mode: 'systemd' },
+              // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
            ];
            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ os: 'ubuntu-22.04', mode: 'firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'iptables+firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables+firewalld' });
            }
            await core.group(`Set matrix`, async () => {
              core.info(`matrix: ${JSON.stringify(includes)}`);
@@ -317,9 +189,12 @@ jobs:
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
          fi
          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -383,7 +258,7 @@ jobs:
          retention-days: 1

  integration-report:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    if: always()
@@ -395,7 +270,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -413,7 +288,7 @@ jobs:
          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-cli-prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
@@ -427,7 +302,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Install gotestlist
        run:
@@ -458,19 +333,43 @@ jobs:
            // 'include' with other matrix variables that aren't part of the
            // include items.
            // Moreover, since the goal is to run only relevant tests with
-            // firewalld enabled to minimize the number of CI jobs, we
+            // firewalld/nftables enabled to minimize the number of CI jobs, we
            // statically define the list of test suites that we want to run.
            if ("${{ inputs.storage }}" == "snapshotter") {
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerSwarmSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
                'test': 'DockerNetworkSuite'
              });
            }
@@ -484,7 +383,7 @@ jobs:
          echo ${{ steps.set.outputs.matrix }}

  integration-cli:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    needs:
@@ -507,9 +406,12 @@ jobs:
        run: |
          CACHE_DEV_SCOPE=dev
          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -567,12 +469,12 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: test-reports-integration-cli-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
+          name: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-${{ env.TESTREPORTS_NAME }}
          path: /tmp/reports/*
          retention-days: 1

  integration-cli-report:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    if: always()
@@ -584,13 +486,13 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
        with:
          path: /tmp/reports
-          pattern: test-reports-integration-cli-${{ inputs.storage }}-*
+          pattern: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-*
          merge-multiple: true
      -
        name: Install teststat
--- a/.github/workflows/.vm.yml
+++ b/.github/workflows/.vm.yml
@@ -0,0 +1,205 @@
+# reusable workflow
+name: .vm
+
+# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      template:
+        required: true
+        type: string
+
+env:
+  GO_VERSION: "1.25.2"
+  TESTSTAT_VERSION: v0.1.25
+
+jobs:
+  integration:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    strategy:
+      fail-fast: false
+      matrix:
+        mode:
+          - ""
+          - rootless
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Lima
+        uses: lima-vm/lima-actions/setup@03b96d61959e83b2c737e44162c3088e81de0886  # v1.0.1
+        id: lima-actions-setup
+      -
+        name: Cache ~/.cache/lima
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/lima
+          key: lima-${{ steps.lima-actions-setup.outputs.version }}-${{ inputs.template }}
+      -
+        name: Start the guest VM
+        run: |
+          # --plain is set because the built-in containerd support conflicts with Docker
+          limactl start \
+            --name=default \
+            --cpus=4 \
+            --memory=12 \
+            --plain \
+            ${{ inputs.template }}
+      -
+        name: Load kernel modules in the guest VM
+        run: |
+          set -eux -o pipefail
+          cat <<-EOF | lima sudo tee /etc/modules-load.d/docker.conf
+          br_netfilter
+          bridge
+          ip6_tables
+          ip6table_filter
+          ip6table_nat
+          ip_tables
+          ip_vs
+          iptable_filter
+          iptable_nat
+          nf_tables
+          overlay
+          tap
+          tun
+          veth
+          x_tables
+          xt_addrtype
+          xt_comment
+          xt_conntrack
+          xt_mark
+          xt_multiport
+          xt_nat
+          xt_tcpudp
+          EOF
+          lima sudo systemctl restart systemd-modules-load.service
+      -
+        name: Install dockerd in the guest VM
+        run: |
+          set -eux -o pipefail
+          lima sudo mkdir -p /etc/systemd/system/docker.socket.d
+          cat <<-EOF | lima sudo tee /etc/systemd/system/docker.socket.d/override.conf
+          [Socket]
+          SocketUser=$(whoami)
+          EOF
+          # TODO: use native packages for AlmaLinux: https://github.com/docker/packaging/pull/138
+          lima sudo dnf config-manager --add-repo=https://download.docker.com/linux/rhel/docker-ce.repo
+          lima sudo dnf -q -y install --nobest docker-ce make
+          lima sudo systemctl enable --now docker
+          lima docker info
+      -
+        name: Copy the current directory
+        run: |
+          set -eux -o pipefail
+          limactl cp -r . default:/tmp/docker
+      -
+        name: Test
+        run: |
+          set -eux -o pipefail
+          DOCKER_ROOTLESS=
+          DOCKER_GRAPHDRIVER=overlay2
+          if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then
+            DOCKER_ROOTLESS=1
+            if lima grep -q "AlmaLinux release 8" /etc/system-release; then
+              # kernel prior to 5.11 needs fuse-overlayfs
+              DOCKER_GRAPHDRIVER=fuse-overlayfs
+            fi
+          fi
+
+          DOCKER_IGNORE_BR_NETFILTER_ERROR=
+          if lima grep -q "AlmaLinux release 8" /etc/system-release; then
+            # DOCKER_IGNORE_BR_NETFILTER_ERROR=1 is set because /proc/sys/net/bridge does not appear in
+            # a container when the kernel is older than 5.3.
+            # https://web.archive.org/web/20201123224428/github.com/lxc/lxd/issues/3306#issuecomment-502857864
+            DOCKER_IGNORE_BR_NETFILTER_ERROR=1
+          fi
+
+          # TODO: just propagate the env from the host: https://github.com/lima-vm/lima/issues/3430
+          # TODO: enable GHA cache?
+          LIMA_WORKDIR=/tmp/docker lima \
+            TEST_SKIP_INTEGRATION_CLI=1 \
+            TEST_INTEGRATION_USE_GRAPHDRIVER=1 \
+            DOCKER_ROOTLESS=${DOCKER_ROOTLESS} \
+            DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER} \
+            DOCKER_IGNORE_BR_NETFILTER_ERROR=${DOCKER_IGNORE_BR_NETFILTER_ERROR} \
+            make test-integration
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          set -eux -o pipefail
+          limactl cp -v -r default:/tmp/docker/bundles . || true
+          reportsName="$(basename ${{ inputs.template }})"
+          if [ -n "${{ matrix.mode }}" ]; then
+            reportsName="$reportsName-${{ matrix.mode }}"
+          fi
+          reportsPath="/tmp/reports/$reportsName"
+          echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
+
+          mkdir -p bundles $reportsPath
+          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C $reportsPath
+          sudo chown -R $(id -u):$(id -g) $reportsPath
+          tree -nh $reportsPath
+      -
+        name: Test daemon logs
+        if: always()
+        run: |
+          cat bundles/test-integration/docker.log
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-integration-${{ env.TESTREPORTS_NAME }}
+          path: /tmp/reports/*
+          retention-days: 1
+
+  integration-report:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
+    needs:
+      - integration
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      -
+        name: Prepare reports
+        run: echo "TESTREPORTS_NAME=$(basename ${{ inputs.template }})*" >> $GITHUB_ENV
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/reports
+          pattern: test-reports-integration-${{ env.TESTREPORTS_NAME }}
+          merge-multiple: true
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -28,12 +28,12 @@ on:
        default: false

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.25.2"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
-  WINDOWS_BASE_TAG_2019: ltsc2019
  WINDOWS_BASE_TAG_2022: ltsc2022
+  WINDOWS_BASE_TAG_2025: ltsc2025
  TEST_IMAGE_NAME: moby:test
  TEST_CTN_NAME: moby
  DOCKER_BUILDKIT: 0
@@ -65,23 +65,11 @@ jobs:
        run: |
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -92,15 +80,12 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Build binaries
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
      -
        name: Copy artifacts
@@ -145,23 +130,11 @@ jobs:
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -172,15 +145,12 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Test
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-            -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-            -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
            -v "${{ env.GOPATH }}\src\github.com\docker\docker\bundles:C:\gopath\src\github.com\docker\docker\bundles" `
            ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -TestUnit
      -
@@ -214,7 +184,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
@@ -244,7 +214,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Install gotestlist
        run:
@@ -297,6 +267,12 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
      -
        name: Set up Jaeger
        run: |
@@ -321,8 +297,8 @@ jobs:
        name: Init
        run: |
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -366,10 +342,10 @@ jobs:
              "--exec-root=$env:TEMP\moby-exec", `
              "--pidfile=$env:TEMP\docker.pid", `
              "--register-service"
-          If ("${{ inputs.storage }}" -eq "snapshotter") {
+          If ("${{ inputs.storage }}" -eq "graphdriver") {
            # Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option.
-            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d TEST_INTEGRATION_USE_SNAPSHOTTER=1 
-            echo "TEST_INTEGRATION_USE_SNAPSHOTTER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d TEST_INTEGRATION_USE_GRAPHDRIVER=1
+            echo "TEST_INTEGRATION_USE_GRAPHDRIVER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
          Write-Host "Starting service"
          Start-Service -Name docker
@@ -428,12 +404,6 @@ jobs:
          & "${{ env.BIN_OUT }}\docker" images
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Test integration
        if: matrix.test == './...'
@@ -441,7 +411,6 @@ jobs:
          .\hack\make.ps1 -TestIntegration
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
      -
        name: Test integration-cli
@@ -450,7 +419,6 @@ jobs:
          .\hack\make.ps1 -TestIntegrationCli
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
          INTEGRATION_TESTRUN: ${{ matrix.test }}
      -
@@ -527,7 +495,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.25.2"
  TESTSTAT_VERSION: v0.1.25
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
@@ -35,8 +35,9 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  build:
-    runs-on: ubuntu-22.04-arm
+    runs-on: ubuntu-24.04-arm
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    strategy:
@@ -68,8 +69,9 @@ jobs:
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  build-dev:
-    runs-on: ubuntu-22.04-arm
+    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    steps:
@@ -87,12 +89,13 @@ jobs:
          targets: dev
          set: |
            *.cache-from=type=gha,scope=dev-arm64
-            *.cache-to=type=gha,scope=dev-arm64,mode=max
+            *.cache-to=type=gha,scope=dev-arm64
            *.output=type=cacheonly

  test-unit:
-    runs-on: ubuntu-22.04-arm
+    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
    steps:
@@ -109,6 +112,9 @@ jobs:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
      -
        name: Build dev image
        uses: docker/bake-action@v6
@@ -147,10 +153,10 @@ jobs:
          retention-days: 1

  test-unit-report:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
    needs:
      - test-unit
    steps:
@@ -159,7 +165,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -176,9 +182,10 @@ jobs:
          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  test-integration:
-    runs-on: ubuntu-22.04-arm
+    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
    steps:
@@ -198,6 +205,9 @@ jobs:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
      -
        name: Build dev image
        uses: docker/bake-action@v6
@@ -246,10 +256,10 @@ jobs:
          retention-days: 1

  test-integration-report:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
    needs:
      - test-integration
    steps:
@@ -258,7 +268,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -40,8 +40,9 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    outputs:
      platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -58,20 +59,21 @@ jobs:
          ### versioning strategy
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
+          # moby/moby-bin:23.0
+          # moby/moby-bin:23
          # moby/moby-bin:latest
          ## push semver prerelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
-          ## push on 23.0 branch
-          # moby/moby-bin:23.0
-          ## any push
-          # moby/moby-bin:sha-ad132f5
+          ## push on 28.x branch
+          # moby/moby-bin:28.x
          tags: |
            type=semver,pattern={{version}}
            type=ref,event=branch
            type=ref,event=pr
-            type=sha
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
      -
        name: Rename meta bake definition file
        # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -93,12 +95,12 @@ jobs:
          echo "matrix=$(docker buildx bake bin-image-cross --print | jq -cr '.target."bin-image-cross".platforms')" >>${GITHUB_OUTPUT}

  build:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only')) }}
    needs:
      - validate-dco
      - prepare
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    strategy:
      fail-fast: false
      matrix:
@@ -169,11 +171,11 @@ jobs:
          retention-days: 1

  merge:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-24.04
+    timeout-minutes: 40 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
    needs:
      - build
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
    steps:
      -
        name: Download meta bake definition
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.25.2"
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -32,9 +32,10 @@ jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  build:
-    runs-on: ubuntu-20.04
+  build-linux:
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    steps:
@@ -59,11 +60,12 @@ jobs:
          if-no-files-found: error
          retention-days: 1

-  test:
-    runs-on: ubuntu-20.04
+  test-linux:
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
-      - build
+      - build-linux
    env:
      TEST_IMAGE_BUILD: "0"
      TEST_IMAGE_ID: "buildkit-tests"
@@ -106,7 +108,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: BuildKit ref
        run: |
@@ -162,3 +164,210 @@ jobs:
          TESTPKGS: "./${{ matrix.pkg }}"
          TESTFLAGS: "-v --parallel=1 --timeout=30m --run=//worker=${{ matrix.worker }}$"
        working-directory: buildkit
+
+  build-windows:
+    runs-on: windows-2022
+    timeout-minutes: 120
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    needs:
+      - validate-dco
+    env:
+      GOPATH: ${{ github.workspace }}\go
+      GOBIN: ${{ github.workspace }}\go\bin
+      BIN_OUT: ${{ github.workspace }}\out
+      WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
+      WINDOWS_BASE_TAG_2022: ltsc2022
+      TEST_IMAGE_NAME: moby:test
+      TEST_CTN_NAME: moby
+    defaults:
+      run:
+        working-directory: ${{ env.GOPATH }}/src/github.com/docker/docker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: ${{ env.GOPATH }}/src/github.com/docker/docker
+
+      - name: Env
+        run: |
+          Get-ChildItem Env: | Out-String
+
+      - name: Moby - Init
+        run: |
+          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
+          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
+          echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Docker info
+        run: |
+          docker info
+
+      - name: Build base image
+        run: |
+          & docker build `
+            --build-arg WINDOWS_BASE_IMAGE `
+            --build-arg WINDOWS_BASE_IMAGE_TAG `
+            -t ${{ env.TEST_IMAGE_NAME }} `
+            -f Dockerfile.windows .
+
+      - name: Build binaries
+        run: |
+          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
+              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
+              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
+              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
+          go install github.com/distribution/distribution/v3/cmd/registry@latest
+
+      - name: Checkout BuildKit
+        uses: actions/checkout@v4
+        with:
+          repository: moby/buildkit
+          ref: master
+          path: buildkit
+
+      - name: Add buildctl to binaries
+        run: |
+          go install ./cmd/buildctl
+        working-directory: buildkit
+
+      - name: Copy artifacts
+        run: |
+          New-Item -ItemType "directory" -Path "${{ env.BIN_OUT }}"
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\docker.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\dockerd.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\bin\gotestsum.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd-shim-runhcs-v1.exe" ${{ env.BIN_OUT }}\
+          cp ${{ env.GOPATH }}\bin\registry.exe ${{ env.BIN_OUT }}
+          cp ${{ env.GOPATH }}\bin\buildctl.exe ${{ env.BIN_OUT }}
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-windows
+          path: ${{ env.BIN_OUT }}/*
+          if-no-files-found: error
+          retention-days: 2
+
+  test-windows:
+    runs-on: windows-2022
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    needs:
+      - build-windows
+    env:
+      TEST_IMAGE_BUILD: "0"
+      TEST_IMAGE_ID: "buildkit-tests"
+      GOPATH: ${{ github.workspace }}\go
+      GOBIN: ${{ github.workspace }}\go\bin
+      BIN_OUT: ${{ github.workspace }}\out
+      TESTFLAGS: "-v --timeout=90m"
+      TEST_DOCKERD: "1"
+    strategy:
+      fail-fast: false
+      matrix:
+        worker:
+          - dockerd-containerd
+        pkg:
+          - ./client#1-4
+          - ./client#2-4
+          - ./client#3-4
+          - ./client#4-4
+          - ./cmd/buildctl
+          - ./frontend
+          - ./frontend/dockerfile#1-12
+          - ./frontend/dockerfile#2-12
+          - ./frontend/dockerfile#3-12
+          - ./frontend/dockerfile#4-12
+          - ./frontend/dockerfile#5-12
+          - ./frontend/dockerfile#6-12
+          - ./frontend/dockerfile#7-12
+          - ./frontend/dockerfile#8-12
+          - ./frontend/dockerfile#9-12
+          - ./frontend/dockerfile#10-12
+          - ./frontend/dockerfile#11-12
+          - ./frontend/dockerfile#12-12
+    steps:
+      - name: Prepare
+        shell: bash
+        run: |
+          disabledFeatures="cache_backend_azblob,cache_backend_s3"
+          if [ "${{ matrix.worker }}" = "dockerd" ]; then
+            disabledFeatures="${disabledFeatures},merge_diff"
+          fi
+          echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v3
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: moby
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: BuildKit ref
+        shell: bash
+        run: |
+          echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
+        working-directory: moby
+
+      - name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.BUILDKIT_REPO }}
+          ref: ${{ env.BUILDKIT_REF }}
+          path: buildkit
+
+      - name: Download Moby artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-windows
+          path: ${{ env.BIN_OUT }}
+
+      - name: Add binaries to PATH
+        run: |
+          ls ${{ env.BIN_OUT }}
+          Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Test Prep
+        shell: bash
+        run: |
+          TESTPKG=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $1}')
+          echo "TESTPKG=$TESTPKG" >> $GITHUB_ENV
+          echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          testFlags="${{ env.TESTFLAGS }}"
+          testSlice=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $2}')
+          testSliceOffset=""
+          if [ -n "$testSlice" ]; then
+           testSliceOffset="slice=$testSlice/"
+          fi
+          if [ -n "${{ matrix.worker }}" ]; then
+           testFlags="${testFlags} --run=TestIntegration/$testSliceOffset.*/worker=${{ matrix.worker }}"
+          fi
+          echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
+
+      - name: Test
+        shell: bash
+        run: |
+          mkdir -p ./bin/testreports
+          gotestsum \
+            --jsonfile="./bin/testreports/go-test-report-${{ env.TEST_REPORT_NAME }}.json" \
+            --junitfile="./bin/testreports/junit-report-${{ env.TEST_REPORT_NAME }}.xml" \
+            --packages="${{ env.TESTPKG }}" \
+            -- \
+              "-mod=vendor" \
+              "-coverprofile" "./bin/testreports/coverage-${{ env.TEST_REPORT_NAME }}.txt" \
+              "-covermode" "atomic" ${{ env.TESTFLAGS }}
+        working-directory: buildkit
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
@@ -67,6 +67,7 @@ jobs:
  prepare-cross:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    outputs:
@@ -87,8 +88,9 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  cross:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
      - prepare-cross
@@ -128,6 +130,7 @@ jobs:
  govulncheck:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    # Always run security checks, even with 'ci/validate-only' label
    permissions:
      # required to write sarif report
      security-events: write
@@ -154,3 +157,24 @@ jobs:
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
+  build-dind:
+    runs-on: ubuntu-24.04
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    needs:
+      - validate-dco
+    steps:
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dind image
+        uses: docker/bake-action@v6
+        with:
+          targets: dind
+          set: |
+            *.output=type=cacheonly
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,6 +32,9 @@ on:
    #        * * * * *
    - cron: '0 9 * * 4'

+env:
+  GO_VERSION: "1.25.2"
+
 jobs:
  codeql:
    runs-on: ubuntu-24.04
@@ -46,19 +49,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
-      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
-      # and is trying to be smart by searching for modules in every directory,
-      # including vendor directories. If no module is found, it's creating one
-      # which is ... not what we want, so let's give it a "go.mod".
-      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
-      - name: Create go.mod
-        run: |
-          ln -s vendor.mod go.mod
-          ln -s vendor.sum go.sum
-      - name: Update Go
+      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.6"
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,18 @@
+name: "Labeler"
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Labels
+        uses: actions/labeler@v6
+        with:
+          sync-labels: false
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.25.2"
  GIT_PAGER: "cat"
  PAGER: "cat"
  SETUP_BUILDX_VERSION: edge
@@ -34,7 +34,7 @@ jobs:
    uses: ./.github/workflows/.dco.yml

  build-dev:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
@@ -44,6 +44,7 @@ jobs:
        mode:
          - ""
          - systemd
+          - firewalld
    steps:
      -
        name: Prepare
@@ -65,10 +66,11 @@ jobs:
          targets: dev
          set: |
            *.cache-from=type=gha,scope=dev${{ matrix.mode }}
-            *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
+            *.cache-to=type=gha,scope=dev${{ matrix.mode }}
            *.output=type=cacheonly

  test:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
      - validate-dco
@@ -83,8 +85,16 @@ jobs:
    with:
      storage: ${{ matrix.storage }}

+  test-unit:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    needs:
+      - build-dev
+      - validate-dco
+    uses: ./.github/workflows/.test-unit.yml
+    secrets: inherit
+
  validate-prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10 # guardrails timeout for the whole job
    needs:
      - validate-dco
@@ -106,7 +116,7 @@ jobs:
          echo ${{ steps.scripts.outputs.matrix }}

  validate:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    needs:
      - validate-prepare
@@ -144,8 +154,9 @@ jobs:
          make -o build validate-${{ matrix.script }}

  smoke-prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 10 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    outputs:
@@ -166,8 +177,9 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  smoke:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - smoke-prepare
    strategy:
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -14,20 +14,25 @@ on:
    types: [opened, edited, labeled, unlabeled, synchronize]

 jobs:
-  check-area-label:
-    runs-on: ubuntu-20.04
+  check-labels:
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    steps:
      - name: Missing `area/` label
-        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
        run: |
          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
          exit 1
+      - name: Missing `kind/` label
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'kind/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have a 'kind/*' label"
+          exit 1
      - name: OK
        run: exit 0

  check-changelog:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
@@ -65,7 +70,7 @@ jobs:
          echo "$desc"

  check-pr-branch:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -0,0 +1,46 @@
+name: vm
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  vm:
+    needs:
+      - validate-dco
+    uses: ./.github/workflows/.vm.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        template:
+          # EL 8 is used for running the tests with cgroup v1.
+          # Do not upgrade this to EL 9 until formally deprecating the cgroup v1 support.
+          #
+          # FIXME: use almalinux-8, then probably no need to keep oraclelinux-8 here.
+          # On almalinux-8, port forwarding tests are failing:
+          # https://github.com/moby/moby/pull/49819#issuecomment-2815676000
+          - template://oraclelinux-8  # Oracle's kernel 5.15
+          # - template://almalinux-8  # kernel 4.18
+    with:
+      template: ${{ matrix.template }}
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -1,42 +0,0 @@
-name: windows-2019
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  schedule:
-    - cron: '0 10 * * *'
-  workflow_dispatch:
-
-jobs:
-  validate-dco:
-    uses: ./.github/workflows/.dco.yml
-
-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
-  run:
-    needs:
-      - test-prepare
-    uses: ./.github/workflows/.windows.yml
-    secrets: inherit
-    strategy:
-      fail-fast: false
-      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
-    with:
-      os: windows-2019
-      storage: ${{ matrix.storage }}
-      send_coverage: false
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -14,32 +14,25 @@ concurrency:
  cancel-in-progress: true

 on:
+  schedule:
+    - cron: '0 10 * * *'
  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:

 jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
  run:
-    needs:
-      - test-prepare
+    needs: validate-dco
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    uses: ./.github/workflows/.windows.yml
    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+        storage:
+          - graphdriver
+          - snapshotter
    with:
      os: windows-2022
      storage: ${{ matrix.storage }}
--- a/.github/workflows/windows-2025.yml
+++ b/.github/workflows/windows-2025.yml
@@ -0,0 +1,43 @@
+name: windows-2025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  run:
+    needs: validate-dco
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    uses: ./.github/workflows/.windows.yml
+    secrets: inherit
+    strategy:
+      fail-fast: false
+      matrix:
+        storage:
+          - graphdriver
+          - snapshotter
+    with:
+      os: windows-2025
+      storage: ${{ matrix.storage }}
+      send_coverage: false
--- a/.gitignore
+++ b/.gitignore
@@ -14,10 +14,9 @@ thumbs.db
 .editorconfig

 # build artifacts
-bundles/
-cli/winresources/*/*.syso
-cli/winresources/*/winres.json
-contrib/builder/rpm/*/changelog
+/bundles/
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso

 # ci artifacts
 *.exe
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,191 +1,359 @@
-linters:
-  enable:
-    - copyloopvar   # Detects places where loop variables are copied.
-    - depguard
-    - dupword       # Detects duplicate words.
-    - goimports
-    - gosec         # Detects security problems.
-    - gosimple
-    - govet
-    - forbidigo
-    - importas
-    - ineffassign
-    - misspell      # Detects commonly misspelled English words in comments.
-    - revive        # Metalinter; drop-in replacement for golint.
-    - staticcheck
-    - typecheck
-    - unconvert     # Detects unnecessary type conversions.
-    - unused
-
-  disable:
-    - errcheck
+version: "2"

 run:
  # prevent golangci-lint from deducting the go version to lint for through go.mod,
  # which causes it to fallback to go1.17 semantics.
-  go: "1.23.6"
+  go: "1.25.2"
  concurrency: 2
  # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
  # modules-download-mode: vendor

-linters-settings:
-  depguard:
+formatters:
+  enable:
+    - gofmt
+    - goimports
+
+linters:
+  enable:
+    - asasalint                 # Detects "[]any" used as argument for variadic "func(...any)".
+    - copyloopvar               # Detects places where loop variables are copied.
+    - depguard
+    - dogsled                   # Detects assignments with too many blank identifiers.
+    - dupword                   # Detects duplicate words.
+    - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
+    - errorlint                 # Detects code that will cause problems with the error wrapping scheme introduced in Go 1.13.
+    - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
+    - exhaustive                # Detects missing options in enum switch statements.
+    - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
+    - fatcontext                # Detects nested contexts in loops and function literals.
+    - forbidigo
+    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - gocritic                  # Detects for bugs, performance and style issues.
+    - gosec                     # Detects security problems.
+    - govet
+    - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
+    - importas
+    - ineffassign
+    - makezero                  # Finds slice declarations with non-zero initial length.
+    - mirror                    # Detects wrong mirror patterns of bytes/strings usage.
+    - misspell                  # Detects commonly misspelled English words in comments.
+    - nakedret                  # Detects uses of naked returns.
+    - nilnesserr                # Detects returning nil errors. It combines the features of nilness and nilerr,
+    - nosprintfhostport         # Detects misuse of Sprintf to construct a host with port in a URL.
+    - reassign                  # Detects reassigning a top-level variable in another package.
+    - revive                    # Metalinter; drop-in replacement for golint.
+    - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
+    - staticcheck
+    - thelper
+    - unconvert                 # Detects unnecessary type conversions.
+    - unused
+    - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
+    - wastedassign              # Detects wasted assignment statements.
+
+  disable:
+    - errcheck
+    - spancheck # FIXME
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/stretchr/testify/assert"
+              desc: Use "gotest.tools/v3/assert" instead
+            - pkg: "github.com/stretchr/testify/require"
+              desc: Use "gotest.tools/v3/assert" instead
+            - pkg: "github.com/stretchr/testify/suite"
+              desc: Do not use
+            - pkg: "github.com/containerd/containerd/pkg/userns"
+              desc: Use github.com/moby/sys/userns instead.
+            - pkg: "github.com/tonistiigi/fsutil"
+              desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+            - pkg: "github.com/hashicorp/go-multierror"
+              desc: "Use errors.Join instead"
+
+    dupword:
+      ignore:
+        - "true"    # some tests use this as expected output
+        - "false"   # some tests use this as expected output
+        - "root"    # for tests using "ls" output with files owned by "root:root"
+
+    errorlint:
+      # Check whether fmt.Errorf uses the %w verb for formatting errors.
+      # See the https://github.com/polyfloyd/go-errorlint for caveats.
+      errorf: false
+      # Check for plain type assertions and type switches.
+      asserts: false
+
+    exhaustive:
+      # Program elements to check for exhaustiveness.
+      # Default: [ switch ]
+      check:
+        - switch
+        # - map # TODO(thaJeztah): also enable for maps
+      # Presence of "default" case in switch statements satisfies exhaustiveness,
+      # even if all enum members are not listed.
+      # Default: false
+      #
+      # TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
+      default-signifies-exhaustive: true
+
+    forbidigo:
+      forbid:
+        - pkg: ^sync/atomic$
+          pattern: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
+          msg: Go 1.19 atomic types should be used instead.
+        - pkg: ^regexp$
+          pattern: ^regexp\.MustCompile
+          msg: Use daemon/internal/lazyregexp.New instead.
+        - pkg: github.com/vishvananda/netlink$
+          pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
+          msg: Use internal nlwrap package for EINTR handling.
+        - pkg: github.com/moby/moby/v2/internal/nlwrap$
+          pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
+          msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
+      analyze-types: true
+
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - appendCombine
+        - assignOp
+        - builtinShadow
+        - builtinShadowDecl
+        - captLocal
+        - commentedOutCode
+        - deferInLoop
+        - dupImport
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - evalOrder
+        - exitAfterDefer
+        - exposedSyncMutex
+        - filepathJoin
+        - hexLiteral
+        - hugeParam
+        - ifElseChain
+        - importShadow
+        - indexAlloc
+        - methodExprCall
+        - nestingReduce
+        - nilValReturn
+        - octalLiteral
+        - paramTypeCombine
+        - preferStringWriter
+        - ptrToRefParam
+        - rangeValCopy
+        - redundantSprint
+        - regexpMust
+        - regexpSimplify
+        - singleCaseSwitch
+        - sloppyReassign
+        - stringXbytes
+        - typeAssertChain
+        - typeDefFirst
+        - typeUnparen
+        - uncheckedInlineErr
+        - unlambda
+        - unnamedResult
+        - unnecessaryDefer
+        - unslice
+        - valSwap
+        - whyNoLint
+      enable-all: true
+
+    gosec:
+      excludes:
+        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
+        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
+        - G204 # G204: Subprocess launched with variable; too many false positives.
+        - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
+        - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
+        - G304 # G304: Potential file inclusion via variable.
+        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
+        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+        - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+
+    govet:
+      enable-all: true
+      disable:
+        - fieldalignment # TODO: evaluate which ones should be updated.
+
+    importas:
+      # Do not allow unaliased imports of aliased packages.
+      no-unaliased: true
+
+      alias:
+          # Enforce alias to prevent it accidentally being used instead of our
+          # own errdefs package (or vice-versa).
+        - pkg: github.com/containerd/errdefs
+          alias: cerrdefs
+        - pkg: github.com/containerd/containerd/images
+          alias: c8dimages
+        - pkg: github.com/opencontainers/image-spec/specs-go/v1
+          alias: ocispec
+        - pkg: github.com/moby/docker-image-spec/specs-go/v1
+          alias: dockerspec
+        - pkg: go.etcd.io/bbolt
+          alias: bolt
+          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
+        - pkg: gotest.tools/v3/assert/cmp
+          alias: is
+
+    nakedret:
+      # Disallow naked returns if func has more lines of code than this setting.
+      # Default: 30
+      max-func-lines: 0
+
+    revive:
+      # Only listed rules are applied
+      # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
+      rules:
+        - name: increment-decrement
+          # FIXME make sure all packages have a description. Currently, there's many packages without.
+        - name: package-comments
+          disabled: true
+        - name: redefines-builtin-id
+        - name: superfluous-else
+          arguments:
+            - preserve-scope
+        - name: use-any
+        - name: use-errors-new
+        - name: var-declaration
+
+    staticcheck:
+      checks:
+        - all
+        - -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
+        - -ST1000 # Incorrect or missing package comment; https://staticcheck.dev/docs/checks/#ST1000
+        - -ST1003 # Poorly chosen identifier; https://staticcheck.dev/docs/checks/#ST1003
+        - -ST1005 # Incorrectly formatted error string; https://staticcheck.dev/docs/checks/#ST1005
+
+    spancheck:
+      # Default: ["end"]
+      checks:
+        - end             # check that `span.End()` is called
+        - record-error    # check that `span.RecordError(err)` is called when an error is returned
+        - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
+
+    thelper:
+      test:
+        # Check *testing.T is first param (or after context.Context) of helper function.
+        first: false
+        # Check t.Helper() begins helper function.
+        begin: false
+      benchmark:
+        # Check *testing.B is first param (or after context.Context) of helper function.
+        first: false
+        # Check b.Helper() begins helper function.
+        begin: false
+      tb:
+        # Check *testing.TB is first param (or after context.Context) of helper function.
+        first: false
+        # Check *testing.TB param has name tb.
+        name: false
+        # Check tb.Helper() begins helper function.
+        begin: false
+      fuzz:
+        # Check *testing.F is first param (or after context.Context) of helper function.
+        first: false
+        # Check f.Helper() begins helper function.
+        begin: false
+
+    usestdlibvars:
+      # Suggest the use of http.MethodXX.
+      http-method: true
+      # Suggest the use of http.StatusXX.
+      http-status-code: true
+
+  exclusions:
    rules:
-      main:
-        deny:
-          - pkg: io/ioutil
-            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
-          - pkg: "github.com/stretchr/testify/assert"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/require"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/suite"
-            desc: Do not use
-          - pkg: "github.com/containerd/containerd/errdefs"
-            desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
-          - pkg: "github.com/containerd/containerd/log"
-            desc: The logs package has moved to a separate module, https://github.com/containerd/log
-          - pkg: "github.com/containerd/containerd/pkg/userns"
-            desc: Use github.com/moby/sys/userns instead.
-          - pkg: "github.com/tonistiigi/fsutil"
-            desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+        # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
+        # automatically inherited. We can decide whether or not to follow upstream
+        # defaults when updating golang-ci-lint versions.
+        # Unfortunately, this means we have to copy the whole exclusion pattern, as
+        # (unlike the "include" option), the "exclude" option does not take exclusion
+        # ID's.
+        #
+        # These exclusion patterns are copied from the default excludes at:
+        # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
+        #
+        # The default list of exclusions can be found at:
+        # https://golangci-lint.run/usage/false-positives/#default-exclusions

-  dupword:
-    ignore:
-      - "true"    # some tests use this as expected output
-      - "false"   # some tests use this as expected output
-      - "root"    # for tests using "ls" output with files owned by "root:root"
+        # Exclude some linters from running on tests files.
+      - path: _test\.go
+        linters:
+          - errcheck

-  forbidigo:
-    forbid:
-      - pkg: ^sync/atomic$
-        p: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
-        msg: Go 1.19 atomic types should be used instead.
-      - pkg: ^regexp$
-        p: ^regexp\.MustCompile
-        msg: Use internal/lazyregexp.New instead.
-      - pkg: github.com/vishvananda/netlink$
-        p: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
-        msg: Use internal nlwrap package for EINTR handling.
-      - pkg: github.com/docker/docker/internal/nlwrap$
-        p: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
-        msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
-    analyze-types: true
+      - text: "G404: Use of weak random number generator"
+        path: _test\.go
+        linters:
+          - gosec

-  gosec:
-    excludes:
-      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
-      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
-      - G204 # G204: Subprocess launched with variable; too many false positives.
-      - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
-      - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
-      - G304 # G304: Potential file inclusion via variable.
-      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-      - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+        # Suppress golint complaining about generated types in api/types/
+      - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
+        path: "api/types/(volume|container)/"
+        linters:
+          - revive

-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment # TODO: evaluate which ones should be updated.
+        # FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
+      - text: "assigned to ctx, but never used afterwards"
+        linters:
+          - wastedassign

-  importas:
-    # Do not allow unaliased imports of aliased packages.
-    no-unaliased: true
+      - text: "ineffectual assignment to ctx"
+        source: "ctx[, ].*=.*\\(ctx[,)]"
+        linters:
+          - ineffassign

-    alias:
-      # Enforce alias to prevent it accidentally being used instead of our
-      # own errdefs package (or vice-versa).
-      - pkg: github.com/containerd/errdefs
-        alias: cerrdefs
-      - pkg: github.com/containerd/containerd/images
-        alias: c8dimages
-      - pkg: github.com/opencontainers/image-spec/specs-go/v1
-        alias: ocispec
+      - text: "SA4006: this value of ctx is never used"
+        source: "ctx[, ].*=.*\\(ctx[,)]"
+        linters:
+          - staticcheck

-  revive:
-    rules:
-      # FIXME make sure all packages have a description. Currently, there's many packages without.
-      - name: package-comments
-        disabled: true
+        # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
+        # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
+      - text: 'nested context in function literal'
+        path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
+        linters:
+          - fatcontext
+
+      - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
+        linters:
+          - govet
+      - text: '^shadow: declaration of "(out)" shadows declaration'
+        path: _test\.go
+        linters:
+          - govet
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: _test\.go
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "daemon/internal/lazyregexp"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "internal/testutils"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "libnetwork/cmd/networkdb-test/dbclient"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "registry/"
+        linters:
+          - forbidigo
+
+    # Log a warning if an exclusion rule is unused.
+    # Default: false
+    warn-unused: true

 issues:
-  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
-  exclude-use-default: false
-
-  exclude-dirs:
-    - docs
-
-  exclude-rules:
-    # We prefer to use an "exclude-list" so that new "default" exclusions are not
-    # automatically inherited. We can decide whether or not to follow upstream
-    # defaults when updating golang-ci-lint versions.
-    # Unfortunately, this means we have to copy the whole exclusion pattern, as
-    # (unlike the "include" option), the "exclude" option does not take exclusion
-    # ID's.
-    #
-    # These exclusion patterns are copied from the default excludes at:
-    # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
-    #
-    # The default list of exclusions can be found at:
-    # https://golangci-lint.run/usage/false-positives/#default-exclusions
-
-    # EXC0001
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
-      linters:
-        - errcheck
-
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - errcheck
-
-    - text: "G404: Use of weak random number generator"
-      path: _test\.go
-      linters:
-        - gosec
-
-    # Suppress golint complaining about generated types in api/types/
-    - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
-      path: "api/types/(volume|container)/"
-      linters:
-        - revive
-    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
-    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
-      linters:
-        - staticcheck
-
-    - text: "ineffectual assignment to ctx"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
-      linters:
-        - ineffassign
-
-    - text: "SA4006: this value of `ctx` is never used"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
-      linters:
-        - staticcheck
-
-    - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
-      linters:
-        - govet
-    - text: '^shadow: declaration of "(out)" shadows declaration'
-      path: _test\.go
-      linters:
-        - govet
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: _test\.go
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "internal/lazyregexp"
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "libnetwork/cmd/networkdb-test/dbclient"
-      linters:
-        - forbidigo
-
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-issues-per-linter: 0

--- a/.mailmap
+++ b/.mailmap
@@ -94,6 +94,10 @@ Arnaud Rebillout <arnaud.rebillout@collabora.com>
 Arnaud Rebillout <arnaud.rebillout@collabora.com> <elboulangero@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Artur Meyster <arthurfbi@yahoo.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <55906459+austinvazquez@users.noreply.github.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <macedonv@amazon.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <austin.vazquez@docker.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -136,6 +140,7 @@ Chen Mingjie <chenmingjie0828@163.com>
 Chen Qiu <cheney-90@hotmail.com>
 Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
 Chengfei Shang <cfshang@alauda.io>
+Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
@@ -507,6 +512,7 @@ Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
 Moysés Borges <moysesb@gmail.com>
 Moysés Borges <moysesb@gmail.com> <moyses.furtado@wplex.com.br>
 mrfly <mr.wrfly@gmail.com> <wrfly@users.noreply.github.com>
+Myeongjoon Kim <kimmj8409@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Natasha Jarus <linuxmercedes@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
@@ -529,6 +535,8 @@ Ouyang Liduo <oyld0210@163.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
+Paweł Gronowski <pawel.gronowski@docker.com>
+Paweł Gronowski <pawel.gronowski@docker.com> <me@woland.xyz>
 Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
 Pawel Konczalski <mail@konczalski.de>
 Peter Choi <phkchoi89@gmail.com> <reikani@Peters-MacBook-Pro.local>
@@ -556,6 +564,8 @@ Robert Terhaar <rterhaar@atlanticdynamic.com> <robbyt@users.noreply.github.com>
 Roberto G. Hashioka <roberto.hashioka@docker.com> <roberto_hashioka@hotmail.com>
 Roberto Muñoz Fernández <robertomf@gmail.com> <roberto.munoz.fernandez.contractor@bbva.com>
 Robin Thoni <robin@rthoni.com>
+Rodrigo Campos <rodrigoca@microsoft.com>
+Rodrigo Campos <rodrigoca@microsoft.com> <rodrigo@kinvolk.io>
 Roman Dudin <katrmr@gmail.com> <decadent@users.noreply.github.com>
 Rong Zhang <rongzhang@alauda.io>
 Rongxiang Song <tinysong1226@gmail.com>
--- a/64
+++ b/64
@@ -2,7 +2,10 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.

+17neverends <ionianrise@gmail.com>
+7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
+Aarni Koskela <akx@iki.fi>
 Aaron Davidson <aaron@databricks.com>
 Aaron Feng <aaron.feng@gmail.com>
 Aaron Hnatiw <aaron@griddio.com>
@@ -11,6 +14,7 @@ Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
 Aaron Welch <welch@packet.net>
 Aaron Yoshitake <airandfingers@gmail.com>
+Abdur Rehman <abdur_rehman@mentor.com>
 Abel Muiño <amuino@gmail.com>
 Abhijeet Kasurde <akasurde@redhat.com>
 Abhinandan Prativadi <aprativadi@gmail.com>
@@ -19,14 +23,17 @@ Abhishek Chanda <abhishek.becs@gmail.com>
 Abhishek Sharma <abhishek@asharma.me>
 Abin Shahab <ashahab@altiscale.com>
 Abirdcfly <fp544037857@gmail.com>
+Abubacarr Ceesay <abubacarr671@gmail.com>
 Ada Mancini <ada@docker.com>
 Adam Avilla <aavilla@yp.com>
 Adam Dobrawy <naczelnik@jawnosc.tk>
 Adam Eijdenberg <adam.eijdenberg@gmail.com>
 Adam Kunk <adam.kunk@tiaa-cref.org>
+Adam Lamers <adam.lamers@wmsdev.pl>
 Adam Miller <admiller@redhat.com>
 Adam Mills <adam@armills.info>
 Adam Pointer <adam.pointer@skybettingandgaming.com>
+Adam Simon <adamsimon85100@gmail.com>
 Adam Singer <financeCoding@gmail.com>
 Adam Thornton <adam.thornton@maryville.com>
 Adam Walz <adam@adamwalz.net>
@@ -43,6 +50,7 @@ Adrian Mouat <adrian.mouat@gmail.com>
 Adrian Oprea <adrian@codesi.nz>
 Adrien Folie <folie.adrien@gmail.com>
 Adrien Gallouët <adrien@gallouet.fr>
+Adrien Pompée <adrien.pompee@atmosphere.aero>
 Ahmed Kamal <email.ahmedkamal@googlemail.com>
 Ahmet Alp Balkan <ahmetb@microsoft.com>
 Aidan Feldman <aidan.feldman@gmail.com>
@@ -75,6 +83,7 @@ Aleksandrs Fadins <aleks@s-ko.net>
 Alena Prokharchyk <alena@rancher.com>
 Alessandro Boch <aboch@tetrationanalytics.com>
 Alessio Biancalana <dottorblaster@gmail.com>
+Alessio Perugini <alessio@perugini.xyz>
 Alex Chan <alex@alexwlchan.net>
 Alex Chen <alexchenunix@gmail.com>
 Alex Coventry <alx@empirical.com>
@@ -119,6 +128,7 @@ amangoel <amangoel@gmail.com>
 Amen Belayneh <amenbelayneh@gmail.com>
 Ameya Gawde <agawde@mirantis.com>
 Amir Goldstein <amir73il@aquasec.com>
+AmirBuddy <badinlu.amirhossein@gmail.com>
 Amit Bakshi <ambakshi@gmail.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
@@ -164,10 +174,12 @@ Andrew Po <absourd.noise@gmail.com>
 Andrew Weiss <andrew.weiss@docker.com>
 Andrew Williams <williams.andrew@gmail.com>
 Andrews Medina <andrewsmedina@gmail.com>
+Andrey Epifanov <aepifanov@mirantis.com>
 Andrey Kolomentsev <andrey.kolomentsev@docker.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
 André Martins <aanm90@gmail.com>
+Andrés Maldonado <maldonado@codelutin.com>
 Andy Chambers <anchambers@paypal.com>
 andy diller <dillera@gmail.com>
 Andy Goldstein <agoldste@redhat.com>
@@ -182,6 +194,7 @@ Anes Hasicic <anes.hasicic@gmail.com>
 Angel Velazquez <angelcar@amazon.com>
 Anil Belur <askb23@gmail.com>
 Anil Madhavapeddy <anil@recoil.org>
+Anirudh Aithal <aithal@amazon.com>
 Ankit Jain <ajatkj@yahoo.co.in>
 Ankush Agarwal <ankushagarwal11@gmail.com>
 Anonmily <michelle@michelleliu.io>
@@ -191,6 +204,7 @@ Anthon van der Neut <anthon@mnt.org>
 Anthony Baire <Anthony.Baire@irisa.fr>
 Anthony Bishopric <git@anthonybishopric.com>
 Anthony Dahanne <anthony.dahanne@gmail.com>
+Anthony Nandaa <profnandaa@gmail.com>
 Anthony Sottile <asottile@umich.edu>
 Anton Löfgren <anton.lofgren@gmail.com>
 Anton Nikitin <anton.k.nikitin@gmail.com>
@@ -219,7 +233,8 @@ Artur Meyster <arthurfbi@yahoo.com>
 Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
-Austin Vazquez <macedonv@amazon.com>
+Ashly Mathew <ashly.mathew@sap.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
@@ -285,6 +300,7 @@ Brandon Liu <bdon@bdon.org>
 Brandon Philips <brandon.philips@coreos.com>
 Brandon Rhodes <brandon@rhodesmill.org>
 Brendan Dixon <brendand@microsoft.com>
+Brendon Smith <bws@bws.bio>
 Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Brett Higgins <brhiggins@arbor.net>
@@ -334,17 +350,20 @@ Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
 Carlos Sanchez <carlos@apache.org>
 Carol Fager-Higgins <carol.fager-higgins@docker.com>
+carsontham <carsontham@outlook.com>
 Cary <caryhartline@users.noreply.github.com>
 Casey Bisson <casey.bisson@joyent.com>
 Catalin Pirvu <pirvu.catalin94@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
+Cesar Talledo <cesar.talledo@docker.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
 Chad Swenson <chadswen@gmail.com>
 Chance Zibolski <chance.zibolski@gmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chanhun Jeong <keyolk@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
+Charity Kathure <ckathure@microsoft.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Hooper <charles.hooper@dotcloud.com>
 Charles Law <claw@conduce.com>
@@ -366,6 +385,7 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
+Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
@@ -480,6 +500,7 @@ Daniel Farrell <dfarrell@redhat.com>
 Daniel Garcia <daniel@danielgarcia.info>
 Daniel Gasienica <daniel@gasienica.ch>
 Daniel Grunwell <mwgrunny@gmail.com>
+Daniel Guns <danbguns@gmail.com>
 Daniel Helfand <helfand.4@gmail.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel J Walsh <dwalsh@redhat.com>
@@ -763,6 +784,7 @@ Frank Macreery <frank@macreery.com>
 Frank Rosquin <frank.rosquin+github@gmail.com>
 Frank Villaro-Dixon <frank.villarodixon@merkle.com>
 Frank Yang <yyb196@gmail.com>
+François Scala <github@arcenik.net>
 Fred Lifton <fred.lifton@docker.com>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederico F. de Oliveira <FreddieOliveira@users.noreply.github.com>
@@ -798,6 +820,7 @@ GennadySpb <lipenkov@gmail.com>
 Geoff Levand <geoff@infradead.org>
 Geoffrey Bachelet <grosfrais@gmail.com>
 Geon Kim <geon0250@gmail.com>
+George Adams <georgeadams1995@gmail.com>
 George Kontridze <george@bugsnag.com>
 George Ma <mayangang@outlook.com>
 George MacRorie <gmacr31@gmail.com>
@@ -826,6 +849,7 @@ Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gosuke Miyashita <gosukenator@gmail.com>
 Gou Rao <gou@portworx.com>
 Govinda Fichtner <govinda.fichtner@googlemail.com>
+Grace Choi <grace.54109@gmail.com>
 Grant Millar <rid@cylo.io>
 Grant Reaber <grant.reaber@gmail.com>
 Graydon Hoare <graydon@pobox.com>
@@ -853,6 +877,7 @@ haining.cao <haining.cao@daocloud.io>
 Hakan Özler <hakan.ozler@kodcu.com>
 Hamish Hutchings <moredhel@aoeu.me>
 Hannes Ljungberg <hannes@5monkeys.se>
+Hannes Ortmeier <ortmeier.hannes@gmail.com>
 Hans Kristian Flaatten <hans@starefossen.com>
 Hans Rødtang <hansrodtang@gmail.com>
 Hao Shu Wei <haoshuwei24@gmail.com>
@@ -872,6 +897,7 @@ heartlock <21521209@zju.edu.cn>
 Hector Castro <hectcastro@gmail.com>
 Helen Xie <chenjg@harmonycloud.cn>
 Henning Sprang <henning.sprang@gmail.com>
+Henry Wang <henwang@amazon.com>
 Hiroshi Hatake <hatake@clear-code.com>
 Hiroyuki Sasagawa <hs19870702@gmail.com>
 Hobofan <goisser94@gmail.com>
@@ -966,6 +992,7 @@ James Nugent <james@jen20.com>
 James Sanders <james3sanders@gmail.com>
 James Turnbull <james@lovedthanlost.net>
 James Watkins-Harvey <jwatkins@progi-media.com>
+Jameson Hyde <jameson.hyde@docker.com>
 Jamie Hannaford <jamie@limetree.org>
 Jamshid Afshar <jafshar@yahoo.com>
 Jan Breig <git@pygos.space>
@@ -1064,13 +1091,17 @@ Jim Perrin <jperrin@centos.org>
 Jimmy Cuadra <jimmy@jimmycuadra.com>
 Jimmy Puckett <jimmy.puckett@spinen.com>
 Jimmy Song <rootsongjc@gmail.com>
+jinjiadu <jinjiadu@aliyun.com>
 Jinsoo Park <cellpjs@gmail.com>
 Jintao Zhang <zhangjintao9020@gmail.com>
 Jiri Appl <jiria@microsoft.com>
 Jiri Popelka <jpopelka@redhat.com>
 Jiuyue Ma <majiuyue@huawei.com>
+Jiří Moravčík <jiri.moravcik@gmail.com>
 Jiří Župka <jzupka@redhat.com>
+jjimbo137 <115816493+jjimbo137@users.noreply.github.com>
 Joakim Roubert <joakim.roubert@axis.com>
+Joan Grau <grautxo.dev@proton.me>
 Joao Fernandes <joao.fernandes@docker.com>
 Joao Trindade <trindade.joao@gmail.com>
 Joe Beda <joe.github@bedafamily.com>
@@ -1155,6 +1186,7 @@ Josiah Kiehl <jkiehl@riotgames.com>
 José Tomás Albornoz <jojo@eljojo.net>
 Joyce Jang <mail@joycejang.com>
 JP <jpellerin@leapfrogonline.com>
+JSchltggr <jschltggr@gmail.com>
 Julian Taylor <jtaylor.debian@googlemail.com>
 Julien Barbier <write0@gmail.com>
 Julien Bisconti <veggiemonk@users.noreply.github.com>
@@ -1189,6 +1221,7 @@ K. Heller <pestophagous@gmail.com>
 Kai Blin <kai@samba.org>
 Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
 Kaijie Chen <chen@kaijie.org>
+Kaita Nakamura <kaita.nakamura0830@gmail.com>
 Kamil Domański <kamil@domanski.co>
 Kamjar Gerami <kami.gerami@gmail.com>
 Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
@@ -1263,6 +1296,7 @@ Krasi Georgiev <krasi@vip-consult.solutions>
 Krasimir Georgiev <support@vip-consult.co.uk>
 Kris-Mikael Krister <krismikael@protonmail.com>
 Kristian Haugene <kristian.haugene@capgemini.com>
+Kristian Heljas <kristian@kristian.ee>
 Kristina Zabunova <triara.xiii@gmail.com>
 Krystian Wojcicki <kwojcicki@sympatico.ca>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
@@ -1289,11 +1323,13 @@ Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Bernaille <laurent.bernaille@datadoghq.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Laurent Goderre <laurent.goderre@docker.com>
 Laurie Voss <github@seldo.com>
 Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
 Lee Calcote <leecalcote@gmail.com>
 Lee Chao <932819864@qq.com>
+Lee Gaines <leetgaines@gmail.com>
 Lee, Meng-Han <sunrisedm4@gmail.com>
 Lei Gong <lgong@alauda.io>
 Lei Jitang <leijitang@huawei.com>
@@ -1369,6 +1405,7 @@ Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
 Madhav Puri <madhav.puri@gmail.com>
 Madhu Venugopal <mavenugo@gmail.com>
 Mageee <fangpuyi@foxmail.com>
+maggie44 <64841595+maggie44@users.noreply.github.com>
 Mahesh Tiyyagura <tmahesh@gmail.com>
 malnick <malnick@gmail..com>
 Malte Janduda <mail@janduda.net>
@@ -1380,6 +1417,7 @@ Manuel Meurer <manuel@krautcomputing.com>
 Manuel Rüger <manuel@rueg.eu>
 Manuel Woelker <github@manuel.woelker.org>
 mapk0y <mapk0y@gmail.com>
+Marat Abrarov <abrarov@gmail.com>
 Marat Radchenko <marat@slonopotamus.org>
 Marc Abramowitz <marc@marc-abramowitz.com>
 Marc Kuo <kuomarc2@gmail.com>
@@ -1394,6 +1432,7 @@ Marcus Linke <marcus.linke@gmx.de>
 Marcus Martins <marcus@docker.com>
 Marcus Ramberg <marcus@nordaaker.com>
 Marek Goldmann <marek.goldmann@gmail.com>
+Maria Glushenok <glushenokm@gmail.com>
 Marian Marinov <mm@yuhu.biz>
 Marianna Tessel <mtesselh@gmail.com>
 Mario Loriedo <mario.loriedo@gmail.com>
@@ -1462,6 +1501,7 @@ Matthias Kühnle <git.nivoc@neverbox.com>
 Matthias Rampke <mr@soundcloud.com>
 Matthieu Fronton <m@tthieu.fr>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mattias Jernberg <nostrad@gmail.com>
 Mauricio Garavaglia <mauricio@medallia.com>
 mauriyouth <mauriyouth@gmail.com>
@@ -1476,6 +1516,7 @@ Maxime Petazzoni <max@signalfuse.com>
 Maximiliano Maccanti <maccanti@amazon.com>
 Maxwell <csuhp007@gmail.com>
 Meaglith Ma <genedna@gmail.com>
+Medhy DOHOU <52136144+PowerPixel@users.noreply.github.com>
 meejah <meejah@meejah.ca>
 Megan Kostick <mkostick@us.ibm.com>
 Mehul Kar <mehul.kar@gmail.com>
@@ -1576,9 +1617,11 @@ Moysés Borges <moysesb@gmail.com>
 mrfly <mr.wrfly@gmail.com>
 Mrunal Patel <mrunalp@gmail.com>
 Muayyad Alsadi <alsadi@gmail.com>
+Muhammad Daffa Dinaya <muhammaddaffadinaya@gmail.com>
 Muhammad Zohaib Aslam <zohaibse011@gmail.com>
 Mustafa Akın <mustafa91@gmail.com>
 Muthukumar R <muthur@gmail.com>
+Myeongjoon Kim <kimmj8409@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
 Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
 Nace Oroz <orkica@gmail.com>
@@ -1593,6 +1636,7 @@ Natasha Jarus <linuxmercedes@gmail.com>
 Nate Brennand <nate.brennand@clever.com>
 Nate Eagleson <nate@nateeag.com>
 Nate Jones <nate@endot.org>
+Nathan Baulch <nathan.baulch@gmail.com>
 Nathan Carlson <carl4403@umn.edu>
 Nathan Herald <me@nathanherald.com>
 Nathan Hsieh <hsieh.nathan@gmail.com>
@@ -1655,6 +1699,7 @@ Nuutti Kotivuori <naked@iki.fi>
 nzwsch <hi@nzwsch.com>
 O.S. Tezer <ostezer@gmail.com>
 objectified <objectified@gmail.com>
+Octol1ttle <l1ttleofficial@outlook.com>
 Odin Ugedal <odin@ugedal.com>
 Oguz Bilgic <fisyonet@gmail.com>
 Oh Jinkyun <tintypemolly@gmail.com>
@@ -1689,6 +1734,7 @@ Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
+Patrik Leifert <patrikleifert@hotmail.com>
 pattichen <craftsbear@gmail.com>
 Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
 Paul <paul9869@gmail.com>
@@ -1763,6 +1809,7 @@ Pierre Carrier <pierre@meteor.com>
 Pierre Dal-Pra <dalpra.pierre@gmail.com>
 Pierre Wacrenier <pierre.wacrenier@gmail.com>
 Pierre-Alain RIVIERE <pariviere@ippon.fr>
+pinglanlu <pinglanlu@outlook.com>
 Piotr Bogdan <ppbogdan@gmail.com>
 Piotr Karbowski <piotr.karbowski@protonmail.ch>
 Porjo <porjo38@yahoo.com.au>
@@ -1790,6 +1837,7 @@ Quentin Tayssier <qtayssier@gmail.com>
 r0n22 <cameron.regan@gmail.com>
 Rachit Sharma <rachitsharma613@gmail.com>
 Radostin Stoyanov <rstoyanov1@gmail.com>
+Rafael Fernández López <ereslibre@ereslibre.es>
 Rafal Jeczalik <rjeczalik@gmail.com>
 Rafe Colton <rafael.colton@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
@@ -1845,6 +1893,7 @@ Robert Obryk <robryk@gmail.com>
 Robert Schneider <mail@shakeme.info>
 Robert Shade <robert.shade@gmail.com>
 Robert Stern <lexandro2000@gmail.com>
+Robert Sturla <robertsturla@outlook.com>
 Robert Terhaar <rterhaar@atlanticdynamic.com>
 Robert Wallis <smilingrob@gmail.com>
 Robert Wang <robert@arctic.tw>
@@ -1856,7 +1905,7 @@ Robin Speekenbrink <robin@kingsquare.nl>
 Robin Thoni <robin@rthoni.com>
 robpc <rpcann@gmail.com>
 Rodolfo Carvalho <rhcarvalho@gmail.com>
-Rodrigo Campos <rodrigo@kinvolk.io>
+Rodrigo Campos <rodrigoca@microsoft.com>
 Rodrigo Vaz <rodrigo.vaz@gmail.com>
 Roel Van Nyen <roel.vannyen@gmail.com>
 Roger Peppe <rogpeppe@gmail.com>
@@ -1988,13 +2037,16 @@ Sergey Alekseev <sergey.alekseev.minsk@gmail.com>
 Sergey Evstifeev <sergey.evstifeev@gmail.com>
 Sergii Kabashniuk <skabashnyuk@codenvy.com>
 Sergio Lopez <slp@redhat.com>
+Serhan Tutar <randomnoise@users.noreply.github.com>
 Serhat Gülçiçek <serhat25@gmail.com>
 Serhii Nakon <serhii.n@thescimus.com>
 SeungUkLee <lsy931106@gmail.com>
 Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
 Shane da Silva <shane@dasilva.io>
+Shang Mu <smu@princeton.edu>
 Shaun Kaasten <shaunk@gmail.com>
+Shaun Thompson <shaun.thompson@docker.com>
 shaunol <shaunol@gmail.com>
 Shawn Landden <shawn@churchofgit.com>
 Shawn Siefkas <shawn.siefkas@meredith.com>
@@ -2013,6 +2065,7 @@ Shijun Qin <qinshijun16@mails.ucas.ac.cn>
 Shishir Mahajan <shishir.mahajan@redhat.com>
 Shoubhik Bose <sbose78@gmail.com>
 Shourya Sarcar <shourya.sarcar@gmail.com>
+Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
 Shu-Wai Chow <shu-wai.chow@seattlechildrens.org>
 shuai-z <zs.broccoli@gmail.com>
 Shukui Yang <yangshukui@huawei.com>
@@ -2083,6 +2136,7 @@ Stéphane Este-Gracias <sestegra@gmail.com>
 Stig Larsson <stig@larsson.dev>
 Su Wang <su.wang@docker.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
+Sudheendra Gopinath <sudheendra.gopinath@amd.com>
 Sujith Haridasan <sujith.h@gmail.com>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
@@ -2100,6 +2154,7 @@ Sébastien Stormacq <sebsto@users.noreply.github.com>
 Sören Tempel <soeren+git@soeren-tempel.net>
 Tabakhase <mail@tabakhase.com>
 Tadej Janež <tadej.j@nez.si>
+Tadeusz Dudkiewicz <tadeusz.dudkiewicz@rtbhouse.com>
 Takuto Sato <tockn.jp@gmail.com>
 tang0th <tang0th@gmx.com>
 Tangi Colin <tangicolin@gmail.com>
@@ -2107,6 +2162,7 @@ Tatsuki Sugiura <sugi@nemui.org>
 Tatsushi Inagaki <e29253@jp.ibm.com>
 Taylan Isikdemir <taylani@google.com>
 Taylor Jones <monitorjbl@gmail.com>
+tcpdumppy <847462026@qq.com>
 Ted M. Young <tedyoung@gmail.com>
 Tehmasp Chaudhri <tehmasp@gmail.com>
 Tejaswini Duggaraju <naduggar@microsoft.com>
@@ -2137,6 +2193,7 @@ Thomas Tanaka <thomas.tanaka@oracle.com>
 Thomas Texier <sharkone@en-mousse.org>
 Ti Zhou <tizhou1986@gmail.com>
 Tiago Seabra <tlgs@users.noreply.github.com>
+Tiago Teixeira <tiago.teixeira@ecorobotix.com>
 Tianon Gravi <admwiggin@gmail.com>
 Tianyi Wang <capkurmagati@gmail.com>
 Tibor Vass <teabee89@gmail.com>
@@ -2237,6 +2294,7 @@ Valentin Kulesh <valentin.kulesh@virtuozzo.com>
 vanderliang <lansheng@meili-inc.com>
 Velko Ivanov <vivanov@deeperplane.com>
 Veres Lajos <vlajos@gmail.com>
+Viacheslav Gagara <viacheslavg@gmail.com>
 Victor Algaze <valgaze@gmail.com>
 Victor Coisne <victor.coisne@dotcloud.com>
 Victor Costan <costan@gmail.com>
@@ -2391,6 +2449,7 @@ You-Sheng Yang (楊有勝) <vicamo@gmail.com>
 youcai <omegacoleman@gmail.com>
 Youcef YEKHLEF <yyekhlef@gmail.com>
 Youfu Zhang <zhangyoufu@gmail.com>
+YR Chen <stevapple@icloud.com>
 Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
@@ -2452,5 +2511,6 @@ Zunayed Ali <zunayed@gmail.com>
 徐俊杰 <paco.xu@daocloud.io>
 慕陶 <jihui.xjh@alibaba-inc.com>
 搏通 <yufeng.pyf@alibaba-inc.com>
+纯真 <38834411+chunzhennn@users.noreply.github.com>
 黄艳红00139573 <huang.yanhong@zte.com.cn>
 정재영 <jjy600901@gmail.com>
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -83,6 +83,39 @@ contributions, see [the advanced contribution
 section](https://docs.docker.com/opensource/workflow/advanced-contributing/) in
 the contributors guide.

+### Where to put your changes
+
+You can make changes to any Go package within Moby outside of the vendor directory. There are no
+restrictions on packages but a few guidelines to follow for deciding on making these changes.
+When adding new packages, first consider putting them in an internal directory to prevent
+unintended importing from other modules. Code changes should either go under `api`, `client`,
+or `daemon` modules, or one of the integration test directories.
+
+Try to put a new package under the appropriate directories. The root directory is reserved for
+configuration and build files, no source files will be accepted in the root.
+
+- `api` - All types shared by client and daemon along with swagger definitions.
+- `client` - All Go files for the docker client
+- `contrib` - Files, configurations, and packages related to external tools or libraries
+- `daemon` - All Go files and packages for building the daemon
+- `docs` - All Moby technical documentation using markdown
+- `hack` - All scripts used for testing, development, and CI
+- `integration` - Testing the integration of the API, client, and daemon
+- `integration-cli` - Deprecated integration tests of the docker cli with the daemon, no new tests allowed
+- `pkg` - Legacy Go packages used externally, no new packages should be added here
+- `project` - All files related to Moby project governance
+- `vendor` - Autogenerated vendor files from `make vendor` command, do not manually edit files here
+
+The daemon module has many subpackages. Consider putting new packages under one of these
+directories.
+
+- `daemon/cmd` - All Go main packages and the packages used only for that main package
+- `daemon/internal` - All utility packages used by daemon and not intended for external use
+- `daemon/man`- All Moby reference manuals used for the `man` command
+- `daemon/plugins` - All included daemon plugins which are intended to be registered via init
+- `daemon/pkg` - All libraries used by daemon and for integration testing
+- `daemon/version` - Version package with the current daemon version
+
 ### Connect with other Moby Project contributors

 <table class="tg">
--- a/191
+++ b/191
@@ -1,19 +1,30 @@
-# syntax=docker/dockerfile:1.7
+# syntax=docker/dockerfile:1

-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.25.2
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.6.1

-ARG VPNKIT_VERSION=0.5.0
+# XX_VERSION specifies the version of the xx utility to use.
+# It must be a valid tag in the docker.io/tonistiigi/xx image repository.
+ARG XX_VERSION=1.7.0

+# VPNKIT_VERSION is the version of the vpnkit binary which is used as a fallback
+# network driver for rootless.
+ARG VPNKIT_VERSION=0.6.0
+
+# DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
+ARG DOCKERCLI_VERSION=v28.5.0
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_VERSION=v27.5.0
+
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
-ARG BUILDX_VERSION=0.20.0
-ARG COMPOSE_VERSION=v2.32.4
+ARG DOCKERCLI_INTEGRATION_VERSION=v18.06.3-ce
+
+# BUILDX_VERSION is the version of buildx to install in the dev container.
+ARG BUILDX_VERSION=0.29.1
+
+# COMPOSE_VERSION is the version of compose to install in the dev container.
+ARG COMPOSE_VERSION=v2.40.0

 ARG SYSTEMD="false"
 ARG FIREWALLD="false"
@@ -23,11 +34,16 @@ ARG DOCKER_STATIC=1
 # https://hub.docker.com/r/distribution/distribution. This version of
 # the registry is used to test schema 2 manifests. Generally,  the version
 # specified here should match a current release.
-ARG REGISTRY_VERSION=3.0.0-rc.1
+ARG REGISTRY_VERSION=3.0.0

 # delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
-ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64}
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel.go#L1
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel_linux.go#L1
+#
+# ppc64le support was added in v1.21.1, but is still experimental, and requires
+# the "-tags exp.linuxppc64le" build-tag to be set:
+# https://github.com/go-delve/delve/commit/71f12207175a1cc09668f856340d8a543c87dcca
+ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/ppc64le}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:+"unsupported"}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:-"supported"}

@@ -44,9 +60,13 @@ COPY --from=build-dummy /build /build
 # base
 FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
 COPY --from=xx / /
+# Disable collecting local telemetry, as collected by Go and Delve;
+#
+# - https://github.com/go-delve/delve/blob/v1.24.1/CHANGELOG.md#1231-2024-09-23
+# - https://go.dev/doc/telemetry#background
+RUN go telemetry off && [ "$(go telemetry)" = "off" ] || { echo "Failed to disable Go telemetry"; exit 1; }
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN apt-get update && apt-get install --no-install-recommends -y file
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 FROM base AS criu
@@ -60,62 +80,22 @@ RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
        && /build/criu --version

 # registry
-FROM base AS registry-src
-WORKDIR /usr/src/registry
-RUN git init . && git remote add origin "https://github.com/distribution/distribution.git"
-
-FROM base AS registry
-WORKDIR /go/src/github.com/docker/distribution
-
-# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
-# install from the https://github.com/docker/distribution repository. This is
-# an older (pre v2.3.0) version of the registry that only supports schema1
-# manifests. This version of the registry is not working on arm64, so installation
-# is skipped on that architecture.
-ARG REGISTRY_VERSION_SCHEMA1=v2.1.0
-ARG TARGETPLATFORM
-RUN --mount=from=registry-src,src=/usr/src/registry,rw \
-    --mount=type=cache,target=/root/.cache/go-build,id=registry-build-$TARGETPLATFORM \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=tmpfs,target=/go/src <<EOT
-  set -ex
-  export GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"
-  # Make the /build directory no matter what so that it doesn't fail on arm64 or
-  # any other platform where we don't build this registry
-  mkdir /build
-  case $TARGETPLATFORM in
-    linux/amd64|linux/arm/v7|linux/ppc64le|linux/s390x)
-      git fetch -q --depth 1 origin "${REGISTRY_VERSION_SCHEMA1}" +refs/tags/*:refs/tags/*
-      git checkout -q FETCH_HEAD
-      CGO_ENABLED=0 xx-go build -o /build/registry-v2-schema1 -v ./cmd/registry
-      xx-verify /build/registry-v2-schema1
-      ;;
-  esac
-EOT
-
-FROM distribution/distribution:$REGISTRY_VERSION AS registry-v2
-RUN mkdir /build && mv /bin/registry /build/registry-v2
+FROM distribution/distribution:$REGISTRY_VERSION AS registry
+RUN mkdir /build && mv /bin/registry /build/registry

 # go-swagger
-FROM base AS swagger-src
-WORKDIR /usr/src/swagger
-# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
-# TODO: move to under moby/ or fix upstream go-swagger to work for us.
-RUN git init . && git remote add origin "https://github.com/kolyshkin/go-swagger.git"
-# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
-# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
-ARG GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
-RUN git fetch -q --depth 1 origin "${GO_SWAGGER_COMMIT}" && git checkout -q FETCH_HEAD
-
 FROM base AS swagger
 WORKDIR /go/src/github.com/go-swagger/go-swagger
 ARG TARGETPLATFORM
-RUN --mount=from=swagger-src,src=/usr/src/swagger,rw \
-    --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
+# GO_SWAGGER_VERSION specifies the version of the go-swagger binary to install.
+# Go-swagger is used in CI for generating types from swagger.yaml in
+# hack/validate/swagger-gen
+ARG GO_SWAGGER_VERSION=v0.33.1
+RUN --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ <<EOT
  set -e
-  xx-go build -o /build/swagger ./cmd/swagger
+  GOBIN=/build CGO_ENABLED=0 xx-go install "github.com/go-swagger/go-swagger/cmd/swagger@${GO_SWAGGER_VERSION}"
  xx-verify /build/swagger
 EOT

@@ -136,7 +116,7 @@ ARG TARGETVARIANT
 RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
-        debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
+        debian:trixie-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 \
        hello-world:amd64@sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 \
@@ -150,7 +130,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.23.0
+ARG DELVE_VERSION=v1.25.0
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS delve-supported
@@ -160,32 +140,19 @@ RUN --mount=from=delve-src,src=/usr/src/delve,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=delve-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod <<EOT
  set -e
-  GO111MODULE=on xx-go build -o /build/dlv ./cmd/dlv
+  xx-go build -o /build/dlv ./cmd/dlv
  xx-verify /build/dlv
 EOT

 FROM binary-dummy AS delve-unsupported
 FROM delve-${DELVE_SUPPORTED} AS delve

-FROM base AS tomll
-# GOTOML_VERSION specifies the version of the tomll binary to build and install
-# from the https://github.com/pelletier/go-toml repository. This binary is used
-# in CI in the hack/validate/toml script.
-#
-# When updating this version, consider updating the github.com/pelletier/go-toml
-# dependency in vendor.mod accordingly.
-ARG GOTOML_VERSION=v1.8.1
-RUN --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
-     && /build/tomll --help
-
 FROM base AS gowinres
 # GOWINRES_VERSION defines go-winres tool version
 ARG GOWINRES_VERSION=v0.3.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
     && /build/go-winres --help

 # containerd
@@ -195,11 +162,8 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # CONTAINERD_VERSION is used to build containerd binaries, and used for the
 # integration tests. The distributed docker .deb and .rpm packages depend on a
 # separate (containerd.io) package, which may be a different version as is
-# specified here. The containerd golang package is also pinned in vendor.mod.
-# When updating the binary version you may also need to update the vendor
-# version to pick up bug fixes or new APIs, however, usually the Go packages
-# are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.25
+# specified here.
+ARG CONTAINERD_VERSION=v1.7.28
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -230,30 +194,31 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd

 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.62.0
+ARG GOLANGCI_LINT_VERSION=v2.1.5
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

 FROM base AS gotestsum
-ARG GOTESTSUM_VERSION=v1.8.2
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.13.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
     && /build/gotestsum --version

 FROM base AS shfmt
 ARG SHFMT_VERSION=v3.8.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
     && /build/shfmt --version

 FROM base AS gopls
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "golang.org/x/tools/gopls@latest" \
+        GOBIN=/build CGO_ENABLED=0 go install "golang.org/x/tools/gopls@latest" \
     && /build/gopls version

 FROM base AS dockercli
@@ -287,9 +252,8 @@ WORKDIR /usr/src/runc
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
 # RUNC_VERSION should match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged. When updating RUNC_VERSION,
-# consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.4
+# project first, and update both after that is merged.
+ARG RUNC_VERSION=v1.3.0
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -356,8 +320,8 @@ FROM tini-${TARGETOS} AS tini
 FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
-# When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
-ARG ROOTLESSKIT_VERSION=v2.3.2
+# When updating, also update go.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
+ARG ROOTLESSKIT_VERSION=v2.3.5
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
@@ -369,7 +333,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib
            gcc \
            libc6-dev \
            pkg-config
-ENV GO111MODULE=on
 ARG DOCKER_STATIC
 RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
    --mount=type=cache,target=/go/pkg/mod \
@@ -387,7 +350,8 @@ FROM binary-dummy AS rootlesskit-windows
 FROM rootlesskit-${TARGETOS} AS rootlesskit

 FROM base AS crun
-ARG CRUN_VERSION=1.12
+# CRUN_VERSION is the version of crun to install in the dev-container.
+ARG CRUN_VERSION=1.21
 RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
@@ -418,8 +382,8 @@ FROM scratch AS vpnkit-linux-arm
 FROM scratch AS vpnkit-linux-ppc64le
 FROM scratch AS vpnkit-linux-riscv64
 FROM scratch AS vpnkit-linux-s390x
-FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-amd64
-FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-arm64
+FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-amd64
+FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-arm64
 FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux
 FROM vpnkit-${TARGETOS} AS vpnkit

@@ -451,18 +415,16 @@ FROM binary-dummy AS containerutil-linux
 FROM containerutil-build AS containerutil-windows-amd64
 FROM containerutil-windows-${TARGETARCH} AS containerutil-windows
 FROM containerutil-${TARGETOS} AS containerutil
-FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
-FROM docker/compose-bin:${COMPOSE_VERSION} as compose
+FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
+FROM docker/compose-bin:${COMPOSE_VERSION} AS compose

 FROM base AS dev-systemd-false
 COPY --link --from=frozen-images /build/ /docker-frozen-images
 COPY --link --from=swagger       /build/ /usr/local/bin/
 COPY --link --from=delve         /build/ /usr/local/bin/
-COPY --link --from=tomll         /build/ /usr/local/bin/
 COPY --link --from=gowinres      /build/ /usr/local/bin/
 COPY --link --from=tini          /build/ /usr/local/bin/
 COPY --link --from=registry      /build/ /usr/local/bin/
-COPY --link --from=registry-v2   /build/ /usr/local/bin/

 # Skip the CRIU stage for now, as the opensuse package repository is sometimes
 # unstable, and we're currently not using it in CI.
@@ -509,7 +471,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            firewalld
-RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf

 FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
@@ -532,15 +493,19 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            apparmor \
            bash-completion \
            bzip2 \
+            fuse-overlayfs \
            inetutils-ping \
            iproute2 \
            iptables \
+            nftables \
            jq \
            libcap2-bin \
            libnet1 \
+            libnftables-dev \
            libnl-3-200 \
            libprotobuf-c1 \
            libyajl2 \
+            nano \
            net-tools \
            netcat-openbsd \
            patch \
@@ -555,11 +520,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            xz-utils \
            zip \
            zstd
-# Switch to use iptables instead of nftables (to match the CI hosts)
-# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
-RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
- && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
- && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
 RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
@@ -575,20 +535,21 @@ COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration
 FROM base AS build
 COPY --from=gowinres /build/ /usr/local/bin/
 WORKDIR /go/src/github.com/docker/docker
-ENV GO111MODULE=off
 ENV CGO_ENABLED=1
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            clang \
            lld \
-            llvm
+            llvm \
+            icoutils
 ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        xx-apt-get install --no-install-recommends -y \
            gcc \
            libc6-dev \
+            libnftables-dev \
            libseccomp-dev \
            libsystemd-dev \
            pkg-config
@@ -612,7 +573,6 @@ RUN <<EOT
  fi
 EOT
 RUN --mount=type=bind,target=.,rw \
-    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
  set -e
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
@@ -647,7 +607,7 @@ COPY --link --from=build         /build  /
 # smoke tests
 # usage:
 # > docker buildx bake binary-smoketest
-FROM --platform=$TARGETPLATFORM base AS smoketest
+FROM base AS smoketest
 WORKDIR /usr/local/bin
 COPY --from=build /build .
 RUN <<EOT
@@ -663,6 +623,15 @@ FROM dev-base AS devcontainer
 COPY --link . .
 COPY --link --from=gopls         /build/ /usr/local/bin/

+# usage:
+# > docker buildx bake dind
+# > docker run -d --restart always --privileged --name devdind -p 12375:2375 docker-dind --debug --host=tcp://0.0.0.0:2375 --tlsverify=false
+FROM docker:dind AS dind
+COPY --link --from=dockercli /build/docker /usr/local/bin/
+COPY --link --from=buildx    /buildx /usr/local/libexec/docker/cli-plugins/docker-buildx
+COPY --link --from=compose   /docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose
+COPY --link --from=all       / /usr/local/bin/
+
 # usage:
 # > make shell
 # > SYSTEMD=true make shell
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,18 +5,17 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.25.2

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

 FROM ${GOLANG_IMAGE}
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 # Compile and runtime deps
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#build-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
 		build-essential \
 		curl \
@@ -35,10 +34,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 		vim-common \
 	&& rm -rf /var/lib/apt/lists/*

-# Install runc, containerd, tini and docker-proxy
+# Install runc, containerd, and tini
 # Please edit hack/dockerfile/install/<name>.installer to update them.
 COPY hack/dockerfile/install hack/dockerfile/install
-RUN for i in runc containerd tini proxy dockercli; \
+RUN set -e; for i in runc containerd tini dockercli; \
 		do hack/dockerfile/install/install.sh $i; \
 	done
 ENV PATH=/usr/local/cli:$PATH
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,10 +161,14 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.23.6
-ARG GOTESTSUM_VERSION=v1.8.2
-ARG GOWINRES_VERSION=v0.3.1
-ARG CONTAINERD_VERSION=v1.7.25
+ARG GO_VERSION=1.25.2
+
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.13.0
+
+# GOWINRES_VERSION is the version of go-winres to install.
+ARG GOWINRES_VERSION=v0.3.3
+ARG CONTAINERD_VERSION=v1.7.28

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -174,7 +178,6 @@ ENV GO_VERSION=${GO_VERSION} `
    CONTAINERD_VERSION=${CONTAINERD_VERSION} `
    GIT_VERSION=2.11.1 `
    GOPATH=C:\gopath `
-    GO111MODULE=off `
    GOTOOLCHAIN=local `
    FROM_DOCKERFILE=1 `
    GOTESTSUM_VERSION=${GOTESTSUM_VERSION} `
@@ -255,14 +258,11 @@ RUN `
  Remove-Item C:\gitsetup.zip; `
  `
  Write-Host INFO: Downloading containerd; `
-  Install-Package -Force 7Zip4PowerShell; `
  $location='https://github.com/containerd/containerd/releases/download/'+$Env:CONTAINERD_VERSION+'/containerd-'+$Env:CONTAINERD_VERSION.TrimStart('v')+'-windows-amd64.tar.gz'; `
  Download-File $location C:\containerd.tar.gz; `
  New-Item -Path C:\containerd -ItemType Directory; `
-  Expand-7Zip C:\containerd.tar.gz C:\; `
-  Expand-7Zip C:\containerd.tar C:\containerd; `
+  tar -xzf C:\containerd.tar.gz -C C:\containerd; `
  Remove-Item C:\containerd.tar.gz; `
-  Remove-Item C:\containerd.tar; `
  `
  # Ensure all directories exist that we will require below....
  $srcDir = """$Env:GOPATH`\src\github.com\docker\docker\bundles"""; `
@@ -274,13 +274,11 @@ RUN `

 RUN `
  Function Install-GoTestSum() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
    &go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"gotestsum install failed..."'; `
    } `
@@ -290,13 +288,11 @@ RUN `

 RUN `
  Function Install-GoWinres() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing go-winres version $Env:GOWINRES_VERSION in $Env:GOBIN"; `
    &go install "github.com/tc-hib/go-winres@${Env:GOWINRES_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"go-winres install failed..."'; `
    } `
--- a/622
+++ b/622
@@ -1,597 +1,33 @@
 # Moby maintainers file
 #
-# This file describes the maintainer groups within the moby/moby project.
-# More detail on Moby project governance is available in the
-# project/GOVERNANCE.md file found in this repository.
+# See project/GOVERNANCE.md for committer versus reviewer roles
 #
-# It is structured to be consumable by both humans and programs.
-# To extract its contents programmatically, use any TOML-compliant
-# parser.
+# COMMITTERS
+# GitHub ID, Name, Email address, GPG fingerprint
+"akerouanton","Albin Kerouanton","albinker@gmail.com"
+"AkihiroSuda","Akihiro Suda","akihiro.suda.cz@hco.ntt.co.jp"
+"austinvazquez","Austin Vazquez","austin.vazquez.dev@gmail.com"
+"corhere","Cory Snider","csnider@mirantis.com"
+"cpuguy83","Brian Goff","cpuguy83@gmail.com"
+"robmry","Rob Murray","rob.murray@docker.com"
+"thaJeztah","Sebastiaan van Stijn","github@gone.nl"
+"tianon","Tianon Gravi","admwiggin@gmail.com"
+"tonistiigi","Tõnis Tiigi","tonis@docker.com"
+"vvoland","Paweł Gronowski","pawel.gronowski@docker.com"
 #
-# TODO(estesp): This file should not necessarily depend on docker/opensource
-# This file is compiled into the MAINTAINERS file in docker/opensource.
-#
-[Org]
-
-	[Org."Core maintainers"]
-
-	# The Core maintainers are the ghostbusters of the project: when there's a problem others
-	# can't solve, they show up and fix it with bizarre devices and weaponry.
-	# They have final say on technical implementation and coding style.
-	# They are ultimately responsible for quality in all its forms: usability polish,
-	# bugfixes, performance, stability, etc. When ownership  can cleanly be passed to
-	# a subsystem, they are responsible for doing so and holding the
-	# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
-
-		people = [
-			"akerouanton",
-			"akihirosuda",
-			"anusha",
-			"austinvazquez",
-			"coolljt0725",
-			"corhere",
-			"cpuguy83",
-			"crazy-max",
-			"estesp",
-			"johnstep",
-			"justincormack",
-			"kolyshkin",
-			"laurazard",
-			"mhbauer",
-			"neersighted",
-			"robmry",
-			"rumpl",
-			"runcom",
-			"samuelkarp",
-			"stevvooe",
-			"thajeztah",
-			"tianon",
-			"tibor",
-			"tonistiigi",
-			"unclejack",
-			"vdemeester",
-			"vieux",
-			"vvoland",
-			"yongtang"
-		]
-
-	[Org.Curators]
-
-	# The curators help ensure that incoming issues and pull requests are properly triaged and
-	# that our various contribution and reviewing processes are respected. With their knowledge of
-	# the repository activity, they can also guide contributors to relevant material or
-	# discussions.
-	#
-	# They are neither code nor docs reviewers, so they are never expected to merge. They can
-	# however:
-	# - close an issue or pull request when it's an exact duplicate
-	# - close an issue or pull request when it's inappropriate or off-topic
-
-		people = [
-			"alexellis",
-			"andrewhsu",
-			"bsousaa",
-			"dmcgowan",
-			"fntlnz",
-			"gianarb",
-			"olljanat",
-			"programmerq",
-			"ripcurld",
-			"sam-thibault",
-			"samwhited",
-			"thajeztah",
-			"thompson-shaun",
-		]
-
-	[Org.Alumni]
-
-	# This list contains maintainers that are no longer active on the project.
-	# It is thanks to these people that the project has become what it is today.
-	# Thank you!
-
-		people = [
-			# Aaron Lehmann was a maintainer for swarmkit, the registry, and the engine,
-			# and contributed many improvements, features, and bugfixes in those areas,
-			# among which "automated service rollbacks", templated secrets and configs,
-			# and resumable image layer downloads.
-			"aaronlehmann",
-
-			# Harald Albers is the mastermind behind the bash completion scripts for the
-			# Docker CLI. The completion scripts moved to the Docker CLI repository, so
-			# you can now find him perform his magic in the https://github.com/docker/cli repository.
-			"albers",
-
-			# Andrea Luzzardi started contributing to the Docker codebase in the "dotCloud"
-			# era, even before it was called "Docker". He is one of the architects of both
-			# Swarm and SwarmKit, and its integration into the Docker engine.
-			"aluzzardi",
-			
-			# David Calavera contributed many features to Docker, such as an improved
-			# event system, dynamic configuration reloading, volume plugins, fancy
-			# new templating options, and an external client credential store. As a
-			# maintainer, David was release captain for Docker 1.8, and competing
-			# with Jess Frazelle to be "top dream killer".
-			# David is now doing amazing stuff as CTO for https://www.netlify.com,
-			# and tweets as @calavera.
-			"calavera",
-
-			# Michael Crosby was "chief maintainer" of the Docker project.
-			# During his time as a maintainer, Michael contributed to many
-			# milestones of the project; he was release captain of Docker v1.0.0,
-			# started the development of "libcontainer" (what later became runc)
-			# and containerd, as well as demoing cool hacks such as live migrating
-			# a game server container with checkpoint/restore.
-			#
-			# Michael is currently a maintainer of containerd, but you may see
-			# him around in other projects on GitHub.
-			"crosbymichael",
-
-			# Before becoming a maintainer, Daniel Nephin was a core contributor
-			# to "Fig" (now known as Docker Compose). As a maintainer for both the
-			# Engine and Docker CLI, Daniel contributed many features, among which
-			# the `docker stack` commands, allowing users to deploy their Docker
-			# Compose projects as a Swarm service.
-			"dnephin",
-
-			# Doug Davis contributed many features and fixes for the classic builder,
-			# such as "wildcard" copy, the dockerignore file, custom paths/names
-			# for the Dockerfile, as well as enhancements to the API and documentation.
-			# Follow Doug on Twitter, where he tweets as @duginabox.
-			"duglin",
-
-			# As a maintainer, Erik was responsible for the "builder", and
-			# started the first designs for the new networking model in
-			# Docker. Erik is now working on all kinds of plugins for Docker
-			# (https://github.com/contiv) and various open source projects
-			# in his own repository https://github.com/erikh. You may
-			# still stumble into him in our issue tracker, or on IRC.
-			"erikh",
-
-			# Evan Hazlett is the creator of the Shipyard and Interlock open source projects,
-			# and the author of "Orca", which became the foundation of Docker Universal Control
-			# Plane (UCP). As a maintainer, Evan helped integrating SwarmKit (secrets, tasks)
-			# into the Docker engine.
-			"ehazlett",
-
-			# Arnaud Porterie (AKA "icecrime") was in charge of maintaining the maintainers.
-			# As a maintainer, he made life easier for contributors to the Docker open-source
-			# projects, bringing order in the chaos by designing a triage- and review workflow
-			# using labels (see https://icecrime.net/technology/a-structured-approach-to-labeling/),
-			# and automating the hell out of things with his buddies GordonTheTurtle and Poule
-			# (a chicken!).
-			# 
-			# A lesser-known fact is that he created the first commit in the libnetwork repository
-			# even though he didn't know anything about it. Some say, he's now selling stuff on
-			# the internet ;-)
-			"icecrime",
-
-			# After a false start with his first PR being rejected, James Turnbull became a frequent
-			# contributor to the documentation, and became a docs maintainer on December 5, 2013. As
-			# a maintainer, James lifted the docs to a higher standard, and introduced the community
-			# guidelines ("three strikes"). James is currently changing the world as CTO of https://www.empatico.org,
-			# meanwhile authoring various books that are worth checking out. You can find him on Twitter,
-			# rambling as @kartar, and although no longer active as a maintainer, he's always "game" to
-			# help out reviewing docs PRs, so you may still see him around in the repository.
-			"jamtur01",
-
-			# Jessica Frazelle, also known as the "Keyser Söze of containers",
-			# runs *everything* in containers. She started contributing to
-			# Docker with a (fun fun) change involving both iptables and regular
-			# expressions (coz, YOLO!) on July 10, 2014
-			# https://github.com/docker/docker/pull/6950/commits/f3a68ffa390fb851115c77783fa4031f1d3b2995.
-			# Jess was Release Captain for Docker 1.4, 1.6 and 1.7, and contributed
-			# many features and improvement, among which "seccomp profiles" (making
-			# containers a lot more secure). Besides being a maintainer, she
-			# set up the CI infrastructure for the project, giving everyone
-			# something to shout at if a PR failed ("noooo Janky!").
-			# Be sure you don't miss her talks at a conference near you (a must-see),
-			# read her blog at https://blog.jessfraz.com (a must-read), and
-			# check out her open source projects on GitHub https://github.com/jessfraz (a must-try).
-			"jessfraz",
-
-			# As a maintainer, John Howard managed to make the impossible possible;
-			# to run Docker on Windows. After facing many challenges, teaching
-			# fellow-maintainers that 'Windows is not Linux', and many changes in
-			# Windows Server to facilitate containers, native Windows containers
-			# saw the light of day in 2015.
-			#
-			# John is now enjoying life without containers: playing piano, painting,
-			# and walking his dogs, but you may occasionally see him drop by on GitHub.
-			"lowenna",
-
-			# Alexander Morozov contributed many features to Docker, worked on the premise of 
-			# what later became containerd (and worked on that too), and made a "stupid" Go
-			# vendor tool specifically for docker/docker needs: vndr (https://github.com/LK4D4/vndr).
-			# Not many know that Alexander is a master negotiator, being able to change course
-			# of action with a single "Nope, we're not gonna do that".
-			"lk4d4",
-
-			# Madhu Venugopal was part of the SocketPlane team that joined Docker.
-			# As a maintainer, he was working with Jana for the Container Network
-			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
-			# Swarm mode networking.
-			"mavenugo",
-
-			# As a maintainer, Kenfe-Mickaël Laventure worked on the container runtime,
-			# integrating containerd 1.0 with the daemon, and adding support for custom
-			# OCI runtimes, as well as implementing the `docker prune` subcommands,
-			# which was a welcome feature to be added. You can keep up with Mickaél on
-			# Twitter (@kmlaventure).
-			"mlaventure",
-
-			# As a docs maintainer, Mary Anthony contributed greatly to the Docker
-			# docs. She wrote the Docker Contributor Guide and Getting Started
-			# Guides. She helped create a doc build system independent of
-			# docker/docker project, and implemented a new docs.docker.com theme and
-			# nav for 2015 Dockercon. Fun fact: the most inherited layer in DockerHub
-			# public repositories was originally referenced in
-			# maryatdocker/docker-whale back in May 2015.
-			"moxiegirl",
-
-			# Jana Radhakrishnan was part of the SocketPlane team that joined Docker.
-			# As a maintainer, he was the lead architect for the Container Network
-			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
-			# Swarm mode networking.
-			#
-			# Jana started new adventures in networking, but you can find him tweeting as @mrjana,
-			# coding on GitHub https://github.com/mrjana, and he may be hiding on the Docker Community
-			# slack channel :-)
-			"mrjana",
-
-			# Sven Dowideit became a well known person in the Docker ecosphere, building
-			# boot2docker, and became a regular contributor to the project, starting as
-			# early as October 2013 (https://github.com/docker/docker/pull/2119), to become
-			# a maintainer less than two months later (https://github.com/docker/docker/pull/3061).
-			#
-			# As a maintainer, Sven took on the task to convert the documentation from
-			# ReStructuredText to Markdown, migrate to Hugo for generating the docs, and
-			# writing tooling for building, testing, and publishing them.
-			#
-			# If you're not in the occasion to visit "the Australian office", you
-			# can keep up with Sven on Twitter (@SvenDowideit), his blog http://fosiki.com,
-			# and of course on GitHub.
-			"sven",
-
-			# Vincent "vbatts!" Batts made his first contribution to the project
-			# in November 2013, to become a maintainer a few months later, on
-			# May 10, 2014 (https://github.com/docker/docker/commit/d6e666a87a01a5634c250358a94c814bf26cb778).
-			# As a maintainer, Vincent made important contributions to core elements
-			# of Docker, such as "distribution" (tarsum) and graphdrivers (btrfs, devicemapper).
-			# He also contributed the "tar-split" library, an important element
-			# for the content-addressable store.
-			# Vincent is currently a member of the Open Containers Initiative
-			# Technical Oversight Board (TOB), besides his work at Red Hat and
-			# Project Atomic. You can still find him regularly hanging out in
-			# our repository and the #docker-dev and #docker-maintainers IRC channels
-			# for a chat, as he's always a lot of fun.
-			"vbatts",
-
-			# Vishnu became a maintainer to help out on the daemon codebase and
-			# libcontainer integration. He's currently involved in the
-			# Open Containers Initiative, working on the specifications,
-			# besides his work on cAdvisor and Kubernetes for Google.
-			"vishh"
-		]
-
-[people]
-
-# A reference list of all people associated with the project.
-# All other sections should refer to people by their canonical key
-# in the people section.
-
-	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
-
-	[people.aaronlehmann]
-	Name = "Aaron Lehmann"
-	Email = "aaron.lehmann@docker.com"
-	GitHub = "aaronlehmann"
-
-	[people.akerouanton]
-	Name = "Albin Kerouanton"
-	Email = "albinker@gmail.com"
-	GitHub = "akerouanton"
-
-	[people.alexellis]
-	Name = "Alex Ellis"
-	Email = "alexellis2@gmail.com"
-	GitHub = "alexellis"
-
-	[people.akihirosuda]
-	Name = "Akihiro Suda"
-	Email = "akihiro.suda.cz@hco.ntt.co.jp"
-	GitHub = "AkihiroSuda"
-
-	[people.aluzzardi]
-	Name = "Andrea Luzzardi"
-	Email = "al@docker.com"
-	GitHub = "aluzzardi"
-
-	[people.albers]
-	Name = "Harald Albers"
-	Email = "github@albersweb.de"
-	GitHub = "albers"
-
-	[people.andrewhsu]
-	Name = "Andrew Hsu"
-	Email = "andrewhsu@docker.com"
-	GitHub = "andrewhsu"
-
-	[people.austinvazquez]
-	Name = "Austin Vazquez"
-	Email = "macedonv@amazon.com"
-	GitHub = "austinvazquez"
-
-	[people.anusha]
-	Name = "Anusha Ragunathan"
-	Email = "anusha@docker.com"
-	GitHub = "anusha-ragunathan"
-	
-	[people.bsousaa]
-	Name = "Bruno de Sousa"
-	Email = "bruno.sousa@docker.com"
-	GitHub = "bsousaa"
-
-	[people.calavera]
-	Name = "David Calavera"
-	Email = "david.calavera@gmail.com"
-	GitHub = "calavera"
-
-	[people.coolljt0725]
-	Name = "Lei Jitang"
-	Email = "leijitang@huawei.com"
-	GitHub = "coolljt0725"
-
-	[people.corhere]
-	Name = "Cory Snider"
-	Email = "csnider@mirantis.com"
-	GitHub = "corhere"
-
-	[people.cpuguy83]
-	Name = "Brian Goff"
-	Email = "cpuguy83@gmail.com"
-	GitHub = "cpuguy83"
-
-	[people.crazy-max]
-	Name = "Kevin Alvarez"
-	Email = "contact@crazymax.dev"
-	GitHub = "crazy-max"
-
-	[people.crosbymichael]
-	Name = "Michael Crosby"
-	Email = "crosbymichael@gmail.com"
-	GitHub = "crosbymichael"
-
-	[people.dnephin]
-	Name = "Daniel Nephin"
-	Email = "dnephin@gmail.com"
-	GitHub = "dnephin"
-
-	[people.dmcgowan]
-	Name = "Derek McGowan"
-	Email = "derek@mcgstyle.net"
-	GitHub = "dmcgowan"
-
-	[people.duglin]
-	Name = "Doug Davis"
-	Email = "dug@us.ibm.com"
-	GitHub = "duglin"
-
-	[people.ehazlett]
-	Name = "Evan Hazlett"
-	Email = "ejhazlett@gmail.com"
-	GitHub = "ehazlett"
-
-	[people.erikh]
-	Name = "Erik Hollensbe"
-	Email = "erik@docker.com"
-	GitHub = "erikh"
-
-	[people.estesp]
-	Name = "Phil Estes"
-	Email = "estesp@linux.vnet.ibm.com"
-	GitHub = "estesp"
-
-	[people.fntlnz]
-	Name = "Lorenzo Fontana"
-	Email = "fontanalorenz@gmail.com"
-	GitHub = "fntlnz"
-
-	[people.gianarb]
-	Name = "Gianluca Arbezzano"
-	Email = "ga@thumpflow.com"
-	GitHub = "gianarb"
-
-	[people.icecrime]
-	Name = "Arnaud Porterie"
-	Email = "icecrime@gmail.com"
-	GitHub = "icecrime"
-
-	[people.jamtur01]
-	Name = "James Turnbull"
-	Email = "james@lovedthanlost.net"
-	GitHub = "jamtur01"
-
-	[people.jessfraz]
-	Name = "Jessie Frazelle"
-	Email = "jess@linux.com"
-	GitHub = "jessfraz"
-
-	[people.johnstep]
-	Name = "John Stephens"
-	Email = "johnstep@docker.com"
-	GitHub = "johnstep"
-
-	[people.justincormack]
-	Name = "Justin Cormack"
-	Email = "justin.cormack@docker.com"
-	GitHub = "justincormack"
-
-	[people.kolyshkin]
-	Name = "Kir Kolyshkin"
-	Email = "kolyshkin@gmail.com"
-	GitHub = "kolyshkin"
-
-	[people.laurazard]
-	Name = "Laura Brehm"
-	Email = "laurabrehm@hey.com"
-	GitHub = "laurazard"
-
-	[people.lk4d4]
-	Name = "Alexander Morozov"
-	Email = "lk4d4@docker.com"
-	GitHub = "lk4d4"
-
-	[people.lowenna]
-	Name = "John Howard"
-	Email = "github@lowenna.com"
-	GitHub = "lowenna"
-
-	[people.mavenugo]
-	Name = "Madhu Venugopal"
-	Email = "madhu@docker.com"
-	GitHub = "mavenugo"
-
-	[people.mhbauer]
-	Name = "Morgan Bauer"
-	Email = "mbauer@us.ibm.com"
-	GitHub = "mhbauer"
-
-	[people.mlaventure]
-	Name = "Kenfe-Mickaël Laventure"
-	Email = "mickael.laventure@gmail.com"
-	GitHub = "mlaventure"
-
-	[people.moxiegirl]
-	Name = "Mary Anthony"
-	Email = "mary.anthony@docker.com"
-	GitHub = "moxiegirl"
-
-	[people.mrjana]
-	Name = "Jana Radhakrishnan"
-	Email = "mrjana@docker.com"
-	GitHub = "mrjana"
-
-	[people.neersighted]
-	Name = "Bjorn Neergaard"
-	Email = "bjorn@neersighted.com"
-	GitHub = "neersighted"
-
-	[people.olljanat]
-	Name = "Olli Janatuinen"
-	Email = "olli.janatuinen@gmail.com"
-	GitHub = "olljanat"
-
-	[people.programmerq]
-	Name = "Jeff Anderson"
-	Email = "jeff@docker.com"
-	GitHub = "programmerq"
-
-	[people.robmry]
-	Name = "Rob Murray"
-	Email = "rob.murray@docker.com"
-	GitHub = "robmry"
-
-	[people.ripcurld]
-	Name = "Boaz Shuster"
-	Email = "ripcurld.github@gmail.com"
-	GitHub = "ripcurld"
-
-	[people.rumpl]
-	Name = "Djordje Lukic"
-	Email = "djordje.lukic@docker.com"
-	GitHub = "rumpl"
-
-	[people.runcom]
-	Name = "Antonio Murdaca"
-	Email = "runcom@redhat.com"
-	GitHub = "runcom"
-
-	[people.sam-thibault]
-	Name = "Sam Thibault"
-	Email = "sam.thibault@docker.com"
-	GitHub = "sam-thibault"
-
-	[people.samuelkarp]
-	Name = "Samuel Karp"
-	Email = "me@samuelkarp.com"
-	GitHub = "samuelkarp"
-
-	[people.samwhited]
-	Name = "Sam Whited"
-	Email = "sam@samwhited.com"
-	GitHub = "samwhited"
-
-	[people.shykes]
-	Name = "Solomon Hykes"
-	Email = "solomon@docker.com"
-	GitHub = "shykes"
-
-	[people.stevvooe]
-	Name = "Stephen Day"
-	Email = "stephen.day@docker.com"
-	GitHub = "stevvooe"
-
-	[people.sven]
-	Name = "Sven Dowideit"
-	Email = "SvenDowideit@home.org.au"
-	GitHub = "SvenDowideit"
-
-	[people.thajeztah]
-	Name = "Sebastiaan van Stijn"
-	Email = "github@gone.nl"
-	GitHub = "thaJeztah"
-
-	[people.thompson-shaun]
-	Name = "Shaun Thompson"
-	Email = "shaun.thompson@docker.com"
-	GitHub = "thompson-shaun"
-
-	[people.tianon]
-	Name = "Tianon Gravi"
-	Email = "admwiggin@gmail.com"
-	GitHub = "tianon"
-
-	[people.tibor]
-	Name = "Tibor Vass"
-	Email = "tibor@docker.com"
-	GitHub = "tiborvass"
-
-	[people.tonistiigi]
-	Name = "Tõnis Tiigi"
-	Email = "tonis@docker.com"
-	GitHub = "tonistiigi"
-
-	[people.unclejack]
-	Name = "Cristian Staretu"
-	Email = "cristian.staretu@gmail.com"
-	GitHub = "unclejack"
-
-	[people.vbatts]
-	Name = "Vincent Batts"
-	Email = "vbatts@redhat.com"
-	GitHub = "vbatts"
-
-	[people.vdemeester]
-	Name = "Vincent Demeester"
-	Email = "vincent@sbr.pm"
-	GitHub = "vdemeester"
-
-	[people.vieux]
-	Name = "Victor Vieux"
-	Email = "vieux@docker.com"
-	GitHub = "vieux"
-
-	[people.vishh]
-	Name = "Vishnu Kannan"
-	Email = "vishnuk@google.com"
-	GitHub = "vishh"
-	
-	[people.vvoland]
-	Name = "Paweł Gronowski"
-	Email = "pawel.gronowski@docker.com"
-	GitHub = "vvoland"
-
-	[people.yongtang]
-	Name = "Yong Tang"
-	Email = "yong.tang.github@outlook.com"
-	GitHub = "yongtang"
+# REVIEWERS
+# GitHub ID, Name, Email address, GPG fingerprint
+"coolljt0725","Lei Jitang","leijitang@huawei.com"
+"crazy-max","Kevin Alvarez","contact@crazymax.dev"
+"dmcgowan","Derek McGowan","derek@mcgstyle.net"
+"estesp","Phil Estes","estesp@linux.vnet.ibm.com"
+"justincormack","Justin Cormack","justin.cormack@docker.com"
+"kolyshkin","Kir Kolyshkin","kolyshkin@gmail.com"
+"laurazard","Laura Brehm","laurabrehm@hey.com"
+"neersighted","Bjorn Neergaard","bjorn@neersighted.com"
+"rumpl","Djordje Lukic","djordje.lukic@docker.com"
+"samuelkarp","Samuel Karp","me@samuelkarp.com"
+"stevvooe","Stephen Day","stephen.day@docker.com"
+"thompson-shaun","Shaun Thompson","shaun.thompson@docker.com"
+"tiborvass","Tibor Vass","tibor@docker.com"
+"unclejack","Cristian Staretu","cristian.staretu@gmail.com"
--- a/22
+++ b/22
@@ -38,9 +38,10 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
-	-e DOCKER_FIREWALLD \
+	-e DOCKER_FIREWALL_BACKEND \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
+	-e DOCKER_IGNORE_BR_NETFILTER_ERROR \
 	-e DOCKER_LDFLAGS \
 	-e DOCKER_PORT \
 	-e DOCKER_REMAP_ROOT \
@@ -50,14 +51,14 @@ DOCKER_ENVS := \
 	-e DOCKER_USERLANDPROXY \
 	-e DOCKERD_ARGS \
 	-e DELVE_PORT \
+	-e FIREWALLD \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
-	-e TEST_INTEGRATION_USE_SNAPSHOTTER \
+	-e TEST_INTEGRATION_USE_GRAPHDRIVER \
 	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
-	-e TEST_IGNORE_CGROUP_CHECK \
 	-e TESTCOVERAGE \
 	-e TESTDEBUG \
 	-e TESTDIRS \
@@ -84,11 +85,11 @@ DOCKER_ENVS := \
 # to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
 # (default to no bind mount if DOCKER_HOST is set)
 # note: BINDDIR is supported for backwards-compatibility here
-BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))
+BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,.))

 # DOCKER_MOUNT can be overridden, but use at your own risk!
 ifndef DOCKER_MOUNT
-DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
+DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
 DOCKER_MOUNT := $(if $(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT):$(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT))

 # This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
@@ -150,7 +151,7 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
-ifdef DOCKER_FIREWALLD
+ifdef FIREWALLD
 DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
 endif

@@ -204,7 +205,7 @@ build: shell_target := --target=dev-base
 else
 build: shell_target := --target=dev
 endif
-build: bundles
+build: validate-bind-dir bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .

 .PHONY: shell
@@ -285,3 +286,10 @@ generate-files:
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
 	cp -R "$($@_TMP_OUT)"/. .
 	rm -rf "$($@_TMP_OUT)"/*
+
+.PHONY: validate-bind-dir
+validate-bind-dir:
+	@case "$(BIND_DIR)" in \
+		".."*|"/"*) echo "Make needs to be run from the project-root directory, with BIND_DIR set to \".\" or a subdir"; \
+		exit 1 ;; \
+	esac
--- a/README.md
+++ b/README.md
@@ -1,9 +1,11 @@
 The Moby Project
 ================

-[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/docker)](https://pkg.go.dev/github.com/docker/docker)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker)](https://goreportcard.com/report/github.com/docker/docker)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/v2)](https://pkg.go.dev/github.com/moby/moby/v2)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/v2)](https://goreportcard.com/report/github.com/moby/moby/v2)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)


 ![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -113,5 +113,5 @@ We see gRPC as the natural communication layer between decoupled components.

 In addition to pushing out large components into other projects, much of the
 internal code structure, and in particular the
-["Daemon"](https://godoc.org/github.com/docker/docker/daemon#Daemon) object,
+["Daemon"](https://pkg.go.dev/github.com/moby/moby/v2/daemon#Daemon) object,
 should be split into smaller, more manageable, and more testable components.
--- a/TESTING.md
+++ b/TESTING.md
@@ -8,11 +8,11 @@ questions you may have as an aspiring Moby contributor.
 Moby has two test suites (and one legacy test suite):

 * Unit tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  the package they test. Unit tests should be fast and test only their own 
  package.
 * API integration tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  `./integration/<component>` directories, where `component` is: container,
  image, volume, etc. These tests perform HTTP requests to an API endpoint and
  check the HTTP response and daemon state after the call.
@@ -57,17 +57,28 @@ Instead, implement new tests under `integration/`.
 ### Integration tests environment considerations

 When adding new tests or modifying existing tests under `integration/`, testing
-environment should be properly considered. `skip.If` from 
-[gotest.tools/skip](https://godoc.org/gotest.tools/skip) can be used to make the 
+environment should be properly considered. [`skip.If`](https://pkg.go.dev/gotest.tools/v3/skip#If) from 
+[gotest.tools/v3/skip](https://pkg.go.dev/gotest.tools/v3/skip) can be used to make the 
 test run conditionally. Full testing environment conditions can be found at 
-[environment.go](https://github.com/moby/moby/blob/6b6eeed03b963a27085ea670f40cd5ff8a61f32e/testutil/environment/environment.go)
+[environment.go](https://github.com/moby/moby/blob/311b2c87e125c6d4198014369e313135cf928a8a/testutil/environment/environment.go)

 Here is a quick example. If the test needs to interact with a docker daemon on 
 the same host, the following condition should be checked within the test code

 ```go
-skip.If(t, testEnv.IsRemoteDaemon())
-// your integration test code
+package example
+
+import (
+	"testing"
+
+	"gotest.tools/v3/skip"
+)
+
+func TestSomething(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon(), "test requires a local daemon")
+
+	// your integration test code
+}
 ```

 If a remote daemon is detected, the test will be skipped.
@@ -78,11 +89,11 @@ If a remote daemon is detected, the test will be skipped.

 To run the unit test suite:

-```
+```bash
 make test-unit
 ```

-or `hack/test/unit` from inside a `BINDDIR=. make shell` container or properly
+or `hack/test/unit` from inside a `make shell` container or properly
 configured environment.

 The following environment variables may be used to run a subset of tests:
@@ -95,7 +106,7 @@ The following environment variables may be used to run a subset of tests:

 To run the integration test suite:

-```
+```bash
 make test-integration
 ```

@@ -121,6 +132,6 @@ automatically set the other above mentioned environment variables accordingly.
 You can change a version of golang used for building stuff that is being tested
 by setting `GO_VERSION` variable, for example:

-```
-make GO_VERSION=1.12.8 test
+```bash
+make GO_VERSION=1.24.8 test
 ```
--- a/VENDORING.md
+++ b/VENDORING.md
@@ -1,46 +0,0 @@
-# Vendoring policies
-
-This document outlines recommended Vendoring policies for Docker repositories.
-(Example, libnetwork is a Docker repo and logrus is not.)
-
-## Vendoring using tags
-
-Commit ID based vendoring provides little/no information about the updates
-vendored. To fix this, vendors will now require that repositories use annotated
-tags along with commit ids to snapshot commits. Annotated tags by themselves
-are not sufficient, since the same tag can be force updated to reference
-different commits.
-
-Each tag should:
- Follow Semantic Versioning rules (refer to section on "Semantic Versioning")
- Have a corresponding entry in the change tracking document.
-
-Each repo should:
- Have a change tracking document between tags/releases. Ex: CHANGELOG.md,
-github releases file.
-
-The goal here is for consuming repos to be able to use the tag version and
-changelog updates to determine whether the vendoring will cause any breaking or
-backward incompatible changes. This also means that repos can specify having
-dependency on a package of a specific version or greater up to the next major
-release, without encountering breaking changes.
-
-## Semantic Versioning
-Annotated version tags should follow [Semantic Versioning](http://semver.org) policies:
-
-"Given a version number MAJOR.MINOR.PATCH, increment the:
-
-   1. MAJOR version when you make incompatible API changes,
-   2. MINOR version when you add functionality in a backwards-compatible manner, and
-   3. PATCH version when you make backwards-compatible bug fixes.
-
-Additional labels for pre-release and build metadata are available as extensions
-to the MAJOR.MINOR.PATCH format."
-
-## Vendoring cadence
-In order to avoid huge vendoring changes, it is recommended to have a regular
-cadence for vendoring updates. e.g. monthly.
-
-## Pre-merge vendoring tests
-All related repos will be vendored into docker/docker.
-CI on docker/docker should catch any breaking changes involving multiple repos.
--- a/api/README.md
+++ b/api/README.md
@@ -1,12 +1,18 @@
-# Working on the Engine API
+# Engine API
+
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/api)](https://pkg.go.dev/github.com/moby/moby/api)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/api)](https://goreportcard.com/report/github.com/moby/moby/api)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)
+

 The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.

 It consists of various components in this repository:

 - `api/swagger.yaml` A Swagger definition of the API.
- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
- `cli/` The command-line client.
+- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/moby/moby/issues/27919) for progress on this.
 - `client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
 - `daemon/` The daemon, which serves the API.

@@ -21,6 +27,7 @@ The API is defined by the [Swagger](http://swagger.io/specification/) definition
 ## Updating the API documentation

 The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, edit this file to represent the change in the documentation.
+Documentation for each API version can be found in the [docs directory](docs/README.md), which also provides a [CHANGELOG.md](docs/CHANGELOG.md). 

 The file is split into two main sections:

@@ -29,7 +36,7 @@ The file is split into two main sections:

 To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.

-There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919).
+There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/moby/moby/issues/27919).

 `swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful when making edits to ensure you are doing the right thing.

@@ -39,4 +46,4 @@ When you make edits to `swagger.yaml`, you may want to check the generated API d

 Run `make swagger-docs` and a preview will be running at `http://localhost:9000`. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.

-The production documentation is generated by vendoring `swagger.yaml` into [docker/docker.github.io](https://github.com/docker/docker.github.io).
+The production documentation is generated by vendoring `swagger.yaml` into [docker/docs](https://github.com/docker/docs).
--- a/api/common.go
+++ b/api/common.go
@@ -1,20 +0,0 @@
-package api // import "github.com/docker/docker/api"
-
-// Common constants for daemon and client.
-const (
-	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.48"
-
-	// MinSupportedAPIVersion is the minimum API version that can be supported
-	// by the API server, specified as "major.minor". Note that the daemon
-	// may be configured with a different minimum API version, as returned
-	// in [github.com/docker/docker/api/types.Version.MinAPIVersion].
-	//
-	// API requests for API versions lower than the configured version produce
-	// an error.
-	MinSupportedAPIVersion = "1.24"
-
-	// NoBaseImageSpecifier is the symbol used by the FROM
-	// command to specify that no base image is to be used.
-	NoBaseImageSpecifier = "scratch"
-)
--- a/api/docs/CHANGELOG.md
+++ b/api/docs/CHANGELOG.md
--- a/api/docs/README.md
+++ b/api/docs/README.md
@@ -0,0 +1,26 @@
+# API Documentation
+
+This directory contains versioned documents for each version of the API
+specification supported by this module. While this module provides support
+for older API versions, support should be considered "best-effort", especially
+for very old versions. Users are recommended to use the latest API versions,
+and only rely on older API versions for compatibility with older clients.
+
+Newer API versions tend to be backward-compatible with older versions,
+with some exceptions where features were deprecated. For an overview
+of changes for each version, refer to [CHANGELOG.md](CHANGELOG.md).
+
+The latest version of the API specification can be found [at the root directory
+of this module](../swagger.yaml) which may contain unreleased changes.
+
+For API version v1.24, documentation is only available in markdown
+format, for later versions [Swagger (OpenAPI) v2.0](https://swagger.io/specification/v2/)
+specifications can be found in this directory. The Moby project itself
+primarily uses these swagger files to produce the API documentation;
+while we attempt to make these files match the actual implementation,
+the OpenAPI 2.0 specification has limitations that prevent us from
+expressing all options provided. There may be discrepancies (for which
+we welcome contributions). If you find bugs, or discrepancies, please
+open a ticket (or pull request).
+
+
--- a/api/docs/v1.24.md
+++ b/api/docs/v1.24.md
@@ -310,7 +310,6 @@ Create a container
             "Memory": 0,
             "MemorySwap": 0,
             "MemoryReservation": 0,
-             "KernelMemory": 0,
             "CpuPercent": 80,
             "CpuShares": 512,
             "CpuPeriod": 100000,
@@ -438,7 +437,6 @@ Create a container
    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
          You must use this with `memory` and make the swap value larger than `memory`.
    -   **MemoryReservation** - Memory soft limit in bytes.
-    -   **KernelMemory** - Kernel memory limit in bytes.
    -   **CpuPercent** - An integer value containing the usable percentage of the available CPUs. (Windows daemon only)
    -   **CpuShares** - An integer value containing the container's CPU Shares
          (ie. the relative weight vs other containers).
@@ -627,7 +625,6 @@ Return low-level information on the container `id`
 			"Memory": 0,
 			"MemorySwap": 0,
 			"MemoryReservation": 0,
-			"KernelMemory": 0,
 			"OomKillDisable": false,
 			"OomScoreAdj": 500,
 			"NetworkMode": "bridge",
@@ -1197,7 +1194,6 @@ Update configuration of one or more containers.
         "Memory": 314572800,
         "MemorySwap": 514288000,
         "MemoryReservation": 209715200,
-         "KernelMemory": 52428800,
         "RestartPolicy": {
           "MaximumRetryCount": 4,
           "Name": "on-failure"
@@ -1830,8 +1826,7 @@ a base64-encoded AuthConfig object.
        ```
    {
            "username": "jdoe",
-            "password": "secret",
-            "email": "jdoe@acme.com"
+            "password": "secret"
    }
        ```

@@ -2066,8 +2061,7 @@ The push is cancelled if the HTTP connection is closed.
        ```
    {
            "username": "jdoe",
-            "password": "secret",
-            "email": "jdoe@acme.com",
+            "password": "secret"
    }
        ```

@@ -2498,8 +2492,6 @@ Docker daemon report the following event:
    Transfer-Encoding: chunked

    {
-      "status": "pull",
-      "id": "alpine:latest",
      "Type": "image",
      "Action": "pull",
      "Actor": {
@@ -2512,9 +2504,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101301854122
    }
    {
-      "status": "create",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "create",
      "Actor": {
@@ -2529,9 +2518,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101381709551
    }
    {
-      "status": "attach",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "attach",
      "Actor": {
@@ -2560,9 +2546,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101394865557
    }
    {
-      "status": "start",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "start",
      "Actor": {
@@ -2577,9 +2560,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101607533796
    }
    {
-      "status": "resize",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "resize",
      "Actor": {
@@ -2596,9 +2576,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101610269268
    }
    {
-      "status": "die",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "die",
      "Actor": {
@@ -2628,9 +2605,6 @@ Docker daemon report the following event:
      "timeNano": 1461943105230860245
    }
    {
-      "status": "destroy",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "destroy",
      "Actor": {
--- a/api/docs/v1.25.yaml
+++ b/api/docs/v1.25.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -432,10 +431,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -984,6 +979,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -1975,6 +1974,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2712,7 +2712,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3012,7 +3011,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3693,7 +3691,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5100,7 +5097,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.26.yaml
+++ b/api/docs/v1.26.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -432,10 +431,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -984,6 +979,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -1979,6 +1978,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2716,7 +2716,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.27.yaml
+++ b/api/docs/v1.27.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -434,10 +433,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -989,6 +984,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2051,6 +2050,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2775,7 +2775,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3075,7 +3074,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
--- a/api/docs/v1.28.yaml
+++ b/api/docs/v1.28.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -440,10 +439,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1027,6 +1022,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2104,6 +2103,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2864,7 +2864,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3164,7 +3163,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3855,7 +3853,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5287,7 +5284,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.29.yaml
+++ b/api/docs/v1.29.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -443,10 +442,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1033,6 +1028,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2125,6 +2124,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2897,7 +2897,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3197,7 +3196,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3888,7 +3886,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5320,7 +5317,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.30.yaml
+++ b/api/docs/v1.30.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -445,10 +444,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1043,6 +1038,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2303,6 +2302,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3110,7 +3110,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.31.yaml
+++ b/api/docs/v1.31.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -445,10 +444,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1049,6 +1044,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2332,6 +2331,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -2857,8 +2857,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -2899,8 +2902,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
  Config:
    type: "object"
@@ -3179,7 +3183,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.32.yaml
+++ b/api/docs/v1.32.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -449,10 +448,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1308,6 +1303,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2783,6 +2782,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3329,8 +3329,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3372,8 +3375,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"

  Config:
@@ -3514,10 +3518,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4391,7 +4391,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4699,7 +4698,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5388,7 +5386,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.33.yaml
+++ b/api/docs/v1.33.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -453,10 +452,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1312,6 +1307,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2787,6 +2786,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3333,8 +3333,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3376,8 +3379,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"

  Config:
@@ -3518,10 +3522,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4395,7 +4395,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4703,7 +4702,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5392,7 +5390,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.34.yaml
+++ b/api/docs/v1.34.yaml
@@ -62,7 +62,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -455,10 +454,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1322,6 +1317,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2797,6 +2796,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3361,8 +3361,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3404,8 +3407,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"

  Config:
@@ -3546,10 +3550,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4423,7 +4423,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4731,7 +4730,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5420,7 +5418,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.35.yaml
+++ b/api/docs/v1.35.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -466,10 +465,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1319,6 +1314,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2801,6 +2800,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3365,8 +3365,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3408,8 +3411,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"

  Config:
@@ -3550,10 +3554,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4427,7 +4427,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4735,7 +4734,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5429,7 +5427,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.36.yaml
+++ b/api/docs/v1.36.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1319,6 +1318,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2814,6 +2817,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3378,8 +3382,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3421,8 +3428,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"

  Config:
--- a/api/docs/v1.37.yaml
+++ b/api/docs/v1.37.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1322,6 +1321,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2817,6 +2820,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3384,8 +3388,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3434,8 +3441,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
--- a/api/docs/v1.38.yaml
+++ b/api/docs/v1.38.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -467,10 +466,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1333,6 +1328,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2871,6 +2870,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3438,8 +3438,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3488,8 +3491,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -3637,10 +3641,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4514,7 +4514,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4832,7 +4831,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5539,7 +5537,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.39.yaml
+++ b/api/docs/v1.39.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -530,11 +529,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
-        example: 209715200
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -2109,6 +2103,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -3913,6 +3911,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4499,8 +4498,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4551,8 +4553,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -4885,10 +4888,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: |
          Indicates if CPU CFS(Completely Fair Scheduler) period is supported by
@@ -5819,7 +5818,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -6093,7 +6091,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -6831,7 +6828,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.40.yaml
+++ b/api/docs/v1.40.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2169,6 +2168,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4039,6 +4042,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4623,8 +4627,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4675,8 +4682,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -7944,7 +7952,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.41.yaml
+++ b/api/docs/v1.41.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2200,6 +2199,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4204,6 +4207,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4872,8 +4876,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4924,8 +4931,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8233,7 +8241,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.42.yaml
+++ b/api/docs/v1.42.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2203,6 +2202,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4223,6 +4226,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4891,8 +4895,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4943,8 +4950,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8483,7 +8491,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.43.yaml
+++ b/api/docs/v1.43.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2234,6 +2233,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4254,6 +4257,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4922,8 +4926,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4974,8 +4981,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8501,7 +8509,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.44.yaml
+++ b/api/docs/v1.44.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2086,14 +2085,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2225,14 +2216,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2261,6 +2244,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4322,6 +4309,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5037,8 +5025,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -5089,8 +5080,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8658,7 +8650,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9643,13 +9646,9 @@ paths:

        ### Image tarball format

-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).

-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.

        If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.

--- a/api/docs/v1.45.yaml
+++ b/api/docs/v1.45.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2072,14 +2071,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2211,14 +2202,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2247,6 +2230,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4308,6 +4295,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5023,8 +5011,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -5075,8 +5066,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8644,7 +8636,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9623,13 +9626,9 @@ paths:

        ### Image tarball format

-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).

-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.

        If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.

--- a/api/docs/v1.46.yaml
+++ b/api/docs/v1.46.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1385,7 +1384,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        example: ""
      Domainname:
@@ -1395,7 +1394,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        example: ""
      User:
@@ -1409,7 +1408,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1420,7 +1419,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1431,7 +1430,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1458,7 +1457,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1469,7 +1468,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1480,7 +1479,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1517,7 +1516,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        default: ""
        example: ""
@@ -1556,7 +1555,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1568,7 +1567,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "string"
        default: ""
        example: ""
@@ -1602,7 +1601,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "integer"
        default: 10
        x-nullable: true
@@ -2099,14 +2098,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2239,14 +2230,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2275,6 +2258,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4361,6 +4348,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5082,8 +5070,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -5134,8 +5125,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8765,7 +8757,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9757,13 +9760,9 @@ paths:

        ### Image tarball format

-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).

-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.

        If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.

--- a/api/docs/v1.47.yaml
+++ b/api/docs/v1.47.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1385,7 +1384,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        example: ""
      Domainname:
@@ -1395,7 +1394,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        example: ""
      User:
@@ -1409,7 +1408,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1420,7 +1419,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1431,7 +1430,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1458,7 +1457,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1469,7 +1468,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1480,7 +1479,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
+          > always false. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1517,7 +1516,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
+          > always empty. It must not be used, and will be removed in API v1.50.
        type: "string"
        default: ""
        example: ""
@@ -1556,7 +1555,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "boolean"
        default: false
        example: false
@@ -1568,7 +1567,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "string"
        default: ""
        example: ""
@@ -1602,7 +1601,7 @@ definitions:
          <p><br /></p>

          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
+          > always omitted. It must not be used, and will be removed in API v1.50.
        type: "integer"
        default: 10
        x-nullable: true
@@ -2099,14 +2098,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/DriverData"
      RootFS:
@@ -2239,14 +2230,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2288,6 +2271,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4379,6 +4366,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5100,8 +5088,11 @@ definitions:
          com.example.some-other-label: "some-other-value"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -5152,8 +5143,9 @@ definitions:
          type: "string"
      Data:
        description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
        type: "string"
      Templating:
        description: |
@@ -8906,7 +8898,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9898,13 +9901,9 @@ paths:

        ### Image tarball format

-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).

-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.

        If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.

--- a/api/docs/v1.48.yaml
+++ b/api/docs/v1.48.yaml
--- a/api/docs/v1.49.yaml
+++ b/api/docs/v1.49.yaml
--- a/api/docs/v1.50.yaml
+++ b/api/docs/v1.50.yaml
--- a/api/docs/v1.51.yaml
+++ b/api/docs/v1.51.yaml
--- a/api/docs/v1.52.yaml
+++ b/api/docs/v1.52.yaml
--- a/api/go.mod
+++ b/api/go.mod
@@ -0,0 +1,14 @@
+module github.com/moby/moby/api
+
+go 1.23.0
+
+require (
+	github.com/docker/go-units v0.5.0
+	github.com/google/go-cmp v0.7.0
+	github.com/moby/docker-image-spec v1.3.1
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.1
+	golang.org/x/time v0.11.0
+	gotest.tools/v3 v3.5.2
+	pgregory.net/rapid v1.2.0
+)
--- a/api/go.sum
+++ b/api/go.sum
@@ -0,0 +1,16 @@
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/api/pkg/authconfig/authconfig.go
+++ b/api/pkg/authconfig/authconfig.go
@@ -0,0 +1,92 @@
+package authconfig
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/moby/moby/api/types/registry"
+)
+
+// Encode serializes the auth configuration as a base64url encoded
+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.
+//
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+func Encode(authConfig registry.AuthConfig) (string, error) {
+	// Older daemons (or registries) may not handle an empty string,
+	// which resulted in an "io.EOF" when unmarshaling or decoding.
+	//
+	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.
+	// if authConfig == (AuthConfig{}) { return "", nil }
+	buf, err := json.Marshal(authConfig)
+	if err != nil {
+		return "", errInvalidParameter{err}
+	}
+	return base64.URLEncoding.EncodeToString(buf), nil
+}
+
+// Decode decodes base64url encoded ([RFC4648, section 5]) JSON
+// authentication information as sent through the X-Registry-Auth header.
+//
+// This function always returns an [AuthConfig], even if an error occurs. It is up
+// to the caller to decide if authentication is required, and if the error can
+// be ignored.
+//
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+func Decode(authEncoded string) (*registry.AuthConfig, error) {
+	if authEncoded == "" {
+		return &registry.AuthConfig{}, nil
+	}
+
+	decoded, err := base64.URLEncoding.DecodeString(authEncoded)
+	if err != nil {
+		var e base64.CorruptInputError
+		if errors.As(err, &e) {
+			return &registry.AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))
+		}
+		return &registry.AuthConfig{}, invalid(err)
+	}
+
+	if bytes.Equal(decoded, []byte("{}")) {
+		return &registry.AuthConfig{}, nil
+	}
+
+	return decode(bytes.NewReader(decoded))
+}
+
+// DecodeRequestBody decodes authentication information as sent as JSON in the
+// body of a request. This function is to provide backward compatibility with old
+// clients and API versions. Current clients and API versions expect authentication
+// to be provided through the X-Registry-Auth header.
+//
+// Like [Decode], this function always returns an [AuthConfig], even if an
+// error occurs. It is up to the caller to decide if authentication is required,
+// and if the error can be ignored.
+func DecodeRequestBody(r io.ReadCloser) (*registry.AuthConfig, error) {
+	return decode(r)
+}
+
+func decode(r io.Reader) (*registry.AuthConfig, error) {
+	authConfig := &registry.AuthConfig{}
+	if err := json.NewDecoder(r).Decode(authConfig); err != nil {
+		// always return an (empty) AuthConfig to increase compatibility with
+		// the existing API.
+		return &registry.AuthConfig{}, invalid(fmt.Errorf("invalid JSON: %w", err))
+	}
+	return authConfig, nil
+}
+
+func invalid(err error) error {
+	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}
+}
+
+type errInvalidParameter struct{ error }
+
+func (errInvalidParameter) InvalidParameter() {}
+
+func (e errInvalidParameter) Cause() error { return e.error }
+
+func (e errInvalidParameter) Unwrap() error { return e.error }
--- a/api/pkg/authconfig/authconfig_test.go
+++ b/api/pkg/authconfig/authconfig_test.go
@@ -0,0 +1,191 @@
+package authconfig
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"github.com/moby/moby/api/types/registry"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestDecodeAuthConfig(t *testing.T) {
+	tests := []struct {
+		doc         string
+		input       string
+		inputBase64 string
+		expected    registry.AuthConfig
+		expectedErr string
+	}{
+		{
+			doc:         "empty",
+			input:       ``,
+			inputBase64: ``,
+			expected:    registry.AuthConfig{},
+		},
+		{
+			doc:         "empty JSON",
+			input:       `{}`,
+			inputBase64: `e30=`,
+			expected:    registry.AuthConfig{},
+		},
+		{
+			doc:         "malformed JSON",
+			input:       `{`,
+			inputBase64: `ew==`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: invalid JSON: unexpected EOF`,
+		},
+		{
+			doc:         "test authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,
+			expected: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+		},
+		{
+			// FIXME(thaJeztah): we should not accept multiple JSON documents.
+			doc:         "multiple authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}{"username":"testuser2","password":"testpassword2","serveraddress":"example.org"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifXsidXNlcm5hbWUiOiJ0ZXN0dXNlcjIiLCJwYXNzd29yZCI6InRlc3RwYXNzd29yZDIiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5vcmcifQ==`,
+			expected: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+		},
+		// We currently only support base64url encoding with padding, so
+		// un-padded should produce an error.
+		//
+		// RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5
+		// RFC4648, section 3.2: https://tools.ietf.org/html/rfc4648#section-3.2
+		{
+			doc:         "empty JSON no padding",
+			input:       `{}`,
+			inputBase64: `e30`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,
+		},
+		{
+			doc:         "test authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			if tc.inputBase64 != "" {
+				// Sanity check to make sure our fixtures are correct.
+				b64 := base64.URLEncoding.EncodeToString([]byte(tc.input))
+				if !strings.HasSuffix(tc.inputBase64, "=") {
+					b64 = strings.TrimRight(b64, "=")
+				}
+				assert.Check(t, is.Equal(b64, tc.inputBase64))
+			}
+
+			out, err := Decode(tc.inputBase64)
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorType(err, errInvalidParameter{}))
+				assert.Check(t, is.Error(err, tc.expectedErr))
+			} else {
+				assert.NilError(t, err)
+				assert.Equal(t, *out, tc.expected)
+			}
+		})
+	}
+}
+
+func TestEncodeAuthConfig(t *testing.T) {
+	tests := []struct {
+		doc       string
+		input     registry.AuthConfig
+		outBase64 string
+		outPlain  string
+	}{
+		{
+			// Older daemons (or registries) may not handle an empty string,
+			// which resulted in an "io.EOF" when unmarshaling or decoding.
+			//
+			// FIXME(thaJeztah): find exactly what code-paths are impacted by this.
+			doc:       "empty",
+			input:     registry.AuthConfig{},
+			outBase64: `e30=`,
+			outPlain:  `{}`,
+		},
+		{
+			doc: "test authConfig",
+			input: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+			outBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,
+			outPlain:  `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+		},
+	}
+	for _, tc := range tests {
+		// Sanity check to make sure our fixtures are correct.
+		b64 := base64.URLEncoding.EncodeToString([]byte(tc.outPlain))
+		assert.Check(t, is.Equal(b64, tc.outBase64))
+
+		t.Run(tc.doc, func(t *testing.T) {
+			out, err := Encode(tc.input)
+			assert.NilError(t, err)
+			assert.Equal(t, out, tc.outBase64)
+
+			authJSON, err := base64.URLEncoding.DecodeString(out)
+			assert.NilError(t, err)
+			assert.Equal(t, string(authJSON), tc.outPlain)
+		})
+	}
+}
+
+func BenchmarkDecodeAuthConfig(b *testing.B) {
+	cases := []struct {
+		doc         string
+		inputBase64 string
+		invalid     bool
+	}{
+		{
+			doc:         "empty",
+			inputBase64: ``,
+		},
+		{
+			doc:         "empty JSON",
+			inputBase64: `e30=`,
+		},
+		{
+			doc:         "valid",
+			inputBase64: base64.URLEncoding.EncodeToString([]byte(`{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`)),
+		},
+		{
+			doc:         "invalid base64",
+			inputBase64: "not-base64",
+			invalid:     true,
+		},
+		{
+			doc:         "malformed JSON",
+			inputBase64: `ew==`,
+			invalid:     true,
+		},
+	}
+
+	for _, tc := range cases {
+		b.Run(tc.doc, func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, err := Decode(tc.inputBase64)
+				if !tc.invalid && err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
--- a/api/pkg/progress/progress.go
+++ b/api/pkg/progress/progress.go
@@ -0,0 +1,93 @@
+package progress
+
+import (
+	"fmt"
+)
+
+// Progress represents the progress of a transfer.
+type Progress struct {
+	ID string
+
+	// Progress contains a Message or...
+	Message string
+
+	// ...progress of an action
+	Action  string
+	Current int64
+	Total   int64
+
+	// If true, don't show xB/yB
+	HideCounts bool
+	// If not empty, use units instead of bytes for counts
+	Units string
+
+	// Aux contains extra information not presented to the user, such as
+	// digests for push signing.
+	Aux any
+
+	LastUpdate bool
+}
+
+// Output is an interface for writing progress information. It's
+// like a writer for progress, but we don't call it Writer because
+// that would be confusing next to ProgressReader (also, because it
+// doesn't implement the io.Writer interface).
+type Output interface {
+	WriteProgress(Progress) error
+}
+
+type chanOutput chan<- Progress
+
+func (out chanOutput) WriteProgress(p Progress) error {
+	// FIXME: workaround for panic in #37735
+	defer func() {
+		recover()
+	}()
+	out <- p
+	return nil
+}
+
+// ChanOutput returns an Output that writes progress updates to the
+// supplied channel.
+func ChanOutput(progressChan chan<- Progress) Output {
+	return chanOutput(progressChan)
+}
+
+type discardOutput struct{}
+
+func (discardOutput) WriteProgress(Progress) error {
+	return nil
+}
+
+// DiscardOutput returns an Output that discards progress
+func DiscardOutput() Output {
+	return discardOutput{}
+}
+
+// Update is a convenience function to write a progress update to the channel.
+func Update(out Output, id, action string) {
+	out.WriteProgress(Progress{ID: id, Action: action})
+}
+
+// Updatef is a convenience function to write a printf-formatted progress update
+// to the channel.
+func Updatef(out Output, id, format string, a ...any) {
+	Update(out, id, fmt.Sprintf(format, a...))
+}
+
+// Message is a convenience function to write a progress message to the channel.
+func Message(out Output, id, message string) {
+	out.WriteProgress(Progress{ID: id, Message: message})
+}
+
+// Messagef is a convenience function to write a printf-formatted progress
+// message to the channel.
+func Messagef(out Output, id, format string, a ...any) {
+	Message(out, id, fmt.Sprintf(format, a...))
+}
+
+// Aux sends auxiliary information over a progress interface, which will not be
+// formatted for the UI. This is used for things such as push signing.
+func Aux(out Output, a any) {
+	out.WriteProgress(Progress{Aux: a})
+}
--- a/api/pkg/progress/progressreader.go
+++ b/api/pkg/progress/progressreader.go
@@ -0,0 +1,66 @@
+package progress
+
+import (
+	"io"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+// Reader is a Reader with progress bar.
+type Reader struct {
+	in          io.ReadCloser // Stream to read from
+	out         Output        // Where to send progress bar to
+	size        int64
+	current     int64
+	lastUpdate  int64
+	id          string
+	action      string
+	rateLimiter *rate.Limiter
+}
+
+// NewProgressReader creates a new ProgressReader.
+func NewProgressReader(in io.ReadCloser, out Output, size int64, id, action string) *Reader {
+	return &Reader{
+		in:          in,
+		out:         out,
+		size:        size,
+		id:          id,
+		action:      action,
+		rateLimiter: rate.NewLimiter(rate.Every(100*time.Millisecond), 1),
+	}
+}
+
+func (p *Reader) Read(buf []byte) (int, error) {
+	read, err := p.in.Read(buf)
+	p.current += int64(read)
+	updateEvery := int64(1024 * 512) // 512kB
+	if p.size > 0 {
+		// Update progress for every 1% read if 1% < 512kB
+		if increment := int64(0.01 * float64(p.size)); increment < updateEvery {
+			updateEvery = increment
+		}
+	}
+	if p.current-p.lastUpdate > updateEvery || err != nil {
+		p.updateProgress(err != nil && read == 0)
+		p.lastUpdate = p.current
+	}
+
+	return read, err
+}
+
+// Close closes the progress reader and its underlying reader.
+func (p *Reader) Close() error {
+	if p.current < p.size {
+		// print a full progress bar when closing prematurely
+		p.current = p.size
+		p.updateProgress(false)
+	}
+	return p.in.Close()
+}
+
+func (p *Reader) updateProgress(last bool) {
+	if last || p.current == p.size || p.rateLimiter.Allow() {
+		p.out.WriteProgress(Progress{ID: p.id, Action: p.action, Current: p.current, Total: p.size, LastUpdate: last})
+	}
+}
--- a/api/pkg/progress/progressreader_test.go
+++ b/api/pkg/progress/progressreader_test.go
@@ -1,4 +1,4 @@
-package progress // import "github.com/docker/docker/pkg/progress"
+package progress

 import (
 	"bytes"
--- a/api/pkg/stdcopy/stdcopy.go
+++ b/api/pkg/stdcopy/stdcopy.go
@@ -0,0 +1,146 @@
+package stdcopy
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+)
+
+// StdType is the type of standard stream
+// a writer can multiplex to.
+type StdType byte
+
+const (
+	Stdin     StdType = 0 // Stdin represents standard input stream. It is present for completeness and should NOT be used. When reading the stream with [StdCopy] it is output on [Stdout].
+	Stdout    StdType = 1 // Stdout represents standard output stream.
+	Stderr    StdType = 2 // Stderr represents standard error steam.
+	Systemerr StdType = 3 // Systemerr represents errors originating from the system. When reading the stream with [StdCopy] it is returned as an error.
+)
+
+const (
+	stdWriterPrefixLen = 8
+	stdWriterFdIndex   = 0
+	stdWriterSizeIndex = 4
+
+	startingBufLen = 32*1024 + stdWriterPrefixLen + 1
+)
+
+// StdCopy is a modified version of [io.Copy] to de-multiplex messages
+// from "multiplexedSource" and copy them to destination streams
+// "destOut" and "destErr".
+//
+// StdCopy demultiplexes "multiplexedSource", assuming that it contains
+// two streams, previously multiplexed using a writer created with
+// [NewStdWriter].
+//
+// As it reads from "multiplexedSource", StdCopy writes [Stdout] messages
+// to "destOut", and [Stderr] message to "destErr]. For backward-compatibility,
+// [Stdin] messages are output to "destOut". The [Systemerr] stream provides
+// errors produced by the daemon. It is returned as an error, and terminates
+// processing the stream.
+//
+// StdCopy it reads until it hits [io.EOF] on "multiplexedSource", after
+// which it returns a nil error. In other words: any error returned indicates
+// a real underlying error, which may be when an unknown [StdType] stream
+// is received.
+//
+// The "written" return holds the total number of bytes written to "destOut"
+// and "destErr" combined.
+func StdCopy(destOut, destErr io.Writer, multiplexedSource io.Reader) (written int64, _ error) {
+	var (
+		buf       = make([]byte, startingBufLen)
+		bufLen    = len(buf)
+		nr, nw    int
+		err       error
+		out       io.Writer
+		frameSize int
+	)
+
+	for {
+		// Make sure we have at least a full header
+		for nr < stdWriterPrefixLen {
+			var nr2 int
+			nr2, err = multiplexedSource.Read(buf[nr:])
+			nr += nr2
+			if errors.Is(err, io.EOF) {
+				if nr < stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		// Check the first byte to know where to write
+		stream := StdType(buf[stdWriterFdIndex])
+		switch stream {
+		case Stdin:
+			fallthrough
+		case Stdout:
+			// Write on stdout
+			out = destOut
+		case Stderr:
+			// Write on stderr
+			out = destErr
+		case Systemerr:
+			// If we're on Systemerr, we won't write anywhere.
+			// NB: if this code changes later, make sure you don't try to write
+			// to outstream if Systemerr is the stream
+			out = nil
+		default:
+			return 0, fmt.Errorf("unrecognized stream: %d", stream)
+		}
+
+		// Retrieve the size of the frame
+		frameSize = int(binary.BigEndian.Uint32(buf[stdWriterSizeIndex : stdWriterSizeIndex+4]))
+
+		// Check if the buffer is big enough to read the frame.
+		// Extend it if necessary.
+		if frameSize+stdWriterPrefixLen > bufLen {
+			buf = append(buf, make([]byte, frameSize+stdWriterPrefixLen-bufLen+1)...)
+			bufLen = len(buf)
+		}
+
+		// While the amount of bytes read is less than the size of the frame + header, we keep reading
+		for nr < frameSize+stdWriterPrefixLen {
+			var nr2 int
+			nr2, err = multiplexedSource.Read(buf[nr:])
+			nr += nr2
+			if errors.Is(err, io.EOF) {
+				if nr < frameSize+stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		// we might have an error from the source mixed up in our multiplexed
+		// stream. if we do, return it.
+		if stream == Systemerr {
+			return written, fmt.Errorf("error from daemon in stream: %s", string(buf[stdWriterPrefixLen:frameSize+stdWriterPrefixLen]))
+		}
+
+		// Write the retrieved frame (without header)
+		nw, err = out.Write(buf[stdWriterPrefixLen : frameSize+stdWriterPrefixLen])
+		if err != nil {
+			return 0, err
+		}
+
+		// If the frame has not been fully written: error
+		if nw != frameSize {
+			return 0, io.ErrShortWrite
+		}
+		written += int64(nw)
+
+		// Move the rest of the buffer to the beginning
+		copy(buf, buf[frameSize+stdWriterPrefixLen:])
+		// Move the index
+		nr -= frameSize + stdWriterPrefixLen
+	}
+}
--- a/api/pkg/streamformatter/streamformatter.go
+++ b/api/pkg/streamformatter/streamformatter.go
@@ -0,0 +1,247 @@
+// Package streamformatter provides helper functions to format a stream.
+package streamformatter
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/go-units"
+	"github.com/moby/moby/api/pkg/progress"
+	"github.com/moby/moby/api/types/jsonstream"
+)
+
+// jsonMessage defines a message struct. It describes
+// the created time, where it from, status, ID of the
+// message. It's used for docker events.
+//
+// It is a reduced set of [jsonmessage.JSONMessage].
+type jsonMessage struct {
+	Stream   string               `json:"stream,omitempty"`
+	Status   string               `json:"status,omitempty"`
+	Progress *jsonstream.Progress `json:"progressDetail,omitempty"`
+	ID       string               `json:"id,omitempty"`
+	Error    *jsonstream.Error    `json:"errorDetail,omitempty"`
+	Aux      *json.RawMessage     `json:"aux,omitempty"` // Aux contains out-of-band data, such as digests for push signing and image id after building.
+
+	// ErrorMessage contains errors encountered during the operation.
+	//
+	// Deprecated: this field is deprecated since docker v0.6.0 / API v1.4. Use [Error.Message] instead. This field will be omitted in a future release.
+	ErrorMessage string `json:"error,omitempty"` // deprecated
+}
+
+const streamNewline = "\r\n"
+
+type jsonProgressFormatter struct{}
+
+func appendNewline(source []byte) []byte {
+	return append(source, []byte(streamNewline)...)
+}
+
+// FormatStatus formats the specified objects according to the specified format (and id).
+func FormatStatus(id, format string, a ...any) []byte {
+	str := fmt.Sprintf(format, a...)
+	b, err := json.Marshal(&jsonMessage{ID: id, Status: str})
+	if err != nil {
+		return FormatError(err)
+	}
+	return appendNewline(b)
+}
+
+// FormatError formats the error as a JSON object
+func FormatError(err error) []byte {
+	jsonError, ok := err.(*jsonstream.Error)
+	if !ok {
+		jsonError = &jsonstream.Error{Message: err.Error()}
+	}
+	if b, err := json.Marshal(&jsonMessage{Error: jsonError, ErrorMessage: err.Error()}); err == nil {
+		return appendNewline(b)
+	}
+	return []byte(`{"error":"format error"}` + streamNewline)
+}
+
+func (sf *jsonProgressFormatter) formatStatus(id, format string, a ...any) []byte {
+	return FormatStatus(id, format, a...)
+}
+
+// formatProgress formats the progress information for a specified action.
+func (sf *jsonProgressFormatter) formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte {
+	if progress == nil {
+		progress = &jsonstream.Progress{}
+	}
+	var auxJSON *json.RawMessage
+	if aux != nil {
+		auxJSONBytes, err := json.Marshal(aux)
+		if err != nil {
+			return nil
+		}
+		auxJSON = new(json.RawMessage)
+		*auxJSON = auxJSONBytes
+	}
+	b, err := json.Marshal(&jsonMessage{
+		Status:   action,
+		Progress: progress,
+		ID:       id,
+		Aux:      auxJSON,
+	})
+	if err != nil {
+		return nil
+	}
+	return appendNewline(b)
+}
+
+type rawProgressFormatter struct{}
+
+func (sf *rawProgressFormatter) formatStatus(id, format string, a ...any) []byte {
+	return []byte(fmt.Sprintf(format, a...) + streamNewline)
+}
+
+func rawProgressString(p *jsonstream.Progress) string {
+	if p == nil || (p.Current <= 0 && p.Total <= 0) {
+		return ""
+	}
+	if p.Total <= 0 {
+		switch p.Units {
+		case "":
+			return fmt.Sprintf("%8v", units.HumanSize(float64(p.Current)))
+		default:
+			return fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	percentage := int(float64(p.Current)/float64(p.Total)*100) / 2
+	if percentage > 50 {
+		percentage = 50
+	}
+
+	numSpaces := 0
+	if 50-percentage > 0 {
+		numSpaces = 50 - percentage
+	}
+	pbBox := fmt.Sprintf("[%s>%s] ", strings.Repeat("=", percentage), strings.Repeat(" ", numSpaces))
+
+	var numbersBox string
+	switch {
+	case p.HideCounts:
+	case p.Units == "": // no units, use bytes
+		current := units.HumanSize(float64(p.Current))
+		total := units.HumanSize(float64(p.Total))
+
+		numbersBox = fmt.Sprintf("%8v/%v", current, total)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%8v", current)
+		}
+	default:
+		numbersBox = fmt.Sprintf("%d/%d %s", p.Current, p.Total, p.Units)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	var timeLeftBox string
+	if p.Current > 0 && p.Start > 0 && percentage < 50 {
+		fromStart := time.Since(time.Unix(p.Start, 0))
+		perEntry := fromStart / time.Duration(p.Current)
+		left := time.Duration(p.Total-p.Current) * perEntry
+		timeLeftBox = " " + left.Round(time.Second).String()
+	}
+	return pbBox + numbersBox + timeLeftBox
+}
+
+func (sf *rawProgressFormatter) formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte {
+	if progress == nil {
+		progress = &jsonstream.Progress{}
+	}
+	endl := "\r"
+	out := rawProgressString(progress)
+	if out == "" {
+		endl += "\n"
+	}
+	return []byte(action + " " + out + endl)
+}
+
+// NewProgressOutput returns a progress.Output object that can be passed to
+// progress.NewProgressReader.
+func NewProgressOutput(out io.Writer) progress.Output {
+	return &progressOutput{sf: &rawProgressFormatter{}, out: out, newLines: true}
+}
+
+// NewJSONProgressOutput returns a progress.Output that formats output
+// using JSON objects
+func NewJSONProgressOutput(out io.Writer, newLines bool) progress.Output {
+	return &progressOutput{sf: &jsonProgressFormatter{}, out: out, newLines: newLines}
+}
+
+type formatProgress interface {
+	formatStatus(id, format string, a ...any) []byte
+	formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte
+}
+
+type progressOutput struct {
+	sf       formatProgress
+	out      io.Writer
+	newLines bool
+	mu       sync.Mutex
+}
+
+// WriteProgress formats progress information from a ProgressReader.
+func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+	var formatted []byte
+	if prog.Message != "" {
+		formatted = out.sf.formatStatus(prog.ID, prog.Message)
+	} else {
+		jsonProgress := jsonstream.Progress{
+			Current:    prog.Current,
+			Total:      prog.Total,
+			HideCounts: prog.HideCounts,
+			Units:      prog.Units,
+		}
+		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+	}
+
+	out.mu.Lock()
+	defer out.mu.Unlock()
+	_, err := out.out.Write(formatted)
+	if err != nil {
+		return err
+	}
+
+	if out.newLines && prog.LastUpdate {
+		_, err = out.out.Write(out.sf.formatStatus("", ""))
+		return err
+	}
+
+	return nil
+}
+
+// AuxFormatter is a streamFormatter that writes aux progress messages
+type AuxFormatter struct {
+	io.Writer
+}
+
+// Emit emits the given interface as an aux progress message
+func (sf *AuxFormatter) Emit(id string, aux any) error {
+	auxJSONBytes, err := json.Marshal(aux)
+	if err != nil {
+		return err
+	}
+	auxJSON := new(json.RawMessage)
+	*auxJSON = auxJSONBytes
+	msgJSON, err := json.Marshal(&jsonMessage{ID: id, Aux: auxJSON})
+	if err != nil {
+		return err
+	}
+	msgJSON = appendNewline(msgJSON)
+	n, err := sf.Writer.Write(msgJSON)
+	if n != len(msgJSON) {
+		return io.ErrShortWrite
+	}
+	return err
+}
--- a/api/pkg/streamformatter/streamformatter_test.go
+++ b/api/pkg/streamformatter/streamformatter_test.go
@@ -1,4 +1,4 @@
-package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+package streamformatter

 import (
 	"bytes"
@@ -7,9 +7,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/moby/moby/api/types/jsonstream"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -22,7 +21,7 @@ func TestRawProgressFormatterFormatStatus(t *testing.T) {

 func TestRawProgressFormatterFormatProgress(t *testing.T) {
 	sf := rawProgressFormatter{}
-	jsonProgress := &jsonmessage.JSONProgress{
+	jsonProgress := &jsonstream.Progress{
 		Current: 15,
 		Total:   30,
 		Start:   1,
@@ -47,7 +46,7 @@ func TestFormatError(t *testing.T) {
 }

 func TestFormatJSONError(t *testing.T) {
-	err := &jsonmessage.JSONError{Code: 50, Message: "Json error"}
+	err := &jsonstream.Error{Code: 50, Message: "Json error"}
 	res := FormatError(err)
 	expected := `{"errorDetail":{"code":50,"message":"Json error"},"error":"Json error"}` + streamNewline
 	assert.Check(t, is.Equal(expected, string(res)))
@@ -55,19 +54,19 @@ func TestFormatJSONError(t *testing.T) {

 func TestJsonProgressFormatterFormatProgress(t *testing.T) {
 	sf := &jsonProgressFormatter{}
-	jsonProgress := &jsonmessage.JSONProgress{
+	jsonProgress := &jsonstream.Progress{
 		Current: 15,
 		Total:   30,
 		Start:   1,
 	}
 	aux := "aux message"
 	res := sf.formatProgress("id", "action", jsonProgress, aux)
-	msg := &jsonmessage.JSONMessage{}
+	msg := &jsonMessage{}

 	assert.NilError(t, json.Unmarshal(res, msg))

 	rawAux := json.RawMessage(`"` + aux + `"`)
-	expected := &jsonmessage.JSONMessage{
+	expected := &jsonMessage{
 		ID:       "id",
 		Status:   "action",
 		Aux:      &rawAux,
@@ -81,7 +80,6 @@ func cmpJSONMessageOpt() cmp.Option {
 		return path.String() == "ProgressMessage"
 	}
 	return cmp.Options{
-		cmpopts.IgnoreUnexported(jsonmessage.JSONProgress{}),
 		// Ignore deprecated property that is a derivative of Progress
 		cmp.FilterPath(progressMessagePath, cmp.Ignore()),
 	}
--- a/api/pkg/streamformatter/streamwriter.go
+++ b/api/pkg/streamformatter/streamwriter.go
@@ -0,0 +1,45 @@
+package streamformatter
+
+import (
+	"encoding/json"
+	"io"
+)
+
+type streamWriter struct {
+	io.Writer
+	lineFormat func([]byte) string
+}
+
+func (sw *streamWriter) Write(buf []byte) (int, error) {
+	formattedBuf := sw.format(buf)
+	n, err := sw.Writer.Write(formattedBuf)
+	if n != len(formattedBuf) {
+		return n, io.ErrShortWrite
+	}
+	return len(buf), err
+}
+
+func (sw *streamWriter) format(buf []byte) []byte {
+	msg := &jsonMessage{Stream: sw.lineFormat(buf)}
+	b, err := json.Marshal(msg)
+	if err != nil {
+		return FormatError(err)
+	}
+	return appendNewline(b)
+}
+
+// NewStdoutWriter returns a writer which formats the output as json message
+// representing stdout lines
+func NewStdoutWriter(out io.Writer) io.Writer {
+	return &streamWriter{Writer: out, lineFormat: func(buf []byte) string {
+		return string(buf)
+	}}
+}
+
+// NewStderrWriter returns a writer which formats the output as json message
+// representing stderr lines
+func NewStderrWriter(out io.Writer) io.Writer {
+	return &streamWriter{Writer: out, lineFormat: func(buf []byte) string {
+		return "\033[91m" + string(buf) + "\033[0m"
+	}}
+}
--- a/api/pkg/streamformatter/streamwriter_test.go
+++ b/api/pkg/streamformatter/streamwriter_test.go
@@ -1,4 +1,4 @@
-package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+package streamformatter

 import (
 	"bytes"
--- a/api/releases/v1.52.0-beta.toml
+++ b/api/releases/v1.52.0-beta.toml
@@ -0,0 +1,17 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "moby"
+github_repo = "moby/moby"
+sub_path = "api"
+ignore_deps = [ "github.com/moby/moby" ]
+
+# previous release
+previous = "v28.2.2"
+
+pre_release = true
+
+preface = """\
+The first dedicated release for the Moby API. This release continues the 1.x
+line of API compatibility with the 52nd minor release of the 1.x API.
+"""
--- a/api/server/backend/build/backend.go
+++ b/api/server/backend/build/backend.go
@@ -1,128 +0,0 @@
-package build // import "github.com/docker/docker/api/server/backend/build"
-
-import (
-	"context"
-	"fmt"
-	"strconv"
-
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/events"
-	"github.com/docker/docker/builder"
-	buildkit "github.com/docker/docker/builder/builder-next"
-	daemonevents "github.com/docker/docker/daemon/events"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/stringid"
-	"github.com/pkg/errors"
-	"google.golang.org/grpc"
-)
-
-// ImageComponent provides an interface for working with images
-type ImageComponent interface {
-	SquashImage(from string, to string) (string, error)
-	TagImage(context.Context, image.ID, reference.Named) error
-}
-
-// Builder defines interface for running a build
-type Builder interface {
-	Build(context.Context, backend.BuildConfig) (*builder.Result, error)
-}
-
-// Backend provides build functionality to the API router
-type Backend struct {
-	builder        Builder
-	imageComponent ImageComponent
-	buildkit       *buildkit.Builder
-	eventsService  *daemonevents.Events
-}
-
-// NewBackend creates a new build backend from components
-func NewBackend(components ImageComponent, builder Builder, buildkit *buildkit.Builder, es *daemonevents.Events) (*Backend, error) {
-	return &Backend{imageComponent: components, builder: builder, buildkit: buildkit, eventsService: es}, nil
-}
-
-// RegisterGRPC registers buildkit controller to the grpc server.
-func (b *Backend) RegisterGRPC(s *grpc.Server) {
-	if b.buildkit != nil {
-		b.buildkit.RegisterGRPC(s)
-	}
-}
-
-// Build builds an image from a Source
-func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string, error) {
-	options := config.Options
-	useBuildKit := options.Version == types.BuilderBuildKit
-
-	tags, err := sanitizeRepoAndTags(options.Tags)
-	if err != nil {
-		return "", err
-	}
-
-	var build *builder.Result
-	if useBuildKit {
-		build, err = b.buildkit.Build(ctx, config)
-		if err != nil {
-			return "", err
-		}
-	} else {
-		build, err = b.builder.Build(ctx, config)
-		if err != nil {
-			return "", err
-		}
-	}
-
-	if build == nil {
-		return "", nil
-	}
-
-	imageID := build.ImageID
-	if options.Squash {
-		if imageID, err = squashBuild(build, b.imageComponent); err != nil {
-			return "", err
-		}
-		if config.ProgressWriter.AuxFormatter != nil {
-			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", types.BuildResult{ID: imageID}); err != nil {
-				return "", err
-			}
-		}
-	}
-
-	if imageID != "" && !useBuildKit {
-		stdout := config.ProgressWriter.StdoutFormatter
-		_, _ = fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
-		err = tagImages(ctx, b.imageComponent, config.ProgressWriter.StdoutFormatter, image.ID(imageID), tags)
-	}
-	return imageID, err
-}
-
-// PruneCache removes all cached build sources
-func (b *Backend) PruneCache(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
-	buildCacheSize, cacheIDs, err := b.buildkit.Prune(ctx, opts)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to prune build cache")
-	}
-	b.eventsService.Log(events.ActionPrune, events.BuilderEventType, events.Actor{
-		Attributes: map[string]string{
-			"reclaimed": strconv.FormatInt(buildCacheSize, 10),
-		},
-	})
-	return &types.BuildCachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
-}
-
-// Cancel cancels the build by ID
-func (b *Backend) Cancel(ctx context.Context, id string) error {
-	return b.buildkit.Cancel(ctx, id)
-}
-
-func squashBuild(build *builder.Result, imageComponent ImageComponent) (string, error) {
-	var fromID string
-	if build.FromImage != nil {
-		fromID = build.FromImage.ImageID()
-	}
-	imageID, err := imageComponent.SquashImage(build.ImageID, fromID)
-	if err != nil {
-		return "", errors.Wrap(err, "error squashing image")
-	}
-	return imageID, nil
-}
--- a/api/server/httpstatus/status.go
+++ b/api/server/httpstatus/status.go
@@ -1,143 +0,0 @@
-package httpstatus // import "github.com/docker/docker/api/server/httpstatus"
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-
-	cerrdefs "github.com/containerd/errdefs"
-	"github.com/containerd/log"
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/docker/errdefs"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-)
-
-type causer interface {
-	Cause() error
-}
-
-// FromError retrieves status code from error message.
-func FromError(err error) int {
-	if err == nil {
-		log.G(context.TODO()).WithError(err).Error("unexpected HTTP error handling")
-		return http.StatusInternalServerError
-	}
-
-	// Stop right there
-	// Are you sure you should be adding a new error class here? Do one of the existing ones work?
-
-	// Note that the below functions are already checking the error causal chain for matches.
-	switch {
-	case errdefs.IsNotFound(err):
-		return http.StatusNotFound
-	case errdefs.IsInvalidParameter(err):
-		return http.StatusBadRequest
-	case errdefs.IsConflict(err):
-		return http.StatusConflict
-	case errdefs.IsUnauthorized(err):
-		return http.StatusUnauthorized
-	case errdefs.IsUnavailable(err):
-		return http.StatusServiceUnavailable
-	case errdefs.IsForbidden(err):
-		return http.StatusForbidden
-	case errdefs.IsNotModified(err):
-		return http.StatusNotModified
-	case errdefs.IsNotImplemented(err):
-		return http.StatusNotImplemented
-	case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
-		return http.StatusInternalServerError
-	default:
-		if statusCode := statusCodeFromGRPCError(err); statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		if statusCode := statusCodeFromContainerdError(err); statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		if statusCode := statusCodeFromDistributionError(err); statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		if e, ok := err.(causer); ok {
-			return FromError(e.Cause())
-		}
-
-		log.G(context.TODO()).WithFields(log.Fields{
-			"module":     "api",
-			"error":      err,
-			"error_type": fmt.Sprintf("%T", err),
-		}).Debug("FIXME: Got an API for which error does not match any expected type!!!")
-
-		return http.StatusInternalServerError
-	}
-}
-
-// statusCodeFromGRPCError returns status code according to gRPC error
-func statusCodeFromGRPCError(err error) int {
-	switch status.Code(err) {
-	case codes.InvalidArgument: // code 3
-		return http.StatusBadRequest
-	case codes.NotFound: // code 5
-		return http.StatusNotFound
-	case codes.AlreadyExists: // code 6
-		return http.StatusConflict
-	case codes.PermissionDenied: // code 7
-		return http.StatusForbidden
-	case codes.FailedPrecondition: // code 9
-		return http.StatusBadRequest
-	case codes.Unauthenticated: // code 16
-		return http.StatusUnauthorized
-	case codes.OutOfRange: // code 11
-		return http.StatusBadRequest
-	case codes.Unimplemented: // code 12
-		return http.StatusNotImplemented
-	case codes.Unavailable: // code 14
-		return http.StatusServiceUnavailable
-	default:
-		// codes.Canceled(1)
-		// codes.Unknown(2)
-		// codes.DeadlineExceeded(4)
-		// codes.ResourceExhausted(8)
-		// codes.Aborted(10)
-		// codes.Internal(13)
-		// codes.DataLoss(15)
-		return http.StatusInternalServerError
-	}
-}
-
-// statusCodeFromDistributionError returns status code according to registry errcode
-// code is loosely based on errcode.ServeJSON() in docker/distribution
-func statusCodeFromDistributionError(err error) int {
-	switch errs := err.(type) {
-	case errcode.Errors:
-		if len(errs) < 1 {
-			return http.StatusInternalServerError
-		}
-		if _, ok := errs[0].(errcode.ErrorCoder); ok {
-			return statusCodeFromDistributionError(errs[0])
-		}
-	case errcode.ErrorCoder:
-		return errs.ErrorCode().Descriptor().HTTPStatusCode
-	}
-	return http.StatusInternalServerError
-}
-
-// statusCodeFromContainerdError returns status code for containerd errors when
-// consumed directly (not through gRPC)
-func statusCodeFromContainerdError(err error) int {
-	switch {
-	case cerrdefs.IsInvalidArgument(err):
-		return http.StatusBadRequest
-	case cerrdefs.IsNotFound(err):
-		return http.StatusNotFound
-	case cerrdefs.IsAlreadyExists(err):
-		return http.StatusConflict
-	case cerrdefs.IsFailedPrecondition(err):
-		return http.StatusPreconditionFailed
-	case cerrdefs.IsUnavailable(err):
-		return http.StatusServiceUnavailable
-	case cerrdefs.IsNotImplemented(err):
-		return http.StatusNotImplemented
-	default:
-		return http.StatusInternalServerError
-	}
-}
--- a/api/server/httputils/decoder.go
+++ b/api/server/httputils/decoder.go
@@ -1,15 +0,0 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
-
-import (
-	"io"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/network"
-)
-
-// ContainerDecoder specifies how
-// to translate an io.Reader into
-// container configuration.
-type ContainerDecoder interface {
-	DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *network.NetworkingConfig, error)
-}
--- a/api/server/httputils/write_log_stream.go
+++ b/api/server/httputils/write_log_stream.go
@@ -1,89 +0,0 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"sort"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/docker/docker/pkg/stdcopy"
-)
-
-// WriteLogStream writes an encoded byte stream of log messages from the
-// messages channel, multiplexing them with a stdcopy.Writer if mux is true
-func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
-	// See https://github.com/moby/moby/issues/47448
-	// Trigger headers to be written immediately.
-	w.WriteHeader(http.StatusOK)
-
-	wf := ioutils.NewWriteFlusher(w)
-	defer wf.Close()
-
-	wf.Flush()
-
-	outStream := io.Writer(wf)
-	errStream := outStream
-	sysErrStream := errStream
-	if mux {
-		sysErrStream = stdcopy.NewStdWriter(outStream, stdcopy.Systemerr)
-		errStream = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
-		outStream = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
-	}
-
-	for {
-		msg, ok := <-msgs
-		if !ok {
-			return
-		}
-		// check if the message contains an error. if so, write that error
-		// and exit
-		if msg.Err != nil {
-			fmt.Fprintf(sysErrStream, "Error grabbing logs: %v\n", msg.Err)
-			continue
-		}
-		logLine := msg.Line
-		if config.Details {
-			logLine = append(attrsByteSlice(msg.Attrs), ' ')
-			logLine = append(logLine, msg.Line...)
-		}
-		if config.Timestamps {
-			logLine = append([]byte(msg.Timestamp.Format(jsonmessage.RFC3339NanoFixed)+" "), logLine...)
-		}
-		if msg.Source == "stdout" && config.ShowStdout {
-			_, _ = outStream.Write(logLine)
-		}
-		if msg.Source == "stderr" && config.ShowStderr {
-			_, _ = errStream.Write(logLine)
-		}
-	}
-}
-
-type byKey []backend.LogAttr
-
-func (b byKey) Len() int           { return len(b) }
-func (b byKey) Less(i, j int) bool { return b[i].Key < b[j].Key }
-func (b byKey) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
-
-func attrsByteSlice(a []backend.LogAttr) []byte {
-	// Note this sorts "a" in-place. That is fine here - nothing else is
-	// going to use Attrs or care about the order.
-	sort.Sort(byKey(a))
-
-	var ret []byte
-	for i, pair := range a {
-		k, v := url.QueryEscape(pair.Key), url.QueryEscape(pair.Value)
-		ret = append(ret, []byte(k)...)
-		ret = append(ret, '=')
-		ret = append(ret, []byte(v)...)
-		if i != len(a)-1 {
-			ret = append(ret, ',')
-		}
-	}
-	return ret
-}
--- a/api/server/middleware.go
+++ b/api/server/middleware.go
@@ -1,24 +0,0 @@
-package server // import "github.com/docker/docker/api/server"
-
-import (
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/middleware"
-)
-
-// handlerWithGlobalMiddlewares wraps the handler function for a request with
-// the server's global middlewares. The order of the middlewares is backwards,
-// meaning that the first in the list will be evaluated last.
-func (s *Server) handlerWithGlobalMiddlewares(handler httputils.APIFunc) httputils.APIFunc {
-	next := handler
-
-	for _, m := range s.middlewares {
-		next = m.WrapHandler(next)
-	}
-
-	if log.GetLevel() == log.DebugLevel {
-		next = middleware.DebugRequestMiddleware(next)
-	}
-
-	return next
-}
--- a/api/server/middleware/debug.go
+++ b/api/server/middleware/debug.go
@@ -1,114 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"io"
-	"net/http"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httpstatus"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/sirupsen/logrus"
-)
-
-// DebugRequestMiddleware dumps the request to logger
-func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) (retErr error) {
-		logger := log.G(ctx)
-
-		// Use a variable for fields to prevent overhead of repeatedly
-		// calling WithFields.
-		fields := log.Fields{
-			"module":      "api",
-			"method":      r.Method,
-			"request-url": r.RequestURI,
-			"vars":        vars,
-		}
-		logger.WithFields(fields).Debugf("handling %s request", r.Method)
-		defer func() {
-			if retErr != nil {
-				// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
-				fields["error-response"] = retErr
-				fields["status"] = httpstatus.FromError(retErr)
-				logger.WithFields(fields).Debugf("error response for %s request", r.Method)
-			}
-		}()
-
-		if r.Method != http.MethodPost {
-			return handler(ctx, w, r, vars)
-		}
-		if err := httputils.CheckForJSON(r); err != nil {
-			return handler(ctx, w, r, vars)
-		}
-		maxBodySize := 4096 // 4KB
-		if r.ContentLength > int64(maxBodySize) {
-			return handler(ctx, w, r, vars)
-		}
-
-		body := r.Body
-		bufReader := bufio.NewReaderSize(body, maxBodySize)
-		r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
-
-		b, err := bufReader.Peek(maxBodySize)
-		if err != io.EOF {
-			// either there was an error reading, or the buffer is full (in which case the request is too large)
-			return handler(ctx, w, r, vars)
-		}
-
-		var postForm map[string]interface{}
-		if err := json.Unmarshal(b, &postForm); err == nil {
-			maskSecretKeys(postForm)
-			// TODO(thaJeztah): is there a better way to detect if we're using JSON-formatted logs?
-			if _, ok := logger.Logger.Formatter.(*logrus.JSONFormatter); ok {
-				fields["form-data"] = postForm
-			} else {
-				if data, err := json.Marshal(postForm); err != nil {
-					fields["form-data"] = postForm
-				} else {
-					fields["form-data"] = string(data)
-				}
-			}
-		}
-
-		return handler(ctx, w, r, vars)
-	}
-}
-
-func maskSecretKeys(inp interface{}) {
-	if arr, ok := inp.([]interface{}); ok {
-		for _, f := range arr {
-			maskSecretKeys(f)
-		}
-		return
-	}
-
-	if form, ok := inp.(map[string]interface{}); ok {
-		scrub := []string{
-			// Note: The Data field contains the base64-encoded secret in 'secret'
-			// and 'config' create and update requests. Currently, no other POST
-			// API endpoints use a data field, so we scrub this field unconditionally.
-			// Change this handling to be conditional if a new endpoint is added
-			// in future where this field should not be scrubbed.
-			"data",
-			"jointoken",
-			"password",
-			"secret",
-			"signingcakey",
-			"unlockkey",
-		}
-	loop0:
-		for k, v := range form {
-			for _, m := range scrub {
-				if strings.EqualFold(m, k) {
-					form[k] = "*****"
-					continue loop0
-				}
-			}
-			maskSecretKeys(v)
-		}
-	}
-}
--- a/api/server/middleware/debug_test.go
+++ b/api/server/middleware/debug_test.go
@@ -1,75 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"testing"
-
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-)
-
-func TestMaskSecretKeys(t *testing.T) {
-	tests := []struct {
-		doc      string
-		input    map[string]interface{}
-		expected map[string]interface{}
-	}{
-		{
-			doc:      "secret/config create and update requests",
-			input:    map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
-			expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
-		},
-		{
-			doc: "masking other fields (recursively)",
-			input: map[string]interface{}{
-				"password":     "pass",
-				"secret":       "secret",
-				"jointoken":    "jointoken",
-				"unlockkey":    "unlockkey",
-				"signingcakey": "signingcakey",
-				"other": map[string]interface{}{
-					"password":     "pass",
-					"secret":       "secret",
-					"jointoken":    "jointoken",
-					"unlockkey":    "unlockkey",
-					"signingcakey": "signingcakey",
-				},
-			},
-			expected: map[string]interface{}{
-				"password":     "*****",
-				"secret":       "*****",
-				"jointoken":    "*****",
-				"unlockkey":    "*****",
-				"signingcakey": "*****",
-				"other": map[string]interface{}{
-					"password":     "*****",
-					"secret":       "*****",
-					"jointoken":    "*****",
-					"unlockkey":    "*****",
-					"signingcakey": "*****",
-				},
-			},
-		},
-		{
-			doc: "case insensitive field matching",
-			input: map[string]interface{}{
-				"PASSWORD": "pass",
-				"other": map[string]interface{}{
-					"PASSWORD": "pass",
-				},
-			},
-			expected: map[string]interface{}{
-				"PASSWORD": "*****",
-				"other": map[string]interface{}{
-					"PASSWORD": "*****",
-				},
-			},
-		},
-	}
-
-	for _, testcase := range tests {
-		t.Run(testcase.doc, func(t *testing.T) {
-			maskSecretKeys(testcase.input)
-			assert.Check(t, is.DeepEqual(testcase.expected, testcase.input))
-		})
-	}
-}
--- a/api/server/middleware/experimental.go
+++ b/api/server/middleware/experimental.go
@@ -1,28 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"context"
-	"net/http"
-)
-
-// ExperimentalMiddleware is a the middleware in charge of adding the
-// 'Docker-Experimental' header to every outgoing request
-type ExperimentalMiddleware struct {
-	experimental string
-}
-
-// NewExperimentalMiddleware creates a new ExperimentalMiddleware
-func NewExperimentalMiddleware(experimentalEnabled bool) ExperimentalMiddleware {
-	if experimentalEnabled {
-		return ExperimentalMiddleware{"true"}
-	}
-	return ExperimentalMiddleware{"false"}
-}
-
-// WrapHandler returns a new handler function wrapping the previous one in the request chain.
-func (e ExperimentalMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		w.Header().Set("Docker-Experimental", e.experimental)
-		return handler(ctx, w, r, vars)
-	}
-}
--- a/api/server/middleware/middleware.go
+++ b/api/server/middleware/middleware.go
@@ -1,12 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"context"
-	"net/http"
-)
-
-// Middleware is an interface to allow the use of ordinary functions as Docker API filters.
-// Any struct that has the appropriate signature can be registered as a middleware.
-type Middleware interface {
-	WrapHandler(func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error
-}
--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -1,86 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"runtime"
-
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/versions"
-)
-
-// VersionMiddleware is a middleware that
-// validates the client and server versions.
-type VersionMiddleware struct {
-	serverVersion string
-
-	// defaultAPIVersion is the default API version provided by the API server,
-	// specified as "major.minor". It is usually configured to the latest API
-	// version [github.com/docker/docker/api.DefaultVersion].
-	//
-	// API requests for API versions greater than this version are rejected by
-	// the server and produce a [versionUnsupportedError].
-	defaultAPIVersion string
-
-	// minAPIVersion is the minimum API version provided by the API server,
-	// specified as "major.minor".
-	//
-	// API requests for API versions lower than this version are rejected by
-	// the server and produce a [versionUnsupportedError].
-	minAPIVersion string
-}
-
-// NewVersionMiddleware creates a VersionMiddleware with the given versions.
-func NewVersionMiddleware(serverVersion, defaultAPIVersion, minAPIVersion string) (*VersionMiddleware, error) {
-	if versions.LessThan(defaultAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(defaultAPIVersion, api.DefaultVersion) {
-		return nil, fmt.Errorf("invalid default API version (%s): must be between %s and %s", defaultAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
-	}
-	if versions.LessThan(minAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(minAPIVersion, api.DefaultVersion) {
-		return nil, fmt.Errorf("invalid minimum API version (%s): must be between %s and %s", minAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
-	}
-	if versions.GreaterThan(minAPIVersion, defaultAPIVersion) {
-		return nil, fmt.Errorf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", minAPIVersion, defaultAPIVersion)
-	}
-	return &VersionMiddleware{
-		serverVersion:     serverVersion,
-		defaultAPIVersion: defaultAPIVersion,
-		minAPIVersion:     minAPIVersion,
-	}, nil
-}
-
-type versionUnsupportedError struct {
-	version, minVersion, maxVersion string
-}
-
-func (e versionUnsupportedError) Error() string {
-	if e.minVersion != "" {
-		return fmt.Sprintf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version", e.version, e.minVersion)
-	}
-	return fmt.Sprintf("client version %s is too new. Maximum supported API version is %s", e.version, e.maxVersion)
-}
-
-func (e versionUnsupportedError) InvalidParameter() {}
-
-// WrapHandler returns a new handler function wrapping the previous one in the request chain.
-func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("Api-Version", v.defaultAPIVersion)
-		w.Header().Set("Ostype", runtime.GOOS)
-
-		apiVersion := vars["version"]
-		if apiVersion == "" {
-			apiVersion = v.defaultAPIVersion
-		}
-		if versions.LessThan(apiVersion, v.minAPIVersion) {
-			return versionUnsupportedError{version: apiVersion, minVersion: v.minAPIVersion}
-		}
-		if versions.GreaterThan(apiVersion, v.defaultAPIVersion) {
-			return versionUnsupportedError{version: apiVersion, maxVersion: v.defaultAPIVersion}
-		}
-		ctx = context.WithValue(ctx, httputils.APIVersionKey{}, apiVersion)
-		return handler(ctx, w, r, vars)
-	}
-}
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -1,145 +0,0 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"runtime"
-	"testing"
-
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/server/httputils"
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-)
-
-func TestNewVersionMiddlewareValidation(t *testing.T) {
-	tests := []struct {
-		doc, defaultVersion, minVersion, expectedErr string
-	}{
-		{
-			doc:            "defaults",
-			defaultVersion: api.DefaultVersion,
-			minVersion:     api.MinSupportedAPIVersion,
-		},
-		{
-			doc:            "invalid default lower than min",
-			defaultVersion: api.MinSupportedAPIVersion,
-			minVersion:     api.DefaultVersion,
-			expectedErr:    fmt.Sprintf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", api.DefaultVersion, api.MinSupportedAPIVersion),
-		},
-		{
-			doc:            "invalid default too low",
-			defaultVersion: "0.1",
-			minVersion:     api.MinSupportedAPIVersion,
-			expectedErr:    fmt.Sprintf("invalid default API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid default too high",
-			defaultVersion: "9999.9999",
-			minVersion:     api.DefaultVersion,
-			expectedErr:    fmt.Sprintf("invalid default API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid minimum too low",
-			defaultVersion: api.MinSupportedAPIVersion,
-			minVersion:     "0.1",
-			expectedErr:    fmt.Sprintf("invalid minimum API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid minimum too high",
-			defaultVersion: api.DefaultVersion,
-			minVersion:     "9999.9999",
-			expectedErr:    fmt.Sprintf("invalid minimum API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.doc, func(t *testing.T) {
-			_, err := NewVersionMiddleware("1.2.3", tc.defaultVersion, tc.minVersion)
-			if tc.expectedErr == "" {
-				assert.Check(t, err)
-			} else {
-				assert.Check(t, is.Error(err, tc.expectedErr))
-			}
-		})
-	}
-}
-
-func TestVersionMiddlewareVersion(t *testing.T) {
-	expectedVersion := "<not set>"
-	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, is.Equal(expectedVersion, v))
-		return nil
-	}
-
-	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
-	assert.NilError(t, err)
-	h := m.WrapHandler(handler)
-
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
-	resp := httptest.NewRecorder()
-	ctx := context.Background()
-
-	tests := []struct {
-		reqVersion      string
-		expectedVersion string
-		errString       string
-	}{
-		{
-			expectedVersion: api.DefaultVersion,
-		},
-		{
-			reqVersion:      api.MinSupportedAPIVersion,
-			expectedVersion: api.MinSupportedAPIVersion,
-		},
-		{
-			reqVersion: "0.1",
-			errString:  fmt.Sprintf("client version 0.1 is too old. Minimum supported API version is %s, please upgrade your client to a newer version", api.MinSupportedAPIVersion),
-		},
-		{
-			reqVersion: "9999.9999",
-			errString:  fmt.Sprintf("client version 9999.9999 is too new. Maximum supported API version is %s", api.DefaultVersion),
-		},
-	}
-
-	for _, test := range tests {
-		expectedVersion = test.expectedVersion
-
-		err := h(ctx, resp, req, map[string]string{"version": test.reqVersion})
-
-		if test.errString != "" {
-			assert.Check(t, is.Error(err, test.errString))
-		} else {
-			assert.Check(t, err)
-		}
-	}
-}
-
-func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
-	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, len(v) != 0)
-		return nil
-	}
-
-	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
-	assert.NilError(t, err)
-	h := m.WrapHandler(handler)
-
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
-	resp := httptest.NewRecorder()
-	ctx := context.Background()
-
-	vars := map[string]string{"version": "0.1"}
-	err = h(ctx, resp, req, vars)
-	assert.Check(t, is.ErrorContains(err, ""))
-
-	hdr := resp.Result().Header
-	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
-	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("Api-Version"), api.DefaultVersion))
-	assert.Check(t, is.Equal(hdr.Get("Ostype"), runtime.GOOS))
-}
--- a/api/server/router/build/backend.go
+++ b/api/server/router/build/backend.go
@@ -1,23 +0,0 @@
-package build // import "github.com/docker/docker/api/server/router/build"
-
-import (
-	"context"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
-)
-
-// Backend abstracts an image builder whose only purpose is to build an image referenced by an imageID.
-type Backend interface {
-	// Build a Docker image returning the id of the image
-	// TODO: make this return a reference instead of string
-	Build(context.Context, backend.BuildConfig) (string, error)
-
-	// Prune build cache
-	PruneCache(context.Context, types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
-	Cancel(context.Context, string) error
-}
-
-type experimentalProvider interface {
-	HasExperimental() bool
-}
--- a/api/server/router/build/build.go
+++ b/api/server/router/build/build.go
@@ -1,60 +0,0 @@
-package build // import "github.com/docker/docker/api/server/router/build"
-
-import (
-	"runtime"
-
-	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/api/types"
-)
-
-// buildRouter is a router to talk with the build controller
-type buildRouter struct {
-	backend Backend
-	daemon  experimentalProvider
-	routes  []router.Route
-}
-
-// NewRouter initializes a new build router
-func NewRouter(b Backend, d experimentalProvider) router.Router {
-	r := &buildRouter{
-		backend: b,
-		daemon:  d,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routers to the build controller
-func (r *buildRouter) Routes() []router.Route {
-	return r.routes
-}
-
-func (r *buildRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewPostRoute("/build", r.postBuild),
-		router.NewPostRoute("/build/prune", r.postPrune),
-		router.NewPostRoute("/build/cancel", r.postCancel),
-	}
-}
-
-// BuilderVersion derives the default docker builder version from the config.
-//
-// The default on Linux is version "2" (BuildKit), but the daemon can be
-// configured to recommend version "1" (classic Builder). Windows does not
-// yet support BuildKit for native Windows images, and uses "1" (classic builder)
-// as a default.
-//
-// This value is only a recommendation as advertised by the daemon, and it is
-// up to the client to choose which builder to use.
-func BuilderVersion(features map[string]bool) types.BuilderVersion {
-	// TODO(thaJeztah) move the default to daemon/config
-	if runtime.GOOS == "windows" {
-		return types.BuilderV1
-	}
-
-	bv := types.BuilderBuildKit
-	if v, ok := features["buildkit"]; ok && !v {
-		bv = types.BuilderV1
-	}
-	return bv
-}
--- a/api/server/router/checkpoint/backend.go
+++ b/api/server/router/checkpoint/backend.go
@@ -1,10 +0,0 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
-
-import "github.com/docker/docker/api/types/checkpoint"
-
-// Backend for Checkpoint
-type Backend interface {
-	CheckpointCreate(container string, config checkpoint.CreateOptions) error
-	CheckpointDelete(container string, config checkpoint.DeleteOptions) error
-	CheckpointList(container string, config checkpoint.ListOptions) ([]checkpoint.Summary, error)
-}
--- a/api/server/router/checkpoint/checkpoint.go
+++ b/api/server/router/checkpoint/checkpoint.go
@@ -1,36 +0,0 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
-
-import (
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/router"
-)
-
-// checkpointRouter is a router to talk with the checkpoint controller
-type checkpointRouter struct {
-	backend Backend
-	decoder httputils.ContainerDecoder
-	routes  []router.Route
-}
-
-// NewRouter initializes a new checkpoint router
-func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
-	r := &checkpointRouter{
-		backend: b,
-		decoder: decoder,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routers to the checkpoint controller
-func (r *checkpointRouter) Routes() []router.Route {
-	return r.routes
-}
-
-func (r *checkpointRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewGetRoute("/containers/{name:.*}/checkpoints", r.getContainerCheckpoints, router.Experimental),
-		router.NewPostRoute("/containers/{name:.*}/checkpoints", r.postContainerCheckpoint, router.Experimental),
-		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", r.deleteContainerCheckpoint, router.Experimental),
-	}
-}
--- a/api/server/router/checkpoint/checkpoint_routes.go
+++ b/api/server/router/checkpoint/checkpoint_routes.go
@@ -1,60 +0,0 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/checkpoint"
-)
-
-func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var options checkpoint.CreateOptions
-	if err := httputils.ReadJSON(r, &options); err != nil {
-		return err
-	}
-
-	err := s.backend.CheckpointCreate(vars["name"], options)
-	if err != nil {
-		return err
-	}
-
-	w.WriteHeader(http.StatusCreated)
-	return nil
-}
-
-func (s *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	checkpoints, err := s.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
-		CheckpointDir: r.Form.Get("dir"),
-	})
-	if err != nil {
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
-}
-
-func (s *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	err := s.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
-		CheckpointDir: r.Form.Get("dir"),
-		CheckpointID:  vars["checkpoint"],
-	})
-	if err != nil {
-		return err
-	}
-
-	w.WriteHeader(http.StatusNoContent)
-	return nil
-}
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -1,80 +0,0 @@
-package container // import "github.com/docker/docker/api/server/router/container"
-
-import (
-	"context"
-	"io"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	containerpkg "github.com/docker/docker/container"
-	"github.com/docker/docker/pkg/archive"
-)
-
-// execBackend includes functions to implement to provide exec functionality.
-type execBackend interface {
-	ContainerExecCreate(name string, options *container.ExecOptions) (string, error)
-	ContainerExecInspect(id string) (*backend.ExecInspect, error)
-	ContainerExecResize(ctx context.Context, name string, height, width uint32) error
-	ContainerExecStart(ctx context.Context, name string, options backend.ExecStartConfig) error
-	ExecExists(name string) (bool, error)
-}
-
-// copyBackend includes functions to implement to provide container copy functionality.
-type copyBackend interface {
-	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *container.PathStat, err error)
-	ContainerExport(ctx context.Context, name string, out io.Writer) error
-	ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error
-	ContainerStatPath(name string, path string) (stat *container.PathStat, err error)
-}
-
-// stateBackend includes functions to implement to provide container state lifecycle functionality.
-type stateBackend interface {
-	ContainerCreate(ctx context.Context, config backend.ContainerCreateConfig) (container.CreateResponse, error)
-	ContainerKill(name string, signal string) error
-	ContainerPause(name string) error
-	ContainerRename(oldName, newName string) error
-	ContainerResize(ctx context.Context, name string, height, width uint32) error
-	ContainerRestart(ctx context.Context, name string, options container.StopOptions) error
-	ContainerRm(name string, config *backend.ContainerRmConfig) error
-	ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error
-	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
-	ContainerUnpause(name string) error
-	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error)
-	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
-}
-
-// monitorBackend includes functions to implement to provide containers monitoring functionality.
-type monitorBackend interface {
-	ContainerChanges(ctx context.Context, name string) ([]archive.Change, error)
-	ContainerInspect(ctx context.Context, name string, options backend.ContainerInspectOptions) (*container.InspectResponse, error)
-	ContainerLogs(ctx context.Context, name string, config *container.LogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
-	ContainerStats(ctx context.Context, name string, config *backend.ContainerStatsConfig) error
-	ContainerTop(name string, psArgs string) (*container.ContainerTopOKBody, error)
-	Containers(ctx context.Context, config *container.ListOptions) ([]*container.Summary, error)
-}
-
-// attachBackend includes function to implement to provide container attaching functionality.
-type attachBackend interface {
-	ContainerAttach(name string, c *backend.ContainerAttachConfig) error
-}
-
-// systemBackend includes functions to implement to provide system wide containers functionality
-type systemBackend interface {
-	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*container.PruneReport, error)
-}
-
-type commitBackend interface {
-	CreateImageFromContainer(ctx context.Context, name string, config *backend.CreateImageConfig) (imageID string, err error)
-}
-
-// Backend is all the methods that need to be implemented to provide container specific functionality.
-type Backend interface {
-	commitBackend
-	execBackend
-	copyBackend
-	stateBackend
-	monitorBackend
-	attachBackend
-	systemBackend
-}
--- a/api/server/router/container/container.go
+++ b/api/server/router/container/container.go
@@ -1,71 +0,0 @@
-package container // import "github.com/docker/docker/api/server/router/container"
-
-import (
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/router"
-)
-
-// containerRouter is a router to talk with the container controller
-type containerRouter struct {
-	backend Backend
-	decoder httputils.ContainerDecoder
-	routes  []router.Route
-	cgroup2 bool
-}
-
-// NewRouter initializes a new container router
-func NewRouter(b Backend, decoder httputils.ContainerDecoder, cgroup2 bool) router.Router {
-	r := &containerRouter{
-		backend: b,
-		decoder: decoder,
-		cgroup2: cgroup2,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routes to the container controller
-func (c *containerRouter) Routes() []router.Route {
-	return c.routes
-}
-
-// initRoutes initializes the routes in container router
-func (c *containerRouter) initRoutes() {
-	c.routes = []router.Route{
-		// HEAD
-		router.NewHeadRoute("/containers/{name:.*}/archive", c.headContainersArchive),
-		// GET
-		router.NewGetRoute("/containers/json", c.getContainersJSON),
-		router.NewGetRoute("/containers/{name:.*}/export", c.getContainersExport),
-		router.NewGetRoute("/containers/{name:.*}/changes", c.getContainersChanges),
-		router.NewGetRoute("/containers/{name:.*}/json", c.getContainersByName),
-		router.NewGetRoute("/containers/{name:.*}/top", c.getContainersTop),
-		router.NewGetRoute("/containers/{name:.*}/logs", c.getContainersLogs),
-		router.NewGetRoute("/containers/{name:.*}/stats", c.getContainersStats),
-		router.NewGetRoute("/containers/{name:.*}/attach/ws", c.wsContainersAttach),
-		router.NewGetRoute("/exec/{id:.*}/json", c.getExecByID),
-		router.NewGetRoute("/containers/{name:.*}/archive", c.getContainersArchive),
-		// POST
-		router.NewPostRoute("/containers/create", c.postContainersCreate),
-		router.NewPostRoute("/containers/{name:.*}/kill", c.postContainersKill),
-		router.NewPostRoute("/containers/{name:.*}/pause", c.postContainersPause),
-		router.NewPostRoute("/containers/{name:.*}/unpause", c.postContainersUnpause),
-		router.NewPostRoute("/containers/{name:.*}/restart", c.postContainersRestart),
-		router.NewPostRoute("/containers/{name:.*}/start", c.postContainersStart),
-		router.NewPostRoute("/containers/{name:.*}/stop", c.postContainersStop),
-		router.NewPostRoute("/containers/{name:.*}/wait", c.postContainersWait),
-		router.NewPostRoute("/containers/{name:.*}/resize", c.postContainersResize),
-		router.NewPostRoute("/containers/{name:.*}/attach", c.postContainersAttach),
-		router.NewPostRoute("/containers/{name:.*}/exec", c.postContainerExecCreate),
-		router.NewPostRoute("/exec/{name:.*}/start", c.postContainerExecStart),
-		router.NewPostRoute("/exec/{name:.*}/resize", c.postContainerExecResize),
-		router.NewPostRoute("/containers/{name:.*}/rename", c.postContainerRename),
-		router.NewPostRoute("/containers/{name:.*}/update", c.postContainerUpdate),
-		router.NewPostRoute("/containers/prune", c.postContainersPrune),
-		router.NewPostRoute("/commit", c.postCommit),
-		// PUT
-		router.NewPutRoute("/containers/{name:.*}/archive", c.putContainersArchive),
-		// DELETE
-		router.NewDeleteRoute("/containers/{name:.*}", c.deleteContainers),
-	}
-}
--- a/Show More
+++ b/Show More