Merge commit from fork

[26.0] AuthZ plugin security fixes
If url includes scheme, urlPath will drop hostname, which would not match the auth check
2026-01-12 11:11:44 +00:00 · 2024-07-23 21:36:28 +02:00 · 2024-07-17 13:09:10 +02:00 · 2024-07-17 13:09:08 +02:00 · 2024-06-08 17:25:26 +02:00 · 2024-05-08 09:43:51 +02:00
4737 changed files with 176601 additions and 388587 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,14 +19,11 @@ Please provide the following information:

 **- How to verify it**

-**- Human readable description for the release notes**
+**- Description for the changelog**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog.
-It must be placed inside the below triple backticks section.
-
-NOTE: Only fill this section if changes introduced in this PR are user-facing.
-The PR must have a relevant impact/ label.
+It must be placed inside the below triple backticks section:
 -->
 ```markdown changelog

--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -3,25 +3,15 @@ name: .dco

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:

 env:
-  ALPINE_VERSION: "3.21"
+  ALPINE_VERSION: 3.16

 jobs:
  run:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
    steps:
      -
        name: Checkout
@@ -49,12 +39,10 @@ jobs:
        name: Validate
        run: |
          docker run --rm \
-            --quiet \
-            -v ./:/workspace \
-            -w /workspace \
+            -v "$(pwd):/workspace" \
            -e VALIDATE_REPO \
            -e VALIDATE_BRANCH \
-            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && hack/validate/dco'
+            alpine:${{ env.ALPINE_VERSION }} sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
        env:
          VALIDATE_REPO: ${{ github.server_url }}/${{ github.repository }}.git
          VALIDATE_BRANCH: ${{ steps.base-ref.outputs.result }}
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -3,15 +3,6 @@ name: .test-prepare

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    outputs:
@@ -22,7 +13,6 @@ on:
 jobs:
  run:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -3,15 +3,6 @@ name: .test

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    inputs:
@@ -21,57 +12,19 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.21.9"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
  TEST_INTEGRATION_USE_SNAPSHOTTER: ${{ inputs.storage == 'snapshotter' && '1' || '' }}
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
-  unit-prepare:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    outputs:
-      includes: ${{ steps.set.outputs.includes }}
-    steps:
-      -
-        name: Create matrix includes
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let includes = [
-              { mode: '' },
-              { mode: 'rootless' },
-              { mode: 'systemd' },
-            ];
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ mode: 'firewalld' });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(includes)}`);
-              core.setOutput('includes', JSON.stringify(includes));
-            });
-      -
-        name: Show matrix
-        run: |
-          echo ${{ steps.set.outputs.includes }}
-
  unit:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - unit-prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        include: ${{ fromJson(needs.unit-prepare.outputs.includes) }}
+    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -79,25 +32,12 @@ jobs:
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -128,14 +68,14 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: test-reports-unit-${{ inputs.storage }}-${{ matrix.mode }}
+          name: test-reports-unit-${{ inputs.storage }}
          path: /tmp/reports/*
          retention-days: 1

  unit-report:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
    if: always()
    needs:
      - unit
@@ -145,12 +85,11 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Download reports
        uses: actions/download-artifact@v4
        with:
-          pattern: test-reports-unit-${{ inputs.storage }}-*
+          name: test-reports-unit-${{ inputs.storage }}
          path: /tmp/reports
      -
        name: Install teststat
@@ -163,8 +102,8 @@ jobs:

  docker-py:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -178,13 +117,9 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -220,8 +155,8 @@ jobs:

  integration-flaky:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    steps:
      -
        name: Checkout
@@ -232,13 +167,9 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -250,51 +181,21 @@ jobs:
        env:
          TEST_SKIP_INTEGRATION_CLI: 1

-  integration-prepare:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    outputs:
-      includes: ${{ steps.set.outputs.includes }}
-    steps:
-      -
-        name: Create matrix includes
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let includes = [
-              { os: 'ubuntu-20.04', mode: '' },
-              { os: 'ubuntu-20.04', mode: 'rootless' },
-              { os: 'ubuntu-20.04', mode: 'systemd' },
-              { os: 'ubuntu-22.04', mode: '' },
-              { os: 'ubuntu-22.04', mode: 'rootless' },
-              { os: 'ubuntu-22.04', mode: 'systemd' },
-              // { os: 'ubuntu-20.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
-              // { os: 'ubuntu-22.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
-            ];
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ os: 'ubuntu-22.04', mode: 'firewalld' });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(includes)}`);
-              core.setOutput('includes', JSON.stringify(includes));
-            });
-      -
-        name: Show matrix
-        run: |
-          echo ${{ steps.set.outputs.includes }}
-
  integration:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - integration-prepare
+    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
-        include: ${{ fromJson(needs.integration-prepare.outputs.includes) }}
+        os:
+          - ubuntu-20.04
+          - ubuntu-22.04
+        mode:
+          - ""
+          - rootless
+          - systemd
+          #- rootless-systemd FIXME: https://github.com/moby/moby/issues/44084
    steps:
      -
        name: Checkout
@@ -316,21 +217,13 @@ jobs:
            echo "SYSTEMD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
          fi
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -384,8 +277,8 @@ jobs:

  integration-report:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
    if: always()
    needs:
      - integration
@@ -395,7 +288,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -414,10 +306,9 @@ jobs:

  integration-cli-prepare:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
    outputs:
-      matrix: ${{ steps.set.outputs.matrix }}
+      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
      -
        name: Checkout
@@ -427,13 +318,12 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Install gotestlist
        run:
          go install github.com/crazy-max/gotestlist/cmd/gotestlist@${{ env.GOTESTLIST_VERSION }}
      -
-        name: Create test matrix
+        name: Create matrix
        id: tests
        working-directory: ./integration-cli
        run: |
@@ -445,53 +335,20 @@ jobs:
          matrix="$(gotestlist -d ${{ env.ITG_CLI_MATRIX_SIZE }} -o "./..." -o "DockerSwarmSuite" -o "DockerNetworkSuite|DockerExternalVolumeSuite" ./...)"
          echo "matrix=$matrix" >> $GITHUB_OUTPUT
      -
-        name: Create gha matrix
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let matrix = {
-              test: ${{ steps.tests.outputs.matrix }},
-              include: [],
-            };
-            // For some reasons, GHA doesn't combine a dynamically defined
-            // 'include' with other matrix variables that aren't part of the
-            // include items.
-            // Moreover, since the goal is to run only relevant tests with
-            // firewalld enabled to minimize the number of CI jobs, we
-            // statically define the list of test suites that we want to run.
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
-              });
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerSwarmSuite'
-              });
-              matrix.include.push({
-                'mode': 'firewalld',
-                'test': 'DockerNetworkSuite'
-              });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(matrix)}`);
-              core.setOutput('matrix', JSON.stringify(matrix));
-            });
-      -
-        name: Show final gha matrix
+        name: Show matrix
        run: |
-          echo ${{ steps.set.outputs.matrix }}
+          echo ${{ steps.tests.outputs.matrix }}

  integration-cli:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    needs:
      - integration-cli-prepare
    strategy:
      fail-fast: false
-      matrix: ${{ fromJson(needs.integration-cli-prepare.outputs.matrix) }}
+      matrix:
+        test: ${{ fromJson(needs.integration-cli-prepare.outputs.matrix) }}
    steps:
      -
        name: Checkout
@@ -502,25 +359,12 @@ jobs:
      -
        name: Set up tracing
        uses: ./.github/actions/setup-tracing
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -573,8 +417,8 @@ jobs:

  integration-cli-report:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    timeout-minutes: 10
    if: always()
    needs:
      - integration-cli
@@ -584,7 +428,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -3,15 +3,6 @@ name: .windows

 # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  workflow_call:
    inputs:
@@ -28,7 +19,7 @@ on:
        default: false

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.21.10"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
@@ -42,7 +33,6 @@ env:
 jobs:
  build:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -122,7 +112,7 @@ jobs:

  unit-test:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 120
    env:
      GOPATH: ${{ github.workspace }}\go
      GOBIN: ${{ github.workspace }}\go\bin
@@ -203,8 +193,7 @@ jobs:
          retention-days: 1

  unit-test-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    if: always()
    needs:
      - unit-test
@@ -214,7 +203,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
@@ -231,8 +219,7 @@ jobs:
          find /tmp/artifacts -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

  integration-test-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.tests.outputs.matrix }}
    steps:
@@ -244,7 +231,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Install gotestlist
        run:
@@ -267,8 +253,8 @@ jobs:

  integration-test:
    runs-on: ${{ inputs.os }}
-    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
+    timeout-minutes: 120
    needs:
      - build
      - integration-test-prepare
@@ -349,12 +335,33 @@ jobs:
            $ErrorActionPreference = "Stop"
            Write-Host "Service removed"
          }
+      -
+        name: Starting containerd
+        if: matrix.runtime == 'containerd'
+        run: |
+          Write-Host "Generating config"
+          & "${{ env.BIN_OUT }}\containerd.exe" config default | Out-File "$env:TEMP\ctn.toml" -Encoding ascii
+          Write-Host "Creating service"
+          New-Item -ItemType Directory "$env:TEMP\ctn-root" -ErrorAction SilentlyContinue | Out-Null
+          New-Item -ItemType Directory "$env:TEMP\ctn-state" -ErrorAction SilentlyContinue | Out-Null
+          Start-Process -Wait "${{ env.BIN_OUT }}\containerd.exe" `
+            -ArgumentList "--log-level=debug", `
+              "--config=$env:TEMP\ctn.toml", `
+              "--address=\\.\pipe\containerd-containerd", `
+              "--root=$env:TEMP\ctn-root", `
+              "--state=$env:TEMP\ctn-state", `
+              "--log-file=$env:TEMP\ctn.log", `
+              "--register-service"
+          Write-Host "Starting service"
+          Start-Service -Name containerd
+          Start-Sleep -Seconds 5
+          Write-Host "Service started successfully!"
      -
        name: Starting test daemon
        run: |
          Write-Host "Creating service"
          If ("${{ matrix.runtime }}" -eq "containerd") {
-            $runtimeArg="--default-runtime=io.containerd.runhcs.v1"
+            $runtimeArg="--containerd=\\.\pipe\containerd-containerd"
            echo "DOCKER_WINDOWS_CONTAINERD_RUNTIME=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
          New-Item -ItemType Directory "$env:TEMP\moby-root" -ErrorAction SilentlyContinue | Out-Null
@@ -394,17 +401,6 @@ jobs:
            Start-Sleep -Seconds 1
          }
          Write-Host "Test daemon started and replied!"
-          If ("${{ matrix.runtime }}" -eq "containerd") {
-            $containerdProcesses = Get-Process -Name containerd -ErrorAction:SilentlyContinue
-            If (-not $containerdProcesses) {
-              Throw "containerd process is not running"
-            } else {
-              foreach ($process in $containerdProcesses) {
-                $processPath = (Get-Process -Id $process.Id -FileVersionInfo).FileName
-                Write-Output "Running containerd instance binary Path: $($processPath)"
-              }
-            }
-          }
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
      -
@@ -433,7 +429,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Test integration
        if: matrix.test == './...'
@@ -469,6 +464,19 @@ jobs:
          & "${{ env.BIN_OUT }}\docker" info
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
+      -
+        name: Stop containerd
+        if: always() && matrix.runtime == 'containerd'
+        run: |
+          $ErrorActionPreference = "SilentlyContinue"
+          Stop-Service -Force -Name containerd
+          $ErrorActionPreference = "Stop"
+      -
+        name: Containerd logs
+        if: always() && matrix.runtime == 'containerd'
+        run: |
+          Copy-Item "$env:TEMP\ctn.log" -Destination ".\bundles\containerd.log"
+          Get-Content "$env:TEMP\ctn.log" | Out-Host
      -
        name: Stop daemon
        if: always()
@@ -504,8 +512,7 @@ jobs:
          retention-days: 1

  integration-test-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    continue-on-error: ${{ inputs.storage == 'snapshotter' && github.event_name != 'pull_request' }}
    if: always()
    needs:
@@ -527,7 +534,6 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -1,276 +0,0 @@
-name: arm64
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:
-
-env:
-  GO_VERSION: "1.23.6"
-  TESTSTAT_VERSION: v0.1.25
-  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
-  DOCKER_EXPERIMENTAL: 1
-
-jobs:
-  validate-dco:
-    uses: ./.github/workflows/.dco.yml
-
-  build:
-    runs-on: ubuntu-22.04-arm
-    timeout-minutes: 20 # guardrails timeout for the whole job
-    needs:
-      - validate-dco
-    strategy:
-      fail-fast: false
-      matrix:
-        target:
-          - binary
-          - dynbinary
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build
-        uses: docker/bake-action@v6
-        with:
-          targets: ${{ matrix.target }}
-      -
-        name: List artifacts
-        run: |
-          tree -nh ${{ env.DESTDIR }}
-      -
-        name: Check artifacts
-        run: |
-          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-
-  build-dev:
-    runs-on: ubuntu-22.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    needs:
-      - validate-dco
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            *.cache-from=type=gha,scope=dev-arm64
-            *.cache-to=type=gha,scope=dev-arm64,mode=max
-            *.output=type=cacheonly
-
-  test-unit:
-    runs-on: ubuntu-22.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    needs:
-      - build-dev
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev-arm64
-      -
-        name: Test
-        run: |
-          make -o build test-unit
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          mkdir -p bundles /tmp/reports
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
-          sudo chown -R $(id -u):$(id -g) /tmp/reports
-          tree -nh /tmp/reports
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles
-          env_vars: RUNNER_OS
-          flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-unit-arm64-graphdriver
-          path: /tmp/reports/*
-          retention-days: 1
-
-  test-unit-report:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
-    needs:
-      - test-unit
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          pattern: test-reports-unit-arm64-*
-          path: /tmp/reports
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
-
-  test-integration:
-    runs-on: ubuntu-22.04-arm
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - build-dev
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Set up tracing
-        uses: ./.github/actions/setup-tracing
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev-arm64
-      -
-        name: Test
-        run: |
-          make -o build test-integration
-        env:
-          TEST_SKIP_INTEGRATION_CLI: 1
-          TESTCOVERAGE: 1
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          reportsPath="/tmp/reports/arm64-graphdriver"
-          mkdir -p bundles $reportsPath
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C $reportsPath
-          sudo chown -R $(id -u):$(id -g) $reportsPath
-          tree -nh $reportsPath
-          curl -sSLf localhost:16686/api/traces?service=integration-test-client > $reportsPath/jaeger-trace.json
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles/test-integration
-          env_vars: RUNNER_OS
-          flags: integration
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Test daemon logs
-        if: always()
-        run: |
-          cat bundles/test-integration/docker.log
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-integration-arm64-graphdriver
-          path: /tmp/reports/*
-          retention-days: 1
-
-  test-integration-report:
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
-    needs:
-      - test-integration
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          path: /tmp/reports
-          pattern: test-reports-integration-arm64-*
-          merge-multiple: true
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -1,14 +1,5 @@
 name: bin-image

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,7 +10,6 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
    tags:
      - 'v*'
  pull_request:
@@ -31,8 +21,6 @@ env:
  PLATFORM: Moby Engine - Nightly
  PRODUCT: moby-bin
  PACKAGER_NAME: The Moby Project
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  validate-dco:
@@ -41,7 +29,6 @@ jobs:

  prepare:
    runs-on: ubuntu-20.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
    outputs:
      platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -59,7 +46,7 @@ jobs:
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
          # moby/moby-bin:latest
-          ## push semver prerelease tag v23.0.0-beta.1
+          ## push semver prelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
@@ -94,7 +81,6 @@ jobs:

  build:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare
@@ -104,16 +90,16 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
      -
        name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Download meta bake definition
        uses: actions/download-artifact@v4
@@ -126,10 +112,6 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Login to Docker Hub
        if: github.event_name != 'pull_request' && github.repository == 'moby/moby'
@@ -140,9 +122,8 @@ jobs:
      -
        name: Build
        id: bake
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
-          source: .
          files: |
            ./docker-bake.hcl
            /tmp/bake-meta.json
@@ -170,7 +151,6 @@ jobs:

  merge:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - build
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
@@ -191,10 +171,6 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -1,14 +1,5 @@
 name: buildkit

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,14 +10,11 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.21.10"
  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  validate-dco:
@@ -34,20 +22,18 @@ jobs:

  build:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: binary
      -
@@ -61,7 +47,7 @@ jobs:

  test:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 120
    needs:
      - build
    env:
@@ -101,12 +87,6 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: moby
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: BuildKit ref
        run: |
@@ -125,10 +105,6 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Download binary artifacts
        uses: actions/download-artifact@v4
@@ -144,9 +120,8 @@ jobs:
          docker info
      -
        name: Build test image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
-          source: .
          workdir: ./buildkit
          targets: integration-tests
          set: |
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,14 +1,5 @@
 name: ci

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,13 +10,10 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
  DESTDIR: ./build
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  validate-dco:
@@ -33,7 +21,6 @@ jobs:

  build:
    runs-on: ubuntu-20.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
    strategy:
@@ -43,16 +30,17 @@ jobs:
          - binary
          - dynbinary
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: ${{ matrix.target }}
      -
@@ -65,8 +53,7 @@ jobs:
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +

  prepare-cross:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
+    runs-on: ubuntu-latest
    needs:
      - validate-dco
    outputs:
@@ -88,7 +75,6 @@ jobs:

  cross:
    runs-on: ubuntu-20.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare-cross
@@ -97,6 +83,11 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      -
        name: Prepare
        run: |
@@ -105,13 +96,9 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: all
          set: |
@@ -124,33 +111,3 @@ jobs:
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
-
-  govulncheck:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    permissions:
-      # required to write sarif report
-      security-events: write
-      # required to check out the repository
-      contents: read
-    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Run
-        uses: docker/bake-action@v6
-        with:
-          targets: govulncheck
-        env:
-          GOVULNCHECK_FORMAT: sarif
-      -
-        name: Upload SARIF report
-        if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,71 +0,0 @@
-name: codeql
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-    tags:
-      - 'v*'
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["master"]
-  schedule:
-    #        ┌───────────── minute (0 - 59)
-    #        │ ┌───────────── hour (0 - 23)
-    #        │ │ ┌───────────── day of the month (1 - 31)
-    #        │ │ │ ┌───────────── month (1 - 12)
-    #        │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        * * * * *
-    - cron: '0 9 * * 4'
-
-jobs:
-  codeql:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
-      # and is trying to be smart by searching for modules in every directory,
-      # including vendor directories. If no module is found, it's creating one
-      # which is ... not what we want, so let's give it a "go.mod".
-      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
-      - name: Create go.mod
-        run: |
-          ln -s vendor.mod go.mod
-          ln -s vendor.sum go.sum
-      - name: Update Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.6"
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: go
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: "/language:go"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,14 +1,5 @@
 name: test

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,15 +10,12 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: "1.21.10"
  GIT_PAGER: "cat"
  PAGER: "cat"
-  SETUP_BUILDX_VERSION: edge
-  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

 jobs:
  validate-dco:
@@ -35,7 +23,6 @@ jobs:

  build-dev:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    needs:
      - validate-dco
    strategy:
@@ -51,16 +38,15 @@ jobs:
          if [ "${{ matrix.mode }}" = "systemd" ]; then
            echo "SYSTEMD=true" >> $GITHUB_ENV
          fi
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -85,7 +71,6 @@ jobs:

  validate-prepare:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
@@ -107,7 +92,7 @@ jobs:

  validate:
    runs-on: ubuntu-20.04
-    timeout-minutes: 30 # guardrails timeout for the whole job
+    timeout-minutes: 120
    needs:
      - validate-prepare
      - build-dev
@@ -127,13 +112,9 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Build dev image
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: dev
          set: |
@@ -145,7 +126,6 @@ jobs:

  smoke-prepare:
    runs-on: ubuntu-20.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
    needs:
      - validate-dco
    outputs:
@@ -167,7 +147,6 @@ jobs:

  smoke:
    runs-on: ubuntu-20.04
-    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - smoke-prepare
    strategy:
@@ -175,6 +154,9 @@ jobs:
      matrix:
        platform: ${{ fromJson(needs.smoke-prepare.outputs.matrix) }}
    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
      -
        name: Prepare
        run: |
@@ -186,13 +168,9 @@ jobs:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
      -
        name: Test
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@v4
        with:
          targets: binary-smoketest
          set: |
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -1,22 +1,12 @@
 name: validate-pr

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 on:
  pull_request:
-    types: [opened, edited, labeled, unlabeled, synchronize]
+    types: [opened, edited, labeled, unlabeled]

 jobs:
  check-area-label:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    steps:
      - name: Missing `area/` label
        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
@@ -27,10 +17,9 @@ jobs:
        run: exit 0

  check-changelog:
+    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
-      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
      PR_BODY: |
        ${{ github.event.pull_request.body }}
    steps:
@@ -42,23 +31,15 @@ jobs:
          # Strip empty lines
          desc=$(echo "$block" |  awk NF)

-          if [ "$HAS_IMPACT_LABEL" = "true" ]; then
-            if [ -z "$desc" ]; then
-              echo "::error::Changelog section is empty. Please provide a description for the changelog."
-              exit 1
-            fi
+          if [ -z "$desc" ]; then
+            echo "::error::Changelog section is empty. Please provide a description for the changelog."
+            exit 1
+          fi

-            len=$(echo -n "$desc" | wc -c)
-            if [[ $len -le 6 ]]; then
-              echo "::error::Description looks too short: $desc"
-              exit 1
-            fi
-          else
-            if [ -n "$desc" ]; then
-              echo "::error::PR has a changelog description, but no changelog label"
-              echo "::error::Please add the relevant 'impact/' label to the PR or remove the changelog description"
-              exit 1
-            fi
+          len=$(echo -n "$desc" | wc -c)
+          if [[ $len -le 6 ]]; then
+            echo "::error::Description looks too short: $desc"
+            exit 1
          fi

          echo "This PR will be included in the release notes with the following note:"
@@ -66,23 +47,16 @@ jobs:

  check-pr-branch:
    runs-on: ubuntu-20.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      # Backports or PR that target a release branch directly should mention the target branch in the title, for example:
      # [X.Y backport] Some change that needs backporting to X.Y
      # [X.Y] Change directly targeting the X.Y branch
-      - name: Check release branch
+      - name: Get branch from PR title
        id: title_branch
-        run: |
-          # get the intended major version prefix ("[27.1 backport]" -> "27.") from the PR title.
-          [[ "$PR_TITLE" =~ ^\[([0-9]*\.)[^]]*\] ]] && branch="${BASH_REMATCH[1]}"
+        run: echo "$PR_TITLE" | sed -n 's/^\[\([0-9]*\.[0-9]*\)[^]]*\].*/branch=\1/p' >> $GITHUB_OUTPUT

-          # get major version prefix from the release branch ("27.x -> "27.")
-          [[ "$GITHUB_BASE_REF" =~ ^([0-9]*\.) ]] && target_branch="${BASH_REMATCH[1]}" || target_branch="$GITHUB_BASE_REF"
-
-          if [[ "$target_branch" != "$branch" ]] && ! [[ "$GITHUB_BASE_REF" == "master" && "$branch" == "" ]]; then
-              echo "::error::PR is opened against the $GITHUB_BASE_REF branch, but its title suggests otherwise."
-              exit 1
-          fi
+      - name: Check release branch
+        if: github.event.pull_request.base.ref != steps.title_branch.outputs.branch && !(github.event.pull_request.base.ref == 'master' && steps.title_branch.outputs.branch == '')
+        run: echo "::error::PR title suggests targetting the ${{ steps.title_branch.outputs.branch }} branch, but is opened against ${{ github.event.pull_request.base.ref }}" && exit 1
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -1,14 +1,5 @@
 name: windows-2019

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -1,14 +1,5 @@
 name: windows-2022

-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -19,7 +10,6 @@ on:
    branches:
      - 'master'
      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
  pull_request:

 jobs:
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,124 +1,36 @@
 linters:
  enable:
-    - asasalint     # Detects "[]any" used as argument for variadic "func(...any)".
-    - copyloopvar   # Detects places where loop variables are copied.
    - depguard
-    - dogsled       # Detects assignments with too many blank identifiers.
-    - dupword       # Detects duplicate words.
-    - durationcheck # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
-    - errchkjson    # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
-    - exhaustive    # Detects missing options in enum switch statements.
-    - exptostd      # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
-    - fatcontext    # Detects nested contexts in loops and function literals.
-    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - dupword         # Checks for duplicate words in the source code.
    - goimports
-    - gosec         # Detects security problems.
+    - gosec
    - gosimple
    - govet
-    - forbidigo
-    - iface         # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
    - importas
    - ineffassign
-    - makezero      # Finds slice declarations with non-zero initial length.
-    - mirror        # Detects wrong mirror patterns of bytes/strings usage.
-    - misspell      # Detects commonly misspelled English words in comments.
-    - nilnesserr    # Detects returning nil errors. It combines the features of nilness and nilerr,
-    - nosprintfhostport # Detects misuse of Sprintf to construct a host with port in a URL.
-    - reassign      # Detects reassigning a top-level variable in another package.
-    - revive        # Metalinter; drop-in replacement for golint.
-    - spancheck     # Detects mistakes with OpenTelemetry/Census spans.
+    - misspell
+    - revive
    - staticcheck
    - typecheck
-    - unconvert     # Detects unnecessary type conversions.
+    - unconvert
    - unused
-    - wastedassign  # Detects wasted assignment statements.

  disable:
    - errcheck

-run:
-  # prevent golangci-lint from deducting the go version to lint for through go.mod,
-  # which causes it to fallback to go1.17 semantics.
-  go: "1.23.6"
-  concurrency: 2
-  # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
-  # modules-download-mode: vendor
+  run:
+    concurrency: 2
+    modules-download-mode: vendor
+
+    skip-dirs:
+      - docs

 linters-settings:
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: io/ioutil
-            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
-          - pkg: "github.com/stretchr/testify/assert"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/require"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/suite"
-            desc: Do not use
-          - pkg: "github.com/containerd/containerd/errdefs"
-            desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
-          - pkg: "github.com/containerd/containerd/log"
-            desc: The logs package has moved to a separate module, https://github.com/containerd/log
-          - pkg: "github.com/containerd/containerd/pkg/userns"
-            desc: Use github.com/moby/sys/userns instead.
-          - pkg: "github.com/tonistiigi/fsutil"
-            desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
-
  dupword:
    ignore:
      - "true"    # some tests use this as expected output
      - "false"   # some tests use this as expected output
      - "root"    # for tests using "ls" output with files owned by "root:root"
-
-  exhaustive:
-    # Program elements to check for exhaustiveness.
-    # Default: [ switch ]
-    check:
-      - switch
-      # - map # TODO(thaJeztah): also enable for maps
-    # Presence of "default" case in switch statements satisfies exhaustiveness,
-    # even if all enum members are not listed.
-    # Default: false
-    #
-    # TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
-    default-signifies-exhaustive: true
-
-  forbidigo:
-    forbid:
-      - pkg: ^sync/atomic$
-        p: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
-        msg: Go 1.19 atomic types should be used instead.
-      - pkg: ^regexp$
-        p: ^regexp\.MustCompile
-        msg: Use internal/lazyregexp.New instead.
-      - pkg: github.com/vishvananda/netlink$
-        p: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
-        msg: Use internal nlwrap package for EINTR handling.
-      - pkg: github.com/docker/docker/internal/nlwrap$
-        p: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
-        msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
-    analyze-types: true
-
-  gosec:
-    excludes:
-      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
-      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
-      - G204 # G204: Subprocess launched with variable; too many false positives.
-      - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
-      - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
-      - G304 # G304: Potential file inclusion via variable.
-      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-      - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
-
-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment # TODO: evaluate which ones should be updated.
-
  importas:
    # Do not allow unaliased imports of aliased packages.
    no-unaliased: true
@@ -126,33 +38,28 @@ linters-settings:
    alias:
      # Enforce alias to prevent it accidentally being used instead of our
      # own errdefs package (or vice-versa).
-      - pkg: github.com/containerd/errdefs
+      - pkg: github.com/containerd/containerd/errdefs
        alias: cerrdefs
-      - pkg: github.com/containerd/containerd/images
-        alias: c8dimages
      - pkg: github.com/opencontainers/image-spec/specs-go/v1
        alias: ocispec

+  govet:
+    check-shadowing: false
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: io/ioutil
+            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
  revive:
    rules:
      # FIXME make sure all packages have a description. Currently, there's many packages without.
      - name: package-comments
        disabled: true
-
-  spancheck:
-    # Default: ["end"]
-    checks:
-      - end             # check that `span.End()` is called
-      - record-error    # check that `span.RecordError(err)` is called when an error is returned
-      - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
-
 issues:
  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
  exclude-use-default: false

-  exclude-dirs:
-    - docs
-
  exclude-rules:
    # We prefer to use an "exclude-list" so that new "default" exclusions are not
    # automatically inherited. We can decide whether or not to follow upstream
@@ -161,25 +68,50 @@ issues:
    # (unlike the "include" option), the "exclude" option does not take exclusion
    # ID's.
    #
-    # These exclusion patterns are copied from the default excludes at:
-    # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
-    #
-    # The default list of exclusions can be found at:
-    # https://golangci-lint.run/usage/false-positives/#default-exclusions
+    # These exclusion patterns are copied from the default excluses at:
+    # https://github.com/golangci/golangci-lint/blob/v1.46.2/pkg/config/issues.go#L10-L104

    # EXC0001
    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
      linters:
        - errcheck
+    # EXC0006
+    - text: "Use of unsafe calls should be audited"
+      linters:
+        - gosec
+    # EXC0007
+    - text: "Subprocess launch(ed with variable|ing should be audited)"
+      linters:
+        - gosec
+    # EXC0008
+    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
+    - text: "(G104|G307)"
+      linters:
+        - gosec
+    # EXC0009
+    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+      linters:
+        - gosec
+    # EXC0010
+    - text: "Potential file inclusion via variable"
+      linters:
+        - gosec
+
+    # Looks like the match in "EXC0007" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
+      linters:
+        - gosec
+    # Looks like the match in "EXC0009" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G306: Expect WriteFile permissions to be 0600 or less"
+      linters:
+        - gosec

    # Exclude some linters from running on tests files.
    - path: _test\.go
      linters:
        - errcheck
-
-    - text: "G404: Use of weak random number generator"
-      path: _test\.go
-      linters:
        - gosec

    # Suppress golint complaining about generated types in api/types/
@@ -187,49 +119,11 @@ issues:
      path: "api/types/(volume|container)/"
      linters:
        - revive
-
-    # FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
-    - text: "assigned to ctx, but never used afterwards"
-      linters:
-        - wastedassign
-
-    - text: "ineffectual assignment to ctx"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
-      linters:
-        - ineffassign
-
-    - text: "SA4006: this value of `ctx` is never used"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
+    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
+    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
      linters:
        - staticcheck

-    # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
-    # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
-    - text: 'nested context in function literal'
-      path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
-      linters:
-        - fatcontext
-
-    - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
-      linters:
-        - govet
-    - text: '^shadow: declaration of "(out)" shadows declaration'
-      path: _test\.go
-      linters:
-        - govet
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: _test\.go
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "internal/lazyregexp"
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "libnetwork/cmd/networkdb-test/dbclient"
-      linters:
-        - forbidigo
-
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-issues-per-linter: 0

--- a/.mailmap
+++ b/.mailmap
@@ -7,7 +7,6 @@
 #
 # For an explanation of this file format, consult gitmailmap(5).

-Aaron Yoshitake <airandfingers@gmail.com>
 Aaron L. Xu <liker.xu@foxmail.com>
 Aaron L. Xu <liker.xu@foxmail.com> <likexu@harmonycloud.cn>
 Aaron Lehmann <alehmann@netflix.com>
@@ -31,11 +30,9 @@ Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> <suda.akihiro@lab.ntt.co.jp>
 Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> <suda.kyoto@gmail.com>
 Akshay Moghe <akshay.moghe@gmail.com>
-Alano Terblanche <alano.terblanche@docker.com>
-Alano Terblanche <alano.terblanche@docker.com> <18033717+Benehiko@users.noreply.github.com>
 Albin Kerouanton <albinker@gmail.com>
-Albin Kerouanton <albinker@gmail.com> <557933+akerouanton@users.noreply.github.com>
 Albin Kerouanton <albinker@gmail.com> <albin@akerouanton.name>
+Albin Kerouanton <albinker@gmail.com> <557933+akerouanton@users.noreply.github.com>
 Aleksa Sarai <asarai@suse.de>
 Aleksa Sarai <asarai@suse.de> <asarai@suse.com>
 Aleksa Sarai <asarai@suse.de> <cyphar@cyphar.com>
@@ -62,8 +59,6 @@ Allen Sun <allensun.shl@alibaba-inc.com> <allen.sun@daocloud.io>
 Allen Sun <allensun.shl@alibaba-inc.com> <shlallen1990@gmail.com>
 Anca Iordache <anca.iordache@docker.com>
 Andrea Denisse Gómez <crypto.andrea@protonmail.ch>
-Andrew Baxter <423qpsxzhh8k3h@s.rendaw.me>
-Andrew Baxter <423qpsxzhh8k3h@s.rendaw.me> andrew <>
 Andrew Kim <taeyeonkim90@gmail.com>
 Andrew Kim <taeyeonkim90@gmail.com> <akim01@fortinet.com>
 Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@microsoft.com>
@@ -94,8 +89,6 @@ Arnaud Rebillout <arnaud.rebillout@collabora.com>
 Arnaud Rebillout <arnaud.rebillout@collabora.com> <elboulangero@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Artur Meyster <arthurfbi@yahoo.com>
-Austin Vazquez <macedonv@amazon.com>
-Austin Vazquez <macedonv@amazon.com> <55906459+austinvazquez@users.noreply.github.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -126,7 +119,6 @@ Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.home>
 Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.local>
 Brian Goff <cpuguy83@gmail.com> <brian.goff@microsoft.com>
 Brian Goff <cpuguy83@gmail.com> <cpuguy@hey.com>
-Calvin Liu <flycalvin@qq.com>
 Cameron Sparr <gh@sparr.email>
 Carlos de Paula <me@carlosedp.com>
 Chander Govindarajan <chandergovind@gmail.com>
@@ -138,7 +130,6 @@ Chen Mingjie <chenmingjie0828@163.com>
 Chen Qiu <cheney-90@hotmail.com>
 Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
 Chengfei Shang <cfshang@alauda.io>
-Chentianze <cmoman@126.com>
 Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
 Chris Price <cprice@mirantis.com>
@@ -147,8 +138,6 @@ Chris Telfer <ctelfer@docker.com>
 Chris Telfer <ctelfer@docker.com> <ctelfer@users.noreply.github.com>
 Christopher Biscardi <biscarch@sketcht.com>
 Christopher Latham <sudosurootdev@gmail.com>
-Christopher Petito <chrisjpetito@gmail.com>
-Christopher Petito <chrisjpetito@gmail.com> <47751006+krissetto@users.noreply.github.com>
 Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com> <chenchun.feed@gmail.com>
 Corbin Coleman <corbin.coleman@docker.com>
@@ -184,8 +173,6 @@ Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
 Dave Goodchild <buddhamagnet@gmail.com>
 Dave Henderson <dhenderson@gmail.com> <Dave.Henderson@ca.ibm.com>
 Dave Tucker <dt@docker.com> <dave@dtucker.co.uk>
-David Dooling <dooling@gmail.com>
-David Dooling <dooling@gmail.com> <david.dooling@docker.com>
 David M. Karr <davidmichaelkarr@gmail.com>
 David Sheets <dsheets@docker.com> <sheets@alum.mit.edu>
 David Sissitka <me@dsissitka.com>
@@ -232,8 +219,6 @@ Felix Hupfeld <felix@quobyte.com> <quofelix@users.noreply.github.com>
 Felix Ruess <felix.ruess@gmail.com> <felix.ruess@roboception.de>
 Feng Yan <fy2462@gmail.com>
 Fengtu Wang <wangfengtu@huawei.com> <wangfengtu@huawei.com>
-Filipe Pina <hzlu1ot0@duck.com>
-Filipe Pina <hzlu1ot0@duck.com> <636320+fopina@users.noreply.github.com>
 Francisco Carriedo <fcarriedo@gmail.com>
 Frank Rosquin <frank.rosquin+github@gmail.com> <frank.rosquin@gmail.com>
 Frank Yang <yyb196@gmail.com>
@@ -285,7 +270,6 @@ Hollie Teal <hollie@docker.com> <hollie.teal@docker.com>
 Hollie Teal <hollie@docker.com> <hollietealok@users.noreply.github.com>
 hsinko <21551195@zju.edu.cn> <hsinko@users.noreply.github.com>
 Hu Keping <hukeping@huawei.com>
-Huajin Tong <fliterdashen@gmail.com>
 Hui Kang <hkang.sunysb@gmail.com>
 Hui Kang <hkang.sunysb@gmail.com> <kangh@us.ibm.com>
 Huu Nguyen <huu@prismskylabs.com> <whoshuu@gmail.com>
@@ -352,8 +336,6 @@ John Howard <github@lowenna.com> <john.howard@microsoft.com>
 John Howard <github@lowenna.com> <john@lowenna.com>
 John Stephens <johnstep@docker.com> <johnstep@users.noreply.github.com>
 Jon Surrell <jon.surrell@gmail.com> <jon.surrell@automattic.com>
-Jonathan A. Sternberg <jonathansternberg@gmail.com>
-Jonathan A. Sternberg <jonathansternberg@gmail.com> <jonathan.sternberg@docker.com>
 Jonathan Choy <jonathan.j.choy@gmail.com>
 Jonathan Choy <jonathan.j.choy@gmail.com> <oni@tetsujinlabs.com>
 Jordan Arentsen <blissdev@gmail.com>
@@ -496,20 +478,19 @@ Mikael Davranche <mikael.davranche@corp.ovh.com> <mikael.davranche@corp.ovh.net>
 Mike Casas <mkcsas0@gmail.com> <mikecasas@users.noreply.github.com>
 Mike Goelzer <mike.goelzer@docker.com> <mgoelzer@docker.com>
 Milas Bowman <devnull@milas.dev>
-Milas Bowman <devnull@milas.dev> <milas.bowman@docker.com>
 Milas Bowman <devnull@milas.dev> <milasb@gmail.com>
+Milas Bowman <devnull@milas.dev> <milas.bowman@docker.com>
 Milind Chawre <milindchawre@gmail.com>
 Misty Stanley-Jones <misty@docker.com> <misty@apache.org>
 Mohammad Banikazemi <MBanikazemi@gmail.com>
 Mohammad Banikazemi <MBanikazemi@gmail.com> <mb@us.ibm.com>
-Mohd Sadiq <mohdsadiq058@gmail.com> <42430865+msadiq058@users.noreply.github.com>
 Mohd Sadiq <mohdsadiq058@gmail.com> <mohdsadiq058@gmail.com>
+Mohd Sadiq <mohdsadiq058@gmail.com> <42430865+msadiq058@users.noreply.github.com>
 Mohit Soni <mosoni@ebay.com> <mohitsoni1989@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
 Moysés Borges <moysesb@gmail.com>
 Moysés Borges <moysesb@gmail.com> <moyses.furtado@wplex.com.br>
 mrfly <mr.wrfly@gmail.com> <wrfly@users.noreply.github.com>
-Myeongjoon Kim <kimmj8409@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Natasha Jarus <linuxmercedes@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
@@ -529,11 +510,8 @@ Olli Janatuinen <olli.janatuinen@gmail.com> <olljanat@users.noreply.github.com>
 Onur Filiz <onur.filiz@microsoft.com>
 Onur Filiz <onur.filiz@microsoft.com> <ofiliz@users.noreply.github.com>
 Ouyang Liduo <oyld0210@163.com>
-Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
-Paweł Gronowski <pawel.gronowski@docker.com>
-Paweł Gronowski <pawel.gronowski@docker.com> <me@woland.xyz>
 Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
 Pawel Konczalski <mail@konczalski.de>
 Peter Choi <phkchoi89@gmail.com> <reikani@Peters-MacBook-Pro.local>
@@ -555,21 +533,16 @@ Qin TianHuan <tianhuan@bingotree.cn>
 Ray Tsang <rayt@google.com> <saturnism@users.noreply.github.com>
 Renaud Gaubert <rgaubert@nvidia.com> <renaud.gaubert@gmail.com>
 Richard Scothern <richard.scothern@gmail.com>
-Rob Murray <rob.murray@docker.com>
-Rob Murray <rob.murray@docker.com> <148866618+robmry@users.noreply.github.com>
 Robert Terhaar <rterhaar@atlanticdynamic.com> <robbyt@users.noreply.github.com>
 Roberto G. Hashioka <roberto.hashioka@docker.com> <roberto_hashioka@hotmail.com>
 Roberto Muñoz Fernández <robertomf@gmail.com> <roberto.munoz.fernandez.contractor@bbva.com>
 Robin Thoni <robin@rthoni.com>
-Rodrigo Campos <rodrigoca@microsoft.com>
-Rodrigo Campos <rodrigoca@microsoft.com> <rodrigo@kinvolk.io>
 Roman Dudin <katrmr@gmail.com> <decadent@users.noreply.github.com>
 Rong Zhang <rongzhang@alauda.io>
 Rongxiang Song <tinysong1226@gmail.com>
 Rony Weng <ronyweng@synology.com>
 Ross Boucher <rboucher@gmail.com>
 Rui Cao <ruicao@alauda.io>
-Rui JingAn <quiterace@gmail.com>
 Runshen Zhu <runshen.zhu@gmail.com>
 Ryan Stelly <ryan.stelly@live.com>
 Ryoga Saito <contact@proelbtn.com>
@@ -590,7 +563,6 @@ Sebastiaan van Stijn <github@gone.nl> <sebastiaan@ws-key-sebas3.dpi1.dpi>
 Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
 Sebastian Thomschke <sebthom@users.noreply.github.com>
 Seongyeol Lim <seongyeol37@gmail.com>
-Serhii Nakon <serhii.n@thescimus.com>
 Shaun Kaasten <shaunk@gmail.com>
 Shawn Landden <shawn@churchofgit.com> <shawnlandden@gmail.com>
 Shengbo Song <thomassong@tencent.com>
--- a/61
+++ b/61
@@ -2,9 +2,7 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.

-7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
-Aarni Koskela <akx@iki.fi>
 Aaron Davidson <aaron@databricks.com>
 Aaron Feng <aaron.feng@gmail.com>
 Aaron Hnatiw <aaron@griddio.com>
@@ -12,8 +10,6 @@ Aaron Huslage <huslage@gmail.com>
 Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
 Aaron Welch <welch@packet.net>
-Aaron Yoshitake <airandfingers@gmail.com>
-Abdur Rehman <abdur_rehman@mentor.com>
 Abel Muiño <amuino@gmail.com>
 Abhijeet Kasurde <akasurde@redhat.com>
 Abhinandan Prativadi <aprativadi@gmail.com>
@@ -27,11 +23,9 @@ Adam Avilla <aavilla@yp.com>
 Adam Dobrawy <naczelnik@jawnosc.tk>
 Adam Eijdenberg <adam.eijdenberg@gmail.com>
 Adam Kunk <adam.kunk@tiaa-cref.org>
-Adam Lamers <adam.lamers@wmsdev.pl>
 Adam Miller <admiller@redhat.com>
 Adam Mills <adam@armills.info>
 Adam Pointer <adam.pointer@skybettingandgaming.com>
-Adam Simon <adamsimon85100@gmail.com>
 Adam Singer <financeCoding@gmail.com>
 Adam Thornton <adam.thornton@maryville.com>
 Adam Walz <adam@adamwalz.net>
@@ -68,7 +62,6 @@ alambike <alambike@gmail.com>
 Alan Hoyle <alan@alanhoyle.com>
 Alan Scherger <flyinprogrammer@gmail.com>
 Alan Thompson <cloojure@gmail.com>
-Alano Terblanche <alano.terblanche@docker.com>
 Albert Callarisa <shark234@gmail.com>
 Albert Zhang <zhgwenming@gmail.com>
 Albin Kerouanton <albinker@gmail.com>
@@ -124,7 +117,6 @@ amangoel <amangoel@gmail.com>
 Amen Belayneh <amenbelayneh@gmail.com>
 Ameya Gawde <agawde@mirantis.com>
 Amir Goldstein <amir73il@aquasec.com>
-AmirBuddy <badinlu.amirhossein@gmail.com>
 Amit Bakshi <ambakshi@gmail.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
@@ -149,7 +141,6 @@ Andreas Tiefenthaler <at@an-ti.eu>
 Andrei Gherzan <andrei@resin.io>
 Andrei Ushakov <aushakov@netflix.com>
 Andrei Vagin <avagin@gmail.com>
-Andrew Baxter <423qpsxzhh8k3h@s.rendaw.me>
 Andrew C. Bodine <acbodine@us.ibm.com>
 Andrew Clay Shafer <andrewcshafer@gmail.com>
 Andrew Duckworth <grillopress@gmail.com>
@@ -174,7 +165,6 @@ Andrey Kolomentsev <andrey.kolomentsev@docker.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
 André Martins <aanm90@gmail.com>
-Andrés Maldonado <maldonado@codelutin.com>
 Andy Chambers <anchambers@paypal.com>
 andy diller <dillera@gmail.com>
 Andy Goldstein <agoldste@redhat.com>
@@ -203,7 +193,6 @@ Anton Löfgren <anton.lofgren@gmail.com>
 Anton Nikitin <anton.k.nikitin@gmail.com>
 Anton Polonskiy <anton.polonskiy@gmail.com>
 Anton Tiurin <noxiouz@yandex.ru>
-Antonio Aguilar <antonio@zoftko.com>
 Antonio Murdaca <antonio.murdaca@gmail.com>
 Antonis Kalipetis <akalipetis@gmail.com>
 Antony Messerli <amesserl@rackspace.com>
@@ -226,13 +215,13 @@ Artur Meyster <arthurfbi@yahoo.com>
 Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
-Ashly Mathew <ashly.mathew@sap.com>
 Austin Vazquez <macedonv@amazon.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
 Avi Miller <avi.miller@oracle.com>
 Avi Vaid <avaid1996@gmail.com>
+ayoshitake <airandfingers@gmail.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bao Yonglei <baoyonglei@huawei.com>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
@@ -327,7 +316,6 @@ Burke Libbey <burke@libbey.me>
 Byung Kang <byung.kang.ctr@amrdec.army.mil>
 Caleb Spare <cespare@gmail.com>
 Calen Pennington <cale@edx.org>
-Calvin Liu <flycalvin@qq.com>
 Cameron Boehmer <cameron.boehmer@gmail.com>
 Cameron Sparr <gh@sparr.email>
 Cameron Spear <cameronspear@gmail.com>
@@ -353,7 +341,6 @@ Chance Zibolski <chance.zibolski@gmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chanhun Jeong <keyolk@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
-Charity Kathure <ckathure@microsoft.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Hooper <charles.hooper@dotcloud.com>
 Charles Law <claw@conduce.com>
@@ -375,7 +362,6 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
-Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
 Chetan Birajdar <birajdar.chetan@gmail.com>
@@ -423,7 +409,6 @@ Christopher Crone <christopher.crone@docker.com>
 Christopher Currie <codemonkey+github@gmail.com>
 Christopher Jones <tophj@linux.vnet.ibm.com>
 Christopher Latham <sudosurootdev@gmail.com>
-Christopher Petito <chrisjpetito@gmail.com>
 Christopher Rigor <crigor@gmail.com>
 Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com>
@@ -489,7 +474,6 @@ Daniel Farrell <dfarrell@redhat.com>
 Daniel Garcia <daniel@danielgarcia.info>
 Daniel Gasienica <daniel@gasienica.ch>
 Daniel Grunwell <mwgrunny@gmail.com>
-Daniel Guns <danbguns@gmail.com>
 Daniel Helfand <helfand.4@gmail.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel J Walsh <dwalsh@redhat.com>
@@ -685,7 +669,6 @@ Erik Hollensbe <github@hollensbe.org>
 Erik Inge Bolsø <knan@redpill-linpro.com>
 Erik Kristensen <erik@erikkristensen.com>
 Erik Sipsma <erik@sipsma.dev>
-Erik Sjölund <erik.sjolund@gmail.com>
 Erik St. Martin <alakriti@gmail.com>
 Erik Weathers <erikdw@gmail.com>
 Erno Hopearuoho <erno.hopearuoho@gmail.com>
@@ -748,7 +731,6 @@ Feroz Salam <feroz.salam@sourcegraph.com>
 Ferran Rodenas <frodenas@gmail.com>
 Filipe Brandenburger <filbranden@google.com>
 Filipe Oliveira <contato@fmoliveira.com.br>
-Filipe Pina <hzlu1ot0@duck.com>
 Flavio Castelli <fcastelli@suse.com>
 Flavio Crisciani <flavio.crisciani@docker.com>
 Florian <FWirtz@users.noreply.github.com>
@@ -773,7 +755,6 @@ Frank Macreery <frank@macreery.com>
 Frank Rosquin <frank.rosquin+github@gmail.com>
 Frank Villaro-Dixon <frank.villarodixon@merkle.com>
 Frank Yang <yyb196@gmail.com>
-François Scala <github@arcenik.net>
 Fred Lifton <fred.lifton@docker.com>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederico F. de Oliveira <FreddieOliveira@users.noreply.github.com>
@@ -794,7 +775,6 @@ Gabriel L. Somlo <gsomlo@gmail.com>
 Gabriel Linder <linder.gabriel@gmail.com>
 Gabriel Monroy <gabriel@opdemand.com>
 Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
-Gabriel Tomitsuka <gabriel@tomitsuka.com>
 Gaetan de Villele <gdevillele@gmail.com>
 Galen Sampson <galen.sampson@gmail.com>
 Gang Qiao <qiaohai8866@gmail.com>
@@ -809,9 +789,7 @@ GennadySpb <lipenkov@gmail.com>
 Geoff Levand <geoff@infradead.org>
 Geoffrey Bachelet <grosfrais@gmail.com>
 Geon Kim <geon0250@gmail.com>
-George Adams <georgeadams1995@gmail.com>
 George Kontridze <george@bugsnag.com>
-George Ma <mayangang@outlook.com>
 George MacRorie <gmacr31@gmail.com>
 George Xie <georgexsh@gmail.com>
 Georgi Hristozov <georgi@forkbomb.nl>
@@ -838,7 +816,6 @@ Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gosuke Miyashita <gosukenator@gmail.com>
 Gou Rao <gou@portworx.com>
 Govinda Fichtner <govinda.fichtner@googlemail.com>
-Grace Choi <grace.54109@gmail.com>
 Grant Millar <rid@cylo.io>
 Grant Reaber <grant.reaber@gmail.com>
 Graydon Hoare <graydon@pobox.com>
@@ -898,8 +875,6 @@ Hsing-Yu (David) Chen <davidhsingyuchen@gmail.com>
 hsinko <21551195@zju.edu.cn>
 Hu Keping <hukeping@huawei.com>
 Hu Tao <hutao@cn.fujitsu.com>
-Huajin Tong <fliterdashen@gmail.com>
-huang-jl <1046678590@qq.com>
 HuanHuan Ye <logindaveye@gmail.com>
 Huanzhong Zhang <zhanghuanzhong90@gmail.com>
 Huayi Zhang <irachex@gmail.com>
@@ -934,7 +909,6 @@ Illo Abdulrahim <abdulrahim.illo@nokia.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Ilya Gusev <mail@igusev.ru>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
-imalasong <2879499479@qq.com>
 imre Fitos <imre.fitos+github@gmail.com>
 inglesp <peter.inglesby@gmail.com>
 Ingo Gottwald <in.gottwald@gmail.com>
@@ -952,7 +926,6 @@ J Bruni <joaohbruni@yahoo.com.br>
 J. Nunn <jbnunn@gmail.com>
 Jack Danger Canty <jackdanger@squareup.com>
 Jack Laxson <jackjrabbit@gmail.com>
-Jack Walker <90711509+j2walker@users.noreply.github.com>
 Jacob Atzen <jacob@jacobatzen.dk>
 Jacob Edelman <edelman.jd@gmail.com>
 Jacob Tomlinson <jacob@tom.linson.uk>
@@ -979,7 +952,6 @@ James Nugent <james@jen20.com>
 James Sanders <james3sanders@gmail.com>
 James Turnbull <james@lovedthanlost.net>
 James Watkins-Harvey <jwatkins@progi-media.com>
-Jameson Hyde <jameson.hyde@docker.com>
 Jamie Hannaford <jamie@limetree.org>
 Jamshid Afshar <jafshar@yahoo.com>
 Jan Breig <git@pygos.space>
@@ -997,7 +969,6 @@ Jannick Fahlbusch <git@jf-projects.de>
 Januar Wayong <januar@gmail.com>
 Jared Biel <jared.biel@bolderthinking.com>
 Jared Hocutt <jaredh@netapp.com>
-Jaroslav Jindrak <dzejrou@gmail.com>
 Jaroslaw Zabiello <hipertracker@gmail.com>
 Jasmine Hegman <jasmine@jhegman.com>
 Jason A. Donenfeld <Jason@zx2c4.com>
@@ -1013,7 +984,6 @@ Jason Shepherd <jason@jasonshepherd.net>
 Jason Smith <jasonrichardsmith@gmail.com>
 Jason Sommer <jsdirv@gmail.com>
 Jason Stangroome <jason@codeassassin.com>
-Jasper Siepkes <siepkes@serviceplanet.nl>
 Javier Bassi <javierbassi@gmail.com>
 jaxgeller <jacksongeller@gmail.com>
 Jay <teguhwpurwanto@gmail.com>
@@ -1042,7 +1012,6 @@ Jeffrey Bolle <jeffreybolle@gmail.com>
 Jeffrey Morgan <jmorganca@gmail.com>
 Jeffrey van Gogh <jvg@google.com>
 Jenny Gebske <jennifer@gebske.de>
-Jeongseok Kang <piono623@naver.com>
 Jeremy Chambers <jeremy@thehipbot.com>
 Jeremy Grosser <jeremy@synack.me>
 Jeremy Huntwork <jhuntwork@lightcubesolutions.com>
@@ -1060,7 +1029,6 @@ Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jhon Honce <jhonce@redhat.com>
 Ji.Zhilong <zhilongji@gmail.com>
 Jian Liao <jliao@alauda.io>
-Jian Zeng <anonymousknight96@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
 Jiang Jinyang <jjyruby@gmail.com>
 Jianyong Wu <jianyong.wu@arm.com>
@@ -1078,16 +1046,13 @@ Jim Perrin <jperrin@centos.org>
 Jimmy Cuadra <jimmy@jimmycuadra.com>
 Jimmy Puckett <jimmy.puckett@spinen.com>
 Jimmy Song <rootsongjc@gmail.com>
-jinjiadu <jinjiadu@aliyun.com>
 Jinsoo Park <cellpjs@gmail.com>
 Jintao Zhang <zhangjintao9020@gmail.com>
 Jiri Appl <jiria@microsoft.com>
 Jiri Popelka <jpopelka@redhat.com>
 Jiuyue Ma <majiuyue@huawei.com>
 Jiří Župka <jzupka@redhat.com>
-jjimbo137 <115816493+jjimbo137@users.noreply.github.com>
 Joakim Roubert <joakim.roubert@axis.com>
-Joan Grau <grautxo.dev@proton.me>
 Joao Fernandes <joao.fernandes@docker.com>
 Joao Trindade <trindade.joao@gmail.com>
 Joe Beda <joe.github@bedafamily.com>
@@ -1128,7 +1093,6 @@ Jon Johnson <jonjohnson@google.com>
 Jon Surrell <jon.surrell@gmail.com>
 Jon Wedaman <jweede@gmail.com>
 Jonas Dohse <jonas@dohse.ch>
-Jonas Geiler <git@jonasgeiler.com>
 Jonas Heinrich <Jonas@JonasHeinrich.com>
 Jonas Pfenniger <jonas@pfenniger.name>
 Jonathan A. Schweder <jonathanschweder@gmail.com>
@@ -1172,7 +1136,6 @@ Josiah Kiehl <jkiehl@riotgames.com>
 José Tomás Albornoz <jojo@eljojo.net>
 Joyce Jang <mail@joycejang.com>
 JP <jpellerin@leapfrogonline.com>
-JSchltggr <jschltggr@gmail.com>
 Julian Taylor <jtaylor.debian@googlemail.com>
 Julien Barbier <write0@gmail.com>
 Julien Bisconti <veggiemonk@users.noreply.github.com>
@@ -1297,7 +1260,6 @@ Lakshan Perera <lakshan@laktek.com>
 Lalatendu Mohanty <lmohanty@redhat.com>
 Lance Chen <cyen0312@gmail.com>
 Lance Kinley <lkinley@loyaltymethods.com>
-Lars Andringa <l.s.andringa@rug.nl>
 Lars Butler <Lars.Butler@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Lars R. Damerow <lars@pixar.com>
@@ -1307,7 +1269,6 @@ Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Bernaille <laurent.bernaille@datadoghq.com>
 Laurent Erignoux <lerignoux@gmail.com>
-Laurent Goderre <laurent.goderre@docker.com>
 Laurie Voss <github@seldo.com>
 Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
@@ -1388,7 +1349,6 @@ Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
 Madhav Puri <madhav.puri@gmail.com>
 Madhu Venugopal <mavenugo@gmail.com>
 Mageee <fangpuyi@foxmail.com>
-maggie44 <64841595+maggie44@users.noreply.github.com>
 Mahesh Tiyyagura <tmahesh@gmail.com>
 malnick <malnick@gmail..com>
 Malte Janduda <mail@janduda.net>
@@ -1599,7 +1559,6 @@ Muayyad Alsadi <alsadi@gmail.com>
 Muhammad Zohaib Aslam <zohaibse011@gmail.com>
 Mustafa Akın <mustafa91@gmail.com>
 Muthukumar R <muthur@gmail.com>
-Myeongjoon Kim <kimmj8409@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
 Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
 Nace Oroz <orkica@gmail.com>
@@ -1614,7 +1573,6 @@ Natasha Jarus <linuxmercedes@gmail.com>
 Nate Brennand <nate.brennand@clever.com>
 Nate Eagleson <nate@nateeag.com>
 Nate Jones <nate@endot.org>
-Nathan Baulch <nathan.baulch@gmail.com>
 Nathan Carlson <carl4403@umn.edu>
 Nathan Herald <me@nathanherald.com>
 Nathan Hsieh <hsieh.nathan@gmail.com>
@@ -1677,7 +1635,6 @@ Nuutti Kotivuori <naked@iki.fi>
 nzwsch <hi@nzwsch.com>
 O.S. Tezer <ostezer@gmail.com>
 objectified <objectified@gmail.com>
-Octol1ttle <l1ttleofficial@outlook.com>
 Odin Ugedal <odin@ugedal.com>
 Oguz Bilgic <fisyonet@gmail.com>
 Oh Jinkyun <tintypemolly@gmail.com>
@@ -1709,7 +1666,6 @@ Patrick Böänziger <patrick.baenziger@bsi-software.com>
 Patrick Devine <patrick.devine@docker.com>
 Patrick Haas <patrickhaas@google.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
-Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
 pattichen <craftsbear@gmail.com>
@@ -1786,7 +1742,6 @@ Pierre Carrier <pierre@meteor.com>
 Pierre Dal-Pra <dalpra.pierre@gmail.com>
 Pierre Wacrenier <pierre.wacrenier@gmail.com>
 Pierre-Alain RIVIERE <pariviere@ippon.fr>
-pinglanlu <pinglanlu@outlook.com>
 Piotr Bogdan <ppbogdan@gmail.com>
 Piotr Karbowski <piotr.karbowski@protonmail.ch>
 Porjo <porjo38@yahoo.com.au>
@@ -1814,7 +1769,6 @@ Quentin Tayssier <qtayssier@gmail.com>
 r0n22 <cameron.regan@gmail.com>
 Rachit Sharma <rachitsharma613@gmail.com>
 Radostin Stoyanov <rstoyanov1@gmail.com>
-Rafael Fernández López <ereslibre@ereslibre.es>
 Rafal Jeczalik <rjeczalik@gmail.com>
 Rafe Colton <rafael.colton@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
@@ -1881,7 +1835,7 @@ Robin Speekenbrink <robin@kingsquare.nl>
 Robin Thoni <robin@rthoni.com>
 robpc <rpcann@gmail.com>
 Rodolfo Carvalho <rhcarvalho@gmail.com>
-Rodrigo Campos <rodrigoca@microsoft.com>
+Rodrigo Campos <rodrigo@kinvolk.io>
 Rodrigo Vaz <rodrigo.vaz@gmail.com>
 Roel Van Nyen <roel.vannyen@gmail.com>
 Roger Peppe <rogpeppe@gmail.com>
@@ -1917,7 +1871,6 @@ Royce Remer <royceremer@gmail.com>
 Rozhnov Alexandr <nox73@ya.ru>
 Rudolph Gottesheim <r.gottesheim@loot.at>
 Rui Cao <ruicao@alauda.io>
-Rui JingAn <quiterace@gmail.com>
 Rui Lopes <rgl@ruilopes.com>
 Ruilin Li <liruilin4@huawei.com>
 Runshen Zhu <runshen.zhu@gmail.com>
@@ -2014,13 +1967,11 @@ Sergey Evstifeev <sergey.evstifeev@gmail.com>
 Sergii Kabashniuk <skabashnyuk@codenvy.com>
 Sergio Lopez <slp@redhat.com>
 Serhat Gülçiçek <serhat25@gmail.com>
-Serhii Nakon <serhii.n@thescimus.com>
 SeungUkLee <lsy931106@gmail.com>
 Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
 Shane da Silva <shane@dasilva.io>
 Shaun Kaasten <shaunk@gmail.com>
-Shaun Thompson <shaun.thompson@docker.com>
 shaunol <shaunol@gmail.com>
 Shawn Landden <shawn@churchofgit.com>
 Shawn Siefkas <shawn.siefkas@meredith.com>
@@ -2039,7 +1990,6 @@ Shijun Qin <qinshijun16@mails.ucas.ac.cn>
 Shishir Mahajan <shishir.mahajan@redhat.com>
 Shoubhik Bose <sbose78@gmail.com>
 Shourya Sarcar <shourya.sarcar@gmail.com>
-Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
 Shu-Wai Chow <shu-wai.chow@seattlechildrens.org>
 shuai-z <zs.broccoli@gmail.com>
 Shukui Yang <yangshukui@huawei.com>
@@ -2127,7 +2077,6 @@ Sébastien Stormacq <sebsto@users.noreply.github.com>
 Sören Tempel <soeren+git@soeren-tempel.net>
 Tabakhase <mail@tabakhase.com>
 Tadej Janež <tadej.j@nez.si>
-Tadeusz Dudkiewicz <tadeusz.dudkiewicz@rtbhouse.com>
 Takuto Sato <tockn.jp@gmail.com>
 tang0th <tang0th@gmx.com>
 Tangi Colin <tangicolin@gmail.com>
@@ -2135,7 +2084,6 @@ Tatsuki Sugiura <sugi@nemui.org>
 Tatsushi Inagaki <e29253@jp.ibm.com>
 Taylan Isikdemir <taylani@google.com>
 Taylor Jones <monitorjbl@gmail.com>
-tcpdumppy <847462026@qq.com>
 Ted M. Young <tedyoung@gmail.com>
 Tehmasp Chaudhri <tehmasp@gmail.com>
 Tejaswini Duggaraju <naduggar@microsoft.com>
@@ -2228,7 +2176,6 @@ Tomek Mańko <tomek.manko@railgun-solutions.com>
 Tommaso Visconti <tommaso.visconti@gmail.com>
 Tomoya Tabuchi <t@tomoyat1.com>
 Tomáš Hrčka <thrcka@redhat.com>
-Tomáš Virtus <nechtom@gmail.com>
 tonic <tonicbupt@gmail.com>
 Tonny Xu <tonny.xu@gmail.com>
 Tony Abboud <tdabboud@hotmail.com>
@@ -2273,7 +2220,6 @@ Victor I. Wood <viw@t2am.com>
 Victor Lyuboslavsky <victor@victoreda.com>
 Victor Marmol <vmarmol@google.com>
 Victor Palma <palma.victor@gmail.com>
-Victor Toni <victor.toni@gmail.com>
 Victor Vieux <victor.vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Vijaya Kumar K <vijayak@caviumnetworks.com>
@@ -2307,7 +2253,6 @@ VladimirAus <v_roudakov@yahoo.com>
 Vladislav Kolesnikov <vkolesnikov@beget.ru>
 Vlastimil Zeman <vlastimil.zeman@diffblue.com>
 Vojtech Vitek (V-Teq) <vvitek@redhat.com>
-voloder <110066198+voloder@users.noreply.github.com>
 Walter Leibbrandt <github@wrl.co.za>
 Walter Stanish <walter@pratyeka.org>
 Wang Chao <chao.wang@ucloud.cn>
@@ -2325,7 +2270,6 @@ Wassim Dhif <wassimdhif@gmail.com>
 Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
 Wayne Chang <wayne@neverfear.org>
 Wayne Song <wsong@docker.com>
-weebney <weebney@gmail.com>
 Weerasak Chongnguluam <singpor@gmail.com>
 Wei Fu <fuweid89@gmail.com>
 Wei Wu <wuwei4455@gmail.com>
@@ -2420,7 +2364,6 @@ You-Sheng Yang (楊有勝) <vicamo@gmail.com>
 youcai <omegacoleman@gmail.com>
 Youcef YEKHLEF <yyekhlef@gmail.com>
 Youfu Zhang <zhangyoufu@gmail.com>
-YR Chen <stevapple@icloud.com>
 Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -101,7 +101,7 @@ the contributors guide.
    <td>
      <p>
        Register for the Docker Community Slack at
-	<a href="https://dockr.ly/comm-slack" target="_blank">https://dockr.ly/comm-slack</a>.
+	<a href="https://dockr.ly/slack" target="_blank">https://dockr.ly/slack</a>.
        We use the #moby-project channel for general discussion, and there are separate channels for other Moby projects such as #containerd.
      </p>
    </td>
--- a/96
+++ b/96
@@ -1,38 +1,28 @@
-# syntax=docker/dockerfile:1.7
+# syntax=docker/dockerfile:1

-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.21.10
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.6.1
+ARG XX_VERSION=1.4.0

 ARG VPNKIT_VERSION=0.5.0

-# DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.0.0-rc.1
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-
+ARG DOCKERCLI_VERSION=v26.0.0
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
-# BUILDX_VERSION is the version of buildx to install in the dev container.
-ARG BUILDX_VERSION=0.20.1
-ARG COMPOSE_VERSION=v2.32.4
+ARG BUILDX_VERSION=0.13.1
+ARG COMPOSE_VERSION=v2.25.0

 ARG SYSTEMD="false"
-ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1

 # REGISTRY_VERSION specifies the version of the registry to download from
 # https://hub.docker.com/r/distribution/distribution. This version of
 # the registry is used to test schema 2 manifests. Generally,  the version
 # specified here should match a current release.
-ARG REGISTRY_VERSION=3.0.0-rc.1
-
-# delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
-ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64}
-ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:+"unsupported"}
-ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:-"supported"}
+ARG REGISTRY_VERSION=2.8.3

 # cross compilation helper
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -141,9 +131,7 @@ RUN /download-frozen-image-v2.sh /build \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
-        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 \
-        hello-world:amd64@sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 \
-        hello-world:arm64@sha256:963612c5503f3f1674f315c67089dee577d8cc6afc18565e0b4183ae355fb343
+        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1

 # delve
 FROM base AS delve-src
@@ -153,10 +141,10 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.23.0
+ARG DELVE_VERSION=v1.21.1
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

-FROM base AS delve-supported
+FROM base AS delve-build
 WORKDIR /usr/src/delve
 ARG TARGETPLATFORM
 RUN --mount=from=delve-src,src=/usr/src/delve,rw \
@@ -167,8 +155,16 @@ RUN --mount=from=delve-src,src=/usr/src/delve,rw \
  xx-verify /build/dlv
 EOT

-FROM binary-dummy AS delve-unsupported
-FROM delve-${DELVE_SUPPORTED} AS delve
+# delve is currently only supported on linux/amd64 and linux/arm64;
+# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
+FROM binary-dummy AS delve-windows
+FROM binary-dummy AS delve-linux-arm
+FROM binary-dummy AS delve-linux-ppc64le
+FROM binary-dummy AS delve-linux-s390x
+FROM delve-build AS delve-linux-amd64
+FROM delve-build AS delve-linux-arm64
+FROM delve-linux-${TARGETARCH} AS delve-linux
+FROM delve-${TARGETOS} AS delve

 FROM base AS tomll
 # GOTOML_VERSION specifies the version of the tomll binary to build and install
@@ -202,7 +198,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.25
+ARG CONTAINERD_VERSION=v1.7.15
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -212,6 +208,8 @@ RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
            gcc \
+            libbtrfs-dev \
+            libsecret-1-dev \
            pkg-config
 ARG DOCKER_STATIC
 RUN --mount=from=containerd-src,src=/usr/src/containerd,rw \
@@ -233,14 +231,14 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd

 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.64.5
+ARG GOLANGCI_LINT_VERSION=v1.55.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

 FROM base AS gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GOTESTSUM_VERSION=v1.8.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
@@ -269,8 +267,7 @@ RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
        rm -f ./.git/*.lock \
     && /download-or-build-cli.sh ${DOCKERCLI_VERSION} ${DOCKERCLI_REPOSITORY} /build \
-     && /build/docker --version \
-     && /build/docker completion bash >/completion.bash
+     && /build/docker --version

 FROM base AS dockercli-integration
 WORKDIR /go/src/github.com/docker/cli
@@ -292,7 +289,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.5
+ARG RUNC_VERSION=v1.1.12
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -301,6 +298,7 @@ ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-runc-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-runc-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
+            dpkg-dev \
            gcc \
            libc6-dev \
            libseccomp-dev \
@@ -360,7 +358,7 @@ FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
 # When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
-ARG ROOTLESSKIT_VERSION=v2.3.2
+ARG ROOTLESSKIT_VERSION=v2.0.2
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
@@ -381,6 +379,8 @@ RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
  export CGO_ENABLED=$([ "$DOCKER_STATIC" = "1" ] && echo "0" || echo "1")
  xx-go build -o /build/rootlesskit -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit
+  xx-go build -o /build/rootlesskit-docker-proxy -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit-docker-proxy
+  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit-docker-proxy
 EOT
 COPY --link ./contrib/dockerd-rootless.sh /build/
 COPY --link ./contrib/dockerd-rootless-setuptool.sh /build/
@@ -402,6 +402,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
            libseccomp-dev \
            libsystemd-dev \
            libtool \
+            libudev-dev \
            libyajl-dev \
            python3 \
            ;
@@ -454,8 +455,8 @@ FROM binary-dummy AS containerutil-linux
 FROM containerutil-build AS containerutil-windows-amd64
 FROM containerutil-windows-${TARGETARCH} AS containerutil-windows
 FROM containerutil-${TARGETOS} AS containerutil
-FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
-FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
+FROM docker/buildx-bin:${BUILDX_VERSION} as buildx
+FROM docker/compose-bin:${COMPOSE_VERSION} as compose

 FROM base AS dev-systemd-false
 COPY --link --from=frozen-images /build/ /docker-frozen-images
@@ -505,24 +506,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]

-FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
-
-FROM dev-systemd-true AS dev-firewalld-true
-RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
-    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
-        apt-get update && apt-get install -y --no-install-recommends \
-            firewalld
-RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
-
-FROM dev-firewalld-${FIREWALLD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
 && chown -R unprivilegeduser /home/unprivilegeduser
 # Let us use a .bashrc file
 RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
-# Activate bash completion
+# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
 RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
+RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
 RUN ldconfig
 # Set dev environment as safe git directory to prevent "dubious ownership" errors
 # when bind-mounting the source into the dev-container. See https://github.com/moby/moby/pull/44930
@@ -545,7 +538,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            libprotobuf-c1 \
            libyajl2 \
            net-tools \
-            netcat-openbsd \
            patch \
            pigz \
            sudo \
@@ -568,11 +560,14 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            gcc \
            pkg-config \
+            dpkg-dev \
+            libapparmor-dev \
            libseccomp-dev \
+            libsecret-1-dev \
            libsystemd-dev \
+            libudev-dev \
            yamllint
 COPY --link --from=dockercli             /build/ /usr/local/cli
-COPY --link --from=dockercli             /completion.bash /etc/bash_completion.d/docker
 COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration

 FROM base AS build
@@ -590,10 +585,14 @@ ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        xx-apt-get install --no-install-recommends -y \
+            dpkg-dev \
            gcc \
+            libapparmor-dev \
            libc6-dev \
            libseccomp-dev \
+            libsecret-1-dev \
            libsystemd-dev \
+            libudev-dev \
            pkg-config
 ARG DOCKER_BUILDTAGS
 ARG DOCKER_DEBUG
@@ -616,13 +615,14 @@ RUN <<EOT
 EOT
 RUN --mount=type=bind,target=.,rw \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
+    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
  set -e
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
  xx-go --wrap
  PKG_CONFIG=$(xx-go env PKG_CONFIG) ./hack/make.sh $target
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/dockerd$([ "$(xx-info os)" = "windows" ] && echo ".exe")
-  [ "$(xx-info os)" != "linux" ] || xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/docker-proxy
+  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/docker-proxy$([ "$(xx-info os)" = "windows" ] && echo ".exe")
  mkdir /build
  mv /tmp/bundles/${target}-daemon/* /build/
 EOT
@@ -650,7 +650,7 @@ COPY --link --from=build         /build  /
 # smoke tests
 # usage:
 # > docker buildx bake binary-smoketest
-FROM base AS smoketest
+FROM --platform=$TARGETPLATFORM base AS smoketest
 WORKDIR /usr/local/bin
 COPY --from=build /build .
 RUN <<EOT
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.21.10

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 		curl \
 		cmake \
 		git \
+		libapparmor-dev \
 		libseccomp-dev \
 		ca-certificates \
 		e2fsprogs \
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,10 +161,10 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.23.6
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GO_VERSION=1.21.10
+ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
-ARG CONTAINERD_VERSION=v1.7.25
+ARG CONTAINERD_VERSION=v1.7.15

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
--- a/165
+++ b/165
@@ -0,0 +1,165 @@
+#!groovy
+pipeline {
+    agent none
+
+    options {
+        buildDiscarder(logRotator(daysToKeepStr: '30'))
+        timeout(time: 2, unit: 'HOURS')
+        timestamps()
+    }
+    parameters {
+        booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test')
+        booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check')
+    }
+    environment {
+        DOCKER_BUILDKIT     = '1'
+        DOCKER_EXPERIMENTAL = '1'
+        DOCKER_GRAPHDRIVER  = 'overlay2'
+        CHECK_CONFIG_COMMIT = '33a3680e08d1007e72c3b3f1454f823d8e9948ee'
+        TESTDEBUG           = '0'
+        TIMEOUT             = '120m'
+    }
+    stages {
+        stage('pr-hack') {
+            when { changeRequest() }
+            steps {
+                script {
+                    echo "Workaround for PR auto-cancel feature. Borrowed from https://issues.jenkins-ci.org/browse/JENKINS-43353"
+                    def buildNumber = env.BUILD_NUMBER as int
+                    if (buildNumber > 1) milestone(buildNumber - 1)
+                    milestone(buildNumber)
+                }
+            }
+        }
+        stage('DCO-check') {
+            when {
+                beforeAgent true
+                expression { params.dco }
+            }
+            agent { label 'arm64 && ubuntu-2004' }
+            steps {
+                sh '''
+                docker run --rm \
+                  -v "$WORKSPACE:/workspace" \
+                  -e VALIDATE_REPO=${GIT_URL} \
+                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                  alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
+                '''
+            }
+        }
+        stage('Build') {
+            parallel {
+                stage('arm64') {
+                    when {
+                        beforeAgent true
+                        expression { params.arm64 }
+                    }
+                    agent { label 'arm64 && ubuntu-2004' }
+                    environment {
+                        TEST_SKIP_INTEGRATION_CLI = '1'
+                    }
+
+                    stages {
+                        stage("Print info") {
+                            steps {
+                                sh 'docker version'
+                                sh 'docker info'
+                                sh '''
+                                echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
+                                curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
+                                && bash ${WORKSPACE}/check-config.sh || true
+                                '''
+                            }
+                        }
+                        stage("Build dev image") {
+                            steps {
+                                sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
+                            }
+                        }
+                        stage("Unit tests") {
+                            steps {
+                                sh '''
+                                sudo modprobe ip6table_filter
+                                '''
+                                sh '''
+                                docker run --rm -t --privileged \
+                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
+                                  --name docker-pr$BUILD_NUMBER \
+                                  -e DOCKER_EXPERIMENTAL \
+                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
+                                  -e DOCKER_GRAPHDRIVER \
+                                  -e VALIDATE_REPO=${GIT_URL} \
+                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                                  docker:${GIT_COMMIT} \
+                                  hack/test/unit
+                                '''
+                            }
+                            post {
+                                always {
+                                    junit testResults: 'bundles/junit-report*.xml', allowEmptyResults: true
+                                }
+                            }
+                        }
+                        stage("Integration tests") {
+                            environment { TEST_SKIP_INTEGRATION_CLI = '1' }
+                            steps {
+                                sh '''
+                                docker run --rm -t --privileged \
+                                  -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
+                                  --name docker-pr$BUILD_NUMBER \
+                                  -e DOCKER_EXPERIMENTAL \
+                                  -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
+                                  -e DOCKER_GRAPHDRIVER \
+                                  -e TESTDEBUG \
+                                  -e TEST_INTEGRATION_USE_SNAPSHOTTER \
+                                  -e TEST_SKIP_INTEGRATION_CLI \
+                                  -e TIMEOUT \
+                                  -e VALIDATE_REPO=${GIT_URL} \
+                                  -e VALIDATE_BRANCH=${CHANGE_TARGET} \
+                                  docker:${GIT_COMMIT} \
+                                  hack/make.sh \
+                                    dynbinary \
+                                    test-integration
+                                '''
+                            }
+                            post {
+                                always {
+                                    junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
+                                }
+                            }
+                        }
+                    }
+
+                    post {
+                        always {
+                            sh '''
+                            echo "Ensuring container killed."
+                            docker rm -vf docker-pr$BUILD_NUMBER || true
+                            '''
+
+                            sh '''
+                            echo "Chowning /workspace to jenkins user"
+                            docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
+                            '''
+
+                            catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
+                                sh '''
+                                bundleName=arm64-integration
+                                echo "Creating ${bundleName}-bundles.tar.gz"
+                                # exclude overlay2 directories
+                                find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
+                                '''
+
+                                archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
+                            }
+                        }
+                        cleanup {
+                            sh 'make clean'
+                            deleteDir()
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
--- a/18
+++ b/18
@@ -27,7 +27,6 @@
 			"akerouanton",
 			"akihirosuda",
 			"anusha",
-			"austinvazquez",
 			"coolljt0725",
 			"corhere",
 			"cpuguy83",
@@ -39,7 +38,6 @@
 			"laurazard",
 			"mhbauer",
 			"neersighted",
-			"robmry",
 			"rumpl",
 			"runcom",
 			"samuelkarp",
@@ -77,10 +75,10 @@
 			"olljanat",
 			"programmerq",
 			"ripcurld",
+			"robmry",
 			"sam-thibault",
 			"samwhited",
-			"thajeztah",
-			"thompson-shaun",
+			"thajeztah"
 		]

 	[Org.Alumni]
@@ -316,11 +314,6 @@
 	Email = "andrewhsu@docker.com"
 	GitHub = "andrewhsu"

-	[people.austinvazquez]
-	Name = "Austin Vazquez"
-	Email = "macedonv@amazon.com"
-	GitHub = "austinvazquez"
-
 	[people.anusha]
 	Name = "Anusha Ragunathan"
 	Email = "anusha@docker.com"
@@ -433,7 +426,7 @@

 	[people.laurazard]
 	Name = "Laura Brehm"
-	Email = "laurabrehm@hey.com"
+	Email = "laura.brehm@docker.com"
 	GitHub = "laurazard"

 	[people.lk4d4]
@@ -541,11 +534,6 @@
 	Email = "github@gone.nl"
 	GitHub = "thaJeztah"

-	[people.thompson-shaun]
-	Name = "Shaun Thompson"
-	Email = "shaun.thompson@docker.com"
-	GitHub = "thompson-shaun"
-
 	[people.tianon]
 	Name = "Tianon Gravi"
 	Email = "admwiggin@gmail.com"
--- a/41
+++ b/41
@@ -1,6 +1,12 @@
+.PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate validate-% win
+
 DOCKER ?= docker
 BUILDX ?= $(DOCKER) buildx

+# set the graph driver as the current graphdriver if not set
+DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info -f '{{ .Driver }}' 2>&1))
+export DOCKER_GRAPHDRIVER
+
 DOCKER_GITCOMMIT := $(shell git rev-parse HEAD)
 export DOCKER_GITCOMMIT

@@ -31,6 +37,7 @@ DOCKER_ENVS := \
 	-e DOCKER_BUILD_OPTS \
 	-e DOCKER_BUILD_PKGS \
 	-e DOCKER_BUILDKIT \
+	-e DOCKER_BASH_COMPLETION_PATH \
 	-e DOCKER_CLI_PATH \
 	-e DOCKERCLI_VERSION \
 	-e DOCKERCLI_REPOSITORY \
@@ -38,7 +45,6 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
-	-e DOCKER_FIREWALLD \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -86,7 +92,7 @@ DOCKER_ENVS := \
 # note: BINDDIR is supported for backwards-compatibility here
 BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))

-# DOCKER_MOUNT can be overridden, but use at your own risk!
+# DOCKER_MOUNT can be overriden, but use at your own risk!
 ifndef DOCKER_MOUNT
 DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
 DOCKER_MOUNT := $(if $(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT):$(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT))
@@ -98,14 +104,8 @@ DOCKER_MOUNT := $(if $(DOCKER_MOUNT),$(DOCKER_MOUNT),-v /go/src/github.com/docke

 DOCKER_MOUNT_CACHE := -v docker-dev-cache:/root/.cache -v docker-mod-cache:/go/pkg/mod/
 DOCKER_MOUNT_CLI := $(if $(DOCKER_CLI_PATH),-v $(shell dirname $(DOCKER_CLI_PATH)):/usr/local/cli,)
-
-ifdef BIND_GIT
-	# Gets the common .git directory (even from inside a git worktree)
-	GITDIR := $(shell realpath $(shell git rev-parse --git-common-dir))
-	MOUNT_GITDIR := $(if $(GITDIR),-v "$(GITDIR):$(GITDIR)")
-endif
-
-DOCKER_MOUNT := $(DOCKER_MOUNT) $(DOCKER_MOUNT_CACHE) $(DOCKER_MOUNT_CLI) $(DOCKER_MOUNT_BASH_COMPLETION) $(MOUNT_GITDIR)
+DOCKER_MOUNT_BASH_COMPLETION := $(if $(DOCKER_BASH_COMPLETION_PATH),-v $(shell dirname $(DOCKER_BASH_COMPLETION_PATH)):/usr/local/completion/bash,)
+DOCKER_MOUNT := $(DOCKER_MOUNT) $(DOCKER_MOUNT_CACHE) $(DOCKER_MOUNT_CLI) $(DOCKER_MOUNT_BASH_COMPLETION)
 endif # ifndef DOCKER_MOUNT

 # This allows to set the docker-dev container name
@@ -150,9 +150,6 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
-ifdef DOCKER_FIREWALLD
-DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
-endif

 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
@@ -160,19 +157,15 @@ BAKE_CMD := $(BUILDX) bake

 default: binary

-.PHONY: all
 all: build ## validate all checks, build linux binaries, run all tests,\ncross build non-linux binaries, and generate archives
 	$(DOCKER_RUN_DOCKER) bash -c 'hack/validate/default && hack/make.sh'

-.PHONY: binary
 binary: bundles ## build statically linked linux binaries
 	$(BAKE_CMD) binary

-.PHONY: dynbinary
 dynbinary: bundles ## build dynamically linked linux binaries
 	$(BAKE_CMD) dynbinary

-.PHONY: cross
 cross: bundles ## cross build the binaries
 	$(BAKE_CMD) binary-cross

@@ -186,15 +179,12 @@ clean: clean-cache
 clean-cache: ## remove the docker volumes that are used for caching in the dev-container
 	docker volume rm -f docker-dev-cache docker-mod-cache

-.PHONY: help
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {gsub("\\\\n",sprintf("\n%22c",""), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

-.PHONY: install
 install: ## install the linux binaries
 	KEEPBUNDLE=1 hack/make.sh install-binary

-.PHONY: run
 run: build ## run the docker daemon in a container
 	$(DOCKER_RUN_DOCKER) sh -c "KEEPBUNDLE=1 hack/make.sh install-binary run"
 
@@ -207,22 +197,17 @@ endif
 build: bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .

-.PHONY: shell
 shell: build  ## start a shell inside the build env
 	$(DOCKER_RUN_DOCKER) bash

-.PHONY: test
 test: build test-unit ## run the unit, integration and docker-py tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration test-docker-py

-.PHONY: test-docker-py
 test-docker-py: build ## run the docker-py tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-docker-py

-.PHONY: test-integration-cli
 test-integration-cli: test-integration ## (DEPRECATED) use test-integration

-.PHONY: test-integration
 ifneq ($(and $(TEST_SKIP_INTEGRATION),$(TEST_SKIP_INTEGRATION_CLI)),)
 test-integration:
 	@echo Both integrations suites skipped per environment variables
@@ -231,29 +216,23 @@ test-integration: build ## run the integration tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration
 endif

-.PHONY: test-integration-flaky
 test-integration-flaky: build ## run the stress test for all new integration tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration-flaky

-.PHONY: test-unit
 test-unit: build ## run the unit tests
 	$(DOCKER_RUN_DOCKER) hack/test/unit

-.PHONY: validate
 validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isolation, golint, tests, tomls, go vet and vendor
 	$(DOCKER_RUN_DOCKER) hack/validate/all

-.PHONY: validate-generate-files
 validate-generate-files:
 	$(BUILD_CMD) --target "validate" \
 		--output "type=cacheonly" \
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .

-.PHONY: validate-%
 validate-%: build ## validate specific check
 	$(DOCKER_RUN_DOCKER) hack/validate/$*

-.PHONY: win
 win: bundles ## cross build the binary for windows
 	$(BAKE_CMD) --set *.platform=windows/amd64 binary

--- a/README.md
+++ b/README.md
@@ -1,11 +1,6 @@
 The Moby Project
 ================

-[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/docker)](https://pkg.go.dev/github.com/docker/docker)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker)](https://goreportcard.com/report/github.com/docker/docker)
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
-
-
 ![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")

 Moby is an open-source project created by Docker to enable and accelerate software containerization.
@@ -37,7 +32,7 @@ New projects can be added if they fit with the community goals. Docker is commit
 However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.

 The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful.
-The releases are supported by the maintainers, community and users, on a best efforts basis only. For customers who want enterprise or commercial support, [Docker Desktop](https://www.docker.com/products/docker-desktop/) and [Mirantis Container Runtime](https://www.mirantis.com/software/mirantis-container-runtime/) are the appropriate products for these use cases.
+The releases are supported by the maintainers, community and users, on a best efforts basis only, and are not intended for customers who want enterprise or commercial support; Docker EE is the appropriate product for these use cases.

 -----

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,42 +1,9 @@
-# Security Policy
+# Reporting security issues

-The maintainers of the Moby project take security seriously. If you discover
-a security issue, please bring it to their attention right away!
+The Moby maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!

-## Reporting a Vulnerability
+### Reporting a Vulnerability

-Please **DO NOT** file a public issue, instead send your report privately
-to [security@docker.com](mailto:security@docker.com).
+Please **DO NOT** file a public issue, instead send your report privately to security@docker.com.

-Reporter(s) can expect a response within 72 hours, acknowledging the issue was
-received.
-
-## Review Process
-
-After receiving the report, an initial triage and technical analysis is
-performed to confirm the report and determine its scope. We may request
-additional information in this stage of the process.
-
-Once a reviewer has confirmed the relevance of the report, a draft security
-advisory will be created on GitHub. The draft advisory will be used to discuss
-the issue with maintainers, the reporter(s), and where applicable, other
-affected parties under embargo.
-
-If the vulnerability is accepted, a timeline for developing a patch, public
-disclosure, and patch release will be determined. If there is an embargo period
-on public disclosure before the patch release, the reporter(s) are expected to
-participate in the discussion of the timeline and abide by agreed upon dates
-for public disclosure.
-
-## Accreditation
-
-Security reports are greatly appreciated and we will publicly thank you,
-although we will keep your name confidential if you request it. We also like to
-send gifts - if you're into swag, make sure to let us know. We do not currently
-offer a paid security bounty program at this time.
-
-## Supported Versions
-
-This project uses long-lived branches to maintain releases. Refer to
-[BRANCHES-AND-TAGS.md](project/BRANCHES-AND-TAGS.md) in the default branch to
-learn about the current maintenance status of each branch.
+Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it. We also like to send gifts—if you're into schwag, make sure to let us know. We currently do not offer a paid security bounty program, but are not ruling it out in the future.
--- a/api/common.go
+++ b/api/common.go
@@ -3,7 +3,7 @@ package api // import "github.com/docker/docker/api"
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.48"
+	DefaultVersion = "1.45"

 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
--- a/api/server/backend/build/backend.go
+++ b/api/server/backend/build/backend.go
@@ -88,9 +88,11 @@ func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string
 		}
 	}

-	if imageID != "" && !useBuildKit {
+	if !useBuildKit {
 		stdout := config.ProgressWriter.StdoutFormatter
-		_, _ = fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+		fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+	}
+	if imageID != "" && !useBuildKit {
 		err = tagImages(ctx, b.imageComponent, config.ProgressWriter.StdoutFormatter, image.ID(imageID), tags)
 	}
 	return imageID, err
--- a/api/server/httpstatus/status.go
+++ b/api/server/httpstatus/status.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"net/http"

-	cerrdefs "github.com/containerd/errdefs"
+	cerrdefs "github.com/containerd/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/docker/errdefs"
@@ -24,37 +24,42 @@ func FromError(err error) int {
 		return http.StatusInternalServerError
 	}

+	var statusCode int
+
 	// Stop right there
 	// Are you sure you should be adding a new error class here? Do one of the existing ones work?

 	// Note that the below functions are already checking the error causal chain for matches.
 	switch {
 	case errdefs.IsNotFound(err):
-		return http.StatusNotFound
+		statusCode = http.StatusNotFound
 	case errdefs.IsInvalidParameter(err):
-		return http.StatusBadRequest
+		statusCode = http.StatusBadRequest
 	case errdefs.IsConflict(err):
-		return http.StatusConflict
+		statusCode = http.StatusConflict
 	case errdefs.IsUnauthorized(err):
-		return http.StatusUnauthorized
+		statusCode = http.StatusUnauthorized
 	case errdefs.IsUnavailable(err):
-		return http.StatusServiceUnavailable
+		statusCode = http.StatusServiceUnavailable
 	case errdefs.IsForbidden(err):
-		return http.StatusForbidden
+		statusCode = http.StatusForbidden
 	case errdefs.IsNotModified(err):
-		return http.StatusNotModified
+		statusCode = http.StatusNotModified
 	case errdefs.IsNotImplemented(err):
-		return http.StatusNotImplemented
+		statusCode = http.StatusNotImplemented
 	case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
-		return http.StatusInternalServerError
+		statusCode = http.StatusInternalServerError
 	default:
-		if statusCode := statusCodeFromGRPCError(err); statusCode != http.StatusInternalServerError {
+		statusCode = statusCodeFromGRPCError(err)
+		if statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
-		if statusCode := statusCodeFromContainerdError(err); statusCode != http.StatusInternalServerError {
+		statusCode = statusCodeFromContainerdError(err)
+		if statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
-		if statusCode := statusCodeFromDistributionError(err); statusCode != http.StatusInternalServerError {
+		statusCode = statusCodeFromDistributionError(err)
+		if statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
 		if e, ok := err.(causer); ok {
@@ -66,9 +71,13 @@ func FromError(err error) int {
 			"error":      err,
 			"error_type": fmt.Sprintf("%T", err),
 		}).Debug("FIXME: Got an API for which error does not match any expected type!!!")
-
-		return http.StatusInternalServerError
 	}
+
+	if statusCode == 0 {
+		statusCode = http.StatusInternalServerError
+	}
+
+	return statusCode
 }

 // statusCodeFromGRPCError returns status code according to gRPC error
--- a/api/server/httputils/form.go
+++ b/api/server/httputils/form.go
@@ -1,17 +1,12 @@
 package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"strconv"
 	"strings"

 	"github.com/distribution/reference"
-	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
-
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // BoolValue transforms a form value in different formats into a boolean type.
@@ -29,29 +24,6 @@ func BoolValueOrDefault(r *http.Request, k string, d bool) bool {
 	return BoolValue(r, k)
 }

-// Uint32Value parses a form value into an uint32 type. It returns an error
-// if the field is not set, empty, incorrectly formatted, or out of range.
-func Uint32Value(r *http.Request, field string) (uint32, error) {
-	// strconv.ParseUint returns an "strconv.ErrSyntax" for negative values,
-	// not an "out of range". Strip the prefix before parsing, and use it
-	// later to detect valid, but negative values.
-	v, isNeg := strings.CutPrefix(r.Form.Get(field), "-")
-	if v == "" || v[0] == '+' {
-		// Fast-path for invalid values.
-		return 0, strconv.ErrSyntax
-	}
-
-	i, err := strconv.ParseUint(v, 10, 32)
-	if err != nil {
-		// Unwrap to remove the 'strconv.ParseUint: parsing "some-invalid-value":' prefix.
-		return 0, errors.Unwrap(err)
-	}
-	if isNeg {
-		return 0, strconv.ErrRange
-	}
-	return uint32(i), nil
-}
-
 // Int64ValueOrZero parses a form value into an int64 type.
 // It returns 0 if the parsing fails.
 func Int64ValueOrZero(r *http.Request, k string) int64 {
@@ -137,24 +109,3 @@ func ArchiveFormValues(r *http.Request, vars map[string]string) (ArchiveOptions,
 	}
 	return ArchiveOptions{name, path}, nil
 }
-
-// DecodePlatform decodes the OCI platform JSON string into a Platform struct.
-func DecodePlatform(platformJSON string) (*ocispec.Platform, error) {
-	var p ocispec.Platform
-
-	if err := json.Unmarshal([]byte(platformJSON), &p); err != nil {
-		return nil, errdefs.InvalidParameter(errors.Wrap(err, "failed to parse platform"))
-	}
-
-	hasAnyOptional := (p.Variant != "" || p.OSVersion != "" || len(p.OSFeatures) > 0)
-
-	if p.OS == "" && p.Architecture == "" && hasAnyOptional {
-		return nil, errdefs.InvalidParameter(errors.New("optional platform fields provided, but OS and Architecture are missing"))
-	}
-
-	if p.OS == "" || p.Architecture == "" {
-		return nil, errdefs.InvalidParameter(errors.New("both OS and Architecture must be provided"))
-	}
-
-	return &p, nil
-}
--- a/api/server/httputils/form_test.go
+++ b/api/server/httputils/form_test.go
@@ -1,16 +1,9 @@
 package httputils // import "github.com/docker/docker/api/server/httputils"

 import (
-	"math"
 	"net/http"
 	"net/url"
-	"strconv"
 	"testing"
-
-	"github.com/docker/docker/errdefs"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
 )

 func TestBoolValue(t *testing.T) {
@@ -110,126 +103,3 @@ func TestInt64ValueOrDefaultWithError(t *testing.T) {
 		t.Fatal("Expected an error.")
 	}
 }
-
-func TestUint32Value(t *testing.T) {
-	const valueNotSet = "unset"
-
-	tests := []struct {
-		value       string
-		expected    uint32
-		expectedErr error
-	}{
-		{
-			value:    "0",
-			expected: 0,
-		},
-		{
-			value:    strconv.FormatUint(math.MaxUint32, 10),
-			expected: math.MaxUint32,
-		},
-		{
-			value:       valueNotSet,
-			expectedErr: strconv.ErrSyntax,
-		},
-		{
-			value:       "",
-			expectedErr: strconv.ErrSyntax,
-		},
-		{
-			value:       "-1",
-			expectedErr: strconv.ErrRange,
-		},
-		{
-			value:       "4294967296", // MaxUint32+1
-			expectedErr: strconv.ErrRange,
-		},
-		{
-			value:       "not-a-number",
-			expectedErr: strconv.ErrSyntax,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.value, func(t *testing.T) {
-			r, _ := http.NewRequest(http.MethodPost, "", nil)
-			r.Form = url.Values{}
-			if tc.value != valueNotSet {
-				r.Form.Set("field", tc.value)
-			}
-			out, err := Uint32Value(r, "field")
-			assert.Check(t, is.Equal(tc.expected, out))
-			assert.Check(t, is.ErrorIs(err, tc.expectedErr))
-		})
-	}
-}
-
-func TestDecodePlatform(t *testing.T) {
-	tests := []struct {
-		doc          string
-		platformJSON string
-		expected     *ocispec.Platform
-		expectedErr  string
-	}{
-		{
-			doc:         "empty platform",
-			expectedErr: `failed to parse platform: unexpected end of JSON input`,
-		},
-		{
-			doc:          "not JSON",
-			platformJSON: `linux/ams64`,
-			expectedErr:  `failed to parse platform: invalid character 'l' looking for beginning of value`,
-		},
-		{
-			doc:          "malformed JSON",
-			platformJSON: `{"architecture"`,
-			expectedErr:  `failed to parse platform: unexpected end of JSON input`,
-		},
-		{
-			doc:          "missing os",
-			platformJSON: `{"architecture":"amd64","os":""}`,
-			expectedErr:  `both OS and Architecture must be provided`,
-		},
-		{
-			doc:          "variant without architecture",
-			platformJSON: `{"architecture":"","os":"","variant":"v7"}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "missing architecture",
-			platformJSON: `{"architecture":"","os":"linux"}`,
-			expectedErr:  `both OS and Architecture must be provided`,
-		},
-		{
-			doc:          "os.version without os and architecture",
-			platformJSON: `{"architecture":"","os":"","os.version":"12.0"}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "os.features without os and architecture",
-			platformJSON: `{"architecture":"","os":"","os.features":["a","b"]}`,
-			expectedErr:  `optional platform fields provided, but OS and Architecture are missing`,
-		},
-		{
-			doc:          "valid platform",
-			platformJSON: `{"architecture":"arm64","os":"linux","os.version":"12.0", "os.features":["a","b"], "variant": "v7"}`,
-			expected: &ocispec.Platform{
-				Architecture: "arm64",
-				OS:           "linux",
-				OSVersion:    "12.0",
-				OSFeatures:   []string{"a", "b"},
-				Variant:      "v7",
-			},
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.doc, func(t *testing.T) {
-			p, err := DecodePlatform(tc.platformJSON)
-			assert.Check(t, is.DeepEqual(p, tc.expected))
-			if tc.expectedErr != "" {
-				assert.Check(t, errdefs.IsInvalidParameter(err))
-				assert.Check(t, is.Error(err, tc.expectedErr))
-			} else {
-				assert.Check(t, err)
-			}
-		})
-	}
-}
--- a/api/server/httputils/write_log_stream.go
+++ b/api/server/httputils/write_log_stream.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"net/http"
 	"net/url"
 	"sort"

@@ -17,11 +16,7 @@ import (

 // WriteLogStream writes an encoded byte stream of log messages from the
 // messages channel, multiplexing them with a stdcopy.Writer if mux is true
-func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
-	// See https://github.com/moby/moby/issues/47448
-	// Trigger headers to be written immediately.
-	w.WriteHeader(http.StatusOK)
-
+func WriteLogStream(_ context.Context, w io.Writer, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
 	wf := ioutils.NewWriteFlusher(w)
 	defer wf.Close()

--- a/api/server/middleware/cors.go
+++ b/api/server/middleware/cors.go
@@ -0,0 +1,38 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/containerd/log"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// CORSMiddleware injects CORS headers to each request
+// when it's configured.
+type CORSMiddleware struct {
+	defaultHeaders string
+}
+
+// NewCORSMiddleware creates a new CORSMiddleware with default headers.
+func NewCORSMiddleware(d string) CORSMiddleware {
+	return CORSMiddleware{defaultHeaders: d}
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (c CORSMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		// If "api-cors-header" is not given, but "api-enable-cors" is true, we set cors to "*"
+		// otherwise, all head values will be passed to HTTP handler
+		corsHeaders := c.defaultHeaders
+		if corsHeaders == "" {
+			corsHeaders = "*"
+		}
+
+		log.G(ctx).Debugf("CORS header is enabled and set to: %s", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Origin", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, "+registry.AuthHeader)
+		w.Header().Add("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE, PUT, OPTIONS")
+		return handler(ctx, w, r, vars)
+	}
+}
--- a/api/server/middleware/debug.go
+++ b/api/server/middleware/debug.go
@@ -9,34 +9,14 @@ import (
 	"strings"

 	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/pkg/ioutils"
-	"github.com/sirupsen/logrus"
 )

 // DebugRequestMiddleware dumps the request to logger
 func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) (retErr error) {
-		logger := log.G(ctx)
-
-		// Use a variable for fields to prevent overhead of repeatedly
-		// calling WithFields.
-		fields := log.Fields{
-			"module":      "api",
-			"method":      r.Method,
-			"request-url": r.RequestURI,
-			"vars":        vars,
-		}
-		logger.WithFields(fields).Debugf("handling %s request", r.Method)
-		defer func() {
-			if retErr != nil {
-				// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
-				fields["error-response"] = retErr
-				fields["status"] = httpstatus.FromError(retErr)
-				logger.WithFields(fields).Debugf("error response for %s request", r.Method)
-			}
-		}()
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		log.G(ctx).Debugf("Calling %s %s", r.Method, r.RequestURI)

 		if r.Method != http.MethodPost {
 			return handler(ctx, w, r, vars)
@@ -62,15 +42,11 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 		var postForm map[string]interface{}
 		if err := json.Unmarshal(b, &postForm); err == nil {
 			maskSecretKeys(postForm)
-			// TODO(thaJeztah): is there a better way to detect if we're using JSON-formatted logs?
-			if _, ok := logger.Logger.Formatter.(*logrus.JSONFormatter); ok {
-				fields["form-data"] = postForm
+			formStr, errMarshal := json.Marshal(postForm)
+			if errMarshal == nil {
+				log.G(ctx).Debugf("form data: %s", string(formStr))
 			} else {
-				if data, err := json.Marshal(postForm); err != nil {
-					fields["form-data"] = postForm
-				} else {
-					fields["form-data"] = string(data)
-				}
+				log.G(ctx).Debugf("form data: %q", postForm)
 			}
 		}

--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -67,8 +67,8 @@ func (e versionUnsupportedError) InvalidParameter() {}
 func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("Api-Version", v.defaultAPIVersion)
-		w.Header().Set("Ostype", runtime.GOOS)
+		w.Header().Set("API-Version", v.defaultAPIVersion)
+		w.Header().Set("OSType", runtime.GOOS)

 		apiVersion := vars["version"]
 		if apiVersion == "" {
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -56,6 +56,7 @@ func TestNewVersionMiddlewareValidation(t *testing.T) {
 	}

 	for _, tc := range tests {
+		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			_, err := NewVersionMiddleware("1.2.3", tc.defaultVersion, tc.minVersion)
 			if tc.expectedErr == "" {
@@ -140,6 +141,6 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	hdr := resp.Result().Header
 	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
 	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("Api-Version"), api.DefaultVersion))
-	assert.Check(t, is.Equal(hdr.Get("Ostype"), runtime.GOOS))
+	assert.Check(t, is.Equal(hdr.Get("API-Version"), api.DefaultVersion))
+	assert.Check(t, is.Equal(hdr.Get("OSType"), runtime.GOOS))
 }
--- a/api/server/router/build/build_routes.go
+++ b/api/server/router/build/build_routes.go
@@ -13,7 +13,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
@@ -26,6 +25,7 @@ import (
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
+	units "github.com/docker/go-units"
 	"github.com/pkg/errors"
 )

@@ -105,7 +105,7 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 	}

 	if ulimitsJSON := r.FormValue("ulimits"); ulimitsJSON != "" {
-		buildUlimits := []*container.Ulimit{}
+		buildUlimits := []*units.Ulimit{}
 		if err := json.Unmarshal([]byte(ulimitsJSON), &buildUlimits); err != nil {
 			return nil, invalidParam{errors.Wrap(err, "error reading ulimit settings")}
 		}
@@ -178,55 +178,19 @@ func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *
 	if err != nil {
 		return err
 	}
+	ksfv := r.FormValue("keep-storage")
+	if ksfv == "" {
+		ksfv = "0"
+	}
+	ks, err := strconv.Atoi(ksfv)
+	if err != nil {
+		return invalidParam{errors.Wrapf(err, "keep-storage is in bytes and expects an integer, got %v", ksfv)}
+	}

 	opts := types.BuildCachePruneOptions{
-		All:     httputils.BoolValue(r, "all"),
-		Filters: fltrs,
-	}
-
-	parseBytesFromFormValue := func(name string) (int64, error) {
-		if fv := r.FormValue(name); fv != "" {
-			bs, err := strconv.Atoi(fv)
-			if err != nil {
-				return 0, invalidParam{errors.Wrapf(err, "%s is in bytes and expects an integer, got %v", name, fv)}
-			}
-			return int64(bs), nil
-		}
-		return 0, nil
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.GreaterThanOrEqualTo(version, "1.48") {
-		bs, err := parseBytesFromFormValue("reserved-space")
-		if err != nil {
-			return err
-		} else if bs == 0 {
-			// Deprecated parameter. Only checked if reserved-space is not used.
-			bs, err = parseBytesFromFormValue("keep-storage")
-			if err != nil {
-				return err
-			}
-		}
-		opts.ReservedSpace = bs
-
-		if bs, err := parseBytesFromFormValue("max-used-space"); err != nil {
-			return err
-		} else {
-			opts.MaxUsedSpace = bs
-		}
-
-		if bs, err := parseBytesFromFormValue("min-free-space"); err != nil {
-			return err
-		} else {
-			opts.MinFreeSpace = bs
-		}
-	} else {
-		// Only keep-storage was valid in pre-1.48 versions.
-		bs, err := parseBytesFromFormValue("keep-storage")
-		if err != nil {
-			return err
-		}
-		opts.ReservedSpace = bs
+		All:         httputils.BoolValue(r, "all"),
+		Filters:     fltrs,
+		KeepStorage: int64(ks),
 	}

 	report, err := br.backend.PruneCache(ctx, opts)
@@ -281,9 +245,8 @@ func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *
 			return err
 		}
 		_, err = output.Write(streamformatter.FormatError(err))
-		// don't log broken pipe errors as this is the normal case when a client aborts.
-		if err != nil && !errors.Is(err, syscall.EPIPE) {
-			log.G(ctx).WithError(err).Warn("could not write error response")
+		if err != nil {
+			log.G(ctx).Warnf("could not write error response: %v", err)
 		}
 		return nil
 	}
@@ -318,9 +281,6 @@ func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *
 		ProgressWriter: buildProgressWriter(out, wantAux, createProgressReader),
 	})
 	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.G(ctx).Debug("build canceled")
-		}
 		return errf(err)
 	}

@@ -380,12 +340,8 @@ type flusher interface {
 	Flush()
 }

-type nopFlusher struct{}
-
-func (f *nopFlusher) Flush() {}
-
 func wrapOutputBufferedUntilRequestRead(rc io.ReadCloser, out io.Writer) (io.ReadCloser, io.Writer) {
-	var fl flusher = &nopFlusher{}
+	var fl flusher = &ioutils.NopFlusher{}
 	if f, ok := out.(flusher); ok {
 		fl = f
 	}
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"io"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
@@ -13,19 +14,19 @@ import (

 // execBackend includes functions to implement to provide exec functionality.
 type execBackend interface {
-	ContainerExecCreate(name string, options *container.ExecOptions) (string, error)
+	ContainerExecCreate(name string, config *types.ExecConfig) (string, error)
 	ContainerExecInspect(id string) (*backend.ExecInspect, error)
-	ContainerExecResize(ctx context.Context, name string, height, width uint32) error
-	ContainerExecStart(ctx context.Context, name string, options backend.ExecStartConfig) error
+	ContainerExecResize(name string, height, width int) error
+	ContainerExecStart(ctx context.Context, name string, options container.ExecStartOptions) error
 	ExecExists(name string) (bool, error)
 }

 // copyBackend includes functions to implement to provide container copy functionality.
 type copyBackend interface {
-	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *container.PathStat, err error)
+	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *types.ContainerPathStat, err error)
 	ContainerExport(ctx context.Context, name string, out io.Writer) error
 	ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error
-	ContainerStatPath(name string, path string) (stat *container.PathStat, err error)
+	ContainerStatPath(name string, path string) (stat *types.ContainerPathStat, err error)
 }

 // stateBackend includes functions to implement to provide container state lifecycle functionality.
@@ -34,24 +35,24 @@ type stateBackend interface {
 	ContainerKill(name string, signal string) error
 	ContainerPause(name string) error
 	ContainerRename(oldName, newName string) error
-	ContainerResize(ctx context.Context, name string, height, width uint32) error
+	ContainerResize(name string, height, width int) error
 	ContainerRestart(ctx context.Context, name string, options container.StopOptions) error
 	ContainerRm(name string, config *backend.ContainerRmConfig) error
 	ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error
 	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
 	ContainerUnpause(name string) error
-	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.UpdateResponse, error)
+	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error)
 	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
 }

 // monitorBackend includes functions to implement to provide containers monitoring functionality.
 type monitorBackend interface {
 	ContainerChanges(ctx context.Context, name string) ([]archive.Change, error)
-	ContainerInspect(ctx context.Context, name string, options backend.ContainerInspectOptions) (*container.InspectResponse, error)
+	ContainerInspect(ctx context.Context, name string, size bool, version string) (interface{}, error)
 	ContainerLogs(ctx context.Context, name string, config *container.LogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
 	ContainerStats(ctx context.Context, name string, config *backend.ContainerStatsConfig) error
-	ContainerTop(name string, psArgs string) (*container.TopResponse, error)
-	Containers(ctx context.Context, config *container.ListOptions) ([]*container.Summary, error)
+	ContainerTop(name string, psArgs string) (*container.ContainerTopOKBody, error)
+	Containers(ctx context.Context, config *container.ListOptions) ([]*types.Container, error)
 }

 // attachBackend includes function to implement to provide container attaching functionality.
@@ -61,7 +62,7 @@ type attachBackend interface {

 // systemBackend includes functions to implement to provide system wide containers functionality
 type systemBackend interface {
-	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*container.PruneReport, error)
+	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*types.ContainersPruneReport, error)
 }

 type commitBackend interface {
--- a/api/server/router/container/container.go
+++ b/api/server/router/container/container.go
@@ -25,47 +25,47 @@ func NewRouter(b Backend, decoder httputils.ContainerDecoder, cgroup2 bool) rout
 }

 // Routes returns the available routes to the container controller
-func (c *containerRouter) Routes() []router.Route {
-	return c.routes
+func (r *containerRouter) Routes() []router.Route {
+	return r.routes
 }

 // initRoutes initializes the routes in container router
-func (c *containerRouter) initRoutes() {
-	c.routes = []router.Route{
+func (r *containerRouter) initRoutes() {
+	r.routes = []router.Route{
 		// HEAD
-		router.NewHeadRoute("/containers/{name:.*}/archive", c.headContainersArchive),
+		router.NewHeadRoute("/containers/{name:.*}/archive", r.headContainersArchive),
 		// GET
-		router.NewGetRoute("/containers/json", c.getContainersJSON),
-		router.NewGetRoute("/containers/{name:.*}/export", c.getContainersExport),
-		router.NewGetRoute("/containers/{name:.*}/changes", c.getContainersChanges),
-		router.NewGetRoute("/containers/{name:.*}/json", c.getContainersByName),
-		router.NewGetRoute("/containers/{name:.*}/top", c.getContainersTop),
-		router.NewGetRoute("/containers/{name:.*}/logs", c.getContainersLogs),
-		router.NewGetRoute("/containers/{name:.*}/stats", c.getContainersStats),
-		router.NewGetRoute("/containers/{name:.*}/attach/ws", c.wsContainersAttach),
-		router.NewGetRoute("/exec/{id:.*}/json", c.getExecByID),
-		router.NewGetRoute("/containers/{name:.*}/archive", c.getContainersArchive),
+		router.NewGetRoute("/containers/json", r.getContainersJSON),
+		router.NewGetRoute("/containers/{name:.*}/export", r.getContainersExport),
+		router.NewGetRoute("/containers/{name:.*}/changes", r.getContainersChanges),
+		router.NewGetRoute("/containers/{name:.*}/json", r.getContainersByName),
+		router.NewGetRoute("/containers/{name:.*}/top", r.getContainersTop),
+		router.NewGetRoute("/containers/{name:.*}/logs", r.getContainersLogs),
+		router.NewGetRoute("/containers/{name:.*}/stats", r.getContainersStats),
+		router.NewGetRoute("/containers/{name:.*}/attach/ws", r.wsContainersAttach),
+		router.NewGetRoute("/exec/{id:.*}/json", r.getExecByID),
+		router.NewGetRoute("/containers/{name:.*}/archive", r.getContainersArchive),
 		// POST
-		router.NewPostRoute("/containers/create", c.postContainersCreate),
-		router.NewPostRoute("/containers/{name:.*}/kill", c.postContainersKill),
-		router.NewPostRoute("/containers/{name:.*}/pause", c.postContainersPause),
-		router.NewPostRoute("/containers/{name:.*}/unpause", c.postContainersUnpause),
-		router.NewPostRoute("/containers/{name:.*}/restart", c.postContainersRestart),
-		router.NewPostRoute("/containers/{name:.*}/start", c.postContainersStart),
-		router.NewPostRoute("/containers/{name:.*}/stop", c.postContainersStop),
-		router.NewPostRoute("/containers/{name:.*}/wait", c.postContainersWait),
-		router.NewPostRoute("/containers/{name:.*}/resize", c.postContainersResize),
-		router.NewPostRoute("/containers/{name:.*}/attach", c.postContainersAttach),
-		router.NewPostRoute("/containers/{name:.*}/exec", c.postContainerExecCreate),
-		router.NewPostRoute("/exec/{name:.*}/start", c.postContainerExecStart),
-		router.NewPostRoute("/exec/{name:.*}/resize", c.postContainerExecResize),
-		router.NewPostRoute("/containers/{name:.*}/rename", c.postContainerRename),
-		router.NewPostRoute("/containers/{name:.*}/update", c.postContainerUpdate),
-		router.NewPostRoute("/containers/prune", c.postContainersPrune),
-		router.NewPostRoute("/commit", c.postCommit),
+		router.NewPostRoute("/containers/create", r.postContainersCreate),
+		router.NewPostRoute("/containers/{name:.*}/kill", r.postContainersKill),
+		router.NewPostRoute("/containers/{name:.*}/pause", r.postContainersPause),
+		router.NewPostRoute("/containers/{name:.*}/unpause", r.postContainersUnpause),
+		router.NewPostRoute("/containers/{name:.*}/restart", r.postContainersRestart),
+		router.NewPostRoute("/containers/{name:.*}/start", r.postContainersStart),
+		router.NewPostRoute("/containers/{name:.*}/stop", r.postContainersStop),
+		router.NewPostRoute("/containers/{name:.*}/wait", r.postContainersWait),
+		router.NewPostRoute("/containers/{name:.*}/resize", r.postContainersResize),
+		router.NewPostRoute("/containers/{name:.*}/attach", r.postContainersAttach),
+		router.NewPostRoute("/containers/{name:.*}/exec", r.postContainerExecCreate),
+		router.NewPostRoute("/exec/{name:.*}/start", r.postContainerExecStart),
+		router.NewPostRoute("/exec/{name:.*}/resize", r.postContainerExecResize),
+		router.NewPostRoute("/containers/{name:.*}/rename", r.postContainerRename),
+		router.NewPostRoute("/containers/{name:.*}/update", r.postContainerUpdate),
+		router.NewPostRoute("/containers/prune", r.postContainersPrune),
+		router.NewPostRoute("/commit", r.postCommit),
 		// PUT
-		router.NewPutRoute("/containers/{name:.*}/archive", c.putContainersArchive),
+		router.NewPutRoute("/containers/{name:.*}/archive", r.putContainersArchive),
 		// DELETE
-		router.NewDeleteRoute("/containers/{name:.*}", c.deleteContainers),
+		router.NewDeleteRoute("/containers/{name:.*}", r.deleteContainers),
 	}
 }
--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -10,8 +10,8 @@ import (
 	"strconv"
 	"strings"

+	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/log"
-	"github.com/containerd/platforms"
 	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
@@ -22,18 +22,15 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
 	containerpkg "github.com/docker/docker/container"
-	networkSettings "github.com/docker/docker/daemon/network"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/runconfig"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
-	"go.opentelemetry.io/otel"
 	"golang.org/x/net/websocket"
 )

-func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -42,14 +39,7 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	// FIXME(thaJeztah): change this to unmarshal just [container.Config]:
-	// The commit endpoint accepts a [container.Config], but the decoder uses a
-	// [container.CreateRequest], which is a superset, and also contains
-	// [container.HostConfig] and [network.NetworkConfig]. Those structs
-	// are discarded here, but decoder.DecodeConfig also performs validation,
-	// so a request containing those additional fields would result in a
-	// validation error.
-	config, _, _, err := c.decoder.DecodeConfig(r.Body)
+	config, _, _, err := s.decoder.DecodeConfig(r.Body)
 	if err != nil && !errors.Is(err, io.EOF) { // Do not fail if body is empty.
 		return err
 	}
@@ -59,7 +49,7 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return errdefs.InvalidParameter(err)
 	}

-	imgID, err := c.backend.CreateImageFromContainer(ctx, r.Form.Get("container"), &backend.CreateImageConfig{
+	imgID, err := s.backend.CreateImageFromContainer(ctx, r.Form.Get("container"), &backend.CreateImageConfig{
 		Pause:   httputils.BoolValueOrDefault(r, "pause", true), // TODO(dnephin): remove pause arg, and always pause in backend
 		Tag:     ref,
 		Author:  r.Form.Get("author"),
@@ -71,10 +61,10 @@ func (c *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter,
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &container.CommitResponse{ID: imgID})
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{ID: imgID})
 }

-func (c *containerRouter) getContainersJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -99,31 +89,15 @@ func (c *containerRouter) getContainersJSON(ctx context.Context, w http.Response
 		config.Limit = limit
 	}

-	containers, err := c.backend.Containers(ctx, config)
+	containers, err := s.backend.Containers(ctx, config)
 	if err != nil {
 		return err
 	}

-	version := httputils.VersionFromContext(ctx)
-
-	if versions.LessThan(version, "1.46") {
-		for _, c := range containers {
-			// Ignore HostConfig.Annotations because it was added in API v1.46.
-			c.HostConfig.Annotations = nil
-		}
-	}
-
-	if versions.LessThan(version, "1.48") {
-		// ImageManifestDescriptor information was added in API 1.48
-		for _, c := range containers {
-			c.ImageManifestDescriptor = nil
-		}
-	}
-
 	return httputils.WriteJSON(w, http.StatusOK, containers)
 }

-func (c *containerRouter) getContainersStats(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersStats(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -137,23 +111,14 @@ func (c *containerRouter) getContainersStats(ctx context.Context, w http.Respons
 		oneShot = httputils.BoolValueOrDefault(r, "one-shot", false)
 	}

-	return c.backend.ContainerStats(ctx, vars["name"], &backend.ContainerStatsConfig{
-		Stream:  stream,
-		OneShot: oneShot,
-		OutStream: func() io.Writer {
-			// Assume that when this is called the request is OK.
-			w.WriteHeader(http.StatusOK)
-			if !stream {
-				return w
-			}
-			wf := ioutils.NewWriteFlusher(w)
-			wf.Flush()
-			return wf
-		},
+	return s.backend.ContainerStats(ctx, vars["name"], &backend.ContainerStatsConfig{
+		Stream:    stream,
+		OneShot:   oneShot,
+		OutStream: w,
 	})
 }

-func (c *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -180,7 +145,7 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 		Details:    httputils.BoolValue(r, "details"),
 	}

-	msgs, tty, err := c.backend.ContainerLogs(ctx, containerName, logsConfig)
+	msgs, tty, err := s.backend.ContainerLogs(ctx, containerName, logsConfig)
 	if err != nil {
 		return err
 	}
@@ -199,14 +164,11 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 	return nil
 }

-func (c *containerRouter) getContainersExport(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return c.backend.ContainerExport(ctx, vars["name"], w)
+func (s *containerRouter) getContainersExport(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return s.backend.ContainerExport(ctx, vars["name"], w)
 }

-func (c *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	ctx, span := otel.Tracer("").Start(ctx, "containerRouter.postContainersStart")
-	defer span.End()
-
+func (s *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	// If contentLength is -1, we can assumed chunked encoding
 	// or more technically that the length is unknown
 	// https://golang.org/src/pkg/net/http/request.go#L139
@@ -223,7 +185,7 @@ func (c *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 		return err
 	}

-	if err := c.backend.ContainerStart(ctx, vars["name"], r.Form.Get("checkpoint"), r.Form.Get("checkpoint-dir")); err != nil {
+	if err := s.backend.ContainerStart(ctx, vars["name"], r.Form.Get("checkpoint"), r.Form.Get("checkpoint-dir")); err != nil {
 		return err
 	}

@@ -231,7 +193,7 @@ func (c *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 	return nil
 }

-func (c *containerRouter) postContainersStop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersStop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -251,7 +213,7 @@ func (c *containerRouter) postContainersStop(ctx context.Context, w http.Respons
 		options.Timeout = &valSeconds
 	}

-	if err := c.backend.ContainerStop(ctx, vars["name"], options); err != nil {
+	if err := s.backend.ContainerStop(ctx, vars["name"], options); err != nil {
 		return err
 	}

@@ -259,13 +221,13 @@ func (c *containerRouter) postContainersStop(ctx context.Context, w http.Respons
 	return nil
 }

-func (c *containerRouter) postContainersKill(_ context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersKill(_ context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

 	name := vars["name"]
-	if err := c.backend.ContainerKill(name, r.Form.Get("signal")); err != nil {
+	if err := s.backend.ContainerKill(name, r.Form.Get("signal")); err != nil {
 		return errors.Wrapf(err, "cannot kill container: %s", name)
 	}

@@ -273,7 +235,7 @@ func (c *containerRouter) postContainersKill(_ context.Context, w http.ResponseW
 	return nil
 }

-func (c *containerRouter) postContainersRestart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersRestart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -293,7 +255,7 @@ func (c *containerRouter) postContainersRestart(ctx context.Context, w http.Resp
 		options.Timeout = &valSeconds
 	}

-	if err := c.backend.ContainerRestart(ctx, vars["name"], options); err != nil {
+	if err := s.backend.ContainerRestart(ctx, vars["name"], options); err != nil {
 		return err
 	}

@@ -301,12 +263,12 @@ func (c *containerRouter) postContainersRestart(ctx context.Context, w http.Resp
 	return nil
 }

-func (c *containerRouter) postContainersPause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersPause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	if err := c.backend.ContainerPause(vars["name"]); err != nil {
+	if err := s.backend.ContainerPause(vars["name"]); err != nil {
 		return err
 	}

@@ -315,12 +277,12 @@ func (c *containerRouter) postContainersPause(ctx context.Context, w http.Respon
 	return nil
 }

-func (c *containerRouter) postContainersUnpause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersUnpause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	if err := c.backend.ContainerUnpause(vars["name"]); err != nil {
+	if err := s.backend.ContainerUnpause(vars["name"]); err != nil {
 		return err
 	}

@@ -329,7 +291,7 @@ func (c *containerRouter) postContainersUnpause(ctx context.Context, w http.Resp
 	return nil
 }

-func (c *containerRouter) postContainersWait(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersWait(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	// Behavior changed in version 1.30 to handle wait condition and to
 	// return headers immediately.
 	version := httputils.VersionFromContext(ctx)
@@ -357,7 +319,7 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 		}
 	}

-	waitC, err := c.backend.ContainerWait(ctx, vars["name"], waitCondition)
+	waitC, err := s.backend.ContainerWait(ctx, vars["name"], waitCondition)
 	if err != nil {
 		return err
 	}
@@ -394,8 +356,8 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 	})
 }

-func (c *containerRouter) getContainersChanges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	changes, err := c.backend.ContainerChanges(ctx, vars["name"])
+func (s *containerRouter) getContainersChanges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	changes, err := s.backend.ContainerChanges(ctx, vars["name"])
 	if err != nil {
 		return err
 	}
@@ -403,12 +365,12 @@ func (c *containerRouter) getContainersChanges(ctx context.Context, w http.Respo
 	return httputils.WriteJSON(w, http.StatusOK, changes)
 }

-func (c *containerRouter) getContainersTop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersTop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	procList, err := c.backend.ContainerTop(vars["name"], r.Form.Get("ps_args"))
+	procList, err := s.backend.ContainerTop(vars["name"], r.Form.Get("ps_args"))
 	if err != nil {
 		return err
 	}
@@ -416,21 +378,21 @@ func (c *containerRouter) getContainersTop(ctx context.Context, w http.ResponseW
 	return httputils.WriteJSON(w, http.StatusOK, procList)
 }

-func (c *containerRouter) postContainerRename(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerRename(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

 	name := vars["name"]
 	newName := r.Form.Get("name")
-	if err := c.backend.ContainerRename(name, newName); err != nil {
+	if err := s.backend.ContainerRename(name, newName); err != nil {
 		return err
 	}
 	w.WriteHeader(http.StatusNoContent)
 	return nil
 }

-func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -462,7 +424,7 @@ func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	}

 	name := vars["name"]
-	resp, err := c.backend.ContainerUpdate(name, hostConfig)
+	resp, err := s.backend.ContainerUpdate(name, hostConfig)
 	if err != nil {
 		return err
 	}
@@ -470,7 +432,7 @@ func (c *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	return httputils.WriteJSON(w, http.StatusOK, resp)
 }

-func (c *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -480,7 +442,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo

 	name := r.Form.Get("name")

-	config, hostConfig, networkingConfig, err := c.decoder.DecodeConfig(r.Body)
+	config, hostConfig, networkingConfig, err := s.decoder.DecodeConfig(r.Body)
 	if err != nil {
 		if errors.Is(err, io.EOF) {
 			return errdefs.InvalidParameter(errors.New("invalid JSON: got EOF while reading request body"))
@@ -494,27 +456,15 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	if hostConfig == nil {
 		hostConfig = &container.HostConfig{}
 	}
+	if hostConfig.NetworkMode == "" {
+		hostConfig.NetworkMode = "default"
+	}
 	if networkingConfig == nil {
 		networkingConfig = &network.NetworkingConfig{}
 	}
 	if networkingConfig.EndpointsConfig == nil {
 		networkingConfig.EndpointsConfig = make(map[string]*network.EndpointSettings)
 	}
-	// The NetworkMode "default" is used as a way to express a container should
-	// be attached to the OS-dependant default network, in an OS-independent
-	// way. Doing this conversion as soon as possible ensures we have less
-	// NetworkMode to handle down the path (including in the
-	// backward-compatibility layer we have just below).
-	//
-	// Note that this is not the only place where this conversion has to be
-	// done (as there are various other places where containers get created).
-	if hostConfig.NetworkMode == "" || hostConfig.NetworkMode.IsDefault() {
-		hostConfig.NetworkMode = networkSettings.DefaultNetwork
-		if nw, ok := networkingConfig.EndpointsConfig[network.NetworkDefault]; ok {
-			networkingConfig.EndpointsConfig[hostConfig.NetworkMode.NetworkName()] = nw
-			delete(networkingConfig.EndpointsConfig, network.NetworkDefault)
-		}
-	}

 	version := httputils.VersionFromContext(ctx)

@@ -542,7 +492,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo

 	if versions.LessThan(version, "1.41") {
 		// Older clients expect the default to be "host" on cgroup v1 hosts
-		if !c.cgroup2 && hostConfig.CgroupnsMode.IsEmpty() {
+		if !s.cgroup2 && hostConfig.CgroupnsMode.IsEmpty() {
 			hostConfig.CgroupnsMode = container.CgroupnsModeHost
 		}
 	}
@@ -650,35 +600,13 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}
 	}

-	if versions.LessThan(version, "1.48") {
-		for _, epConfig := range networkingConfig.EndpointsConfig {
-			// Before 1.48, all endpoints had the same priority, so
-			// reinitialize this field.
-			epConfig.GwPriority = 0
-		}
-		for _, m := range hostConfig.Mounts {
-			if m.Type == mount.TypeImage {
-				return errdefs.InvalidParameter(errors.New(`Mount type "Image" needs API v1.48 or newer`))
-			}
-		}
-	}
-
 	var warnings []string
-	if warn := handleVolumeDriverBC(version, hostConfig); warn != "" {
-		warnings = append(warnings, warn)
-	}
 	if warn, err := handleMACAddressBC(config, hostConfig, networkingConfig, version); err != nil {
 		return err
 	} else if warn != "" {
 		warnings = append(warnings, warn)
 	}

-	if warn, err := handleSysctlBC(hostConfig, networkingConfig, version); err != nil {
-		return err
-	} else if warn != "" {
-		warnings = append(warnings, warn)
-	}
-
 	if hostConfig.PidsLimit != nil && *hostConfig.PidsLimit <= 0 {
 		// Don't set a limit if either no limit was specified, or "unlimited" was
 		// explicitly set.
@@ -687,7 +615,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		hostConfig.PidsLimit = nil
 	}

-	ccr, err := c.backend.ContainerCreate(ctx, backend.ContainerCreateConfig{
+	ccr, err := s.backend.ContainerCreate(ctx, backend.ContainerCreateConfig{
 		Name:                        name,
 		Config:                      config,
 		HostConfig:                  hostConfig,
@@ -695,12 +623,6 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		Platform:                    platform,
 		DefaultReadOnlyNonRecursive: defaultReadOnlyNonRecursive,
 	})
-
-	// Log warnings for debugging, regardless if the request was successful or not.
-	if len(ccr.Warnings) > 0 {
-		log.G(ctx).WithField("warnings", ccr.Warnings).Debug("warnings encountered during container create request")
-	}
-
 	if err != nil {
 		return err
 	}
@@ -708,27 +630,6 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	return httputils.WriteJSON(w, http.StatusCreated, ccr)
 }

-// handleVolumeDriverBC handles the use of the container-wide "VolumeDriver"
-// option when the Mounts API is used for volumes. It produces a warning
-// on API 1.48 and up. Older versions of the API did not produce a warning,
-// but the CLI would do so.
-func handleVolumeDriverBC(version string, hostConfig *container.HostConfig) (warning string) {
-	if hostConfig.VolumeDriver == "" || versions.LessThan(version, "1.48") {
-		return ""
-	}
-	for _, m := range hostConfig.Mounts {
-		if m.Type != mount.TypeVolume {
-			continue
-		}
-		if m.VolumeOptions != nil && m.VolumeOptions.DriverConfig != nil && m.VolumeOptions.DriverConfig.Name != "" {
-			// Driver was configured for this mount, so no ambiguity.
-			continue
-		}
-		return "WARNING: the container-wide volume-driver configuration is ignored for volumes specified via 'mount'. Use '--mount type=volume,volume-driver=...' instead"
-	}
-	return ""
-}
-
 // handleMACAddressBC takes care of backward-compatibility for the container-wide MAC address by mutating the
 // networkingConfig to set the endpoint-specific MACAddress field introduced in API v1.44. It returns a warning message
 // or an error if the container-wide field was specified for API >= v1.44.
@@ -745,15 +646,27 @@ func handleMACAddressBC(config *container.Config, hostConfig *container.HostConf
 			}
 			return "", nil
 		}
-		if !hostConfig.NetworkMode.IsBridge() && !hostConfig.NetworkMode.IsUserDefined() {
+		if !hostConfig.NetworkMode.IsDefault() && !hostConfig.NetworkMode.IsBridge() && !hostConfig.NetworkMode.IsUserDefined() {
 			return "", runconfig.ErrConflictContainerNetworkAndMac
 		}

-		epConfig, err := epConfigForNetMode(version, hostConfig.NetworkMode, networkingConfig)
-		if err != nil {
-			return "", err
+		// There cannot be more than one entry in EndpointsConfig with API < 1.44.
+
+		// If there's no EndpointsConfig, create a place to store the configured address. It is
+		// safe to use NetworkMode as the network name, whether it's a name or id/short-id, as
+		// it will be normalised later and there is no other EndpointSettings object that might
+		// refer to this network/endpoint.
+		if len(networkingConfig.EndpointsConfig) == 0 {
+			nwName := hostConfig.NetworkMode.NetworkName()
+			networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{}
+		}
+		// There's exactly one network in EndpointsConfig, either from the API or just-created.
+		// Migrate the container-wide setting to it.
+		// No need to check for a match between NetworkMode and the names/ids in EndpointsConfig,
+		// the old version of the API would have applied the address to this network anyway.
+		for _, ep := range networkingConfig.EndpointsConfig {
+			ep.MacAddress = deprecatedMacAddress
 		}
-		epConfig.MacAddress = deprecatedMacAddress
 		return "", nil
 	}

@@ -762,17 +675,32 @@ func handleMACAddressBC(config *container.Config, hostConfig *container.HostConf
 		return "", nil
 	}
 	var warning string
-	if hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
-		ep, err := epConfigForNetMode(version, hostConfig.NetworkMode, networkingConfig)
-		if err != nil {
-			return "", errors.Wrap(err, "unable to migrate container-wide MAC address to a specific network")
-		}
-		// ep is the endpoint that needs the container-wide MAC address; migrate the address
-		// to it, or bail out if there's a mismatch.
-		if ep.MacAddress == "" {
-			ep.MacAddress = deprecatedMacAddress
-		} else if ep.MacAddress != deprecatedMacAddress {
-			return "", errdefs.InvalidParameter(errors.New("the container-wide MAC address must match the endpoint-specific MAC address for the main network, or be left empty"))
+	if hostConfig.NetworkMode.IsDefault() || hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
+		nwName := hostConfig.NetworkMode.NetworkName()
+		// If there's no endpoint config, create a place to store the configured address.
+		if len(networkingConfig.EndpointsConfig) == 0 {
+			networkingConfig.EndpointsConfig[nwName] = &network.EndpointSettings{
+				MacAddress: deprecatedMacAddress,
+			}
+		} else {
+			// There is existing endpoint config - if it's not indexed by NetworkMode.Name(), we
+			// can't tell which network the container-wide settings was intended for. NetworkMode,
+			// the keys in EndpointsConfig and the NetworkID in EndpointsConfig may mix network
+			// name/id/short-id. It's not safe to create EndpointsConfig under the NetworkMode
+			// name to store the container-wide MAC address, because that may result in two sets
+			// of EndpointsConfig for the same network and one set will be discarded later. So,
+			// reject the request ...
+			ep, ok := networkingConfig.EndpointsConfig[nwName]
+			if !ok {
+				return "", errdefs.InvalidParameter(errors.New("if a container-wide MAC address is supplied, HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks"))
+			}
+			// ep is the endpoint that needs the container-wide MAC address; migrate the address
+			// to it, or bail out if there's a mismatch.
+			if ep.MacAddress == "" {
+				ep.MacAddress = deprecatedMacAddress
+			} else if ep.MacAddress != deprecatedMacAddress {
+				return "", errdefs.InvalidParameter(errors.New("the container-wide MAC address must match the endpoint-specific MAC address for the main network, or be left empty"))
+			}
 		}
 	}
 	warning = "The container-wide MacAddress field is now deprecated. It should be specified in EndpointsConfig instead."
@@ -781,147 +709,7 @@ func handleMACAddressBC(config *container.Config, hostConfig *container.HostConf
 	return warning, nil
 }

-// handleSysctlBC migrates top level network endpoint-specific '--sysctl'
-// settings to an DriverOpts for an endpoint. This is necessary because sysctls
-// are applied during container task creation, but sysctls that name an interface
-// (for example 'net.ipv6.conf.eth0.forwarding') cannot be applied until the
-// interface has been created. So, these settings are removed from hostConfig.Sysctls
-// and added to DriverOpts[netlabel.EndpointSysctls].
-//
-// Because interface names ('ethN') are allocated sequentially, and the order of
-// network connections is not deterministic on container restart, only 'eth0'
-// would work reliably in a top-level '--sysctl' option, and then only when
-// there's a single initial network connection. So, settings for 'eth0' are
-// migrated to the primary interface, identified by 'hostConfig.NetworkMode'.
-// Settings for other interfaces are treated as errors.
-//
-// In the DriverOpts, because the interface name cannot be determined in advance, the
-// interface name is replaced by "IFNAME". For example, 'net.ipv6.conf.eth0.forwarding'
-// becomes 'net.ipv6.conf.IFNAME.forwarding'. The value in DriverOpts is a
-// comma-separated list.
-//
-// A warning is generated when settings are migrated.
-func handleSysctlBC(
-	hostConfig *container.HostConfig,
-	netConfig *network.NetworkingConfig,
-	version string,
-) (string, error) {
-	if !hostConfig.NetworkMode.IsPrivate() {
-		return "", nil
-	}
-
-	var ep *network.EndpointSettings
-	var toDelete []string
-	var netIfSysctls []string
-	for k, v := range hostConfig.Sysctls {
-		// If the sysctl name matches "net.*.*.eth0.*" ...
-		if spl := strings.SplitN(k, ".", 5); len(spl) == 5 && spl[0] == "net" && strings.HasPrefix(spl[3], "eth") {
-			netIfSysctl := fmt.Sprintf("net.%s.%s.IFNAME.%s=%s", spl[1], spl[2], spl[4], v)
-			// Find the EndpointConfig to migrate settings to, if not already found.
-			if ep == nil {
-				// Per-endpoint sysctls were introduced in API version 1.46. Migration is
-				// needed, but refuse to do it automatically for API 1.48 and newer.
-				if versions.GreaterThan(version, "1.47") {
-					return "", fmt.Errorf("interface specific sysctl setting %q must be supplied using driver option '%s'",
-						k, netlabel.EndpointSysctls)
-				}
-				var err error
-				ep, err = epConfigForNetMode(version, hostConfig.NetworkMode, netConfig)
-				if err != nil {
-					return "", fmt.Errorf("unable to find a network for sysctl %s: %w", k, err)
-				}
-			}
-			// Only try to migrate settings for "eth0", anything else would always
-			// have behaved unpredictably.
-			if spl[3] != "eth0" {
-				return "", fmt.Errorf(`unable to determine network endpoint for sysctl %s, use driver option '%s' to set per-interface sysctls`,
-					k, netlabel.EndpointSysctls)
-			}
-			// Prepare the migration.
-			toDelete = append(toDelete, k)
-			netIfSysctls = append(netIfSysctls, netIfSysctl)
-		}
-	}
-	if ep == nil {
-		return "", nil
-	}
-
-	newDriverOpt := strings.Join(netIfSysctls, ",")
-	warning := fmt.Sprintf(`Migrated sysctl %q to DriverOpts{%q:%q}.`,
-		strings.Join(toDelete, ","),
-		netlabel.EndpointSysctls, newDriverOpt)
-
-	// Append existing per-endpoint sysctls to the migrated sysctls (give priority
-	// to per-endpoint settings).
-	if ep.DriverOpts == nil {
-		ep.DriverOpts = map[string]string{}
-	}
-	if oldDriverOpt, ok := ep.DriverOpts[netlabel.EndpointSysctls]; ok {
-		newDriverOpt += "," + oldDriverOpt
-	}
-	ep.DriverOpts[netlabel.EndpointSysctls] = newDriverOpt
-
-	// Delete migrated settings from the top-level sysctls.
-	for _, k := range toDelete {
-		delete(hostConfig.Sysctls, k)
-	}
-
-	return warning, nil
-}
-
-// epConfigForNetMode finds, or creates, an entry in netConfig.EndpointsConfig
-// corresponding to nwMode.
-//
-// nwMode.NetworkName() may be the network's name, its id, or its short-id.
-//
-// The corresponding endpoint in netConfig.EndpointsConfig may be keyed on a
-// different one of name/id/short-id. If there's any ambiguity (there are
-// endpoints but the names don't match), return an error and do not create a new
-// endpoint, because it might be a duplicate.
-func epConfigForNetMode(
-	version string,
-	nwMode container.NetworkMode,
-	netConfig *network.NetworkingConfig,
-) (*network.EndpointSettings, error) {
-	nwName := nwMode.NetworkName()
-
-	// It's always safe to create an EndpointsConfig entry under nwName if there are
-	// no entries already (because there can't be an entry for this network nwName
-	// refers to under any other name/short-id/id).
-	if len(netConfig.EndpointsConfig) == 0 {
-		es := &network.EndpointSettings{}
-		netConfig.EndpointsConfig = map[string]*network.EndpointSettings{
-			nwName: es,
-		}
-		return es, nil
-	}
-
-	// There cannot be more than one entry in EndpointsConfig with API < 1.44.
-	if versions.LessThan(version, "1.44") {
-		// No need to check for a match between NetworkMode and the names/ids in EndpointsConfig,
-		// the old version of the API would pick this network anyway.
-		for _, ep := range netConfig.EndpointsConfig {
-			return ep, nil
-		}
-	}
-
-	// There is existing endpoint config - if it's not indexed by NetworkMode.Name(), we
-	// can't tell which network the container-wide settings are intended for. NetworkMode,
-	// the keys in EndpointsConfig and the NetworkID in EndpointsConfig may mix network
-	// name/id/short-id. It's not safe to create EndpointsConfig under the NetworkMode
-	// name to store the container-wide setting, because that may result in two sets
-	// of EndpointsConfig for the same network and one set will be discarded later. So,
-	// reject the request ...
-	ep, ok := netConfig.EndpointsConfig[nwName]
-	if !ok {
-		return nil, errdefs.InvalidParameter(
-			errors.New("HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks"))
-	}
-
-	return ep, nil
-}
-
-func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) deleteContainers(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -933,7 +721,7 @@ func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseW
 		RemoveLink:   httputils.BoolValue(r, "link"),
 	}

-	if err := c.backend.ContainerRm(name, config); err != nil {
+	if err := s.backend.ContainerRm(name, config); err != nil {
 		return err
 	}

@@ -942,24 +730,24 @@ func (c *containerRouter) deleteContainers(ctx context.Context, w http.ResponseW
 	return nil
 }

-func (c *containerRouter) postContainersResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	height, err := httputils.Uint32Value(r, "h")
+	height, err := strconv.Atoi(r.Form.Get("h"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize height %q", r.Form.Get("h")))
+		return errdefs.InvalidParameter(err)
 	}
-	width, err := httputils.Uint32Value(r, "w")
+	width, err := strconv.Atoi(r.Form.Get("w"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize width %q", r.Form.Get("w")))
+		return errdefs.InvalidParameter(err)
 	}

-	return c.backend.ContainerResize(ctx, vars["name"], height, width)
+	return s.backend.ContainerResize(vars["name"], height, width)
 }

-func (c *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	err := httputils.ParseForm(r)
 	if err != nil {
 		return err
@@ -975,7 +763,7 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 	}

 	contentType := types.MediaTypeRawStream
-	setupStreams := func(multiplexed bool, cancel func()) (io.ReadCloser, io.Writer, io.Writer, error) {
+	setupStreams := func(multiplexed bool) (io.ReadCloser, io.Writer, io.Writer, error) {
 		conn, _, err := hijacker.Hijack()
 		if err != nil {
 			return nil, nil, nil, err
@@ -988,15 +776,11 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 			if multiplexed && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
 				contentType = types.MediaTypeMultiplexedStream
 			}
-			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
-			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: %v\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n", contentType)
+			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
 		} else {
-			// FIXME(thaJeztah): we should not ignore errors here; see https://github.com/moby/moby/pull/48359#discussion_r1725562802
-			fmt.Fprint(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
+			fmt.Fprintf(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
 		}

-		go notifyClosed(ctx, conn, cancel)
-
 		closer := func() error {
 			httputils.CloseStreams(conn)
 			return nil
@@ -1015,7 +799,7 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 		MuxStreams: true,
 	}

-	if err = c.backend.ContainerAttach(containerName, attachConfig); err != nil {
+	if err = s.backend.ContainerAttach(containerName, attachConfig); err != nil {
 		log.G(ctx).WithError(err).Errorf("Handler for %s %s returned error", r.Method, r.URL.Path)
 		// Remember to close stream if error happens
 		conn, _, errHijack := hijacker.Hijack()
@@ -1031,7 +815,7 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 	return nil
 }

-func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) wsContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -1045,7 +829,7 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons

 	version := httputils.VersionFromContext(ctx)

-	setupStreams := func(multiplexed bool, cancel func()) (io.ReadCloser, io.Writer, io.Writer, error) {
+	setupStreams := func(multiplexed bool) (io.ReadCloser, io.Writer, io.Writer, error) {
 		wsChan := make(chan *websocket.Conn)
 		h := func(conn *websocket.Conn) {
 			wsChan <- conn
@@ -1064,8 +848,6 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 		if versions.GreaterThanOrEqualTo(version, "1.28") {
 			conn.PayloadType = websocket.BinaryFrame
 		}
-
-		// TODO: Close notifications
 		return conn, conn, conn, nil
 	}

@@ -1087,7 +869,7 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 		MuxStreams: false, // never multiplex, as we rely on websocket to manage distinct streams
 	}

-	err = c.backend.ContainerAttach(containerName, attachConfig)
+	err = s.backend.ContainerAttach(containerName, attachConfig)
 	close(done)
 	select {
 	case <-started:
@@ -1102,7 +884,7 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 	return err
 }

-func (c *containerRouter) postContainersPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainersPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -1112,7 +894,7 @@ func (c *containerRouter) postContainersPrune(ctx context.Context, w http.Respon
 		return err
 	}

-	pruneReport, err := c.backend.ContainersPrune(ctx, pruneFilters)
+	pruneReport, err := s.backend.ContainersPrune(ctx, pruneFilters)
 	if err != nil {
 		return err
 	}
--- a/api/server/router/container/container_routes_test.go
+++ b/api/server/router/container/container_routes_test.go
@@ -1,12 +1,10 @@
 package container

 import (
-	"strings"
 	"testing"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/libnetwork/netlabel"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -104,7 +102,7 @@ func TestHandleMACAddressBC(t *testing.T) {
 			ctrWideMAC:    "11:22:33:44:55:66",
 			networkMode:   "aNetId",
 			epConfig:      map[string]*network.EndpointSettings{"aNetName": {}},
-			expError:      "unable to migrate container-wide MAC address to a specific network: HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks",
+			expError:      "if a container-wide MAC address is supplied, HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks",
 			expCtrWideMAC: "11:22:33:44:55:66",
 		},
 		{
@@ -128,8 +126,8 @@ func TestHandleMACAddressBC(t *testing.T) {
 			}
 			epConfig := make(map[string]*network.EndpointSettings, len(tc.epConfig))
 			for k, v := range tc.epConfig {
-				v := *v
-				epConfig[k] = &v
+				v := v
+				epConfig[k] = v
 			}
 			netCfg := &network.NetworkingConfig{
 				EndpointsConfig: epConfig,
@@ -160,191 +158,3 @@ func TestHandleMACAddressBC(t *testing.T) {
 		})
 	}
 }
-
-func TestEpConfigForNetMode(t *testing.T) {
-	testcases := []struct {
-		name        string
-		apiVersion  string
-		networkMode string
-		epConfig    map[string]*network.EndpointSettings
-		expEpId     string
-		expNumEps   int
-		expError    bool
-	}{
-		{
-			name:        "old api no eps",
-			apiVersion:  "1.43",
-			networkMode: "mynet",
-			expNumEps:   1,
-		},
-		{
-			name:        "new api no eps",
-			apiVersion:  "1.44",
-			networkMode: "mynet",
-			expNumEps:   1,
-		},
-		{
-			name:        "old api with ep",
-			apiVersion:  "1.43",
-			networkMode: "mynet",
-			epConfig: map[string]*network.EndpointSettings{
-				"anything": {EndpointID: "epone"},
-			},
-			expEpId:   "epone",
-			expNumEps: 1,
-		},
-		{
-			name:        "new api with matching ep",
-			apiVersion:  "1.44",
-			networkMode: "mynet",
-			epConfig: map[string]*network.EndpointSettings{
-				"mynet": {EndpointID: "epone"},
-			},
-			expEpId:   "epone",
-			expNumEps: 1,
-		},
-		{
-			name:        "new api with mismatched ep",
-			apiVersion:  "1.44",
-			networkMode: "mynet",
-			epConfig: map[string]*network.EndpointSettings{
-				"shortid": {EndpointID: "epone"},
-			},
-			expError: true,
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			netConfig := &network.NetworkingConfig{
-				EndpointsConfig: tc.epConfig,
-			}
-			ep, err := epConfigForNetMode(tc.apiVersion, container.NetworkMode(tc.networkMode), netConfig)
-			if tc.expError {
-				assert.Check(t, is.ErrorContains(err, "HostConfig.NetworkMode must match the identity of a network in NetworkSettings.Networks"))
-			} else {
-				assert.Assert(t, err)
-				assert.Check(t, is.Equal(ep.EndpointID, tc.expEpId))
-				assert.Check(t, is.Len(netConfig.EndpointsConfig, tc.expNumEps))
-			}
-		})
-	}
-}
-
-func TestHandleSysctlBC(t *testing.T) {
-	testcases := []struct {
-		name               string
-		apiVersion         string
-		networkMode        string
-		sysctls            map[string]string
-		epConfig           map[string]*network.EndpointSettings
-		expEpSysctls       []string
-		expSysctls         map[string]string
-		expWarningContains []string
-		expError           string
-	}{
-		{
-			name:        "migrate to new ep",
-			apiVersion:  "1.46",
-			networkMode: "mynet",
-			sysctls: map[string]string{
-				"net.ipv6.conf.all.disable_ipv6": "0",
-				"net.ipv6.conf.eth0.accept_ra":   "2",
-				"net.ipv6.conf.eth0.forwarding":  "1",
-			},
-			expSysctls: map[string]string{
-				"net.ipv6.conf.all.disable_ipv6": "0",
-			},
-			expEpSysctls: []string{"net.ipv6.conf.IFNAME.forwarding=1", "net.ipv6.conf.IFNAME.accept_ra=2"},
-			expWarningContains: []string{
-				"Migrated",
-				"net.ipv6.conf.eth0.accept_ra", "net.ipv6.conf.IFNAME.accept_ra=2",
-				"net.ipv6.conf.eth0.forwarding", "net.ipv6.conf.IFNAME.forwarding=1",
-			},
-		},
-		{
-			name:        "migrate nothing",
-			apiVersion:  "1.46",
-			networkMode: "mynet",
-			sysctls: map[string]string{
-				"net.ipv6.conf.all.disable_ipv6": "0",
-			},
-			expSysctls: map[string]string{
-				"net.ipv6.conf.all.disable_ipv6": "0",
-			},
-		},
-		{
-			name:        "migration disabled for newer api",
-			apiVersion:  "1.48",
-			networkMode: "mynet",
-			sysctls: map[string]string{
-				"net.ipv6.conf.eth0.accept_ra": "2",
-			},
-			expError: "must be supplied using driver option 'com.docker.network.endpoint.sysctls'",
-		},
-		{
-			name:        "only migrate eth0",
-			apiVersion:  "1.46",
-			networkMode: "mynet",
-			sysctls: map[string]string{
-				"net.ipv6.conf.eth1.accept_ra": "2",
-			},
-			expError: "unable to determine network endpoint",
-		},
-		{
-			name:        "net name mismatch",
-			apiVersion:  "1.46",
-			networkMode: "mynet",
-			epConfig: map[string]*network.EndpointSettings{
-				"shortid": {EndpointID: "epone"},
-			},
-			sysctls: map[string]string{
-				"net.ipv6.conf.eth1.accept_ra": "2",
-			},
-			expError: "unable to find a network for sysctl",
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			hostCfg := &container.HostConfig{
-				NetworkMode: container.NetworkMode(tc.networkMode),
-				Sysctls:     map[string]string{},
-			}
-			for k, v := range tc.sysctls {
-				hostCfg.Sysctls[k] = v
-			}
-			netCfg := &network.NetworkingConfig{
-				EndpointsConfig: tc.epConfig,
-			}
-
-			warnings, err := handleSysctlBC(hostCfg, netCfg, tc.apiVersion)
-
-			for _, s := range tc.expWarningContains {
-				assert.Check(t, is.Contains(warnings, s))
-			}
-
-			if tc.expError != "" {
-				assert.Check(t, is.ErrorContains(err, tc.expError))
-			} else {
-				assert.Check(t, err)
-
-				assert.Check(t, is.DeepEqual(hostCfg.Sysctls, tc.expSysctls))
-
-				ep := netCfg.EndpointsConfig[tc.networkMode]
-				if ep == nil {
-					assert.Check(t, is.Nil(tc.expEpSysctls))
-				} else {
-					got, ok := ep.DriverOpts[netlabel.EndpointSysctls]
-					assert.Check(t, ok)
-					// Check for expected ep-sysctls.
-					for _, want := range tc.expEpSysctls {
-						assert.Check(t, is.Contains(got, want))
-					}
-					// Check for unexpected ep-sysctls.
-					assert.Check(t, is.Len(got, len(strings.Join(tc.expEpSysctls, ","))))
-				}
-			}
-		})
-	}
-}
--- a/api/server/router/container/copy.go
+++ b/api/server/router/container/copy.go
@@ -10,12 +10,12 @@ import (
 	"net/http"

 	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types"
 	gddohttputil "github.com/golang/gddo/httputil"
 )

 // setContainerPathStatHeader encodes the stat to JSON, base64 encode, and place in a header.
-func setContainerPathStatHeader(stat *container.PathStat, header http.Header) error {
+func setContainerPathStatHeader(stat *types.ContainerPathStat, header http.Header) error {
 	statJSON, err := json.Marshal(stat)
 	if err != nil {
 		return err
@@ -29,13 +29,13 @@ func setContainerPathStatHeader(stat *container.PathStat, header http.Header) er
 	return nil
 }

-func (c *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
 	}

-	stat, err := c.backend.ContainerStatPath(v.Name, v.Path)
+	stat, err := s.backend.ContainerStatPath(v.Name, v.Path)
 	if err != nil {
 		return err
 	}
@@ -66,13 +66,13 @@ func writeCompressedResponse(w http.ResponseWriter, r *http.Request, body io.Rea
 	return err
 }

-func (c *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
 	}

-	tarArchive, stat, err := c.backend.ContainerArchivePath(v.Name, v.Path)
+	tarArchive, stat, err := s.backend.ContainerArchivePath(v.Name, v.Path)
 	if err != nil {
 		return err
 	}
@@ -86,7 +86,7 @@ func (c *containerRouter) getContainersArchive(ctx context.Context, w http.Respo
 	return writeCompressedResponse(w, r, tarArchive)
 }

-func (c *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	v, err := httputils.ArchiveFormValues(r, vars)
 	if err != nil {
 		return err
@@ -95,5 +95,5 @@ func (c *containerRouter) putContainersArchive(ctx context.Context, w http.Respo
 	noOverwriteDirNonDir := httputils.BoolValue(r, "noOverwriteDirNonDir")
 	copyUIDGID := httputils.BoolValue(r, "copyUIDGID")

-	return c.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
+	return s.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
 }
--- a/api/server/router/container/exec.go
+++ b/api/server/router/container/exec.go
@@ -5,20 +5,19 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/pkg/errors"
 )

-func (c *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	eConfig, err := c.backend.ContainerExecInspect(vars["id"])
+func (s *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	eConfig, err := s.backend.ContainerExecInspect(vars["id"])
 	if err != nil {
 		return err
 	}
@@ -34,12 +33,12 @@ func (execCommandError) Error() string {

 func (execCommandError) InvalidParameter() {}

-func (c *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}

-	execConfig := &container.ExecOptions{}
+	execConfig := &types.ExecConfig{}
 	if err := httputils.ReadJSON(r, execConfig); err != nil {
 		return err
 	}
@@ -55,19 +54,19 @@ func (c *containerRouter) postContainerExecCreate(ctx context.Context, w http.Re
 	}

 	// Register an instance of Exec in container.
-	id, err := c.backend.ContainerExecCreate(vars["name"], execConfig)
+	id, err := s.backend.ContainerExecCreate(vars["name"], execConfig)
 	if err != nil {
 		log.G(ctx).Errorf("Error setting up exec command in container %s: %v", vars["name"], err)
 		return err
 	}

-	return httputils.WriteJSON(w, http.StatusCreated, &container.ExecCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{
 		ID: id,
 	})
 }

 // TODO(vishh): Refactor the code to avoid having to specify stream config as part of both create and start.
-func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -78,30 +77,30 @@ func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.Res
 		stdout, stderr, outStream io.Writer
 	)

-	options := &container.ExecStartOptions{}
-	if err := httputils.ReadJSON(r, options); err != nil {
+	execStartCheck := &types.ExecStartCheck{}
+	if err := httputils.ReadJSON(r, execStartCheck); err != nil {
 		return err
 	}

-	if exists, err := c.backend.ExecExists(execName); !exists {
+	if exists, err := s.backend.ExecExists(execName); !exists {
 		return err
 	}

-	if options.ConsoleSize != nil {
+	if execStartCheck.ConsoleSize != nil {
 		version := httputils.VersionFromContext(ctx)

 		// Not supported before 1.42
 		if versions.LessThan(version, "1.42") {
-			options.ConsoleSize = nil
+			execStartCheck.ConsoleSize = nil
 		}

 		// No console without tty
-		if !options.Tty {
-			options.ConsoleSize = nil
+		if !execStartCheck.Tty {
+			execStartCheck.ConsoleSize = nil
 		}
 	}

-	if !options.Detach {
+	if !execStartCheck.Detach {
 		var err error
 		// Setting up the streaming http interface.
 		inStream, outStream, err = httputils.HijackConnection(w)
@@ -112,60 +111,59 @@ func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.Res

 		if _, ok := r.Header["Upgrade"]; ok {
 			contentType := types.MediaTypeRawStream
-			if !options.Tty && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
+			if !execStartCheck.Tty && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
 				contentType = types.MediaTypeMultiplexedStream
 			}
-			_, _ = fmt.Fprint(outStream, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n")
+			fmt.Fprint(outStream, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n")
 		} else {
-			_, _ = fmt.Fprint(outStream, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n")
+			fmt.Fprint(outStream, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n")
 		}

 		// copy headers that were removed as part of hijack
 		if err := w.Header().WriteSubset(outStream, nil); err != nil {
 			return err
 		}
-		_, _ = fmt.Fprint(outStream, "\r\n")
+		fmt.Fprint(outStream, "\r\n")

 		stdin = inStream
-		if options.Tty {
-			stdout = outStream
-		} else {
+		stdout = outStream
+		if !execStartCheck.Tty {
 			stderr = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
 			stdout = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
 		}
 	}

-	// Now run the user process in container.
-	//
-	// TODO: Maybe we should we pass ctx here if we're not detaching?
-	err := c.backend.ContainerExecStart(context.Background(), execName, backend.ExecStartConfig{
+	options := container.ExecStartOptions{
 		Stdin:       stdin,
 		Stdout:      stdout,
 		Stderr:      stderr,
-		ConsoleSize: options.ConsoleSize,
-	})
-	if err != nil {
-		if options.Detach {
+		ConsoleSize: execStartCheck.ConsoleSize,
+	}
+
+	// Now run the user process in container.
+	// Maybe we should we pass ctx here if we're not detaching?
+	if err := s.backend.ContainerExecStart(context.Background(), execName, options); err != nil {
+		if execStartCheck.Detach {
 			return err
 		}
-		_, _ = fmt.Fprintf(stdout, "%v\r\n", err)
+		stdout.Write([]byte(err.Error() + "\r\n"))
 		log.G(ctx).Errorf("Error running exec %s in container: %v", execName, err)
 	}
 	return nil
 }

-func (c *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (s *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
-	height, err := httputils.Uint32Value(r, "h")
+	height, err := strconv.Atoi(r.Form.Get("h"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize height %q", r.Form.Get("h")))
+		return errdefs.InvalidParameter(err)
 	}
-	width, err := httputils.Uint32Value(r, "w")
+	width, err := strconv.Atoi(r.Form.Get("w"))
 	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize width %q", r.Form.Get("w")))
+		return errdefs.InvalidParameter(err)
 	}

-	return c.backend.ContainerExecResize(ctx, vars["name"], height, width)
+	return s.backend.ContainerExecResize(vars["name"], height, width)
 }
--- a/api/server/router/container/inspect.go
+++ b/api/server/router/container/inspect.go
@@ -1,6 +1,3 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
-
 package container // import "github.com/docker/docker/api/server/router/container"

 import (
@@ -8,34 +5,17 @@ import (
 	"net/http"

 	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/internal/sliceutil"
-	"github.com/docker/docker/pkg/stringid"
 )

 // getContainersByName inspects container's configuration and serializes it as json.
-func (c *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	ctr, err := c.backend.ContainerInspect(ctx, vars["name"], backend.ContainerInspectOptions{
-		Size: httputils.BoolValue(r, "size"),
-	})
+func (s *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	displaySize := httputils.BoolValue(r, "size")
+
+	version := httputils.VersionFromContext(ctx)
+	json, err := s.backend.ContainerInspect(ctx, vars["name"], displaySize, version)
 	if err != nil {
 		return err
 	}

-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.45") {
-		shortCID := stringid.TruncateID(ctr.ID)
-		for nwName, ep := range ctr.NetworkSettings.Networks {
-			if container.NetworkMode(nwName).IsUserDefined() {
-				ep.Aliases = sliceutil.Dedup(append(ep.Aliases, shortCID, ctr.Config.Hostname))
-			}
-		}
-	}
-	if versions.LessThan(version, "1.48") {
-		ctr.ImageManifestDescriptor = nil
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, ctr)
+	return httputils.WriteJSON(w, http.StatusOK, json)
 }
--- a/api/server/router/container/notify_linux.go
+++ b/api/server/router/container/notify_linux.go
@@ -1,54 +0,0 @@
-package container
-
-import (
-	"context"
-	"net"
-	"syscall"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/internal/unix_noeintr"
-	"golang.org/x/sys/unix"
-)
-
-func notifyClosed(ctx context.Context, conn net.Conn, notify func()) {
-	sc, ok := conn.(syscall.Conn)
-	if !ok {
-		log.G(ctx).Debug("notifyClosed: conn does not support close notifications")
-		return
-	}
-
-	rc, err := sc.SyscallConn()
-	if err != nil {
-		log.G(ctx).WithError(err).Warn("notifyClosed: failed get raw conn for close notifications")
-		return
-	}
-
-	epFd, err := unix_noeintr.EpollCreate()
-	if err != nil {
-		log.G(ctx).WithError(err).Warn("notifyClosed: failed to create epoll fd")
-		return
-	}
-	defer unix.Close(epFd)
-
-	err = rc.Control(func(fd uintptr) {
-		err := unix_noeintr.EpollCtl(epFd, unix.EPOLL_CTL_ADD, int(fd), &unix.EpollEvent{
-			Events: unix.EPOLLHUP,
-			Fd:     int32(fd),
-		})
-		if err != nil {
-			log.G(ctx).WithError(err).Warn("notifyClosed: failed to register fd for close notifications")
-			return
-		}
-
-		events := make([]unix.EpollEvent, 1)
-		if _, err := unix_noeintr.EpollWait(epFd, events, -1); err != nil {
-			log.G(ctx).WithError(err).Warn("notifyClosed: failed to wait for close notifications")
-			return
-		}
-		notify()
-	})
-	if err != nil {
-		log.G(ctx).WithError(err).Warn("notifyClosed: failed to register for close notifications")
-		return
-	}
-}
--- a/api/server/router/container/notify_unsupported.go
+++ b/api/server/router/container/notify_unsupported.go
@@ -1,10 +0,0 @@
-//go:build !linux
-
-package container
-
-import (
-	"context"
-	"net"
-)
-
-func notifyClosed(ctx context.Context, conn net.Conn, notify func()) {}
--- a/api/server/router/debug/debug.go
+++ b/api/server/router/debug/debug.go
@@ -24,13 +24,13 @@ type debugRouter struct {

 func (r *debugRouter) initRoutes() {
 	r.routes = []router.Route{
-		router.NewGetRoute("/debug/vars", frameworkAdaptHandler(expvar.Handler())),
-		router.NewGetRoute("/debug/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
-		router.NewGetRoute("/debug/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
-		router.NewGetRoute("/debug/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
-		router.NewGetRoute("/debug/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
-		router.NewGetRoute("/debug/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
-		router.NewGetRoute("/debug/pprof/{name}", handlePprof),
+		router.NewGetRoute("/vars", frameworkAdaptHandler(expvar.Handler())),
+		router.NewGetRoute("/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
+		router.NewGetRoute("/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
+		router.NewGetRoute("/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
+		router.NewGetRoute("/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
+		router.NewGetRoute("/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
+		router.NewGetRoute("/pprof/{name}", handlePprof),
 	}
 }

--- a/api/server/router/grpc/grpc.go
+++ b/api/server/router/grpc/grpc.go
@@ -1,21 +1,12 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
-
 package grpc // import "github.com/docker/docker/api/server/router/grpc"

 import (
 	"context"
-	"fmt"
-	"os"
 	"strings"

-	"github.com/containerd/containerd/v2/defaults"
-	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/internal/otelutil"
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/moby/buildkit/util/grpcerrors"
-	"github.com/moby/buildkit/util/stack"
-	"github.com/moby/buildkit/util/tracing"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
@@ -29,18 +20,12 @@ type grpcRouter struct {

 // NewRouter initializes a new grpc http router
 func NewRouter(backends ...Backend) router.Router {
-	tp, _ := otelutil.NewTracerProvider(context.Background(), false)
-	opts := []grpc.ServerOption{
-		grpc.StatsHandler(tracing.ServerStatsHandler(otelgrpc.WithTracerProvider(tp))),
-		grpc.ChainUnaryInterceptor(unaryInterceptor, grpcerrors.UnaryServerInterceptor),
-		grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
-		grpc.MaxRecvMsgSize(defaults.DefaultMaxRecvMsgSize),
-		grpc.MaxSendMsgSize(defaults.DefaultMaxSendMsgSize),
-	}
+	unary := grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(unaryInterceptor(), grpcerrors.UnaryServerInterceptor))
+	stream := grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(otelgrpc.StreamServerInterceptor(), grpcerrors.StreamServerInterceptor)) //nolint:staticcheck // TODO(thaJeztah): ignore SA1019 for deprecated options: see https://github.com/moby/moby/issues/47437

 	r := &grpcRouter{
 		h2Server:   &http2.Server{},
-		grpcServer: grpc.NewServer(opts...),
+		grpcServer: grpc.NewServer(unary, stream),
 	}
 	for _, b := range backends {
 		b.RegisterGRPC(r.grpcServer)
@@ -60,20 +45,16 @@ func (gr *grpcRouter) initRoutes() {
 	}
 }

-func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
-	// This method is used by the clients to send their traces to buildkit so they can be included
-	// in the daemon trace and stored in the build history record. This method can not be traced because
-	// it would cause an infinite loop.
-	if strings.HasSuffix(info.FullMethod, "opentelemetry.proto.collector.trace.v1.TraceService/Export") {
-		return handler(ctx, req)
-	}
+func unaryInterceptor() grpc.UnaryServerInterceptor {
+	withTrace := otelgrpc.UnaryServerInterceptor() //nolint:staticcheck // TODO(thaJeztah): ignore SA1019 for deprecated options: see https://github.com/moby/moby/issues/47437

-	resp, err = handler(ctx, req)
-	if err != nil {
-		log.G(ctx).WithError(err).Error(info.FullMethod)
-		if log.GetLevel() >= log.DebugLevel {
-			fmt.Fprintf(os.Stderr, "%+v", stack.Formatter(grpcerrors.FromGRPC(err)))
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
+		// This method is used by the clients to send their traces to buildkit so they can be included
+		// in the daemon trace and stored in the build history record. This method can not be traced because
+		// it would cause an infinite loop.
+		if strings.HasSuffix(info.FullMethod, "opentelemetry.proto.collector.trace.v1.TraceService/Export") {
+			return handler(ctx, req)
 		}
+		return withTrace(ctx, req, info, handler)
 	}
-	return resp, err
 }
--- a/api/server/router/image/backend.go
+++ b/api/server/router/image/backend.go
@@ -5,6 +5,7 @@ import (
 	"io"

 	"github.com/distribution/reference"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
@@ -23,23 +24,22 @@ type Backend interface {

 type imageBackend interface {
 	ImageDelete(ctx context.Context, imageRef string, force, prune bool) ([]image.DeleteResponse, error)
-	ImageHistory(ctx context.Context, imageName string, platform *ocispec.Platform) ([]*image.HistoryResponseItem, error)
+	ImageHistory(ctx context.Context, imageName string) ([]*image.HistoryResponseItem, error)
 	Images(ctx context.Context, opts image.ListOptions) ([]*image.Summary, error)
 	GetImage(ctx context.Context, refOrID string, options backend.GetImageOpts) (*dockerimage.Image, error)
-	ImageInspect(ctx context.Context, refOrID string, options backend.ImageInspectOpts) (*image.InspectResponse, error)
 	TagImage(ctx context.Context, id dockerimage.ID, newRef reference.Named) error
-	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*image.PruneReport, error)
+	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*types.ImagesPruneReport, error)
 }

 type importExportBackend interface {
-	LoadImage(ctx context.Context, inTar io.ReadCloser, platform *ocispec.Platform, outStream io.Writer, quiet bool) error
+	LoadImage(ctx context.Context, inTar io.ReadCloser, outStream io.Writer, quiet bool) error
 	ImportImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, msg string, layerReader io.Reader, changes []string) (dockerimage.ID, error)
-	ExportImage(ctx context.Context, names []string, platform *ocispec.Platform, outStream io.Writer) error
+	ExportImage(ctx context.Context, names []string, outStream io.Writer) error
 }

 type registryBackend interface {
 	PullImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error
-	PushImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error
+	PushImage(ctx context.Context, ref reference.Named, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error
 }

 type Searcher interface {
--- a/api/server/router/image/image.go
+++ b/api/server/router/image/image.go
@@ -2,6 +2,8 @@ package image // import "github.com/docker/docker/api/server/router/image"

 import (
 	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
 	"github.com/docker/docker/reference"
 )

@@ -10,15 +12,19 @@ type imageRouter struct {
 	backend          Backend
 	searcher         Searcher
 	referenceBackend reference.Store
+	imageStore       image.Store
+	layerStore       layer.Store
 	routes           []router.Route
 }

 // NewRouter initializes a new image router
-func NewRouter(backend Backend, searcher Searcher, referenceBackend reference.Store) router.Router {
+func NewRouter(backend Backend, searcher Searcher, referenceBackend reference.Store, imageStore image.Store, layerStore layer.Store) router.Router {
 	ir := &imageRouter{
 		backend:          backend,
 		searcher:         searcher,
 		referenceBackend: referenceBackend,
+		imageStore:       imageStore,
+		layerStore:       layerStore,
 	}
 	ir.initRoutes()
 	return ir
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -10,10 +10,11 @@ import (
 	"strings"
 	"time"

-	"github.com/containerd/platforms"
+	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	imagetypes "github.com/docker/docker/api/types/image"
@@ -55,7 +56,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 		if p := r.FormValue("platform"); p != "" {
 			sp, err := platforms.Parse(p)
 			if err != nil {
-				return errdefs.InvalidParameter(err)
+				return err
 			}
 			platform = &sp
 		}
@@ -141,7 +142,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 		id, progressErr = ir.backend.ImportImage(ctx, tagRef, platform, comment, layerReader, r.Form["changes"])

 		if progressErr == nil {
-			_, _ = output.Write(streamformatter.FormatStatus("", "%v", id.String()))
+			output.Write(streamformatter.FormatStatus("", id.String()))
 		}
 	}
 	if progressErr != nil {
@@ -204,24 +205,7 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter
 		ref = r
 	}

-	var platform *ocispec.Platform
-	// Platform is optional, and only supported in API version 1.46 and later.
-	// However the PushOptions struct previously was an alias for the PullOptions struct
-	// which also contained a Platform field.
-	// This means that older clients may be sending a platform field, even
-	// though it wasn't really supported by the server.
-	// Don't break these clients and just ignore the platform field on older APIs.
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.46") {
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-
-	if err := ir.backend.PushImage(ctx, ref, platform, metaHeaders, authConfig, output); err != nil {
+	if err := ir.backend.PushImage(ctx, ref, metaHeaders, authConfig, output); err != nil {
 		if !output.Flushed() {
 			return err
 		}
@@ -246,22 +230,7 @@ func (ir *imageRouter) getImagesGet(ctx context.Context, w http.ResponseWriter,
 		names = r.Form["names"]
 	}

-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-
-	if err := ir.backend.ExportImage(ctx, names, platform, output); err != nil {
+	if err := ir.backend.ExportImage(ctx, names, output); err != nil {
 		if !output.Flushed() {
 			return err
 		}
@@ -274,28 +243,13 @@ func (ir *imageRouter) postImagesLoad(ctx context.Context, w http.ResponseWriter
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
 	quiet := httputils.BoolValueOrDefault(r, "quiet", true)

 	w.Header().Set("Content-Type", "application/json")

 	output := ioutils.NewWriteFlusher(w)
 	defer output.Close()
-	if err := ir.backend.LoadImage(ctx, r.Body, platform, output, quiet); err != nil {
+	if err := ir.backend.LoadImage(ctx, r.Body, output, quiet); err != nil {
 		_, _ = output.Write(streamformatter.FormatError(err))
 	}
 	return nil
@@ -332,29 +286,14 @@ func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter,
 }

 func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var manifests bool
-	if r.Form.Get("manifests") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
-	imageInspect, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
-		Manifests: manifests,
-	})
+	img, err := ir.backend.GetImage(ctx, vars["name"], backend.GetImageOpts{Details: true})
 	if err != nil {
 		return err
 	}

-	// Make sure we output empty arrays instead of nil. While Go nil slice is functionally equivalent to an empty slice,
-	// it matters for the JSON representation.
-	if imageInspect.RepoTags == nil {
-		imageInspect.RepoTags = []string{}
-	}
-	if imageInspect.RepoDigests == nil {
-		imageInspect.RepoDigests = []string{}
+	imageInspect, err := ir.toImageInspect(img)
+	if err != nil {
+		return err
 	}

 	version := httputils.VersionFromContext(ctx)
@@ -371,12 +310,77 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		imageInspect.Container = ""        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 		imageInspect.ContainerConfig = nil //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
 	}
-	if versions.LessThan(version, "1.48") {
-		imageInspect.Descriptor = nil
-	}
 	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
 }

+func (ir *imageRouter) toImageInspect(img *image.Image) (*types.ImageInspect, error) {
+	var repoTags, repoDigests []string
+	for _, ref := range img.Details.References {
+		switch ref.(type) {
+		case reference.NamedTagged:
+			repoTags = append(repoTags, reference.FamiliarString(ref))
+		case reference.Canonical:
+			repoDigests = append(repoDigests, reference.FamiliarString(ref))
+		}
+	}
+
+	comment := img.Comment
+	if len(comment) == 0 && len(img.History) > 0 {
+		comment = img.History[len(img.History)-1].Comment
+	}
+
+	// Make sure we output empty arrays instead of nil.
+	if repoTags == nil {
+		repoTags = []string{}
+	}
+	if repoDigests == nil {
+		repoDigests = []string{}
+	}
+
+	var created string
+	if img.Created != nil {
+		created = img.Created.Format(time.RFC3339Nano)
+	}
+
+	return &types.ImageInspect{
+		ID:              img.ID().String(),
+		RepoTags:        repoTags,
+		RepoDigests:     repoDigests,
+		Parent:          img.Parent.String(),
+		Comment:         comment,
+		Created:         created,
+		Container:       img.Container,        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		ContainerConfig: &img.ContainerConfig, //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
+		DockerVersion:   img.DockerVersion,
+		Author:          img.Author,
+		Config:          img.Config,
+		Architecture:    img.Architecture,
+		Variant:         img.Variant,
+		Os:              img.OperatingSystem(),
+		OsVersion:       img.OSVersion,
+		Size:            img.Details.Size,
+		GraphDriver: types.GraphDriverData{
+			Name: img.Details.Driver,
+			Data: img.Details.Metadata,
+		},
+		RootFS: rootFSToAPIType(img.RootFS),
+		Metadata: imagetypes.Metadata{
+			LastTagTime: img.Details.LastUpdated,
+		},
+	}, nil
+}
+
+func rootFSToAPIType(rootfs *image.RootFS) types.RootFS {
+	var layers []string
+	for _, l := range rootfs.DiffIDs {
+		layers = append(layers, l.String())
+	}
+	return types.RootFS{
+		Type:   rootfs.Type,
+		Layers: layers,
+	}
+}
+
 func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
@@ -402,16 +406,10 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		sharedSize = httputils.BoolValue(r, "shared-size")
 	}

-	var manifests bool
-	if versions.GreaterThanOrEqualTo(version, "1.47") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
 	images, err := ir.backend.Images(ctx, imagetypes.ListOptions{
 		All:        httputils.BoolValue(r, "all"),
 		Filters:    imageFilters,
 		SharedSize: sharedSize,
-		Manifests:  manifests,
 	})
 	if err != nil {
 		return err
@@ -419,7 +417,6 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,

 	useNone := versions.LessThan(version, "1.43")
 	withVirtualSize := versions.LessThan(version, "1.44")
-	noDescriptor := versions.LessThan(version, "1.48")
 	for _, img := range images {
 		if useNone {
 			if len(img.RepoTags) == 0 && len(img.RepoDigests) == 0 {
@@ -437,30 +434,13 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		if withVirtualSize {
 			img.VirtualSize = img.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
 		}
-		if noDescriptor {
-			img.Descriptor = nil
-		}
 	}

 	return httputils.WriteJSON(w, http.StatusOK, images)
 }

 func (ir *imageRouter) getImagesHistory(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-	history, err := ir.backend.ImageHistory(ctx, vars["name"], platform)
+	history, err := ir.backend.ImageHistory(ctx, vars["name"])
 	if err != nil {
 		return err
 	}
--- a/api/server/router/network/backend.go
+++ b/api/server/router/network/backend.go
@@ -3,6 +3,7 @@ package network // import "github.com/docker/docker/api/server/router/network"
 import (
 	"context"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/network"
@@ -11,20 +12,20 @@ import (
 // Backend is all the methods that need to be implemented
 // to provide network specific functionality.
 type Backend interface {
-	GetNetworks(filters.Args, backend.NetworkListConfig) ([]network.Inspect, error)
-	CreateNetwork(nc network.CreateRequest) (*network.CreateResponse, error)
-	ConnectContainerToNetwork(ctx context.Context, containerName, networkName string, endpointConfig *network.EndpointSettings) error
+	GetNetworks(filters.Args, backend.NetworkListConfig) ([]types.NetworkResource, error)
+	CreateNetwork(nc types.NetworkCreateRequest) (*types.NetworkCreateResponse, error)
+	ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error
 	DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error
 	DeleteNetwork(networkID string) error
-	NetworksPrune(ctx context.Context, pruneFilters filters.Args) (*network.PruneReport, error)
+	NetworksPrune(ctx context.Context, pruneFilters filters.Args) (*types.NetworksPruneReport, error)
 }

 // ClusterBackend is all the methods that need to be implemented
 // to provide cluster network specific functionality.
 type ClusterBackend interface {
-	GetNetworks(filters.Args) ([]network.Inspect, error)
-	GetNetwork(name string) (network.Inspect, error)
-	GetNetworksByName(name string) ([]network.Inspect, error)
-	CreateNetwork(nc network.CreateRequest) (string, error)
+	GetNetworks(filters.Args) ([]types.NetworkResource, error)
+	GetNetwork(name string) (types.NetworkResource, error)
+	GetNetworksByName(name string) ([]types.NetworkResource, error)
+	CreateNetwork(nc types.NetworkCreateRequest) (string, error)
 	RemoveNetwork(name string) error
 }
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/network"
@@ -31,7 +32,7 @@ func (n *networkRouter) getNetworksList(ctx context.Context, w http.ResponseWrit
 		return err
 	}

-	var list []network.Summary
+	var list []types.NetworkResource
 	nr, err := n.cluster.GetNetworks(filter)
 	if err == nil {
 		list = nr
@@ -59,7 +60,7 @@ func (n *networkRouter) getNetworksList(ctx context.Context, w http.ResponseWrit
 	}

 	if list == nil {
-		list = []network.Summary{}
+		list = []types.NetworkResource{}
 	}

 	return httputils.WriteJSON(w, http.StatusOK, list)
@@ -75,13 +76,13 @@ func (e invalidRequestError) Error() string {

 func (e invalidRequestError) InvalidParameter() {}

-type ambiguousResultsError string
+type ambigousResultsError string

-func (e ambiguousResultsError) Error() string {
+func (e ambigousResultsError) Error() string {
 	return "network " + string(e) + " is ambiguous"
 }

-func (ambiguousResultsError) InvalidParameter() {}
+func (ambigousResultsError) InvalidParameter() {}

 func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
@@ -108,8 +109,8 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r

 	// For full name and partial ID, save the result first, and process later
 	// in case multiple records was found based on the same term
-	listByFullName := map[string]network.Inspect{}
-	listByPartialID := map[string]network.Inspect{}
+	listByFullName := map[string]types.NetworkResource{}
+	listByPartialID := map[string]types.NetworkResource{}

 	// TODO(@cpuguy83): All this logic for figuring out which network to return does not belong here
 	// Instead there should be a backend function to just get one network.
@@ -182,7 +183,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByFullName) > 1 {
-		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on name", len(listByFullName))
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on name", len(listByFullName))
 	}

 	// Find based on partial ID, returns true only if no duplicates
@@ -192,7 +193,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(listByPartialID) > 1 {
-		return errors.Wrapf(ambiguousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
 	}

 	return libnetwork.ErrNoSuchNetwork(term)
@@ -203,7 +204,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		return err
 	}

-	var create network.CreateRequest
+	var create types.NetworkCreateRequest
 	if err := httputils.ReadJSON(r, &create); err != nil {
 		return err
 	}
@@ -212,13 +213,6 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		return libnetwork.NetworkNameError(create.Name)
 	}

-	version := httputils.VersionFromContext(ctx)
-
-	// EnableIPv4 was introduced in API 1.48.
-	if versions.LessThan(version, "1.48") {
-		create.EnableIPv4 = nil
-	}
-
 	// For a Swarm-scoped network, this call to backend.CreateNetwork is used to
 	// validate the configuration. The network will not be created but, if the
 	// configuration is valid, ManagerRedirectError will be returned and handled
@@ -232,7 +226,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		if err != nil {
 			return err
 		}
-		nw = &network.CreateResponse{
+		nw = &types.NetworkCreateResponse{
 			ID: id,
 		}
 	}
@@ -245,7 +239,7 @@ func (n *networkRouter) postNetworkConnect(ctx context.Context, w http.ResponseW
 		return err
 	}

-	var connect network.ConnectOptions
+	var connect types.NetworkConnect
 	if err := httputils.ReadJSON(r, &connect); err != nil {
 		return err
 	}
@@ -254,7 +248,7 @@ func (n *networkRouter) postNetworkConnect(ctx context.Context, w http.ResponseW
 	// The reason is that, In case of attachable network in swarm scope, the actual local network
 	// may not be available at the time. At the same time, inside daemon `ConnectContainerToNetwork`
 	// does the ambiguity check anyway. Therefore, passing the name to daemon would be enough.
-	return n.backend.ConnectContainerToNetwork(ctx, connect.Container, vars["id"], connect.EndpointConfig)
+	return n.backend.ConnectContainerToNetwork(connect.Container, vars["id"], connect.EndpointConfig)
 }

 func (n *networkRouter) postNetworkDisconnect(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
@@ -262,7 +256,7 @@ func (n *networkRouter) postNetworkDisconnect(ctx context.Context, w http.Respon
 		return err
 	}

-	var disconnect network.DisconnectOptions
+	var disconnect types.NetworkDisconnect
 	if err := httputils.ReadJSON(r, &disconnect); err != nil {
 		return err
 	}
@@ -317,9 +311,9 @@ func (n *networkRouter) postNetworksPrune(ctx context.Context, w http.ResponseWr
 // For full name and partial ID, save the result first, and process later
 // in case multiple records was found based on the same term
 // TODO (yongtang): should we wrap with version here for backward compatibility?
-func (n *networkRouter) findUniqueNetwork(term string) (network.Inspect, error) {
-	listByFullName := map[string]network.Inspect{}
-	listByPartialID := map[string]network.Inspect{}
+func (n *networkRouter) findUniqueNetwork(term string) (types.NetworkResource, error) {
+	listByFullName := map[string]types.NetworkResource{}
+	listByPartialID := map[string]types.NetworkResource{}

 	filter := filters.NewArgs(filters.Arg("idOrName", term))
 	networks, _ := n.backend.GetNetworks(filter, backend.NetworkListConfig{Detailed: true})
@@ -369,7 +363,7 @@ func (n *networkRouter) findUniqueNetwork(term string) (network.Inspect, error)
 		}
 	}
 	if len(listByFullName) > 1 {
-		return network.Inspect{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on name)", term, len(listByFullName)))
+		return types.NetworkResource{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on name)", term, len(listByFullName)))
 	}

 	// Find based on partial ID, returns true only if no duplicates
@@ -379,8 +373,8 @@ func (n *networkRouter) findUniqueNetwork(term string) (network.Inspect, error)
 		}
 	}
 	if len(listByPartialID) > 1 {
-		return network.Inspect{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on ID prefix)", term, len(listByPartialID)))
+		return types.NetworkResource{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on ID prefix)", term, len(listByPartialID)))
 	}

-	return network.Inspect{}, errdefs.NotFound(libnetwork.ErrNoSuchNetwork(term))
+	return types.NetworkResource{}, errdefs.NotFound(libnetwork.ErrNoSuchNetwork(term))
 }
--- a/api/server/router/swarm/cluster_routes.go
+++ b/api/server/router/swarm/cluster_routes.go
@@ -209,6 +209,10 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	// Get returns "" if the header does not exist
 	encodedAuth := r.Header.Get(registry.AuthHeader)
@@ -220,6 +224,14 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,
 		adjustForAPIVersion(v, &service)
 	}

+	version := httputils.VersionFromContext(ctx)
+	if versions.LessThan(version, "1.44") {
+		if service.TaskTemplate.ContainerSpec != nil && service.TaskTemplate.ContainerSpec.Healthcheck != nil {
+			// StartInterval was added in API 1.44
+			service.TaskTemplate.ContainerSpec.Healthcheck.StartInterval = 0
+		}
+	}
+
 	resp, err := sr.backend.CreateService(service, encodedAuth, queryRegistry)
 	if err != nil {
 		log.G(ctx).WithFields(log.Fields{
@@ -237,6 +249,10 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,
 	if err := httputils.ReadJSON(r, &service); err != nil {
 		return err
 	}
+	// TODO(thaJeztah): remove logentries check and migration code in release v26.0.0.
+	if service.TaskTemplate.LogDriver != nil && service.TaskTemplate.LogDriver.Name == "logentries" {
+		return errdefs.InvalidParameter(errors.New("the logentries logging driver has been deprecated and removed"))
+	}

 	rawVersion := r.URL.Query().Get("version")
 	version, err := strconv.ParseUint(rawVersion, 10, 64)
--- a/api/server/router/swarm/helpers.go
+++ b/api/server/router/swarm/helpers.go
@@ -78,16 +78,6 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {
 	if cliVersion == "" {
 		return
 	}
-	if versions.LessThan(cliVersion, "1.46") {
-		if service.TaskTemplate.ContainerSpec != nil {
-			for i, mount := range service.TaskTemplate.ContainerSpec.Mounts {
-				if mount.TmpfsOptions != nil {
-					mount.TmpfsOptions.Options = nil
-					service.TaskTemplate.ContainerSpec.Mounts[i] = mount
-				}
-			}
-		}
-	}
 	if versions.LessThan(cliVersion, "1.40") {
 		if service.TaskTemplate.ContainerSpec != nil {
 			// Sysctls for docker swarm services weren't supported before
@@ -131,24 +121,11 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {
 	}

 	if versions.LessThan(cliVersion, "1.44") {
-		if service.TaskTemplate.ContainerSpec != nil {
-			// seccomp, apparmor, and no_new_privs were added in 1.44.
-			if service.TaskTemplate.ContainerSpec.Privileges != nil {
-				service.TaskTemplate.ContainerSpec.Privileges.Seccomp = nil
-				service.TaskTemplate.ContainerSpec.Privileges.AppArmor = nil
-				service.TaskTemplate.ContainerSpec.Privileges.NoNewPrivileges = false
-			}
-			if service.TaskTemplate.ContainerSpec.Healthcheck != nil {
-				// StartInterval was added in API 1.44
-				service.TaskTemplate.ContainerSpec.Healthcheck.StartInterval = 0
-			}
-		}
-	}
-
-	if versions.LessThan(cliVersion, "1.46") {
-		if service.TaskTemplate.ContainerSpec != nil && service.TaskTemplate.ContainerSpec.OomScoreAdj != 0 {
-			// OomScoreAdj was added in API 1.46
-			service.TaskTemplate.ContainerSpec.OomScoreAdj = 0
+		// seccomp, apparmor, and no_new_privs were added in 1.44.
+		if service.TaskTemplate.ContainerSpec != nil && service.TaskTemplate.ContainerSpec.Privileges != nil {
+			service.TaskTemplate.ContainerSpec.Privileges.Seccomp = nil
+			service.TaskTemplate.ContainerSpec.Privileges.AppArmor = nil
+			service.TaskTemplate.ContainerSpec.Privileges.NoNewPrivileges = false
 		}
 	}
 }
--- a/api/server/router/swarm/helpers_test.go
+++ b/api/server/router/swarm/helpers_test.go
@@ -4,9 +4,8 @@ import (
 	"reflect"
 	"testing"

-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/go-units"
 )

 func TestAdjustForAPIVersion(t *testing.T) {
@@ -39,25 +38,13 @@ func TestAdjustForAPIVersion(t *testing.T) {
 						ConfigName: "configRuntime",
 					},
 				},
-				Ulimits: []*container.Ulimit{
+				Ulimits: []*units.Ulimit{
 					{
 						Name: "nofile",
 						Soft: 100,
 						Hard: 200,
 					},
 				},
-				Mounts: []mount.Mount{
-					{
-						Type:   mount.TypeTmpfs,
-						Source: "/foo",
-						Target: "/bar",
-						TmpfsOptions: &mount.TmpfsOptions{
-							Options: [][]string{
-								{"exec"},
-							},
-						},
-					},
-				},
 			},
 			Placement: &swarm.Placement{
 				MaxReplicas: 222,
@@ -70,19 +57,6 @@ func TestAdjustForAPIVersion(t *testing.T) {
 		},
 	}

-	adjustForAPIVersion("1.46", spec)
-	if !reflect.DeepEqual(
-		spec.TaskTemplate.ContainerSpec.Mounts[0].TmpfsOptions.Options,
-		[][]string{{"exec"}},
-	) {
-		t.Error("TmpfsOptions.Options was stripped from spec")
-	}
-
-	adjustForAPIVersion("1.45", spec)
-	if len(spec.TaskTemplate.ContainerSpec.Mounts[0].TmpfsOptions.Options) != 0 {
-		t.Error("TmpfsOptions.Options not stripped from spec")
-	}
-
 	// first, does calling this with a later version correctly NOT strip
 	// fields? do the later version first, so we can reuse this spec in the
 	// next test.
--- a/api/server/router/system/system.go
+++ b/api/server/router/system/system.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.19

 package system // import "github.com/docker/docker/api/server/router/system"

--- a/api/server/router/system/system_routes.go
+++ b/api/server/router/system/system_routes.go
@@ -81,6 +81,7 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 				nameOnly = append(nameOnly, so.Name)
 			}
 			info.SecurityOptions = nameOnly
+			info.ExecutionDriver = "<not supported>" //nolint:staticcheck // ignore SA1019 (ExecutionDriver is deprecated)
 		}
 		if versions.LessThan(version, "1.39") {
 			if info.KernelVersion == "" {
@@ -96,22 +97,6 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 				info.Runtimes[k] = system.RuntimeWithStatus{Runtime: rt.Runtime}
 			}
 		}
-		if versions.LessThan(version, "1.46") {
-			// Containerd field introduced in API v1.46.
-			info.Containerd = nil
-		}
-		if versions.LessThan(version, "1.47") {
-			// Field is omitted in API 1.48 and up, but should still be included
-			// in older versions, even if no values are set.
-			info.RegistryConfig.AllowNondistributableArtifactsCIDRs = []*registry.NetIPNet{}
-			info.RegistryConfig.AllowNondistributableArtifactsHostnames = []string{}
-		}
-
-		// TODO(thaJeztah): Expected commits are deprecated, and should no longer be set in API 1.49.
-		info.ContainerdCommit.Expected = info.ContainerdCommit.ID //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-		info.RuncCommit.Expected = info.RuncCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-		info.InitCommit.Expected = info.InitCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-
 		if versions.GreaterThanOrEqualTo(version, "1.42") {
 			info.KernelMemory = false
 		}
@@ -278,7 +263,6 @@ func (s *systemRouter) getEvents(ctx context.Context, w http.ResponseWriter, r *
 	}

 	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusOK)
 	output := ioutils.NewWriteFlusher(w)
 	defer output.Close()
 	output.Flush()
@@ -288,18 +272,7 @@ func (s *systemRouter) getEvents(ctx context.Context, w http.ResponseWriter, r *
 	buffered, l := s.backend.SubscribeToEvents(since, until, ef)
 	defer s.backend.UnsubscribeFromEvents(l)

-	shouldSkip := func(ev events.Message) bool { return false }
-	if versions.LessThan(httputils.VersionFromContext(ctx), "1.46") {
-		// Image create events were added in API 1.46
-		shouldSkip = func(ev events.Message) bool {
-			return ev.Type == "image" && ev.Action == "create"
-		}
-	}
-
 	for _, ev := range buffered {
-		if shouldSkip(ev) {
-			continue
-		}
 		if err := enc.Encode(ev); err != nil {
 			return err
 		}
@@ -317,9 +290,6 @@ func (s *systemRouter) getEvents(ctx context.Context, w http.ResponseWriter, r *
 				log.G(ctx).Warnf("unexpected event message: %q", ev)
 				continue
 			}
-			if shouldSkip(jev) {
-				continue
-			}
 			if err := enc.Encode(jev); err != nil {
 				return err
 			}
--- a/api/server/router/volume/backend.go
+++ b/api/server/router/volume/backend.go
@@ -3,9 +3,11 @@ package volume // import "github.com/docker/docker/api/server/router/volume"
 import (
 	"context"

+	"github.com/docker/docker/volume/service/opts"
+	// TODO return types need to be refactored into pkg
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/volume"
-	"github.com/docker/docker/volume/service/opts"
 )

 // Backend is the methods that need to be implemented to provide
@@ -15,7 +17,7 @@ type Backend interface {
 	Get(ctx context.Context, name string, opts ...opts.GetOption) (*volume.Volume, error)
 	Create(ctx context.Context, name, driverName string, opts ...opts.CreateOption) (*volume.Volume, error)
 	Remove(ctx context.Context, name string, opts ...opts.RemoveOption) error
-	Prune(ctx context.Context, pruneFilters filters.Args) (*volume.PruneReport, error)
+	Prune(ctx context.Context, pruneFilters filters.Args) (*types.VolumesPruneReport, error)
 }

 // ClusterBackend is the backend used for Swarm Cluster Volumes. Regular
--- a/api/server/router/volume/volume_routes_test.go
+++ b/api/server/router/volume/volume_routes_test.go
@@ -11,6 +11,7 @@ import (
 	"gotest.tools/v3/assert"

 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/errdefs"
@@ -188,16 +189,17 @@ func TestCreateRegularVolume(t *testing.T) {
 		Driver: "foodriver",
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeCreate)
-	assert.NilError(t, err)
+	buf := bytes.Buffer{}
+	e := json.NewEncoder(&buf)
+	e.Encode(volumeCreate)

 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()
-	err = v.postVolumesCreate(ctx, resp, req, nil)
+	err := v.postVolumesCreate(ctx, resp, req, nil)
+
 	assert.NilError(t, err)

 	respVolume := volume.Volume{}
@@ -226,16 +228,16 @@ func TestCreateSwarmVolumeNoSwarm(t *testing.T) {
 		Driver:            "someCSI",
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeCreate)
-	assert.NilError(t, err)
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeCreate)

 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()
-	err = v.postVolumesCreate(ctx, resp, req, nil)
+	err := v.postVolumesCreate(ctx, resp, req, nil)
+
 	assert.Assert(t, err != nil)
 	assert.Assert(t, errdefs.IsUnavailable(err))
 }
@@ -255,16 +257,16 @@ func TestCreateSwarmVolumeNotManager(t *testing.T) {
 		Driver:            "someCSI",
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeCreate)
-	assert.NilError(t, err)
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeCreate)

 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()
-	err = v.postVolumesCreate(ctx, resp, req, nil)
+	err := v.postVolumesCreate(ctx, resp, req, nil)
+
 	assert.Assert(t, err != nil)
 	assert.Assert(t, errdefs.IsUnavailable(err))
 }
@@ -287,16 +289,16 @@ func TestCreateVolumeCluster(t *testing.T) {
 		Driver:            "someCSI",
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeCreate)
-	assert.NilError(t, err)
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeCreate)

 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()
-	err = v.postVolumesCreate(ctx, resp, req, nil)
+	err := v.postVolumesCreate(ctx, resp, req, nil)
+
 	assert.NilError(t, err)

 	respVolume := volume.Volume{}
@@ -334,17 +336,15 @@ func TestUpdateVolume(t *testing.T) {
 		Spec: &volume.ClusterVolumeSpec{},
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeUpdate)
-	assert.NilError(t, err)
-
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeUpdate)
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()

-	err = v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
+	err := v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.NilError(t, err)

 	assert.Equal(t, c.volumes["vol1"].ClusterVolume.Meta.Version.Index, uint64(1))
@@ -363,17 +363,15 @@ func TestUpdateVolumeNoSwarm(t *testing.T) {
 		Spec: &volume.ClusterVolumeSpec{},
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeUpdate)
-	assert.NilError(t, err)
-
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeUpdate)
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()

-	err = v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
+	err := v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
 	assert.Assert(t, errdefs.IsUnavailable(err))
 }
@@ -395,17 +393,15 @@ func TestUpdateVolumeNotFound(t *testing.T) {
 		Spec: &volume.ClusterVolumeSpec{},
 	}

-	var buf bytes.Buffer
-	err := json.NewEncoder(&buf).Encode(volumeUpdate)
-	assert.NilError(t, err)
-
+	buf := bytes.Buffer{}
+	json.NewEncoder(&buf).Encode(volumeUpdate)
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")

 	resp := httptest.NewRecorder()

-	err = v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
+	err := v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
 	assert.Assert(t, errdefs.IsNotFound(err))
 }
@@ -586,7 +582,7 @@ type fakeVolumeBackend struct {
 }

 func (b *fakeVolumeBackend) List(_ context.Context, _ filters.Args) ([]*volume.Volume, []string, error) {
-	var volumes []*volume.Volume
+	volumes := []*volume.Volume{}
 	for _, v := range b.volumes {
 		volumes = append(volumes, v)
 	}
@@ -640,7 +636,7 @@ func (b *fakeVolumeBackend) Remove(_ context.Context, name string, o ...opts.Rem
 	return nil
 }

-func (b *fakeVolumeBackend) Prune(_ context.Context, _ filters.Args) (*volume.PruneReport, error) {
+func (b *fakeVolumeBackend) Prune(_ context.Context, _ filters.Args) (*types.VolumesPruneReport, error) {
 	return nil, nil
 }

@@ -676,12 +672,13 @@ func (c *fakeClusterBackend) GetVolume(nameOrID string) (volume.Volume, error) {
 	return volume.Volume{}, errdefs.NotFound(fmt.Errorf("volume %s not found", nameOrID))
 }

-func (c *fakeClusterBackend) GetVolumes(_ volume.ListOptions) ([]*volume.Volume, error) {
+func (c *fakeClusterBackend) GetVolumes(options volume.ListOptions) ([]*volume.Volume, error) {
 	if err := c.checkSwarm(); err != nil {
 		return nil, err
 	}

-	var volumes []*volume.Volume
+	volumes := []*volume.Volume{}
+
 	for _, v := range c.volumes {
 		volumes = append(volumes, v)
 	}
--- a/api/server/server.go
+++ b/api/server/server.go
@@ -9,6 +9,7 @@ import (
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/server/middleware"
 	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/api/server/router/debug"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/dockerversion"
 	"github.com/gorilla/mux"
@@ -65,22 +66,26 @@ func (s *Server) makeHTTPHandler(handler httputils.APIFunc, operation string) ht
 }

 // CreateMux returns a new mux with all the routers registered.
-func (s *Server) CreateMux(ctx context.Context, routers ...router.Router) *mux.Router {
-	log.G(ctx).Debug("Registering routers")
+func (s *Server) CreateMux(routers ...router.Router) *mux.Router {
 	m := mux.NewRouter()
+
+	log.G(context.TODO()).Debug("Registering routers")
 	for _, apiRouter := range routers {
 		for _, r := range apiRouter.Routes() {
-			if ctx.Err() != nil {
-				return m
-			}
-			log.G(ctx).WithFields(log.Fields{"method": r.Method(), "path": r.Path()}).Debug("Registering route")
 			f := s.makeHTTPHandler(r.Handler(), r.Method()+" "+r.Path())
+
+			log.G(context.TODO()).Debugf("Registering %s, %s", r.Method(), r.Path())
 			m.Path(versionMatcher + r.Path()).Methods(r.Method()).Handler(f)
 			m.Path(r.Path()).Methods(r.Method()).Handler(f)
 		}
 	}

-	// Setup handlers for undefined paths and methods
+	debugRouter := debug.NewRouter()
+	for _, r := range debugRouter.Routes() {
+		f := s.makeHTTPHandler(r.Handler(), r.Method()+" "+r.Path())
+		m.Path("/debug" + r.Path()).Handler(f)
+	}
+
 	notFoundHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_ = httputils.WriteJSON(w, http.StatusNotFound, &types.ErrorResponse{
 			Message: "page not found",
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
--- a/api/types/auxprogress/push.go
+++ b/api/types/auxprogress/push.go
@@ -1,26 +0,0 @@
-package auxprogress
-
-import (
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// ManifestPushedInsteadOfIndex is a note that is sent when a manifest is pushed
-// instead of an index.  It is sent when the pushed image is an multi-platform
-// index, but the whole index couldn't be pushed.
-type ManifestPushedInsteadOfIndex struct {
-	ManifestPushedInsteadOfIndex bool `json:"manifestPushedInsteadOfIndex"` // Always true
-
-	// OriginalIndex is the descriptor of the original image index.
-	OriginalIndex ocispec.Descriptor `json:"originalIndex"`
-
-	// SelectedManifest is the descriptor of the manifest that was pushed instead.
-	SelectedManifest ocispec.Descriptor `json:"selectedManifest"`
-}
-
-// ContentMissing is a note that is sent when push fails because the content is missing.
-type ContentMissing struct {
-	ContentMissing bool `json:"contentMissing"` // Always true
-
-	// Desc is the descriptor of the root object that was attempted to be pushed.
-	Desc ocispec.Descriptor `json:"desc"`
-}
--- a/api/types/backend/backend.go
+++ b/api/types/backend/backend.go
@@ -30,7 +30,7 @@ type ContainerRmConfig struct {

 // ContainerAttachConfig holds the streams to use when connecting to a container to view logs.
 type ContainerAttachConfig struct {
-	GetStreams func(multiplexed bool, cancel func()) (io.ReadCloser, io.Writer, io.Writer, error)
+	GetStreams func(multiplexed bool) (io.ReadCloser, io.Writer, io.Writer, error)
 	UseStdin   bool
 	UseStdout  bool
 	UseStderr  bool
@@ -89,22 +89,7 @@ type LogSelector struct {
 type ContainerStatsConfig struct {
 	Stream    bool
 	OneShot   bool
-	OutStream func() io.Writer
-}
-
-// ContainerInspectOptions defines options for the backend.ContainerInspect
-// call.
-type ContainerInspectOptions struct {
-	// Size controls whether to propagate the container's size fields.
-	Size bool
-}
-
-// ExecStartConfig holds the options to start container's exec.
-type ExecStartConfig struct {
-	Stdin       io.Reader
-	Stdout      io.Writer
-	Stderr      io.Writer
-	ConsoleSize *[2]uint `json:",omitempty"`
+	OutStream io.Writer
 }

 // ExecInspect holds information about a running process started
@@ -148,11 +133,7 @@ type CreateImageConfig struct {
 // from the backend.
 type GetImageOpts struct {
 	Platform *ocispec.Platform
-}
-
-// ImageInspectOpts holds parameters to inspect an image.
-type ImageInspectOpts struct {
-	Manifests bool
+	Details  bool
 }

 // CommitConfig is the configuration for creating an image as part of a build.
--- a/api/types/client.go
+++ b/api/types/client.go
@@ -2,16 +2,44 @@ package types // import "github.com/docker/docker/api/types"

 import (
 	"bufio"
-	"context"
 	"io"
 	"net"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
+	units "github.com/docker/go-units"
 )

-// NewHijackedResponse initializes a [HijackedResponse] type.
+// ContainerExecInspect holds information returned by exec inspect.
+type ContainerExecInspect struct {
+	ExecID      string `json:"ID"`
+	ContainerID string
+	Running     bool
+	ExitCode    int
+	Pid         int
+}
+
+// CopyToContainerOptions holds information
+// about files to copy into a container
+type CopyToContainerOptions struct {
+	AllowOverwriteDirWithFile bool
+	CopyUIDGID                bool
+}
+
+// EventsOptions holds parameters to filter events with.
+type EventsOptions struct {
+	Since   string
+	Until   string
+	Filters filters.Args
+}
+
+// NetworkListOptions holds parameters to filter the list of networks with.
+type NetworkListOptions struct {
+	Filters filters.Args
+}
+
+// NewHijackedResponse intializes a HijackedResponse type
 func NewHijackedResponse(conn net.Conn, mediaType string) HijackedResponse {
 	return HijackedResponse{Conn: conn, Reader: bufio.NewReader(conn), mediaType: mediaType}
 }
@@ -73,7 +101,7 @@ type ImageBuildOptions struct {
 	NetworkMode    string
 	ShmSize        int64
 	Dockerfile     string
-	Ulimits        []*container.Ulimit
+	Ulimits        []*units.Ulimit
 	// BuildArgs needs to be a *string instead of just a string so that
 	// we can tell the difference between "" (empty string) and no value
 	// at all (nil). See the parsing of buildArgs in
@@ -94,7 +122,7 @@ type ImageBuildOptions struct {
 	Target      string
 	SessionID   string
 	Platform    string
-	// Version specifies the version of the underlying builder to use
+	// Version specifies the version of the unerlying builder to use
 	Version BuilderVersion
 	// BuildID is an optional identifier that can be passed together with the
 	// build request. The same identifier can be used to gracefully cancel the
@@ -129,6 +157,35 @@ type ImageBuildResponse struct {
 	OSType string
 }

+// ImageImportSource holds source information for ImageImport
+type ImageImportSource struct {
+	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
+	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
+}
+
+// ImageLoadResponse returns information to the client about a load process.
+type ImageLoadResponse struct {
+	// Body must be closed to avoid a resource leak
+	Body io.ReadCloser
+	JSON bool
+}
+
+// RequestPrivilegeFunc is a function interface that
+// clients can supply to retry operations after
+// getting an authorization error.
+// This function returns the registry authentication
+// header value in base 64 format, or an error
+// if the privilege request fails.
+type RequestPrivilegeFunc func() (string, error)
+
+// ImageSearchOptions holds parameters to search images with.
+type ImageSearchOptions struct {
+	RegistryAuth  string
+	PrivilegeFunc RequestPrivilegeFunc
+	Filters       filters.Args
+	Limit         int
+}
+
 // NodeListOptions holds parameters to list nodes with.
 type NodeListOptions struct {
 	Filters filters.Args
@@ -227,19 +284,12 @@ type PluginDisableOptions struct {

 // PluginInstallOptions holds parameters to install a plugin.
 type PluginInstallOptions struct {
-	Disabled             bool
-	AcceptAllPermissions bool
-	RegistryAuth         string // RegistryAuth is the base64 encoded credentials for the registry
-	RemoteRef            string // RemoteRef is the plugin name on the registry
-
-	// PrivilegeFunc is a function that clients can supply to retry operations
-	// after getting an authorization error. This function returns the registry
-	// authentication header value in base64 encoded format, or an error if the
-	// privilege request fails.
-	//
-	// For details, refer to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
-	PrivilegeFunc         func(context.Context) (string, error)
-	AcceptPermissionsFunc func(context.Context, PluginPrivileges) (bool, error)
+	Disabled              bool
+	AcceptAllPermissions  bool
+	RegistryAuth          string // RegistryAuth is the base64 encoded credentials for the registry
+	RemoteRef             string // RemoteRef is the plugin name on the registry
+	PrivilegeFunc         RequestPrivilegeFunc
+	AcceptPermissionsFunc func(PluginPrivileges) (bool, error)
 	Args                  []string
 }

--- a/api/types/configs.go
+++ b/api/types/configs.go
@@ -0,0 +1,18 @@
+package types // import "github.com/docker/docker/api/types"
+
+// ExecConfig is a small subset of the Config struct that holds the configuration
+// for the exec feature of docker.
+type ExecConfig struct {
+	User         string   // User that will run the command
+	Privileged   bool     // Is the container in privileged mode
+	Tty          bool     // Attach standard streams to a tty.
+	ConsoleSize  *[2]uint `json:",omitempty"` // Initial console size [height, width]
+	AttachStdin  bool     // Attach the standard input, makes possible user interaction
+	AttachStderr bool     // Attach the standard error
+	AttachStdout bool     // Attach the standard output
+	Detach       bool     // Execute in detach mode
+	DetachKeys   string   // Escape keys for detach
+	Env          []string // Environment variables
+	WorkingDir   string   // Working directory
+	Cmd          []string // Execution commands and args
+}
--- a/api/types/container/commit.go
+++ b/api/types/container/commit.go
@@ -1,7 +0,0 @@
-package container
-
-import "github.com/docker/docker/api/types/common"
-
-// CommitResponse response for the commit API call, containing the ID of the
-// image that was produced.
-type CommitResponse = common.IDResponse
--- a/api/types/container/config.go
+++ b/api/types/container/config.go
@@ -1,6 +1,7 @@
 package container // import "github.com/docker/docker/api/types/container"

 import (
+	"io"
 	"time"

 	"github.com/docker/docker/api/types/strslice"
@@ -35,6 +36,14 @@ type StopOptions struct {
 // HealthConfig holds configuration settings for the HEALTHCHECK feature.
 type HealthConfig = dockerspec.HealthcheckConfig

+// ExecStartOptions holds the options to start container's exec.
+type ExecStartOptions struct {
+	Stdin       io.Reader
+	Stdout      io.Writer
+	Stderr      io.Writer
+	ConsoleSize *[2]uint `json:",omitempty"`
+}
+
 // Config contains the configuration data about a container.
 // It should hold only portable information about the container.
 // Here, "portable" means "independent from the host we are running on".
--- a/api/types/container/container.go
+++ b/api/types/container/container.go
@@ -1,188 +0,0 @@
-package container
-
-import (
-	"io"
-	"os"
-	"time"
-
-	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/storage"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// ContainerUpdateOKBody OK response to ContainerUpdate operation
-//
-// Deprecated: use [UpdateResponse]. This alias will be removed in the next release.
-type ContainerUpdateOKBody = UpdateResponse
-
-// ContainerTopOKBody OK response to ContainerTop operation
-//
-// Deprecated: use [TopResponse]. This alias will be removed in the next release.
-type ContainerTopOKBody = TopResponse
-
-// PruneReport contains the response for Engine API:
-// POST "/containers/prune"
-type PruneReport struct {
-	ContainersDeleted []string
-	SpaceReclaimed    uint64
-}
-
-// PathStat is used to encode the header from
-// GET "/containers/{name:.*}/archive"
-// "Name" is the file or directory name.
-type PathStat struct {
-	Name       string      `json:"name"`
-	Size       int64       `json:"size"`
-	Mode       os.FileMode `json:"mode"`
-	Mtime      time.Time   `json:"mtime"`
-	LinkTarget string      `json:"linkTarget"`
-}
-
-// CopyToContainerOptions holds information
-// about files to copy into a container
-type CopyToContainerOptions struct {
-	AllowOverwriteDirWithFile bool
-	CopyUIDGID                bool
-}
-
-// StatsResponseReader wraps an io.ReadCloser to read (a stream of) stats
-// for a container, as produced by the GET "/stats" endpoint.
-//
-// The OSType field is set to the server's platform to allow
-// platform-specific handling of the response.
-//
-// TODO(thaJeztah): remove this wrapper, and make OSType part of [StatsResponse].
-type StatsResponseReader struct {
-	Body   io.ReadCloser `json:"body"`
-	OSType string        `json:"ostype"`
-}
-
-// MountPoint represents a mount point configuration inside the container.
-// This is used for reporting the mountpoints in use by a container.
-type MountPoint struct {
-	// Type is the type of mount, see `Type<foo>` definitions in
-	// github.com/docker/docker/api/types/mount.Type
-	Type mount.Type `json:",omitempty"`
-
-	// Name is the name reference to the underlying data defined by `Source`
-	// e.g., the volume name.
-	Name string `json:",omitempty"`
-
-	// Source is the source location of the mount.
-	//
-	// For volumes, this contains the storage location of the volume (within
-	// `/var/lib/docker/volumes/`). For bind-mounts, and `npipe`, this contains
-	// the source (host) part of the bind-mount. For `tmpfs` mount points, this
-	// field is empty.
-	Source string
-
-	// Destination is the path relative to the container root (`/`) where the
-	// Source is mounted inside the container.
-	Destination string
-
-	// Driver is the volume driver used to create the volume (if it is a volume).
-	Driver string `json:",omitempty"`
-
-	// Mode is a comma separated list of options supplied by the user when
-	// creating the bind/volume mount.
-	//
-	// The default is platform-specific (`"z"` on Linux, empty on Windows).
-	Mode string
-
-	// RW indicates whether the mount is mounted writable (read-write).
-	RW bool
-
-	// Propagation describes how mounts are propagated from the host into the
-	// mount point, and vice-versa. Refer to the Linux kernel documentation
-	// for details:
-	// https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
-	//
-	// This field is not used on Windows.
-	Propagation mount.Propagation
-}
-
-// State stores container's running state
-// it's part of ContainerJSONBase and returned by "inspect" command
-type State struct {
-	Status     string // String representation of the container state. Can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
-	Running    bool
-	Paused     bool
-	Restarting bool
-	OOMKilled  bool
-	Dead       bool
-	Pid        int
-	ExitCode   int
-	Error      string
-	StartedAt  string
-	FinishedAt string
-	Health     *Health `json:",omitempty"`
-}
-
-// Summary contains response of Engine API:
-// GET "/containers/json"
-type Summary struct {
-	ID                      string `json:"Id"`
-	Names                   []string
-	Image                   string
-	ImageID                 string
-	ImageManifestDescriptor *ocispec.Descriptor `json:"ImageManifestDescriptor,omitempty"`
-	Command                 string
-	Created                 int64
-	Ports                   []Port
-	SizeRw                  int64 `json:",omitempty"`
-	SizeRootFs              int64 `json:",omitempty"`
-	Labels                  map[string]string
-	State                   string
-	Status                  string
-	HostConfig              struct {
-		NetworkMode string            `json:",omitempty"`
-		Annotations map[string]string `json:",omitempty"`
-	}
-	NetworkSettings *NetworkSettingsSummary
-	Mounts          []MountPoint
-}
-
-// ContainerJSONBase contains response of Engine API GET "/containers/{name:.*}/json"
-// for API version 1.18 and older.
-//
-// TODO(thaJeztah): combine ContainerJSONBase and InspectResponse into a single struct.
-// The split between ContainerJSONBase (ContainerJSONBase) and InspectResponse (InspectResponse)
-// was done in commit 6deaa58ba5f051039643cedceee97c8695e2af74 (https://github.com/moby/moby/pull/13675).
-// ContainerJSONBase contained all fields for API < 1.19, and InspectResponse
-// held fields that were added in API 1.19 and up. Given that the minimum
-// supported API version is now 1.24, we no longer use the separate type.
-type ContainerJSONBase struct {
-	ID              string `json:"Id"`
-	Created         string
-	Path            string
-	Args            []string
-	State           *State
-	Image           string
-	ResolvConfPath  string
-	HostnamePath    string
-	HostsPath       string
-	LogPath         string
-	Name            string
-	RestartCount    int
-	Driver          string
-	Platform        string
-	MountLabel      string
-	ProcessLabel    string
-	AppArmorProfile string
-	ExecIDs         []string
-	HostConfig      *HostConfig
-	GraphDriver     storage.DriverData
-	SizeRw          *int64 `json:",omitempty"`
-	SizeRootFs      *int64 `json:",omitempty"`
-}
-
-// InspectResponse is the response for the GET "/containers/{name:.*}/json"
-// endpoint.
-type InspectResponse struct {
-	*ContainerJSONBase
-	Mounts          []MountPoint
-	Config          *Config
-	NetworkSettings *NetworkSettings
-	// ImageManifestDescriptor is the descriptor of a platform-specific manifest of the image used to create the container.
-	ImageManifestDescriptor *ocispec.Descriptor `json:"ImageManifestDescriptor,omitempty"`
-}
--- a/api/types/container/container_top.go
+++ b/api/types/container/container_top.go
@@ -0,0 +1,22 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+// ----------------------------------------------------------------------------
+// Code generated by `swagger generate operation`. DO NOT EDIT.
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerTopOKBody OK response to ContainerTop operation
+// swagger:model ContainerTopOKBody
+type ContainerTopOKBody struct {
+
+	// Each process running in the container, where each is process
+	// is an array of values corresponding to the titles.
+	//
+	// Required: true
+	Processes [][]string `json:"Processes"`
+
+	// The ps column titles
+	// Required: true
+	Titles []string `json:"Titles"`
+}
--- a/api/types/container/container_update.go
+++ b/api/types/container/container_update.go
@@ -0,0 +1,16 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+// ----------------------------------------------------------------------------
+// Code generated by `swagger generate operation`. DO NOT EDIT.
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerUpdateOKBody OK response to ContainerUpdate operation
+// swagger:model ContainerUpdateOKBody
+type ContainerUpdateOKBody struct {
+
+	// warnings
+	// Required: true
+	Warnings []string `json:"Warnings"`
+}
--- a/api/types/container/create_request.go
+++ b/api/types/container/create_request.go
@@ -1,13 +0,0 @@
-package container
-
-import "github.com/docker/docker/api/types/network"
-
-// CreateRequest is the request message sent to the server for container
-// create calls. It is a config wrapper that holds the container [Config]
-// (portable) and the corresponding [HostConfig] (non-portable) and
-// [network.NetworkingConfig].
-type CreateRequest struct {
-	*Config
-	HostConfig       *HostConfig               `json:"HostConfig,omitempty"`
-	NetworkingConfig *network.NetworkingConfig `json:"NetworkingConfig,omitempty"`
-}
--- a/api/types/container/exec.go
+++ b/api/types/container/exec.go
@@ -1,51 +0,0 @@
-package container
-
-import "github.com/docker/docker/api/types/common"
-
-// ExecCreateResponse is the response for a successful exec-create request.
-// It holds the ID of the exec that was created.
-//
-// TODO(thaJeztah): make this a distinct type.
-type ExecCreateResponse = common.IDResponse
-
-// ExecOptions is a small subset of the Config struct that holds the configuration
-// for the exec feature of docker.
-type ExecOptions struct {
-	User         string   // User that will run the command
-	Privileged   bool     // Is the container in privileged mode
-	Tty          bool     // Attach standard streams to a tty.
-	ConsoleSize  *[2]uint `json:",omitempty"` // Initial console size [height, width]
-	AttachStdin  bool     // Attach the standard input, makes possible user interaction
-	AttachStderr bool     // Attach the standard error
-	AttachStdout bool     // Attach the standard output
-	Detach       bool     // Execute in detach mode
-	DetachKeys   string   // Escape keys for detach
-	Env          []string // Environment variables
-	WorkingDir   string   // Working directory
-	Cmd          []string // Execution commands and args
-}
-
-// ExecStartOptions is a temp struct used by execStart
-// Config fields is part of ExecConfig in runconfig package
-type ExecStartOptions struct {
-	// ExecStart will first check if it's detached
-	Detach bool
-	// Check if there's a tty
-	Tty bool
-	// Terminal size [height, width], unused if Tty == false
-	ConsoleSize *[2]uint `json:",omitempty"`
-}
-
-// ExecAttachOptions is a temp struct used by execAttach.
-//
-// TODO(thaJeztah): make this a separate type; ContainerExecAttach does not use the Detach option, and cannot run detached.
-type ExecAttachOptions = ExecStartOptions
-
-// ExecInspect holds information returned by exec inspect.
-type ExecInspect struct {
-	ExecID      string `json:"ID"`
-	ContainerID string
-	Running     bool
-	ExitCode    int
-	Pid         int
-}
--- a/api/types/container/health.go
+++ b/api/types/container/health.go
@@ -1,26 +0,0 @@
-package container
-
-import "time"
-
-// Health states
-const (
-	NoHealthcheck = "none"      // Indicates there is no healthcheck
-	Starting      = "starting"  // Starting indicates that the container is not yet ready
-	Healthy       = "healthy"   // Healthy indicates that the container is running correctly
-	Unhealthy     = "unhealthy" // Unhealthy indicates that the container has a problem
-)
-
-// Health stores information about the container's healthcheck results
-type Health struct {
-	Status        string               // Status is one of [Starting], [Healthy] or [Unhealthy].
-	FailingStreak int                  // FailingStreak is the number of consecutive failures
-	Log           []*HealthcheckResult // Log contains the last few results (oldest first)
-}
-
-// HealthcheckResult stores information about a single run of a healthcheck probe
-type HealthcheckResult struct {
-	Start    time.Time // Start is the time this check started
-	End      time.Time // End is the time this check ended
-	ExitCode int       // ExitCode meanings: 0=healthy, 1=unhealthy, 2=reserved (considered unhealthy), else=error running probe
-	Output   string    // Output from last check
-}
--- a/api/types/container/hostconfig.go
+++ b/api/types/container/hostconfig.go
@@ -1,7 +1,6 @@
 package container // import "github.com/docker/docker/api/types/container"

 import (
-	"errors"
 	"fmt"
 	"strings"

@@ -10,7 +9,7 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
 	"github.com/docker/go-connections/nat"
-	"github.com/docker/go-units"
+	units "github.com/docker/go-units"
 )

 // CgroupnsMode represents the cgroup namespace mode of the container
@@ -326,12 +325,12 @@ func ValidateRestartPolicy(policy RestartPolicy) error {
 			if policy.MaximumRetryCount < 0 {
 				msg += " and cannot be negative"
 			}
-			return &errInvalidParameter{errors.New(msg)}
+			return &errInvalidParameter{fmt.Errorf(msg)}
 		}
 		return nil
 	case RestartPolicyOnFailure:
 		if policy.MaximumRetryCount < 0 {
-			return &errInvalidParameter{errors.New("invalid restart policy: maximum retry count cannot be negative")}
+			return &errInvalidParameter{fmt.Errorf("invalid restart policy: maximum retry count cannot be negative")}
 		}
 		return nil
 	case "":
@@ -361,12 +360,6 @@ type LogConfig struct {
 	Config map[string]string
 }

-// Ulimit is an alias for [units.Ulimit], which may be moving to a different
-// location or become a local type. This alias is to help transitioning.
-//
-// Users are recommended to use this alias instead of using [units.Ulimit] directly.
-type Ulimit = units.Ulimit
-
 // Resources contains container's resources (cgroups config, ulimits...)
 type Resources struct {
 	// Applicable to all platforms
@@ -394,14 +387,14 @@ type Resources struct {

 	// KernelMemory specifies the kernel memory limit (in bytes) for the container.
 	// Deprecated: kernel 5.4 deprecated kmem.limit_in_bytes.
-	KernelMemory      int64     `json:",omitempty"`
-	KernelMemoryTCP   int64     `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes)
-	MemoryReservation int64     // Memory soft limit (in bytes)
-	MemorySwap        int64     // Total memory usage (memory + swap); set `-1` to enable unlimited swap
-	MemorySwappiness  *int64    // Tuning container memory swappiness behaviour
-	OomKillDisable    *bool     // Whether to disable OOM Killer or not
-	PidsLimit         *int64    // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
-	Ulimits           []*Ulimit // List of ulimits to be set in the container
+	KernelMemory      int64           `json:",omitempty"`
+	KernelMemoryTCP   int64           `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes)
+	MemoryReservation int64           // Memory soft limit (in bytes)
+	MemorySwap        int64           // Total memory usage (memory + swap); set `-1` to enable unlimited swap
+	MemorySwappiness  *int64          // Tuning container memory swappiness behaviour
+	OomKillDisable    *bool           // Whether to disable OOM Killer or not
+	PidsLimit         *int64          // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
+	Ulimits           []*units.Ulimit // List of ulimits to be set in the container

 	// Applicable to Windows
 	CPUCount           int64  `json:"CpuCount"`   // CPU count
--- a/api/types/container/hostconfig_test.go
+++ b/api/types/container/hostconfig_test.go
@@ -3,6 +3,7 @@ package container
 import (
 	"testing"

+	"github.com/docker/docker/errdefs"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -90,24 +91,15 @@ func TestValidateRestartPolicy(t *testing.T) {
 	}

 	for _, tc := range tests {
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			err := ValidateRestartPolicy(tc.input)
 			if tc.expectedErr == "" {
 				assert.Check(t, err)
 			} else {
-				assert.Check(t, is.ErrorType(err, isInvalidParameter))
+				assert.Check(t, is.ErrorType(err, errdefs.IsInvalidParameter))
 				assert.Check(t, is.Error(err, tc.expectedErr))
 			}
 		})
 	}
 }
-
-// isInvalidParameter is a minimal implementation of [github.com/docker/docker/errdefs.IsInvalidParameter],
-// because this was the only import of that package in api/types, which is the
-// package imported by external users.
-func isInvalidParameter(err error) bool {
-	_, ok := err.(interface {
-		InvalidParameter()
-	})
-	return ok
-}
--- a/api/types/container/hostconfig_unix.go
+++ b/api/types/container/hostconfig_unix.go
@@ -9,6 +9,24 @@ func (i Isolation) IsValid() bool {
 	return i.IsDefault()
 }

+// NetworkName returns the name of the network stack.
+func (n NetworkMode) NetworkName() string {
+	if n.IsBridge() {
+		return network.NetworkBridge
+	} else if n.IsHost() {
+		return network.NetworkHost
+	} else if n.IsContainer() {
+		return "container"
+	} else if n.IsNone() {
+		return network.NetworkNone
+	} else if n.IsDefault() {
+		return network.NetworkDefault
+	} else if n.IsUserDefined() {
+		return n.UserDefined()
+	}
+	return ""
+}
+
 // IsBridge indicates whether container uses the bridge network stack
 func (n NetworkMode) IsBridge() bool {
 	return n == network.NetworkBridge
@@ -23,23 +41,3 @@ func (n NetworkMode) IsHost() bool {
 func (n NetworkMode) IsUserDefined() bool {
 	return !n.IsDefault() && !n.IsBridge() && !n.IsHost() && !n.IsNone() && !n.IsContainer()
 }
-
-// NetworkName returns the name of the network stack.
-func (n NetworkMode) NetworkName() string {
-	switch {
-	case n.IsDefault():
-		return network.NetworkDefault
-	case n.IsBridge():
-		return network.NetworkBridge
-	case n.IsHost():
-		return network.NetworkHost
-	case n.IsNone():
-		return network.NetworkNone
-	case n.IsContainer():
-		return "container"
-	case n.IsUserDefined():
-		return n.UserDefined()
-	default:
-		return ""
-	}
-}
--- a/api/types/container/hostconfig_windows.go
+++ b/api/types/container/hostconfig_windows.go
@@ -2,11 +2,6 @@ package container // import "github.com/docker/docker/api/types/container"

 import "github.com/docker/docker/api/types/network"

-// IsValid indicates if an isolation technology is valid
-func (i Isolation) IsValid() bool {
-	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
-}
-
 // IsBridge indicates whether container uses the bridge network stack
 // in windows it is given the name NAT
 func (n NetworkMode) IsBridge() bool {
@@ -24,24 +19,24 @@ func (n NetworkMode) IsUserDefined() bool {
 	return !n.IsDefault() && !n.IsNone() && !n.IsBridge() && !n.IsContainer()
 }

+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
+	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
+}
+
 // NetworkName returns the name of the network stack.
 func (n NetworkMode) NetworkName() string {
-	switch {
-	case n.IsDefault():
+	if n.IsDefault() {
 		return network.NetworkDefault
-	case n.IsBridge():
+	} else if n.IsBridge() {
 		return network.NetworkNat
-	case n.IsHost():
-		// Windows currently doesn't support host network-mode, so
-		// this would currently never happen..
-		return network.NetworkHost
-	case n.IsNone():
+	} else if n.IsNone() {
 		return network.NetworkNone
-	case n.IsContainer():
+	} else if n.IsContainer() {
 		return "container"
-	case n.IsUserDefined():
+	} else if n.IsUserDefined() {
 		return n.UserDefined()
-	default:
-		return ""
 	}
+
+	return ""
 }
--- a/api/types/container/network_settings.go
+++ b/api/types/container/network_settings.go
@@ -1,56 +0,0 @@
-package container
-
-import (
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/go-connections/nat"
-)
-
-// NetworkSettings exposes the network settings in the api
-type NetworkSettings struct {
-	NetworkSettingsBase
-	DefaultNetworkSettings
-	Networks map[string]*network.EndpointSettings
-}
-
-// NetworkSettingsBase holds networking state for a container when inspecting it.
-type NetworkSettingsBase struct {
-	Bridge     string      // Bridge contains the name of the default bridge interface iff it was set through the daemon --bridge flag.
-	SandboxID  string      // SandboxID uniquely represents a container's network stack
-	SandboxKey string      // SandboxKey identifies the sandbox
-	Ports      nat.PortMap // Ports is a collection of PortBinding indexed by Port
-
-	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
-	//
-	// Deprecated: This field is never set and will be removed in a future release.
-	HairpinMode bool
-	// LinkLocalIPv6Address is an IPv6 unicast address using the link-local prefix
-	//
-	// Deprecated: This field is never set and will be removed in a future release.
-	LinkLocalIPv6Address string
-	// LinkLocalIPv6PrefixLen is the prefix length of an IPv6 unicast address
-	//
-	// Deprecated: This field is never set and will be removed in a future release.
-	LinkLocalIPv6PrefixLen int
-	SecondaryIPAddresses   []network.Address // Deprecated: This field is never set and will be removed in a future release.
-	SecondaryIPv6Addresses []network.Address // Deprecated: This field is never set and will be removed in a future release.
-}
-
-// DefaultNetworkSettings holds network information
-// during the 2 release deprecation period.
-// It will be removed in Docker 1.11.
-type DefaultNetworkSettings struct {
-	EndpointID          string // EndpointID uniquely represents a service endpoint in a Sandbox
-	Gateway             string // Gateway holds the gateway address for the network
-	GlobalIPv6Address   string // GlobalIPv6Address holds network's global IPv6 address
-	GlobalIPv6PrefixLen int    // GlobalIPv6PrefixLen represents mask length of network's global IPv6 address
-	IPAddress           string // IPAddress holds the IPv4 address for the network
-	IPPrefixLen         int    // IPPrefixLen represents mask length of network's IPv4 address
-	IPv6Gateway         string // IPv6Gateway holds gateway address specific for IPv6
-	MacAddress          string // MacAddress holds the MAC address for the network
-}
-
-// NetworkSettingsSummary provides a summary of container's networks
-// in /containers/json
-type NetworkSettingsSummary struct {
-	Networks map[string]*network.EndpointSettings
-}
--- a/api/types/container/top_response.go
+++ b/api/types/container/top_response.go
@@ -1,18 +0,0 @@
-package container
-
-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-// TopResponse ContainerTopResponse
-//
-// Container "top" response.
-// swagger:model TopResponse
-type TopResponse struct {
-
-	// Each process running in the container, where each process
-	// is an array of values corresponding to the titles.
-	Processes [][]string `json:"Processes"`
-
-	// The ps column titles
-	Titles []string `json:"Titles"`
-}
--- a/api/types/container/update_response.go
+++ b/api/types/container/update_response.go
@@ -1,14 +0,0 @@
-package container
-
-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-// UpdateResponse ContainerUpdateResponse
-//
-// Response for a successful container-update.
-// swagger:model UpdateResponse
-type UpdateResponse struct {
-
-	// Warnings encountered when updating the container.
-	Warnings []string `json:"Warnings"`
-}
--- a/api/types/events/events.go
+++ b/api/types/events/events.go
@@ -1,5 +1,4 @@
 package events // import "github.com/docker/docker/api/types/events"
-import "github.com/docker/docker/api/types/filters"

 // Type is used for event-types.
 type Type string
@@ -126,10 +125,3 @@ type Message struct {
 	Time     int64 `json:"time,omitempty"`
 	TimeNano int64 `json:"timeNano,omitempty"`
 }
-
-// ListOptions holds parameters to filter events with.
-type ListOptions struct {
-	Since   string
-	Until   string
-	Filters filters.Args
-}
--- a/api/types/filters/errors.go
+++ b/api/types/filters/errors.go
@@ -22,3 +22,16 @@ func (e invalidFilter) Error() string {

 // InvalidParameter marks this error as ErrInvalidParameter
 func (e invalidFilter) InvalidParameter() {}
+
+// unreachableCode is an error indicating that the code path was not expected to be reached.
+type unreachableCode struct {
+	Filter string
+	Value  []string
+}
+
+// System marks this error as ErrSystem
+func (e unreachableCode) System() {}
+
+func (e unreachableCode) Error() string {
+	return fmt.Sprintf("unreachable code reached for filter: %q with values: %s", e.Filter, e.Value)
+}
--- a/api/types/filters/parse.go
+++ b/api/types/filters/parse.go
@@ -196,10 +196,11 @@ func (args Args) Match(field, source string) bool {
 }

 // GetBoolOrDefault returns a boolean value of the key if the key is present
-// and is interpretable as a boolean value. Otherwise the default value is returned.
+// and is intepretable as a boolean value. Otherwise the default value is returned.
 // Error is not nil only if the filter values are not valid boolean or are conflicting.
 func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
 	fieldValues, ok := args.fields[key]
+
 	if !ok {
 		return defaultValue, nil
 	}
@@ -210,11 +211,20 @@ func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {

 	isFalse := fieldValues["0"] || fieldValues["false"]
 	isTrue := fieldValues["1"] || fieldValues["true"]
-	if isFalse == isTrue {
-		// Either no or conflicting truthy/falsy value were provided
+
+	conflicting := isFalse && isTrue
+	invalid := !isFalse && !isTrue
+
+	if conflicting || invalid {
 		return defaultValue, &invalidFilter{key, args.Get(key)}
+	} else if isFalse {
+		return false, nil
+	} else if isTrue {
+		return true, nil
 	}
-	return isTrue, nil
+
+	// This code shouldn't be reached.
+	return defaultValue, &unreachableCode{Filter: key, Value: args.Get(key)}
 }

 // ExactMatch returns true if the source matches exactly one of the values.
--- a/api/types/filters/parse_test.go
+++ b/api/types/filters/parse_test.go
@@ -2,6 +2,7 @@ package filters // import "github.com/docker/docker/api/types/filters"

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"sort"
 	"testing"
@@ -11,49 +12,53 @@ import (
 )

 func TestMarshalJSON(t *testing.T) {
-	a := NewArgs(
-		Arg("created", "today"),
-		Arg("image.name", "ubuntu*"),
-		Arg("image.name", "*untu"),
-	)
+	fields := map[string]map[string]bool{
+		"created":    {"today": true},
+		"image.name": {"ubuntu*": true, "*untu": true},
+	}
+	a := Args{fields: fields}

-	s, err := a.MarshalJSON()
-	assert.Check(t, err)
-	const expected = `{"created":{"today":true},"image.name":{"*untu":true,"ubuntu*":true}}`
-	assert.Check(t, is.Equal(string(s), expected))
+	_, err := a.MarshalJSON()
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
 }

 func TestMarshalJSONWithEmpty(t *testing.T) {
-	s, err := json.Marshal(NewArgs())
-	assert.Check(t, err)
-	const expected = `{}`
-	assert.Check(t, is.Equal(string(s), expected))
+	_, err := json.Marshal(NewArgs())
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
 }

 func TestToJSON(t *testing.T) {
-	a := NewArgs(
-		Arg("created", "today"),
-		Arg("image.name", "ubuntu*"),
-		Arg("image.name", "*untu"),
-	)
+	fields := map[string]map[string]bool{
+		"created":    {"today": true},
+		"image.name": {"ubuntu*": true, "*untu": true},
+	}
+	a := Args{fields: fields}

-	s, err := ToJSON(a)
-	assert.Check(t, err)
-	const expected = `{"created":{"today":true},"image.name":{"*untu":true,"ubuntu*":true}}`
-	assert.Check(t, is.Equal(s, expected))
+	_, err := ToJSON(a)
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
 }

 func TestToParamWithVersion(t *testing.T) {
-	a := NewArgs(
-		Arg("created", "today"),
-		Arg("image.name", "ubuntu*"),
-		Arg("image.name", "*untu"),
-	)
+	fields := map[string]map[string]bool{
+		"created":    {"today": true},
+		"image.name": {"ubuntu*": true, "*untu": true},
+	}
+	a := Args{fields: fields}

 	str1, err := ToParamWithVersion("1.21", a)
-	assert.Check(t, err)
+	if err != nil {
+		t.Errorf("failed to marshal the filters with version < 1.22: %s", err)
+	}
 	str2, err := ToParamWithVersion("1.22", a)
-	assert.Check(t, err)
+	if err != nil {
+		t.Errorf("failed to marshal the filters with version >= 1.22: %s", err)
+	}
 	if str1 != `{"created":["today"],"image.name":["*untu","ubuntu*"]}` &&
 		str1 != `{"created":["today"],"image.name":["ubuntu*","*untu"]}` {
 		t.Errorf("incorrectly marshaled the filters: %s", str1)
@@ -87,30 +92,39 @@ func TestFromJSON(t *testing.T) {
 	}

 	for _, invalid := range invalids {
-		t.Run(invalid, func(t *testing.T) {
-			_, err := FromJSON(invalid)
-			if err == nil {
-				t.Fatalf("Expected an error with %v, got nothing", invalid)
-			}
-			var invalidFilterError *invalidFilter
-			assert.Check(t, is.ErrorType(err, invalidFilterError))
-			wrappedErr := fmt.Errorf("something went wrong: %w", err)
-			assert.Check(t, is.ErrorIs(wrappedErr, err))
-		})
+		_, err := FromJSON(invalid)
+		if err == nil {
+			t.Fatalf("Expected an error with %v, got nothing", invalid)
+		}
+		var invalidFilterError *invalidFilter
+		if !errors.As(err, &invalidFilterError) {
+			t.Fatalf("Expected an invalidFilter error, got %T", err)
+		}
+		wrappedErr := fmt.Errorf("something went wrong: %w", err)
+		if !errors.Is(wrappedErr, err) {
+			t.Errorf("Expected a wrapped error to be detected as invalidFilter")
+		}
 	}

 	for expectedArgs, matchers := range valid {
 		for _, jsonString := range matchers {
 			args, err := FromJSON(jsonString)
-			assert.Check(t, err)
-			assert.Check(t, is.Equal(args.Len(), expectedArgs.Len()))
+			if err != nil {
+				t.Fatal(err)
+			}
+			if args.Len() != expectedArgs.Len() {
+				t.Fatalf("Expected %v, go %v", expectedArgs, args)
+			}
 			for key, expectedValues := range expectedArgs.fields {
 				values := args.Get(key)
-				assert.Check(t, is.Len(values, len(expectedValues)), expectedArgs)
+
+				if len(values) != len(expectedValues) {
+					t.Fatalf("Expected %v, go %v", expectedArgs, args)
+				}

 				for _, v := range values {
 					if !expectedValues[v] {
-						t.Errorf("Expected %v, go %v", expectedArgs, args)
+						t.Fatalf("Expected %v, go %v", expectedArgs, args)
 					}
 				}
 			}
@@ -120,12 +134,17 @@ func TestFromJSON(t *testing.T) {

 func TestEmpty(t *testing.T) {
 	a := Args{}
-	assert.Check(t, is.Equal(a.Len(), 0))
 	v, err := ToJSON(a)
-	assert.Check(t, err)
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
 	v1, err := FromJSON(v)
-	assert.Check(t, err)
-	assert.Check(t, is.Equal(v1.Len(), 0))
+	if err != nil {
+		t.Errorf("%s", err)
+	}
+	if a.Len() != v1.Len() {
+		t.Error("these should both be empty sets")
+	}
 }

 func TestArgsMatchKVListEmptySources(t *testing.T) {
@@ -166,7 +185,7 @@ func TestArgsMatchKVList(t *testing.T) {

 	for args, field := range matches {
 		if !args.MatchKVList(field, sources) {
-			t.Errorf("Expected true for %v on %v, got false", sources, args)
+			t.Fatalf("Expected true for %v on %v, got false", sources, args)
 		}
 	}

@@ -192,7 +211,7 @@ func TestArgsMatchKVList(t *testing.T) {

 	for args, field := range differs {
 		if args.MatchKVList(field, sources) {
-			t.Errorf("Expected false for %v on %v, got true", sources, args)
+			t.Fatalf("Expected false for %v on %v, got true", sources, args)
 		}
 	}
 }
@@ -230,7 +249,8 @@ func TestArgsMatch(t *testing.T) {
 	}

 	for args, field := range matches {
-		assert.Check(t, args.Match(field, source), "Expected field %s to match %s", field, source)
+		assert.Check(t, args.Match(field, source),
+			"Expected field %s to match %s", field, source)
 	}

 	differs := map[*Args]string{
@@ -270,62 +290,89 @@ func TestArgsMatch(t *testing.T) {
 func TestAdd(t *testing.T) {
 	f := NewArgs()
 	f.Add("status", "running")
-	v := f.Get("status")
-	assert.Check(t, is.DeepEqual(v, []string{"running"}))
+	v := f.fields["status"]
+	if len(v) != 1 || !v["running"] {
+		t.Fatalf("Expected to include a running status, got %v", v)
+	}

 	f.Add("status", "paused")
-	v = f.Get("status")
-	assert.Check(t, is.Len(v, 2))
-	assert.Check(t, is.Contains(v, "running"))
-	assert.Check(t, is.Contains(v, "paused"))
+	if len(v) != 2 || !v["paused"] {
+		t.Fatalf("Expected to include a paused status, got %v", v)
+	}
 }

 func TestDel(t *testing.T) {
 	f := NewArgs()
 	f.Add("status", "running")
 	f.Del("status", "running")
-	assert.Check(t, is.Equal(f.Len(), 0))
-	assert.Check(t, is.DeepEqual(f.Get("status"), []string{}))
+	v := f.fields["status"]
+	if v["running"] {
+		t.Fatal("Expected to not include a running status filter, got true")
+	}
 }

 func TestLen(t *testing.T) {
 	f := NewArgs()
-	assert.Check(t, is.Equal(f.Len(), 0))
+	if f.Len() != 0 {
+		t.Fatal("Expected to not include any field")
+	}
 	f.Add("status", "running")
-	assert.Check(t, is.Equal(f.Len(), 1))
+	if f.Len() != 1 {
+		t.Fatal("Expected to include one field")
+	}
 }

 func TestExactMatch(t *testing.T) {
 	f := NewArgs()

-	assert.Check(t, f.ExactMatch("status", "running"), "Expected to match `running` when there are no filters")
+	if !f.ExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` when there are no filters, got false")
+	}

 	f.Add("status", "running")
 	f.Add("status", "pause*")

-	assert.Check(t, f.ExactMatch("status", "running"), "Expected to match `running` with one of the filters")
-	assert.Check(t, !f.ExactMatch("status", "paused"), "Expected to not match `paused` with one of the filters")
+	if !f.ExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` with one of the filters, got false")
+	}
+
+	if f.ExactMatch("status", "paused") {
+		t.Fatal("Expected to not match `paused` with one of the filters, got true")
+	}
 }

 func TestOnlyOneExactMatch(t *testing.T) {
 	f := NewArgs()

-	assert.Check(t, f.ExactMatch("status", "running"), "Expected to match `running` when there are no filters")
+	if !f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` when there are no filters, got false")
+	}

 	f.Add("status", "running")
-	assert.Check(t, f.ExactMatch("status", "running"), "Expected to match `running` with one of the filters")
-	assert.Check(t, !f.UniqueExactMatch("status", "paused"), "Expected to not match `paused` with one of the filters")
+
+	if !f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` with one of the filters, got false")
+	}
+
+	if f.UniqueExactMatch("status", "paused") {
+		t.Fatal("Expected to not match `paused` with one of the filters, got true")
+	}

 	f.Add("status", "pause")
-	assert.Check(t, !f.UniqueExactMatch("status", "running"), "Expected to not match only `running` with two filters")
+	if f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to not match only `running` with two filters, got true")
+	}
 }

 func TestContains(t *testing.T) {
 	f := NewArgs()
-	assert.Check(t, !f.Contains("status"))
-
+	if f.Contains("status") {
+		t.Fatal("Expected to not contain a status key, got true")
+	}
 	f.Add("status", "running")
-	assert.Check(t, f.Contains("status"))
+	if !f.Contains("status") {
+		t.Fatal("Expected to contain a status key, got false")
+	}
 }

 func TestValidate(t *testing.T) {
@@ -337,14 +384,23 @@ func TestValidate(t *testing.T) {
 		"dangling": true,
 	}

-	assert.Check(t, f.Validate(valid))
+	if err := f.Validate(valid); err != nil {
+		t.Fatal(err)
+	}

 	f.Add("bogus", "running")
 	err := f.Validate(valid)
+	if err == nil {
+		t.Fatal("Expected to return an error, got nil")
+	}
 	var invalidFilterError *invalidFilter
-	assert.Check(t, is.ErrorType(err, invalidFilterError))
+	if !errors.As(err, &invalidFilterError) {
+		t.Errorf("Expected an invalidFilter error, got %T", err)
+	}
 	wrappedErr := fmt.Errorf("something went wrong: %w", err)
-	assert.Check(t, is.ErrorIs(wrappedErr, err))
+	if !errors.Is(wrappedErr, err) {
+		t.Errorf("Expected a wrapped error to be detected as invalidFilter")
+	}
 }

 func TestWalkValues(t *testing.T) {
@@ -358,23 +414,23 @@ func TestWalkValues(t *testing.T) {
 		}
 		return nil
 	})
-	assert.Check(t, err)
+	if err != nil {
+		t.Fatalf("Expected no error, got %v", err)
+	}

-	loops1 := 0
 	err = f.WalkValues("status", func(value string) error {
-		loops1++
-		return nil
+		return errors.New("return")
 	})
-	assert.Check(t, err)
-	assert.Check(t, is.Equal(loops1, 2), "Expected to not iterate when the field doesn't exist")
+	if err == nil {
+		t.Fatal("Expected to get an error, got nil")
+	}

-	loops2 := 0
-	err = f.WalkValues("unknown-key", func(value string) error {
-		loops2++
-		return nil
+	err = f.WalkValues("foo", func(value string) error {
+		return errors.New("return")
 	})
-	assert.Check(t, err)
-	assert.Check(t, is.Equal(loops2, 0), "Expected to not iterate when the field doesn't exist")
+	if err != nil {
+		t.Fatalf("Expected to not iterate when the field doesn't exist, got %v", err)
+	}
 }

 func TestFuzzyMatch(t *testing.T) {
@@ -390,7 +446,7 @@ func TestFuzzyMatch(t *testing.T) {
 	for source, match := range cases {
 		got := f.FuzzyMatch("container", source)
 		if got != match {
-			t.Errorf("Expected %v, got %v: %s", match, got, source)
+			t.Fatalf("Expected %v, got %v: %s", match, got, source)
 		}
 	}
 }
@@ -484,6 +540,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 			expectedValue: false,
 		},
 	} {
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			a := NewArgs()

@@ -511,7 +568,7 @@ func TestGetBoolOrDefault(t *testing.T) {
 				assert.Check(t, is.DeepEqual(expected.Value, actual.Value))

 				wrappedErr := fmt.Errorf("something went wrong: %w", err)
-				assert.Check(t, is.ErrorIs(wrappedErr, err), "Expected a wrapped error to be detected as invalidFilter")
+				assert.Check(t, errors.Is(wrappedErr, err), "Expected a wrapped error to be detected as invalidFilter")
 			}

 			assert.Check(t, is.Equal(tc.expectedValue, value))
--- a/api/types/storage/driver_data.go
+++ b/api/types/storage/driver_data.go
@@ -1,13 +1,13 @@
-package storage
+package types

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command

-// DriverData Information about the storage driver used to store the container's and
+// GraphDriverData Information about the storage driver used to store the container's and
 // image's filesystem.
 //
-// swagger:model DriverData
-type DriverData struct {
+// swagger:model GraphDriverData
+type GraphDriverData struct {

 	// Low-level storage metadata, provided as key/value pairs.
 	//
--- a/api/types/common/id_response.go
+++ b/api/types/common/id_response.go
@@ -1,10 +1,10 @@
-package common
+package types

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command

 // IDResponse Response to an API call that returns just an Id
-// swagger:model IDResponse
+// swagger:model IdResponse
 type IDResponse struct {

 	// The id of the newly created object.
--- a/api/types/image/image.go
+++ b/api/types/image/image.go
@@ -1,47 +1,9 @@
 package image

-import (
-	"io"
-	"time"
-)
+import "time"

 // Metadata contains engine-local data about the image.
 type Metadata struct {
 	// LastTagTime is the date and time at which the image was last tagged.
 	LastTagTime time.Time `json:",omitempty"`
 }
-
-// PruneReport contains the response for Engine API:
-// POST "/images/prune"
-type PruneReport struct {
-	ImagesDeleted  []DeleteResponse
-	SpaceReclaimed uint64
-}
-
-// LoadResponse returns information to the client about a load process.
-//
-// TODO(thaJeztah): remove this type, and just use an io.ReadCloser
-//
-// This type was added in https://github.com/moby/moby/pull/18878, related
-// to https://github.com/moby/moby/issues/19177;
-//
-// Make docker load to output json when the response content type is json
-// Swarm hijacks the response from docker load and returns JSON rather
-// than plain text like the Engine does. This makes the API library to return
-// information to figure that out.
-//
-// However the "load" endpoint unconditionally returns JSON;
-// https://github.com/moby/moby/blob/7b9d2ef6e5518a3d3f3cc418459f8df786cfbbd1/api/server/router/image/image_routes.go#L248-L255
-//
-// PR https://github.com/moby/moby/pull/21959 made the response-type depend
-// on whether "quiet" was set, but this logic got changed in a follow-up
-// https://github.com/moby/moby/pull/25557, which made the JSON response-type
-// unconditionally, but the output produced depend on whether"quiet" was set.
-//
-// We should deprecated the "quiet" option, as it's really a client
-// responsibility.
-type LoadResponse struct {
-	// Body must be closed to avoid a resource leak
-	Body io.ReadCloser
-	JSON bool
-}
--- a/api/types/image/image_inspect.go
+++ b/api/types/image/image_inspect.go
@@ -1,140 +0,0 @@
-package image
-
-import (
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/storage"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// RootFS returns Image's RootFS description including the layer IDs.
-type RootFS struct {
-	Type   string   `json:",omitempty"`
-	Layers []string `json:",omitempty"`
-}
-
-// InspectResponse contains response of Engine API:
-// GET "/images/{name:.*}/json"
-type InspectResponse struct {
-	// ID is the content-addressable ID of an image.
-	//
-	// This identifier is a content-addressable digest calculated from the
-	// image's configuration (which includes the digests of layers used by
-	// the image).
-	//
-	// Note that this digest differs from the `RepoDigests` below, which
-	// holds digests of image manifests that reference the image.
-	ID string `json:"Id"`
-
-	// RepoTags is a list of image names/tags in the local image cache that
-	// reference this image.
-	//
-	// Multiple image tags can refer to the same image, and this list may be
-	// empty if no tags reference the image, in which case the image is
-	// "untagged", in which case it can still be referenced by its ID.
-	RepoTags []string
-
-	// RepoDigests is a list of content-addressable digests of locally available
-	// image manifests that the image is referenced from. Multiple manifests can
-	// refer to the same image.
-	//
-	// These digests are usually only available if the image was either pulled
-	// from a registry, or if the image was pushed to a registry, which is when
-	// the manifest is generated and its digest calculated.
-	RepoDigests []string
-
-	// Parent is the ID of the parent image.
-	//
-	// Depending on how the image was created, this field may be empty and
-	// is only set for images that were built/created locally. This field
-	// is empty if the image was pulled from an image registry.
-	Parent string
-
-	// Comment is an optional message that can be set when committing or
-	// importing the image.
-	Comment string
-
-	// Created is the date and time at which the image was created, formatted in
-	// RFC 3339 nano-seconds (time.RFC3339Nano).
-	//
-	// This information is only available if present in the image,
-	// and omitted otherwise.
-	Created string `json:",omitempty"`
-
-	// Container is the ID of the container that was used to create the image.
-	//
-	// Depending on how the image was created, this field may be empty.
-	//
-	// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
-	Container string `json:",omitempty"`
-
-	// ContainerConfig is an optional field containing the configuration of the
-	// container that was last committed when creating the image.
-	//
-	// Previous versions of Docker builder used this field to store build cache,
-	// and it is not in active use anymore.
-	//
-	// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
-	ContainerConfig *container.Config `json:",omitempty"`
-
-	// DockerVersion is the version of Docker that was used to build the image.
-	//
-	// Depending on how the image was created, this field may be empty.
-	DockerVersion string
-
-	// Author is the name of the author that was specified when committing the
-	// image, or as specified through MAINTAINER (deprecated) in the Dockerfile.
-	Author string
-	Config *container.Config
-
-	// Architecture is the hardware CPU architecture that the image runs on.
-	Architecture string
-
-	// Variant is the CPU architecture variant (presently ARM-only).
-	Variant string `json:",omitempty"`
-
-	// OS is the Operating System the image is built to run on.
-	Os string
-
-	// OsVersion is the version of the Operating System the image is built to
-	// run on (especially for Windows).
-	OsVersion string `json:",omitempty"`
-
-	// Size is the total size of the image including all layers it is composed of.
-	Size int64
-
-	// VirtualSize is the total size of the image including all layers it is
-	// composed of.
-	//
-	// Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-	VirtualSize int64 `json:"VirtualSize,omitempty"`
-
-	// GraphDriver holds information about the storage driver used to store the
-	// container's and image's filesystem.
-	GraphDriver storage.DriverData
-
-	// RootFS contains information about the image's RootFS, including the
-	// layer IDs.
-	RootFS RootFS
-
-	// Metadata of the image in the local cache.
-	//
-	// This information is local to the daemon, and not part of the image itself.
-	Metadata Metadata
-
-	// Descriptor is the OCI descriptor of the image target.
-	// It's only set if the daemon provides a multi-platform image store.
-	//
-	// WARNING: This is experimental and may change at any time without any backward
-	// compatibility.
-	Descriptor *ocispec.Descriptor `json:"Descriptor,omitempty"`
-
-	// Manifests is a list of image manifests available in this image.  It
-	// provides a more detailed view of the platform-specific image manifests or
-	// other image-attached data like build attestations.
-	//
-	// Only available if the daemon provides a multi-platform image store.
-	//
-	// WARNING: This is experimental and may change at any time without any backward
-	// compatibility.
-	Manifests []ManifestSummary `json:"Manifests,omitempty"`
-}
--- a/api/types/image/manifest.go
+++ b/api/types/image/manifest.go
@@ -1,99 +0,0 @@
-package image
-
-import (
-	"github.com/opencontainers/go-digest"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-type ManifestKind string
-
-const (
-	ManifestKindImage       ManifestKind = "image"
-	ManifestKindAttestation ManifestKind = "attestation"
-	ManifestKindUnknown     ManifestKind = "unknown"
-)
-
-type ManifestSummary struct {
-	// ID is the content-addressable ID of an image and is the same as the
-	// digest of the image manifest.
-	//
-	// Required: true
-	ID string `json:"ID"`
-
-	// Descriptor is the OCI descriptor of the image.
-	//
-	// Required: true
-	Descriptor ocispec.Descriptor `json:"Descriptor"`
-
-	// Indicates whether all the child content (image config, layers) is
-	// fully available locally
-	//
-	// Required: true
-	Available bool `json:"Available"`
-
-	// Size is the size information of the content related to this manifest.
-	// Note: These sizes only take the locally available content into account.
-	//
-	// Required: true
-	Size struct {
-		// Content is the size (in bytes) of all the locally present
-		// content in the content store (e.g. image config, layers)
-		// referenced by this manifest and its children.
-		// This only includes blobs in the content store.
-		Content int64 `json:"Content"`
-
-		// Total is the total size (in bytes) of all the locally present
-		// data (both distributable and non-distributable) that's related to
-		// this manifest and its children.
-		// This equal to the sum of [Content] size AND all the sizes in the
-		// [Size] struct present in the Kind-specific data struct.
-		// For example, for an image kind (Kind == ManifestKindImage),
-		// this would include the size of the image content and unpacked
-		// image snapshots ([Size.Content] + [ImageData.Size.Unpacked]).
-		Total int64 `json:"Total"`
-	} `json:"Size"`
-
-	// Kind is the kind of the image manifest.
-	//
-	// Required: true
-	Kind ManifestKind `json:"Kind"`
-
-	// Fields below are specific to the kind of the image manifest.
-
-	// Present only if Kind == ManifestKindImage.
-	ImageData *ImageProperties `json:"ImageData,omitempty"`
-
-	// Present only if Kind == ManifestKindAttestation.
-	AttestationData *AttestationProperties `json:"AttestationData,omitempty"`
-}
-
-type ImageProperties struct {
-	// Platform is the OCI platform object describing the platform of the image.
-	//
-	// Required: true
-	Platform ocispec.Platform `json:"Platform"`
-
-	Size struct {
-		// Unpacked is the size (in bytes) of the locally unpacked
-		// (uncompressed) image content that's directly usable by the containers
-		// running this image.
-		// It's independent of the distributable content - e.g.
-		// the image might still have an unpacked data that's still used by
-		// some container even when the distributable/compressed content is
-		// already gone.
-		//
-		// Required: true
-		Unpacked int64 `json:"Unpacked"`
-	}
-
-	// Containers is an array containing the IDs of the containers that are
-	// using this image.
-	//
-	// Required: true
-	Containers []string `json:"Containers"`
-}
-
-type AttestationProperties struct {
-	// For is the digest of the image manifest that this attestation is for.
-	For digest.Digest `json:"For"`
-}
--- a/api/types/image/opts.go
+++ b/api/types/image/opts.go
@@ -1,18 +1,6 @@
 package image

-import (
-	"context"
-	"io"
-
-	"github.com/docker/docker/api/types/filters"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// ImportSource holds source information for ImageImport
-type ImportSource struct {
-	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
-	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
-}
+import "github.com/docker/docker/api/types/filters"

 // ImportOptions holds information to import images from the client host.
 type ImportOptions struct {
@@ -38,29 +26,13 @@ type PullOptions struct {
 	// authentication header value in base64 encoded format, or an error if the
 	// privilege request fails.
 	//
-	// For details, refer to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
-	PrivilegeFunc func(context.Context) (string, error)
+	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
+	PrivilegeFunc func() (string, error)
 	Platform      string
 }

 // PushOptions holds information to push images.
-type PushOptions struct {
-	All          bool
-	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry
-
-	// PrivilegeFunc is a function that clients can supply to retry operations
-	// after getting an authorization error. This function returns the registry
-	// authentication header value in base64 encoded format, or an error if the
-	// privilege request fails.
-	//
-	// For details, refer to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
-	PrivilegeFunc func(context.Context) (string, error)
-
-	// Platform is an optional field that selects a specific platform to push
-	// when the image is a multi-platform image.
-	// Using this will only push a single platform-specific manifest.
-	Platform *ocispec.Platform `json:",omitempty"`
-}
+type PushOptions PullOptions

 // ListOptions holds parameters to list images with.
 type ListOptions struct {
@@ -76,9 +48,6 @@ type ListOptions struct {

 	// ContainerCount indicates whether container count should be computed.
 	ContainerCount bool
-
-	// Manifests indicates whether the image manifests should be returned.
-	Manifests bool
 }

 // RemoveOptions holds parameters to remove images.
@@ -86,31 +55,3 @@ type RemoveOptions struct {
 	Force         bool
 	PruneChildren bool
 }
-
-// HistoryOptions holds parameters to get image history.
-type HistoryOptions struct {
-	// Platform from the manifest list to use for history.
-	Platform *ocispec.Platform
-}
-
-// LoadOptions holds parameters to load images.
-type LoadOptions struct {
-	// Quiet suppresses progress output
-	Quiet bool
-
-	// Platforms selects the platforms to load if the image is a
-	// multi-platform image and has multiple variants.
-	Platforms []ocispec.Platform
-}
-
-type InspectOptions struct {
-	// Manifests returns the image manifests.
-	Manifests bool
-}
-
-// SaveOptions holds parameters to save images.
-type SaveOptions struct {
-	// Platforms selects the platforms to save if the image is a
-	// multi-platform image and has multiple variants.
-	Platforms []ocispec.Platform
-}
--- a/api/types/image/summary.go
+++ b/api/types/image/summary.go
@@ -1,7 +1,10 @@
 package image

-import ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command

+// Summary summary
+// swagger:model Summary
 type Summary struct {

 	// Number of containers using this image. Includes both stopped and running
@@ -14,7 +17,7 @@ type Summary struct {
 	Containers int64 `json:"Containers"`

 	// Date and time at which the image was created as a Unix timestamp
-	// (number of seconds since EPOCH).
+	// (number of seconds sinds EPOCH).
 	//
 	// Required: true
 	Created int64 `json:"Created"`
@@ -44,21 +47,6 @@ type Summary struct {
 	// Required: true
 	ParentID string `json:"ParentId"`

-	// Descriptor is the OCI descriptor of the image target.
-	// It's only set if the daemon provides a multi-platform image store.
-	//
-	// WARNING: This is experimental and may change at any time without any backward
-	// compatibility.
-	Descriptor *ocispec.Descriptor `json:"Descriptor,omitempty"`
-
-	// Manifests is a list of image manifests available in this image.  It
-	// provides a more detailed view of the platform-specific image manifests or
-	// other image-attached data like build attestations.
-	//
-	// WARNING: This is experimental and may change at any time without any backward
-	// compatibility.
-	Manifests []ManifestSummary `json:"Manifests,omitempty"`
-
 	// List of content-addressable digests of locally available image manifests
 	// that the image is referenced from. Multiple manifests can refer to the
 	// same image.
--- a/api/types/mount/mount.go
+++ b/api/types/mount/mount.go
@@ -19,8 +19,6 @@ const (
 	TypeNamedPipe Type = "npipe"
 	// TypeCluster is the type for Swarm Cluster Volumes.
 	TypeCluster Type = "cluster"
-	// TypeImage is the type for mounting another image's filesystem
-	TypeImage Type = "image"
 )

 // Mount represents a mount (volume).
@@ -36,7 +34,6 @@ type Mount struct {

 	BindOptions    *BindOptions    `json:",omitempty"`
 	VolumeOptions  *VolumeOptions  `json:",omitempty"`
-	ImageOptions   *ImageOptions   `json:",omitempty"`
 	TmpfsOptions   *TmpfsOptions   `json:",omitempty"`
 	ClusterOptions *ClusterOptions `json:",omitempty"`
 }
@@ -103,10 +100,6 @@ type VolumeOptions struct {
 	DriverConfig *Driver           `json:",omitempty"`
 }

-type ImageOptions struct {
-	Subpath string `json:",omitempty"`
-}
-
 // Driver represents a volume driver.
 type Driver struct {
 	Name    string            `json:",omitempty"`
@@ -126,11 +119,7 @@ type TmpfsOptions struct {
 	SizeBytes int64 `json:",omitempty"`
 	// Mode of the tmpfs upon creation
 	Mode os.FileMode `json:",omitempty"`
-	// Options to be passed to the tmpfs mount. An array of arrays. Flag
-	// options should be provided as 1-length arrays. Other types should be
-	// provided as 2-length arrays, where the first item is the key and the
-	// second the value.
-	Options [][]string `json:",omitempty"`
+
 	// TODO(stevvooe): There are several more tmpfs flags, specified in the
 	// daemon, that are accepted. Only the most basic are added for now.
 	//
--- a/api/types/network/create_response.go
+++ b/api/types/network/create_response.go
@@ -1,19 +0,0 @@
-package network
-
-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-// CreateResponse NetworkCreateResponse
-//
-// OK response to NetworkCreate operation
-// swagger:model CreateResponse
-type CreateResponse struct {
-
-	// The ID of the created network.
-	// Required: true
-	ID string `json:"Id"`
-
-	// Warnings encountered when creating the container
-	// Required: true
-	Warning string `json:"Warning"`
-}
--- a/api/types/network/endpoint.go
+++ b/api/types/network/endpoint.go
@@ -18,13 +18,6 @@ type EndpointSettings struct {
 	// Once the container is running, it becomes operational data (it may contain a
 	// generated address).
 	MacAddress string
-	DriverOpts map[string]string
-
-	// GwPriority determines which endpoint will provide the default gateway
-	// for the container. The endpoint with the highest priority will be used.
-	// If multiple endpoints have the same priority, they are lexicographically
-	// sorted based on their network name, and the one that sorts first is picked.
-	GwPriority int
 	// Operational data
 	NetworkID           string
 	EndpointID          string
@@ -34,6 +27,7 @@ type EndpointSettings struct {
 	IPv6Gateway         string
 	GlobalIPv6Address   string
 	GlobalIPv6PrefixLen int
+	DriverOpts          map[string]string
 	// DNSNames holds all the (non fully qualified) DNS names associated to this endpoint. First entry is used to
 	// generate PTR records.
 	DNSNames []string
--- a/api/types/network/endpoint_test.go
+++ b/api/types/network/endpoint_test.go
@@ -23,7 +23,7 @@ func (stub subnetStub) Contains(addr net.IP) bool {
 }

 func TestEndpointIPAMConfigWithOutOfRangeAddrs(t *testing.T) {
-	tests := []struct {
+	testcases := []struct {
 		name           string
 		ipamConfig     *EndpointIPAMConfig
 		v4Subnets      []NetworkSubnet
@@ -80,7 +80,8 @@ func TestEndpointIPAMConfigWithOutOfRangeAddrs(t *testing.T) {
 		},
 	}

-	for _, tc := range tests {
+	for _, tc := range testcases {
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

@@ -101,10 +102,11 @@ func TestEndpointIPAMConfigWithOutOfRangeAddrs(t *testing.T) {
 			}
 		})
 	}
+
 }

 func TestEndpointIPAMConfigWithInvalidConfig(t *testing.T) {
-	tests := []struct {
+	testcases := []struct {
 		name           string
 		ipamConfig     *EndpointIPAMConfig
 		expectedErrors []string
@@ -161,7 +163,8 @@ func TestEndpointIPAMConfigWithInvalidConfig(t *testing.T) {
 		},
 	}

-	for _, tc := range tests {
+	for _, tc := range testcases {
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

--- a/api/types/network/ipam_test.go
+++ b/api/types/network/ipam_test.go
@@ -8,7 +8,7 @@ import (
 )

 func TestNetworkWithInvalidIPAM(t *testing.T) {
-	tests := []struct {
+	testcases := []struct {
 		name           string
 		ipam           IPAM
 		ipv6           bool
@@ -123,7 +123,8 @@ func TestNetworkWithInvalidIPAM(t *testing.T) {
 		},
 	}

-	for _, tc := range tests {
+	for _, tc := range testcases {
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

--- a/api/types/network/network.go
+++ b/api/types/network/network.go
@@ -1,8 +1,6 @@
 package network // import "github.com/docker/docker/api/types/network"

 import (
-	"time"
-
 	"github.com/docker/docker/api/types/filters"
 )

@@ -19,84 +17,6 @@ const (
 	NetworkNat = "nat"
 )

-// CreateRequest is the request message sent to the server for network create call.
-type CreateRequest struct {
-	CreateOptions
-	Name string // Name is the requested name of the network.
-
-	// Deprecated: CheckDuplicate is deprecated since API v1.44, but it defaults to true when sent by the client
-	// package to older daemons.
-	CheckDuplicate *bool `json:",omitempty"`
-}
-
-// CreateOptions holds options to create a network.
-type CreateOptions struct {
-	Driver     string            // Driver is the driver-name used to create the network (e.g. `bridge`, `overlay`)
-	Scope      string            // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level).
-	EnableIPv4 *bool             `json:",omitempty"` // EnableIPv4 represents whether to enable IPv4.
-	EnableIPv6 *bool             `json:",omitempty"` // EnableIPv6 represents whether to enable IPv6.
-	IPAM       *IPAM             // IPAM is the network's IP Address Management.
-	Internal   bool              // Internal represents if the network is used internal only.
-	Attachable bool              // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
-	Ingress    bool              // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
-	ConfigOnly bool              // ConfigOnly creates a config-only network. Config-only networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
-	ConfigFrom *ConfigReference  // ConfigFrom specifies the source which will provide the configuration for this network. The specified network must be a config-only network; see [CreateOptions.ConfigOnly].
-	Options    map[string]string // Options specifies the network-specific options to use for when creating the network.
-	Labels     map[string]string // Labels holds metadata specific to the network being created.
-}
-
-// ListOptions holds parameters to filter the list of networks with.
-type ListOptions struct {
-	Filters filters.Args
-}
-
-// InspectOptions holds parameters to inspect network.
-type InspectOptions struct {
-	Scope   string
-	Verbose bool
-}
-
-// ConnectOptions represents the data to be used to connect a container to the
-// network.
-type ConnectOptions struct {
-	Container      string
-	EndpointConfig *EndpointSettings `json:",omitempty"`
-}
-
-// DisconnectOptions represents the data to be used to disconnect a container
-// from the network.
-type DisconnectOptions struct {
-	Container string
-	Force     bool
-}
-
-// Inspect is the body of the "get network" http response message.
-type Inspect struct {
-	Name       string                      // Name is the name of the network
-	ID         string                      `json:"Id"` // ID uniquely identifies a network on a single machine
-	Created    time.Time                   // Created is the time the network created
-	Scope      string                      // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level)
-	Driver     string                      // Driver is the Driver name used to create the network (e.g. `bridge`, `overlay`)
-	EnableIPv4 bool                        // EnableIPv4 represents whether IPv4 is enabled
-	EnableIPv6 bool                        // EnableIPv6 represents whether IPv6 is enabled
-	IPAM       IPAM                        // IPAM is the network's IP Address Management
-	Internal   bool                        // Internal represents if the network is used internal only
-	Attachable bool                        // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
-	Ingress    bool                        // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
-	ConfigFrom ConfigReference             // ConfigFrom specifies the source which will provide the configuration for this network.
-	ConfigOnly bool                        // ConfigOnly networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
-	Containers map[string]EndpointResource // Containers contains endpoints belonging to the network
-	Options    map[string]string           // Options holds the network specific options to use for when creating the network
-	Labels     map[string]string           // Labels holds metadata specific to the network being created
-	Peers      []PeerInfo                  `json:",omitempty"` // List of peer nodes for an overlay network
-	Services   map[string]ServiceInfo      `json:",omitempty"`
-}
-
-// Summary is used as response when listing networks. It currently is an alias
-// for [Inspect], but may diverge in the future, as not all information may
-// be included when listing networks.
-type Summary = Inspect
-
 // Address represents an IP address
 type Address struct {
 	Addr      string
@@ -125,16 +45,6 @@ type ServiceInfo struct {
 	Tasks        []Task
 }

-// EndpointResource contains network resources allocated and used for a
-// container in a network.
-type EndpointResource struct {
-	Name        string
-	EndpointID  string
-	MacAddress  string
-	IPv4Address string
-	IPv6Address string
-}
-
 // NetworkingConfig represents the container's networking configuration for each of its interfaces
 // Carries the networking configs specified in the `docker run` and `docker network connect` commands
 type NetworkingConfig struct {
@@ -160,9 +70,3 @@ var acceptedFilters = map[string]bool{
 func ValidateFilters(filter filters.Args) error {
 	return filter.Validate(acceptedFilters)
 }
-
-// PruneReport contains the response for Engine API:
-// POST "/networks/prune"
-type PruneReport struct {
-	NetworksDeleted []string
-}
--- a/api/types/container/port.go
+++ b/api/types/container/port.go
@@ -1,4 +1,4 @@
-package container
+package types

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command
--- a/api/types/registry/authconfig.go
+++ b/api/types/registry/authconfig.go
@@ -1,29 +1,17 @@
 package registry // import "github.com/docker/docker/api/types/registry"
 import (
-	"context"
 	"encoding/base64"
 	"encoding/json"
-	"fmt"
 	"io"
 	"strings"
+
+	"github.com/pkg/errors"
 )

 // AuthHeader is the name of the header used to send encoded registry
 // authorization credentials for registry operations (push/pull).
 const AuthHeader = "X-Registry-Auth"

-// RequestAuthConfig is a function interface that clients can supply
-// to retry operations after getting an authorization error.
-//
-// The function must return the [AuthHeader] value ([AuthConfig]), encoded
-// in base64url format ([RFC4648, section 5]), which can be decoded by
-// [DecodeAuthConfig].
-//
-// It must return an error if the privilege request fails.
-//
-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
-type RequestAuthConfig func(context.Context) (string, error)
-
 // AuthConfig contains authorization information for connecting to a Registry.
 type AuthConfig struct {
 	Username string `json:"username,omitempty"`
@@ -46,9 +34,10 @@ type AuthConfig struct {
 }

 // EncodeAuthConfig serializes the auth configuration as a base64url encoded
-// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.
+// RFC4648, section 5) JSON string for sending through the X-Registry-Auth header.
 //
-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+// For details on base64url encoding, see:
+// - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
 func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
 	buf, err := json.Marshal(authConfig)
 	if err != nil {
@@ -57,14 +46,15 @@ func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
 	return base64.URLEncoding.EncodeToString(buf), nil
 }

-// DecodeAuthConfig decodes base64url encoded ([RFC4648, section 5]) JSON
+// DecodeAuthConfig decodes base64url encoded (RFC4648, section 5) JSON
 // authentication information as sent through the X-Registry-Auth header.
 //
-// This function always returns an [AuthConfig], even if an error occurs. It is up
+// This function always returns an AuthConfig, even if an error occurs. It is up
 // to the caller to decide if authentication is required, and if the error can
 // be ignored.
 //
-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+// For details on base64url encoding, see:
+// - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
 func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
 	if authEncoded == "" {
 		return &AuthConfig{}, nil
@@ -79,7 +69,7 @@ func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
 // clients and API versions. Current clients and API versions expect authentication
 // to be provided through the X-Registry-Auth header.
 //
-// Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an
+// Like DecodeAuthConfig, this function always returns an AuthConfig, even if an
 // error occurs. It is up to the caller to decide if authentication is required,
 // and if the error can be ignored.
 func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {
@@ -97,7 +87,7 @@ func decodeAuthConfigFromReader(rdr io.Reader) (*AuthConfig, error) {
 }

 func invalid(err error) error {
-	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}
+	return errInvalidParameter{errors.Wrap(err, "invalid X-Registry-Auth header")}
 }

 type errInvalidParameter struct{ error }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sebastiaan van Stijn	a312606256	Merge commit from fork [26.0] AuthZ plugin security fixes	2024-07-23 21:36:28 +02:00
Jameson Hyde	754d8f168e	If url includes scheme, urlPath will drop hostname, which would not match the auth check Signed-off-by: Jameson Hyde <jameson.hyde@docker.com> (cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `5282cb25d0`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-07-17 13:09:10 +02:00
Jameson Hyde	4c31251093	Authz plugin security fixes for 0-length content and path validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com> fix comments (cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `2ac8a479c5`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-07-17 13:09:08 +02:00
Sebastiaan van Stijn	8ce163b7dc	Merge pull request #47807 from vvoland/v26.0-47805 [26.0 backport] update to go1.21.10	2024-06-08 17:25:26 +02:00
Paweł Gronowski	ac366556b7	update to go1.21.10 - https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10 These minor releases include 2 security fixes following the security policy: - cmd/go: arbitrary code execution during build on darwin On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-24787 and Go issue https://go.dev/issue/67119. - net: malformed DNS message can cause infinite loop A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to our attention. This is CVE-2024-24788 and Go issue https://go.dev/issue/66754. View the release notes for more information: https://go.dev/doc/devel/release#go1.22.3 - Description for the changelog ```markdown changelog Update Go runtime to 1.21.10 ``` Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `6c97e0e0b5`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-05-08 09:43:51 +02:00
Paweł Gronowski	54aee20458	Merge pull request #47758 from austinvazquez/cherry-pick-ab570ab3d62038b3d26f96a9bb585d0b6095b9b4-to-26.0 [26.0 backport] fix: avoid nil dereference on image history Created value	2024-04-25 17:42:59 +02:00
Christopher Petito	bd6b5b6d37	nil dereference fix on image history Created value Issue was caused by the changes here https://github.com/moby/moby/pull/45504 First released in v25.0.0-beta.1 Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com> (cherry picked from commit `ab570ab3d6`) Signed-off-by: Austin Vazquez <macedonv@amazon.com>	2024-04-23 23:19:52 +00:00
Sebastiaan van Stijn	7cef0d9cd1	Merge pull request from GHSA-x84c-p2g9-rqv9 [26.0 backport] Disable IPv6 for endpoints in '--ipv6=false' networks.	2024-04-18 17:50:34 +02:00
Rob Murray	841c4c8057	Disable IPv6 for endpoints in '--ipv6=false' networks. No IPAM IPv6 address is given to an interface in a network with '--ipv6=false', but the kernel would assign a link-local address and, in a macvlan/ipvlan network, the interface may get a SLAAC-assigned address. So, disable IPv6 on the interface to avoid that. Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-04-16 14:58:04 +01:00
Paweł Gronowski	60b9add796	Merge pull request #47705 from robmry/backport-26.0/47662_ipvlan_l3_dns [26.0 backport] Enable external DNS for ipvlan-l3, and disable it for macvlan/ipvlan with no parent interface	2024-04-10 14:59:53 +02:00
Rob Murray	8ad7f863b3	Run ipvlan tests even if 'modprobe ipvlan' fails This reverts commit `a77e147d32`. The ipvlan integration tests have been skipped in CI because of a check intended to ensure the kernel has ipvlan support - which failed, but seems to be unnecessary (probably because kernels have moved on). Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-04-10 11:48:58 +01:00
Rob Murray	dc2755273e	Stop macvlan with no parent from using ext-dns We document that an macvlan network with no parent interface is equivalent to a '--internal' network. But, in this case, an macvlan network was still configured with a gateway. So, DNS proxying would be enabled in the internal resolver (and, if the host's resolver was on a localhost address, requests to external resolvers from the host's network namespace would succeed). This change disables configuration of a gateway for a macvlan Endpoint if no parent interface is specified. (Note if a parent interface with no external network is supplied as '-o parent=<dummy>', the gateway will still be set up. Documentation will need to be updated to note that '--internal' should be used to prevent DNS request forwarding in this case.) Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-04-10 11:48:58 +01:00
Rob Murray	7b570f00ba	Enable DNS proxying for ipvlan-l3 The internal DNS resolver should only forward requests to external resolvers if the libnetwork.Sandbox served by the resolver has external network access (so, no forwarding for '--internal' networks). The test for external network access was whether the Sandbox had an Endpoint with a gateway configured. However, an ipvlan-l3 networks with external network access does not have a gateway, it has a default route bound to an interface. Also, we document that an ipvlan network with no parent interface is equivalent to a '--internal' network. But, in this case, an ipvlan-l2 network was configured with a gateway. So, DNS proxying would be enabled in the internal resolver (and, if the host's resolver was on a localhost address, requests to external resolvers from the host's network namespace would succeed). So, this change adjusts the test for enabling DNS proxying to include a check for '--internal' (as a shortcut) and, for non-internal networks, checks for a default route as well as a gateway. It also disables configuration of a gateway or a default route for an ipvlan Endpoint if no parent interface is specified. (Note if a parent interface with no external network is supplied as '-o parent=<dummy>', the gateway/default route will still be set up and external DNS proxying will be enabled. The network must be configured as '--internal' to prevent that from happening.) Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-04-10 11:48:58 +01:00
Rob Murray	8cdcc4f3c7	Move dummy DNS server to integration/internal/network Signed-off-by: Rob Murray <rob.murray@docker.com>	2024-04-10 11:48:58 +01:00
Paweł Gronowski	ed752f6544	Merge pull request #47701 from vvoland/v26.0-47691 [26.0 backport] vendor: github.com/containerd/containerd v1.7.15	2024-04-09 14:15:36 +02:00
Paweł Gronowski	9db1b6f28c	Merge pull request #47702 from vvoland/v26.0-47647 [26.0 backport] github/ci: Check if backport is opened against the expected branch	2024-04-09 13:50:28 +02:00
Sebastiaan van Stijn	6261281247	Merge pull request #47700 from vvoland/v26.0-47673 [26.0 backport] vendor: golang.org/x/net v0.23.0	2024-04-09 13:33:11 +02:00
Sebastiaan van Stijn	90355e5166	Merge pull request #47696 from vvoland/v26.0-47658 [26.0 backport] Fix cases where we are wrapping a nil error	2024-04-09 13:29:51 +02:00
Paweł Gronowski	72615b19db	github/ci: Check if backport is opened against the expected branch Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `61269e718f`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-09 12:13:00 +02:00
Paweł Gronowski	23e7919e0a	Merge pull request #47694 from cpuguy83/26_oci_tar_no_platform [26.0] save: Remove platform from config descriptor	2024-04-09 12:11:11 +02:00
Paweł Gronowski	c943936458	vendor: github.com/containerd/containerd v1.7.15 full diff: https://github.com/containerd/containerd/compare/v1.7.14...v1.7.15 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `5ae5969739`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-09 12:10:09 +02:00
Sebastiaan van Stijn	8b7940f037	vendor: golang.org/x/net v0.23.0 full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0 Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2 and go1.21.9; > http2: close connections when receiving too many headers > > Maintaining HPACK state requires that we parse and process > all HEADERS and CONTINUATION frames on a connection. > When a request's headers exceed MaxHeaderBytes, we don't > allocate memory to store the excess headers but we do > parse them. This permits an attacker to cause an HTTP/2 > endpoint to read arbitrary amounts of data, all associated > with a request which is going to be rejected. > > Set a limit on the amount of excess header frames we > will process before closing a connection. > > Thanks to Bartek Nowotarski for reporting this issue. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `d66589496e`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-09 11:25:28 +02:00
Sebastiaan van Stijn	55207ea637	vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0 full diffs changes relevant to vendored code: - https://github.com/golang/net/compare/v0.18.0...v0.22.0 - websocket: add support for dialing with context - http2: remove suspicious uint32->v conversion in frame code - http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets - https://github.com/golang/crypto/compare/v0.17.0...v0.21.0 - internal/poly1305: drop Go 1.12 compatibility - internal/poly1305: improve sum_ppc64le.s - ocsp: don't use iota for externally defined constants Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit `e1ca74361b`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-09 11:25:24 +02:00
Brian Goff	a7fa5e1deb	Fix cases where we are wrapping a nil error This was using `errors.Wrap` when there was no error to wrap, meanwhile we are supposed to be creating a new error. Found this while investigating some log corruption issues and unexpectedly getting a nil reader and a nil error from `getTailReader`. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit `0a48d26fbc`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-09 10:19:58 +02:00
Sebastiaan van Stijn	8730cccee2	Merge pull request #47692 from vvoland/v26.0-47689 [26.0 backport] update containerd binary to v1.7.15	2024-04-09 09:42:11 +02:00
Brian Goff	61d547bf00	save: Remove platform from config descriptor This was brought up by bmitch that its not expected to have a platform object in the config descriptor. Also checked with tianon who agreed, its not _wrong_ but is unexpected and doesn't neccessarily make sense to have it there. Also, while technically incorrect, ECR is throwing an error when it sees this. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit `9160b9fda6`) Signed-off-by: Brian Goff <cpuguy83@gmail.com>	2024-04-08 17:11:50 +00:00
Sebastiaan van Stijn	0c9ff4ca23	Merge pull request #47690 from vvoland/v26.0-47682 [26.0 backport] ci/validate-pr: Use `::error::` command to print errors	2024-04-08 19:07:59 +02:00
Paweł Gronowski	46ca4a74b4	update containerd binary to v1.7.15 Update the containerd binary that's used in CI - full diff: https://github.com/containerd/containerd/compare/v1.7.13...v1.7.15 - release notes: https://github.com/containerd/containerd/releases/tag/v1.7.15 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `3485cfbb1e`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-08 18:09:01 +02:00
Paweł Gronowski	dea47c0810	ci/validate-pr: Use `::error::` command to print errors This will make Github render the log line as an error. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `fb92caf2aa`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-08 14:21:21 +02:00
Sebastiaan van Stijn	f3842ab533	Merge pull request #47671 from vvoland/v26.0-47670 [26.0 backport] update to go1.21.9	2024-04-04 14:30:13 +02:00
Paweł Gronowski	e0815819de	update to go1.21.9 go1.21.9 (released 2024-04-03) includes a security fix to the net/http package, as well as bug fixes to the linker, and the go/types and net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved) for more details. These minor releases include 1 security fixes following the security policy: - http2: close connections when receiving too many headers Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. Set a limit on the amount of excess header frames we will process before closing a connection. Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue. This is CVE-2023-45288 and Go issue https://go.dev/issue/65051. View the release notes for more information: https://go.dev/doc/devel/release#go1.22.2 - https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `329d403e20`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-04-04 10:15:00 +02:00
Paweł Gronowski	07c797281e	Merge pull request #47637 from vvoland/v26.0-47610 [26.0 backport] Dockerfile: update docker CLI to v26.0.0	2024-04-02 10:39:01 +02:00
Albin Kerouanton	f2550b3c09	Merge pull request #47646 from vvoland/v26.0-47621 [26.0 backport] Restore the SetKey prestart hook.	2024-03-28 10:15:52 +00:00
Rob Murray	fc14d8f932	Restore the SetKey prestart hook. Partially reverts `0046b16` "daemon: set libnetwork sandbox key w/o OCI hook" Running SetKey to store the OCI Sandbox key after task creation, rather than from the OCI prestart hook, meant it happened after sysctl settings were applied by the runtime - which was the intention, we wanted to complete Sandbox configuration after IPv6 had been disabled by a sysctl if that was going to happen. But, it meant '--sysctl' options for a specfic network interface caused container task creation to fail, because the interface is only moved into the network namespace during SetKey. This change restores the SetKey prestart hook, and regenerates config files that depend on the container's support for IPv6 after the task has been created. It also adds a regression test that makes sure it's possible to set an interface-specfic sysctl. Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit `fde80fe2e7`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-03-28 10:05:08 +01:00
Paweł Gronowski	c035ef2283	Merge pull request #47638 from vvoland/v26.0-47636 [26.0 backport] ci: update workflow artifacts retention	2024-03-27 16:58:28 +01:00
CrazyMax	703f14793e	ci: update workflow artifacts retention Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> (cherry picked from commit `aff003139c`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-03-27 13:21:09 +01:00
Paweł Gronowski	30e94dadbc	Dockerfile: update docker CLI to v26.0.0 Update the CLI that's used in the dev-container - full diff: https://github.com/docker/cli/compare/v26.0.0-rc2...v26.0.0 Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `ea72f9f72c`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-03-27 13:17:05 +01:00