Merge pull request #50247 from vvoland/50245-28.x

[28.x backport] docs: cut api docs for v1.51

.dockerignore

@@ -1,4 +1,6 @@
-.git
-bundles/
-cli/winresources/**/winres.json
-cli/winresources/**/*.syso
+/.git
+
+# build artifacts
+/bundles/
+/cli/winresources/dockerd/winres.json
+/cli/winresources/dockerd/*.syso

.github/workflows/.test-unit.yml

@@ -0,0 +1,123 @@
+# reusable workflow
+name: .test-unit
+
+# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+
+env:
+  GO_VERSION: "1.24.4"
+  GOTESTLIST_VERSION: v0.3.1
+  TESTSTAT_VERSION: v0.1.25
+  SETUP_BUILDX_VERSION: edge
+  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
+
+jobs:
+  unit:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        mode:
+          - ""
+          - firewalld
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up runner
+        uses: ./.github/actions/setup-runner
+      -
+        name: Prepare
+        run: |
+          CACHE_DEV_SCOPE=dev
+          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+            echo "FIREWALLD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+          fi
+          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dev image
+        uses: docker/bake-action@v6
+        with:
+          targets: dev
+          set: |
+            dev.cache-from=type=gha,scope=${{ env.CACHE_DEV_SCOPE }}
+      -
+        name: Test
+        run: |
+          make -o build test-unit
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          mkdir -p bundles /tmp/reports
+          find bundles -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
+          sudo chown -R $(id -u):$(id -g) /tmp/reports
+          tree -nh /tmp/reports
+      -
+        name: Send to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./bundles
+          env_vars: RUNNER_OS
+          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-unit--${{ matrix.mode }}
+          path: /tmp/reports/*
+          retention-days: 1
+
+  unit-report:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always()
+    needs:
+      - unit
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: vendor.sum
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          pattern: test-reports-unit-*
+          path: /tmp/reports
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY

.github/workflows/.test.yml

@@ -21,7 +21,7 @@ on:
         default: "graphdriver"
 
 env:
-  GO_VERSION: "1.23.7"
+  GO_VERSION: "1.24.4"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   ITG_CLI_MATRIX_SIZE: 6
@@ -32,135 +32,6 @@ env:
   SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
 
 jobs:
-  unit-prepare:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    outputs:
-      includes: ${{ steps.set.outputs.includes }}
-    steps:
-      -
-        name: Create matrix includes
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let includes = [
-              { mode: '' },
-              { mode: 'rootless' },
-              { mode: 'systemd' },
-            ];
-            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ mode: 'firewalld' });
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(includes)}`);
-              core.setOutput('includes', JSON.stringify(includes));
-            });
-      -
-        name: Show matrix
-        run: |
-          echo ${{ steps.set.outputs.includes }}
-
-  unit:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    needs:
-      - unit-prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        include: ${{ fromJson(needs.unit-prepare.outputs.includes) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up runner
-        uses: ./.github/actions/setup-runner
-      -
-        name: Prepare
-        run: |
-          CACHE_DEV_SCOPE=dev
-          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
-            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
-          fi
-          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build dev image
-        uses: docker/bake-action@v6
-        with:
-          targets: dev
-          set: |
-            dev.cache-from=type=gha,scope=dev
-      -
-        name: Test
-        run: |
-          make -o build test-unit
-      -
-        name: Prepare reports
-        if: always()
-        run: |
-          mkdir -p bundles /tmp/reports
-          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
-          tar -xzf /tmp/reports.tar.gz -C /tmp/reports
-          sudo chown -R $(id -u):$(id -g) /tmp/reports
-          tree -nh /tmp/reports
-      -
-        name: Send to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          directory: ./bundles
-          env_vars: RUNNER_OS
-          flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
-      -
-        name: Upload reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-reports-unit-${{ inputs.storage }}-${{ matrix.mode }}
-          path: /tmp/reports/*
-          retention-days: 1
-
-  unit-report:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
-    needs:
-      - unit
-    steps:
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      -
-        name: Download reports
-        uses: actions/download-artifact@v4
-        with:
-          pattern: test-reports-unit-${{ inputs.storage }}-*
-          path: /tmp/reports
-      -
-        name: Install teststat
-        run: |
-          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
-      -
-        name: Create summary
-        run: |
-          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
-
   docker-py:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
@@ -219,7 +90,7 @@ jobs:
           retention-days: 1
 
   integration-flaky:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     continue-on-error: ${{ github.event_name != 'pull_request' }}
     steps:
@@ -264,14 +135,12 @@ jobs:
         with:
           script: |
             let includes = [
-              { os: 'ubuntu-20.04', mode: '' },
-              { os: 'ubuntu-20.04', mode: 'rootless' },
-              { os: 'ubuntu-20.04', mode: 'systemd' },
-              { os: 'ubuntu-24.04', mode: '' },
+              { os: 'ubuntu-22.04', mode: '' },
               { os: 'ubuntu-22.04', mode: 'rootless' },
+              { os: 'ubuntu-22.04', mode: 'systemd' },
+              { os: 'ubuntu-24.04', mode: '' },
               // { os: 'ubuntu-24.04', mode: 'rootless' },  // FIXME: https://github.com/moby/moby/pull/49579#issuecomment-2698622223
               { os: 'ubuntu-24.04', mode: 'systemd' },
-              // { os: 'ubuntu-20.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
               // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
             ];
             if ("${{ inputs.storage }}" == "snapshotter") {
@@ -318,7 +187,7 @@ jobs:
             CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
           fi
           if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
             CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
           fi
           echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
@@ -485,7 +354,7 @@ jobs:
           echo ${{ steps.set.outputs.matrix }}
 
   integration-cli:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     continue-on-error: ${{ github.event_name != 'pull_request' }}
     needs:
@@ -508,7 +377,7 @@ jobs:
         run: |
           CACHE_DEV_SCOPE=dev
           if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
             CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
           fi
           echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV

.github/workflows/.windows.yml

@@ -28,7 +28,7 @@ on:
         default: false
 
 env:
-  GO_VERSION: "1.23.7"
+  GO_VERSION: "1.24.4"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore

.github/workflows/arm64.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.23.7"
+  GO_VERSION: "1.24.4"
   TESTSTAT_VERSION: v0.1.25
   DESTDIR: ./build
   SETUP_BUILDX_VERSION: edge

.github/workflows/bin-image.yml

@@ -65,13 +65,10 @@ jobs:
           # moby/moby-bin:master
           ## push on 23.0 branch
           # moby/moby-bin:23.0
-          ## any push
-          # moby/moby-bin:sha-ad132f5
           tags: |
             type=semver,pattern={{version}}
             type=ref,event=branch
             type=ref,event=pr
-            type=sha
       -
         name: Rename meta bake definition file
         # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -94,7 +91,7 @@ jobs:
 
   build:
     runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 20 # guardrails timeout for the whole job
     needs:
       - validate-dco
       - prepare
@@ -170,7 +167,7 @@ jobs:
 
   merge:
     runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 40 # guardrails timeout for the whole job
     needs:
       - build
     if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'

.github/workflows/buildkit.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.23.7"
+  GO_VERSION: "1.24.4"
   DESTDIR: ./build
   SETUP_BUILDX_VERSION: edge
   SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -32,7 +32,7 @@ jobs:
   validate-dco:
     uses: ./.github/workflows/.dco.yml
 
-  build:
+  build-linux:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     needs:
@@ -59,11 +59,11 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-  test:
+  test-linux:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     needs:
-      - build
+      - build-linux
     env:
       TEST_IMAGE_BUILD: "0"
       TEST_IMAGE_ID: "buildkit-tests"
@@ -162,3 +162,213 @@ jobs:
           TESTPKGS: "./${{ matrix.pkg }}"
           TESTFLAGS: "-v --parallel=1 --timeout=30m --run=//worker=${{ matrix.worker }}$"
         working-directory: buildkit
+
+  build-windows:
+    runs-on: windows-2022
+    timeout-minutes: 120
+    needs:
+      - validate-dco
+    env:
+      GOPATH: ${{ github.workspace }}\go
+      GOBIN: ${{ github.workspace }}\go\bin
+      BIN_OUT: ${{ github.workspace }}\out
+      WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
+      WINDOWS_BASE_TAG_2022: ltsc2022
+      TEST_IMAGE_NAME: moby:test
+      TEST_CTN_NAME: moby
+    defaults:
+      run:
+        working-directory: ${{ env.GOPATH }}/src/github.com/docker/docker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: ${{ env.GOPATH }}/src/github.com/docker/docker
+
+      - name: Env
+        run: |
+          Get-ChildItem Env: | Out-String
+      - name: Moby - Init
+        run: |
+          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
+          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
+          echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: vendor.sum
+      - name: Cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+            ${{ github.workspace }}\go-build
+            ${{ env.GOPATH }}\pkg\mod
+          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
+          restore-keys: |
+            ${{ inputs.os }}-${{ github.job }}-
+
+      - name: Docker info
+        run: |
+          docker info
+
+      - name: Build base image
+        run: |
+          & docker build `
+            --build-arg WINDOWS_BASE_IMAGE `
+            --build-arg WINDOWS_BASE_IMAGE_TAG `
+            --build-arg GO_VERSION `
+            -t ${{ env.TEST_IMAGE_NAME }} `
+            -f Dockerfile.windows .
+
+      - name: Build binaries
+        run: |
+          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
+              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
+              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
+              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
+          go install github.com/distribution/distribution/v3/cmd/registry@latest
+
+      - name: Checkout BuildKit
+        uses: actions/checkout@v4
+        with:
+          repository: moby/buildkit
+          ref: master
+          path: buildkit
+
+      - name: Add buildctl to binaries
+        run: |
+          go install ./cmd/buildctl
+        working-directory: buildkit
+
+      - name: Copy artifacts
+        run: |
+          New-Item -ItemType "directory" -Path "${{ env.BIN_OUT }}"
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\docker.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\src\github.com\docker\docker\bundles\dockerd.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\gopath\bin\gotestsum.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd.exe" ${{ env.BIN_OUT }}\
+          docker cp "${{ env.TEST_CTN_NAME }}`:c`:\containerd\bin\containerd-shim-runhcs-v1.exe" ${{ env.BIN_OUT }}\
+          cp ${{ env.GOPATH }}\bin\registry.exe ${{ env.BIN_OUT }}
+          cp ${{ env.GOPATH }}\bin\buildctl.exe ${{ env.BIN_OUT }}
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-windows
+          path: ${{ env.BIN_OUT }}/*
+          if-no-files-found: error
+          retention-days: 2
+
+  test-windows:
+    runs-on: windows-2022
+    timeout-minutes: 120 # guardrails timeout for the whole job
+    needs:
+      - build-windows
+    env:
+      TEST_IMAGE_BUILD: "0"
+      TEST_IMAGE_ID: "buildkit-tests"
+      GOPATH: ${{ github.workspace }}\go
+      GOBIN: ${{ github.workspace }}\go\bin
+      BIN_OUT: ${{ github.workspace }}\out
+      TESTFLAGS: "-v --timeout=90m"
+      TEST_DOCKERD: "1"
+    strategy:
+      fail-fast: false
+      matrix:
+        worker:
+          - dockerd-containerd
+        pkg:
+          - ./client#1-4
+          - ./client#2-4
+          - ./client#3-4
+          - ./client#4-4
+          - ./cmd/buildctl
+          - ./frontend
+          - ./frontend/dockerfile#1-12
+          - ./frontend/dockerfile#2-12
+          - ./frontend/dockerfile#3-12
+          - ./frontend/dockerfile#4-12
+          - ./frontend/dockerfile#5-12
+          - ./frontend/dockerfile#6-12
+          - ./frontend/dockerfile#7-12
+          - ./frontend/dockerfile#8-12
+          - ./frontend/dockerfile#9-12
+          - ./frontend/dockerfile#10-12
+          - ./frontend/dockerfile#11-12
+          - ./frontend/dockerfile#12-12
+    steps:
+      - name: Prepare
+        shell: bash
+        run: |
+          disabledFeatures="cache_backend_azblob,cache_backend_s3"
+          if [ "${{ matrix.worker }}" = "dockerd" ]; then
+            disabledFeatures="${disabledFeatures},merge_diff"
+          fi
+          echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v3
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: moby
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: vendor.sum
+      - name: BuildKit ref
+        shell: bash
+        run: |
+          echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
+        working-directory: moby
+      - name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.BUILDKIT_REPO }}
+          ref: ${{ env.BUILDKIT_REF }}
+          path: buildkit
+
+      - name: Download Moby artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-windows
+          path: ${{ env.BIN_OUT }}
+
+      - name: Add binaries to PATH
+        run: |
+          ls ${{ env.BIN_OUT }}
+          Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Test Prep
+        shell: bash
+        run: |
+          TESTPKG=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $1}')
+          echo "TESTPKG=$TESTPKG" >> $GITHUB_ENV
+          echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          testFlags="${{ env.TESTFLAGS }}"
+          testSlice=$(echo "${{ matrix.pkg }}" | awk '-F#' '{print $2}')
+          testSliceOffset=""
+          if [ -n "$testSlice" ]; then
+           testSliceOffset="slice=$testSlice/"
+          fi
+          if [ -n "${{ matrix.worker }}" ]; then
+           testFlags="${testFlags} --run=TestIntegration/$testSliceOffset.*/worker=${{ matrix.worker }}"
+          fi
+          echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
+      - name: Test
+        shell: bash
+        run: |
+          mkdir -p ./bin/testreports
+          gotestsum \
+            --jsonfile="./bin/testreports/go-test-report-${{ env.TEST_REPORT_NAME }}.json" \
+            --junitfile="./bin/testreports/junit-report-${{ env.TEST_REPORT_NAME }}.xml" \
+            --packages="${{ env.TESTPKG }}" \
+            -- \
+              "-mod=vendor" \
+              "-coverprofile" "./bin/testreports/coverage-${{ env.TEST_REPORT_NAME }}.txt" \
+              "-covermode" "atomic" ${{ env.TESTFLAGS }}
+        working-directory: buildkit

.github/workflows/ci.yml

@@ -154,3 +154,23 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
+  build-dind:
+    runs-on: ubuntu-24.04
+    needs:
+      - validate-dco
+    steps:
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build dind image
+        uses: docker/bake-action@v6
+        with:
+          targets: dind
+          set: |
+            *.output=type=cacheonly

.github/workflows/codeql.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Update Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.7"
+          go-version: "1.24.4"
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.github/workflows/test.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.23.7"
+  GO_VERSION: "1.24.4"
   GIT_PAGER: "cat"
   PAGER: "cat"
   SETUP_BUILDX_VERSION: edge
@@ -83,6 +83,13 @@ jobs:
     with:
       storage: ${{ matrix.storage }}
 
+  test-unit:
+    needs:
+      - build-dev
+      - validate-dco
+    uses: ./.github/workflows/.test-unit.yml
+    secrets: inherit
+
   validate-prepare:
     runs-on: ubuntu-24.04
     timeout-minutes: 10 # guardrails timeout for the whole job

.gitignore

@@ -14,10 +14,9 @@ thumbs.db
 .editorconfig
 
 # build artifacts
-bundles/
-cli/winresources/*/*.syso
-cli/winresources/*/winres.json
-contrib/builder/rpm/*/changelog
+/bundles/
+/cli/winresources/dockerd/*.syso
+/cli/winresources/dockerd/winres.json
 
 # ci artifacts
 *.exe

.golangci.yml

@@ -1,244 +1,345 @@
-linters:
-  enable:
-    - asasalint     # Detects "[]any" used as argument for variadic "func(...any)".
-    - copyloopvar   # Detects places where loop variables are copied.
-    - depguard
-    - dogsled       # Detects assignments with too many blank identifiers.
-    - dupword       # Detects duplicate words.
-    - durationcheck # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
-    - errchkjson    # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
-    - exhaustive    # Detects missing options in enum switch statements.
-    - exptostd      # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
-    - fatcontext    # Detects nested contexts in loops and function literals.
-    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
-    - goimports
-    - gosec         # Detects security problems.
-    - gosimple
-    - govet
-    - forbidigo
-    - iface         # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
-    - importas
-    - ineffassign
-    - makezero      # Finds slice declarations with non-zero initial length.
-    - mirror        # Detects wrong mirror patterns of bytes/strings usage.
-    - misspell      # Detects commonly misspelled English words in comments.
-    - nakedret      # Detects uses of naked returns.
-    - nilnesserr    # Detects returning nil errors. It combines the features of nilness and nilerr,
-    - nosprintfhostport # Detects misuse of Sprintf to construct a host with port in a URL.
-    - reassign      # Detects reassigning a top-level variable in another package.
-    - revive        # Metalinter; drop-in replacement for golint.
-    - spancheck     # Detects mistakes with OpenTelemetry/Census spans.
-    - staticcheck
-    - typecheck
-    - unconvert     # Detects unnecessary type conversions.
-    - unused
-    - wastedassign  # Detects wasted assignment statements.
-
-  disable:
-    - errcheck
+version: "2"
 
 run:
   # prevent golangci-lint from deducting the go version to lint for through go.mod,
   # which causes it to fallback to go1.17 semantics.
-  go: "1.23.7"
+  go: "1.24.4"
   concurrency: 2
   # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
   # modules-download-mode: vendor
 
-linters-settings:
-  depguard:
+formatters:
+  enable:
+    - gofmt
+    - goimports
+
+linters:
+  enable:
+    - asasalint                 # Detects "[]any" used as argument for variadic "func(...any)".
+    - copyloopvar               # Detects places where loop variables are copied.
+    - depguard
+    - dogsled                   # Detects assignments with too many blank identifiers.
+    - dupword                   # Detects duplicate words.
+    - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
+    - errorlint                 # Detects code that will cause problems with the error wrapping scheme introduced in Go 1.13.
+    - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
+    - exhaustive                # Detects missing options in enum switch statements.
+    - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
+    - fatcontext                # Detects nested contexts in loops and function literals.
+    - forbidigo
+    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - gocritic                  # Detects for bugs, performance and style issues.
+    - gosec                     # Detects security problems.
+    - govet
+    - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
+    - importas
+    - ineffassign
+    - makezero                  # Finds slice declarations with non-zero initial length.
+    - mirror                    # Detects wrong mirror patterns of bytes/strings usage.
+    - misspell                  # Detects commonly misspelled English words in comments.
+    - nakedret                  # Detects uses of naked returns.
+    - nilnesserr                # Detects returning nil errors. It combines the features of nilness and nilerr,
+    - nosprintfhostport         # Detects misuse of Sprintf to construct a host with port in a URL.
+    - reassign                  # Detects reassigning a top-level variable in another package.
+    - revive                    # Metalinter; drop-in replacement for golint.
+    - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
+    - staticcheck
+    - thelper
+    - unconvert                 # Detects unnecessary type conversions.
+    - unused
+    - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
+    - wastedassign              # Detects wasted assignment statements.
+
+  disable:
+    - errcheck
+    - spancheck # FIXME
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/stretchr/testify/assert"
+              desc: Use "gotest.tools/v3/assert" instead
+            - pkg: "github.com/stretchr/testify/require"
+              desc: Use "gotest.tools/v3/assert" instead
+            - pkg: "github.com/stretchr/testify/suite"
+              desc: Do not use
+            - pkg: "github.com/containerd/containerd/pkg/userns"
+              desc: Use github.com/moby/sys/userns instead.
+            - pkg: "github.com/tonistiigi/fsutil"
+              desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+
+    dupword:
+      ignore:
+        - "true"    # some tests use this as expected output
+        - "false"   # some tests use this as expected output
+        - "root"    # for tests using "ls" output with files owned by "root:root"
+
+    errorlint:
+      # Check whether fmt.Errorf uses the %w verb for formatting errors.
+      # See the https://github.com/polyfloyd/go-errorlint for caveats.
+      errorf: false
+      # Check for plain type assertions and type switches.
+      asserts: false
+
+    exhaustive:
+      # Program elements to check for exhaustiveness.
+      # Default: [ switch ]
+      check:
+        - switch
+        # - map # TODO(thaJeztah): also enable for maps
+      # Presence of "default" case in switch statements satisfies exhaustiveness,
+      # even if all enum members are not listed.
+      # Default: false
+      #
+      # TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
+      default-signifies-exhaustive: true
+
+    forbidigo:
+      forbid:
+        - pkg: ^sync/atomic$
+          pattern: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
+          msg: Go 1.19 atomic types should be used instead.
+        - pkg: ^regexp$
+          pattern: ^regexp\.MustCompile
+          msg: Use internal/lazyregexp.New instead.
+        - pkg: github.com/vishvananda/netlink$
+          pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
+          msg: Use internal nlwrap package for EINTR handling.
+        - pkg: github.com/docker/docker/internal/nlwrap$
+          pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
+          msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
+      analyze-types: true
+
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - appendCombine
+        - assignOp
+        - builtinShadow
+        - builtinShadowDecl
+        - captLocal
+        - commentedOutCode
+        - deferInLoop
+        - dupImport
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - evalOrder
+        - exitAfterDefer
+        - exposedSyncMutex
+        - filepathJoin
+        - hexLiteral
+        - hugeParam
+        - ifElseChain
+        - importShadow
+        - indexAlloc
+        - methodExprCall
+        - nestingReduce
+        - nilValReturn
+        - octalLiteral
+        - paramTypeCombine
+        - preferStringWriter
+        - ptrToRefParam
+        - rangeValCopy
+        - redundantSprint
+        - regexpMust
+        - regexpSimplify
+        - singleCaseSwitch
+        - sloppyReassign
+        - stringXbytes
+        - typeAssertChain
+        - typeDefFirst
+        - typeUnparen
+        - uncheckedInlineErr
+        - unlambda
+        - unnamedResult
+        - unnecessaryDefer
+        - unslice
+        - valSwap
+        - whyNoLint
+      enable-all: true
+
+    gosec:
+      excludes:
+        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
+        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
+        - G204 # G204: Subprocess launched with variable; too many false positives.
+        - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
+        - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
+        - G304 # G304: Potential file inclusion via variable.
+        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
+        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+        - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+
+    govet:
+      enable-all: true
+      disable:
+        - fieldalignment # TODO: evaluate which ones should be updated.
+
+    importas:
+      # Do not allow unaliased imports of aliased packages.
+      no-unaliased: true
+
+      alias:
+          # Enforce alias to prevent it accidentally being used instead of our
+          # own errdefs package (or vice-versa).
+        - pkg: github.com/containerd/errdefs
+          alias: cerrdefs
+        - pkg: github.com/containerd/containerd/images
+          alias: c8dimages
+        - pkg: github.com/opencontainers/image-spec/specs-go/v1
+          alias: ocispec
+        - pkg: go.etcd.io/bbolt
+          alias: bolt
+          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
+        - pkg: gotest.tools/v3/assert/cmp
+          alias: is
+
+    nakedret:
+      # Disallow naked returns if func has more lines of code than this setting.
+      # Default: 30
+      max-func-lines: 0
+
+    revive:
+      rules:
+          # FIXME make sure all packages have a description. Currently, there's many packages without.
+        - name: package-comments
+          disabled: true
+
+    staticcheck:
+      checks:
+        - all
+        - -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
+        - -ST1000 # Incorrect or missing package comment; https://staticcheck.dev/docs/checks/#ST1000
+        - -ST1003 # Poorly chosen identifier; https://staticcheck.dev/docs/checks/#ST1003
+        - -ST1005 # Incorrectly formatted error string; https://staticcheck.dev/docs/checks/#ST1005
+
+    spancheck:
+      # Default: ["end"]
+      checks:
+        - end             # check that `span.End()` is called
+        - record-error    # check that `span.RecordError(err)` is called when an error is returned
+        - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
+
+    thelper:
+      test:
+        # Check *testing.T is first param (or after context.Context) of helper function.
+        first: false
+        # Check t.Helper() begins helper function.
+        begin: false
+      benchmark:
+        # Check *testing.B is first param (or after context.Context) of helper function.
+        first: false
+        # Check b.Helper() begins helper function.
+        begin: false
+      tb:
+        # Check *testing.TB is first param (or after context.Context) of helper function.
+        first: false
+        # Check *testing.TB param has name tb.
+        name: false
+        # Check tb.Helper() begins helper function.
+        begin: false
+      fuzz:
+        # Check *testing.F is first param (or after context.Context) of helper function.
+        first: false
+        # Check f.Helper() begins helper function.
+        begin: false
+
+    usestdlibvars:
+      # Suggest the use of http.MethodXX.
+      http-method: true
+      # Suggest the use of http.StatusXX.
+      http-status-code: true
+
+  exclusions:
+    paths:
+      - volume/drivers/proxy.go # TODO: this is a generated file but with an invalid header, see https://github.com/moby/moby/pull/46274
+
     rules:
-      main:
-        deny:
-          - pkg: io/ioutil
-            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
-          - pkg: "github.com/stretchr/testify/assert"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/require"
-            desc: Use "gotest.tools/v3/assert" instead
-          - pkg: "github.com/stretchr/testify/suite"
-            desc: Do not use
-          - pkg: "github.com/containerd/containerd/errdefs"
-            desc: The errdefs package has moved to a separate module, https://github.com/containerd/errdefs
-          - pkg: "github.com/containerd/containerd/log"
-            desc: The logs package has moved to a separate module, https://github.com/containerd/log
-          - pkg: "github.com/containerd/containerd/pkg/userns"
-            desc: Use github.com/moby/sys/userns instead.
-          - pkg: "github.com/tonistiigi/fsutil"
-            desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+        # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
+        # automatically inherited. We can decide whether or not to follow upstream
+        # defaults when updating golang-ci-lint versions.
+        # Unfortunately, this means we have to copy the whole exclusion pattern, as
+        # (unlike the "include" option), the "exclude" option does not take exclusion
+        # ID's.
+        #
+        # These exclusion patterns are copied from the default excludes at:
+        # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
+        #
+        # The default list of exclusions can be found at:
+        # https://golangci-lint.run/usage/false-positives/#default-exclusions
 
-  dupword:
-    ignore:
-      - "true"    # some tests use this as expected output
-      - "false"   # some tests use this as expected output
-      - "root"    # for tests using "ls" output with files owned by "root:root"
+        # Exclude some linters from running on tests files.
+      - path: _test\.go
+        linters:
+          - errcheck
 
-  exhaustive:
-    # Program elements to check for exhaustiveness.
-    # Default: [ switch ]
-    check:
-      - switch
-      # - map # TODO(thaJeztah): also enable for maps
-    # Presence of "default" case in switch statements satisfies exhaustiveness,
-    # even if all enum members are not listed.
+      - text: "G404: Use of weak random number generator"
+        path: _test\.go
+        linters:
+          - gosec
+
+        # Suppress golint complaining about generated types in api/types/
+      - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
+        path: "api/types/(volume|container)/"
+        linters:
+          - revive
+
+        # FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
+      - text: "assigned to ctx, but never used afterwards"
+        linters:
+          - wastedassign
+
+      - text: "ineffectual assignment to ctx"
+        source: "ctx[, ].*=.*\\(ctx[,)]"
+        linters:
+          - ineffassign
+
+      - text: "SA4006: this value of ctx is never used"
+        source: "ctx[, ].*=.*\\(ctx[,)]"
+        linters:
+          - staticcheck
+
+        # FIXME(thaJeztah): ignoring these transitional utilities until BuildKit is vendored with https://github.com/moby/moby/pull/49743
+      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping|IdentityMapping) is deprecated"
+        linters:
+          - staticcheck
+
+        # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
+        # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
+      - text: 'nested context in function literal'
+        path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
+        linters:
+          - fatcontext
+
+      - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
+        linters:
+          - govet
+      - text: '^shadow: declaration of "(out)" shadows declaration'
+        path: _test\.go
+        linters:
+          - govet
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: _test\.go
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "internal/lazyregexp"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "libnetwork/cmd/networkdb-test/dbclient"
+        linters:
+          - forbidigo
+
+    # Log a warning if an exclusion rule is unused.
     # Default: false
-    #
-    # TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
-    default-signifies-exhaustive: true
-
-  forbidigo:
-    forbid:
-      - pkg: ^sync/atomic$
-        p: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
-        msg: Go 1.19 atomic types should be used instead.
-      - pkg: ^regexp$
-        p: ^regexp\.MustCompile
-        msg: Use internal/lazyregexp.New instead.
-      - pkg: github.com/vishvananda/netlink$
-        p: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
-        msg: Use internal nlwrap package for EINTR handling.
-      - pkg: github.com/docker/docker/internal/nlwrap$
-        p: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
-        msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
-    analyze-types: true
-
-  gosec:
-    excludes:
-      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
-      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
-      - G204 # G204: Subprocess launched with variable; too many false positives.
-      - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
-      - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
-      - G304 # G304: Potential file inclusion via variable.
-      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-      - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
-
-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment # TODO: evaluate which ones should be updated.
-
-  importas:
-    # Do not allow unaliased imports of aliased packages.
-    no-unaliased: true
-
-    alias:
-      # Enforce alias to prevent it accidentally being used instead of our
-      # own errdefs package (or vice-versa).
-      - pkg: github.com/containerd/errdefs
-        alias: cerrdefs
-      - pkg: github.com/containerd/containerd/images
-        alias: c8dimages
-      - pkg: github.com/opencontainers/image-spec/specs-go/v1
-        alias: ocispec
-      # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
-      - pkg: gotest.tools/v3/assert/cmp
-        alias: is
-
-  nakedret:
-    # Disallow naked returns if func has more lines of code than this setting.
-    # Default: 30
-     max-func-lines: 0
-
-  revive:
-    rules:
-      # FIXME make sure all packages have a description. Currently, there's many packages without.
-      - name: package-comments
-        disabled: true
-
-  spancheck:
-    # Default: ["end"]
-    checks:
-      - end             # check that `span.End()` is called
-      - record-error    # check that `span.RecordError(err)` is called when an error is returned
-      - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
+    warn-unused: true
 
 issues:
-  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
-  exclude-use-default: false
-
-  exclude-dirs:
-    - docs
-
-  exclude-rules:
-    # We prefer to use an "exclude-list" so that new "default" exclusions are not
-    # automatically inherited. We can decide whether or not to follow upstream
-    # defaults when updating golang-ci-lint versions.
-    # Unfortunately, this means we have to copy the whole exclusion pattern, as
-    # (unlike the "include" option), the "exclude" option does not take exclusion
-    # ID's.
-    #
-    # These exclusion patterns are copied from the default excludes at:
-    # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
-    #
-    # The default list of exclusions can be found at:
-    # https://golangci-lint.run/usage/false-positives/#default-exclusions
-
-    # EXC0001
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
-      linters:
-        - errcheck
-
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - errcheck
-
-    - text: "G404: Use of weak random number generator"
-      path: _test\.go
-      linters:
-        - gosec
-
-    # Suppress golint complaining about generated types in api/types/
-    - text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
-      path: "api/types/(volume|container)/"
-      linters:
-        - revive
-
-    # FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
-    - text: "assigned to ctx, but never used afterwards"
-      linters:
-        - wastedassign
-
-    - text: "ineffectual assignment to ctx"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
-      linters:
-        - ineffassign
-
-    - text: "SA4006: this value of `ctx` is never used"
-      source: "ctx[, ].*=.*\\(ctx[,)]"
-      linters:
-        - staticcheck
-
-    # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
-    # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
-    - text: 'nested context in function literal'
-      path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
-      linters:
-        - fatcontext
-
-    - text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
-      linters:
-        - govet
-    - text: '^shadow: declaration of "(out)" shadows declaration'
-      path: _test\.go
-      linters:
-        - govet
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: _test\.go
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "internal/lazyregexp"
-      linters:
-        - forbidigo
-    - text: 'use of `regexp.MustCompile` forbidden'
-      path: "libnetwork/cmd/networkdb-test/dbclient"
-      linters:
-        - forbidigo
-
   # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
   max-issues-per-linter: 0
 

.mailmap

@@ -94,8 +94,9 @@ Arnaud Rebillout <arnaud.rebillout@collabora.com>
 Arnaud Rebillout <arnaud.rebillout@collabora.com> <elboulangero@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Artur Meyster <arthurfbi@yahoo.com>
-Austin Vazquez <macedonv@amazon.com>
-Austin Vazquez <macedonv@amazon.com> <55906459+austinvazquez@users.noreply.github.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <55906459+austinvazquez@users.noreply.github.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <macedonv@amazon.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -138,6 +139,7 @@ Chen Mingjie <chenmingjie0828@163.com>
 Chen Qiu <cheney-90@hotmail.com>
 Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
 Chengfei Shang <cfshang@alauda.io>
+Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>

AUTHORS

@@ -2,6 +2,7 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.
 
+17neverends <ionianrise@gmail.com>
 7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
 Aarni Koskela <akx@iki.fi>
@@ -189,6 +190,7 @@ Anes Hasicic <anes.hasicic@gmail.com>
 Angel Velazquez <angelcar@amazon.com>
 Anil Belur <askb23@gmail.com>
 Anil Madhavapeddy <anil@recoil.org>
+Anirudh Aithal <aithal@amazon.com>
 Ankit Jain <ajatkj@yahoo.co.in>
 Ankush Agarwal <ankushagarwal11@gmail.com>
 Anonmily <michelle@michelleliu.io>
@@ -227,7 +229,7 @@ Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
 Ashly Mathew <ashly.mathew@sap.com>
-Austin Vazquez <macedonv@amazon.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
@@ -293,6 +295,7 @@ Brandon Liu <bdon@bdon.org>
 Brandon Philips <brandon.philips@coreos.com>
 Brandon Rhodes <brandon@rhodesmill.org>
 Brendan Dixon <brendand@microsoft.com>
+Brendon Smith <bws@bws.bio>
 Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Brett Higgins <brhiggins@arbor.net>
@@ -347,6 +350,7 @@ Casey Bisson <casey.bisson@joyent.com>
 Catalin Pirvu <pirvu.catalin94@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
+Cesar Talledo <cesar.talledo@docker.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
 Chad Swenson <chadswen@gmail.com>
 Chance Zibolski <chance.zibolski@gmail.com>
@@ -375,6 +379,7 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
+Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
@@ -1207,6 +1212,7 @@ K. Heller <pestophagous@gmail.com>
 Kai Blin <kai@samba.org>
 Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
 Kaijie Chen <chen@kaijie.org>
+Kaita Nakamura <kaita.nakamura0830@gmail.com>
 Kamil Domański <kamil@domanski.co>
 Kamjar Gerami <kami.gerami@gmail.com>
 Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
@@ -1281,6 +1287,7 @@ Krasi Georgiev <krasi@vip-consult.solutions>
 Krasimir Georgiev <support@vip-consult.co.uk>
 Kris-Mikael Krister <krismikael@protonmail.com>
 Kristian Haugene <kristian.haugene@capgemini.com>
+Kristian Heljas <kristian@kristian.ee>
 Kristina Zabunova <triara.xiii@gmail.com>
 Krystian Wojcicki <kwojcicki@sympatico.ca>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
@@ -1482,6 +1489,7 @@ Matthias Kühnle <git.nivoc@neverbox.com>
 Matthias Rampke <mr@soundcloud.com>
 Matthieu Fronton <m@tthieu.fr>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mattias Jernberg <nostrad@gmail.com>
 Mauricio Garavaglia <mauricio@medallia.com>
 mauriyouth <mauriyouth@gmail.com>
@@ -1712,6 +1720,7 @@ Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
+Patrik Leifert <patrikleifert@hotmail.com>
 pattichen <craftsbear@gmail.com>
 Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
 Paul <paul9869@gmail.com>
@@ -1870,6 +1879,7 @@ Robert Obryk <robryk@gmail.com>
 Robert Schneider <mail@shakeme.info>
 Robert Shade <robert.shade@gmail.com>
 Robert Stern <lexandro2000@gmail.com>
+Robert Sturla <robertsturla@outlook.com>
 Robert Terhaar <rterhaar@atlanticdynamic.com>
 Robert Wallis <smilingrob@gmail.com>
 Robert Wang <robert@arctic.tw>

CONTRIBUTING.md

@@ -83,6 +83,39 @@ contributions, see [the advanced contribution
 section](https://docs.docker.com/opensource/workflow/advanced-contributing/) in
 the contributors guide.
 
+### Where to put your changes
+
+You can make changes to any Go package within Moby outside of the vendor directory. There are no
+restrictions on packages but a few guidelines to follow for deciding on making these changes.
+When adding new packages, first consider putting them in an internal directory to prevent
+unintended importing from other modules. Code changes should either go under `api`, `client`,
+or `daemon` modules, or one of the integration test directories.
+
+Try to put a new package under the appropriate directories. The root directory is reserved for
+configuration and build files, no source files will be accepted in the root.
+
+- `api` - All types shared by client and daemon along with swagger definitions.
+- `client` - All Go files for the docker client
+- `contrib` - Files, configurations, and packages related to external tools or libraries
+- `daemon` - All Go files and packages for building the daemon
+- `docs` - All Moby technical documentation using markdown
+- `hack` - All scripts used for testing, development, and CI
+- `integration` - Testing the integration of the API, client, and daemon
+- `integration-cli` - Deprecated integration tests of the docker cli with the daemon, no new tests allowed
+- `pkg` - Legacy Go packages used externally, no new packages should be added here
+- `project` - All files related to Moby project governance
+- `vendor` - Autogenerated vendor files from `make vendor` command, do not manually edit files here
+
+The daemon module has many subpackages. Consider putting new packages under one of these
+directories.
+
+- `daemon/cmd` - All Go main packages and the packages used only for that main package
+- `daemon/internal` - All utility packages used by daemon and not intended for external use
+- `daemon/man`- All Moby reference manuals used for the `man` command
+- `daemon/plugins` - All included daemon plugins which are intended to be registered via init
+- `daemon/pkg` - All libraries used by daemon and for integration testing
+- `daemon/version` - Version package with the current daemon version
+
 ### Connect with other Moby Project contributors
 
 <table class="tg">

Dockerfile

@@ -1,22 +1,27 @@
-# syntax=docker/dockerfile:1.7
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.7
+ARG GO_VERSION=1.24.4
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.6.1
 
-ARG VPNKIT_VERSION=0.5.0
+# VPNKIT_VERSION is the version of the vpnkit binary which is used as a fallback
+# network driver for rootless.
+ARG VPNKIT_VERSION=0.6.0
 
 # DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.0.1
+ARG DOCKERCLI_VERSION=v28.2.2
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
 
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
+ARG DOCKERCLI_INTEGRATION_VERSION=v18.06.3-ce
+
 # BUILDX_VERSION is the version of buildx to install in the dev container.
-ARG BUILDX_VERSION=0.20.1
-ARG COMPOSE_VERSION=v2.33.1
+ARG BUILDX_VERSION=0.24.0
+
+# COMPOSE_VERSION is the version of compose to install in the dev container.
+ARG COMPOSE_VERSION=v2.36.2
 
 ARG SYSTEMD="false"
 ARG FIREWALLD="false"
@@ -26,11 +31,16 @@ ARG DOCKER_STATIC=1
 # https://hub.docker.com/r/distribution/distribution. This version of
 # the registry is used to test schema 2 manifests. Generally,  the version
 # specified here should match a current release.
-ARG REGISTRY_VERSION=3.0.0-rc.1
+ARG REGISTRY_VERSION=3.0.0
 
 # delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
-ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64}
+# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel.go#L1
+# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel_linux.go#L1
+#
+# ppc64le support was added in v1.21.1, but is still experimental, and requires
+# the "-tags exp.linuxppc64le" build-tag to be set:
+# https://github.com/go-delve/delve/commit/71f12207175a1cc09668f856340d8a543c87dcca
+ARG DELVE_SUPPORTED=${TARGETPLATFORM#linux/amd64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/arm64} DELVE_SUPPORTED=${DELVE_SUPPORTED#linux/ppc64le}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:+"unsupported"}
 ARG DELVE_SUPPORTED=${DELVE_SUPPORTED:-"supported"}
 
@@ -47,6 +57,11 @@ COPY --from=build-dummy /build /build
 # base
 FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
 COPY --from=xx / /
+# Disable collecting local telemetry, as collected by Go and Delve;
+#
+# - https://github.com/go-delve/delve/blob/v1.24.1/CHANGELOG.md#1231-2024-09-23
+# - https://go.dev/doc/telemetry#background
+RUN go telemetry off && [ "$(go telemetry)" = "off" ] || { echo "Failed to disable Go telemetry"; exit 1; }
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN apt-get update && apt-get install --no-install-recommends -y file
 ENV GO111MODULE=off
@@ -63,41 +78,8 @@ RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
         && /build/criu --version
 
 # registry
-FROM base AS registry-src
-WORKDIR /usr/src/registry
-RUN git init . && git remote add origin "https://github.com/distribution/distribution.git"
-
-FROM base AS registry
-WORKDIR /go/src/github.com/docker/distribution
-
-# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
-# install from the https://github.com/docker/distribution repository. This is
-# an older (pre v2.3.0) version of the registry that only supports schema1
-# manifests. This version of the registry is not working on arm64, so installation
-# is skipped on that architecture.
-ARG REGISTRY_VERSION_SCHEMA1=v2.1.0
-ARG TARGETPLATFORM
-RUN --mount=from=registry-src,src=/usr/src/registry,rw \
-    --mount=type=cache,target=/root/.cache/go-build,id=registry-build-$TARGETPLATFORM \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=tmpfs,target=/go/src <<EOT
-  set -ex
-  export GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"
-  # Make the /build directory no matter what so that it doesn't fail on arm64 or
-  # any other platform where we don't build this registry
-  mkdir /build
-  case $TARGETPLATFORM in
-    linux/amd64|linux/arm/v7|linux/ppc64le|linux/s390x)
-      git fetch -q --depth 1 origin "${REGISTRY_VERSION_SCHEMA1}" +refs/tags/*:refs/tags/*
-      git checkout -q FETCH_HEAD
-      CGO_ENABLED=0 xx-go build -o /build/registry-v2-schema1 -v ./cmd/registry
-      xx-verify /build/registry-v2-schema1
-      ;;
-  esac
-EOT
-
-FROM distribution/distribution:$REGISTRY_VERSION AS registry-v2
-RUN mkdir /build && mv /bin/registry /build/registry-v2
+FROM distribution/distribution:$REGISTRY_VERSION AS registry
+RUN mkdir /build && mv /bin/registry /build/registry
 
 # go-swagger
 FROM base AS swagger-src
@@ -153,7 +135,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.23.0
+ARG DELVE_VERSION=v1.24.1
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS delve-supported
@@ -220,10 +202,10 @@ FROM binary-dummy AS containerd-windows
 FROM containerd-${TARGETOS} AS containerd
 
 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.64.5
+ARG GOLANGCI_LINT_VERSION=v2.1.5
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
      && /build/golangci-lint --version
 
 FROM base AS gotestsum
@@ -279,7 +261,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged. When updating RUNC_VERSION,
 # consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.5
+ARG RUNC_VERSION=v1.2.6
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS runc-build
@@ -377,7 +359,8 @@ FROM binary-dummy AS rootlesskit-windows
 FROM rootlesskit-${TARGETOS} AS rootlesskit
 
 FROM base AS crun
-ARG CRUN_VERSION=1.12
+# CRUN_VERSION is the version of crun to install in the dev-container.
+ARG CRUN_VERSION=1.21
 RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
     --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
         apt-get update && apt-get install -y --no-install-recommends \
@@ -408,8 +391,8 @@ FROM scratch AS vpnkit-linux-arm
 FROM scratch AS vpnkit-linux-ppc64le
 FROM scratch AS vpnkit-linux-riscv64
 FROM scratch AS vpnkit-linux-s390x
-FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-amd64
-FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-arm64
+FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-amd64
+FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-arm64
 FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux
 FROM vpnkit-${TARGETOS} AS vpnkit
 
@@ -451,7 +434,6 @@ COPY --link --from=delve         /build/ /usr/local/bin/
 COPY --link --from=gowinres      /build/ /usr/local/bin/
 COPY --link --from=tini          /build/ /usr/local/bin/
 COPY --link --from=registry      /build/ /usr/local/bin/
-COPY --link --from=registry-v2   /build/ /usr/local/bin/
 
 # Skip the CRIU stage for now, as the opensuse package repository is sometimes
 # unstable, and we're currently not using it in CI.
@@ -498,7 +480,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
     --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
         apt-get update && apt-get install -y --no-install-recommends \
             firewalld
-RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
 
 FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
@@ -531,6 +512,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
             libnl-3-200 \
             libprotobuf-c1 \
             libyajl2 \
+            nano \
             net-tools \
             netcat-openbsd \
             patch \
@@ -648,6 +630,15 @@ FROM dev-base AS devcontainer
 COPY --link . .
 COPY --link --from=gopls         /build/ /usr/local/bin/
 
+# usage:
+# > docker buildx bake dind
+# > docker run -d --restart always --privileged --name devdind -p 12375:2375 docker-dind --debug --host=tcp://0.0.0.0:2375 --tlsverify=false
+FROM docker:dind AS dind
+COPY --link --from=dockercli /build/docker /usr/local/bin/
+COPY --link --from=buildx    /buildx /usr/local/libexec/docker/cli-plugins/docker-buildx
+COPY --link --from=compose   /docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose
+COPY --link --from=all       / /usr/local/bin/
+
 # usage:
 # > make shell
 # > SYSTEMD=true make shell

Dockerfile.simple

@@ -5,7 +5,7 @@
 
 # This represents the bare minimum required to build and test Docker.
 
-ARG GO_VERSION=1.23.7
+ARG GO_VERSION=1.24.4
 
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
@@ -35,10 +35,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 		vim-common \
 	&& rm -rf /var/lib/apt/lists/*
 
-# Install runc, containerd, tini and docker-proxy
+# Install runc, containerd, and tini
 # Please edit hack/dockerfile/install/<name>.installer to update them.
 COPY hack/dockerfile/install hack/dockerfile/install
-RUN for i in runc containerd tini proxy dockercli; \
+RUN set -e; for i in runc containerd tini dockercli; \
 		do hack/dockerfile/install/install.sh $i; \
 	done
 ENV PATH=/usr/local/cli:$PATH

Dockerfile.windows

@@ -161,9 +161,11 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ARG GO_VERSION=1.23.7
+ARG GO_VERSION=1.24.4
 ARG GOTESTSUM_VERSION=v1.12.0
-ARG GOWINRES_VERSION=v0.3.1
+
+# GOWINRES_VERSION is the version of go-winres to install.
+ARG GOWINRES_VERSION=v0.3.3
 ARG CONTAINERD_VERSION=v1.7.27
 
 # Environment variable notes:

MAINTAINERS

@@ -7,6 +7,7 @@
 "akerouanton","Albin Kerouanton","albinker@gmail.com"
 "AkihiroSuda","Akihiro Suda","akihiro.suda.cz@hco.ntt.co.jp"
 "austinvazquez","Austin Vazquez","macedonv@amazon.com"
+"corhere","Cory Snider","csnider@mirantis.com"
 "cpuguy83","Brian Goff","cpuguy83@gmail.com"
 "robmry","Rob Murray","rob.murray@docker.com"
 "thaJeztah","Sebastiaan van Stijn","github@gone.nl"
@@ -17,7 +18,6 @@
 # REVIEWERS
 # GitHub ID, Name, Email address, GPG fingerprint
 "coolljt0725","Lei Jitang","leijitang@huawei.com"
-"corhere","Cory Snider","csnider@mirantis.com"
 "crazy-max","Kevin Alvarez","contact@crazymax.dev"
 "dmcgowan","Derek McGowan","derek@mcgstyle.net"
 "estesp","Phil Estes","estesp@linux.vnet.ibm.com"

Makefile

@@ -38,7 +38,6 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
-	-e DOCKER_FIREWALLD \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -50,6 +49,7 @@ DOCKER_ENVS := \
 	-e DOCKER_USERLANDPROXY \
 	-e DOCKERD_ARGS \
 	-e DELVE_PORT \
+	-e FIREWALLD \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
@@ -57,7 +57,6 @@ DOCKER_ENVS := \
 	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
-	-e TEST_IGNORE_CGROUP_CHECK \
 	-e TESTCOVERAGE \
 	-e TESTDEBUG \
 	-e TESTDIRS \
@@ -84,11 +83,11 @@ DOCKER_ENVS := \
 # to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
 # (default to no bind mount if DOCKER_HOST is set)
 # note: BINDDIR is supported for backwards-compatibility here
-BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))
+BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,.))
 
 # DOCKER_MOUNT can be overridden, but use at your own risk!
 ifndef DOCKER_MOUNT
-DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
+DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
 DOCKER_MOUNT := $(if $(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT):$(DOCKER_BINDDIR_MOUNT_OPTS),$(DOCKER_MOUNT))
 
 # This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
@@ -150,7 +149,7 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
-ifdef DOCKER_FIREWALLD
+ifdef FIREWALLD
 DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
 endif
 
@@ -204,7 +203,7 @@ build: shell_target := --target=dev-base
 else
 build: shell_target := --target=dev
 endif
-build: bundles
+build: validate-bind-dir bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .
 
 .PHONY: shell
@@ -285,3 +284,10 @@ generate-files:
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
 	cp -R "$($@_TMP_OUT)"/. .
 	rm -rf "$($@_TMP_OUT)"/*
+
+.PHONY: validate-bind-dir
+validate-bind-dir:
+	@case "$(BIND_DIR)" in \
+		".."*|"/"*) echo "Make needs to be run from the project-root directory, with BIND_DIR set to \".\" or a subdir"; \
+		exit 1 ;; \
+	esac

api/common.go

@@ -1,9 +1,9 @@
-package api // import "github.com/docker/docker/api"
+package api
 
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.48"
+	DefaultVersion = "1.51"
 
 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon

api/server/backend/build/backend.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/backend/build"
+package build
 
 import (
 	"context"
@@ -6,8 +6,8 @@ import (
 	"strconv"
 
 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/builder"
 	buildkit "github.com/docker/docker/builder/builder-next"
@@ -52,37 +52,37 @@ func (b *Backend) RegisterGRPC(s *grpc.Server) {
 // Build builds an image from a Source
 func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string, error) {
 	options := config.Options
-	useBuildKit := options.Version == types.BuilderBuildKit
+	useBuildKit := options.Version == build.BuilderBuildKit
 
 	tags, err := sanitizeRepoAndTags(options.Tags)
 	if err != nil {
 		return "", err
 	}
 
-	var build *builder.Result
+	var buildResult *builder.Result
 	if useBuildKit {
-		build, err = b.buildkit.Build(ctx, config)
+		buildResult, err = b.buildkit.Build(ctx, config)
 		if err != nil {
 			return "", err
 		}
 	} else {
-		build, err = b.builder.Build(ctx, config)
+		buildResult, err = b.builder.Build(ctx, config)
 		if err != nil {
 			return "", err
 		}
 	}
 
-	if build == nil {
+	if buildResult == nil {
 		return "", nil
 	}
 
-	imageID := build.ImageID
+	imageID := buildResult.ImageID
 	if options.Squash {
-		if imageID, err = squashBuild(build, b.imageComponent); err != nil {
+		if imageID, err = squashBuild(buildResult, b.imageComponent); err != nil {
 			return "", err
 		}
 		if config.ProgressWriter.AuxFormatter != nil {
-			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", types.BuildResult{ID: imageID}); err != nil {
+			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", build.Result{ID: imageID}); err != nil {
 				return "", err
 			}
 		}
@@ -97,7 +97,7 @@ func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string
 }
 
 // PruneCache removes all cached build sources
-func (b *Backend) PruneCache(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+func (b *Backend) PruneCache(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
 	buildCacheSize, cacheIDs, err := b.buildkit.Prune(ctx, opts)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to prune build cache")
@@ -107,7 +107,7 @@ func (b *Backend) PruneCache(ctx context.Context, opts types.BuildCachePruneOpti
 			"reclaimed": strconv.FormatInt(buildCacheSize, 10),
 		},
 	})
-	return &types.BuildCachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
+	return &build.CachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
 }
 
 // Cancel cancels the build by ID

api/server/backend/build/tag.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/backend/build"
+package build
 
 import (
 	"context"
@@ -24,7 +24,7 @@ func tagImages(ctx context.Context, ic ImageComponent, stdout io.Writer, imageID
 // sanitizeRepoAndTags parses the raw "t" parameter received from the client
 // to a slice of repoAndTag. It removes duplicates, and validates each name
 // to not contain a digest.
-func sanitizeRepoAndTags(names []string) (repoAndTags []reference.Named, err error) {
+func sanitizeRepoAndTags(names []string) (repoAndTags []reference.Named, _ error) {
 	uniqNames := map[string]struct{}{}
 	for _, repo := range names {
 		if repo == "" {

api/server/httpstatus/status.go

@@ -1,4 +1,4 @@
-package httpstatus // import "github.com/docker/docker/api/server/httpstatus"
+package httpstatus
 
 import (
 	"context"
@@ -8,15 +8,10 @@ import (
 	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/docker/errdefs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
 
-type causer interface {
-	Cause() error
-}
-
 // FromError retrieves status code from error message.
 func FromError(err error) int {
 	if err == nil {
@@ -24,48 +19,55 @@ func FromError(err error) int {
 		return http.StatusInternalServerError
 	}
 
-	// Stop right there
-	// Are you sure you should be adding a new error class here? Do one of the existing ones work?
+	// Resolve the error to ensure status is chosen from the first outermost error
+	rerr := cerrdefs.Resolve(err)
 
 	// Note that the below functions are already checking the error causal chain for matches.
+	// Only check errors from the errdefs package, no new error type checking may be added
 	switch {
-	case errdefs.IsNotFound(err):
+	case cerrdefs.IsNotFound(rerr):
 		return http.StatusNotFound
-	case errdefs.IsInvalidParameter(err):
+	case cerrdefs.IsInvalidArgument(rerr):
 		return http.StatusBadRequest
-	case errdefs.IsConflict(err):
+	case cerrdefs.IsConflict(rerr):
 		return http.StatusConflict
-	case errdefs.IsUnauthorized(err):
+	case cerrdefs.IsUnauthorized(rerr):
 		return http.StatusUnauthorized
-	case errdefs.IsUnavailable(err):
+	case cerrdefs.IsUnavailable(rerr):
 		return http.StatusServiceUnavailable
-	case errdefs.IsForbidden(err):
+	case cerrdefs.IsPermissionDenied(rerr):
 		return http.StatusForbidden
-	case errdefs.IsNotModified(err):
+	case cerrdefs.IsNotModified(rerr):
 		return http.StatusNotModified
-	case errdefs.IsNotImplemented(err):
+	case cerrdefs.IsNotImplemented(rerr):
 		return http.StatusNotImplemented
-	case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
+	case cerrdefs.IsInternal(rerr) || cerrdefs.IsDataLoss(rerr) || cerrdefs.IsDeadlineExceeded(rerr) || cerrdefs.IsCanceled(rerr):
 		return http.StatusInternalServerError
 	default:
 		if statusCode := statusCodeFromGRPCError(err); statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
-		if statusCode := statusCodeFromContainerdError(err); statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
 		if statusCode := statusCodeFromDistributionError(err); statusCode != http.StatusInternalServerError {
 			return statusCode
 		}
-		if e, ok := err.(causer); ok {
-			return FromError(e.Cause())
+		switch e := err.(type) {
+		case interface{ Unwrap() error }:
+			return FromError(e.Unwrap())
+		case interface{ Unwrap() []error }:
+			for _, ue := range e.Unwrap() {
+				if statusCode := FromError(ue); statusCode != http.StatusInternalServerError {
+					return statusCode
+				}
+			}
 		}
 
-		log.G(context.TODO()).WithFields(log.Fields{
-			"module":     "api",
-			"error":      err,
-			"error_type": fmt.Sprintf("%T", err),
-		}).Debug("FIXME: Got an API for which error does not match any expected type!!!")
+		if !cerrdefs.IsUnknown(err) {
+			log.G(context.TODO()).WithFields(log.Fields{
+				"module":     "api",
+				"error":      err,
+				"error_type": fmt.Sprintf("%T", err),
+			}).Debug("FIXME: Got an API for which error does not match any expected type!!!")
+		}
 
 		return http.StatusInternalServerError
 	}
@@ -120,24 +122,3 @@ func statusCodeFromDistributionError(err error) int {
 	}
 	return http.StatusInternalServerError
 }
-
-// statusCodeFromContainerdError returns status code for containerd errors when
-// consumed directly (not through gRPC)
-func statusCodeFromContainerdError(err error) int {
-	switch {
-	case cerrdefs.IsInvalidArgument(err):
-		return http.StatusBadRequest
-	case cerrdefs.IsNotFound(err):
-		return http.StatusNotFound
-	case cerrdefs.IsAlreadyExists(err):
-		return http.StatusConflict
-	case cerrdefs.IsFailedPrecondition(err):
-		return http.StatusPreconditionFailed
-	case cerrdefs.IsUnavailable(err):
-		return http.StatusServiceUnavailable
-	case cerrdefs.IsNotImplemented(err):
-		return http.StatusNotImplemented
-	default:
-		return http.StatusInternalServerError
-	}
-}

api/server/httputils/decoder.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"io"

api/server/httputils/form.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"encoding/json"
@@ -16,8 +16,12 @@ import (
 
 // BoolValue transforms a form value in different formats into a boolean type.
 func BoolValue(r *http.Request, k string) bool {
-	s := strings.ToLower(strings.TrimSpace(r.FormValue(k)))
-	return !(s == "" || s == "0" || s == "no" || s == "false" || s == "none")
+	switch strings.ToLower(strings.TrimSpace(r.FormValue(k))) {
+	case "", "0", "no", "false", "none":
+		return false
+	default:
+		return true
+	}
 }
 
 // BoolValueOrDefault returns the default bool passed if the query param is
@@ -158,3 +162,22 @@ func DecodePlatform(platformJSON string) (*ocispec.Platform, error) {
 
 	return &p, nil
 }
+
+// DecodePlatforms decodes the OCI platform JSON string into a Platform struct.
+//
+// Typically, the argument is a value of: r.Form["platform"]
+func DecodePlatforms(platformJSONs []string) ([]ocispec.Platform, error) {
+	if len(platformJSONs) == 0 {
+		return nil, nil
+	}
+
+	var output []ocispec.Platform
+	for _, platform := range platformJSONs {
+		p, err := DecodePlatform(platform)
+		if err != nil {
+			return nil, err
+		}
+		output = append(output, *p)
+	}
+	return output, nil
+}

api/server/httputils/form_test.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"math"
@@ -7,7 +7,7 @@ import (
 	"strconv"
 	"testing"
 
-	"github.com/docker/docker/errdefs"
+	cerrdefs "github.com/containerd/errdefs"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -30,7 +30,7 @@ func TestBoolValue(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a := BoolValue(r, "test")
@@ -41,14 +41,14 @@ func TestBoolValue(t *testing.T) {
 }
 
 func TestBoolValueOrDefault(t *testing.T) {
-	r, _ := http.NewRequest(http.MethodGet, "", nil)
+	r, _ := http.NewRequest(http.MethodGet, "", http.NoBody)
 	if !BoolValueOrDefault(r, "queryparam", true) {
 		t.Fatal("Expected to get true default value, got false")
 	}
 
 	v := url.Values{}
 	v.Set("param", "")
-	r, _ = http.NewRequest(http.MethodGet, "", nil)
+	r, _ = http.NewRequest(http.MethodGet, "", http.NoBody)
 	r.Form = v
 	if BoolValueOrDefault(r, "param", true) {
 		t.Fatal("Expected not to get true")
@@ -66,7 +66,7 @@ func TestInt64ValueOrZero(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a := Int64ValueOrZero(r, "test")
@@ -86,7 +86,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a, err := Int64ValueOrDefault(r, "test", -1)
@@ -102,7 +102,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 func TestInt64ValueOrDefaultWithError(t *testing.T) {
 	v := url.Values{}
 	v.Set("test", "invalid")
-	r, _ := http.NewRequest(http.MethodPost, "", nil)
+	r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 	r.Form = v
 
 	_, err := Int64ValueOrDefault(r, "test", -1)
@@ -150,7 +150,7 @@ func TestUint32Value(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.value, func(t *testing.T) {
-			r, _ := http.NewRequest(http.MethodPost, "", nil)
+			r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 			r.Form = url.Values{}
 			if tc.value != valueNotSet {
 				r.Form.Set("field", tc.value)
@@ -225,7 +225,7 @@ func TestDecodePlatform(t *testing.T) {
 			p, err := DecodePlatform(tc.platformJSON)
 			assert.Check(t, is.DeepEqual(p, tc.expected))
 			if tc.expectedErr != "" {
-				assert.Check(t, errdefs.IsInvalidParameter(err))
+				assert.Check(t, cerrdefs.IsInvalidArgument(err))
 				assert.Check(t, is.Error(err, tc.expectedErr))
 			} else {
 				assert.Check(t, err)

api/server/httputils/httputils.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"context"
@@ -74,7 +74,7 @@ func ReadJSON(r *http.Request, out interface{}) error {
 	err = dec.Decode(out)
 	defer r.Body.Close()
 	if err != nil {
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			return errdefs.InvalidParameter(errors.New("invalid JSON: got EOF while reading request body"))
 		}
 		return errdefs.InvalidParameter(errors.Wrap(err, "invalid JSON"))

api/server/httputils/httputils_test.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"net/http"
@@ -33,7 +33,7 @@ func TestJsonContentType(t *testing.T) {
 
 func TestReadJSON(t *testing.T) {
 	t.Run("nil body", func(t *testing.T) {
-		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", nil)
+		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", http.NoBody)
 		if err != nil {
 			t.Error(err)
 		}

api/server/httputils/write_log_stream.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"context"

api/server/middleware.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"github.com/containerd/log"

api/server/middleware/debug.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"bufio"
@@ -17,7 +17,7 @@ import (
 
 // DebugRequestMiddleware dumps the request to logger
 func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) (retErr error) {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		logger := log.G(ctx)
 
 		// Use a variable for fields to prevent overhead of repeatedly
@@ -28,25 +28,27 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 			"request-url": r.RequestURI,
 			"vars":        vars,
 		}
-		logger.WithFields(fields).Debugf("handling %s request", r.Method)
-		defer func() {
-			if retErr != nil {
+		handleWithLogs := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+			logger.WithFields(fields).Debugf("handling %s request", r.Method)
+			err := handler(ctx, w, r, vars)
+			if err != nil {
 				// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
-				fields["error-response"] = retErr
-				fields["status"] = httpstatus.FromError(retErr)
+				fields["error-response"] = err
+				fields["status"] = httpstatus.FromError(err)
 				logger.WithFields(fields).Debugf("error response for %s request", r.Method)
 			}
-		}()
+			return err
+		}
 
 		if r.Method != http.MethodPost {
-			return handler(ctx, w, r, vars)
+			return handleWithLogs(ctx, w, r, vars)
 		}
 		if err := httputils.CheckForJSON(r); err != nil {
-			return handler(ctx, w, r, vars)
+			return handleWithLogs(ctx, w, r, vars)
 		}
 		maxBodySize := 4096 // 4KB
 		if r.ContentLength > int64(maxBodySize) {
-			return handler(ctx, w, r, vars)
+			return handleWithLogs(ctx, w, r, vars)
 		}
 
 		body := r.Body
@@ -56,7 +58,7 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 		b, err := bufReader.Peek(maxBodySize)
 		if err != io.EOF {
 			// either there was an error reading, or the buffer is full (in which case the request is too large)
-			return handler(ctx, w, r, vars)
+			return handleWithLogs(ctx, w, r, vars)
 		}
 
 		var postForm map[string]interface{}
@@ -74,7 +76,7 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 			}
 		}
 
-		return handler(ctx, w, r, vars)
+		return handleWithLogs(ctx, w, r, vars)
 	}
 }
 

api/server/middleware/debug_test.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"testing"

api/server/middleware/experimental.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/middleware.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/version.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/version_test.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"
@@ -79,7 +79,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 
@@ -121,7 +121,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, len(v) != 0)
+		assert.Check(t, v != "")
 		return nil
 	}
 
@@ -129,7 +129,7 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 

api/server/router/build/backend.go

@@ -1,10 +1,10 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/build"
 )
 
 // Backend abstracts an image builder whose only purpose is to build an image referenced by an imageID.
@@ -13,8 +13,8 @@ type Backend interface {
 	// TODO: make this return a reference instead of string
 	Build(context.Context, backend.BuildConfig) (string, error)
 
-	// Prune build cache
-	PruneCache(context.Context, types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
+	// PruneCache prunes the build cache.
+	PruneCache(context.Context, build.CachePruneOptions) (*build.CachePruneReport, error)
 	Cancel(context.Context, string) error
 }
 

api/server/router/build/build.go

@@ -1,10 +1,10 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"runtime"
 
 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 )
 
 // buildRouter is a router to talk with the build controller
@@ -25,15 +25,15 @@ func NewRouter(b Backend, d experimentalProvider) router.Router {
 }
 
 // Routes returns the available routers to the build controller
-func (r *buildRouter) Routes() []router.Route {
-	return r.routes
+func (br *buildRouter) Routes() []router.Route {
+	return br.routes
 }
 
-func (r *buildRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewPostRoute("/build", r.postBuild),
-		router.NewPostRoute("/build/prune", r.postPrune),
-		router.NewPostRoute("/build/cancel", r.postCancel),
+func (br *buildRouter) initRoutes() {
+	br.routes = []router.Route{
+		router.NewPostRoute("/build", br.postBuild),
+		router.NewPostRoute("/build/prune", br.postPrune),
+		router.NewPostRoute("/build/cancel", br.postCancel),
 	}
 }
 
@@ -46,15 +46,22 @@ func (r *buildRouter) initRoutes() {
 //
 // This value is only a recommendation as advertised by the daemon, and it is
 // up to the client to choose which builder to use.
-func BuilderVersion(features map[string]bool) types.BuilderVersion {
+func BuilderVersion(features map[string]bool) build.BuilderVersion {
 	// TODO(thaJeztah) move the default to daemon/config
+	bv := build.BuilderBuildKit
 	if runtime.GOOS == "windows" {
-		return types.BuilderV1
+		// BuildKit is not yet the default on Windows.
+		bv = build.BuilderV1
 	}
 
-	bv := types.BuilderBuildKit
-	if v, ok := features["buildkit"]; ok && !v {
-		bv = types.BuilderV1
+	// Allow the features field in the daemon config to override the
+	// default builder to advertise.
+	if enable, ok := features["buildkit"]; ok {
+		if enable {
+			bv = build.BuilderBuildKit
+		} else {
+			bv = build.BuilderV1
+		}
 	}
 	return bv
 }

api/server/router/build/build_routes.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"bufio"
@@ -17,8 +17,8 @@ import (
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -35,9 +35,9 @@ type invalidParam struct {
 
 func (e invalidParam) InvalidParameter() {}
 
-func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBuildOptions, error) {
-	options := &types.ImageBuildOptions{
-		Version:        types.BuilderV1, // Builder V1 is the default, but can be overridden
+func newImageBuildOptions(ctx context.Context, r *http.Request) (*build.ImageBuildOptions, error) {
+	options := &build.ImageBuildOptions{
+		Version:        build.BuilderV1, // Builder V1 is the default, but can be overridden
 		Dockerfile:     r.FormValue("dockerfile"),
 		SuppressOutput: httputils.BoolValue(r, "q"),
 		NoCache:        httputils.BoolValue(r, "nocache"),
@@ -81,7 +81,7 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 	if versions.GreaterThanOrEqualTo(version, "1.40") {
 		outputsJSON := r.FormValue("outputs")
 		if outputsJSON != "" {
-			var outputs []types.ImageBuildOutput
+			var outputs []build.ImageBuildOutput
 			if err := json.Unmarshal([]byte(outputsJSON), &outputs); err != nil {
 				return nil, invalidParam{errors.Wrap(err, "invalid outputs specified")}
 			}
@@ -159,12 +159,12 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 	return options, nil
 }
 
-func parseVersion(s string) (types.BuilderVersion, error) {
-	switch types.BuilderVersion(s) {
-	case types.BuilderV1:
-		return types.BuilderV1, nil
-	case types.BuilderBuildKit:
-		return types.BuilderBuildKit, nil
+func parseVersion(s string) (build.BuilderVersion, error) {
+	switch build.BuilderVersion(s) {
+	case build.BuilderV1:
+		return build.BuilderV1, nil
+	case build.BuilderBuildKit:
+		return build.BuilderBuildKit, nil
 	default:
 		return "", invalidParam{errors.Errorf("invalid version %q", s)}
 	}
@@ -179,7 +179,7 @@ func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *
 		return err
 	}
 
-	opts := types.BuildCachePruneOptions{
+	opts := build.CachePruneOptions{
 		All:     httputils.BoolValue(r, "all"),
 		Filters: fltrs,
 	}
@@ -197,17 +197,18 @@ func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *
 
 	version := httputils.VersionFromContext(ctx)
 	if versions.GreaterThanOrEqualTo(version, "1.48") {
-		bs, err := parseBytesFromFormValue("reserved-space")
-		if err != nil {
+		if bs, err := parseBytesFromFormValue("reserved-space"); err != nil {
 			return err
-		} else if bs == 0 {
-			// Deprecated parameter. Only checked if reserved-space is not used.
-			bs, err = parseBytesFromFormValue("keep-storage")
-			if err != nil {
-				return err
+		} else {
+			if bs == 0 {
+				// Deprecated parameter. Only checked if reserved-space is not used.
+				bs, err = parseBytesFromFormValue("keep-storage")
+				if err != nil {
+					return err
+				}
 			}
+			opts.ReservedSpace = bs
 		}
-		opts.ReservedSpace = bs
 
 		if bs, err := parseBytesFromFormValue("max-used-space"); err != nil {
 			return err
@@ -222,11 +223,11 @@ func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *
 		}
 	} else {
 		// Only keep-storage was valid in pre-1.48 versions.
-		bs, err := parseBytesFromFormValue("keep-storage")
-		if err != nil {
+		if bs, err := parseBytesFromFormValue("keep-storage"); err != nil {
 			return err
+		} else {
+			opts.ReservedSpace = bs
 		}
-		opts.ReservedSpace = bs
 	}
 
 	report, err := br.backend.PruneCache(ctx, opts)

api/server/router/checkpoint/backend.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import "github.com/docker/docker/api/types/checkpoint"
 

api/server/router/checkpoint/checkpoint.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import (
 	"github.com/docker/docker/api/server/httputils"
@@ -23,14 +23,14 @@ func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
 }
 
 // Routes returns the available routers to the checkpoint controller
-func (r *checkpointRouter) Routes() []router.Route {
-	return r.routes
+func (cr *checkpointRouter) Routes() []router.Route {
+	return cr.routes
 }
 
-func (r *checkpointRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewGetRoute("/containers/{name:.*}/checkpoints", r.getContainerCheckpoints, router.Experimental),
-		router.NewPostRoute("/containers/{name:.*}/checkpoints", r.postContainerCheckpoint, router.Experimental),
-		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", r.deleteContainerCheckpoint, router.Experimental),
+func (cr *checkpointRouter) initRoutes() {
+	cr.routes = []router.Route{
+		router.NewGetRoute("/containers/{name:.*}/checkpoints", cr.getContainerCheckpoints, router.Experimental),
+		router.NewPostRoute("/containers/{name:.*}/checkpoints", cr.postContainerCheckpoint, router.Experimental),
+		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", cr.deleteContainerCheckpoint, router.Experimental),
 	}
 }

api/server/router/checkpoint/checkpoint_routes.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import (
 	"context"
@@ -8,7 +8,7 @@ import (
 	"github.com/docker/docker/api/types/checkpoint"
 )
 
-func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (cr *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -18,7 +18,7 @@ func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.R
 		return err
 	}
 
-	err := s.backend.CheckpointCreate(vars["name"], options)
+	err := cr.backend.CheckpointCreate(vars["name"], options)
 	if err != nil {
 		return err
 	}
@@ -27,12 +27,12 @@ func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.R
 	return nil
 }
 
-func (s *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (cr *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
 
-	checkpoints, err := s.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
+	checkpoints, err := cr.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
 		CheckpointDir: r.Form.Get("dir"),
 	})
 	if err != nil {
@@ -42,12 +42,12 @@ func (s *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.R
 	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
 }
 
-func (s *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (cr *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
 
-	err := s.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
+	err := cr.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
 		CheckpointDir: r.Form.Get("dir"),
 		CheckpointID:  vars["checkpoint"],
 	})

api/server/router/container/backend.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"
@@ -7,8 +7,7 @@ import (
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
-	containerpkg "github.com/docker/docker/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
 )
 
 // execBackend includes functions to implement to provide exec functionality.
@@ -41,7 +40,7 @@ type stateBackend interface {
 	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
 	ContainerUnpause(name string) error
 	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.UpdateResponse, error)
-	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
+	ContainerWait(ctx context.Context, name string, condition container.WaitCondition) (<-chan container.StateStatus, error)
 }
 
 // monitorBackend includes functions to implement to provide containers monitoring functionality.

api/server/router/container/container.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"github.com/docker/docker/api/server/httputils"

api/server/router/container/container_routes.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"
@@ -21,7 +21,6 @@ import (
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
-	containerpkg "github.com/docker/docker/container"
 	networkSettings "github.com/docker/docker/daemon/network"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork/netlabel"
@@ -164,7 +163,7 @@ func (c *containerRouter) getContainersLogs(ctx context.Context, w http.Response
 	// any error after the stream starts (i.e. container not found, wrong parameters)
 	// with the appropriate status code.
 	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
-	if !(stdout || stderr) {
+	if !stdout && !stderr {
 		return errdefs.InvalidParameter(errors.New("Bad parameters: you must choose at least one stream"))
 	}
 
@@ -337,7 +336,7 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 	legacyRemovalWaitPre134 := false
 
 	// The wait condition defaults to "not-running".
-	waitCondition := containerpkg.WaitConditionNotRunning
+	waitCondition := container.WaitConditionNotRunning
 	if !legacyBehaviorPre130 {
 		if err := httputils.ParseForm(r); err != nil {
 			return err
@@ -345,11 +344,11 @@ func (c *containerRouter) postContainersWait(ctx context.Context, w http.Respons
 		if v := r.Form.Get("condition"); v != "" {
 			switch container.WaitCondition(v) {
 			case container.WaitConditionNotRunning:
-				waitCondition = containerpkg.WaitConditionNotRunning
+				waitCondition = container.WaitConditionNotRunning
 			case container.WaitConditionNextExit:
-				waitCondition = containerpkg.WaitConditionNextExit
+				waitCondition = container.WaitConditionNextExit
 			case container.WaitConditionRemoved:
-				waitCondition = containerpkg.WaitConditionRemoved
+				waitCondition = container.WaitConditionRemoved
 				legacyRemovalWaitPre134 = versions.LessThan(version, "1.34")
 			default:
 				return errdefs.InvalidParameter(errors.Errorf("invalid condition: %q", v))
@@ -960,21 +959,17 @@ func (c *containerRouter) postContainersResize(ctx context.Context, w http.Respo
 }
 
 func (c *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	err := httputils.ParseForm(r)
-	if err != nil {
+	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
 	containerName := vars["name"]
-
-	_, upgrade := r.Header["Upgrade"]
-	detachKeys := r.FormValue("detachKeys")
-
 	hijacker, ok := w.(http.Hijacker)
 	if !ok {
 		return errdefs.InvalidParameter(errors.Errorf("error attaching to container %s, hijack connection missing", containerName))
 	}
 
 	contentType := types.MediaTypeRawStream
+	_, upgrade := r.Header["Upgrade"]
 	setupStreams := func(multiplexed bool, cancel func()) (io.ReadCloser, io.Writer, io.Writer, error) {
 		conn, _, err := hijacker.Hijack()
 		if err != nil {
@@ -1004,18 +999,16 @@ func (c *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
 		return ioutils.NewReadCloserWrapper(conn, closer), conn, conn, nil
 	}
 
-	attachConfig := &backend.ContainerAttachConfig{
+	if err := c.backend.ContainerAttach(containerName, &backend.ContainerAttachConfig{
 		GetStreams: setupStreams,
 		UseStdin:   httputils.BoolValue(r, "stdin"),
 		UseStdout:  httputils.BoolValue(r, "stdout"),
 		UseStderr:  httputils.BoolValue(r, "stderr"),
 		Logs:       httputils.BoolValue(r, "logs"),
 		Stream:     httputils.BoolValue(r, "stream"),
-		DetachKeys: detachKeys,
+		DetachKeys: r.FormValue("detachKeys"),
 		MuxStreams: true,
-	}
-
-	if err = c.backend.ContainerAttach(containerName, attachConfig); err != nil {
+	}); err != nil {
 		log.G(ctx).WithError(err).Errorf("Handler for %s %s returned error", r.Method, r.URL.Path)
 		// Remember to close stream if error happens
 		conn, _, errHijack := hijacker.Hijack()
@@ -1037,9 +1030,6 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 	}
 	containerName := vars["name"]
 
-	var err error
-	detachKeys := r.FormValue("detachKeys")
-
 	done := make(chan struct{})
 	started := make(chan struct{})
 
@@ -1076,18 +1066,16 @@ func (c *containerRouter) wsContainersAttach(ctx context.Context, w http.Respons
 		useStderr = httputils.BoolValue(r, "stderr")
 	}
 
-	attachConfig := &backend.ContainerAttachConfig{
+	err := c.backend.ContainerAttach(containerName, &backend.ContainerAttachConfig{
 		GetStreams: setupStreams,
 		UseStdin:   useStdin,
 		UseStdout:  useStdout,
 		UseStderr:  useStderr,
 		Logs:       httputils.BoolValue(r, "logs"),
 		Stream:     httputils.BoolValue(r, "stream"),
-		DetachKeys: detachKeys,
+		DetachKeys: r.FormValue("detachKeys"),
 		MuxStreams: false, // never multiplex, as we rely on websocket to manage distinct streams
-	}
-
-	err = c.backend.ContainerAttach(containerName, attachConfig)
+	})
 	close(done)
 	select {
 	case <-started:

api/server/router/container/copy.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"compress/flate"

api/server/router/container/exec.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"

api/server/router/container/inspect.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"

api/server/router/debug/debug.go

@@ -1,4 +1,4 @@
-package debug // import "github.com/docker/docker/api/server/router/debug"
+package debug
 
 import (
 	"context"

api/server/router/debug/debug_routes.go

@@ -1,4 +1,4 @@
-package debug // import "github.com/docker/docker/api/server/router/debug"
+package debug
 
 import (
 	"context"

api/server/router/distribution/backend.go

@@ -1,4 +1,4 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import (
 	"context"

api/server/router/distribution/distribution.go

@@ -1,4 +1,4 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import "github.com/docker/docker/api/server/router"
 
@@ -18,14 +18,14 @@ func NewRouter(backend Backend) router.Router {
 }
 
 // Routes returns the available routes
-func (r *distributionRouter) Routes() []router.Route {
-	return r.routes
+func (dr *distributionRouter) Routes() []router.Route {
+	return dr.routes
 }
 
 // initRoutes initializes the routes in the distribution router
-func (r *distributionRouter) initRoutes() {
-	r.routes = []router.Route{
+func (dr *distributionRouter) initRoutes() {
+	dr.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/distribution/{name:.*}/json", r.getDistributionInfo),
+		router.NewGetRoute("/distribution/{name:.*}/json", dr.getDistributionInfo),
 	}
 }

api/server/router/distribution/distribution_routes.go

@@ -1,10 +1,9 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import (
 	"context"
 	"encoding/json"
 	"net/http"
-	"os"
 
 	"github.com/distribution/reference"
 	"github.com/docker/distribution"
@@ -19,7 +18,7 @@ import (
 	"github.com/pkg/errors"
 )
 
-func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
 	}
@@ -45,7 +44,7 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 	// For a search it is not an error if no auth was given. Ignore invalid
 	// AuthConfig to increase compatibility with the existing API.
 	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
-	repos, err := s.backend.GetRepositories(ctx, namedRef, authConfig)
+	repos, err := dr.backend.GetRepositories(ctx, namedRef, authConfig)
 	if err != nil {
 		return err
 	}
@@ -66,7 +65,7 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 	// - https://github.com/moby/moby/blob/12c7411b6b7314bef130cd59f1c7384a7db06d0b/distribution/pull.go#L76-L152
 	var lastErr error
 	for _, repo := range repos {
-		distributionInspect, err := s.fetchManifest(ctx, repo, namedRef)
+		distributionInspect, err := dr.fetchManifest(ctx, repo, namedRef)
 		if err != nil {
 			lastErr = err
 			continue
@@ -76,7 +75,7 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res
 	return lastErr
 }
 
-func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distribution.Repository, namedRef reference.Named) (registry.DistributionInspect, error) {
+func (dr *distributionRouter) fetchManifest(ctx context.Context, distrepo distribution.Repository, namedRef reference.Named) (registry.DistributionInspect, error) {
 	var distributionInspect registry.DistributionInspect
 	if canonicalRef, ok := namedRef.(reference.Canonical); !ok {
 		namedRef = reference.TagNameOnly(namedRef)
@@ -109,14 +108,14 @@ func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distrib
 	}
 	mnfst, err := mnfstsrvc.Get(ctx, distributionInspect.Descriptor.Digest)
 	if err != nil {
-		switch err {
-		case reference.ErrReferenceInvalidFormat,
-			reference.ErrTagInvalidFormat,
-			reference.ErrDigestInvalidFormat,
-			reference.ErrNameContainsUppercase,
-			reference.ErrNameEmpty,
-			reference.ErrNameTooLong,
-			reference.ErrNameNotCanonical:
+		switch {
+		case errors.Is(err, reference.ErrReferenceInvalidFormat),
+			errors.Is(err, reference.ErrTagInvalidFormat),
+			errors.Is(err, reference.ErrDigestInvalidFormat),
+			errors.Is(err, reference.ErrNameContainsUppercase),
+			errors.Is(err, reference.ErrNameEmpty),
+			errors.Is(err, reference.ErrNameTooLong),
+			errors.Is(err, reference.ErrNameNotCanonical):
 			return registry.DistributionInspect{}, errdefs.InvalidParameter(err)
 		}
 		return registry.DistributionInspect{}, err
@@ -154,15 +153,10 @@ func (s *distributionRouter) fetchManifest(ctx context.Context, distrepo distrib
 				distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
 			}
 		}
+
+	// TODO(thaJeztah); we only use this to produce a nice error, but as a result, we can't remove libtrust as dependency - see if we can reduce the dependencies, but still able to detect it's a deprecated manifest
 	case *schema1.SignedManifest:
-		if os.Getenv("DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE") == "" {
-			return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
-		}
-		platform := ocispec.Platform{
-			Architecture: mnfstObj.Architecture,
-			OS:           "linux",
-		}
-		distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
+		return registry.DistributionInspect{}, distributionpkg.DeprecatedSchema1ImageError(namedRef)
 	}
 	return distributionInspect, nil
 }

api/server/router/experimental.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import (
 	"context"

api/server/router/grpc/backend.go

@@ -1,4 +1,4 @@
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import "google.golang.org/grpc"
 

api/server/router/grpc/grpc.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import (
 	"context"
@@ -60,7 +60,7 @@ func (gr *grpcRouter) initRoutes() {
 	}
 }
 
-func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, _ error) {
 	// This method is used by the clients to send their traces to buildkit so they can be included
 	// in the daemon trace and stored in the build history record. This method can not be traced because
 	// it would cause an infinite loop.
@@ -68,11 +68,11 @@ func unaryInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo,
 		return handler(ctx, req)
 	}
 
-	resp, err = handler(ctx, req)
+	resp, err := handler(ctx, req)
 	if err != nil {
 		log.G(ctx).WithError(err).Error(info.FullMethod)
 		if log.GetLevel() >= log.DebugLevel {
-			fmt.Fprintf(os.Stderr, "%+v", stack.Formatter(grpcerrors.FromGRPC(err)))
+			_, _ = fmt.Fprintf(os.Stderr, "%+v", stack.Formatter(grpcerrors.FromGRPC(err)))
 		}
 	}
 	return resp, err

api/server/router/grpc/grpc_routes.go

@@ -1,4 +1,4 @@
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import (
 	"context"

api/server/router/image/backend.go

@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"context"
@@ -22,7 +22,7 @@ type Backend interface {
 }
 
 type imageBackend interface {
-	ImageDelete(ctx context.Context, imageRef string, force, prune bool) ([]image.DeleteResponse, error)
+	ImageDelete(ctx context.Context, imageRef string, options image.RemoveOptions) ([]image.DeleteResponse, error)
 	ImageHistory(ctx context.Context, imageName string, platform *ocispec.Platform) ([]*image.HistoryResponseItem, error)
 	Images(ctx context.Context, opts image.ListOptions) ([]*image.Summary, error)
 	GetImage(ctx context.Context, refOrID string, options backend.GetImageOpts) (*dockerimage.Image, error)

api/server/router/image/image.go

@@ -1,24 +1,21 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/reference"
 )
 
 // imageRouter is a router to talk with the image controller
 type imageRouter struct {
-	backend          Backend
-	searcher         Searcher
-	referenceBackend reference.Store
-	routes           []router.Route
+	backend  Backend
+	searcher Searcher
+	routes   []router.Route
 }
 
 // NewRouter initializes a new image router
-func NewRouter(backend Backend, searcher Searcher, referenceBackend reference.Store) router.Router {
+func NewRouter(backend Backend, searcher Searcher) router.Router {
 	ir := &imageRouter{
-		backend:          backend,
-		searcher:         searcher,
-		referenceBackend: referenceBackend,
+		backend:  backend,
+		searcher: searcher,
 	}
 	ir.initRoutes()
 	return ir

api/server/router/image/image_routes.go

@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"context"
@@ -110,7 +110,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 			return errdefs.InvalidParameter(err)
 		}
 
-		if len(comment) == 0 {
+		if comment == "" {
 			comment = "Imported from " + src
 		}
 
@@ -323,7 +323,20 @@ func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter,
 	force := httputils.BoolValue(r, "force")
 	prune := !httputils.BoolValue(r, "noprune")
 
-	list, err := ir.backend.ImageDelete(ctx, name, force, prune)
+	var platforms []ocispec.Platform
+	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.50") {
+		p, err := httputils.DecodePlatforms(r.Form["platforms"])
+		if err != nil {
+			return err
+		}
+		platforms = p
+	}
+
+	list, err := ir.backend.ImageDelete(ctx, name, imagetypes.RemoveOptions{
+		Force:         force,
+		PruneChildren: prune,
+		Platforms:     platforms,
+	})
 	if err != nil {
 		return err
 	}
@@ -341,13 +354,35 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		manifests = httputils.BoolValue(r, "manifests")
 	}
 
-	imageInspect, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
+	var platform *ocispec.Platform
+	if r.Form.Get("platform") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.49") {
+		p, err := httputils.DecodePlatform(r.Form.Get("platform"))
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+		platform = p
+	}
+
+	if manifests && platform != nil {
+		return errdefs.InvalidParameter(errors.New("conflicting options: manifests and platform options cannot both be set"))
+	}
+
+	resp, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
 		Manifests: manifests,
+		Platform:  platform,
 	})
 	if err != nil {
 		return err
 	}
 
+	// inspectResponse preserves fields in the response that have an
+	// "omitempty" in the OCI spec, but didn't omit such fields in
+	// legacy responses before API v1.50.
+	imageInspect := &inspectCompatResponse{
+		InspectResponse: resp,
+		legacyConfig:    legacyConfigFields["current"],
+	}
+
 	// Make sure we output empty arrays instead of nil. While Go nil slice is functionally equivalent to an empty slice,
 	// it matters for the JSON representation.
 	if imageInspect.RepoTags == nil {
@@ -374,6 +409,10 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 	if versions.LessThan(version, "1.48") {
 		imageInspect.Descriptor = nil
 	}
+	if versions.LessThan(version, "1.50") {
+		imageInspect.legacyConfig = legacyConfigFields["v1.49"]
+	}
+
 	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
 }
 
@@ -420,6 +459,7 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 	useNone := versions.LessThan(version, "1.43")
 	withVirtualSize := versions.LessThan(version, "1.44")
 	noDescriptor := versions.LessThan(version, "1.48")
+	noContainers := versions.LessThan(version, "1.51")
 	for _, img := range images {
 		if useNone {
 			if len(img.RepoTags) == 0 && len(img.RepoDigests) == 0 {
@@ -440,6 +480,9 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		if noDescriptor {
 			img.Descriptor = nil
 		}
+		if noContainers {
+			img.Containers = -1
+		}
 	}
 
 	return httputils.WriteJSON(w, http.StatusOK, images)

api/server/router/image/inspect_response.go

@@ -0,0 +1,88 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package image
+
+import (
+	"encoding/json"
+	"maps"
+
+	"github.com/docker/docker/api/types/image"
+)
+
+// legacyConfigFields defines legacy image-config fields to include in
+// API responses on older API versions.
+var legacyConfigFields = map[string]map[string]any{
+	// Legacy fields for API v1.49 and lower. These fields are deprecated
+	// and omitted in newer API versions; see https://github.com/moby/moby/pull/48457
+	"v1.49": {
+		"AttachStderr": false,
+		"AttachStdin":  false,
+		"AttachStdout": false,
+		"Cmd":          nil,
+		"Domainname":   "",
+		"Entrypoint":   nil,
+		"Env":          nil,
+		"Hostname":     "",
+		"Image":        "",
+		"Labels":       nil,
+		"OnBuild":      nil,
+		"OpenStdin":    false,
+		"StdinOnce":    false,
+		"Tty":          false,
+		"User":         "",
+		"Volumes":      nil,
+		"WorkingDir":   "",
+	},
+	// Legacy fields for current API versions (v1.50 and up). These fields
+	// did not have an "omitempty" and were always included in the response,
+	// even if not set; see https://github.com/moby/moby/issues/50134
+	"current": {
+		"Cmd":        nil,
+		"Entrypoint": nil,
+		"Env":        nil,
+		"Labels":     nil,
+		"OnBuild":    nil,
+		"User":       "",
+		"Volumes":    nil,
+		"WorkingDir": "",
+	},
+}
+
+// inspectCompatResponse is a wrapper around [image.InspectResponse] with a
+// custom marshal function for legacy [api/types/container.Config} fields
+// that have been removed, or did not have omitempty.
+type inspectCompatResponse struct {
+	*image.InspectResponse
+	legacyConfig map[string]any
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (ir *inspectCompatResponse) MarshalJSON() ([]byte, error) {
+	type tmp *image.InspectResponse
+	base, err := json.Marshal((tmp)(ir.InspectResponse))
+	if err != nil {
+		return nil, err
+	}
+	if len(ir.legacyConfig) == 0 {
+		return base, nil
+	}
+
+	type resp struct {
+		*image.InspectResponse
+		Config map[string]any
+	}
+
+	var merged resp
+	err = json.Unmarshal(base, &merged)
+	if err != nil {
+		return base, nil
+	}
+
+	// prevent mutating legacyConfigFields.
+	cfg := maps.Clone(ir.legacyConfig)
+	maps.Copy(cfg, merged.Config)
+	merged.Config = cfg
+	return json.Marshal(merged)
+}

api/server/router/image/inspect_response_test.go

@@ -0,0 +1,74 @@
+package image
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/docker/docker/api/types/image"
+	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestInspectResponse(t *testing.T) {
+	tests := []struct {
+		doc          string
+		cfg          *ocispec.ImageConfig
+		legacyConfig map[string]any
+		expected     string
+	}{
+		{
+			doc:      "empty",
+			expected: `null`,
+		},
+		{
+			doc: "no legacy config",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			expected: `{"Cmd":["/bin/sh"],"StopSignal":"SIGQUIT"}`,
+		},
+		{
+			doc: "api < v1.50",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			legacyConfig: legacyConfigFields["v1.49"],
+			expected:     `{"AttachStderr":false,"AttachStdin":false,"AttachStdout":false,"Cmd":["/bin/sh"],"Domainname":"","Entrypoint":null,"Env":null,"Hostname":"","Image":"","Labels":null,"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"StopSignal":"SIGQUIT","Tty":false,"User":"","Volumes":null,"WorkingDir":""}`,
+		},
+		{
+			doc: "api >= v1.50",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			legacyConfig: legacyConfigFields["current"],
+			expected:     `{"Cmd":["/bin/sh"],"Entrypoint":null,"Env":null,"Labels":null,"OnBuild":null,"StopSignal":"SIGQUIT","User":"","Volumes":null,"WorkingDir":""}`,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			imgInspect := &image.InspectResponse{}
+			if tc.cfg != nil {
+				// Verify that fields that are set override the legacy values,
+				// or appended if not part of the legacy values.
+				imgInspect.Config = &dockerspec.DockerOCIImageConfig{
+					ImageConfig: *tc.cfg,
+				}
+			}
+			out, err := json.Marshal(&inspectCompatResponse{
+				InspectResponse: imgInspect,
+				legacyConfig:    tc.legacyConfig,
+			})
+			assert.NilError(t, err)
+
+			var outMap struct{ Config json.RawMessage }
+			err = json.Unmarshal(out, &outMap)
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(string(outMap.Config), tc.expected))
+		})
+	}
+}

api/server/router/local.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import (
 	"net/http"

api/server/router/network/backend.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"context"
@@ -12,7 +12,7 @@ import (
 // to provide network specific functionality.
 type Backend interface {
 	GetNetworks(filters.Args, backend.NetworkListConfig) ([]network.Inspect, error)
-	CreateNetwork(nc network.CreateRequest) (*network.CreateResponse, error)
+	CreateNetwork(ctx context.Context, nc network.CreateRequest) (*network.CreateResponse, error)
 	ConnectContainerToNetwork(ctx context.Context, containerName, networkName string, endpointConfig *network.EndpointSettings) error
 	DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error
 	DeleteNetwork(networkID string) error

api/server/router/network/network.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"github.com/docker/docker/api/server/router"
@@ -22,22 +22,22 @@ func NewRouter(b Backend, c ClusterBackend) router.Router {
 }
 
 // Routes returns the available routes to the network controller
-func (r *networkRouter) Routes() []router.Route {
-	return r.routes
+func (n *networkRouter) Routes() []router.Route {
+	return n.routes
 }
 
-func (r *networkRouter) initRoutes() {
-	r.routes = []router.Route{
+func (n *networkRouter) initRoutes() {
+	n.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/networks", r.getNetworksList),
-		router.NewGetRoute("/networks/", r.getNetworksList),
-		router.NewGetRoute("/networks/{id:.+}", r.getNetwork),
+		router.NewGetRoute("/networks", n.getNetworksList),
+		router.NewGetRoute("/networks/", n.getNetworksList),
+		router.NewGetRoute("/networks/{id:.+}", n.getNetwork),
 		// POST
-		router.NewPostRoute("/networks/create", r.postNetworkCreate),
-		router.NewPostRoute("/networks/{id:.*}/connect", r.postNetworkConnect),
-		router.NewPostRoute("/networks/{id:.*}/disconnect", r.postNetworkDisconnect),
-		router.NewPostRoute("/networks/prune", r.postNetworksPrune),
+		router.NewPostRoute("/networks/create", n.postNetworkCreate),
+		router.NewPostRoute("/networks/{id:.*}/connect", n.postNetworkConnect),
+		router.NewPostRoute("/networks/{id:.*}/disconnect", n.postNetworkDisconnect),
+		router.NewPostRoute("/networks/prune", n.postNetworksPrune),
 		// DELETE
-		router.NewDeleteRoute("/networks/{id:.*}", r.deleteNetwork),
+		router.NewDeleteRoute("/networks/{id:.*}", n.deleteNetwork),
 	}
 }

api/server/router/network/network_routes.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"context"
@@ -145,7 +145,7 @@ func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r
 			// ex: overlay/partial_ID or name/swarm_scope
 			if nwv, ok := listByPartialID[nwk.ID]; ok {
 				nwk = nwv
-			} else if nwv, ok := listByFullName[nwk.ID]; ok {
+			} else if nwv, ok = listByFullName[nwk.ID]; ok {
 				nwk = nwv
 			}
 			return httputils.WriteJSON(w, http.StatusOK, nwk)
@@ -223,7 +223,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 	// validate the configuration. The network will not be created but, if the
 	// configuration is valid, ManagerRedirectError will be returned and handled
 	// below.
-	nw, err := n.backend.CreateNetwork(create)
+	nw, err := n.backend.CreateNetwork(ctx, create)
 	if err != nil {
 		if _, ok := err.(libnetwork.ManagerRedirectError); !ok {
 			return err

api/server/router/plugin/backend.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import (
 	"context"

api/server/router/plugin/plugin.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import "github.com/docker/docker/api/server/router"
 
@@ -18,22 +18,22 @@ func NewRouter(b Backend) router.Router {
 }
 
 // Routes returns the available routers to the plugin controller
-func (r *pluginRouter) Routes() []router.Route {
-	return r.routes
+func (pr *pluginRouter) Routes() []router.Route {
+	return pr.routes
 }
 
-func (r *pluginRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewGetRoute("/plugins", r.listPlugins),
-		router.NewGetRoute("/plugins/{name:.*}/json", r.inspectPlugin),
-		router.NewGetRoute("/plugins/privileges", r.getPrivileges),
-		router.NewDeleteRoute("/plugins/{name:.*}", r.removePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/enable", r.enablePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/disable", r.disablePlugin),
-		router.NewPostRoute("/plugins/pull", r.pullPlugin),
-		router.NewPostRoute("/plugins/{name:.*}/push", r.pushPlugin),
-		router.NewPostRoute("/plugins/{name:.*}/upgrade", r.upgradePlugin),
-		router.NewPostRoute("/plugins/{name:.*}/set", r.setPlugin),
-		router.NewPostRoute("/plugins/create", r.createPlugin),
+func (pr *pluginRouter) initRoutes() {
+	pr.routes = []router.Route{
+		router.NewGetRoute("/plugins", pr.listPlugins),
+		router.NewGetRoute("/plugins/{name:.*}/json", pr.inspectPlugin),
+		router.NewGetRoute("/plugins/privileges", pr.getPrivileges),
+		router.NewDeleteRoute("/plugins/{name:.*}", pr.removePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/enable", pr.enablePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/disable", pr.disablePlugin),
+		router.NewPostRoute("/plugins/pull", pr.pullPlugin),
+		router.NewPostRoute("/plugins/{name:.*}/push", pr.pushPlugin),
+		router.NewPostRoute("/plugins/{name:.*}/upgrade", pr.upgradePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/set", pr.setPlugin),
+		router.NewPostRoute("/plugins/create", pr.createPlugin),
 	}
 }

api/server/router/plugin/plugin_routes.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import (
 	"context"

api/server/router/router.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import "github.com/docker/docker/api/server/httputils"
 

api/server/router/session/backend.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import (
 	"context"

api/server/router/session/session.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import "github.com/docker/docker/api/server/router"
 
@@ -18,12 +18,12 @@ func NewRouter(b Backend) router.Router {
 }
 
 // Routes returns the available routers to the session controller
-func (r *sessionRouter) Routes() []router.Route {
-	return r.routes
+func (sr *sessionRouter) Routes() []router.Route {
+	return sr.routes
 }
 
-func (r *sessionRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewPostRoute("/session", r.startSession),
+func (sr *sessionRouter) initRoutes() {
+	sr.routes = []router.Route{
+		router.NewPostRoute("/session", sr.startSession),
 	}
 }

api/server/router/session/session_routes.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import (
 	"context"

api/server/router/swarm/backend.go

@@ -1,9 +1,8 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
@@ -18,24 +17,24 @@ type Backend interface {
 	Update(uint64, swarm.Spec, swarm.UpdateFlags) error
 	GetUnlockKey() (string, error)
 	UnlockSwarm(req swarm.UnlockRequest) error
-	GetServices(types.ServiceListOptions) ([]swarm.Service, error)
+	GetServices(swarm.ServiceListOptions) ([]swarm.Service, error)
 	GetService(idOrName string, insertDefaults bool) (swarm.Service, error)
 	CreateService(swarm.ServiceSpec, string, bool) (*swarm.ServiceCreateResponse, error)
-	UpdateService(string, uint64, swarm.ServiceSpec, types.ServiceUpdateOptions, bool) (*swarm.ServiceUpdateResponse, error)
+	UpdateService(string, uint64, swarm.ServiceSpec, swarm.ServiceUpdateOptions, bool) (*swarm.ServiceUpdateResponse, error)
 	RemoveService(string) error
 	ServiceLogs(context.Context, *backend.LogSelector, *container.LogsOptions) (<-chan *backend.LogMessage, error)
-	GetNodes(types.NodeListOptions) ([]swarm.Node, error)
+	GetNodes(swarm.NodeListOptions) ([]swarm.Node, error)
 	GetNode(string) (swarm.Node, error)
 	UpdateNode(string, uint64, swarm.NodeSpec) error
 	RemoveNode(string, bool) error
-	GetTasks(types.TaskListOptions) ([]swarm.Task, error)
+	GetTasks(swarm.TaskListOptions) ([]swarm.Task, error)
 	GetTask(string) (swarm.Task, error)
-	GetSecrets(opts types.SecretListOptions) ([]swarm.Secret, error)
+	GetSecrets(opts swarm.SecretListOptions) ([]swarm.Secret, error)
 	CreateSecret(s swarm.SecretSpec) (string, error)
 	RemoveSecret(idOrName string) error
 	GetSecret(id string) (swarm.Secret, error)
 	UpdateSecret(idOrName string, version uint64, spec swarm.SecretSpec) error
-	GetConfigs(opts types.ConfigListOptions) ([]swarm.Config, error)
+	GetConfigs(opts swarm.ConfigListOptions) ([]swarm.Config, error)
 	CreateConfig(s swarm.ConfigSpec) (string, error)
 	RemoveConfig(id string) error
 	GetConfig(id string) (swarm.Config, error)

api/server/router/swarm/cluster.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/swarm/cluster_routes.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"
@@ -8,7 +8,6 @@ import (
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
-	basictypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -140,7 +139,7 @@ func (sr *swarmRouter) getUnlockKey(ctx context.Context, w http.ResponseWriter,
 		return err
 	}
 
-	return httputils.WriteJSON(w, http.StatusOK, &basictypes.SwarmUnlockKeyResponse{
+	return httputils.WriteJSON(w, http.StatusOK, &types.UnlockKeyResponse{
 		UnlockKey: unlockKey,
 	})
 }
@@ -166,7 +165,7 @@ func (sr *swarmRouter) getServices(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 
-	services, err := sr.backend.GetServices(basictypes.ServiceListOptions{Filters: filter, Status: status})
+	services, err := sr.backend.GetServices(types.ServiceListOptions{Filters: filter, Status: status})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting services")
 		return err
@@ -245,7 +244,7 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,
 		return errdefs.InvalidParameter(err)
 	}
 
-	var flags basictypes.ServiceUpdateOptions
+	var flags types.ServiceUpdateOptions
 
 	// Get returns "" if the header does not exist
 	flags.EncodedRegistryAuth = r.Header.Get(registry.AuthHeader)
@@ -314,7 +313,7 @@ func (sr *swarmRouter) getNodes(ctx context.Context, w http.ResponseWriter, r *h
 		return err
 	}
 
-	nodes, err := sr.backend.GetNodes(basictypes.NodeListOptions{Filters: filter})
+	nodes, err := sr.backend.GetNodes(types.NodeListOptions{Filters: filter})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting nodes")
 		return err
@@ -385,7 +384,7 @@ func (sr *swarmRouter) getTasks(ctx context.Context, w http.ResponseWriter, r *h
 		return err
 	}
 
-	tasks, err := sr.backend.GetTasks(basictypes.TaskListOptions{Filters: filter})
+	tasks, err := sr.backend.GetTasks(types.TaskListOptions{Filters: filter})
 	if err != nil {
 		log.G(ctx).WithContext(ctx).WithError(err).Debug("Error getting tasks")
 		return err
@@ -416,7 +415,7 @@ func (sr *swarmRouter) getSecrets(ctx context.Context, w http.ResponseWriter, r
 		return err
 	}
 
-	secrets, err := sr.backend.GetSecrets(basictypes.SecretListOptions{Filters: filters})
+	secrets, err := sr.backend.GetSecrets(types.SecretListOptions{Filters: filters})
 	if err != nil {
 		return err
 	}
@@ -439,7 +438,7 @@ func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter,
 		return err
 	}
 
-	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.SecretCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &types.SecretCreateResponse{
 		ID: id,
 	})
 }
@@ -487,7 +486,7 @@ func (sr *swarmRouter) getConfigs(ctx context.Context, w http.ResponseWriter, r
 		return err
 	}
 
-	configs, err := sr.backend.GetConfigs(basictypes.ConfigListOptions{Filters: filters})
+	configs, err := sr.backend.GetConfigs(types.ConfigListOptions{Filters: filters})
 	if err != nil {
 		return err
 	}
@@ -511,7 +510,7 @@ func (sr *swarmRouter) createConfig(ctx context.Context, w http.ResponseWriter,
 		return err
 	}
 
-	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.ConfigCreateResponse{
+	return httputils.WriteJSON(w, http.StatusCreated, &types.ConfigCreateResponse{
 		ID: id,
 	})
 }

api/server/router/swarm/helpers.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"
@@ -22,7 +22,7 @@ func (sr *swarmRouter) swarmLogs(ctx context.Context, w http.ResponseWriter, r *
 	// any error after the stream starts (i.e. container not found, wrong parameters)
 	// with the appropriate status code.
 	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
-	if !(stdout || stderr) {
+	if !stdout && !stderr {
 		return fmt.Errorf("Bad parameters: you must choose at least one stream")
 	}
 

api/server/router/swarm/helpers_test.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"reflect"

api/server/router/system/backend.go

@@ -1,10 +1,11 @@
-package system // import "github.com/docker/docker/api/server/router/system"
+package system
 
 import (
 	"context"
 	"time"
 
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -29,7 +30,7 @@ type DiskUsageOptions struct {
 type Backend interface {
 	SystemInfo(context.Context) (*system.Info, error)
 	SystemVersion(context.Context) (types.Version, error)
-	SystemDiskUsage(ctx context.Context, opts DiskUsageOptions) (*types.DiskUsage, error)
+	SystemDiskUsage(ctx context.Context, opts DiskUsageOptions) (*system.DiskUsage, error)
 	SubscribeToEvents(since, until time.Time, ef filters.Args) ([]events.Message, chan interface{})
 	UnsubscribeFromEvents(chan interface{})
 	AuthenticateToRegistry(ctx context.Context, authConfig *registry.AuthConfig) (string, string, error)
@@ -41,6 +42,11 @@ type ClusterBackend interface {
 	Info(context.Context) swarm.Info
 }
 
+// BuildBackend provides build specific system information.
+type BuildBackend interface {
+	DiskUsage(context.Context) ([]*build.CacheRecord, error)
+}
+
 // StatusProvider provides methods to get the swarm status of the current node.
 type StatusProvider interface {
 	Status() string

api/server/router/system/info_response.go

@@ -0,0 +1,39 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package system
+
+import (
+	"encoding/json"
+
+	"github.com/docker/docker/api/types/system"
+)
+
+// infoResponse is a wrapper around [system.Info] with a custom
+// marshal function for legacy fields.
+type infoResponse struct {
+	*system.Info
+
+	// extraFields is for internal use to include deprecated fields on older API versions.
+	extraFields map[string]any
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (sc *infoResponse) MarshalJSON() ([]byte, error) {
+	type tmp *system.Info
+	base, err := json.Marshal((tmp)(sc.Info))
+	if err != nil {
+		return nil, err
+	}
+	if len(sc.extraFields) == 0 {
+		return base, nil
+	}
+	var merged map[string]any
+	_ = json.Unmarshal(base, &merged)
+
+	for k, v := range sc.extraFields {
+		merged[k] = v
+	}
+	return json.Marshal(merged)
+}

api/server/router/system/info_response_test.go

@@ -0,0 +1,33 @@
+package system
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/system"
+)
+
+func TestLegacyFields(t *testing.T) {
+	infoResp := &infoResponse{
+		Info: &system.Info{
+			Containers: 10,
+		},
+		extraFields: map[string]any{
+			"LegacyFoo": false,
+			"LegacyBar": true,
+		},
+	}
+
+	data, err := json.MarshalIndent(infoResp, "", "  ")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := `"LegacyFoo": false`; !strings.Contains(string(data), expected) {
+		t.Errorf("legacy fields should contain %s: %s", expected, string(data))
+	}
+	if expected := `"LegacyBar": true`; !strings.Contains(string(data), expected) {
+		t.Errorf("legacy fields should contain %s: %s", expected, string(data))
+	}
+}

api/server/router/system/system.go

@@ -1,12 +1,10 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
-package system // import "github.com/docker/docker/api/server/router/system"
+package system
 
 import (
 	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/api/types/system"
-	buildkit "github.com/docker/docker/builder/builder-next"
 	"resenje.org/singleflight"
 )
 
@@ -16,17 +14,17 @@ type systemRouter struct {
 	backend  Backend
 	cluster  ClusterBackend
 	routes   []router.Route
-	builder  *buildkit.Builder
+	builder  BuildBackend
 	features func() map[string]bool
 
 	// collectSystemInfo is a single-flight for the /info endpoint,
 	// unique per API version (as different API versions may return
 	// a different API response).
-	collectSystemInfo singleflight.Group[string, *system.Info]
+	collectSystemInfo singleflight.Group[string, *infoResponse]
 }
 
 // NewRouter initializes a new system router
-func NewRouter(b Backend, c ClusterBackend, builder *buildkit.Builder, features func() map[string]bool) router.Router {
+func NewRouter(b Backend, c ClusterBackend, builder BuildBackend, features func() map[string]bool) router.Router {
 	r := &systemRouter{
 		backend:  b,
 		cluster:  c,

api/server/router/system/system_routes.go

@@ -1,4 +1,7 @@
-package system // import "github.com/docker/docker/api/server/router/system"
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package system
 
 import (
 	"context"
@@ -11,6 +14,7 @@ import (
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/server/router/build"
 	"github.com/docker/docker/api/types"
+	buildtypes "github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
@@ -59,7 +63,7 @@ func (s *systemRouter) swarmStatus() string {
 
 func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	version := httputils.VersionFromContext(ctx)
-	info, _, _ := s.collectSystemInfo.Do(ctx, version, func(ctx context.Context) (*system.Info, error) {
+	info, _, _ := s.collectSystemInfo.Do(ctx, version, func(ctx context.Context) (*infoResponse, error) {
 		info, err := s.backend.SystemInfo(ctx)
 		if err != nil {
 			return nil, err
@@ -103,20 +107,40 @@ func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *ht
 		if versions.LessThan(version, "1.47") {
 			// Field is omitted in API 1.48 and up, but should still be included
 			// in older versions, even if no values are set.
-			info.RegistryConfig.AllowNondistributableArtifactsCIDRs = []*registry.NetIPNet{}
-			info.RegistryConfig.AllowNondistributableArtifactsHostnames = []string{}
+			info.RegistryConfig.ExtraFields = map[string]any{
+				"AllowNondistributableArtifactsCIDRs":     json.RawMessage(nil),
+				"AllowNondistributableArtifactsHostnames": json.RawMessage(nil),
+			}
+		}
+		if versions.LessThan(version, "1.49") {
+			// FirewallBackend field introduced in API v1.49.
+			info.FirewallBackend = nil
 		}
 
-		// TODO(thaJeztah): Expected commits are deprecated, and should no longer be set in API 1.49.
-		info.ContainerdCommit.Expected = info.ContainerdCommit.ID //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-		info.RuncCommit.Expected = info.RuncCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-		info.InitCommit.Expected = info.InitCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
-
+		extraFields := map[string]any{}
+		if versions.LessThan(version, "1.49") {
+			// Expected commits are omitted in API 1.49, but should still be
+			// included in older versions.
+			info.ContainerdCommit.Expected = info.ContainerdCommit.ID //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
+			info.RuncCommit.Expected = info.RuncCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
+			info.InitCommit.Expected = info.InitCommit.ID             //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.49.
+		}
 		if versions.GreaterThanOrEqualTo(version, "1.42") {
 			info.KernelMemory = false
 		}
-		return info, nil
+		if versions.LessThan(version, "1.50") {
+			info.DiscoveredDevices = nil
+
+			// These fields are omitted in > API 1.49, and always false
+			// older API versions.
+			extraFields = map[string]any{
+				"BridgeNfIptables":  json.RawMessage("false"),
+				"BridgeNfIp6tables": json.RawMessage("false"),
+			}
+		}
+		return &infoResponse{Info: info, extraFields: extraFields}, nil
 	})
+
 	return httputils.WriteJSON(w, http.StatusOK, info)
 }
 
@@ -159,7 +183,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 
 	eg, ctx := errgroup.WithContext(ctx)
 
-	var systemDiskUsage *types.DiskUsage
+	var systemDiskUsage *system.DiskUsage
 	if getContainers || getImages || getVolumes {
 		eg.Go(func() error {
 			var err error
@@ -172,7 +196,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 		})
 	}
 
-	var buildCache []*types.BuildCache
+	var buildCache []*buildtypes.CacheRecord
 	if getBuildCache {
 		eg.Go(func() error {
 			var err error
@@ -183,7 +207,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 			if buildCache == nil {
 				// Ensure empty `BuildCache` field is represented as empty JSON array(`[]`)
 				// instead of `null` to be consistent with `Images`, `Containers` etc.
-				buildCache = []*types.BuildCache{}
+				buildCache = []*buildtypes.CacheRecord{}
 			}
 			return nil
 		})
@@ -208,23 +232,42 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 			b.Parent = "" //nolint:staticcheck // ignore SA1019 (Parent field is deprecated)
 		}
 	}
-	if versions.LessThan(version, "1.44") {
-		for _, b := range systemDiskUsage.Images {
+	if versions.LessThan(version, "1.44") && systemDiskUsage != nil && systemDiskUsage.Images != nil {
+		for _, b := range systemDiskUsage.Images.Items {
 			b.VirtualSize = b.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
 		}
 	}
 
-	du := types.DiskUsage{
-		BuildCache:  buildCache,
-		BuilderSize: builderSize,
+	du := system.DiskUsage{}
+	if getBuildCache {
+		du.BuildCache = &buildtypes.CacheDiskUsage{
+			TotalSize: builderSize,
+			Items:     buildCache,
+		}
 	}
 	if systemDiskUsage != nil {
-		du.LayersSize = systemDiskUsage.LayersSize
 		du.Images = systemDiskUsage.Images
 		du.Containers = systemDiskUsage.Containers
 		du.Volumes = systemDiskUsage.Volumes
 	}
-	return httputils.WriteJSON(w, http.StatusOK, du)
+
+	// Use the old struct for the API return value.
+	var v types.DiskUsage
+	if du.Images != nil {
+		v.LayersSize = du.Images.TotalSize
+		v.Images = du.Images.Items
+	}
+	if du.Containers != nil {
+		v.Containers = du.Containers.Items
+	}
+	if du.Volumes != nil {
+		v.Volumes = du.Volumes.Items
+	}
+	if du.BuildCache != nil {
+		v.BuildCache = du.BuildCache.Items
+	}
+	v.BuilderSize = builderSize
+	return httputils.WriteJSON(w, http.StatusOK, v)
 }
 
 type invalidRequestError struct {

api/server/router/volume/backend.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import (
 	"context"

api/server/router/volume/volume.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import "github.com/docker/docker/api/server/router"
 
@@ -20,21 +20,21 @@ func NewRouter(b Backend, cb ClusterBackend) router.Router {
 }
 
 // Routes returns the available routes to the volumes controller
-func (r *volumeRouter) Routes() []router.Route {
-	return r.routes
+func (v *volumeRouter) Routes() []router.Route {
+	return v.routes
 }
 
-func (r *volumeRouter) initRoutes() {
-	r.routes = []router.Route{
+func (v *volumeRouter) initRoutes() {
+	v.routes = []router.Route{
 		// GET
-		router.NewGetRoute("/volumes", r.getVolumesList),
-		router.NewGetRoute("/volumes/{name:.*}", r.getVolumeByName),
+		router.NewGetRoute("/volumes", v.getVolumesList),
+		router.NewGetRoute("/volumes/{name:.*}", v.getVolumeByName),
 		// POST
-		router.NewPostRoute("/volumes/create", r.postVolumesCreate),
-		router.NewPostRoute("/volumes/prune", r.postVolumesPrune),
+		router.NewPostRoute("/volumes/create", v.postVolumesCreate),
+		router.NewPostRoute("/volumes/prune", v.postVolumesPrune),
 		// PUT
-		router.NewPutRoute("/volumes/{name:.*}", r.putVolumesUpdate),
+		router.NewPutRoute("/volumes/{name:.*}", v.putVolumesUpdate),
 		// DELETE
-		router.NewDeleteRoute("/volumes/{name:.*}", r.deleteVolumes),
+		router.NewDeleteRoute("/volumes/{name:.*}", v.deleteVolumes),
 	}
 }

api/server/router/volume/volume_routes.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import (
 	"context"
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"strconv"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/filters"
@@ -69,7 +70,7 @@ func (v *volumeRouter) getVolumeByName(ctx context.Context, w http.ResponseWrite
 	// if the volume is not found in the regular volume backend, and the client
 	// is using an API version greater than 1.42 (when cluster volumes were
 	// introduced), then check if Swarm has the volume.
-	if errdefs.IsNotFound(err) && versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
+	if cerrdefs.IsNotFound(err) && versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
 		swarmVol, err := v.cluster.GetVolume(vars["name"])
 		// if swarm returns an error and that error indicates that swarm is not
 		// initialized, return original NotFound error. Otherwise, we'd return
@@ -164,7 +165,7 @@ func (v *volumeRouter) deleteVolumes(ctx context.Context, w http.ResponseWriter,
 	// errors at this stage. Note that no "not found" error is produced if
 	// "force" is enabled.
 	err := v.backend.Remove(ctx, vars["name"], opts.WithPurgeOnError(force))
-	if err != nil && !errdefs.IsNotFound(err) {
+	if err != nil && !cerrdefs.IsNotFound(err) {
 		return err
 	}
 
@@ -172,7 +173,7 @@ func (v *volumeRouter) deleteVolumes(ctx context.Context, w http.ResponseWriter,
 	// is enabled, the volume backend won't return an error for non-existing
 	// volumes, so we don't know if removal succeeded (or not volume existed).
 	// In that case we always try to delete cluster volumes as well.
-	if errdefs.IsNotFound(err) || force {
+	if cerrdefs.IsNotFound(err) || force {
 		version := httputils.VersionFromContext(ctx)
 		if versions.GreaterThanOrEqualTo(version, clusterVolumesVersion) && v.cluster.IsManager() {
 			err = v.cluster.RemoveVolume(vars["name"], force)

api/server/router/volume/volume_routes_test.go

@@ -5,11 +5,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"net/http/httptest"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/volume"
@@ -20,7 +22,7 @@ import (
 func callGetVolume(v *volumeRouter, name string) (*httptest.ResponseRecorder, error) {
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	vars := map[string]string{"name": name}
-	req := httptest.NewRequest("GET", fmt.Sprintf("/volumes/%s", name), nil)
+	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/volumes/%s", name), http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.getVolumeByName(ctx, resp, req, vars)
@@ -30,7 +32,7 @@ func callGetVolume(v *volumeRouter, name string) (*httptest.ResponseRecorder, er
 func callListVolumes(v *volumeRouter) (*httptest.ResponseRecorder, error) {
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	vars := map[string]string{}
-	req := httptest.NewRequest("GET", "/volumes", nil)
+	req := httptest.NewRequest(http.MethodGet, "/volumes", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.getVolumesList(ctx, resp, req, vars)
@@ -46,7 +48,7 @@ func TestGetVolumeByNameNotFoundNoSwarm(t *testing.T) {
 	_, err := callGetVolume(v, "notReal")
 
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, cerrdefs.IsNotFound(err))
 }
 
 func TestGetVolumeByNameNotFoundNotManager(t *testing.T) {
@@ -58,7 +60,7 @@ func TestGetVolumeByNameNotFoundNotManager(t *testing.T) {
 	_, err := callGetVolume(v, "notReal")
 
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, cerrdefs.IsNotFound(err))
 }
 
 func TestGetVolumeByNameNotFound(t *testing.T) {
@@ -70,7 +72,7 @@ func TestGetVolumeByNameNotFound(t *testing.T) {
 	_, err := callGetVolume(v, "notReal")
 
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, cerrdefs.IsNotFound(err))
 }
 
 func TestGetVolumeByNameFoundRegular(t *testing.T) {
@@ -193,7 +195,7 @@ func TestCreateRegularVolume(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/create", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
@@ -231,13 +233,13 @@ func TestCreateSwarmVolumeNoSwarm(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/create", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
 	err = v.postVolumesCreate(ctx, resp, req, nil)
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsUnavailable(err))
+	assert.Assert(t, cerrdefs.IsUnavailable(err))
 }
 
 func TestCreateSwarmVolumeNotManager(t *testing.T) {
@@ -260,13 +262,13 @@ func TestCreateSwarmVolumeNotManager(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/create", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
 	err = v.postVolumesCreate(ctx, resp, req, nil)
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsUnavailable(err))
+	assert.Assert(t, cerrdefs.IsUnavailable(err))
 }
 
 func TestCreateVolumeCluster(t *testing.T) {
@@ -292,7 +294,7 @@ func TestCreateVolumeCluster(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/create", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/create", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
@@ -339,7 +341,7 @@ func TestUpdateVolume(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
@@ -368,14 +370,14 @@ func TestUpdateVolumeNoSwarm(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
 
 	err = v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsUnavailable(err))
+	assert.Assert(t, cerrdefs.IsUnavailable(err))
 }
 
 func TestUpdateVolumeNotFound(t *testing.T) {
@@ -400,14 +402,14 @@ func TestUpdateVolumeNotFound(t *testing.T) {
 	assert.NilError(t, err)
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("POST", "/volumes/vol1/update?version=0", &buf)
+	req := httptest.NewRequest(http.MethodPost, "/volumes/vol1/update?version=0", &buf)
 	req.Header.Add("Content-Type", "application/json")
 
 	resp := httptest.NewRecorder()
 
 	err = v.putVolumesUpdate(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, cerrdefs.IsNotFound(err))
 }
 
 func TestVolumeRemove(t *testing.T) {
@@ -426,7 +428,7 @@ func TestVolumeRemove(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -453,7 +455,7 @@ func TestVolumeRemoveSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -470,12 +472,12 @@ func TestVolumeRemoveNotFoundNoSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err), err.Error())
+	assert.Assert(t, cerrdefs.IsNotFound(err), err.Error())
 }
 
 func TestVolumeRemoveNotFoundNoManager(t *testing.T) {
@@ -487,12 +489,12 @@ func TestVolumeRemoveNotFoundNoManager(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, cerrdefs.IsNotFound(err))
 }
 
 func TestVolumeRemoveFoundNoSwarm(t *testing.T) {
@@ -511,7 +513,7 @@ func TestVolumeRemoveFoundNoSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -534,12 +536,12 @@ func TestVolumeRemoveNoSwarmInUse(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/inuse", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/inuse", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "inuse"})
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsConflict(err))
+	assert.Assert(t, cerrdefs.IsConflict(err))
 }
 
 func TestVolumeRemoveSwarmForce(t *testing.T) {
@@ -562,16 +564,16 @@ func TestVolumeRemoveSwarmForce(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest("DELETE", "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
 
 	assert.Assert(t, err != nil)
-	assert.Assert(t, errdefs.IsConflict(err))
+	assert.Assert(t, cerrdefs.IsConflict(err))
 
 	ctx = context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req = httptest.NewRequest("DELETE", "/volumes/vol1?force=1", nil)
+	req = httptest.NewRequest(http.MethodDelete, "/volumes/vol1?force=1", http.NoBody)
 	resp = httptest.NewRecorder()
 
 	err = v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})

api/server/server.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"context"
@@ -10,9 +10,12 @@ import (
 	"github.com/docker/docker/api/server/middleware"
 	"github.com/docker/docker/api/server/router"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/internal/otelutil"
 	"github.com/gorilla/mux"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel/baggage"
 )
 
 // versionMatcher defines a variable matcher to be parsed by the router
@@ -42,7 +45,10 @@ func (s *Server) makeHTTPHandler(handler httputils.APIFunc, operation string) ht
 
 		// use intermediate variable to prevent "should not use basic type
 		// string as key in context.WithValue" golint errors
-		ctx := context.WithValue(r.Context(), dockerversion.UAStringKey{}, r.Header.Get("User-Agent"))
+		ua := r.Header.Get("User-Agent")
+		ctx := baggage.ContextWithBaggage(context.WithValue(r.Context(), dockerversion.UAStringKey{}, ua), otelutil.MustNewBaggage(
+			otelutil.MustNewMemberRaw(otelutil.TriggerKey, "api"),
+		))
 
 		r = r.WithContext(ctx)
 		handlerFunc := s.handlerWithGlobalMiddlewares(handler)
@@ -54,12 +60,23 @@ func (s *Server) makeHTTPHandler(handler httputils.APIFunc, operation string) ht
 
 		if err := handlerFunc(ctx, w, r, vars); err != nil {
 			statusCode := httpstatus.FromError(err)
-			if statusCode >= 500 {
+			if statusCode >= http.StatusInternalServerError {
 				log.G(ctx).Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err)
 			}
-			_ = httputils.WriteJSON(w, statusCode, &types.ErrorResponse{
-				Message: err.Error(),
-			})
+			// While we no longer support API versions older 1.24 [api.MinSupportedAPIVersion],
+			// a client may try to connect using an older version and expect a plain-text error
+			// instead of a JSON error. This would result in an "API version too old" error
+			// formatted in JSON being printed as-is.
+			//
+			// Let's be nice, and return errors in plain-text to provide a more readable error
+			// to help the user understand the API version they're using is no longer supported.
+			if v := vars["version"]; v != "" && versions.LessThan(v, "1.24") {
+				http.Error(w, err.Error(), statusCode)
+			} else {
+				_ = httputils.WriteJSON(w, statusCode, &types.ErrorResponse{
+					Message: err.Error(),
+				})
+			}
 		}
 	}), operation).ServeHTTP
 }

api/server/server_test.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"context"
@@ -21,7 +21,7 @@ func TestMiddlewares(t *testing.T) {
 	}
 	srv.UseMiddleware(*m)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 

api/swagger.yaml

@@ -19,10 +19,10 @@ produces:
 consumes:
   - "application/json"
   - "text/plain"
-basePath: "/v1.48"
+basePath: "/v1.51"
 info:
   title: "Docker Engine API"
-  version: "1.48"
+  version: "1.51"
   x-logo:
     url: "https://docs.docker.com/assets/images/logo-docker-main.png"
   description: |
@@ -55,8 +55,8 @@ info:
     the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
     is returned.
 
-    If you omit the version-prefix, the current version of the API (v1.48) is used.
-    For example, calling `/info` is the same as calling `/v1.48/info`. Using the
+    If you omit the version-prefix, the current version of the API (v1.50) is used.
+    For example, calling `/info` is the same as calling `/v1.51/info`. Using the
     API without a version-prefix is deprecated and will be removed in a future release.
 
     Engine releases in the near future should support this version of the API,
@@ -1428,63 +1428,10 @@ definitions:
       when starting a container from the image.
     type: "object"
     properties:
-      Hostname:
-        description: |
-          The hostname to use for the container, as a valid RFC 1123 hostname.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        example: ""
-      Domainname:
-        description: |
-          The domain name to use for the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        example: ""
       User:
         description: "The user that commands are run as inside the container."
         type: "string"
         example: "web:web"
-      AttachStdin:
-        description: |
-          Whether to attach to `stdin`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      AttachStdout:
-        description: |
-          Whether to attach to `stdout`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      AttachStderr:
-        description: |
-          Whether to attach to `stderr`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
       ExposedPorts:
         description: |
           An object mapping ports to an empty object in the form:
@@ -1501,39 +1448,6 @@ definitions:
           "80/tcp": {},
           "443/tcp": {}
         }
-      Tty:
-        description: |
-          Attach standard streams to a TTY, including `stdin` if it is not closed.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      OpenStdin:
-        description: |
-          Open `stdin`
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      StdinOnce:
-        description: |
-          Close `stdin` after one attached client disconnects.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
       Env:
         description: |
           A list of environment variables to set inside the container in the
@@ -1559,18 +1473,6 @@ definitions:
         default: false
         example: false
         x-nullable: true
-      Image:
-        description: |
-          The name (or reference) of the image to use when creating the container,
-          or which was used when the container was created.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        default: ""
-        example: ""
       Volumes:
         description: |
           An object mapping mount point paths inside the container to empty
@@ -1599,30 +1501,6 @@ definitions:
         items:
           type: "string"
         example: []
-      NetworkDisabled:
-        description: |
-          Disable networking for the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-        x-nullable: true
-      MacAddress:
-        description: |
-          MAC address of the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        default: ""
-        example: ""
-        x-nullable: true
       OnBuild:
         description: |
           `ONBUILD` metadata that were defined in the image's `Dockerfile`.
@@ -1645,17 +1523,6 @@ definitions:
         type: "string"
         example: "SIGTERM"
         x-nullable: true
-      StopTimeout:
-        description: |
-          Timeout to stop a container in seconds.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "integer"
-        default: 10
-        x-nullable: true
       Shell:
         description: |
           Shell for when `RUN`, `CMD`, and `ENTRYPOINT` uses a shell.
@@ -1666,19 +1533,11 @@ definitions:
         example: ["/bin/sh", "-c"]
     # FIXME(thaJeztah): temporarily using a full example to remove some "omitempty" fields. Remove once the fields are removed.
     example:
-      "Hostname": ""
-      "Domainname": ""
       "User": "web:web"
-      "AttachStdin": false
-      "AttachStdout": false
-      "AttachStderr": false
       "ExposedPorts": {
         "80/tcp": {},
         "443/tcp": {}
       }
-      "Tty": false
-      "OpenStdin": false
-      "StdinOnce": false
       "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
       "Cmd": ["/bin/sh"]
       "Healthcheck": {
@@ -1690,7 +1549,6 @@ definitions:
         "StartInterval": 0
       }
       "ArgsEscaped": true
-      "Image": ""
       "Volumes": {
         "/app/data": {},
         "/app/config": {}
@@ -2338,8 +2196,7 @@ definitions:
           Number of containers using this image. Includes both stopped and running
           containers.
 
-          This size is not calculated by default, and depends on which API endpoint
-          is used. `-1` indicates that the value has not been set / calculated.
+          `-1` indicates that the value has not been set / calculated.
         x-nullable: false
         type: "integer"
         example: 2
@@ -2956,6 +2813,23 @@ definitions:
       progressDetail:
         $ref: "#/definitions/ProgressDetail"
 
+  DeviceInfo:
+    type: "object"
+    description: |
+      DeviceInfo represents a device that can be used by a container.
+    properties:
+      Source:
+        type: "string"
+        example: "cdi"
+        description: |
+          The origin device driver.
+      ID:
+        type: "string"
+        example: "vendor.com/gpu=0"
+        description: |
+          The unique identifier for the device within its source driver.
+          For CDI devices, this would be an FQDN like "vendor.com/gpu=0".
+
   ErrorDetail:
     type: "object"
     properties:
@@ -5988,7 +5862,7 @@ definitions:
         type: "integer"
         format: "uint64"
         x-nullable: true
-        example: 18446744073709551615
+        example: "18446744073709551615"
 
   ContainerThrottlingData:
     description: |
@@ -6856,6 +6730,17 @@ definitions:
               description: "The network pool size"
               type: "integer"
               example: "24"
+      FirewallBackend:
+        $ref: "#/definitions/FirewallInfo"
+      DiscoveredDevices:
+        description: |
+          List of devices discovered by device drivers.
+
+          Each device includes information about its source driver, kind, name,
+          and additional driver-specific attributes.
+        type: "array"
+        items:
+          $ref: "#/definitions/DeviceInfo"
       Warnings:
         description: |
           List of warnings / informational messages about missing features, or
@@ -6939,6 +6824,37 @@ definitions:
             default: "plugins.moby"
             example: "plugins.moby"
 
+  FirewallInfo:
+    description: |
+      Information about the daemon's firewalling configuration.
+
+      This field is currently only used on Linux, and omitted on other platforms.
+    type: "object"
+    x-nullable: true
+    properties:
+      Driver:
+        description: |
+          The name of the firewall backend driver.
+        type: "string"
+        example: "nftables"
+      Info:
+        description: |
+          Information about the firewall backend, provided as
+          "label" / "value" pairs.
+
+          <p><br /></p>
+
+          > **Note**: The information returned in this field, including the
+          > formatting of values and labels, should not be considered stable,
+          > and may change without notice.
+        type: "array"
+        items:
+          type: "array"
+          items:
+            type: "string"
+        example:
+          - ["ReloadedAt", "2025-01-01T00:00:00Z"]
+
   # PluginsInfo is a temp struct holding Plugins name
   # registered with docker daemon. It is used by Info struct
   PluginsInfo:
@@ -6984,32 +6900,6 @@ definitions:
     type: "object"
     x-nullable: true
     properties:
-      AllowNondistributableArtifactsCIDRs:
-        description: |
-          List of IP ranges to which nondistributable artifacts can be pushed,
-          using the CIDR syntax [RFC 4632](https://tools.ietf.org/html/4632).
-
-          <p><br /></p>
-
-          > **Deprecated**: Pushing nondistributable artifacts is now always enabled
-          > and this field is always `null`. This field will be removed in a API v1.49.
-        type: "array"
-        items:
-          type: "string"
-        example: []
-      AllowNondistributableArtifactsHostnames:
-        description: |
-          List of registry hostnames to which nondistributable artifacts can be
-          pushed, using the format `<hostname>[:<port>]` or `<IP address>[:<port>]`.
-
-          <p><br /></p>
-
-          > **Deprecated**: Pushing nondistributable artifacts is now always enabled
-          > and this field is always `null`. This field will be removed in a API v1.49.
-        type: "array"
-        items:
-          type: "string"
-        example: []
       InsecureRegistryCIDRs:
         description: |
           List of IP ranges of insecure registries, using the CIDR syntax
@@ -7179,13 +7069,6 @@ definitions:
         description: "Actual commit ID of external tool."
         type: "string"
         example: "cfb82a876ecc11b5ca0977d1733adbe58599088a"
-      Expected:
-        description: |
-          Commit ID of external tool expected by dockerd as set at build time.
-
-          **Deprecated**: This field is deprecated and will be omitted in a API v1.49.
-        type: "string"
-        example: "2d41c047c83e09a6d61d464906feb2a2f3c52aa4"
 
   SwarmInfo:
     description: |
@@ -9934,6 +9817,18 @@ paths:
           description: "Do not delete untagged parent images"
           type: "boolean"
           default: false
+        - name: "platforms"
+          in: "query"
+          description: |
+            Select platform-specific content to delete.
+            Multiple values are accepted.
+            Each platform is a OCI platform encoded as a JSON string.
+          type: "array"
+          items:
+            # This should be OCIPlatform
+            # but $ref is not supported for array in query in Swagger 2.0
+            # $ref: "#/definitions/OCIPlatform"
+            type: "string"
       tags: ["Image"]
   /images/search:
     get:
@@ -10491,13 +10386,9 @@ paths:
 
         ### Image tarball format
 
-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).
 
-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.
 
         If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.
 
@@ -10537,6 +10428,7 @@ paths:
             If not provided, the full multi-platform image will be saved.
 
             Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
+      tags: ["Image"]
   /images/get:
     get:
       summary: "Export several images"
@@ -10571,6 +10463,16 @@ paths:
           type: "array"
           items:
             type: "string"
+        - name: "platform"
+          type: "string"
+          in: "query"
+          description: |
+            JSON encoded OCI platform describing a platform which will be used
+            to select a platform-specific image to be saved if the image is
+            multi-platform.
+            If not provided, the full multi-platform image will be saved.
+
+            Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
       tags: ["Image"]
   /images/load:
     post:

api/templates/server/operation.gotmpl

@@ -1,4 +1,4 @@
-package {{ .Package }} // import "github.com/docker/docker/api/types/{{ .Package }}"
+package {{ .Package }}
 
 // ----------------------------------------------------------------------------
 // Code generated by `swagger generate operation`. DO NOT EDIT.

api/types/backend/backend.go

@@ -1,5 +1,5 @@
 // Package backend includes types to send information to server backends.
-package backend // import "github.com/docker/docker/api/types/backend"
+package backend
 
 import (
 	"io"
@@ -153,13 +153,14 @@ type GetImageOpts struct {
 // ImageInspectOpts holds parameters to inspect an image.
 type ImageInspectOpts struct {
 	Manifests bool
+	Platform  *ocispec.Platform
 }
 
 // CommitConfig is the configuration for creating an image as part of a build.
 type CommitConfig struct {
 	Author              string
 	Comment             string
-	Config              *container.Config
+	Config              *container.Config // TODO(thaJeztah); change this to [dockerspec.DockerOCIImageConfig]
 	ContainerConfig     *container.Config
 	ContainerID         string
 	ContainerMountLabel string

api/types/backend/build.go

@@ -1,9 +1,9 @@
-package backend // import "github.com/docker/docker/api/types/backend"
+package backend
 
 import (
 	"io"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/pkg/streamformatter"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -34,7 +34,7 @@ type ProgressWriter struct {
 type BuildConfig struct {
 	Source         io.ReadCloser
 	ProgressWriter ProgressWriter
-	Options        *types.ImageBuildOptions
+	Options        *build.ImageBuildOptions
 }
 
 // GetImageAndLayerOptions are the options supported by GetImageAndReleasableLayer

api/types/blkiodev/blkio.go

@@ -1,4 +1,4 @@
-package blkiodev // import "github.com/docker/docker/api/types/blkiodev"
+package blkiodev
 
 import "fmt"
 

api/types/build/build.go

@@ -0,0 +1,91 @@
+package build
+
+import (
+	"io"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// BuilderVersion sets the version of underlying builder to use
+type BuilderVersion string
+
+const (
+	// BuilderV1 is the first generation builder in docker daemon
+	BuilderV1 BuilderVersion = "1"
+	// BuilderBuildKit is builder based on moby/buildkit project
+	BuilderBuildKit BuilderVersion = "2"
+)
+
+// Result contains the image id of a successful build.
+type Result struct {
+	ID string
+}
+
+// ImageBuildOptions holds the information
+// necessary to build images.
+type ImageBuildOptions struct {
+	Tags           []string
+	SuppressOutput bool
+	RemoteContext  string
+	NoCache        bool
+	Remove         bool
+	ForceRemove    bool
+	PullParent     bool
+	Isolation      container.Isolation
+	CPUSetCPUs     string
+	CPUSetMems     string
+	CPUShares      int64
+	CPUQuota       int64
+	CPUPeriod      int64
+	Memory         int64
+	MemorySwap     int64
+	CgroupParent   string
+	NetworkMode    string
+	ShmSize        int64
+	Dockerfile     string
+	Ulimits        []*container.Ulimit
+	// BuildArgs needs to be a *string instead of just a string so that
+	// we can tell the difference between "" (empty string) and no value
+	// at all (nil). See the parsing of buildArgs in
+	// api/server/router/build/build_routes.go for even more info.
+	BuildArgs   map[string]*string
+	AuthConfigs map[string]registry.AuthConfig
+	Context     io.Reader
+	Labels      map[string]string
+	// squash the resulting image's layers to the parent
+	// preserves the original image and creates a new one from the parent with all
+	// the changes applied to a single layer
+	Squash bool
+	// CacheFrom specifies images that are used for matching cache. Images
+	// specified here do not need to have a valid parent chain to match cache.
+	CacheFrom   []string
+	SecurityOpt []string
+	ExtraHosts  []string // List of extra hosts
+	Target      string
+	SessionID   string
+	Platform    string
+	// Version specifies the version of the underlying builder to use
+	Version BuilderVersion
+	// BuildID is an optional identifier that can be passed together with the
+	// build request. The same identifier can be used to gracefully cancel the
+	// build with the cancel request.
+	BuildID string
+	// Outputs defines configurations for exporting build results. Only supported
+	// in BuildKit mode
+	Outputs []ImageBuildOutput
+}
+
+// ImageBuildOutput defines configuration for exporting a build result
+type ImageBuildOutput struct {
+	Type  string
+	Attrs map[string]string
+}
+
+// ImageBuildResponse holds information
+// returned by a server after building
+// an image.
+type ImageBuildResponse struct {
+	Body   io.ReadCloser
+	OSType string
+}

api/types/build/cache.go

@@ -0,0 +1,52 @@
+package build
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+// CacheRecord contains information about a build cache record.
+type CacheRecord struct {
+	// ID is the unique ID of the build cache record.
+	ID string
+	// Parent is the ID of the parent build cache record.
+	//
+	// Deprecated: deprecated in API v1.42 and up, as it was deprecated in BuildKit; use Parents instead.
+	Parent string `json:"Parent,omitempty"`
+	// Parents is the list of parent build cache record IDs.
+	Parents []string `json:" Parents,omitempty"`
+	// Type is the cache record type.
+	Type string
+	// Description is a description of the build-step that produced the build cache.
+	Description string
+	// InUse indicates if the build cache is in use.
+	InUse bool
+	// Shared indicates if the build cache is shared.
+	Shared bool
+	// Size is the amount of disk space used by the build cache (in bytes).
+	Size int64
+	// CreatedAt is the date and time at which the build cache was created.
+	CreatedAt time.Time
+	// LastUsedAt is the date and time at which the build cache was last used.
+	LastUsedAt *time.Time
+	UsageCount int
+}
+
+// CachePruneOptions hold parameters to prune the build cache.
+type CachePruneOptions struct {
+	All           bool
+	ReservedSpace int64
+	MaxUsedSpace  int64
+	MinFreeSpace  int64
+	Filters       filters.Args
+
+	KeepStorage int64 // Deprecated: deprecated in API 1.48.
+}
+
+// CachePruneReport contains the response for Engine API:
+// POST "/build/prune"
+type CachePruneReport struct {
+	CachesDeleted  []string
+	SpaceReclaimed uint64
+}

api/types/build/disk_usage.go

@@ -0,0 +1,8 @@
+package build
+
+// CacheDiskUsage contains disk usage for the build cache.
+type CacheDiskUsage struct {
+	TotalSize   int64
+	Reclaimable int64
+	Items       []*CacheRecord
+}

api/types/client.go

@@ -1,14 +1,9 @@
-package types // import "github.com/docker/docker/api/types"
+package types
 
 import (
 	"bufio"
 	"context"
-	"io"
 	"net"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/registry"
 )
 
 // NewHijackedResponse initializes a [HijackedResponse] type.
@@ -51,165 +46,6 @@ func (h *HijackedResponse) CloseWrite() error {
 	return nil
 }
 
-// ImageBuildOptions holds the information
-// necessary to build images.
-type ImageBuildOptions struct {
-	Tags           []string
-	SuppressOutput bool
-	RemoteContext  string
-	NoCache        bool
-	Remove         bool
-	ForceRemove    bool
-	PullParent     bool
-	Isolation      container.Isolation
-	CPUSetCPUs     string
-	CPUSetMems     string
-	CPUShares      int64
-	CPUQuota       int64
-	CPUPeriod      int64
-	Memory         int64
-	MemorySwap     int64
-	CgroupParent   string
-	NetworkMode    string
-	ShmSize        int64
-	Dockerfile     string
-	Ulimits        []*container.Ulimit
-	// BuildArgs needs to be a *string instead of just a string so that
-	// we can tell the difference between "" (empty string) and no value
-	// at all (nil). See the parsing of buildArgs in
-	// api/server/router/build/build_routes.go for even more info.
-	BuildArgs   map[string]*string
-	AuthConfigs map[string]registry.AuthConfig
-	Context     io.Reader
-	Labels      map[string]string
-	// squash the resulting image's layers to the parent
-	// preserves the original image and creates a new one from the parent with all
-	// the changes applied to a single layer
-	Squash bool
-	// CacheFrom specifies images that are used for matching cache. Images
-	// specified here do not need to have a valid parent chain to match cache.
-	CacheFrom   []string
-	SecurityOpt []string
-	ExtraHosts  []string // List of extra hosts
-	Target      string
-	SessionID   string
-	Platform    string
-	// Version specifies the version of the underlying builder to use
-	Version BuilderVersion
-	// BuildID is an optional identifier that can be passed together with the
-	// build request. The same identifier can be used to gracefully cancel the
-	// build with the cancel request.
-	BuildID string
-	// Outputs defines configurations for exporting build results. Only supported
-	// in BuildKit mode
-	Outputs []ImageBuildOutput
-}
-
-// ImageBuildOutput defines configuration for exporting a build result
-type ImageBuildOutput struct {
-	Type  string
-	Attrs map[string]string
-}
-
-// BuilderVersion sets the version of underlying builder to use
-type BuilderVersion string
-
-const (
-	// BuilderV1 is the first generation builder in docker daemon
-	BuilderV1 BuilderVersion = "1"
-	// BuilderBuildKit is builder based on moby/buildkit project
-	BuilderBuildKit BuilderVersion = "2"
-)
-
-// ImageBuildResponse holds information
-// returned by a server after building
-// an image.
-type ImageBuildResponse struct {
-	Body   io.ReadCloser
-	OSType string
-}
-
-// NodeListOptions holds parameters to list nodes with.
-type NodeListOptions struct {
-	Filters filters.Args
-}
-
-// NodeRemoveOptions holds parameters to remove nodes with.
-type NodeRemoveOptions struct {
-	Force bool
-}
-
-// ServiceCreateOptions contains the options to use when creating a service.
-type ServiceCreateOptions struct {
-	// EncodedRegistryAuth is the encoded registry authorization credentials to
-	// use when updating the service.
-	//
-	// This field follows the format of the X-Registry-Auth header.
-	EncodedRegistryAuth string
-
-	// QueryRegistry indicates whether the service update requires
-	// contacting a registry. A registry may be contacted to retrieve
-	// the image digest and manifest, which in turn can be used to update
-	// platform or other information about the service.
-	QueryRegistry bool
-}
-
-// Values for RegistryAuthFrom in ServiceUpdateOptions
-const (
-	RegistryAuthFromSpec         = "spec"
-	RegistryAuthFromPreviousSpec = "previous-spec"
-)
-
-// ServiceUpdateOptions contains the options to be used for updating services.
-type ServiceUpdateOptions struct {
-	// EncodedRegistryAuth is the encoded registry authorization credentials to
-	// use when updating the service.
-	//
-	// This field follows the format of the X-Registry-Auth header.
-	EncodedRegistryAuth string
-
-	// TODO(stevvooe): Consider moving the version parameter of ServiceUpdate
-	// into this field. While it does open API users up to racy writes, most
-	// users may not need that level of consistency in practice.
-
-	// RegistryAuthFrom specifies where to find the registry authorization
-	// credentials if they are not given in EncodedRegistryAuth. Valid
-	// values are "spec" and "previous-spec".
-	RegistryAuthFrom string
-
-	// Rollback indicates whether a server-side rollback should be
-	// performed. When this is set, the provided spec will be ignored.
-	// The valid values are "previous" and "none". An empty value is the
-	// same as "none".
-	Rollback string
-
-	// QueryRegistry indicates whether the service update requires
-	// contacting a registry. A registry may be contacted to retrieve
-	// the image digest and manifest, which in turn can be used to update
-	// platform or other information about the service.
-	QueryRegistry bool
-}
-
-// ServiceListOptions holds parameters to list services with.
-type ServiceListOptions struct {
-	Filters filters.Args
-
-	// Status indicates whether the server should include the service task
-	// count of running and desired tasks.
-	Status bool
-}
-
-// ServiceInspectOptions holds parameters related to the "service inspect"
-// operation.
-type ServiceInspectOptions struct {
-	InsertDefaults bool
-}
-
-// TaskListOptions holds parameters to list tasks with.
-type TaskListOptions struct {
-	Filters filters.Args
-}
-
 // PluginRemoveOptions holds parameters to remove plugins.
 type PluginRemoveOptions struct {
 	Force bool
@@ -243,13 +79,6 @@ type PluginInstallOptions struct {
 	Args                  []string
 }
 
-// SwarmUnlockKeyResponse contains the response for Engine API:
-// GET /swarm/unlockkey
-type SwarmUnlockKeyResponse struct {
-	// UnlockKey is the unlock key in ASCII-armored format.
-	UnlockKey string
-}
-
 // PluginCreateOptions hold all options to plugin create.
 type PluginCreateOptions struct {
 	RepoName string

api/types/container/config.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import (
 	"time"