Merge pull request #51410 from austinvazquez/test-containerd-1.7.29

[28.x] Dockerfile: test containerd v1.7.29

.github/workflows/.test-unit.yml

@@ -16,7 +16,7 @@ on:
   workflow_call:
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   SETUP_BUILDX_VERSION: edge
@@ -106,7 +106,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4

.github/workflows/.test.yml

@@ -21,7 +21,7 @@ on:
         default: "graphdriver"
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   ITG_CLI_MATRIX_SIZE: 6
@@ -265,7 +265,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4
@@ -297,7 +297,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Install gotestlist
         run:
@@ -454,7 +454,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4

.github/workflows/.windows.yml

@@ -28,12 +28,12 @@ on:
         default: false
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
-  WINDOWS_BASE_TAG_2019: ltsc2019
   WINDOWS_BASE_TAG_2022: ltsc2022
+  WINDOWS_BASE_TAG_2025: ltsc2025
   TEST_IMAGE_NAME: moby:test
   TEST_CTN_NAME: moby
   DOCKER_BUILDKIT: 0
@@ -65,23 +65,11 @@ jobs:
         run: |
           New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
           New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
             echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
       -
         name: Docker info
         run: |
@@ -92,15 +80,12 @@ jobs:
           & docker build `
             --build-arg WINDOWS_BASE_IMAGE `
             --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
             -t ${{ env.TEST_IMAGE_NAME }} `
             -f Dockerfile.windows .
       -
         name: Build binaries
         run: |
           & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
               ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
       -
         name: Copy artifacts
@@ -145,23 +130,11 @@ jobs:
           New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
           New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
           New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
             echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
       -
         name: Docker info
         run: |
@@ -172,15 +145,12 @@ jobs:
           & docker build `
             --build-arg WINDOWS_BASE_IMAGE `
             --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
             -t ${{ env.TEST_IMAGE_NAME }} `
             -f Dockerfile.windows .
       -
         name: Test
         run: |
           & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-            -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-            -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
             -v "${{ env.GOPATH }}\src\github.com\docker\docker\bundles:C:\gopath\src\github.com\docker\docker\bundles" `
             ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -TestUnit
       -
@@ -214,7 +184,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download artifacts
         uses: actions/download-artifact@v4
@@ -244,7 +214,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Install gotestlist
         run:
@@ -297,6 +267,12 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.GOPATH }}/src/github.com/docker/docker
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
       -
         name: Set up Jaeger
         run: |
@@ -321,8 +297,8 @@ jobs:
         name: Init
         run: |
           New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
             echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
           }
@@ -428,12 +404,6 @@ jobs:
           & "${{ env.BIN_OUT }}\docker" images
         env:
           DOCKER_HOST: npipe:////./pipe/docker_engine
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
       -
         name: Test integration
         if: matrix.test == './...'
@@ -527,7 +497,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4

.github/workflows/arm64.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   TESTSTAT_VERSION: v0.1.25
   DESTDIR: ./build
   SETUP_BUILDX_VERSION: edge
@@ -37,6 +37,7 @@ jobs:
   build:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     strategy:
@@ -70,6 +71,7 @@ jobs:
   build-dev:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     steps:
@@ -87,12 +89,13 @@ jobs:
           targets: dev
           set: |
             *.cache-from=type=gha,scope=dev-arm64
-            *.cache-to=type=gha,scope=dev-arm64,mode=max
+            *.cache-to=type=gha,scope=dev-arm64
             *.output=type=cacheonly
 
   test-unit:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-dev
     steps:
@@ -109,6 +112,9 @@ jobs:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
       -
         name: Build dev image
         uses: docker/bake-action@v6
@@ -150,7 +156,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
     needs:
       - test-unit
     steps:
@@ -159,7 +165,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4
@@ -179,6 +185,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 120 # guardrails timeout for the whole job
     continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-dev
     steps:
@@ -198,6 +205,9 @@ jobs:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
           buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
       -
         name: Build dev image
         uses: docker/bake-action@v6
@@ -249,7 +259,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
     needs:
       - test-integration
     steps:
@@ -258,7 +268,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: Download reports
         uses: actions/download-artifact@v4

.github/workflows/bin-image.yml

@@ -42,6 +42,7 @@ jobs:
   prepare:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     outputs:
       platforms: ${{ steps.platforms.outputs.matrix }}
     steps:
@@ -65,13 +66,12 @@ jobs:
           # moby/moby-bin:master
           ## push on 23.0 branch
           # moby/moby-bin:23.0
-          ## any push
-          # moby/moby-bin:sha-ad132f5
           tags: |
             type=semver,pattern={{version}}
             type=ref,event=branch
             type=ref,event=pr
-            type=sha
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
       -
         name: Rename meta bake definition file
         # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -94,11 +94,11 @@ jobs:
 
   build:
     runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only')) }}
     needs:
       - validate-dco
       - prepare
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
     strategy:
       fail-fast: false
       matrix:
@@ -170,10 +170,10 @@ jobs:
 
   merge:
     runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 40 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
     needs:
       - build
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
     steps:
       -
         name: Download meta bake definition

.github/workflows/buildkit.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   DESTDIR: ./build
   SETUP_BUILDX_VERSION: edge
   SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -35,6 +35,7 @@ jobs:
   build-linux:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     steps:
@@ -62,6 +63,7 @@ jobs:
   test-linux:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-linux
     env:
@@ -106,7 +108,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
       -
         name: BuildKit ref
         run: |
@@ -166,6 +168,7 @@ jobs:
   build-windows:
     runs-on: windows-2022
     timeout-minutes: 120
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     env:
@@ -188,6 +191,7 @@ jobs:
       - name: Env
         run: |
           Get-ChildItem Env: | Out-String
+
       - name: Moby - Init
         run: |
           New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
@@ -198,18 +202,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      - name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
+          cache: false
 
       - name: Docker info
         run: |
@@ -220,7 +213,6 @@ jobs:
           & docker build `
             --build-arg WINDOWS_BASE_IMAGE `
             --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
             -t ${{ env.TEST_IMAGE_NAME }} `
             -f Dockerfile.windows .
 
@@ -266,6 +258,7 @@ jobs:
   test-windows:
     runs-on: windows-2022
     timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-windows
     env:
@@ -309,22 +302,27 @@ jobs:
             disabledFeatures="${disabledFeatures},merge_diff"
           fi
           echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
+
       - name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@v3
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           path: moby
+
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
+
       - name: BuildKit ref
         shell: bash
         run: |
           echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
         working-directory: moby
+
       - name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
         uses: actions/checkout@v4
         with:
@@ -359,6 +357,7 @@ jobs:
            testFlags="${testFlags} --run=TestIntegration/$testSliceOffset.*/worker=${{ matrix.worker }}"
           fi
           echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
+
       - name: Test
         shell: bash
         run: |

.github/workflows/ci.yml

@@ -67,6 +67,7 @@ jobs:
   prepare-cross:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     outputs:
@@ -89,6 +90,7 @@ jobs:
   cross:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
       - prepare-cross
@@ -128,6 +130,7 @@ jobs:
   govulncheck:
     runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
+    # Always run security checks, even with 'ci/validate-only' label
     permissions:
       # required to write sarif report
       security-events: write
@@ -157,6 +160,7 @@ jobs:
 
   build-dind:
     runs-on: ubuntu-24.04
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     steps:

.github/workflows/codeql.yml

@@ -32,6 +32,9 @@ on:
     #        * * * * *
     - cron: '0 9 * * 4'
 
+env:
+  GO_VERSION: "1.24.9"
+
 jobs:
   codeql:
     runs-on: ubuntu-24.04
@@ -55,10 +58,11 @@ jobs:
         run: |
           ln -s vendor.mod go.mod
           ln -s vendor.sum go.sum
-      - name: Update Go
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24.3"
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.github/workflows/test.yml

@@ -23,7 +23,7 @@ on:
   pull_request:
 
 env:
-  GO_VERSION: "1.24.3"
+  GO_VERSION: "1.24.9"
   GIT_PAGER: "cat"
   PAGER: "cat"
   SETUP_BUILDX_VERSION: edge
@@ -44,6 +44,7 @@ jobs:
         mode:
           - ""
           - systemd
+          - firewalld
     steps:
       -
         name: Prepare
@@ -65,10 +66,11 @@ jobs:
           targets: dev
           set: |
             *.cache-from=type=gha,scope=dev${{ matrix.mode }}
-            *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
+            *.cache-to=type=gha,scope=dev${{ matrix.mode }}
             *.output=type=cacheonly
 
   test:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-dev
       - validate-dco
@@ -84,6 +86,7 @@ jobs:
       storage: ${{ matrix.storage }}
 
   test-unit:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - build-dev
       - validate-dco
@@ -153,6 +156,7 @@ jobs:
   smoke-prepare:
     runs-on: ubuntu-24.04
     timeout-minutes: 10 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - validate-dco
     outputs:
@@ -175,6 +179,7 @@ jobs:
   smoke:
     runs-on: ubuntu-24.04
     timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - smoke-prepare
     strategy:

.github/workflows/windows-2022.yml

@@ -14,13 +14,9 @@ concurrency:
   cancel-in-progress: true
 
 on:
+  schedule:
+    - cron: '0 10 * * *'
   workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:
 
 jobs:
   validate-dco:
@@ -32,6 +28,7 @@ jobs:
       - validate-dco
 
   run:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - test-prepare
     uses: ./.github/workflows/.windows.yml

.github/workflows/windows-2025.yml

@@ -1,4 +1,4 @@
-name: windows-2019
+name: windows-2025
 
 # Default to 'contents: read', which grants actions to read commits.
 #
@@ -14,9 +14,13 @@ concurrency:
   cancel-in-progress: true
 
 on:
-  schedule:
-    - cron: '0 10 * * *'
   workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
 
 jobs:
   validate-dco:
@@ -28,6 +32,7 @@ jobs:
       - validate-dco
 
   run:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
     needs:
       - test-prepare
     uses: ./.github/workflows/.windows.yml
@@ -37,6 +42,6 @@ jobs:
       matrix:
         storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
     with:
-      os: windows-2019
+      os: windows-2025
       storage: ${{ matrix.storage }}
       send_coverage: false

.golangci.yml

@@ -3,7 +3,7 @@ version: "2"
 run:
   # prevent golangci-lint from deducting the go version to lint for through go.mod,
   # which causes it to fallback to go1.17 semantics.
-  go: "1.24.3"
+  go: "1.24.9"
   concurrency: 2
   # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
   # modules-download-mode: vendor
@@ -21,12 +21,14 @@ linters:
     - dogsled                   # Detects assignments with too many blank identifiers.
     - dupword                   # Detects duplicate words.
     - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
+    - errorlint                 # Detects code that will cause problems with the error wrapping scheme introduced in Go 1.13.
     - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
     - exhaustive                # Detects missing options in enum switch statements.
     - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
     - fatcontext                # Detects nested contexts in loops and function literals.
     - forbidigo
     - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - gocritic                  # Detects for bugs, performance and style issues.
     - gosec                     # Detects security problems.
     - govet
     - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
@@ -42,6 +44,7 @@ linters:
     - revive                    # Metalinter; drop-in replacement for golint.
     - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
     - staticcheck
+    - thelper
     - unconvert                 # Detects unnecessary type conversions.
     - unused
     - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
@@ -73,6 +76,13 @@ linters:
         - "false"   # some tests use this as expected output
         - "root"    # for tests using "ls" output with files owned by "root:root"
 
+    errorlint:
+      # Check whether fmt.Errorf uses the %w verb for formatting errors.
+      # See the https://github.com/polyfloyd/go-errorlint for caveats.
+      errorf: false
+      # Check for plain type assertions and type switches.
+      asserts: false
+
     exhaustive:
       # Program elements to check for exhaustiveness.
       # Default: [ switch ]
@@ -102,6 +112,56 @@ linters:
           msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
       analyze-types: true
 
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - appendCombine
+        - assignOp
+        - builtinShadow
+        - builtinShadowDecl
+        - captLocal
+        - commentedOutCode
+        - deferInLoop
+        - dupImport
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - evalOrder
+        - exitAfterDefer
+        - exposedSyncMutex
+        - filepathJoin
+        - hexLiteral
+        - hugeParam
+        - ifElseChain
+        - importShadow
+        - indexAlloc
+        - methodExprCall
+        - nestingReduce
+        - nilValReturn
+        - octalLiteral
+        - paramTypeCombine
+        - preferStringWriter
+        - ptrToRefParam
+        - rangeValCopy
+        - redundantSprint
+        - regexpMust
+        - regexpSimplify
+        - singleCaseSwitch
+        - sloppyReassign
+        - stringXbytes
+        - typeAssertChain
+        - typeDefFirst
+        - typeUnparen
+        - uncheckedInlineErr
+        - unlambda
+        - unnamedResult
+        - unnecessaryDefer
+        - unslice
+        - valSwap
+        - whyNoLint
+      enable-all: true
+
     gosec:
       excludes:
         - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
@@ -164,6 +224,30 @@ linters:
         - record-error    # check that `span.RecordError(err)` is called when an error is returned
         - set-status      # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
 
+    thelper:
+      test:
+        # Check *testing.T is first param (or after context.Context) of helper function.
+        first: false
+        # Check t.Helper() begins helper function.
+        begin: false
+      benchmark:
+        # Check *testing.B is first param (or after context.Context) of helper function.
+        first: false
+        # Check b.Helper() begins helper function.
+        begin: false
+      tb:
+        # Check *testing.TB is first param (or after context.Context) of helper function.
+        first: false
+        # Check *testing.TB param has name tb.
+        name: false
+        # Check tb.Helper() begins helper function.
+        begin: false
+      fuzz:
+        # Check *testing.F is first param (or after context.Context) of helper function.
+        first: false
+        # Check f.Helper() begins helper function.
+        begin: false
+
     usestdlibvars:
       # Suggest the use of http.MethodXX.
       http-method: true
@@ -220,7 +304,7 @@ linters:
           - staticcheck
 
         # FIXME(thaJeztah): ignoring these transitional utilities until BuildKit is vendored with https://github.com/moby/moby/pull/49743
-      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping) is deprecated"
+      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping|IdentityMapping) is deprecated"
         linters:
           - staticcheck
 
@@ -250,6 +334,11 @@ linters:
         path: "libnetwork/cmd/networkdb-test/dbclient"
         linters:
           - forbidigo
+      
+      # Ignore deprecated disk usage type warnings which will be moved internal to the daemon backend in the next major release.
+      - text: "SA1019: ((buildtypes|build).CacheDiskUsage|(container|containertypes|image|volume|volumetypes).DiskUsage) is deprecated"
+        linters:
+          - staticcheck
 
     # Log a warning if an exclusion rule is unused.
     # Default: false

CONTRIBUTING.md

@@ -83,6 +83,39 @@ contributions, see [the advanced contribution
 section](https://docs.docker.com/opensource/workflow/advanced-contributing/) in
 the contributors guide.
 
+### Where to put your changes
+
+You can make changes to any Go package within Moby outside of the vendor directory. There are no
+restrictions on packages but a few guidelines to follow for deciding on making these changes.
+When adding new packages, first consider putting them in an internal directory to prevent
+unintended importing from other modules. Code changes should either go under `api`, `client`,
+or `daemon` modules, or one of the integration test directories.
+
+Try to put a new package under the appropriate directories. The root directory is reserved for
+configuration and build files, no source files will be accepted in the root.
+
+- `api` - All types shared by client and daemon along with swagger definitions.
+- `client` - All Go files for the docker client
+- `contrib` - Files, configurations, and packages related to external tools or libraries
+- `daemon` - All Go files and packages for building the daemon
+- `docs` - All Moby technical documentation using markdown
+- `hack` - All scripts used for testing, development, and CI
+- `integration` - Testing the integration of the API, client, and daemon
+- `integration-cli` - Deprecated integration tests of the docker cli with the daemon, no new tests allowed
+- `pkg` - Legacy Go packages used externally, no new packages should be added here
+- `project` - All files related to Moby project governance
+- `vendor` - Autogenerated vendor files from `make vendor` command, do not manually edit files here
+
+The daemon module has many subpackages. Consider putting new packages under one of these
+directories.
+
+- `daemon/cmd` - All Go main packages and the packages used only for that main package
+- `daemon/internal` - All utility packages used by daemon and not intended for external use
+- `daemon/man`- All Moby reference manuals used for the `man` command
+- `daemon/plugins` - All included daemon plugins which are intended to be registered via init
+- `daemon/pkg` - All libraries used by daemon and for integration testing
+- `daemon/version` - Version package with the current daemon version
+
 ### Connect with other Moby Project contributors
 
 <table class="tg">

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.24.3
+ARG GO_VERSION=1.24.9
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.6.1
@@ -10,7 +10,7 @@ ARG XX_VERSION=1.6.1
 ARG VPNKIT_VERSION=0.6.0
 
 # DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.2.0-rc.2
+ARG DOCKERCLI_VERSION=v28.2.2
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
 
 # cli version used for integration-cli tests
@@ -171,7 +171,7 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.27
+ARG CONTAINERD_VERSION=v1.7.29
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS containerd-build
@@ -209,7 +209,8 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
      && /build/golangci-lint --version
 
 FROM base AS gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.12.3
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
         GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
@@ -259,9 +260,8 @@ WORKDIR /usr/src/runc
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
 # RUNC_VERSION should match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged. When updating RUNC_VERSION,
-# consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.6
+# project first, and update both after that is merged.
+ARG RUNC_VERSION=v1.3.3
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS runc-build

Dockerfile.simple

@@ -5,7 +5,7 @@
 
 # This represents the bare minimum required to build and test Docker.
 
-ARG GO_VERSION=1.24.3
+ARG GO_VERSION=1.24.9
 
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

Dockerfile.windows

@@ -161,12 +161,14 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ARG GO_VERSION=1.24.3
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GO_VERSION=1.24.9
+
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.12.3
 
 # GOWINRES_VERSION is the version of go-winres to install.
 ARG GOWINRES_VERSION=v0.3.3
-ARG CONTAINERD_VERSION=v1.7.27
+ARG CONTAINERD_VERSION=v1.7.29
 
 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -257,14 +259,11 @@ RUN `
   Remove-Item C:\gitsetup.zip; `
   `
   Write-Host INFO: Downloading containerd; `
-  Install-Package -Force 7Zip4PowerShell; `
   $location='https://github.com/containerd/containerd/releases/download/'+$Env:CONTAINERD_VERSION+'/containerd-'+$Env:CONTAINERD_VERSION.TrimStart('v')+'-windows-amd64.tar.gz'; `
   Download-File $location C:\containerd.tar.gz; `
   New-Item -Path C:\containerd -ItemType Directory; `
-  Expand-7Zip C:\containerd.tar.gz C:\; `
-  Expand-7Zip C:\containerd.tar C:\containerd; `
+  tar -xzf C:\containerd.tar.gz -C C:\containerd; `
   Remove-Item C:\containerd.tar.gz; `
-  Remove-Item C:\containerd.tar; `
   `
   # Ensure all directories exist that we will require below....
   $srcDir = """$Env:GOPATH`\src\github.com\docker\docker\bundles"""; `

Makefile

@@ -203,7 +203,7 @@ build: shell_target := --target=dev-base
 else
 build: shell_target := --target=dev
 endif
-build: bundles
+build: validate-bind-dir bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .
 
 .PHONY: shell
@@ -284,3 +284,10 @@ generate-files:
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
 	cp -R "$($@_TMP_OUT)"/. .
 	rm -rf "$($@_TMP_OUT)"/*
+
+.PHONY: validate-bind-dir
+validate-bind-dir:
+	@case "$(BIND_DIR)" in \
+		".."*|"/"*) echo "Make needs to be run from the project-root directory, with BIND_DIR set to \".\" or a subdir"; \
+		exit 1 ;; \
+	esac

TESTING.md

@@ -121,6 +121,6 @@ automatically set the other above mentioned environment variables accordingly.
 You can change a version of golang used for building stuff that is being tested
 by setting `GO_VERSION` variable, for example:
 
-```
-make GO_VERSION=1.12.8 test
+```bash
+make GO_VERSION=1.24.8 test
 ```

api/common.go

@@ -1,9 +1,9 @@
-package api // import "github.com/docker/docker/api"
+package api
 
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.50"
+	DefaultVersion = "1.51"
 
 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon

api/server/backend/build/backend.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/backend/build"
+package build
 
 import (
 	"context"

api/server/backend/build/tag.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/backend/build"
+package build
 
 import (
 	"context"

api/server/httpstatus/status.go

@@ -1,4 +1,4 @@
-package httpstatus // import "github.com/docker/docker/api/server/httpstatus"
+package httpstatus
 
 import (
 	"context"

api/server/httputils/decoder.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"io"

api/server/httputils/form.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"encoding/json"

api/server/httputils/form_test.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"math"
@@ -30,7 +30,7 @@ func TestBoolValue(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a := BoolValue(r, "test")
@@ -41,14 +41,14 @@ func TestBoolValue(t *testing.T) {
 }
 
 func TestBoolValueOrDefault(t *testing.T) {
-	r, _ := http.NewRequest(http.MethodGet, "", nil)
+	r, _ := http.NewRequest(http.MethodGet, "", http.NoBody)
 	if !BoolValueOrDefault(r, "queryparam", true) {
 		t.Fatal("Expected to get true default value, got false")
 	}
 
 	v := url.Values{}
 	v.Set("param", "")
-	r, _ = http.NewRequest(http.MethodGet, "", nil)
+	r, _ = http.NewRequest(http.MethodGet, "", http.NoBody)
 	r.Form = v
 	if BoolValueOrDefault(r, "param", true) {
 		t.Fatal("Expected not to get true")
@@ -66,7 +66,7 @@ func TestInt64ValueOrZero(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a := Int64ValueOrZero(r, "test")
@@ -86,7 +86,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 	for c, e := range cases {
 		v := url.Values{}
 		v.Set("test", c)
-		r, _ := http.NewRequest(http.MethodPost, "", nil)
+		r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 		r.Form = v
 
 		a, err := Int64ValueOrDefault(r, "test", -1)
@@ -102,7 +102,7 @@ func TestInt64ValueOrDefault(t *testing.T) {
 func TestInt64ValueOrDefaultWithError(t *testing.T) {
 	v := url.Values{}
 	v.Set("test", "invalid")
-	r, _ := http.NewRequest(http.MethodPost, "", nil)
+	r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 	r.Form = v
 
 	_, err := Int64ValueOrDefault(r, "test", -1)
@@ -150,7 +150,7 @@ func TestUint32Value(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.value, func(t *testing.T) {
-			r, _ := http.NewRequest(http.MethodPost, "", nil)
+			r, _ := http.NewRequest(http.MethodPost, "", http.NoBody)
 			r.Form = url.Values{}
 			if tc.value != valueNotSet {
 				r.Form.Set("field", tc.value)

api/server/httputils/httputils.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"context"
@@ -74,7 +74,7 @@ func ReadJSON(r *http.Request, out interface{}) error {
 	err = dec.Decode(out)
 	defer r.Body.Close()
 	if err != nil {
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			return errdefs.InvalidParameter(errors.New("invalid JSON: got EOF while reading request body"))
 		}
 		return errdefs.InvalidParameter(errors.Wrap(err, "invalid JSON"))

api/server/httputils/httputils_test.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"net/http"
@@ -33,7 +33,7 @@ func TestJsonContentType(t *testing.T) {
 
 func TestReadJSON(t *testing.T) {
 	t.Run("nil body", func(t *testing.T) {
-		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", nil)
+		req, err := http.NewRequest(http.MethodPost, "https://example.com/some/path", http.NoBody)
 		if err != nil {
 			t.Error(err)
 		}

api/server/httputils/write_log_stream.go

@@ -1,4 +1,4 @@
-package httputils // import "github.com/docker/docker/api/server/httputils"
+package httputils
 
 import (
 	"context"
@@ -11,10 +11,13 @@ import (
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/pkg/stdcopy"
 )
 
+// rfc3339NanoFixed is time.RFC3339Nano with nanoseconds padded using zeros to
+// ensure the formatted time isalways the same number of characters.
+const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
+
 // WriteLogStream writes an encoded byte stream of log messages from the
 // messages channel, multiplexing them with a stdcopy.Writer if mux is true
 func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
@@ -53,7 +56,7 @@ func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backe
 			logLine = append(logLine, msg.Line...)
 		}
 		if config.Timestamps {
-			logLine = append([]byte(msg.Timestamp.Format(jsonmessage.RFC3339NanoFixed)+" "), logLine...)
+			logLine = append([]byte(msg.Timestamp.Format(rfc3339NanoFixed)+" "), logLine...)
 		}
 		if msg.Source == "stdout" && config.ShowStdout {
 			_, _ = outStream.Write(logLine)

api/server/middleware.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"github.com/containerd/log"

api/server/middleware/debug.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"bufio"

api/server/middleware/debug_test.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"testing"

api/server/middleware/experimental.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/middleware.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/version.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"

api/server/middleware/version_test.go

@@ -1,4 +1,4 @@
-package middleware // import "github.com/docker/docker/api/server/middleware"
+package middleware
 
 import (
 	"context"
@@ -79,7 +79,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 
@@ -121,7 +121,7 @@ func TestVersionMiddlewareVersion(t *testing.T) {
 func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, len(v) != 0)
+		assert.Check(t, v != "")
 		return nil
 	}
 
@@ -129,7 +129,7 @@ func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
 	assert.NilError(t, err)
 	h := m.WrapHandler(handler)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 

api/server/router/build/backend.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"context"

api/server/router/build/build.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"runtime"

api/server/router/build/build_routes.go

@@ -1,4 +1,4 @@
-package build // import "github.com/docker/docker/api/server/router/build"
+package build
 
 import (
 	"bufio"

api/server/router/checkpoint/backend.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import "github.com/docker/docker/api/types/checkpoint"
 

api/server/router/checkpoint/checkpoint.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import (
 	"github.com/docker/docker/api/server/httputils"

api/server/router/checkpoint/checkpoint_routes.go

@@ -1,4 +1,4 @@
-package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+package checkpoint
 
 import (
 	"context"
@@ -38,6 +38,9 @@ func (cr *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.
 	if err != nil {
 		return err
 	}
+	if checkpoints == nil {
+		checkpoints = []checkpoint.Summary{}
+	}
 
 	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
 }

api/server/router/container/backend.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"

api/server/router/container/container.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"github.com/docker/docker/api/server/httputils"

api/server/router/container/container_routes.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"
@@ -531,7 +531,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}
 
 		// Ignore KernelMemoryTCP because it was added in API 1.40.
-		hostConfig.KernelMemoryTCP = 0
+		hostConfig.KernelMemoryTCP = 0 //nolint:staticcheck // ignore SA1019 This field is still used for legacy support.
 
 		// Older clients (API < 1.40) expects the default to be shareable, make them happy
 		if hostConfig.IpcMode.IsEmpty() {

api/server/router/container/copy.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"compress/flate"

api/server/router/container/exec.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"

api/server/router/container/inspect.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
 //go:build go1.23
 
-package container // import "github.com/docker/docker/api/server/router/container"
+package container
 
 import (
 	"context"

api/server/router/debug/debug.go

@@ -1,4 +1,4 @@
-package debug // import "github.com/docker/docker/api/server/router/debug"
+package debug
 
 import (
 	"context"

api/server/router/debug/debug_routes.go

@@ -1,4 +1,4 @@
-package debug // import "github.com/docker/docker/api/server/router/debug"
+package debug
 
 import (
 	"context"

api/server/router/distribution/backend.go

@@ -1,4 +1,4 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import (
 	"context"

api/server/router/distribution/distribution.go

@@ -1,4 +1,4 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/distribution/distribution_routes.go

@@ -1,4 +1,4 @@
-package distribution // import "github.com/docker/docker/api/server/router/distribution"
+package distribution
 
 import (
 	"context"
@@ -108,14 +108,14 @@ func (dr *distributionRouter) fetchManifest(ctx context.Context, distrepo distri
 	}
 	mnfst, err := mnfstsrvc.Get(ctx, distributionInspect.Descriptor.Digest)
 	if err != nil {
-		switch err {
-		case reference.ErrReferenceInvalidFormat,
-			reference.ErrTagInvalidFormat,
-			reference.ErrDigestInvalidFormat,
-			reference.ErrNameContainsUppercase,
-			reference.ErrNameEmpty,
-			reference.ErrNameTooLong,
-			reference.ErrNameNotCanonical:
+		switch {
+		case errors.Is(err, reference.ErrReferenceInvalidFormat),
+			errors.Is(err, reference.ErrTagInvalidFormat),
+			errors.Is(err, reference.ErrDigestInvalidFormat),
+			errors.Is(err, reference.ErrNameContainsUppercase),
+			errors.Is(err, reference.ErrNameEmpty),
+			errors.Is(err, reference.ErrNameTooLong),
+			errors.Is(err, reference.ErrNameNotCanonical):
 			return registry.DistributionInspect{}, errdefs.InvalidParameter(err)
 		}
 		return registry.DistributionInspect{}, err

api/server/router/experimental.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import (
 	"context"

api/server/router/grpc/backend.go

@@ -1,4 +1,4 @@
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import "google.golang.org/grpc"
 

api/server/router/grpc/grpc.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
 //go:build go1.23
 
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import (
 	"context"

api/server/router/grpc/grpc_routes.go

@@ -1,4 +1,4 @@
-package grpc // import "github.com/docker/docker/api/server/router/grpc"
+package grpc
 
 import (
 	"context"

api/server/router/image/backend.go

@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"context"

api/server/router/image/image.go

@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"github.com/docker/docker/api/server/router"

api/server/router/image/image_routes.go

@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/server/router/image"
+package image
 
 import (
 	"context"
@@ -15,7 +15,6 @@ import (
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
@@ -27,8 +26,6 @@ import (
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
-	"github.com/docker/go-connections/nat"
-	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -103,6 +100,8 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 
 		// For a pull it is not an error if no auth was given. Ignore invalid
 		// AuthConfig to increase compatibility with the existing API.
+		//
+		// TODO(thaJeztah): accept empty values but return an error when failing to decode.
 		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
 		progressErr = ir.backend.PullImage(ctx, ref, platform, metaHeaders, authConfig, output)
 	} else { // import
@@ -113,7 +112,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 			return errdefs.InvalidParameter(err)
 		}
 
-		if len(comment) == 0 {
+		if comment == "" {
 			comment = "Imported from " + src
 		}
 
@@ -168,19 +167,11 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter
 		return err
 	}
 
-	var authConfig *registry.AuthConfig
-	if authEncoded := r.Header.Get(registry.AuthHeader); authEncoded != "" {
-		// the new format is to handle the authConfig as a header. Ignore invalid
-		// AuthConfig to increase compatibility with the existing API.
-		authConfig, _ = registry.DecodeAuthConfig(authEncoded)
-	} else {
-		// the old format is supported for compatibility if there was no authConfig header
-		var err error
-		authConfig, err = registry.DecodeAuthConfigBody(r.Body)
-		if err != nil {
-			return errors.Wrap(err, "bad parameters and missing X-Registry-Auth")
-		}
-	}
+	// Handle the authConfig as a header, but ignore invalid AuthConfig
+	// to increase compatibility with the existing API.
+	//
+	// TODO(thaJeztah): accept empty values but return an error when failing to decode.
+	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
 
 	output := ioutils.NewWriteFlusher(w)
 	defer output.Close()
@@ -370,7 +361,7 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		return errdefs.InvalidParameter(errors.New("conflicting options: manifests and platform options cannot both be set"))
 	}
 
-	imageInspect, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
+	resp, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
 		Manifests: manifests,
 		Platform:  platform,
 	})
@@ -378,6 +369,14 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		return err
 	}
 
+	// inspectResponse preserves fields in the response that have an
+	// "omitempty" in the OCI spec, but didn't omit such fields in
+	// legacy responses before API v1.50.
+	imageInspect := &inspectCompatResponse{
+		InspectResponse: resp,
+		legacyConfig:    legacyConfigFields["current"],
+	}
+
 	// Make sure we output empty arrays instead of nil. While Go nil slice is functionally equivalent to an empty slice,
 	// it matters for the JSON representation.
 	if imageInspect.RepoTags == nil {
@@ -405,14 +404,7 @@ func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWrite
 		imageInspect.Descriptor = nil
 	}
 	if versions.LessThan(version, "1.50") {
-		type imageInspectLegacy struct {
-			imagetypes.InspectResponse
-			LegacyConfig *container.Config `json:"Config"`
-		}
-		return httputils.WriteJSON(w, http.StatusOK, imageInspectLegacy{
-			InspectResponse: *imageInspect,
-			LegacyConfig:    dockerOCIImageConfigToContainerConfig(*imageInspect.Config),
-		})
+		imageInspect.legacyConfig = legacyConfigFields["v1.49"]
 	}
 
 	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
@@ -461,6 +453,7 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 	useNone := versions.LessThan(version, "1.43")
 	withVirtualSize := versions.LessThan(version, "1.44")
 	noDescriptor := versions.LessThan(version, "1.48")
+	noContainers := versions.LessThan(version, "1.51")
 	for _, img := range images {
 		if useNone {
 			if len(img.RepoTags) == 0 && len(img.RepoDigests) == 0 {
@@ -481,6 +474,9 @@ func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter,
 		if noDescriptor {
 			img.Descriptor = nil
 		}
+		if noContainers {
+			img.Containers = -1
+		}
 	}
 
 	return httputils.WriteJSON(w, http.StatusOK, images)
@@ -598,27 +594,3 @@ func validateRepoName(name reference.Named) error {
 	}
 	return nil
 }
-
-// FIXME(thaJeztah): this is a copy of dockerOCIImageConfigToContainerConfig in daemon/containerd: https://github.com/moby/moby/blob/6b617699c500522aa6526cfcae4558333911b11f/daemon/containerd/imagespec.go#L107-L128
-func dockerOCIImageConfigToContainerConfig(cfg dockerspec.DockerOCIImageConfig) *container.Config {
-	exposedPorts := make(nat.PortSet, len(cfg.ExposedPorts))
-	for k, v := range cfg.ExposedPorts {
-		exposedPorts[nat.Port(k)] = v
-	}
-
-	return &container.Config{
-		Entrypoint:   cfg.Entrypoint,
-		Env:          cfg.Env,
-		Cmd:          cfg.Cmd,
-		User:         cfg.User,
-		WorkingDir:   cfg.WorkingDir,
-		ExposedPorts: exposedPorts,
-		Volumes:      cfg.Volumes,
-		Labels:       cfg.Labels,
-		ArgsEscaped:  cfg.ArgsEscaped, //nolint:staticcheck // Ignore SA1019. Need to keep it in image.
-		StopSignal:   cfg.StopSignal,
-		Healthcheck:  cfg.Healthcheck,
-		OnBuild:      cfg.OnBuild,
-		Shell:        cfg.Shell,
-	}
-}

api/server/router/image/inspect_response.go

@@ -0,0 +1,88 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package image
+
+import (
+	"encoding/json"
+	"maps"
+
+	"github.com/docker/docker/api/types/image"
+)
+
+// legacyConfigFields defines legacy image-config fields to include in
+// API responses on older API versions.
+var legacyConfigFields = map[string]map[string]any{
+	// Legacy fields for API v1.49 and lower. These fields are deprecated
+	// and omitted in newer API versions; see https://github.com/moby/moby/pull/48457
+	"v1.49": {
+		"AttachStderr": false,
+		"AttachStdin":  false,
+		"AttachStdout": false,
+		"Cmd":          nil,
+		"Domainname":   "",
+		"Entrypoint":   nil,
+		"Env":          nil,
+		"Hostname":     "",
+		"Image":        "",
+		"Labels":       nil,
+		"OnBuild":      nil,
+		"OpenStdin":    false,
+		"StdinOnce":    false,
+		"Tty":          false,
+		"User":         "",
+		"Volumes":      nil,
+		"WorkingDir":   "",
+	},
+	// Legacy fields for current API versions (v1.50 and up). These fields
+	// did not have an "omitempty" and were always included in the response,
+	// even if not set; see https://github.com/moby/moby/issues/50134
+	"current": {
+		"Cmd":        nil,
+		"Entrypoint": nil,
+		"Env":        nil,
+		"Labels":     nil,
+		"OnBuild":    nil,
+		"User":       "",
+		"Volumes":    nil,
+		"WorkingDir": "",
+	},
+}
+
+// inspectCompatResponse is a wrapper around [image.InspectResponse] with a
+// custom marshal function for legacy [api/types/container.Config} fields
+// that have been removed, or did not have omitempty.
+type inspectCompatResponse struct {
+	*image.InspectResponse
+	legacyConfig map[string]any
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (ir *inspectCompatResponse) MarshalJSON() ([]byte, error) {
+	type tmp *image.InspectResponse
+	base, err := json.Marshal((tmp)(ir.InspectResponse))
+	if err != nil {
+		return nil, err
+	}
+	if len(ir.legacyConfig) == 0 {
+		return base, nil
+	}
+
+	type resp struct {
+		*image.InspectResponse
+		Config map[string]any
+	}
+
+	var merged resp
+	err = json.Unmarshal(base, &merged)
+	if err != nil {
+		return base, nil
+	}
+
+	// prevent mutating legacyConfigFields.
+	cfg := maps.Clone(ir.legacyConfig)
+	maps.Copy(cfg, merged.Config)
+	merged.Config = cfg
+	return json.Marshal(merged)
+}

api/server/router/image/inspect_response_test.go

@@ -0,0 +1,74 @@
+package image
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/docker/docker/api/types/image"
+	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestInspectResponse(t *testing.T) {
+	tests := []struct {
+		doc          string
+		cfg          *ocispec.ImageConfig
+		legacyConfig map[string]any
+		expected     string
+	}{
+		{
+			doc:      "empty",
+			expected: `null`,
+		},
+		{
+			doc: "no legacy config",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			expected: `{"Cmd":["/bin/sh"],"StopSignal":"SIGQUIT"}`,
+		},
+		{
+			doc: "api < v1.50",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			legacyConfig: legacyConfigFields["v1.49"],
+			expected:     `{"AttachStderr":false,"AttachStdin":false,"AttachStdout":false,"Cmd":["/bin/sh"],"Domainname":"","Entrypoint":null,"Env":null,"Hostname":"","Image":"","Labels":null,"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"StopSignal":"SIGQUIT","Tty":false,"User":"","Volumes":null,"WorkingDir":""}`,
+		},
+		{
+			doc: "api >= v1.50",
+			cfg: &ocispec.ImageConfig{
+				Cmd:        []string{"/bin/sh"},
+				StopSignal: "SIGQUIT",
+			},
+			legacyConfig: legacyConfigFields["current"],
+			expected:     `{"Cmd":["/bin/sh"],"Entrypoint":null,"Env":null,"Labels":null,"OnBuild":null,"StopSignal":"SIGQUIT","User":"","Volumes":null,"WorkingDir":""}`,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			imgInspect := &image.InspectResponse{}
+			if tc.cfg != nil {
+				// Verify that fields that are set override the legacy values,
+				// or appended if not part of the legacy values.
+				imgInspect.Config = &dockerspec.DockerOCIImageConfig{
+					ImageConfig: *tc.cfg,
+				}
+			}
+			out, err := json.Marshal(&inspectCompatResponse{
+				InspectResponse: imgInspect,
+				legacyConfig:    tc.legacyConfig,
+			})
+			assert.NilError(t, err)
+
+			var outMap struct{ Config json.RawMessage }
+			err = json.Unmarshal(out, &outMap)
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(string(outMap.Config), tc.expected))
+		})
+	}
+}

api/server/router/local.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import (
 	"net/http"

api/server/router/network/backend.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"context"

api/server/router/network/network.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"github.com/docker/docker/api/server/router"

api/server/router/network/network_routes.go

@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/server/router/network"
+package network
 
 import (
 	"context"

api/server/router/plugin/backend.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import (
 	"context"

api/server/router/plugin/plugin.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/plugin/plugin_routes.go

@@ -1,4 +1,4 @@
-package plugin // import "github.com/docker/docker/api/server/router/plugin"
+package plugin
 
 import (
 	"context"

api/server/router/router.go

@@ -1,4 +1,4 @@
-package router // import "github.com/docker/docker/api/server/router"
+package router
 
 import "github.com/docker/docker/api/server/httputils"
 

api/server/router/session/backend.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import (
 	"context"

api/server/router/session/session.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/session/session_routes.go

@@ -1,4 +1,4 @@
-package session // import "github.com/docker/docker/api/server/router/session"
+package session
 
 import (
 	"context"

api/server/router/swarm/backend.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"

api/server/router/swarm/cluster.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/swarm/cluster_routes.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"

api/server/router/swarm/helpers.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"context"

api/server/router/swarm/helpers_test.go

@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/server/router/swarm"
+package swarm
 
 import (
 	"reflect"

api/server/router/system/backend.go

@@ -1,10 +1,11 @@
-package system // import "github.com/docker/docker/api/server/router/system"
+package system
 
 import (
 	"context"
 	"time"
 
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
@@ -13,24 +14,12 @@ import (
 	"github.com/docker/docker/api/types/system"
 )
 
-// DiskUsageOptions holds parameters for system disk usage query.
-type DiskUsageOptions struct {
-	// Containers controls whether container disk usage should be computed.
-	Containers bool
-
-	// Images controls whether image disk usage should be computed.
-	Images bool
-
-	// Volumes controls whether volume disk usage should be computed.
-	Volumes bool
-}
-
 // Backend is the methods that need to be implemented to provide
 // system specific functionality.
 type Backend interface {
 	SystemInfo(context.Context) (*system.Info, error)
 	SystemVersion(context.Context) (types.Version, error)
-	SystemDiskUsage(ctx context.Context, opts DiskUsageOptions) (*system.DiskUsage, error)
+	SystemDiskUsage(ctx context.Context, opts backend.DiskUsageOptions) (*backend.DiskUsage, error)
 	SubscribeToEvents(since, until time.Time, ef filters.Args) ([]events.Message, chan interface{})
 	UnsubscribeFromEvents(chan interface{})
 	AuthenticateToRegistry(ctx context.Context, authConfig *registry.AuthConfig) (string, string, error)

api/server/router/system/system.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
 //go:build go1.23
 
-package system // import "github.com/docker/docker/api/server/router/system"
+package system
 
 import (
 	"github.com/docker/docker/api/server/router"

api/server/router/system/system_routes.go

@@ -1,7 +1,7 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
 //go:build go1.23
 
-package system // import "github.com/docker/docker/api/server/router/system"
+package system
 
 import (
 	"context"
@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/server/router/build"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
 	buildtypes "github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
@@ -183,11 +184,11 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 
 	eg, ctx := errgroup.WithContext(ctx)
 
-	var systemDiskUsage *system.DiskUsage
+	var systemDiskUsage *backend.DiskUsage
 	if getContainers || getImages || getVolumes {
 		eg.Go(func() error {
 			var err error
-			systemDiskUsage, err = s.backend.SystemDiskUsage(ctx, DiskUsageOptions{
+			systemDiskUsage, err = s.backend.SystemDiskUsage(ctx, backend.DiskUsageOptions{
 				Containers: getContainers,
 				Images:     getImages,
 				Volumes:    getVolumes,
@@ -238,7 +239,7 @@ func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter,
 		}
 	}
 
-	du := system.DiskUsage{}
+	du := backend.DiskUsage{}
 	if getBuildCache {
 		du.BuildCache = &buildtypes.CacheDiskUsage{
 			TotalSize: builderSize,

api/server/router/volume/backend.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import (
 	"context"

api/server/router/volume/volume.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import "github.com/docker/docker/api/server/router"
 

api/server/router/volume/volume_routes.go

@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/server/router/volume"
+package volume
 
 import (
 	"context"

api/server/router/volume/volume_routes_test.go

@@ -22,7 +22,7 @@ import (
 func callGetVolume(v *volumeRouter, name string) (*httptest.ResponseRecorder, error) {
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	vars := map[string]string{"name": name}
-	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/volumes/%s", name), nil)
+	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/volumes/%s", name), http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.getVolumeByName(ctx, resp, req, vars)
@@ -32,7 +32,7 @@ func callGetVolume(v *volumeRouter, name string) (*httptest.ResponseRecorder, er
 func callListVolumes(v *volumeRouter) (*httptest.ResponseRecorder, error) {
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
 	vars := map[string]string{}
-	req := httptest.NewRequest(http.MethodGet, "/volumes", nil)
+	req := httptest.NewRequest(http.MethodGet, "/volumes", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.getVolumesList(ctx, resp, req, vars)
@@ -428,7 +428,7 @@ func TestVolumeRemove(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -455,7 +455,7 @@ func TestVolumeRemoveSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -472,7 +472,7 @@ func TestVolumeRemoveNotFoundNoSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -489,7 +489,7 @@ func TestVolumeRemoveNotFoundNoManager(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -513,7 +513,7 @@ func TestVolumeRemoveFoundNoSwarm(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -536,7 +536,7 @@ func TestVolumeRemoveNoSwarmInUse(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/inuse", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/inuse", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "inuse"})
@@ -564,7 +564,7 @@ func TestVolumeRemoveSwarmForce(t *testing.T) {
 	}
 
 	ctx := context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", nil)
+	req := httptest.NewRequest(http.MethodDelete, "/volumes/vol1", http.NoBody)
 	resp := httptest.NewRecorder()
 
 	err := v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})
@@ -573,7 +573,7 @@ func TestVolumeRemoveSwarmForce(t *testing.T) {
 	assert.Assert(t, cerrdefs.IsConflict(err))
 
 	ctx = context.WithValue(context.Background(), httputils.APIVersionKey{}, clusterVolumesVersion)
-	req = httptest.NewRequest(http.MethodDelete, "/volumes/vol1?force=1", nil)
+	req = httptest.NewRequest(http.MethodDelete, "/volumes/vol1?force=1", http.NoBody)
 	resp = httptest.NewRecorder()
 
 	err = v.deleteVolumes(ctx, resp, req, map[string]string{"name": "vol1"})

api/server/server.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"context"

api/server/server_test.go

@@ -1,4 +1,4 @@
-package server // import "github.com/docker/docker/api/server"
+package server
 
 import (
 	"context"
@@ -21,7 +21,7 @@ func TestMiddlewares(t *testing.T) {
 	}
 	srv.UseMiddleware(*m)
 
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", nil)
+	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
 	resp := httptest.NewRecorder()
 	ctx := context.Background()
 

api/swagger.yaml

@@ -19,10 +19,10 @@ produces:
 consumes:
   - "application/json"
   - "text/plain"
-basePath: "/v1.50"
+basePath: "/v1.51"
 info:
   title: "Docker Engine API"
-  version: "1.50"
+  version: "1.51"
   x-logo:
     url: "https://docs.docker.com/assets/images/logo-docker-main.png"
   description: |
@@ -56,7 +56,7 @@ info:
     is returned.
 
     If you omit the version-prefix, the current version of the API (v1.50) is used.
-    For example, calling `/info` is the same as calling `/v1.50/info`. Using the
+    For example, calling `/info` is the same as calling `/v1.51/info`. Using the
     API without a version-prefix is deprecated and will be removed in a future release.
 
     Engine releases in the near future should support this version of the API,
@@ -81,7 +81,6 @@ info:
     {
       "username": "string",
       "password": "string",
-      "email": "string",
       "serveraddress": "string"
     }
     ```
@@ -637,6 +636,9 @@ definitions:
           by the default (runc) runtime.
 
           This field is omitted when empty.
+
+          **Deprecated**: This field is deprecated as kernel 6.12 has deprecated `memory.kmem.tcp.limit_in_bytes` field
+          for cgroups v1. This field will be removed in a future release.
         type: "integer"
         format: "int64"
       MemoryReservation:
@@ -1531,37 +1533,6 @@ definitions:
         items:
           type: "string"
         example: ["/bin/sh", "-c"]
-    # FIXME(thaJeztah): temporarily using a full example to remove some "omitempty" fields. Remove once the fields are removed.
-    example:
-      "User": "web:web"
-      "ExposedPorts": {
-        "80/tcp": {},
-        "443/tcp": {}
-      }
-      "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
-      "Cmd": ["/bin/sh"]
-      "Healthcheck": {
-        "Test": ["string"],
-        "Interval": 0,
-        "Timeout": 0,
-        "Retries": 0,
-        "StartPeriod": 0,
-        "StartInterval": 0
-      }
-      "ArgsEscaped": true
-      "Volumes": {
-        "/app/data": {},
-        "/app/config": {}
-      }
-      "WorkingDir": "/public/"
-      "Entrypoint": []
-      "OnBuild": []
-      "Labels": {
-        "com.example.some-label": "some-value",
-        "com.example.some-other-label": "some-other-value"
-      }
-      "StopSignal": "SIGTERM"
-      "Shell": ["/bin/sh", "-c"]
 
   NetworkingConfig:
     description: |
@@ -1608,6 +1579,8 @@ definitions:
       Bridge:
         description: |
           Name of the default bridge interface when dockerd's --bridge flag is set.
+
+          Deprecated: This field is only set when the daemon is started with the --bridge flag specified.
         type: "string"
         example: "docker0"
       SandboxID:
@@ -1965,6 +1938,11 @@ definitions:
           Depending on how the image was created, this field may be empty and
           is only set for images that were built/created locally. This field
           is empty if the image was pulled from an image registry.
+
+          > **Deprecated**: This field is only set when using the deprecated
+          > legacy builder. It is included in API responses for informational
+          > purposes, but should not be depended on as it will be omitted
+          > once the legacy builder is removed.
         type: "string"
         x-nullable: false
         example: ""
@@ -1990,6 +1968,11 @@ definitions:
           The version of Docker that was used to build the image.
 
           Depending on how the image was created, this field may be empty.
+
+          > **Deprecated**: This field is only set when using the deprecated
+          > legacy builder. It is included in API responses for informational
+          > purposes, but should not be depended on as it will be omitted
+          > once the legacy builder is removed.
         type: "string"
         x-nullable: false
         example: "27.0.1"
@@ -2034,14 +2017,6 @@ definitions:
         format: "int64"
         x-nullable: false
         example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
       GraphDriver:
         $ref: "#/definitions/DriverData"
       RootFS:
@@ -2174,14 +2149,6 @@ definitions:
         format: "int64"
         x-nullable: false
         example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
       Labels:
         description: "User-defined key/value metadata."
         type: "object"
@@ -2196,8 +2163,7 @@ definitions:
           Number of containers using this image. Includes both stopped and running
           containers.
 
-          This size is not calculated by default, and depends on which API endpoint
-          is used. `-1` indicates that the value has not been set / calculated.
+          `-1` indicates that the value has not been set / calculated.
         x-nullable: false
         type: "integer"
         example: 2
@@ -2235,6 +2201,10 @@ definitions:
       password:
         type: "string"
       email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
         type: "string"
       serveraddress:
         type: "string"
@@ -2683,14 +2653,6 @@ definitions:
         description: |
           Unique ID of the build cache record.
         example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
       Parents:
         description: |
           List of parent build cache record IDs.
@@ -2914,7 +2876,8 @@ definitions:
           be used. If multiple endpoints have the same priority, endpoints are
           lexicographically sorted based on their network name, and the one
           that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
         example:
           - 10
 
@@ -3171,10 +3134,15 @@ definitions:
           - Args
         properties:
           DockerVersion:
-            description: "Docker Version used to create the plugin"
+            description: |-
+              Docker Version used to create the plugin.
+
+              Depending on how the plugin was created, this field may be empty or omitted.
+
+              Deprecated: this field is no longer set, and will be removed in the next API version.
             type: "string"
             x-nullable: false
-            example: "17.06.0-ce"
+            x-omitempty: true
           Description:
             type: "string"
             x-nullable: false
@@ -4392,6 +4360,7 @@ definitions:
           A counter that triggers an update even if no relevant parameters have
           been changed.
         type: "integer"
+        format: "uint64"
       Runtime:
         description: |
           Runtime is the type of runtime specified for the task executor.
@@ -5863,7 +5832,7 @@ definitions:
         type: "integer"
         format: "uint64"
         x-nullable: true
-        example: 18446744073709551615
+        example: "18446744073709551615"
 
   ContainerThrottlingData:
     description: |
@@ -6375,6 +6344,8 @@ definitions:
 
           Kernel memory TCP limits are not supported when using cgroups v2, which
           does not support the corresponding `memory.kmem.tcp.limit_in_bytes` cgroup.
+
+          **Deprecated**: This field is deprecated as kernel 6.12 has deprecated kernel memory TCP accounting.
         type: "boolean"
         example: true
       CpuCfsPeriod:
@@ -6412,29 +6383,6 @@ definitions:
         description: "Indicates IPv4 forwarding is enabled."
         type: "boolean"
         example: true
-      BridgeNfIptables:
-        description: |
-          Indicates if `bridge-nf-call-iptables` is available on the host when
-          the daemon was started.
-
-          <p><br /></p>
-
-          > **Deprecated**: netfilter module is now loaded on-demand and no longer
-          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
-        type: "boolean"
-        example: false
-      BridgeNfIp6tables:
-        description: |
-          Indicates if `bridge-nf-call-ip6tables` is available on the host.
-
-          <p><br /></p>
-
-          > **Deprecated**: netfilter module is now loaded on-demand, and no longer
-          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
-        type: "boolean"
-        example: false
       Debug:
         description: |
           Indicates if the daemon is running in debug-mode / with debug-level

api/templates/server/operation.gotmpl

@@ -1,4 +1,4 @@
-package {{ .Package }} // import "github.com/docker/docker/api/types/{{ .Package }}"
+package {{ .Package }}
 
 // ----------------------------------------------------------------------------
 // Code generated by `swagger generate operation`. DO NOT EDIT.

api/types/backend/backend.go

@@ -1,5 +1,5 @@
 // Package backend includes types to send information to server backends.
-package backend // import "github.com/docker/docker/api/types/backend"
+package backend
 
 import (
 	"io"

api/types/backend/build.go

@@ -1,4 +1,4 @@
-package backend // import "github.com/docker/docker/api/types/backend"
+package backend
 
 import (
 	"io"

api/types/backend/disk_usage.go

@@ -0,0 +1,29 @@
+package backend
+
+import (
+	"github.com/docker/docker/api/types/build"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/volume"
+)
+
+// DiskUsageOptions holds parameters for system disk usage query.
+type DiskUsageOptions struct {
+	// Containers controls whether container disk usage should be computed.
+	Containers bool
+
+	// Images controls whether image disk usage should be computed.
+	Images bool
+
+	// Volumes controls whether volume disk usage should be computed.
+	Volumes bool
+}
+
+// DiskUsage contains the information returned by the backend for the
+// GET "/system/df" endpoint.
+type DiskUsage struct {
+	Images     *image.DiskUsage
+	Containers *container.DiskUsage
+	Volumes    *volume.DiskUsage
+	BuildCache *build.CacheDiskUsage
+}

api/types/blkiodev/blkio.go

@@ -1,4 +1,4 @@
-package blkiodev // import "github.com/docker/docker/api/types/blkiodev"
+package blkiodev
 
 import "fmt"
 

api/types/build/disk_usage.go

@@ -1,6 +1,8 @@
 package build
 
 // CacheDiskUsage contains disk usage for the build cache.
+//
+// Deprecated: this type is no longer used and will be removed in the next release.
 type CacheDiskUsage struct {
 	TotalSize   int64
 	Reclaimable int64

api/types/client.go

@@ -1,4 +1,4 @@
-package types // import "github.com/docker/docker/api/types"
+package types
 
 import (
 	"bufio"

api/types/container/config.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import (
 	"time"

api/types/container/disk_usage.go

@@ -1,6 +1,8 @@
 package container
 
 // DiskUsage contains disk usage for containers.
+//
+// Deprecated: this type is no longer used and will be removed in the next release.
 type DiskUsage struct {
 	TotalSize   int64
 	Reclaimable int64

api/types/container/exec.go

@@ -18,11 +18,13 @@ type ExecOptions struct {
 	AttachStdin  bool     // Attach the standard input, makes possible user interaction
 	AttachStderr bool     // Attach the standard error
 	AttachStdout bool     // Attach the standard output
-	Detach       bool     // Execute in detach mode
 	DetachKeys   string   // Escape keys for detach
 	Env          []string // Environment variables
 	WorkingDir   string   // Working directory
 	Cmd          []string // Execution commands and args
+
+	// Deprecated: the Detach field is not used, and will be removed in a future release.
+	Detach bool
 }
 
 // ExecStartOptions is a temp struct used by execStart

api/types/container/hostconfig.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import (
 	"errors"
@@ -394,7 +394,12 @@ type Resources struct {
 
 	// KernelMemory specifies the kernel memory limit (in bytes) for the container.
 	// Deprecated: kernel 5.4 deprecated kmem.limit_in_bytes.
-	KernelMemory      int64     `json:",omitempty"`
+	KernelMemory int64 `json:",omitempty"`
+	// Hard limit for kernel TCP buffer memory (in bytes).
+	//
+	// Deprecated: This field is deprecated and will be removed in the next release.
+	// Starting with 6.12, the kernel has deprecated kernel memory tcp accounting
+	// for cgroups v1.
 	KernelMemoryTCP   int64     `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes)
 	MemoryReservation int64     // Memory soft limit (in bytes)
 	MemorySwap        int64     // Total memory usage (memory + swap); set `-1` to enable unlimited swap

api/types/container/hostconfig_unix.go

@@ -1,6 +1,6 @@
 //go:build !windows
 
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import "github.com/docker/docker/api/types/network"
 

api/types/container/hostconfig_windows.go

@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import "github.com/docker/docker/api/types/network"