Merge pull request #51370 from vvoland/vendor-api

vendor: github.com/moby/moby/api v1.52.0-beta.4
2026-01-11 18:51:37 +00:00 · 2025-10-31 19:11:57 +01:00 · 2025-10-31 18:57:59 +01:00 · 2025-10-31 18:55:28 +01:00 · 2025-10-31 18:41:46 +01:00 · 2025-10-31 18:23:12 +01:00
4566 changed files with 247342 additions and 137463 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,5 +2,5 @@

 # build artifacts
 /bundles/
-/cli/winresources/dockerd/winres.json
-/cli/winresources/dockerd/*.syso
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1 @@
 Dockerfile* linguist-language=Dockerfile
-vendor.mod linguist-language=Go-Module
-vendor.sum linguist-language=Go-Checksums
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -0,0 +1,159 @@
+module/client:
+  - changed-files:
+    - any-glob-to-any-file: 'client/**'
+
+module/api:
+  - changed-files:
+    - any-glob-to-any-file: 'api/**'
+
+area/daemon:
+  - changed-files:
+    - any-glob-to-any-file: 'daemon/**'
+
+area/builder/buildkit:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*buildkit*'
+      - 'daemon/internal/builder-next/**'
+
+area/builder/classic-builder:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/images/*_build*'
+      - 'daemon/builder/**'
+
+area/builder:
+  - labels:
+    - any-glob-to-any-file:
+      - '**/*buildkit*'
+      - 'daemon/internal/builder-next/**'
+      - 'daemon/images/*_build*'
+      - 'daemon/builder/**'
+
+area/networking:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/network*'
+      - 'daemon/network/**'
+      - 'api/types/network/**'
+      - 'integration/network/**'
+      - 'integration/networking/**'
+
+area/volumes:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/volume/**'
+      - 'api/types/volume/**'
+      - 'integration/volume/**'
+
+area/swarm:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/cluster/**'
+      - 'api/types/swarm/**'
+
+area/images:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/images/**'
+      - 'api/types/image/**'
+      - 'integration/image/**'
+
+area/logging:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'daemon/logger/**'
+      - '**/*log*'
+
+area/security:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*seccomp*'
+      - '**/*apparmor*'
+      - '**/*selinux*'
+
+area/security/apparmor:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*apparmor*'
+      - 'contrib/apparmor/**'
+
+area/security/selinux:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*selinux*'
+      - 'contrib/selinux/**'
+
+area/security/seccomp:
+  - changed-files:
+    - any-glob-to-any-file: '**/*seccomp*'
+
+area/systemd:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*systemd*'
+      - 'contrib/init/systemd/**'
+
+area/contrib:
+  - changed-files:
+    - any-glob-to-any-file: 'contrib/**'
+
+area/packaging:
+  - changed-files:
+    - any-glob-to-any-file:
+      # files used in packaging
+      - 'contrib/dockerd-rootless.sh'
+      - 'contrib/dockerd-rootless-setuptool.sh'
+      - 'contrib/init/systemd/**'
+
+containerd-integration:
+  - changed-files:
+    - any-glob-to-any-file: 'daemon/containerd/**'
+
+area/rootless:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*rootless*'
+      - 'contrib/dockerd-rootless*'
+
+area/testing:
+  - changed-files:
+    - any-glob-to-all-files:
+      - 'integration/**'
+      - 'integration-cli/**'
+      - '**/*_test.go'
+      - 'internal/test*'
+      - 'internal/testutil/**'
+
+area/docs:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'api/docs/*.yaml'
+      - 'docs/**'
+      - '**/*.md'
+      - 'man/**'
+
+area/dependencies:
+- all:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'go.mod'
+      - 'go.sum'
+      - 'vendor/**'
+    - all-globs-to-all-files:
+      - '!client/**'
+      - '!api/**'
+
+area/ci:
+  - changed-files:
+    - any-glob-to-any-file: '.github/**'
+
+platform/windows:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/*_windows.go'
+      - 'Dockerfile.windows'
+
+impact/changelog:
+  - changed-files:
+    - any-glob-to-any-file: 'api/docs/CHANGELOG.md'
--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -16,7 +16,7 @@ on:
  workflow_call:

 env:
-  ALPINE_VERSION: "3.21"
+  ALPINE_VERSION: "3.22"

 jobs:
  run:
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -1,45 +0,0 @@
-# reusable workflow
-name: .test-prepare
-
-# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  workflow_call:
-    outputs:
-      matrix:
-        description: Test matrix
-        value: ${{ jobs.run.outputs.matrix }}
-
-jobs:
-  run:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    outputs:
-      matrix: ${{ steps.set.outputs.matrix }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Create matrix
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let matrix = ['graphdriver'];
-            if ("${{ contains(github.event.pull_request.labels.*.name, 'containerd-integration') || github.event_name != 'pull_request' }}" == "true") {
-              matrix.push('snapshotter');
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(matrix)}`);
-              core.setOutput('matrix', JSON.stringify(matrix));
-            });
--- a/.github/workflows/.test-unit.yml
+++ b/.github/workflows/.test-unit.yml
@@ -16,7 +16,7 @@ on:
  workflow_call:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  SETUP_BUILDX_VERSION: edge
@@ -106,7 +106,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -21,13 +21,13 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
-  TEST_INTEGRATION_USE_SNAPSHOTTER: ${{ inputs.storage == 'snapshotter' && '1' || '' }}
+  TEST_INTEGRATION_USE_GRAPHDRIVER: ${{ inputs.storage == 'graphdriver' && '1' || '' }}
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

@@ -144,7 +144,9 @@ jobs:
              // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
            ];
            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ os: 'ubuntu-24.04', mode: 'firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'iptables+firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables+firewalld' });
            }
            await core.group(`Set matrix`, async () => {
              core.info(`matrix: ${JSON.stringify(includes)}`);
@@ -190,6 +192,9 @@ jobs:
            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -265,7 +270,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -297,7 +302,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Install gotestlist
        run:
@@ -328,19 +333,43 @@ jobs:
            // 'include' with other matrix variables that aren't part of the
            // include items.
            // Moreover, since the goal is to run only relevant tests with
-            // firewalld enabled to minimize the number of CI jobs, we
+            // firewalld/nftables enabled to minimize the number of CI jobs, we
            // statically define the list of test suites that we want to run.
            if ("${{ inputs.storage }}" == "snapshotter") {
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerSwarmSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
                'test': 'DockerNetworkSuite'
              });
            }
@@ -380,6 +409,9 @@ jobs:
            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -437,7 +469,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: test-reports-integration-cli-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
+          name: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-${{ env.TESTREPORTS_NAME }}
          path: /tmp/reports/*
          retention-days: 1

@@ -454,13 +486,13 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
        with:
          path: /tmp/reports
-          pattern: test-reports-integration-cli-${{ inputs.storage }}-*
+          pattern: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-*
          merge-multiple: true
      -
        name: Install teststat
--- a/.github/workflows/.vm.yml
+++ b/.github/workflows/.vm.yml
@@ -0,0 +1,205 @@
+# reusable workflow
+name: .vm
+
+# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      template:
+        required: true
+        type: string
+
+env:
+  GO_VERSION: "1.25.3"
+  TESTSTAT_VERSION: v0.1.25
+
+jobs:
+  integration:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    strategy:
+      fail-fast: false
+      matrix:
+        mode:
+          - ""
+          - rootless
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Lima
+        uses: lima-vm/lima-actions/setup@03b96d61959e83b2c737e44162c3088e81de0886  # v1.0.1
+        id: lima-actions-setup
+      -
+        name: Cache ~/.cache/lima
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/lima
+          key: lima-${{ steps.lima-actions-setup.outputs.version }}-${{ inputs.template }}
+      -
+        name: Start the guest VM
+        run: |
+          # --plain is set because the built-in containerd support conflicts with Docker
+          limactl start \
+            --name=default \
+            --cpus=4 \
+            --memory=12 \
+            --plain \
+            ${{ inputs.template }}
+      -
+        name: Load kernel modules in the guest VM
+        run: |
+          set -eux -o pipefail
+          cat <<-EOF | lima sudo tee /etc/modules-load.d/docker.conf
+          br_netfilter
+          bridge
+          ip6_tables
+          ip6table_filter
+          ip6table_nat
+          ip_tables
+          ip_vs
+          iptable_filter
+          iptable_nat
+          nf_tables
+          overlay
+          tap
+          tun
+          veth
+          x_tables
+          xt_addrtype
+          xt_comment
+          xt_conntrack
+          xt_mark
+          xt_multiport
+          xt_nat
+          xt_tcpudp
+          EOF
+          lima sudo systemctl restart systemd-modules-load.service
+      -
+        name: Install dockerd in the guest VM
+        run: |
+          set -eux -o pipefail
+          lima sudo mkdir -p /etc/systemd/system/docker.socket.d
+          cat <<-EOF | lima sudo tee /etc/systemd/system/docker.socket.d/override.conf
+          [Socket]
+          SocketUser=$(whoami)
+          EOF
+          # TODO: use native packages for AlmaLinux: https://github.com/docker/packaging/pull/138
+          lima sudo dnf config-manager --add-repo=https://download.docker.com/linux/rhel/docker-ce.repo
+          lima sudo dnf -q -y install --nobest docker-ce make
+          lima sudo systemctl enable --now docker
+          lima docker info
+      -
+        name: Copy the current directory
+        run: |
+          set -eux -o pipefail
+          limactl cp -r . default:/tmp/docker
+      -
+        name: Test
+        run: |
+          set -eux -o pipefail
+          DOCKER_ROOTLESS=
+          DOCKER_GRAPHDRIVER=overlay2
+          if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then
+            DOCKER_ROOTLESS=1
+            if lima grep -q "AlmaLinux release 8" /etc/system-release; then
+              # kernel prior to 5.11 needs fuse-overlayfs
+              DOCKER_GRAPHDRIVER=fuse-overlayfs
+            fi
+          fi
+
+          DOCKER_IGNORE_BR_NETFILTER_ERROR=
+          if lima grep -q "AlmaLinux release 8" /etc/system-release; then
+            # DOCKER_IGNORE_BR_NETFILTER_ERROR=1 is set because /proc/sys/net/bridge does not appear in
+            # a container when the kernel is older than 5.3.
+            # https://web.archive.org/web/20201123224428/github.com/lxc/lxd/issues/3306#issuecomment-502857864
+            DOCKER_IGNORE_BR_NETFILTER_ERROR=1
+          fi
+
+          # TODO: just propagate the env from the host: https://github.com/lima-vm/lima/issues/3430
+          # TODO: enable GHA cache?
+          LIMA_WORKDIR=/tmp/docker lima \
+            TEST_SKIP_INTEGRATION_CLI=1 \
+            TEST_INTEGRATION_USE_GRAPHDRIVER=1 \
+            DOCKER_ROOTLESS=${DOCKER_ROOTLESS} \
+            DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER} \
+            DOCKER_IGNORE_BR_NETFILTER_ERROR=${DOCKER_IGNORE_BR_NETFILTER_ERROR} \
+            make test-integration
+      -
+        name: Prepare reports
+        if: always()
+        run: |
+          set -eux -o pipefail
+          limactl cp -v -r default:/tmp/docker/bundles . || true
+          reportsName="$(basename ${{ inputs.template }})"
+          if [ -n "${{ matrix.mode }}" ]; then
+            reportsName="$reportsName-${{ matrix.mode }}"
+          fi
+          reportsPath="/tmp/reports/$reportsName"
+          echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
+
+          mkdir -p bundles $reportsPath
+          find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
+          tar -xzf /tmp/reports.tar.gz -C $reportsPath
+          sudo chown -R $(id -u):$(id -g) $reportsPath
+          tree -nh $reportsPath
+      -
+        name: Test daemon logs
+        if: always()
+        run: |
+          cat bundles/test-integration/docker.log
+      -
+        name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports-integration-${{ env.TESTREPORTS_NAME }}
+          path: /tmp/reports/*
+          retention-days: 1
+
+  integration-report:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
+    needs:
+      - integration
+    steps:
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      -
+        name: Prepare reports
+        run: echo "TESTREPORTS_NAME=$(basename ${{ inputs.template }})*" >> $GITHUB_ENV
+      -
+        name: Download reports
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/reports
+          pattern: test-reports-integration-${{ env.TESTREPORTS_NAME }}
+          merge-multiple: true
+      -
+        name: Install teststat
+        run: |
+          go install github.com/vearutop/teststat@${{ env.TESTSTAT_VERSION }}
+      -
+        name: Create summary
+        run: |
+          find /tmp/reports -type f -name '*-go-test-report.json' -exec teststat -markdown {} \+ >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -28,12 +28,12 @@ on:
        default: false

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
-  WINDOWS_BASE_TAG_2019: ltsc2019
  WINDOWS_BASE_TAG_2022: ltsc2022
+  WINDOWS_BASE_TAG_2025: ltsc2025
  TEST_IMAGE_NAME: moby:test
  TEST_CTN_NAME: moby
  DOCKER_BUILDKIT: 0
@@ -65,23 +65,11 @@ jobs:
        run: |
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -92,15 +80,12 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Build binaries
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-              -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-              -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
              ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -Daemon -Client
      -
        name: Copy artifacts
@@ -145,23 +130,11 @@ jobs:
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
-      -
-        name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
      -
        name: Docker info
        run: |
@@ -172,15 +145,12 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
        name: Test
        run: |
          & docker run --name ${{ env.TEST_CTN_NAME }} -e "DOCKER_GITCOMMIT=${{ github.sha }}" `
-            -v "${{ github.workspace }}\go-build:C:\Users\ContainerAdministrator\AppData\Local\go-build" `
-            -v "${{ github.workspace }}\go\pkg\mod:C:\gopath\pkg\mod" `
            -v "${{ env.GOPATH }}\src\github.com\docker\docker\bundles:C:\gopath\src\github.com\docker\docker\bundles" `
            ${{ env.TEST_IMAGE_NAME }} hack\make.ps1 -TestUnit
      -
@@ -214,7 +184,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download artifacts
        uses: actions/download-artifact@v4
@@ -244,7 +214,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Install gotestlist
        run:
@@ -297,6 +267,12 @@ jobs:
        uses: actions/checkout@v4
        with:
          path: ${{ env.GOPATH }}/src/github.com/docker/docker
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
      -
        name: Set up Jaeger
        run: |
@@ -321,8 +297,8 @@ jobs:
        name: Init
        run: |
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -366,10 +342,13 @@ jobs:
              "--exec-root=$env:TEMP\moby-exec", `
              "--pidfile=$env:TEMP\docker.pid", `
              "--register-service"
-          If ("${{ inputs.storage }}" -eq "snapshotter") {
+          If ("${{ inputs.storage }}" -eq "graphdriver") {
            # Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option.
-            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d TEST_INTEGRATION_USE_SNAPSHOTTER=1 
-            echo "TEST_INTEGRATION_USE_SNAPSHOTTER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d "DOCKER_MIN_API_VERSION=1.24@TEST_INTEGRATION_USE_GRAPHDRIVER=1"
+            echo "TEST_INTEGRATION_USE_GRAPHDRIVER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          } Else {
+            # Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option.
+            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d DOCKER_MIN_API_VERSION=1.24
          }
          Write-Host "Starting service"
          Start-Service -Name docker
@@ -428,12 +407,6 @@ jobs:
          & "${{ env.BIN_OUT }}\docker" images
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-      -
-        name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
      -
        name: Test integration
        if: matrix.test == './...'
@@ -441,7 +414,6 @@ jobs:
          .\hack\make.ps1 -TestIntegration
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
      -
        name: Test integration-cli
@@ -450,7 +422,6 @@ jobs:
          .\hack\make.ps1 -TestIntegrationCli
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
          INTEGRATION_TESTRUN: ${{ matrix.test }}
      -
@@ -527,7 +498,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  TESTSTAT_VERSION: v0.1.25
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
@@ -37,6 +37,7 @@ jobs:
  build:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    strategy:
@@ -70,6 +71,7 @@ jobs:
  build-dev:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    steps:
@@ -87,12 +89,13 @@ jobs:
          targets: dev
          set: |
            *.cache-from=type=gha,scope=dev-arm64
-            *.cache-to=type=gha,scope=dev-arm64,mode=max
+            *.cache-to=type=gha,scope=dev-arm64
            *.output=type=cacheonly

  test-unit:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
    steps:
@@ -109,6 +112,9 @@ jobs:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
      -
        name: Build dev image
        uses: docker/bake-action@v6
@@ -150,7 +156,7 @@ jobs:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
    needs:
      - test-unit
    steps:
@@ -159,7 +165,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
@@ -179,6 +185,7 @@ jobs:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 120 # guardrails timeout for the whole job
    continue-on-error: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
    steps:
@@ -198,6 +205,9 @@ jobs:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
      -
        name: Build dev image
        uses: docker/bake-action@v6
@@ -249,7 +259,7 @@ jobs:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    continue-on-error: ${{ github.event_name != 'pull_request' }}
-    if: always()
+    if: always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only'))
    needs:
      - test-integration
    steps:
@@ -258,7 +268,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: Download reports
        uses: actions/download-artifact@v4
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -22,6 +22,7 @@ on:
      - '[0-9]+.x'
    tags:
      - 'v*'
+      - 'docker-v*'
  pull_request:

 env:
@@ -42,6 +43,7 @@ jobs:
  prepare:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    outputs:
      platforms: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -58,17 +60,21 @@ jobs:
          ### versioning strategy
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
+          # moby/moby-bin:23.0
+          # moby/moby-bin:23
          # moby/moby-bin:latest
          ## push semver prerelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
-          ## push on 23.0 branch
-          # moby/moby-bin:23.0
+          ## push on 28.x branch
+          # moby/moby-bin:28.x
          tags: |
-            type=semver,pattern={{version}}
            type=ref,event=branch
            type=ref,event=pr
+            type=semver,pattern={{version}},match=docker-(.*)
+            type=semver,pattern={{major}}.{{minor}},match=docker-(.*)
+            type=semver,pattern={{major}},match=docker-(.*)
      -
        name: Rename meta bake definition file
        # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -91,11 +97,11 @@ jobs:

  build:
    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only')) }}
    needs:
      - validate-dco
      - prepare
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    strategy:
      fail-fast: false
      matrix:
@@ -167,10 +173,10 @@ jobs:

  merge:
    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 40 # guardrails timeout for the whole job
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
    needs:
      - build
-    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
    steps:
      -
        name: Download meta bake definition
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -35,6 +35,7 @@ jobs:
  build-linux:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    steps:
@@ -62,6 +63,7 @@ jobs:
  test-linux:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-linux
    env:
@@ -106,7 +108,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
      -
        name: BuildKit ref
        run: |
@@ -166,6 +168,7 @@ jobs:
  build-windows:
    runs-on: windows-2022
    timeout-minutes: 120
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    env:
@@ -188,6 +191,7 @@ jobs:
      - name: Env
        run: |
          Get-ChildItem Env: | Out-String
+
      - name: Moby - Init
        run: |
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
@@ -198,18 +202,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
-      - name: Cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~\AppData\Local\go-build
-            ~\go\pkg\mod
-            ${{ github.workspace }}\go-build
-            ${{ env.GOPATH }}\pkg\mod
-          key: ${{ inputs.os }}-${{ github.job }}-${{ hashFiles('**/vendor.sum') }}
-          restore-keys: |
-            ${{ inputs.os }}-${{ github.job }}-
+          cache: false

      - name: Docker info
        run: |
@@ -220,7 +213,6 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .

@@ -266,6 +258,7 @@ jobs:
  test-windows:
    runs-on: windows-2022
    timeout-minutes: 120 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-windows
    env:
@@ -309,22 +302,27 @@ jobs:
            disabledFeatures="${disabledFeatures},merge_diff"
          fi
          echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
+
      - name: Expose GitHub Runtime
        uses: crazy-max/ghaction-github-runtime@v3
+
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: moby
+
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: vendor.sum
+          cache: false
+
      - name: BuildKit ref
        shell: bash
        run: |
          echo "$(./hack/buildkit-ref)" >> $GITHUB_ENV
        working-directory: moby
+
      - name: Checkout BuildKit ${{ env.BUILDKIT_REF }}
        uses: actions/checkout@v4
        with:
@@ -359,6 +357,7 @@ jobs:
           testFlags="${testFlags} --run=TestIntegration/$testSliceOffset.*/worker=${{ matrix.worker }}"
          fi
          echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
+
      - name: Test
        shell: bash
        run: |
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -67,6 +67,7 @@ jobs:
  prepare-cross:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    outputs:
@@ -89,6 +90,7 @@ jobs:
  cross:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
      - prepare-cross
@@ -128,6 +130,7 @@ jobs:
  govulncheck:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
+    # Always run security checks, even with 'ci/validate-only' label
    permissions:
      # required to write sarif report
      security-events: write
@@ -157,6 +160,7 @@ jobs:

  build-dind:
    runs-on: ubuntu-24.04
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    steps:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,6 +17,7 @@ on:
      - '[0-9]+.x'
    tags:
      - 'v*'
+      - 'docker-v*'
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master"]
@@ -32,6 +33,9 @@ on:
    #        * * * * *
    - cron: '0 9 * * 4'

+env:
+  GO_VERSION: "1.25.3"
+
 jobs:
  codeql:
    runs-on: ubuntu-24.04
@@ -46,19 +50,11 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
-      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
-      # and is trying to be smart by searching for modules in every directory,
-      # including vendor directories. If no module is found, it's creating one
-      # which is ... not what we want, so let's give it a "go.mod".
-      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
-      - name: Create go.mod
-        run: |
-          ln -s vendor.mod go.mod
-          ln -s vendor.sum go.sum
-      - name: Update Go
+      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.24.4"
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,18 @@
+name: "Labeler"
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Labels
+        uses: actions/labeler@v6
+        with:
+          sync-labels: false
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.25.3"
  GIT_PAGER: "cat"
  PAGER: "cat"
  SETUP_BUILDX_VERSION: edge
@@ -44,6 +44,7 @@ jobs:
        mode:
          - ""
          - systemd
+          - firewalld
    steps:
      -
        name: Prepare
@@ -65,10 +66,11 @@ jobs:
          targets: dev
          set: |
            *.cache-from=type=gha,scope=dev${{ matrix.mode }}
-            *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
+            *.cache-to=type=gha,scope=dev${{ matrix.mode }}
            *.output=type=cacheonly

  test:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
      - validate-dco
@@ -84,6 +86,7 @@ jobs:
      storage: ${{ matrix.storage }}

  test-unit:
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - build-dev
      - validate-dco
@@ -153,6 +156,7 @@ jobs:
  smoke-prepare:
    runs-on: ubuntu-24.04
    timeout-minutes: 10 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - validate-dco
    outputs:
@@ -175,6 +179,7 @@ jobs:
  smoke:
    runs-on: ubuntu-24.04
    timeout-minutes: 20 # guardrails timeout for the whole job
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    needs:
      - smoke-prepare
    strategy:
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -14,15 +14,20 @@ on:
    types: [opened, edited, labeled, unlabeled, synchronize]

 jobs:
-  check-area-label:
+  check-labels:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    steps:
      - name: Missing `area/` label
-        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
        run: |
          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
          exit 1
+      - name: Missing `kind/` label
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'kind/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have a 'kind/*' label"
+          exit 1
      - name: OK
        run: exit 0

--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -0,0 +1,46 @@
+name: vm
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  vm:
+    needs:
+      - validate-dco
+    uses: ./.github/workflows/.vm.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        template:
+          # EL 8 is used for running the tests with cgroup v1.
+          # Do not upgrade this to EL 9 until formally deprecating the cgroup v1 support.
+          #
+          # FIXME: use almalinux-8, then probably no need to keep oraclelinux-8 here.
+          # On almalinux-8, port forwarding tests are failing:
+          # https://github.com/moby/moby/pull/49819#issuecomment-2815676000
+          - template://oraclelinux-8  # Oracle's kernel 5.15
+          # - template://almalinux-8  # kernel 4.18
+    with:
+      template: ${{ matrix.template }}
--- a/.github/workflows/windows-2019.yml
+++ b/.github/workflows/windows-2019.yml
@@ -1,42 +0,0 @@
-name: windows-2019
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  schedule:
-    - cron: '0 10 * * *'
-  workflow_dispatch:
-
-jobs:
-  validate-dco:
-    uses: ./.github/workflows/.dco.yml
-
-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
-  run:
-    needs:
-      - test-prepare
-    uses: ./.github/workflows/.windows.yml
-    secrets: inherit
-    strategy:
-      fail-fast: false
-      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
-    with:
-      os: windows-2019
-      storage: ${{ matrix.storage }}
-      send_coverage: false
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -14,32 +14,25 @@ concurrency:
  cancel-in-progress: true

 on:
+  schedule:
+    - cron: '0 10 * * *'
  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:

 jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
  run:
-    needs:
-      - test-prepare
+    needs: validate-dco
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
    uses: ./.github/workflows/.windows.yml
    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+        storage:
+          - graphdriver
+          - snapshotter
    with:
      os: windows-2022
      storage: ${{ matrix.storage }}
--- a/.github/workflows/windows-2025.yml
+++ b/.github/workflows/windows-2025.yml
@@ -0,0 +1,43 @@
+name: windows-2025
+
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:
+
+jobs:
+  validate-dco:
+    uses: ./.github/workflows/.dco.yml
+
+  run:
+    needs: validate-dco
+    if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
+    uses: ./.github/workflows/.windows.yml
+    secrets: inherit
+    strategy:
+      fail-fast: false
+      matrix:
+        storage:
+          - graphdriver
+          - snapshotter
+    with:
+      os: windows-2025
+      storage: ${{ matrix.storage }}
+      send_coverage: false
--- a/.gitignore
+++ b/.gitignore
@@ -15,8 +15,8 @@ thumbs.db

 # build artifacts
 /bundles/
-/cli/winresources/dockerd/*.syso
-/cli/winresources/dockerd/winres.json
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso

 # ci artifacts
 *.exe
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,7 +3,7 @@ version: "2"
 run:
  # prevent golangci-lint from deducting the go version to lint for through go.mod,
  # which causes it to fallback to go1.17 semantics.
-  go: "1.24.4"
+  go: "1.25.3"
  concurrency: 2
  # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
  # modules-download-mode: vendor
@@ -69,6 +69,8 @@ linters:
              desc: Use github.com/moby/sys/userns instead.
            - pkg: "github.com/tonistiigi/fsutil"
              desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+            - pkg: "github.com/hashicorp/go-multierror"
+              desc: "Use errors.Join instead"

    dupword:
      ignore:
@@ -103,11 +105,11 @@ linters:
          msg: Go 1.19 atomic types should be used instead.
        - pkg: ^regexp$
          pattern: ^regexp\.MustCompile
-          msg: Use internal/lazyregexp.New instead.
+          msg: Use daemon/internal/lazyregexp.New instead.
        - pkg: github.com/vishvananda/netlink$
          pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
          msg: Use internal nlwrap package for EINTR handling.
-        - pkg: github.com/docker/docker/internal/nlwrap$
+        - pkg: github.com/moby/moby/v2/internal/nlwrap$
          pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
          msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
      analyze-types: true
@@ -192,6 +194,8 @@ linters:
          alias: c8dimages
        - pkg: github.com/opencontainers/image-spec/specs-go/v1
          alias: ocispec
+        - pkg: github.com/moby/docker-image-spec/specs-go/v1
+          alias: dockerspec
        - pkg: go.etcd.io/bbolt
          alias: bolt
          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
@@ -204,10 +208,20 @@ linters:
      max-func-lines: 0

    revive:
+      # Only listed rules are applied
+      # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
      rules:
+        - name: increment-decrement
          # FIXME make sure all packages have a description. Currently, there's many packages without.
        - name: package-comments
          disabled: true
+        - name: redefines-builtin-id
+        - name: superfluous-else
+          arguments:
+            - preserve-scope
+        - name: use-any
+        - name: use-errors-new
+        - name: var-declaration

    staticcheck:
      checks:
@@ -255,9 +269,6 @@ linters:
      http-status-code: true

  exclusions:
-    paths:
-      - volume/drivers/proxy.go # TODO: this is a generated file but with an invalid header, see https://github.com/moby/moby/pull/46274
-
    rules:
        # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
        # automatically inherited. We can decide whether or not to follow upstream
@@ -303,11 +314,6 @@ linters:
        linters:
          - staticcheck

-        # FIXME(thaJeztah): ignoring these transitional utilities until BuildKit is vendored with https://github.com/moby/moby/pull/49743
-      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping) is deprecated"
-        linters:
-          - staticcheck
-
        # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
        # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
      - text: 'nested context in function literal'
@@ -327,13 +333,21 @@ linters:
        linters:
          - forbidigo
      - text: 'use of `regexp.MustCompile` forbidden'
-        path: "internal/lazyregexp"
+        path: "daemon/internal/lazyregexp"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "internal/testutils"
        linters:
          - forbidigo
      - text: 'use of `regexp.MustCompile` forbidden'
        path: "libnetwork/cmd/networkdb-test/dbclient"
        linters:
          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "registry/"
+        linters:
+          - forbidigo

    # Log a warning if an exclusion rule is unused.
    # Default: false
--- a/.mailmap
+++ b/.mailmap
@@ -97,6 +97,7 @@ Artur Meyster <arthurfbi@yahoo.com>
 Austin Vazquez <austin.vazquez.dev@gmail.com>
 Austin Vazquez <austin.vazquez.dev@gmail.com> <55906459+austinvazquez@users.noreply.github.com>
 Austin Vazquez <austin.vazquez.dev@gmail.com> <macedonv@amazon.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <austin.vazquez@docker.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
--- a/20
+++ b/20
@@ -23,6 +23,7 @@ Abhishek Chanda <abhishek.becs@gmail.com>
 Abhishek Sharma <abhishek@asharma.me>
 Abin Shahab <ashahab@altiscale.com>
 Abirdcfly <fp544037857@gmail.com>
+Abubacarr Ceesay <abubacarr671@gmail.com>
 Ada Mancini <ada@docker.com>
 Adam Avilla <aavilla@yp.com>
 Adam Dobrawy <naczelnik@jawnosc.tk>
@@ -49,6 +50,7 @@ Adrian Mouat <adrian.mouat@gmail.com>
 Adrian Oprea <adrian@codesi.nz>
 Adrien Folie <folie.adrien@gmail.com>
 Adrien Gallouët <adrien@gallouet.fr>
+Adrien Pompée <adrien.pompee@atmosphere.aero>
 Ahmed Kamal <email.ahmedkamal@googlemail.com>
 Ahmet Alp Balkan <ahmetb@microsoft.com>
 Aidan Feldman <aidan.feldman@gmail.com>
@@ -81,6 +83,7 @@ Aleksandrs Fadins <aleks@s-ko.net>
 Alena Prokharchyk <alena@rancher.com>
 Alessandro Boch <aboch@tetrationanalytics.com>
 Alessio Biancalana <dottorblaster@gmail.com>
+Alessio Perugini <alessio@perugini.xyz>
 Alex Chan <alex@alexwlchan.net>
 Alex Chen <alexchenunix@gmail.com>
 Alex Coventry <alx@empirical.com>
@@ -171,6 +174,7 @@ Andrew Po <absourd.noise@gmail.com>
 Andrew Weiss <andrew.weiss@docker.com>
 Andrew Williams <williams.andrew@gmail.com>
 Andrews Medina <andrewsmedina@gmail.com>
+Andrey Epifanov <aepifanov@mirantis.com>
 Andrey Kolomentsev <andrey.kolomentsev@docker.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
@@ -200,6 +204,7 @@ Anthon van der Neut <anthon@mnt.org>
 Anthony Baire <Anthony.Baire@irisa.fr>
 Anthony Bishopric <git@anthonybishopric.com>
 Anthony Dahanne <anthony.dahanne@gmail.com>
+Anthony Nandaa <profnandaa@gmail.com>
 Anthony Sottile <asottile@umich.edu>
 Anton Löfgren <anton.lofgren@gmail.com>
 Anton Nikitin <anton.k.nikitin@gmail.com>
@@ -345,6 +350,7 @@ Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
 Carlos Sanchez <carlos@apache.org>
 Carol Fager-Higgins <carol.fager-higgins@docker.com>
+carsontham <carsontham@outlook.com>
 Cary <caryhartline@users.noreply.github.com>
 Casey Bisson <casey.bisson@joyent.com>
 Catalin Pirvu <pirvu.catalin94@gmail.com>
@@ -871,6 +877,7 @@ haining.cao <haining.cao@daocloud.io>
 Hakan Özler <hakan.ozler@kodcu.com>
 Hamish Hutchings <moredhel@aoeu.me>
 Hannes Ljungberg <hannes@5monkeys.se>
+Hannes Ortmeier <ortmeier.hannes@gmail.com>
 Hans Kristian Flaatten <hans@starefossen.com>
 Hans Rødtang <hansrodtang@gmail.com>
 Hao Shu Wei <haoshuwei24@gmail.com>
@@ -890,6 +897,7 @@ heartlock <21521209@zju.edu.cn>
 Hector Castro <hectcastro@gmail.com>
 Helen Xie <chenjg@harmonycloud.cn>
 Henning Sprang <henning.sprang@gmail.com>
+Henry Wang <henwang@amazon.com>
 Hiroshi Hatake <hatake@clear-code.com>
 Hiroyuki Sasagawa <hs19870702@gmail.com>
 Hobofan <goisser94@gmail.com>
@@ -1089,6 +1097,7 @@ Jintao Zhang <zhangjintao9020@gmail.com>
 Jiri Appl <jiria@microsoft.com>
 Jiri Popelka <jpopelka@redhat.com>
 Jiuyue Ma <majiuyue@huawei.com>
+Jiří Moravčík <jiri.moravcik@gmail.com>
 Jiří Župka <jzupka@redhat.com>
 jjimbo137 <115816493+jjimbo137@users.noreply.github.com>
 Joakim Roubert <joakim.roubert@axis.com>
@@ -1320,6 +1329,7 @@ Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
 Lee Calcote <leecalcote@gmail.com>
 Lee Chao <932819864@qq.com>
+Lee Gaines <leetgaines@gmail.com>
 Lee, Meng-Han <sunrisedm4@gmail.com>
 Lei Gong <lgong@alauda.io>
 Lei Jitang <leijitang@huawei.com>
@@ -1407,6 +1417,7 @@ Manuel Meurer <manuel@krautcomputing.com>
 Manuel Rüger <manuel@rueg.eu>
 Manuel Woelker <github@manuel.woelker.org>
 mapk0y <mapk0y@gmail.com>
+Marat Abrarov <abrarov@gmail.com>
 Marat Radchenko <marat@slonopotamus.org>
 Marc Abramowitz <marc@marc-abramowitz.com>
 Marc Kuo <kuomarc2@gmail.com>
@@ -1421,6 +1432,7 @@ Marcus Linke <marcus.linke@gmx.de>
 Marcus Martins <marcus@docker.com>
 Marcus Ramberg <marcus@nordaaker.com>
 Marek Goldmann <marek.goldmann@gmail.com>
+Maria Glushenok <glushenokm@gmail.com>
 Marian Marinov <mm@yuhu.biz>
 Marianna Tessel <mtesselh@gmail.com>
 Mario Loriedo <mario.loriedo@gmail.com>
@@ -1504,6 +1516,7 @@ Maxime Petazzoni <max@signalfuse.com>
 Maximiliano Maccanti <maccanti@amazon.com>
 Maxwell <csuhp007@gmail.com>
 Meaglith Ma <genedna@gmail.com>
+Medhy DOHOU <52136144+PowerPixel@users.noreply.github.com>
 meejah <meejah@meejah.ca>
 Megan Kostick <mkostick@us.ibm.com>
 Mehul Kar <mehul.kar@gmail.com>
@@ -1604,6 +1617,7 @@ Moysés Borges <moysesb@gmail.com>
 mrfly <mr.wrfly@gmail.com>
 Mrunal Patel <mrunalp@gmail.com>
 Muayyad Alsadi <alsadi@gmail.com>
+Muhammad Daffa Dinaya <muhammaddaffadinaya@gmail.com>
 Muhammad Zohaib Aslam <zohaibse011@gmail.com>
 Mustafa Akın <mustafa91@gmail.com>
 Muthukumar R <muthur@gmail.com>
@@ -2023,12 +2037,14 @@ Sergey Alekseev <sergey.alekseev.minsk@gmail.com>
 Sergey Evstifeev <sergey.evstifeev@gmail.com>
 Sergii Kabashniuk <skabashnyuk@codenvy.com>
 Sergio Lopez <slp@redhat.com>
+Serhan Tutar <randomnoise@users.noreply.github.com>
 Serhat Gülçiçek <serhat25@gmail.com>
 Serhii Nakon <serhii.n@thescimus.com>
 SeungUkLee <lsy931106@gmail.com>
 Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
 Shane da Silva <shane@dasilva.io>
+Shang Mu <smu@princeton.edu>
 Shaun Kaasten <shaunk@gmail.com>
 Shaun Thompson <shaun.thompson@docker.com>
 shaunol <shaunol@gmail.com>
@@ -2120,6 +2136,7 @@ Stéphane Este-Gracias <sestegra@gmail.com>
 Stig Larsson <stig@larsson.dev>
 Su Wang <su.wang@docker.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
+Sudheendra Gopinath <sudheendra.gopinath@amd.com>
 Sujith Haridasan <sujith.h@gmail.com>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
@@ -2176,6 +2193,7 @@ Thomas Tanaka <thomas.tanaka@oracle.com>
 Thomas Texier <sharkone@en-mousse.org>
 Ti Zhou <tizhou1986@gmail.com>
 Tiago Seabra <tlgs@users.noreply.github.com>
+Tiago Teixeira <tiago.teixeira@ecorobotix.com>
 Tianon Gravi <admwiggin@gmail.com>
 Tianyi Wang <capkurmagati@gmail.com>
 Tibor Vass <teabee89@gmail.com>
@@ -2276,6 +2294,7 @@ Valentin Kulesh <valentin.kulesh@virtuozzo.com>
 vanderliang <lansheng@meili-inc.com>
 Velko Ivanov <vivanov@deeperplane.com>
 Veres Lajos <vlajos@gmail.com>
+Viacheslav Gagara <viacheslavg@gmail.com>
 Victor Algaze <valgaze@gmail.com>
 Victor Coisne <victor.coisne@dotcloud.com>
 Victor Costan <costan@gmail.com>
@@ -2492,5 +2511,6 @@ Zunayed Ali <zunayed@gmail.com>
 徐俊杰 <paco.xu@daocloud.io>
 慕陶 <jihui.xjh@alibaba-inc.com>
 搏通 <yufeng.pyf@alibaba-inc.com>
+纯真 <38834411+chunzhennn@users.noreply.github.com>
 黄艳红00139573 <huang.yanhong@zte.com.cn>
 정재영 <jjy600901@gmail.com>
--- a/86
+++ b/86
@@ -1,27 +1,30 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.25.3
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
-ARG XX_VERSION=1.6.1
+
+# XX_VERSION specifies the version of the xx utility to use.
+# It must be a valid tag in the docker.io/tonistiigi/xx image repository.
+ARG XX_VERSION=1.7.0

 # VPNKIT_VERSION is the version of the vpnkit binary which is used as a fallback
 # network driver for rootless.
 ARG VPNKIT_VERSION=0.6.0

 # DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.2.2
+ARG DOCKERCLI_VERSION=v28.5.0
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"

 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_INTEGRATION_VERSION=v18.06.3-ce
+ARG DOCKERCLI_INTEGRATION_VERSION=v25.0.5

 # BUILDX_VERSION is the version of buildx to install in the dev container.
-ARG BUILDX_VERSION=0.24.0
+ARG BUILDX_VERSION=0.29.1

 # COMPOSE_VERSION is the version of compose to install in the dev container.
-ARG COMPOSE_VERSION=v2.36.2
+ARG COMPOSE_VERSION=v2.40.0

 ARG SYSTEMD="false"
 ARG FIREWALLD="false"
@@ -34,8 +37,8 @@ ARG DOCKER_STATIC=1
 ARG REGISTRY_VERSION=3.0.0

 # delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel.go#L1
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel_linux.go#L1
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel.go#L1
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel_linux.go#L1
 #
 # ppc64le support was added in v1.21.1, but is still experimental, and requires
 # the "-tags exp.linuxppc64le" build-tag to be set:
@@ -64,7 +67,6 @@ COPY --from=xx / /
 RUN go telemetry off && [ "$(go telemetry)" = "off" ] || { echo "Failed to disable Go telemetry"; exit 1; }
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN apt-get update && apt-get install --no-install-recommends -y file
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 FROM base AS criu
@@ -82,25 +84,18 @@ FROM distribution/distribution:$REGISTRY_VERSION AS registry
 RUN mkdir /build && mv /bin/registry /build/registry

 # go-swagger
-FROM base AS swagger-src
-WORKDIR /usr/src/swagger
-# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
-# TODO: move to under moby/ or fix upstream go-swagger to work for us.
-RUN git init . && git remote add origin "https://github.com/kolyshkin/go-swagger.git"
-# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
-# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
-ARG GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
-RUN git fetch -q --depth 1 origin "${GO_SWAGGER_COMMIT}" && git checkout -q FETCH_HEAD
-
 FROM base AS swagger
 WORKDIR /go/src/github.com/go-swagger/go-swagger
 ARG TARGETPLATFORM
-RUN --mount=from=swagger-src,src=/usr/src/swagger,rw \
-    --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
+# GO_SWAGGER_VERSION specifies the version of the go-swagger binary to install.
+# Go-swagger is used in CI for generating types from swagger.yaml in
+# hack/validate/swagger-gen
+ARG GO_SWAGGER_VERSION=v0.33.1
+RUN --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ <<EOT
  set -e
-  xx-go build -o /build/swagger ./cmd/swagger
+  GOBIN=/build CGO_ENABLED=0 xx-go install "github.com/go-swagger/go-swagger/cmd/swagger@${GO_SWAGGER_VERSION}"
  xx-verify /build/swagger
 EOT

@@ -121,7 +116,7 @@ ARG TARGETVARIANT
 RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
-        debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
+        debian:trixie-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 \
        hello-world:amd64@sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 \
@@ -135,7 +130,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.24.1
+ARG DELVE_VERSION=v1.25.2
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS delve-supported
@@ -145,7 +140,7 @@ RUN --mount=from=delve-src,src=/usr/src/delve,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=delve-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod <<EOT
  set -e
-  GO111MODULE=on xx-go build -o /build/dlv ./cmd/dlv
+  xx-go build -o /build/dlv ./cmd/dlv
  xx-verify /build/dlv
 EOT

@@ -157,7 +152,7 @@ FROM base AS gowinres
 ARG GOWINRES_VERSION=v0.3.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
     && /build/go-winres --help

 # containerd
@@ -167,11 +162,8 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # CONTAINERD_VERSION is used to build containerd binaries, and used for the
 # integration tests. The distributed docker .deb and .rpm packages depend on a
 # separate (containerd.io) package, which may be a different version as is
-# specified here. The containerd golang package is also pinned in vendor.mod.
-# When updating the binary version you may also need to update the vendor
-# version to pick up bug fixes or new APIs, however, usually the Go packages
-# are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.27
+# specified here.
+ARG CONTAINERD_VERSION=v2.1.4
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -205,27 +197,28 @@ FROM base AS golangci_lint
 ARG GOLANGCI_LINT_VERSION=v2.1.5
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

 FROM base AS gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.13.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
     && /build/gotestsum --version

 FROM base AS shfmt
 ARG SHFMT_VERSION=v3.8.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
+        GOBIN=/build CGO_ENABLED=0 go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
     && /build/shfmt --version

 FROM base AS gopls
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "golang.org/x/tools/gopls@latest" \
+        GOBIN=/build CGO_ENABLED=0 go install "golang.org/x/tools/gopls@latest" \
     && /build/gopls version

 FROM base AS dockercli
@@ -257,11 +250,11 @@ RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
 FROM base AS runc-src
 WORKDIR /usr/src/runc
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
-# RUNC_VERSION should match the version that is used by the containerd version
+# RUNC_VERSION sets the version of runc to install in the dev-container.
+# This version should usually match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged. When updating RUNC_VERSION,
-# consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.6
+# project first, and update both after that is merged.
+ARG RUNC_VERSION=v1.3.2
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -328,8 +321,8 @@ FROM tini-${TARGETOS} AS tini
 FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
-# When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
-ARG ROOTLESSKIT_VERSION=v2.3.4
+# When updating, also update go.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
+ARG ROOTLESSKIT_VERSION=v2.3.5
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS rootlesskit-build
@@ -341,7 +334,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib
            gcc \
            libc6-dev \
            pkg-config
-ENV GO111MODULE=on
 ARG DOCKER_STATIC
 RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
    --mount=type=cache,target=/go/pkg/mod \
@@ -502,6 +494,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            apparmor \
            bash-completion \
            bzip2 \
+            fuse-overlayfs \
            inetutils-ping \
            iproute2 \
            iptables \
@@ -509,6 +502,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            jq \
            libcap2-bin \
            libnet1 \
+            libnftables-dev \
            libnl-3-200 \
            libprotobuf-c1 \
            libyajl2 \
@@ -542,20 +536,21 @@ COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration
 FROM base AS build
 COPY --from=gowinres /build/ /usr/local/bin/
 WORKDIR /go/src/github.com/docker/docker
-ENV GO111MODULE=off
 ENV CGO_ENABLED=1
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            clang \
            lld \
-            llvm
+            llvm \
+            icoutils
 ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        xx-apt-get install --no-install-recommends -y \
            gcc \
            libc6-dev \
+            libnftables-dev \
            libseccomp-dev \
            libsystemd-dev \
            pkg-config
@@ -579,7 +574,6 @@ RUN <<EOT
  fi
 EOT
 RUN --mount=type=bind,target=.,rw \
-    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
  set -e
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,18 +5,17 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.25.3

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

 FROM ${GOLANG_IMAGE}
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 # Compile and runtime deps
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#build-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
 		build-essential \
 		curl \
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,12 +161,17 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.24.4
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GO_VERSION=1.25.3
+
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.13.0

 # GOWINRES_VERSION is the version of go-winres to install.
 ARG GOWINRES_VERSION=v0.3.3
-ARG CONTAINERD_VERSION=v1.7.27
+
+# TODO: Update containerd version to match Linux version once 
+# https://github.com/microsoft/hcsshim/issues/2488 is resolved.
+ARG CONTAINERD_VERSION=v2.0.6

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -176,7 +181,6 @@ ENV GO_VERSION=${GO_VERSION} `
    CONTAINERD_VERSION=${CONTAINERD_VERSION} `
    GIT_VERSION=2.11.1 `
    GOPATH=C:\gopath `
-    GO111MODULE=off `
    GOTOOLCHAIN=local `
    FROM_DOCKERFILE=1 `
    GOTESTSUM_VERSION=${GOTESTSUM_VERSION} `
@@ -257,14 +261,11 @@ RUN `
  Remove-Item C:\gitsetup.zip; `
  `
  Write-Host INFO: Downloading containerd; `
-  Install-Package -Force 7Zip4PowerShell; `
  $location='https://github.com/containerd/containerd/releases/download/'+$Env:CONTAINERD_VERSION+'/containerd-'+$Env:CONTAINERD_VERSION.TrimStart('v')+'-windows-amd64.tar.gz'; `
  Download-File $location C:\containerd.tar.gz; `
  New-Item -Path C:\containerd -ItemType Directory; `
-  Expand-7Zip C:\containerd.tar.gz C:\; `
-  Expand-7Zip C:\containerd.tar C:\containerd; `
+  tar -xzf C:\containerd.tar.gz -C C:\containerd; `
  Remove-Item C:\containerd.tar.gz; `
-  Remove-Item C:\containerd.tar; `
  `
  # Ensure all directories exist that we will require below....
  $srcDir = """$Env:GOPATH`\src\github.com\docker\docker\bundles"""; `
@@ -276,13 +277,11 @@ RUN `

 RUN `
  Function Install-GoTestSum() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
    &go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"gotestsum install failed..."'; `
    } `
@@ -292,13 +291,11 @@ RUN `

 RUN `
  Function Install-GoWinres() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing go-winres version $Env:GOWINRES_VERSION in $Env:GOBIN"; `
    &go install "github.com/tc-hib/go-winres@${Env:GOWINRES_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"go-winres install failed..."'; `
    } `
--- a/2
+++ b/2
@@ -6,7 +6,7 @@
 # GitHub ID, Name, Email address, GPG fingerprint
 "akerouanton","Albin Kerouanton","albinker@gmail.com"
 "AkihiroSuda","Akihiro Suda","akihiro.suda.cz@hco.ntt.co.jp"
-"austinvazquez","Austin Vazquez","macedonv@amazon.com"
+"austinvazquez","Austin Vazquez","austin.vazquez.dev@gmail.com"
 "corhere","Cory Snider","csnider@mirantis.com"
 "cpuguy83","Brian Goff","cpuguy83@gmail.com"
 "robmry","Rob Murray","rob.murray@docker.com"
--- a/4
+++ b/4
@@ -38,8 +38,10 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
+	-e DOCKER_FIREWALL_BACKEND \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
+	-e DOCKER_IGNORE_BR_NETFILTER_ERROR \
 	-e DOCKER_LDFLAGS \
 	-e DOCKER_PORT \
 	-e DOCKER_REMAP_ROOT \
@@ -53,7 +55,7 @@ DOCKER_ENVS := \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
-	-e TEST_INTEGRATION_USE_SNAPSHOTTER \
+	-e TEST_INTEGRATION_USE_GRAPHDRIVER \
 	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
--- a/README.md
+++ b/README.md
@@ -1,9 +1,11 @@
 The Moby Project
 ================

-[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/docker)](https://pkg.go.dev/github.com/docker/docker)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker)](https://goreportcard.com/report/github.com/docker/docker)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/v2)](https://pkg.go.dev/github.com/moby/moby/v2)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/v2)](https://goreportcard.com/report/github.com/moby/moby/v2)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)


 ![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -113,5 +113,5 @@ We see gRPC as the natural communication layer between decoupled components.

 In addition to pushing out large components into other projects, much of the
 internal code structure, and in particular the
-["Daemon"](https://godoc.org/github.com/docker/docker/daemon#Daemon) object,
+["Daemon"](https://pkg.go.dev/github.com/moby/moby/v2/daemon#Daemon) object,
 should be split into smaller, more manageable, and more testable components.
--- a/TESTING.md
+++ b/TESTING.md
@@ -8,11 +8,11 @@ questions you may have as an aspiring Moby contributor.
 Moby has two test suites (and one legacy test suite):

 * Unit tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  the package they test. Unit tests should be fast and test only their own 
  package.
 * API integration tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  `./integration/<component>` directories, where `component` is: container,
  image, volume, etc. These tests perform HTTP requests to an API endpoint and
  check the HTTP response and daemon state after the call.
@@ -57,17 +57,28 @@ Instead, implement new tests under `integration/`.
 ### Integration tests environment considerations

 When adding new tests or modifying existing tests under `integration/`, testing
-environment should be properly considered. `skip.If` from 
-[gotest.tools/skip](https://godoc.org/gotest.tools/skip) can be used to make the 
+environment should be properly considered. [`skip.If`](https://pkg.go.dev/gotest.tools/v3/skip#If) from 
+[gotest.tools/v3/skip](https://pkg.go.dev/gotest.tools/v3/skip) can be used to make the 
 test run conditionally. Full testing environment conditions can be found at 
-[environment.go](https://github.com/moby/moby/blob/6b6eeed03b963a27085ea670f40cd5ff8a61f32e/testutil/environment/environment.go)
+[environment.go](https://github.com/moby/moby/blob/311b2c87e125c6d4198014369e313135cf928a8a/testutil/environment/environment.go)

 Here is a quick example. If the test needs to interact with a docker daemon on 
 the same host, the following condition should be checked within the test code

 ```go
-skip.If(t, testEnv.IsRemoteDaemon())
-// your integration test code
+package example
+
+import (
+	"testing"
+
+	"gotest.tools/v3/skip"
+)
+
+func TestSomething(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon(), "test requires a local daemon")
+
+	// your integration test code
+}
 ```

 If a remote daemon is detected, the test will be skipped.
@@ -78,11 +89,11 @@ If a remote daemon is detected, the test will be skipped.

 To run the unit test suite:

-```
+```bash
 make test-unit
 ```

-or `hack/test/unit` from inside a `BINDDIR=. make shell` container or properly
+or `hack/test/unit` from inside a `make shell` container or properly
 configured environment.

 The following environment variables may be used to run a subset of tests:
@@ -95,7 +106,7 @@ The following environment variables may be used to run a subset of tests:

 To run the integration test suite:

-```
+```bash
 make test-integration
 ```

@@ -121,6 +132,6 @@ automatically set the other above mentioned environment variables accordingly.
 You can change a version of golang used for building stuff that is being tested
 by setting `GO_VERSION` variable, for example:

-```
-make GO_VERSION=1.12.8 test
+```bash
+make GO_VERSION=1.24.8 test
 ```
--- a/VENDORING.md
+++ b/VENDORING.md
@@ -1,46 +0,0 @@
-# Vendoring policies
-
-This document outlines recommended Vendoring policies for Docker repositories.
-(Example, libnetwork is a Docker repo and logrus is not.)
-
-## Vendoring using tags
-
-Commit ID based vendoring provides little/no information about the updates
-vendored. To fix this, vendors will now require that repositories use annotated
-tags along with commit ids to snapshot commits. Annotated tags by themselves
-are not sufficient, since the same tag can be force updated to reference
-different commits.
-
-Each tag should:
- Follow Semantic Versioning rules (refer to section on "Semantic Versioning")
- Have a corresponding entry in the change tracking document.
-
-Each repo should:
- Have a change tracking document between tags/releases. Ex: CHANGELOG.md,
-github releases file.
-
-The goal here is for consuming repos to be able to use the tag version and
-changelog updates to determine whether the vendoring will cause any breaking or
-backward incompatible changes. This also means that repos can specify having
-dependency on a package of a specific version or greater up to the next major
-release, without encountering breaking changes.
-
-## Semantic Versioning
-Annotated version tags should follow [Semantic Versioning](http://semver.org) policies:
-
-"Given a version number MAJOR.MINOR.PATCH, increment the:
-
-   1. MAJOR version when you make incompatible API changes,
-   2. MINOR version when you add functionality in a backwards-compatible manner, and
-   3. PATCH version when you make backwards-compatible bug fixes.
-
-Additional labels for pre-release and build metadata are available as extensions
-to the MAJOR.MINOR.PATCH format."
-
-## Vendoring cadence
-In order to avoid huge vendoring changes, it is recommended to have a regular
-cadence for vendoring updates. e.g. monthly.
-
-## Pre-merge vendoring tests
-All related repos will be vendored into docker/docker.
-CI on docker/docker should catch any breaking changes involving multiple repos.
--- a/api/README.md
+++ b/api/README.md
@@ -1,12 +1,18 @@
-# Working on the Engine API
+# Engine API
+
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/api)](https://pkg.go.dev/github.com/moby/moby/api)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/api)](https://goreportcard.com/report/github.com/moby/moby/api)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)
+

 The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.

 It consists of various components in this repository:

 - `api/swagger.yaml` A Swagger definition of the API.
- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
- `cli/` The command-line client.
+- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/moby/moby/issues/27919) for progress on this.
 - `client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
 - `daemon/` The daemon, which serves the API.

@@ -21,6 +27,7 @@ The API is defined by the [Swagger](http://swagger.io/specification/) definition
 ## Updating the API documentation

 The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, edit this file to represent the change in the documentation.
+Documentation for each API version can be found in the [docs directory](docs/README.md), which also provides a [CHANGELOG.md](docs/CHANGELOG.md). 

 The file is split into two main sections:

@@ -29,7 +36,7 @@ The file is split into two main sections:

 To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.

-There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919).
+There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/moby/moby/issues/27919).

 `swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful when making edits to ensure you are doing the right thing.

@@ -39,4 +46,4 @@ When you make edits to `swagger.yaml`, you may want to check the generated API d

 Run `make swagger-docs` and a preview will be running at `http://localhost:9000`. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.

-The production documentation is generated by vendoring `swagger.yaml` into [docker/docker.github.io](https://github.com/docker/docker.github.io).
+The production documentation is generated by vendoring `swagger.yaml` into [docker/docs](https://github.com/docker/docs).
--- a/api/common.go
+++ b/api/common.go
@@ -1,20 +0,0 @@
-package api
-
-// Common constants for daemon and client.
-const (
-	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.51"
-
-	// MinSupportedAPIVersion is the minimum API version that can be supported
-	// by the API server, specified as "major.minor". Note that the daemon
-	// may be configured with a different minimum API version, as returned
-	// in [github.com/docker/docker/api/types.Version.MinAPIVersion].
-	//
-	// API requests for API versions lower than the configured version produce
-	// an error.
-	MinSupportedAPIVersion = "1.24"
-
-	// NoBaseImageSpecifier is the symbol used by the FROM
-	// command to specify that no base image is to be used.
-	NoBaseImageSpecifier = "scratch"
-)
--- a/api/docs/CHANGELOG.md
+++ b/api/docs/CHANGELOG.md
--- a/api/docs/README.md
+++ b/api/docs/README.md
@@ -0,0 +1,26 @@
+# API Documentation
+
+This directory contains versioned documents for each version of the API
+specification supported by this module. While this module provides support
+for older API versions, support should be considered "best-effort", especially
+for very old versions. Users are recommended to use the latest API versions,
+and only rely on older API versions for compatibility with older clients.
+
+Newer API versions tend to be backward-compatible with older versions,
+with some exceptions where features were deprecated. For an overview
+of changes for each version, refer to [CHANGELOG.md](CHANGELOG.md).
+
+The latest version of the API specification can be found [at the root directory
+of this module](../swagger.yaml) which may contain unreleased changes.
+
+For API version v1.24, documentation is only available in markdown
+format, for later versions [Swagger (OpenAPI) v2.0](https://swagger.io/specification/v2/)
+specifications can be found in this directory. The Moby project itself
+primarily uses these swagger files to produce the API documentation;
+while we attempt to make these files match the actual implementation,
+the OpenAPI 2.0 specification has limitations that prevent us from
+expressing all options provided. There may be discrepancies (for which
+we welcome contributions). If you find bugs, or discrepancies, please
+open a ticket (or pull request).
+
+
--- a/api/docs/v1.24.md
+++ b/api/docs/v1.24.md
@@ -310,7 +310,6 @@ Create a container
             "Memory": 0,
             "MemorySwap": 0,
             "MemoryReservation": 0,
-             "KernelMemory": 0,
             "CpuPercent": 80,
             "CpuShares": 512,
             "CpuPeriod": 100000,
@@ -438,7 +437,6 @@ Create a container
    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
          You must use this with `memory` and make the swap value larger than `memory`.
    -   **MemoryReservation** - Memory soft limit in bytes.
-    -   **KernelMemory** - Kernel memory limit in bytes.
    -   **CpuPercent** - An integer value containing the usable percentage of the available CPUs. (Windows daemon only)
    -   **CpuShares** - An integer value containing the container's CPU Shares
          (ie. the relative weight vs other containers).
@@ -627,7 +625,6 @@ Return low-level information on the container `id`
 			"Memory": 0,
 			"MemorySwap": 0,
 			"MemoryReservation": 0,
-			"KernelMemory": 0,
 			"OomKillDisable": false,
 			"OomScoreAdj": 500,
 			"NetworkMode": "bridge",
@@ -1197,7 +1194,6 @@ Update configuration of one or more containers.
         "Memory": 314572800,
         "MemorySwap": 514288000,
         "MemoryReservation": 209715200,
-         "KernelMemory": 52428800,
         "RestartPolicy": {
           "MaximumRetryCount": 4,
           "Name": "on-failure"
@@ -1830,8 +1826,7 @@ a base64-encoded AuthConfig object.
        ```
    {
            "username": "jdoe",
-            "password": "secret",
-            "email": "jdoe@acme.com"
+            "password": "secret"
    }
        ```

@@ -2066,8 +2061,7 @@ The push is cancelled if the HTTP connection is closed.
        ```
    {
            "username": "jdoe",
-            "password": "secret",
-            "email": "jdoe@acme.com",
+            "password": "secret"
    }
        ```

@@ -2498,8 +2492,6 @@ Docker daemon report the following event:
    Transfer-Encoding: chunked

    {
-      "status": "pull",
-      "id": "alpine:latest",
      "Type": "image",
      "Action": "pull",
      "Actor": {
@@ -2512,9 +2504,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101301854122
    }
    {
-      "status": "create",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "create",
      "Actor": {
@@ -2529,9 +2518,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101381709551
    }
    {
-      "status": "attach",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "attach",
      "Actor": {
@@ -2560,9 +2546,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101394865557
    }
    {
-      "status": "start",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "start",
      "Actor": {
@@ -2577,9 +2560,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101607533796
    }
    {
-      "status": "resize",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "resize",
      "Actor": {
@@ -2596,9 +2576,6 @@ Docker daemon report the following event:
      "timeNano": 1461943101610269268
    }
    {
-      "status": "die",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "die",
      "Actor": {
@@ -2628,9 +2605,6 @@ Docker daemon report the following event:
      "timeNano": 1461943105230860245
    }
    {
-      "status": "destroy",
-      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
-      "from": "alpine",
      "Type": "container",
      "Action": "destroy",
      "Actor": {
--- a/api/docs/v1.25.yaml
+++ b/api/docs/v1.25.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -432,10 +431,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -984,6 +979,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -1975,6 +1974,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2712,7 +2712,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3012,7 +3011,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3693,7 +3691,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5100,7 +5097,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.26.yaml
+++ b/api/docs/v1.26.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -432,10 +431,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -984,6 +979,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -1979,6 +1978,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2716,7 +2716,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.27.yaml
+++ b/api/docs/v1.27.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -434,10 +433,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -989,6 +984,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2051,6 +2050,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2775,7 +2775,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3075,7 +3074,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
--- a/api/docs/v1.28.yaml
+++ b/api/docs/v1.28.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -440,10 +439,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1027,6 +1022,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2104,6 +2103,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2864,7 +2864,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3164,7 +3163,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3855,7 +3853,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5287,7 +5284,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.29.yaml
+++ b/api/docs/v1.29.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -443,10 +442,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1033,6 +1028,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2125,6 +2124,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
@@ -2897,7 +2897,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -3197,7 +3196,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -3888,7 +3886,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
@@ -5320,7 +5317,6 @@ paths:
              IndexServerAddress: "https://index.docker.io/v1/"
              InitPath: "/usr/bin/docker"
              InitSha1: ""
-              KernelMemory: true
              KernelVersion: "3.12.0-1-amd64"
              Labels:
                - "storage=ssd"
--- a/api/docs/v1.30.yaml
+++ b/api/docs/v1.30.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -445,10 +444,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1043,6 +1038,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2303,6 +2302,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3110,7 +3110,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.31.yaml
+++ b/api/docs/v1.31.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -445,10 +444,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1049,6 +1044,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2332,6 +2331,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -2861,7 +2861,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3183,7 +3183,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
--- a/api/docs/v1.32.yaml
+++ b/api/docs/v1.32.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -449,10 +448,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1308,6 +1303,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2783,6 +2782,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3333,7 +3333,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3518,10 +3518,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4395,7 +4391,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4703,7 +4698,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5392,7 +5386,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.33.yaml
+++ b/api/docs/v1.33.yaml
@@ -60,7 +60,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -453,10 +452,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1312,6 +1307,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2787,6 +2786,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3337,7 +3337,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3522,10 +3522,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4399,7 +4395,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4707,7 +4702,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5396,7 +5390,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.34.yaml
+++ b/api/docs/v1.34.yaml
@@ -62,7 +62,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -455,10 +454,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1322,6 +1317,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2797,6 +2796,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3365,7 +3365,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3550,10 +3550,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4427,7 +4423,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4735,7 +4730,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5424,7 +5418,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.35.yaml
+++ b/api/docs/v1.35.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -466,10 +465,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1319,6 +1314,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2801,6 +2800,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3369,7 +3369,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3554,10 +3554,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4431,7 +4427,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4739,7 +4734,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5433,7 +5427,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.36.yaml
+++ b/api/docs/v1.36.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1319,6 +1318,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2814,6 +2817,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3382,7 +3386,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.37.yaml
+++ b/api/docs/v1.37.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1322,6 +1321,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2817,6 +2820,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3388,7 +3392,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.38.yaml
+++ b/api/docs/v1.38.yaml
@@ -71,7 +71,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -467,10 +466,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -1333,6 +1328,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2871,6 +2870,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3442,7 +3442,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -3641,10 +3641,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
        type: "boolean"
@@ -4518,7 +4514,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -4836,7 +4831,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -5543,7 +5537,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.39.yaml
+++ b/api/docs/v1.39.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -530,11 +529,6 @@ definitions:
        description: "Disk limit (in bytes)."
        type: "integer"
        format: "int64"
-      KernelMemory:
-        description: "Kernel memory limit in bytes."
-        type: "integer"
-        format: "int64"
-        example: 209715200
      MemoryReservation:
        description: "Memory soft limit in bytes."
        type: "integer"
@@ -2109,6 +2103,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -3913,6 +3911,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4503,7 +4502,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -4889,10 +4888,6 @@ definitions:
        description: "Indicates if the host has memory swap limit support enabled."
        type: "boolean"
        example: true
-      KernelMemory:
-        description: "Indicates if the host has kernel memory limit support enabled."
-        type: "boolean"
-        example: true
      CpuCfsPeriod:
        description: |
          Indicates if CPU CFS(Completely Fair Scheduler) period is supported by
@@ -5823,7 +5818,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                NanoCpus: 500000
                CpuPercent: 80
                CpuShares: 512
@@ -6097,7 +6091,6 @@ paths:
                Memory: 0
                MemorySwap: 0
                MemoryReservation: 0
-                KernelMemory: 0
                OomKillDisable: false
                OomScoreAdj: 500
                NetworkMode: "bridge"
@@ -6835,7 +6828,6 @@ paths:
              Memory: 314572800
              MemorySwap: 514288000
              MemoryReservation: 209715200
-              KernelMemory: 52428800
              RestartPolicy:
                MaximumRetryCount: 4
                Name: "on-failure"
--- a/api/docs/v1.40.yaml
+++ b/api/docs/v1.40.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2169,6 +2168,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4039,6 +4042,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4627,7 +4631,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -7948,7 +7952,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.41.yaml
+++ b/api/docs/v1.41.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2200,6 +2199,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -4204,6 +4207,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4876,7 +4880,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8237,7 +8241,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.42.yaml
+++ b/api/docs/v1.42.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2203,6 +2202,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2616,14 +2619,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4223,6 +4218,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4895,7 +4891,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8487,7 +8483,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.43.yaml
+++ b/api/docs/v1.43.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2234,6 +2233,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2647,14 +2650,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4254,6 +4249,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4926,7 +4922,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8505,7 +8501,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.44.yaml
+++ b/api/docs/v1.44.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2086,14 +2085,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2225,14 +2216,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2261,6 +2244,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2674,14 +2661,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4322,6 +4301,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5041,7 +5021,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8662,7 +8642,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.45.yaml
+++ b/api/docs/v1.45.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2072,14 +2071,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2211,14 +2202,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2247,6 +2230,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2660,14 +2647,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4308,6 +4287,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5027,7 +5007,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8648,7 +8628,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.46.yaml
+++ b/api/docs/v1.46.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2099,14 +2098,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/GraphDriverData"
      RootFS:
@@ -2239,14 +2230,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2275,6 +2258,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2706,14 +2693,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4361,6 +4340,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5086,7 +5066,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8769,7 +8749,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.47.yaml
+++ b/api/docs/v1.47.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2099,14 +2098,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/DriverData"
      RootFS:
@@ -2239,14 +2230,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2288,6 +2271,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2724,14 +2711,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -4379,6 +4358,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5104,7 +5084,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8910,7 +8890,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.48.yaml
+++ b/api/docs/v1.48.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2176,14 +2175,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/DriverData"
      RootFS:
@@ -2316,14 +2307,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2377,6 +2360,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2825,14 +2812,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -3039,7 +3018,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4517,6 +4497,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5512,7 +5493,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -6546,7 +6527,7 @@ definitions:

          > **Deprecated**: netfilter module is now loaded on-demand and no longer
          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
+          > `false` and will be removed in a API v1.50.
        type: "boolean"
        example: false
      BridgeNfIp6tables:
@@ -6557,7 +6538,7 @@ definitions:

          > **Deprecated**: netfilter module is now loaded on-demand, and no longer
          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
+          > `false` and will be removed in a API v1.50.
        type: "boolean"
        example: false
      Debug:
@@ -9454,7 +9435,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9492,7 +9484,7 @@ paths:
            Amount of disk space in bytes to keep for cache

            > **Deprecated**: This parameter is deprecated and has been renamed to "reserved-space".
-            > It is kept for backward compatibility and will be removed in API v1.49.
+            > It is kept for backward compatibility and will be removed in API v1.52.
          type: "integer"
          format: "int64"
        - name: "reserved-space"
--- a/api/docs/v1.49.yaml
+++ b/api/docs/v1.49.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -2176,14 +2175,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/DriverData"
      RootFS:
@@ -2316,14 +2307,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2377,6 +2360,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2825,14 +2812,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -3039,7 +3018,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4517,6 +4497,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5512,7 +5493,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -6546,7 +6527,7 @@ definitions:

          > **Deprecated**: netfilter module is now loaded on-demand and no longer
          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
+          > `false` and will be removed in a API v1.50.
        type: "boolean"
        example: false
      BridgeNfIp6tables:
@@ -6557,7 +6538,7 @@ definitions:

          > **Deprecated**: netfilter module is now loaded on-demand, and no longer
          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
+          > `false` and will be removed in a API v1.50.
        type: "boolean"
        example: false
      Debug:
@@ -9454,7 +9435,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9492,7 +9484,7 @@ paths:
            Amount of disk space in bytes to keep for cache

            > **Deprecated**: This parameter is deprecated and has been renamed to "reserved-space".
-            > It is kept for backward compatibility and will be removed in API v1.49.
+            > It is kept for backward compatibility and will be removed in API v1.52.
          type: "integer"
          format: "int64"
        - name: "reserved-space"
--- a/api/docs/v1.50.yaml
+++ b/api/docs/v1.50.yaml
@@ -81,7 +81,6 @@ info:
    {
      "username": "string",
      "password": "string",
-      "email": "string",
      "serveraddress": "string"
    }
    ```
@@ -1531,37 +1530,6 @@ definitions:
        items:
          type: "string"
        example: ["/bin/sh", "-c"]
-    # FIXME(thaJeztah): temporarily using a full example to remove some "omitempty" fields. Remove once the fields are removed.
-    example:
-      "User": "web:web"
-      "ExposedPorts": {
-        "80/tcp": {},
-        "443/tcp": {}
-      }
-      "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
-      "Cmd": ["/bin/sh"]
-      "Healthcheck": {
-        "Test": ["string"],
-        "Interval": 0,
-        "Timeout": 0,
-        "Retries": 0,
-        "StartPeriod": 0,
-        "StartInterval": 0
-      }
-      "ArgsEscaped": true
-      "Volumes": {
-        "/app/data": {},
-        "/app/config": {}
-      }
-      "WorkingDir": "/public/"
-      "Entrypoint": []
-      "OnBuild": []
-      "Labels": {
-        "com.example.some-label": "some-value",
-        "com.example.some-other-label": "some-other-value"
-      }
-      "StopSignal": "SIGTERM"
-      "Shell": ["/bin/sh", "-c"]

  NetworkingConfig:
    description: |
@@ -2034,14 +2002,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 1239828
      GraphDriver:
        $ref: "#/definitions/DriverData"
      RootFS:
@@ -2174,14 +2134,6 @@ definitions:
        format: "int64"
        x-nullable: false
        example: 1239828
-      VirtualSize:
-        description: |-
-          Total size of the image including all layers it is composed of.
-
-          Deprecated: this field is omitted in API v1.44, but kept for backward compatibility. Use Size instead.
-        type: "integer"
-        format: "int64"
-        example: 172064416
      Labels:
        description: "User-defined key/value metadata."
        type: "object"
@@ -2235,6 +2187,10 @@ definitions:
      password:
        type: "string"
      email:
+        description: |
+          Email is an optional value associated with the username.
+
+          > **Deprecated**: This field is deprecated since docker 1.11 (API v1.23) and will be removed in a future release.
        type: "string"
      serveraddress:
        type: "string"
@@ -2683,14 +2639,6 @@ definitions:
        description: |
          Unique ID of the build cache record.
        example: "ndlpt0hhvkqcdfkputsk4cq9c"
-      Parent:
-        description: |
-          ID of the parent build cache record.
-
-          > **Deprecated**: This field is deprecated, and omitted if empty.
-        type: "string"
-        x-nullable: true
-        example: ""
      Parents:
        description: |
          List of parent build cache record IDs.
@@ -2914,7 +2862,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4392,6 +4341,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5387,7 +5337,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -6412,29 +6362,6 @@ definitions:
        description: "Indicates IPv4 forwarding is enabled."
        type: "boolean"
        example: true
-      BridgeNfIptables:
-        description: |
-          Indicates if `bridge-nf-call-iptables` is available on the host when
-          the daemon was started.
-
-          <p><br /></p>
-
-          > **Deprecated**: netfilter module is now loaded on-demand and no longer
-          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
-        type: "boolean"
-        example: false
-      BridgeNfIp6tables:
-        description: |
-          Indicates if `bridge-nf-call-ip6tables` is available on the host.
-
-          <p><br /></p>
-
-          > **Deprecated**: netfilter module is now loaded on-demand, and no longer
-          > during daemon startup, making this field obsolete. This field is always
-          > `false` and will be removed in a API v1.49.
-        type: "boolean"
-        example: false
      Debug:
        description: |
          Indicates if the daemon is running in debug-mode / with debug-level
@@ -9338,7 +9265,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9376,7 +9314,7 @@ paths:
            Amount of disk space in bytes to keep for cache

            > **Deprecated**: This parameter is deprecated and has been renamed to "reserved-space".
-            > It is kept for backward compatibility and will be removed in API v1.49.
+            > It is kept for backward compatibility and will be removed in API v1.52.
          type: "integer"
          format: "int64"
        - name: "reserved-space"
--- a/api/docs/v1.51.yaml
+++ b/api/docs/v1.51.yaml
--- a/api/docs/v1.52.yaml
+++ b/api/docs/v1.52.yaml
--- a/api/go.mod
+++ b/api/go.mod
@@ -0,0 +1,14 @@
+module github.com/moby/moby/api
+
+go 1.23.0
+
+require (
+	github.com/docker/go-units v0.5.0
+	github.com/moby/docker-image-spec v1.3.1
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.1
+	gotest.tools/v3 v3.5.2
+	pgregory.net/rapid v1.2.0
+)
+
+require github.com/google/go-cmp v0.7.0 // indirect
--- a/api/go.sum
+++ b/api/go.sum
@@ -0,0 +1,14 @@
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/api/pkg/authconfig/authconfig.go
+++ b/api/pkg/authconfig/authconfig.go
@@ -0,0 +1,92 @@
+package authconfig
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/moby/moby/api/types/registry"
+)
+
+// Encode serializes the auth configuration as a base64url encoded
+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.
+//
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+func Encode(authConfig registry.AuthConfig) (string, error) {
+	// Older daemons (or registries) may not handle an empty string,
+	// which resulted in an "io.EOF" when unmarshaling or decoding.
+	//
+	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.
+	// if authConfig == (AuthConfig{}) { return "", nil }
+	buf, err := json.Marshal(authConfig)
+	if err != nil {
+		return "", errInvalidParameter{err}
+	}
+	return base64.URLEncoding.EncodeToString(buf), nil
+}
+
+// Decode decodes base64url encoded ([RFC4648, section 5]) JSON
+// authentication information as sent through the X-Registry-Auth header.
+//
+// This function always returns an [AuthConfig], even if an error occurs. It is up
+// to the caller to decide if authentication is required, and if the error can
+// be ignored.
+//
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
+func Decode(authEncoded string) (*registry.AuthConfig, error) {
+	if authEncoded == "" {
+		return &registry.AuthConfig{}, nil
+	}
+
+	decoded, err := base64.URLEncoding.DecodeString(authEncoded)
+	if err != nil {
+		var e base64.CorruptInputError
+		if errors.As(err, &e) {
+			return &registry.AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))
+		}
+		return &registry.AuthConfig{}, invalid(err)
+	}
+
+	if bytes.Equal(decoded, []byte("{}")) {
+		return &registry.AuthConfig{}, nil
+	}
+
+	return decode(bytes.NewReader(decoded))
+}
+
+// DecodeRequestBody decodes authentication information as sent as JSON in the
+// body of a request. This function is to provide backward compatibility with old
+// clients and API versions. Current clients and API versions expect authentication
+// to be provided through the X-Registry-Auth header.
+//
+// Like [Decode], this function always returns an [AuthConfig], even if an
+// error occurs. It is up to the caller to decide if authentication is required,
+// and if the error can be ignored.
+func DecodeRequestBody(r io.ReadCloser) (*registry.AuthConfig, error) {
+	return decode(r)
+}
+
+func decode(r io.Reader) (*registry.AuthConfig, error) {
+	authConfig := &registry.AuthConfig{}
+	if err := json.NewDecoder(r).Decode(authConfig); err != nil {
+		// always return an (empty) AuthConfig to increase compatibility with
+		// the existing API.
+		return &registry.AuthConfig{}, invalid(fmt.Errorf("invalid JSON: %w", err))
+	}
+	return authConfig, nil
+}
+
+func invalid(err error) error {
+	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}
+}
+
+type errInvalidParameter struct{ error }
+
+func (errInvalidParameter) InvalidParameter() {}
+
+func (e errInvalidParameter) Cause() error { return e.error }
+
+func (e errInvalidParameter) Unwrap() error { return e.error }
--- a/api/pkg/authconfig/authconfig_test.go
+++ b/api/pkg/authconfig/authconfig_test.go
@@ -0,0 +1,191 @@
+package authconfig
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"github.com/moby/moby/api/types/registry"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestDecodeAuthConfig(t *testing.T) {
+	tests := []struct {
+		doc         string
+		input       string
+		inputBase64 string
+		expected    registry.AuthConfig
+		expectedErr string
+	}{
+		{
+			doc:         "empty",
+			input:       ``,
+			inputBase64: ``,
+			expected:    registry.AuthConfig{},
+		},
+		{
+			doc:         "empty JSON",
+			input:       `{}`,
+			inputBase64: `e30=`,
+			expected:    registry.AuthConfig{},
+		},
+		{
+			doc:         "malformed JSON",
+			input:       `{`,
+			inputBase64: `ew==`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: invalid JSON: unexpected EOF`,
+		},
+		{
+			doc:         "test authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,
+			expected: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+		},
+		{
+			// FIXME(thaJeztah): we should not accept multiple JSON documents.
+			doc:         "multiple authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}{"username":"testuser2","password":"testpassword2","serveraddress":"example.org"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifXsidXNlcm5hbWUiOiJ0ZXN0dXNlcjIiLCJwYXNzd29yZCI6InRlc3RwYXNzd29yZDIiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5vcmcifQ==`,
+			expected: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+		},
+		// We currently only support base64url encoding with padding, so
+		// un-padded should produce an error.
+		//
+		// RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5
+		// RFC4648, section 3.2: https://tools.ietf.org/html/rfc4648#section-3.2
+		{
+			doc:         "empty JSON no padding",
+			input:       `{}`,
+			inputBase64: `e30`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,
+		},
+		{
+			doc:         "test authConfig",
+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ`,
+			expected:    registry.AuthConfig{},
+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			if tc.inputBase64 != "" {
+				// Sanity check to make sure our fixtures are correct.
+				b64 := base64.URLEncoding.EncodeToString([]byte(tc.input))
+				if !strings.HasSuffix(tc.inputBase64, "=") {
+					b64 = strings.TrimRight(b64, "=")
+				}
+				assert.Check(t, is.Equal(b64, tc.inputBase64))
+			}
+
+			out, err := Decode(tc.inputBase64)
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorType(err, errInvalidParameter{}))
+				assert.Check(t, is.Error(err, tc.expectedErr))
+			} else {
+				assert.NilError(t, err)
+				assert.Equal(t, *out, tc.expected)
+			}
+		})
+	}
+}
+
+func TestEncodeAuthConfig(t *testing.T) {
+	tests := []struct {
+		doc       string
+		input     registry.AuthConfig
+		outBase64 string
+		outPlain  string
+	}{
+		{
+			// Older daemons (or registries) may not handle an empty string,
+			// which resulted in an "io.EOF" when unmarshaling or decoding.
+			//
+			// FIXME(thaJeztah): find exactly what code-paths are impacted by this.
+			doc:       "empty",
+			input:     registry.AuthConfig{},
+			outBase64: `e30=`,
+			outPlain:  `{}`,
+		},
+		{
+			doc: "test authConfig",
+			input: registry.AuthConfig{
+				Username:      "testuser",
+				Password:      "testpassword",
+				ServerAddress: "example.com",
+			},
+			outBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,
+			outPlain:  `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,
+		},
+	}
+	for _, tc := range tests {
+		// Sanity check to make sure our fixtures are correct.
+		b64 := base64.URLEncoding.EncodeToString([]byte(tc.outPlain))
+		assert.Check(t, is.Equal(b64, tc.outBase64))
+
+		t.Run(tc.doc, func(t *testing.T) {
+			out, err := Encode(tc.input)
+			assert.NilError(t, err)
+			assert.Equal(t, out, tc.outBase64)
+
+			authJSON, err := base64.URLEncoding.DecodeString(out)
+			assert.NilError(t, err)
+			assert.Equal(t, string(authJSON), tc.outPlain)
+		})
+	}
+}
+
+func BenchmarkDecodeAuthConfig(b *testing.B) {
+	cases := []struct {
+		doc         string
+		inputBase64 string
+		invalid     bool
+	}{
+		{
+			doc:         "empty",
+			inputBase64: ``,
+		},
+		{
+			doc:         "empty JSON",
+			inputBase64: `e30=`,
+		},
+		{
+			doc:         "valid",
+			inputBase64: base64.URLEncoding.EncodeToString([]byte(`{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`)),
+		},
+		{
+			doc:         "invalid base64",
+			inputBase64: "not-base64",
+			invalid:     true,
+		},
+		{
+			doc:         "malformed JSON",
+			inputBase64: `ew==`,
+			invalid:     true,
+		},
+	}
+
+	for _, tc := range cases {
+		b.Run(tc.doc, func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, err := Decode(tc.inputBase64)
+				if !tc.invalid && err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
--- a/api/pkg/stdcopy/stdcopy.go
+++ b/api/pkg/stdcopy/stdcopy.go
@@ -0,0 +1,146 @@
+package stdcopy
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+)
+
+// StdType is the type of standard stream
+// a writer can multiplex to.
+type StdType byte
+
+const (
+	Stdin     StdType = 0 // Stdin represents standard input stream. It is present for completeness and should NOT be used. When reading the stream with [StdCopy] it is output on [Stdout].
+	Stdout    StdType = 1 // Stdout represents standard output stream.
+	Stderr    StdType = 2 // Stderr represents standard error steam.
+	Systemerr StdType = 3 // Systemerr represents errors originating from the system. When reading the stream with [StdCopy] it is returned as an error.
+)
+
+const (
+	stdWriterPrefixLen = 8
+	stdWriterFdIndex   = 0
+	stdWriterSizeIndex = 4
+
+	startingBufLen = 32*1024 + stdWriterPrefixLen + 1
+)
+
+// StdCopy is a modified version of [io.Copy] to de-multiplex messages
+// from "multiplexedSource" and copy them to destination streams
+// "destOut" and "destErr".
+//
+// StdCopy demultiplexes "multiplexedSource", assuming that it contains
+// two streams, previously multiplexed using a writer created with
+// [NewStdWriter].
+//
+// As it reads from "multiplexedSource", StdCopy writes [Stdout] messages
+// to "destOut", and [Stderr] message to "destErr]. For backward-compatibility,
+// [Stdin] messages are output to "destOut". The [Systemerr] stream provides
+// errors produced by the daemon. It is returned as an error, and terminates
+// processing the stream.
+//
+// StdCopy it reads until it hits [io.EOF] on "multiplexedSource", after
+// which it returns a nil error. In other words: any error returned indicates
+// a real underlying error, which may be when an unknown [StdType] stream
+// is received.
+//
+// The "written" return holds the total number of bytes written to "destOut"
+// and "destErr" combined.
+func StdCopy(destOut, destErr io.Writer, multiplexedSource io.Reader) (written int64, _ error) {
+	var (
+		buf       = make([]byte, startingBufLen)
+		bufLen    = len(buf)
+		nr, nw    int
+		err       error
+		out       io.Writer
+		frameSize int
+	)
+
+	for {
+		// Make sure we have at least a full header
+		for nr < stdWriterPrefixLen {
+			var nr2 int
+			nr2, err = multiplexedSource.Read(buf[nr:])
+			nr += nr2
+			if errors.Is(err, io.EOF) {
+				if nr < stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		// Check the first byte to know where to write
+		stream := StdType(buf[stdWriterFdIndex])
+		switch stream {
+		case Stdin:
+			fallthrough
+		case Stdout:
+			// Write on stdout
+			out = destOut
+		case Stderr:
+			// Write on stderr
+			out = destErr
+		case Systemerr:
+			// If we're on Systemerr, we won't write anywhere.
+			// NB: if this code changes later, make sure you don't try to write
+			// to outstream if Systemerr is the stream
+			out = nil
+		default:
+			return 0, fmt.Errorf("unrecognized stream: %d", stream)
+		}
+
+		// Retrieve the size of the frame
+		frameSize = int(binary.BigEndian.Uint32(buf[stdWriterSizeIndex : stdWriterSizeIndex+4]))
+
+		// Check if the buffer is big enough to read the frame.
+		// Extend it if necessary.
+		if frameSize+stdWriterPrefixLen > bufLen {
+			buf = append(buf, make([]byte, frameSize+stdWriterPrefixLen-bufLen+1)...)
+			bufLen = len(buf)
+		}
+
+		// While the amount of bytes read is less than the size of the frame + header, we keep reading
+		for nr < frameSize+stdWriterPrefixLen {
+			var nr2 int
+			nr2, err = multiplexedSource.Read(buf[nr:])
+			nr += nr2
+			if errors.Is(err, io.EOF) {
+				if nr < frameSize+stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if err != nil {
+				return 0, err
+			}
+		}
+
+		// we might have an error from the source mixed up in our multiplexed
+		// stream. if we do, return it.
+		if stream == Systemerr {
+			return written, fmt.Errorf("error from daemon in stream: %s", string(buf[stdWriterPrefixLen:frameSize+stdWriterPrefixLen]))
+		}
+
+		// Write the retrieved frame (without header)
+		nw, err = out.Write(buf[stdWriterPrefixLen : frameSize+stdWriterPrefixLen])
+		if err != nil {
+			return 0, err
+		}
+
+		// If the frame has not been fully written: error
+		if nw != frameSize {
+			return 0, io.ErrShortWrite
+		}
+		written += int64(nw)
+
+		// Move the rest of the buffer to the beginning
+		copy(buf, buf[frameSize+stdWriterPrefixLen:])
+		// Move the index
+		nr -= frameSize + stdWriterPrefixLen
+	}
+}
--- a/api/releases/v1.52.0-beta.toml
+++ b/api/releases/v1.52.0-beta.toml
@@ -0,0 +1,17 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "moby"
+github_repo = "moby/moby"
+sub_path = "api"
+ignore_deps = [ "github.com/moby/moby" ]
+
+# previous release
+previous = "v28.2.2"
+
+pre_release = true
+
+preface = """\
+The first dedicated release for the Moby API. This release continues the 1.x
+line of API compatibility with the 52nd minor release of the 1.x API.
+"""
--- a/api/server/backend/build/backend.go
+++ b/api/server/backend/build/backend.go
@@ -1,128 +0,0 @@
-package build
-
-import (
-	"context"
-	"fmt"
-	"strconv"
-
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
-	"github.com/docker/docker/api/types/events"
-	"github.com/docker/docker/builder"
-	buildkit "github.com/docker/docker/builder/builder-next"
-	daemonevents "github.com/docker/docker/daemon/events"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/stringid"
-	"github.com/pkg/errors"
-	"google.golang.org/grpc"
-)
-
-// ImageComponent provides an interface for working with images
-type ImageComponent interface {
-	SquashImage(from string, to string) (string, error)
-	TagImage(context.Context, image.ID, reference.Named) error
-}
-
-// Builder defines interface for running a build
-type Builder interface {
-	Build(context.Context, backend.BuildConfig) (*builder.Result, error)
-}
-
-// Backend provides build functionality to the API router
-type Backend struct {
-	builder        Builder
-	imageComponent ImageComponent
-	buildkit       *buildkit.Builder
-	eventsService  *daemonevents.Events
-}
-
-// NewBackend creates a new build backend from components
-func NewBackend(components ImageComponent, builder Builder, buildkit *buildkit.Builder, es *daemonevents.Events) (*Backend, error) {
-	return &Backend{imageComponent: components, builder: builder, buildkit: buildkit, eventsService: es}, nil
-}
-
-// RegisterGRPC registers buildkit controller to the grpc server.
-func (b *Backend) RegisterGRPC(s *grpc.Server) {
-	if b.buildkit != nil {
-		b.buildkit.RegisterGRPC(s)
-	}
-}
-
-// Build builds an image from a Source
-func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string, error) {
-	options := config.Options
-	useBuildKit := options.Version == build.BuilderBuildKit
-
-	tags, err := sanitizeRepoAndTags(options.Tags)
-	if err != nil {
-		return "", err
-	}
-
-	var buildResult *builder.Result
-	if useBuildKit {
-		buildResult, err = b.buildkit.Build(ctx, config)
-		if err != nil {
-			return "", err
-		}
-	} else {
-		buildResult, err = b.builder.Build(ctx, config)
-		if err != nil {
-			return "", err
-		}
-	}
-
-	if buildResult == nil {
-		return "", nil
-	}
-
-	imageID := buildResult.ImageID
-	if options.Squash {
-		if imageID, err = squashBuild(buildResult, b.imageComponent); err != nil {
-			return "", err
-		}
-		if config.ProgressWriter.AuxFormatter != nil {
-			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", build.Result{ID: imageID}); err != nil {
-				return "", err
-			}
-		}
-	}
-
-	if imageID != "" && !useBuildKit {
-		stdout := config.ProgressWriter.StdoutFormatter
-		_, _ = fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
-		err = tagImages(ctx, b.imageComponent, config.ProgressWriter.StdoutFormatter, image.ID(imageID), tags)
-	}
-	return imageID, err
-}
-
-// PruneCache removes all cached build sources
-func (b *Backend) PruneCache(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
-	buildCacheSize, cacheIDs, err := b.buildkit.Prune(ctx, opts)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to prune build cache")
-	}
-	b.eventsService.Log(events.ActionPrune, events.BuilderEventType, events.Actor{
-		Attributes: map[string]string{
-			"reclaimed": strconv.FormatInt(buildCacheSize, 10),
-		},
-	})
-	return &build.CachePruneReport{SpaceReclaimed: uint64(buildCacheSize), CachesDeleted: cacheIDs}, nil
-}
-
-// Cancel cancels the build by ID
-func (b *Backend) Cancel(ctx context.Context, id string) error {
-	return b.buildkit.Cancel(ctx, id)
-}
-
-func squashBuild(build *builder.Result, imageComponent ImageComponent) (string, error) {
-	var fromID string
-	if build.FromImage != nil {
-		fromID = build.FromImage.ImageID()
-	}
-	imageID, err := imageComponent.SquashImage(build.ImageID, fromID)
-	if err != nil {
-		return "", errors.Wrap(err, "error squashing image")
-	}
-	return imageID, nil
-}
--- a/api/server/httputils/decoder.go
+++ b/api/server/httputils/decoder.go
@@ -1,15 +0,0 @@
-package httputils
-
-import (
-	"io"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/network"
-)
-
-// ContainerDecoder specifies how
-// to translate an io.Reader into
-// container configuration.
-type ContainerDecoder interface {
-	DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *network.NetworkingConfig, error)
-}
--- a/api/server/httputils/write_log_stream.go
+++ b/api/server/httputils/write_log_stream.go
@@ -1,89 +0,0 @@
-package httputils
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"sort"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/docker/docker/pkg/stdcopy"
-)
-
-// WriteLogStream writes an encoded byte stream of log messages from the
-// messages channel, multiplexing them with a stdcopy.Writer if mux is true
-func WriteLogStream(_ context.Context, w http.ResponseWriter, msgs <-chan *backend.LogMessage, config *container.LogsOptions, mux bool) {
-	// See https://github.com/moby/moby/issues/47448
-	// Trigger headers to be written immediately.
-	w.WriteHeader(http.StatusOK)
-
-	wf := ioutils.NewWriteFlusher(w)
-	defer wf.Close()
-
-	wf.Flush()
-
-	outStream := io.Writer(wf)
-	errStream := outStream
-	sysErrStream := errStream
-	if mux {
-		sysErrStream = stdcopy.NewStdWriter(outStream, stdcopy.Systemerr)
-		errStream = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
-		outStream = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
-	}
-
-	for {
-		msg, ok := <-msgs
-		if !ok {
-			return
-		}
-		// check if the message contains an error. if so, write that error
-		// and exit
-		if msg.Err != nil {
-			fmt.Fprintf(sysErrStream, "Error grabbing logs: %v\n", msg.Err)
-			continue
-		}
-		logLine := msg.Line
-		if config.Details {
-			logLine = append(attrsByteSlice(msg.Attrs), ' ')
-			logLine = append(logLine, msg.Line...)
-		}
-		if config.Timestamps {
-			logLine = append([]byte(msg.Timestamp.Format(jsonmessage.RFC3339NanoFixed)+" "), logLine...)
-		}
-		if msg.Source == "stdout" && config.ShowStdout {
-			_, _ = outStream.Write(logLine)
-		}
-		if msg.Source == "stderr" && config.ShowStderr {
-			_, _ = errStream.Write(logLine)
-		}
-	}
-}
-
-type byKey []backend.LogAttr
-
-func (b byKey) Len() int           { return len(b) }
-func (b byKey) Less(i, j int) bool { return b[i].Key < b[j].Key }
-func (b byKey) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
-
-func attrsByteSlice(a []backend.LogAttr) []byte {
-	// Note this sorts "a" in-place. That is fine here - nothing else is
-	// going to use Attrs or care about the order.
-	sort.Sort(byKey(a))
-
-	var ret []byte
-	for i, pair := range a {
-		k, v := url.QueryEscape(pair.Key), url.QueryEscape(pair.Value)
-		ret = append(ret, []byte(k)...)
-		ret = append(ret, '=')
-		ret = append(ret, []byte(v)...)
-		if i != len(a)-1 {
-			ret = append(ret, ',')
-		}
-	}
-	return ret
-}
--- a/api/server/middleware/debug.go
+++ b/api/server/middleware/debug.go
@@ -1,116 +0,0 @@
-package middleware
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"io"
-	"net/http"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httpstatus"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/sirupsen/logrus"
-)
-
-// DebugRequestMiddleware dumps the request to logger
-func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		logger := log.G(ctx)
-
-		// Use a variable for fields to prevent overhead of repeatedly
-		// calling WithFields.
-		fields := log.Fields{
-			"module":      "api",
-			"method":      r.Method,
-			"request-url": r.RequestURI,
-			"vars":        vars,
-		}
-		handleWithLogs := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-			logger.WithFields(fields).Debugf("handling %s request", r.Method)
-			err := handler(ctx, w, r, vars)
-			if err != nil {
-				// TODO(thaJeztah): unify this with Server.makeHTTPHandler, which also logs internal server errors as error-log. See https://github.com/moby/moby/pull/48740#discussion_r1816675574
-				fields["error-response"] = err
-				fields["status"] = httpstatus.FromError(err)
-				logger.WithFields(fields).Debugf("error response for %s request", r.Method)
-			}
-			return err
-		}
-
-		if r.Method != http.MethodPost {
-			return handleWithLogs(ctx, w, r, vars)
-		}
-		if err := httputils.CheckForJSON(r); err != nil {
-			return handleWithLogs(ctx, w, r, vars)
-		}
-		maxBodySize := 4096 // 4KB
-		if r.ContentLength > int64(maxBodySize) {
-			return handleWithLogs(ctx, w, r, vars)
-		}
-
-		body := r.Body
-		bufReader := bufio.NewReaderSize(body, maxBodySize)
-		r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
-
-		b, err := bufReader.Peek(maxBodySize)
-		if err != io.EOF {
-			// either there was an error reading, or the buffer is full (in which case the request is too large)
-			return handleWithLogs(ctx, w, r, vars)
-		}
-
-		var postForm map[string]interface{}
-		if err := json.Unmarshal(b, &postForm); err == nil {
-			maskSecretKeys(postForm)
-			// TODO(thaJeztah): is there a better way to detect if we're using JSON-formatted logs?
-			if _, ok := logger.Logger.Formatter.(*logrus.JSONFormatter); ok {
-				fields["form-data"] = postForm
-			} else {
-				if data, err := json.Marshal(postForm); err != nil {
-					fields["form-data"] = postForm
-				} else {
-					fields["form-data"] = string(data)
-				}
-			}
-		}
-
-		return handleWithLogs(ctx, w, r, vars)
-	}
-}
-
-func maskSecretKeys(inp interface{}) {
-	if arr, ok := inp.([]interface{}); ok {
-		for _, f := range arr {
-			maskSecretKeys(f)
-		}
-		return
-	}
-
-	if form, ok := inp.(map[string]interface{}); ok {
-		scrub := []string{
-			// Note: The Data field contains the base64-encoded secret in 'secret'
-			// and 'config' create and update requests. Currently, no other POST
-			// API endpoints use a data field, so we scrub this field unconditionally.
-			// Change this handling to be conditional if a new endpoint is added
-			// in future where this field should not be scrubbed.
-			"data",
-			"jointoken",
-			"password",
-			"secret",
-			"signingcakey",
-			"unlockkey",
-		}
-	loop0:
-		for k, v := range form {
-			for _, m := range scrub {
-				if strings.EqualFold(m, k) {
-					form[k] = "*****"
-					continue loop0
-				}
-			}
-			maskSecretKeys(v)
-		}
-	}
-}
--- a/api/server/middleware/debug_test.go
+++ b/api/server/middleware/debug_test.go
@@ -1,75 +0,0 @@
-package middleware
-
-import (
-	"testing"
-
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-)
-
-func TestMaskSecretKeys(t *testing.T) {
-	tests := []struct {
-		doc      string
-		input    map[string]interface{}
-		expected map[string]interface{}
-	}{
-		{
-			doc:      "secret/config create and update requests",
-			input:    map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
-			expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
-		},
-		{
-			doc: "masking other fields (recursively)",
-			input: map[string]interface{}{
-				"password":     "pass",
-				"secret":       "secret",
-				"jointoken":    "jointoken",
-				"unlockkey":    "unlockkey",
-				"signingcakey": "signingcakey",
-				"other": map[string]interface{}{
-					"password":     "pass",
-					"secret":       "secret",
-					"jointoken":    "jointoken",
-					"unlockkey":    "unlockkey",
-					"signingcakey": "signingcakey",
-				},
-			},
-			expected: map[string]interface{}{
-				"password":     "*****",
-				"secret":       "*****",
-				"jointoken":    "*****",
-				"unlockkey":    "*****",
-				"signingcakey": "*****",
-				"other": map[string]interface{}{
-					"password":     "*****",
-					"secret":       "*****",
-					"jointoken":    "*****",
-					"unlockkey":    "*****",
-					"signingcakey": "*****",
-				},
-			},
-		},
-		{
-			doc: "case insensitive field matching",
-			input: map[string]interface{}{
-				"PASSWORD": "pass",
-				"other": map[string]interface{}{
-					"PASSWORD": "pass",
-				},
-			},
-			expected: map[string]interface{}{
-				"PASSWORD": "*****",
-				"other": map[string]interface{}{
-					"PASSWORD": "*****",
-				},
-			},
-		},
-	}
-
-	for _, testcase := range tests {
-		t.Run(testcase.doc, func(t *testing.T) {
-			maskSecretKeys(testcase.input)
-			assert.Check(t, is.DeepEqual(testcase.expected, testcase.input))
-		})
-	}
-}
--- a/api/server/middleware/version.go
+++ b/api/server/middleware/version.go
@@ -1,86 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"runtime"
-
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/versions"
-)
-
-// VersionMiddleware is a middleware that
-// validates the client and server versions.
-type VersionMiddleware struct {
-	serverVersion string
-
-	// defaultAPIVersion is the default API version provided by the API server,
-	// specified as "major.minor". It is usually configured to the latest API
-	// version [github.com/docker/docker/api.DefaultVersion].
-	//
-	// API requests for API versions greater than this version are rejected by
-	// the server and produce a [versionUnsupportedError].
-	defaultAPIVersion string
-
-	// minAPIVersion is the minimum API version provided by the API server,
-	// specified as "major.minor".
-	//
-	// API requests for API versions lower than this version are rejected by
-	// the server and produce a [versionUnsupportedError].
-	minAPIVersion string
-}
-
-// NewVersionMiddleware creates a VersionMiddleware with the given versions.
-func NewVersionMiddleware(serverVersion, defaultAPIVersion, minAPIVersion string) (*VersionMiddleware, error) {
-	if versions.LessThan(defaultAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(defaultAPIVersion, api.DefaultVersion) {
-		return nil, fmt.Errorf("invalid default API version (%s): must be between %s and %s", defaultAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
-	}
-	if versions.LessThan(minAPIVersion, api.MinSupportedAPIVersion) || versions.GreaterThan(minAPIVersion, api.DefaultVersion) {
-		return nil, fmt.Errorf("invalid minimum API version (%s): must be between %s and %s", minAPIVersion, api.MinSupportedAPIVersion, api.DefaultVersion)
-	}
-	if versions.GreaterThan(minAPIVersion, defaultAPIVersion) {
-		return nil, fmt.Errorf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", minAPIVersion, defaultAPIVersion)
-	}
-	return &VersionMiddleware{
-		serverVersion:     serverVersion,
-		defaultAPIVersion: defaultAPIVersion,
-		minAPIVersion:     minAPIVersion,
-	}, nil
-}
-
-type versionUnsupportedError struct {
-	version, minVersion, maxVersion string
-}
-
-func (e versionUnsupportedError) Error() string {
-	if e.minVersion != "" {
-		return fmt.Sprintf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version", e.version, e.minVersion)
-	}
-	return fmt.Sprintf("client version %s is too new. Maximum supported API version is %s", e.version, e.maxVersion)
-}
-
-func (e versionUnsupportedError) InvalidParameter() {}
-
-// WrapHandler returns a new handler function wrapping the previous one in the request chain.
-func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
-		w.Header().Set("Api-Version", v.defaultAPIVersion)
-		w.Header().Set("Ostype", runtime.GOOS)
-
-		apiVersion := vars["version"]
-		if apiVersion == "" {
-			apiVersion = v.defaultAPIVersion
-		}
-		if versions.LessThan(apiVersion, v.minAPIVersion) {
-			return versionUnsupportedError{version: apiVersion, minVersion: v.minAPIVersion}
-		}
-		if versions.GreaterThan(apiVersion, v.defaultAPIVersion) {
-			return versionUnsupportedError{version: apiVersion, maxVersion: v.defaultAPIVersion}
-		}
-		ctx = context.WithValue(ctx, httputils.APIVersionKey{}, apiVersion)
-		return handler(ctx, w, r, vars)
-	}
-}
--- a/api/server/middleware/version_test.go
+++ b/api/server/middleware/version_test.go
@@ -1,145 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"runtime"
-	"testing"
-
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/server/httputils"
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-)
-
-func TestNewVersionMiddlewareValidation(t *testing.T) {
-	tests := []struct {
-		doc, defaultVersion, minVersion, expectedErr string
-	}{
-		{
-			doc:            "defaults",
-			defaultVersion: api.DefaultVersion,
-			minVersion:     api.MinSupportedAPIVersion,
-		},
-		{
-			doc:            "invalid default lower than min",
-			defaultVersion: api.MinSupportedAPIVersion,
-			minVersion:     api.DefaultVersion,
-			expectedErr:    fmt.Sprintf("invalid API version: the minimum API version (%s) is higher than the default version (%s)", api.DefaultVersion, api.MinSupportedAPIVersion),
-		},
-		{
-			doc:            "invalid default too low",
-			defaultVersion: "0.1",
-			minVersion:     api.MinSupportedAPIVersion,
-			expectedErr:    fmt.Sprintf("invalid default API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid default too high",
-			defaultVersion: "9999.9999",
-			minVersion:     api.DefaultVersion,
-			expectedErr:    fmt.Sprintf("invalid default API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid minimum too low",
-			defaultVersion: api.MinSupportedAPIVersion,
-			minVersion:     "0.1",
-			expectedErr:    fmt.Sprintf("invalid minimum API version (0.1): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-		{
-			doc:            "invalid minimum too high",
-			defaultVersion: api.DefaultVersion,
-			minVersion:     "9999.9999",
-			expectedErr:    fmt.Sprintf("invalid minimum API version (9999.9999): must be between %s and %s", api.MinSupportedAPIVersion, api.DefaultVersion),
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.doc, func(t *testing.T) {
-			_, err := NewVersionMiddleware("1.2.3", tc.defaultVersion, tc.minVersion)
-			if tc.expectedErr == "" {
-				assert.Check(t, err)
-			} else {
-				assert.Check(t, is.Error(err, tc.expectedErr))
-			}
-		})
-	}
-}
-
-func TestVersionMiddlewareVersion(t *testing.T) {
-	expectedVersion := "<not set>"
-	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, is.Equal(expectedVersion, v))
-		return nil
-	}
-
-	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
-	assert.NilError(t, err)
-	h := m.WrapHandler(handler)
-
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
-	resp := httptest.NewRecorder()
-	ctx := context.Background()
-
-	tests := []struct {
-		reqVersion      string
-		expectedVersion string
-		errString       string
-	}{
-		{
-			expectedVersion: api.DefaultVersion,
-		},
-		{
-			reqVersion:      api.MinSupportedAPIVersion,
-			expectedVersion: api.MinSupportedAPIVersion,
-		},
-		{
-			reqVersion: "0.1",
-			errString:  fmt.Sprintf("client version 0.1 is too old. Minimum supported API version is %s, please upgrade your client to a newer version", api.MinSupportedAPIVersion),
-		},
-		{
-			reqVersion: "9999.9999",
-			errString:  fmt.Sprintf("client version 9999.9999 is too new. Maximum supported API version is %s", api.DefaultVersion),
-		},
-	}
-
-	for _, test := range tests {
-		expectedVersion = test.expectedVersion
-
-		err := h(ctx, resp, req, map[string]string{"version": test.reqVersion})
-
-		if test.errString != "" {
-			assert.Check(t, is.Error(err, test.errString))
-		} else {
-			assert.Check(t, err)
-		}
-	}
-}
-
-func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
-	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		v := httputils.VersionFromContext(ctx)
-		assert.Check(t, v != "")
-		return nil
-	}
-
-	m, err := NewVersionMiddleware("1.2.3", api.DefaultVersion, api.MinSupportedAPIVersion)
-	assert.NilError(t, err)
-	h := m.WrapHandler(handler)
-
-	req, _ := http.NewRequest(http.MethodGet, "/containers/json", http.NoBody)
-	resp := httptest.NewRecorder()
-	ctx := context.Background()
-
-	vars := map[string]string{"version": "0.1"}
-	err = h(ctx, resp, req, vars)
-	assert.Check(t, is.ErrorContains(err, ""))
-
-	hdr := resp.Result().Header
-	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/1.2.3"))
-	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
-	assert.Check(t, is.Equal(hdr.Get("Api-Version"), api.DefaultVersion))
-	assert.Check(t, is.Equal(hdr.Get("Ostype"), runtime.GOOS))
-}
--- a/api/server/router/build/backend.go
+++ b/api/server/router/build/backend.go
@@ -1,23 +0,0 @@
-package build
-
-import (
-	"context"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/build"
-)
-
-// Backend abstracts an image builder whose only purpose is to build an image referenced by an imageID.
-type Backend interface {
-	// Build a Docker image returning the id of the image
-	// TODO: make this return a reference instead of string
-	Build(context.Context, backend.BuildConfig) (string, error)
-
-	// PruneCache prunes the build cache.
-	PruneCache(context.Context, build.CachePruneOptions) (*build.CachePruneReport, error)
-	Cancel(context.Context, string) error
-}
-
-type experimentalProvider interface {
-	HasExperimental() bool
-}
--- a/api/server/router/build/build.go
+++ b/api/server/router/build/build.go
@@ -1,67 +0,0 @@
-package build
-
-import (
-	"runtime"
-
-	"github.com/docker/docker/api/server/router"
-	"github.com/docker/docker/api/types/build"
-)
-
-// buildRouter is a router to talk with the build controller
-type buildRouter struct {
-	backend Backend
-	daemon  experimentalProvider
-	routes  []router.Route
-}
-
-// NewRouter initializes a new build router
-func NewRouter(b Backend, d experimentalProvider) router.Router {
-	r := &buildRouter{
-		backend: b,
-		daemon:  d,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routers to the build controller
-func (br *buildRouter) Routes() []router.Route {
-	return br.routes
-}
-
-func (br *buildRouter) initRoutes() {
-	br.routes = []router.Route{
-		router.NewPostRoute("/build", br.postBuild),
-		router.NewPostRoute("/build/prune", br.postPrune),
-		router.NewPostRoute("/build/cancel", br.postCancel),
-	}
-}
-
-// BuilderVersion derives the default docker builder version from the config.
-//
-// The default on Linux is version "2" (BuildKit), but the daemon can be
-// configured to recommend version "1" (classic Builder). Windows does not
-// yet support BuildKit for native Windows images, and uses "1" (classic builder)
-// as a default.
-//
-// This value is only a recommendation as advertised by the daemon, and it is
-// up to the client to choose which builder to use.
-func BuilderVersion(features map[string]bool) build.BuilderVersion {
-	// TODO(thaJeztah) move the default to daemon/config
-	bv := build.BuilderBuildKit
-	if runtime.GOOS == "windows" {
-		// BuildKit is not yet the default on Windows.
-		bv = build.BuilderV1
-	}
-
-	// Allow the features field in the daemon config to override the
-	// default builder to advertise.
-	if enable, ok := features["buildkit"]; ok {
-		if enable {
-			bv = build.BuilderBuildKit
-		} else {
-			bv = build.BuilderV1
-		}
-	}
-	return bv
-}
--- a/api/server/router/checkpoint/backend.go
+++ b/api/server/router/checkpoint/backend.go
@@ -1,10 +0,0 @@
-package checkpoint
-
-import "github.com/docker/docker/api/types/checkpoint"
-
-// Backend for Checkpoint
-type Backend interface {
-	CheckpointCreate(container string, config checkpoint.CreateOptions) error
-	CheckpointDelete(container string, config checkpoint.DeleteOptions) error
-	CheckpointList(container string, config checkpoint.ListOptions) ([]checkpoint.Summary, error)
-}
--- a/api/server/router/checkpoint/checkpoint.go
+++ b/api/server/router/checkpoint/checkpoint.go
@@ -1,36 +0,0 @@
-package checkpoint
-
-import (
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/router"
-)
-
-// checkpointRouter is a router to talk with the checkpoint controller
-type checkpointRouter struct {
-	backend Backend
-	decoder httputils.ContainerDecoder
-	routes  []router.Route
-}
-
-// NewRouter initializes a new checkpoint router
-func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
-	r := &checkpointRouter{
-		backend: b,
-		decoder: decoder,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routers to the checkpoint controller
-func (cr *checkpointRouter) Routes() []router.Route {
-	return cr.routes
-}
-
-func (cr *checkpointRouter) initRoutes() {
-	cr.routes = []router.Route{
-		router.NewGetRoute("/containers/{name:.*}/checkpoints", cr.getContainerCheckpoints, router.Experimental),
-		router.NewPostRoute("/containers/{name:.*}/checkpoints", cr.postContainerCheckpoint, router.Experimental),
-		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", cr.deleteContainerCheckpoint, router.Experimental),
-	}
-}
--- a/api/server/router/checkpoint/checkpoint_routes.go
+++ b/api/server/router/checkpoint/checkpoint_routes.go
@@ -1,60 +0,0 @@
-package checkpoint
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/checkpoint"
-)
-
-func (cr *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var options checkpoint.CreateOptions
-	if err := httputils.ReadJSON(r, &options); err != nil {
-		return err
-	}
-
-	err := cr.backend.CheckpointCreate(vars["name"], options)
-	if err != nil {
-		return err
-	}
-
-	w.WriteHeader(http.StatusCreated)
-	return nil
-}
-
-func (cr *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	checkpoints, err := cr.backend.CheckpointList(vars["name"], checkpoint.ListOptions{
-		CheckpointDir: r.Form.Get("dir"),
-	})
-	if err != nil {
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
-}
-
-func (cr *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	err := cr.backend.CheckpointDelete(vars["name"], checkpoint.DeleteOptions{
-		CheckpointDir: r.Form.Get("dir"),
-		CheckpointID:  vars["checkpoint"],
-	})
-	if err != nil {
-		return err
-	}
-
-	w.WriteHeader(http.StatusNoContent)
-	return nil
-}
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -1,79 +0,0 @@
-package container
-
-import (
-	"context"
-	"io"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/moby/go-archive"
-)
-
-// execBackend includes functions to implement to provide exec functionality.
-type execBackend interface {
-	ContainerExecCreate(name string, options *container.ExecOptions) (string, error)
-	ContainerExecInspect(id string) (*backend.ExecInspect, error)
-	ContainerExecResize(ctx context.Context, name string, height, width uint32) error
-	ContainerExecStart(ctx context.Context, name string, options backend.ExecStartConfig) error
-	ExecExists(name string) (bool, error)
-}
-
-// copyBackend includes functions to implement to provide container copy functionality.
-type copyBackend interface {
-	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *container.PathStat, err error)
-	ContainerExport(ctx context.Context, name string, out io.Writer) error
-	ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error
-	ContainerStatPath(name string, path string) (stat *container.PathStat, err error)
-}
-
-// stateBackend includes functions to implement to provide container state lifecycle functionality.
-type stateBackend interface {
-	ContainerCreate(ctx context.Context, config backend.ContainerCreateConfig) (container.CreateResponse, error)
-	ContainerKill(name string, signal string) error
-	ContainerPause(name string) error
-	ContainerRename(oldName, newName string) error
-	ContainerResize(ctx context.Context, name string, height, width uint32) error
-	ContainerRestart(ctx context.Context, name string, options container.StopOptions) error
-	ContainerRm(name string, config *backend.ContainerRmConfig) error
-	ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error
-	ContainerStop(ctx context.Context, name string, options container.StopOptions) error
-	ContainerUnpause(name string) error
-	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.UpdateResponse, error)
-	ContainerWait(ctx context.Context, name string, condition container.WaitCondition) (<-chan container.StateStatus, error)
-}
-
-// monitorBackend includes functions to implement to provide containers monitoring functionality.
-type monitorBackend interface {
-	ContainerChanges(ctx context.Context, name string) ([]archive.Change, error)
-	ContainerInspect(ctx context.Context, name string, options backend.ContainerInspectOptions) (*container.InspectResponse, error)
-	ContainerLogs(ctx context.Context, name string, config *container.LogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
-	ContainerStats(ctx context.Context, name string, config *backend.ContainerStatsConfig) error
-	ContainerTop(name string, psArgs string) (*container.TopResponse, error)
-	Containers(ctx context.Context, config *container.ListOptions) ([]*container.Summary, error)
-}
-
-// attachBackend includes function to implement to provide container attaching functionality.
-type attachBackend interface {
-	ContainerAttach(name string, c *backend.ContainerAttachConfig) error
-}
-
-// systemBackend includes functions to implement to provide system wide containers functionality
-type systemBackend interface {
-	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*container.PruneReport, error)
-}
-
-type commitBackend interface {
-	CreateImageFromContainer(ctx context.Context, name string, config *backend.CreateImageConfig) (imageID string, err error)
-}
-
-// Backend is all the methods that need to be implemented to provide container specific functionality.
-type Backend interface {
-	commitBackend
-	execBackend
-	copyBackend
-	stateBackend
-	monitorBackend
-	attachBackend
-	systemBackend
-}
--- a/api/server/router/container/container.go
+++ b/api/server/router/container/container.go
@@ -1,71 +0,0 @@
-package container
-
-import (
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/router"
-)
-
-// containerRouter is a router to talk with the container controller
-type containerRouter struct {
-	backend Backend
-	decoder httputils.ContainerDecoder
-	routes  []router.Route
-	cgroup2 bool
-}
-
-// NewRouter initializes a new container router
-func NewRouter(b Backend, decoder httputils.ContainerDecoder, cgroup2 bool) router.Router {
-	r := &containerRouter{
-		backend: b,
-		decoder: decoder,
-		cgroup2: cgroup2,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routes to the container controller
-func (c *containerRouter) Routes() []router.Route {
-	return c.routes
-}
-
-// initRoutes initializes the routes in container router
-func (c *containerRouter) initRoutes() {
-	c.routes = []router.Route{
-		// HEAD
-		router.NewHeadRoute("/containers/{name:.*}/archive", c.headContainersArchive),
-		// GET
-		router.NewGetRoute("/containers/json", c.getContainersJSON),
-		router.NewGetRoute("/containers/{name:.*}/export", c.getContainersExport),
-		router.NewGetRoute("/containers/{name:.*}/changes", c.getContainersChanges),
-		router.NewGetRoute("/containers/{name:.*}/json", c.getContainersByName),
-		router.NewGetRoute("/containers/{name:.*}/top", c.getContainersTop),
-		router.NewGetRoute("/containers/{name:.*}/logs", c.getContainersLogs),
-		router.NewGetRoute("/containers/{name:.*}/stats", c.getContainersStats),
-		router.NewGetRoute("/containers/{name:.*}/attach/ws", c.wsContainersAttach),
-		router.NewGetRoute("/exec/{id:.*}/json", c.getExecByID),
-		router.NewGetRoute("/containers/{name:.*}/archive", c.getContainersArchive),
-		// POST
-		router.NewPostRoute("/containers/create", c.postContainersCreate),
-		router.NewPostRoute("/containers/{name:.*}/kill", c.postContainersKill),
-		router.NewPostRoute("/containers/{name:.*}/pause", c.postContainersPause),
-		router.NewPostRoute("/containers/{name:.*}/unpause", c.postContainersUnpause),
-		router.NewPostRoute("/containers/{name:.*}/restart", c.postContainersRestart),
-		router.NewPostRoute("/containers/{name:.*}/start", c.postContainersStart),
-		router.NewPostRoute("/containers/{name:.*}/stop", c.postContainersStop),
-		router.NewPostRoute("/containers/{name:.*}/wait", c.postContainersWait),
-		router.NewPostRoute("/containers/{name:.*}/resize", c.postContainersResize),
-		router.NewPostRoute("/containers/{name:.*}/attach", c.postContainersAttach),
-		router.NewPostRoute("/containers/{name:.*}/exec", c.postContainerExecCreate),
-		router.NewPostRoute("/exec/{name:.*}/start", c.postContainerExecStart),
-		router.NewPostRoute("/exec/{name:.*}/resize", c.postContainerExecResize),
-		router.NewPostRoute("/containers/{name:.*}/rename", c.postContainerRename),
-		router.NewPostRoute("/containers/{name:.*}/update", c.postContainerUpdate),
-		router.NewPostRoute("/containers/prune", c.postContainersPrune),
-		router.NewPostRoute("/commit", c.postCommit),
-		// PUT
-		router.NewPutRoute("/containers/{name:.*}/archive", c.putContainersArchive),
-		// DELETE
-		router.NewDeleteRoute("/containers/{name:.*}", c.deleteContainers),
-	}
-}
--- a/api/server/router/container/copy.go
+++ b/api/server/router/container/copy.go
@@ -1,99 +0,0 @@
-package container
-
-import (
-	"compress/flate"
-	"compress/gzip"
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"io"
-	"net/http"
-
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/container"
-	gddohttputil "github.com/golang/gddo/httputil"
-)
-
-// setContainerPathStatHeader encodes the stat to JSON, base64 encode, and place in a header.
-func setContainerPathStatHeader(stat *container.PathStat, header http.Header) error {
-	statJSON, err := json.Marshal(stat)
-	if err != nil {
-		return err
-	}
-
-	header.Set(
-		"X-Docker-Container-Path-Stat",
-		base64.StdEncoding.EncodeToString(statJSON),
-	)
-
-	return nil
-}
-
-func (c *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	v, err := httputils.ArchiveFormValues(r, vars)
-	if err != nil {
-		return err
-	}
-
-	stat, err := c.backend.ContainerStatPath(v.Name, v.Path)
-	if err != nil {
-		return err
-	}
-
-	return setContainerPathStatHeader(stat, w.Header())
-}
-
-func writeCompressedResponse(w http.ResponseWriter, r *http.Request, body io.Reader) error {
-	var cw io.Writer
-	switch gddohttputil.NegotiateContentEncoding(r, []string{"gzip", "deflate"}) {
-	case "gzip":
-		gw := gzip.NewWriter(w)
-		defer gw.Close()
-		cw = gw
-		w.Header().Set("Content-Encoding", "gzip")
-	case "deflate":
-		fw, err := flate.NewWriter(w, flate.DefaultCompression)
-		if err != nil {
-			return err
-		}
-		defer fw.Close()
-		cw = fw
-		w.Header().Set("Content-Encoding", "deflate")
-	default:
-		cw = w
-	}
-	_, err := io.Copy(cw, body)
-	return err
-}
-
-func (c *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	v, err := httputils.ArchiveFormValues(r, vars)
-	if err != nil {
-		return err
-	}
-
-	tarArchive, stat, err := c.backend.ContainerArchivePath(v.Name, v.Path)
-	if err != nil {
-		return err
-	}
-	defer tarArchive.Close()
-
-	if err := setContainerPathStatHeader(stat, w.Header()); err != nil {
-		return err
-	}
-
-	w.Header().Set("Content-Type", "application/x-tar")
-	return writeCompressedResponse(w, r, tarArchive)
-}
-
-func (c *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	v, err := httputils.ArchiveFormValues(r, vars)
-	if err != nil {
-		return err
-	}
-
-	noOverwriteDirNonDir := httputils.BoolValue(r, "noOverwriteDirNonDir")
-	copyUIDGID := httputils.BoolValue(r, "copyUIDGID")
-
-	return c.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
-}
--- a/api/server/router/container/exec.go
+++ b/api/server/router/container/exec.go
@@ -1,171 +0,0 @@
-package container
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/pkg/errors"
-)
-
-func (c *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	eConfig, err := c.backend.ContainerExecInspect(vars["id"])
-	if err != nil {
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, eConfig)
-}
-
-type execCommandError struct{}
-
-func (execCommandError) Error() string {
-	return "No exec command specified"
-}
-
-func (execCommandError) InvalidParameter() {}
-
-func (c *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	execConfig := &container.ExecOptions{}
-	if err := httputils.ReadJSON(r, execConfig); err != nil {
-		return err
-	}
-
-	if len(execConfig.Cmd) == 0 {
-		return execCommandError{}
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.42") {
-		// Not supported by API versions before 1.42
-		execConfig.ConsoleSize = nil
-	}
-
-	// Register an instance of Exec in container.
-	id, err := c.backend.ContainerExecCreate(vars["name"], execConfig)
-	if err != nil {
-		log.G(ctx).Errorf("Error setting up exec command in container %s: %v", vars["name"], err)
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusCreated, &container.ExecCreateResponse{
-		ID: id,
-	})
-}
-
-// TODO(vishh): Refactor the code to avoid having to specify stream config as part of both create and start.
-func (c *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var (
-		execName                  = vars["name"]
-		stdin, inStream           io.ReadCloser
-		stdout, stderr, outStream io.Writer
-	)
-
-	options := &container.ExecStartOptions{}
-	if err := httputils.ReadJSON(r, options); err != nil {
-		return err
-	}
-
-	if exists, err := c.backend.ExecExists(execName); !exists {
-		return err
-	}
-
-	if options.ConsoleSize != nil {
-		version := httputils.VersionFromContext(ctx)
-
-		// Not supported before 1.42
-		if versions.LessThan(version, "1.42") {
-			options.ConsoleSize = nil
-		}
-
-		// No console without tty
-		if !options.Tty {
-			options.ConsoleSize = nil
-		}
-	}
-
-	if !options.Detach {
-		var err error
-		// Setting up the streaming http interface.
-		inStream, outStream, err = httputils.HijackConnection(w)
-		if err != nil {
-			return err
-		}
-		defer httputils.CloseStreams(inStream, outStream)
-
-		if _, ok := r.Header["Upgrade"]; ok {
-			contentType := types.MediaTypeRawStream
-			if !options.Tty && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.42") {
-				contentType = types.MediaTypeMultiplexedStream
-			}
-			_, _ = fmt.Fprint(outStream, "HTTP/1.1 101 UPGRADED\r\nContent-Type: "+contentType+"\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n")
-		} else {
-			_, _ = fmt.Fprint(outStream, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n")
-		}
-
-		// copy headers that were removed as part of hijack
-		if err := w.Header().WriteSubset(outStream, nil); err != nil {
-			return err
-		}
-		_, _ = fmt.Fprint(outStream, "\r\n")
-
-		stdin = inStream
-		if options.Tty {
-			stdout = outStream
-		} else {
-			stderr = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
-			stdout = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
-		}
-	}
-
-	// Now run the user process in container.
-	//
-	// TODO: Maybe we should we pass ctx here if we're not detaching?
-	err := c.backend.ContainerExecStart(context.Background(), execName, backend.ExecStartConfig{
-		Stdin:       stdin,
-		Stdout:      stdout,
-		Stderr:      stderr,
-		ConsoleSize: options.ConsoleSize,
-	})
-	if err != nil {
-		if options.Detach {
-			return err
-		}
-		_, _ = fmt.Fprintf(stdout, "%v\r\n", err)
-		log.G(ctx).Errorf("Error running exec %s in container: %v", execName, err)
-	}
-	return nil
-}
-
-func (c *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-	height, err := httputils.Uint32Value(r, "h")
-	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize height %q", r.Form.Get("h")))
-	}
-	width, err := httputils.Uint32Value(r, "w")
-	if err != nil {
-		return errdefs.InvalidParameter(errors.Wrapf(err, "invalid resize width %q", r.Form.Get("w")))
-	}
-
-	return c.backend.ContainerExecResize(ctx, vars["name"], height, width)
-}
--- a/api/server/router/container/inspect.go
+++ b/api/server/router/container/inspect.go
@@ -1,41 +0,0 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package container
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/internal/sliceutil"
-	"github.com/docker/docker/pkg/stringid"
-)
-
-// getContainersByName inspects container's configuration and serializes it as json.
-func (c *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	ctr, err := c.backend.ContainerInspect(ctx, vars["name"], backend.ContainerInspectOptions{
-		Size: httputils.BoolValue(r, "size"),
-	})
-	if err != nil {
-		return err
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.45") {
-		shortCID := stringid.TruncateID(ctr.ID)
-		for nwName, ep := range ctr.NetworkSettings.Networks {
-			if container.NetworkMode(nwName).IsUserDefined() {
-				ep.Aliases = sliceutil.Dedup(append(ep.Aliases, shortCID, ctr.Config.Hostname))
-			}
-		}
-	}
-	if versions.LessThan(version, "1.48") {
-		ctr.ImageManifestDescriptor = nil
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, ctr)
-}
--- a/api/server/router/debug/debug.go
+++ b/api/server/router/debug/debug.go
@@ -1,53 +0,0 @@
-package debug
-
-import (
-	"context"
-	"expvar"
-	"net/http"
-	"net/http/pprof"
-
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/server/router"
-)
-
-// NewRouter creates a new debug router
-// The debug router holds endpoints for debug the daemon, such as those for pprof.
-func NewRouter() router.Router {
-	r := &debugRouter{}
-	r.initRoutes()
-	return r
-}
-
-type debugRouter struct {
-	routes []router.Route
-}
-
-func (r *debugRouter) initRoutes() {
-	r.routes = []router.Route{
-		router.NewGetRoute("/debug/vars", frameworkAdaptHandler(expvar.Handler())),
-		router.NewGetRoute("/debug/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
-		router.NewGetRoute("/debug/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
-		router.NewGetRoute("/debug/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
-		router.NewGetRoute("/debug/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
-		router.NewGetRoute("/debug/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
-		router.NewGetRoute("/debug/pprof/{name}", handlePprof),
-	}
-}
-
-func (r *debugRouter) Routes() []router.Route {
-	return r.routes
-}
-
-func frameworkAdaptHandler(handler http.Handler) httputils.APIFunc {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		handler.ServeHTTP(w, r)
-		return nil
-	}
-}
-
-func frameworkAdaptHandlerFunc(handler http.HandlerFunc) httputils.APIFunc {
-	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-		handler(w, r)
-		return nil
-	}
-}
--- a/api/server/router/distribution/backend.go
+++ b/api/server/router/distribution/backend.go
@@ -1,15 +0,0 @@
-package distribution
-
-import (
-	"context"
-
-	"github.com/distribution/reference"
-	"github.com/docker/distribution"
-	"github.com/docker/docker/api/types/registry"
-)
-
-// Backend is all the methods that need to be implemented
-// to provide image specific functionality.
-type Backend interface {
-	GetRepositories(context.Context, reference.Named, *registry.AuthConfig) ([]distribution.Repository, error)
-}
--- a/api/server/router/image/backend.go
+++ b/api/server/router/image/backend.go
@@ -1,47 +0,0 @@
-package image
-
-import (
-	"context"
-	"io"
-
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/registry"
-	dockerimage "github.com/docker/docker/image"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// Backend is all the methods that need to be implemented
-// to provide image specific functionality.
-type Backend interface {
-	imageBackend
-	importExportBackend
-	registryBackend
-}
-
-type imageBackend interface {
-	ImageDelete(ctx context.Context, imageRef string, options image.RemoveOptions) ([]image.DeleteResponse, error)
-	ImageHistory(ctx context.Context, imageName string, platform *ocispec.Platform) ([]*image.HistoryResponseItem, error)
-	Images(ctx context.Context, opts image.ListOptions) ([]*image.Summary, error)
-	GetImage(ctx context.Context, refOrID string, options backend.GetImageOpts) (*dockerimage.Image, error)
-	ImageInspect(ctx context.Context, refOrID string, options backend.ImageInspectOpts) (*image.InspectResponse, error)
-	TagImage(ctx context.Context, id dockerimage.ID, newRef reference.Named) error
-	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*image.PruneReport, error)
-}
-
-type importExportBackend interface {
-	LoadImage(ctx context.Context, inTar io.ReadCloser, platform *ocispec.Platform, outStream io.Writer, quiet bool) error
-	ImportImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, msg string, layerReader io.Reader, changes []string) (dockerimage.ID, error)
-	ExportImage(ctx context.Context, names []string, platform *ocispec.Platform, outStream io.Writer) error
-}
-
-type registryBackend interface {
-	PullImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error
-	PushImage(ctx context.Context, ref reference.Named, platform *ocispec.Platform, metaHeaders map[string][]string, authConfig *registry.AuthConfig, outStream io.Writer) error
-}
-
-type Searcher interface {
-	Search(ctx context.Context, searchFilters filters.Args, term string, limit int, authConfig *registry.AuthConfig, headers map[string][]string) ([]registry.SearchResult, error)
-}
--- a/api/server/router/image/image.go
+++ b/api/server/router/image/image.go
@@ -1,48 +0,0 @@
-package image
-
-import (
-	"github.com/docker/docker/api/server/router"
-)
-
-// imageRouter is a router to talk with the image controller
-type imageRouter struct {
-	backend  Backend
-	searcher Searcher
-	routes   []router.Route
-}
-
-// NewRouter initializes a new image router
-func NewRouter(backend Backend, searcher Searcher) router.Router {
-	ir := &imageRouter{
-		backend:  backend,
-		searcher: searcher,
-	}
-	ir.initRoutes()
-	return ir
-}
-
-// Routes returns the available routes to the image controller
-func (ir *imageRouter) Routes() []router.Route {
-	return ir.routes
-}
-
-// initRoutes initializes the routes in the image router
-func (ir *imageRouter) initRoutes() {
-	ir.routes = []router.Route{
-		// GET
-		router.NewGetRoute("/images/json", ir.getImagesJSON),
-		router.NewGetRoute("/images/search", ir.getImagesSearch),
-		router.NewGetRoute("/images/get", ir.getImagesGet),
-		router.NewGetRoute("/images/{name:.*}/get", ir.getImagesGet),
-		router.NewGetRoute("/images/{name:.*}/history", ir.getImagesHistory),
-		router.NewGetRoute("/images/{name:.*}/json", ir.getImagesByName),
-		// POST
-		router.NewPostRoute("/images/load", ir.postImagesLoad),
-		router.NewPostRoute("/images/create", ir.postImagesCreate),
-		router.NewPostRoute("/images/{name:.*}/push", ir.postImagesPush),
-		router.NewPostRoute("/images/{name:.*}/tag", ir.postImagesTag),
-		router.NewPostRoute("/images/prune", ir.postImagesPrune),
-		// DELETE
-		router.NewDeleteRoute("/images/{name:.*}", ir.deleteImages),
-	}
-}
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -1,602 +0,0 @@
-package image
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/containerd/platforms"
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/server/httputils"
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/filters"
-	imagetypes "github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/builder/remotecontext"
-	"github.com/docker/docker/dockerversion"
-	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/progress"
-	"github.com/docker/docker/pkg/streamformatter"
-	"github.com/opencontainers/go-digest"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-)
-
-// Creates an image from Pull or from Import
-func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var (
-		img         = r.Form.Get("fromImage")
-		repo        = r.Form.Get("repo")
-		tag         = r.Form.Get("tag")
-		comment     = r.Form.Get("message")
-		progressErr error
-		output      = ioutils.NewWriteFlusher(w)
-		platform    *ocispec.Platform
-	)
-	defer output.Close()
-
-	w.Header().Set("Content-Type", "application/json")
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.GreaterThanOrEqualTo(version, "1.32") {
-		if p := r.FormValue("platform"); p != "" {
-			sp, err := platforms.Parse(p)
-			if err != nil {
-				return errdefs.InvalidParameter(err)
-			}
-			platform = &sp
-		}
-	}
-
-	if img != "" { // pull
-		metaHeaders := map[string][]string{}
-		for k, v := range r.Header {
-			if strings.HasPrefix(k, "X-Meta-") {
-				metaHeaders[k] = v
-			}
-		}
-
-		// Special case: "pull -a" may send an image name with a
-		// trailing :. This is ugly, but let's not break API
-		// compatibility.
-		imgName := strings.TrimSuffix(img, ":")
-
-		ref, err := reference.ParseNormalizedNamed(imgName)
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-
-		// TODO(thaJeztah) this could use a WithTagOrDigest() utility
-		if tag != "" {
-			// The "tag" could actually be a digest.
-			var dgst digest.Digest
-			dgst, err = digest.Parse(tag)
-			if err == nil {
-				ref, err = reference.WithDigest(reference.TrimNamed(ref), dgst)
-			} else {
-				ref, err = reference.WithTag(ref, tag)
-			}
-			if err != nil {
-				return errdefs.InvalidParameter(err)
-			}
-		}
-
-		if err := validateRepoName(ref); err != nil {
-			return errdefs.Forbidden(err)
-		}
-
-		// For a pull it is not an error if no auth was given. Ignore invalid
-		// AuthConfig to increase compatibility with the existing API.
-		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
-		progressErr = ir.backend.PullImage(ctx, ref, platform, metaHeaders, authConfig, output)
-	} else { // import
-		src := r.Form.Get("fromSrc")
-
-		tagRef, err := httputils.RepoTagReference(repo, tag)
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-
-		if comment == "" {
-			comment = "Imported from " + src
-		}
-
-		var layerReader io.ReadCloser
-		defer r.Body.Close()
-		if src == "-" {
-			layerReader = r.Body
-		} else {
-			if len(strings.Split(src, "://")) == 1 {
-				src = "http://" + src
-			}
-			u, err := url.Parse(src)
-			if err != nil {
-				return errdefs.InvalidParameter(err)
-			}
-
-			resp, err := remotecontext.GetWithStatusError(u.String())
-			if err != nil {
-				return err
-			}
-			output.Write(streamformatter.FormatStatus("", "Downloading from %s", u))
-			progressOutput := streamformatter.NewJSONProgressOutput(output, true)
-			layerReader = progress.NewProgressReader(resp.Body, progressOutput, resp.ContentLength, "", "Importing")
-			defer layerReader.Close()
-		}
-
-		var id image.ID
-		id, progressErr = ir.backend.ImportImage(ctx, tagRef, platform, comment, layerReader, r.Form["changes"])
-
-		if progressErr == nil {
-			_, _ = output.Write(streamformatter.FormatStatus("", "%v", id.String()))
-		}
-	}
-	if progressErr != nil {
-		if !output.Flushed() {
-			return progressErr
-		}
-		_, _ = output.Write(streamformatter.FormatError(progressErr))
-	}
-
-	return nil
-}
-
-func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	metaHeaders := map[string][]string{}
-	for k, v := range r.Header {
-		if strings.HasPrefix(k, "X-Meta-") {
-			metaHeaders[k] = v
-		}
-	}
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var authConfig *registry.AuthConfig
-	if authEncoded := r.Header.Get(registry.AuthHeader); authEncoded != "" {
-		// the new format is to handle the authConfig as a header. Ignore invalid
-		// AuthConfig to increase compatibility with the existing API.
-		authConfig, _ = registry.DecodeAuthConfig(authEncoded)
-	} else {
-		// the old format is supported for compatibility if there was no authConfig header
-		var err error
-		authConfig, err = registry.DecodeAuthConfigBody(r.Body)
-		if err != nil {
-			return errors.Wrap(err, "bad parameters and missing X-Registry-Auth")
-		}
-	}
-
-	output := ioutils.NewWriteFlusher(w)
-	defer output.Close()
-
-	w.Header().Set("Content-Type", "application/json")
-
-	img := vars["name"]
-	tag := r.Form.Get("tag")
-
-	var ref reference.Named
-
-	// Tag is empty only in case PushOptions.All is true.
-	if tag != "" {
-		r, err := httputils.RepoTagReference(img, tag)
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-		ref = r
-	} else {
-		r, err := reference.ParseNormalizedNamed(img)
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-		ref = r
-	}
-
-	var platform *ocispec.Platform
-	// Platform is optional, and only supported in API version 1.46 and later.
-	// However the PushOptions struct previously was an alias for the PullOptions struct
-	// which also contained a Platform field.
-	// This means that older clients may be sending a platform field, even
-	// though it wasn't really supported by the server.
-	// Don't break these clients and just ignore the platform field on older APIs.
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.46") {
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-
-	if err := ir.backend.PushImage(ctx, ref, platform, metaHeaders, authConfig, output); err != nil {
-		if !output.Flushed() {
-			return err
-		}
-		_, _ = output.Write(streamformatter.FormatError(err))
-	}
-	return nil
-}
-
-func (ir *imageRouter) getImagesGet(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	w.Header().Set("Content-Type", "application/x-tar")
-
-	output := ioutils.NewWriteFlusher(w)
-	defer output.Close()
-	var names []string
-	if name, ok := vars["name"]; ok {
-		names = []string{name}
-	} else {
-		names = r.Form["names"]
-	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-
-	if err := ir.backend.ExportImage(ctx, names, platform, output); err != nil {
-		if !output.Flushed() {
-			return err
-		}
-		_, _ = output.Write(streamformatter.FormatError(err))
-	}
-	return nil
-}
-
-func (ir *imageRouter) postImagesLoad(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatforms := r.Form["platform"]; len(formPlatforms) > 1 {
-			// TODO(thaJeztah): remove once we support multiple platforms: see https://github.com/moby/moby/issues/48759
-			return errdefs.InvalidParameter(errors.New("multiple platform parameters not supported"))
-		}
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-	quiet := httputils.BoolValueOrDefault(r, "quiet", true)
-
-	w.Header().Set("Content-Type", "application/json")
-
-	output := ioutils.NewWriteFlusher(w)
-	defer output.Close()
-	if err := ir.backend.LoadImage(ctx, r.Body, platform, output, quiet); err != nil {
-		_, _ = output.Write(streamformatter.FormatError(err))
-	}
-	return nil
-}
-
-type missingImageError struct{}
-
-func (missingImageError) Error() string {
-	return "image name cannot be blank"
-}
-
-func (missingImageError) InvalidParameter() {}
-
-func (ir *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	name := vars["name"]
-
-	if strings.TrimSpace(name) == "" {
-		return missingImageError{}
-	}
-
-	force := httputils.BoolValue(r, "force")
-	prune := !httputils.BoolValue(r, "noprune")
-
-	var platforms []ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.50") {
-		p, err := httputils.DecodePlatforms(r.Form["platforms"])
-		if err != nil {
-			return err
-		}
-		platforms = p
-	}
-
-	list, err := ir.backend.ImageDelete(ctx, name, imagetypes.RemoveOptions{
-		Force:         force,
-		PruneChildren: prune,
-		Platforms:     platforms,
-	})
-	if err != nil {
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, list)
-}
-
-func (ir *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var manifests bool
-	if r.Form.Get("manifests") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
-	var platform *ocispec.Platform
-	if r.Form.Get("platform") != "" && versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.49") {
-		p, err := httputils.DecodePlatform(r.Form.Get("platform"))
-		if err != nil {
-			return errdefs.InvalidParameter(err)
-		}
-		platform = p
-	}
-
-	if manifests && platform != nil {
-		return errdefs.InvalidParameter(errors.New("conflicting options: manifests and platform options cannot both be set"))
-	}
-
-	resp, err := ir.backend.ImageInspect(ctx, vars["name"], backend.ImageInspectOpts{
-		Manifests: manifests,
-		Platform:  platform,
-	})
-	if err != nil {
-		return err
-	}
-
-	// inspectResponse preserves fields in the response that have an
-	// "omitempty" in the OCI spec, but didn't omit such fields in
-	// legacy responses before API v1.50.
-	imageInspect := &inspectCompatResponse{
-		InspectResponse: resp,
-		legacyConfig:    legacyConfigFields["current"],
-	}
-
-	// Make sure we output empty arrays instead of nil. While Go nil slice is functionally equivalent to an empty slice,
-	// it matters for the JSON representation.
-	if imageInspect.RepoTags == nil {
-		imageInspect.RepoTags = []string{}
-	}
-	if imageInspect.RepoDigests == nil {
-		imageInspect.RepoDigests = []string{}
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.44") {
-		imageInspect.VirtualSize = imageInspect.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
-
-		if imageInspect.Created == "" {
-			// backwards compatibility for Created not existing returning "0001-01-01T00:00:00Z"
-			// https://github.com/moby/moby/issues/47368
-			imageInspect.Created = time.Time{}.Format(time.RFC3339Nano)
-		}
-	}
-	if versions.GreaterThanOrEqualTo(version, "1.45") {
-		imageInspect.Container = ""        //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
-		imageInspect.ContainerConfig = nil //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.45.
-	}
-	if versions.LessThan(version, "1.48") {
-		imageInspect.Descriptor = nil
-	}
-	if versions.LessThan(version, "1.50") {
-		imageInspect.legacyConfig = legacyConfigFields["v1.49"]
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
-}
-
-func (ir *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	imageFilters, err := filters.FromJSON(r.Form.Get("filters"))
-	if err != nil {
-		return err
-	}
-
-	version := httputils.VersionFromContext(ctx)
-	if versions.LessThan(version, "1.41") {
-		// NOTE: filter is a shell glob string applied to repository names.
-		filterParam := r.Form.Get("filter")
-		if filterParam != "" {
-			imageFilters.Add("reference", filterParam)
-		}
-	}
-
-	var sharedSize bool
-	if versions.GreaterThanOrEqualTo(version, "1.42") {
-		// NOTE: Support for the "shared-size" parameter was added in API 1.42.
-		sharedSize = httputils.BoolValue(r, "shared-size")
-	}
-
-	var manifests bool
-	if versions.GreaterThanOrEqualTo(version, "1.47") {
-		manifests = httputils.BoolValue(r, "manifests")
-	}
-
-	images, err := ir.backend.Images(ctx, imagetypes.ListOptions{
-		All:        httputils.BoolValue(r, "all"),
-		Filters:    imageFilters,
-		SharedSize: sharedSize,
-		Manifests:  manifests,
-	})
-	if err != nil {
-		return err
-	}
-
-	useNone := versions.LessThan(version, "1.43")
-	withVirtualSize := versions.LessThan(version, "1.44")
-	noDescriptor := versions.LessThan(version, "1.48")
-	noContainers := versions.LessThan(version, "1.51")
-	for _, img := range images {
-		if useNone {
-			if len(img.RepoTags) == 0 && len(img.RepoDigests) == 0 {
-				img.RepoTags = append(img.RepoTags, "<none>:<none>")
-				img.RepoDigests = append(img.RepoDigests, "<none>@<none>")
-			}
-		} else {
-			if img.RepoTags == nil {
-				img.RepoTags = []string{}
-			}
-			if img.RepoDigests == nil {
-				img.RepoDigests = []string{}
-			}
-		}
-		if withVirtualSize {
-			img.VirtualSize = img.Size //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
-		}
-		if noDescriptor {
-			img.Descriptor = nil
-		}
-		if noContainers {
-			img.Containers = -1
-		}
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, images)
-}
-
-func (ir *imageRouter) getImagesHistory(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var platform *ocispec.Platform
-	if versions.GreaterThanOrEqualTo(httputils.VersionFromContext(ctx), "1.48") {
-		if formPlatform := r.Form.Get("platform"); formPlatform != "" {
-			p, err := httputils.DecodePlatform(formPlatform)
-			if err != nil {
-				return err
-			}
-			platform = p
-		}
-	}
-	history, err := ir.backend.ImageHistory(ctx, vars["name"], platform)
-	if err != nil {
-		return err
-	}
-
-	return httputils.WriteJSON(w, http.StatusOK, history)
-}
-
-func (ir *imageRouter) postImagesTag(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	ref, err := httputils.RepoTagReference(r.Form.Get("repo"), r.Form.Get("tag"))
-	if ref == nil || err != nil {
-		return errdefs.InvalidParameter(err)
-	}
-
-	refName := reference.FamiliarName(ref)
-	if refName == string(digest.Canonical) {
-		return errdefs.InvalidParameter(errors.New("refusing to create an ambiguous tag using digest algorithm as name"))
-	}
-
-	img, err := ir.backend.GetImage(ctx, vars["name"], backend.GetImageOpts{})
-	if err != nil {
-		return errdefs.NotFound(err)
-	}
-
-	if err := ir.backend.TagImage(ctx, img.ID(), ref); err != nil {
-		return err
-	}
-	w.WriteHeader(http.StatusCreated)
-	return nil
-}
-
-func (ir *imageRouter) getImagesSearch(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	var limit int
-	if r.Form.Get("limit") != "" {
-		var err error
-		limit, err = strconv.Atoi(r.Form.Get("limit"))
-		if err != nil || limit < 0 {
-			return errdefs.InvalidParameter(errors.Wrap(err, "invalid limit specified"))
-		}
-	}
-	searchFilters, err := filters.FromJSON(r.Form.Get("filters"))
-	if err != nil {
-		return err
-	}
-
-	// For a search it is not an error if no auth was given. Ignore invalid
-	// AuthConfig to increase compatibility with the existing API.
-	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
-
-	headers := http.Header{}
-	for k, v := range r.Header {
-		k = http.CanonicalHeaderKey(k)
-		if strings.HasPrefix(k, "X-Meta-") {
-			headers[k] = v
-		}
-	}
-	headers.Set("User-Agent", dockerversion.DockerUserAgent(ctx))
-	res, err := ir.searcher.Search(ctx, searchFilters, r.Form.Get("term"), limit, authConfig, headers)
-	if err != nil {
-		return err
-	}
-	return httputils.WriteJSON(w, http.StatusOK, res)
-}
-
-func (ir *imageRouter) postImagesPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
-	if err := httputils.ParseForm(r); err != nil {
-		return err
-	}
-
-	pruneFilters, err := filters.FromJSON(r.Form.Get("filters"))
-	if err != nil {
-		return err
-	}
-
-	pruneReport, err := ir.backend.ImagesPrune(ctx, pruneFilters)
-	if err != nil {
-		return err
-	}
-	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
-}
-
-// validateRepoName validates the name of a repository.
-func validateRepoName(name reference.Named) error {
-	familiarName := reference.FamiliarName(name)
-	if familiarName == api.NoBaseImageSpecifier {
-		return fmt.Errorf("'%s' is a reserved name", familiarName)
-	}
-	return nil
-}
--- a/api/server/router/image/inspect_response.go
+++ b/api/server/router/image/inspect_response.go
@@ -1,88 +0,0 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.23
-
-package image
-
-import (
-	"encoding/json"
-	"maps"
-
-	"github.com/docker/docker/api/types/image"
-)
-
-// legacyConfigFields defines legacy image-config fields to include in
-// API responses on older API versions.
-var legacyConfigFields = map[string]map[string]any{
-	// Legacy fields for API v1.49 and lower. These fields are deprecated
-	// and omitted in newer API versions; see https://github.com/moby/moby/pull/48457
-	"v1.49": {
-		"AttachStderr": false,
-		"AttachStdin":  false,
-		"AttachStdout": false,
-		"Cmd":          nil,
-		"Domainname":   "",
-		"Entrypoint":   nil,
-		"Env":          nil,
-		"Hostname":     "",
-		"Image":        "",
-		"Labels":       nil,
-		"OnBuild":      nil,
-		"OpenStdin":    false,
-		"StdinOnce":    false,
-		"Tty":          false,
-		"User":         "",
-		"Volumes":      nil,
-		"WorkingDir":   "",
-	},
-	// Legacy fields for current API versions (v1.50 and up). These fields
-	// did not have an "omitempty" and were always included in the response,
-	// even if not set; see https://github.com/moby/moby/issues/50134
-	"current": {
-		"Cmd":        nil,
-		"Entrypoint": nil,
-		"Env":        nil,
-		"Labels":     nil,
-		"OnBuild":    nil,
-		"User":       "",
-		"Volumes":    nil,
-		"WorkingDir": "",
-	},
-}
-
-// inspectCompatResponse is a wrapper around [image.InspectResponse] with a
-// custom marshal function for legacy [api/types/container.Config} fields
-// that have been removed, or did not have omitempty.
-type inspectCompatResponse struct {
-	*image.InspectResponse
-	legacyConfig map[string]any
-}
-
-// MarshalJSON implements a custom marshaler to include legacy fields
-// in API responses.
-func (ir *inspectCompatResponse) MarshalJSON() ([]byte, error) {
-	type tmp *image.InspectResponse
-	base, err := json.Marshal((tmp)(ir.InspectResponse))
-	if err != nil {
-		return nil, err
-	}
-	if len(ir.legacyConfig) == 0 {
-		return base, nil
-	}
-
-	type resp struct {
-		*image.InspectResponse
-		Config map[string]any
-	}
-
-	var merged resp
-	err = json.Unmarshal(base, &merged)
-	if err != nil {
-		return base, nil
-	}
-
-	// prevent mutating legacyConfigFields.
-	cfg := maps.Clone(ir.legacyConfig)
-	maps.Copy(cfg, merged.Config)
-	merged.Config = cfg
-	return json.Marshal(merged)
-}
--- a/api/server/router/local.go
+++ b/api/server/router/local.go
@@ -1,73 +0,0 @@
-package router
-
-import (
-	"net/http"
-
-	"github.com/docker/docker/api/server/httputils"
-)
-
-// RouteWrapper wraps a route with extra functionality.
-// It is passed in when creating a new route.
-type RouteWrapper func(r Route) Route
-
-// localRoute defines an individual API route to connect
-// with the docker daemon. It implements Route.
-type localRoute struct {
-	method  string
-	path    string
-	handler httputils.APIFunc
-}
-
-// Handler returns the APIFunc to let the server wrap it in middlewares.
-func (l localRoute) Handler() httputils.APIFunc {
-	return l.handler
-}
-
-// Method returns the http method that the route responds to.
-func (l localRoute) Method() string {
-	return l.method
-}
-
-// Path returns the subpath where the route responds to.
-func (l localRoute) Path() string {
-	return l.path
-}
-
-// NewRoute initializes a new local route for the router.
-func NewRoute(method, path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	var r Route = localRoute{method, path, handler}
-	for _, o := range opts {
-		r = o(r)
-	}
-	return r
-}
-
-// NewGetRoute initializes a new route with the http method GET.
-func NewGetRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodGet, path, handler, opts...)
-}
-
-// NewPostRoute initializes a new route with the http method POST.
-func NewPostRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodPost, path, handler, opts...)
-}
-
-// NewPutRoute initializes a new route with the http method PUT.
-func NewPutRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodPut, path, handler, opts...)
-}
-
-// NewDeleteRoute initializes a new route with the http method DELETE.
-func NewDeleteRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodDelete, path, handler, opts...)
-}
-
-// NewOptionsRoute initializes a new route with the http method OPTIONS.
-func NewOptionsRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodOptions, path, handler, opts...)
-}
-
-// NewHeadRoute initializes a new route with the http method HEAD.
-func NewHeadRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
-	return NewRoute(http.MethodHead, path, handler, opts...)
-}
--- a/api/server/router/network/backend.go
+++ b/api/server/router/network/backend.go
@@ -1,30 +0,0 @@
-package network
-
-import (
-	"context"
-
-	"github.com/docker/docker/api/types/backend"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/network"
-)
-
-// Backend is all the methods that need to be implemented
-// to provide network specific functionality.
-type Backend interface {
-	GetNetworks(filters.Args, backend.NetworkListConfig) ([]network.Inspect, error)
-	CreateNetwork(ctx context.Context, nc network.CreateRequest) (*network.CreateResponse, error)
-	ConnectContainerToNetwork(ctx context.Context, containerName, networkName string, endpointConfig *network.EndpointSettings) error
-	DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error
-	DeleteNetwork(networkID string) error
-	NetworksPrune(ctx context.Context, pruneFilters filters.Args) (*network.PruneReport, error)
-}
-
-// ClusterBackend is all the methods that need to be implemented
-// to provide cluster network specific functionality.
-type ClusterBackend interface {
-	GetNetworks(filters.Args) ([]network.Inspect, error)
-	GetNetwork(name string) (network.Inspect, error)
-	GetNetworksByName(name string) ([]network.Inspect, error)
-	CreateNetwork(nc network.CreateRequest) (string, error)
-	RemoveNetwork(name string) error
-}
--- a/api/server/router/network/network.go
+++ b/api/server/router/network/network.go
@@ -1,43 +0,0 @@
-package network
-
-import (
-	"github.com/docker/docker/api/server/router"
-)
-
-// networkRouter is a router to talk with the network controller
-type networkRouter struct {
-	backend Backend
-	cluster ClusterBackend
-	routes  []router.Route
-}
-
-// NewRouter initializes a new network router
-func NewRouter(b Backend, c ClusterBackend) router.Router {
-	r := &networkRouter{
-		backend: b,
-		cluster: c,
-	}
-	r.initRoutes()
-	return r
-}
-
-// Routes returns the available routes to the network controller
-func (n *networkRouter) Routes() []router.Route {
-	return n.routes
-}
-
-func (n *networkRouter) initRoutes() {
-	n.routes = []router.Route{
-		// GET
-		router.NewGetRoute("/networks", n.getNetworksList),
-		router.NewGetRoute("/networks/", n.getNetworksList),
-		router.NewGetRoute("/networks/{id:.+}", n.getNetwork),
-		// POST
-		router.NewPostRoute("/networks/create", n.postNetworkCreate),
-		router.NewPostRoute("/networks/{id:.*}/connect", n.postNetworkConnect),
-		router.NewPostRoute("/networks/{id:.*}/disconnect", n.postNetworkDisconnect),
-		router.NewPostRoute("/networks/prune", n.postNetworksPrune),
-		// DELETE
-		router.NewDeleteRoute("/networks/{id:.*}", n.deleteNetwork),
-	}
-}
--- a/Show More
+++ b/Show More