Remove deprecated keep-storage parameter from /build/prune API

- Remove keep-storage parameter from swagger.yaml API specification - Remove KeepStorage field from CachePruneOptions struct - Remove client-side logic for setting keep-storage query parameter - Remove server-side fallback logic for keep-storage in API v1.49+ - Remove backward compatibility logic in builder.go - Add comprehensive tests to validate keep-storage is no longer sent - Maintain backward compatibility for API versions < v1.49 Co-authored-by: vvoland <5046555+vvoland@users.noreply.github.com>
Initial plan
2026-01-12 11:11:44 +00:00 · 2025-08-14 13:00:36 +00:00 · 2025-08-14 12:46:36 +00:00 · 2025-08-14 13:37:37 +02:00 · 2025-08-14 12:47:03 +02:00 · 2025-08-13 12:50:23 -07:00
3234 changed files with 118340 additions and 36135 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,5 +2,5 @@

 # build artifacts
 /bundles/
-/cli/winresources/dockerd/winres.json
-/cli/winresources/dockerd/*.syso
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1 @@
 Dockerfile* linguist-language=Dockerfile
-vendor.mod linguist-language=Go-Module
-vendor.sum linguist-language=Go-Checksums
--- a/.github/workflows/.dco.yml
+++ b/.github/workflows/.dco.yml
@@ -16,7 +16,7 @@ on:
  workflow_call:

 env:
-  ALPINE_VERSION: "3.21"
+  ALPINE_VERSION: "3.22"

 jobs:
  run:
--- a/.github/workflows/.test-prepare.yml
+++ b/.github/workflows/.test-prepare.yml
@@ -1,45 +0,0 @@
-# reusable workflow
-name: .test-prepare
-
-# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
-
-# Default to 'contents: read', which grants actions to read commits.
-#
-# If any permission is set, any permission not included in the list is
-# implicitly set to "none".
-#
-# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-permissions:
-  contents: read
-
-on:
-  workflow_call:
-    outputs:
-      matrix:
-        description: Test matrix
-        value: ${{ jobs.run.outputs.matrix }}
-
-jobs:
-  run:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
-    outputs:
-      matrix: ${{ steps.set.outputs.matrix }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Create matrix
-        id: set
-        uses: actions/github-script@v7
-        with:
-          script: |
-            let matrix = ['graphdriver'];
-            if ("${{ contains(github.event.pull_request.labels.*.name, 'containerd-integration') || github.event_name != 'pull_request' }}" == "true") {
-              matrix.push('snapshotter');
-            }
-            await core.group(`Set matrix`, async () => {
-              core.info(`matrix: ${JSON.stringify(matrix)}`);
-              core.setOutput('matrix', JSON.stringify(matrix));
-            });
--- a/.github/workflows/.test-unit.yml
+++ b/.github/workflows/.test-unit.yml
@@ -16,7 +16,7 @@ on:
  workflow_call:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  SETUP_BUILDX_VERSION: edge
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -21,13 +21,13 @@ on:
        default: "graphdriver"

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  ITG_CLI_MATRIX_SIZE: 6
  DOCKER_EXPERIMENTAL: 1
  DOCKER_GRAPHDRIVER: ${{ inputs.storage == 'snapshotter' && 'overlayfs' || 'overlay2' }}
-  TEST_INTEGRATION_USE_SNAPSHOTTER: ${{ inputs.storage == 'snapshotter' && '1' || '' }}
+  TEST_INTEGRATION_USE_GRAPHDRIVER: ${{ inputs.storage == 'graphdriver' && '1' || '' }}
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest

@@ -144,7 +144,9 @@ jobs:
              // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
            ];
            if ("${{ inputs.storage }}" == "snapshotter") {
-              includes.push({ os: 'ubuntu-24.04', mode: 'firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'iptables+firewalld' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables' });
+              includes.push({ os: 'ubuntu-24.04', mode: 'nftables+firewalld' });
            }
            await core.group(`Set matrix`, async () => {
              core.info(`matrix: ${JSON.stringify(includes)}`);
@@ -190,6 +192,9 @@ jobs:
            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -328,19 +333,43 @@ jobs:
            // 'include' with other matrix variables that aren't part of the
            // include items.
            // Moreover, since the goal is to run only relevant tests with
-            // firewalld enabled to minimize the number of CI jobs, we
+            // firewalld/nftables enabled to minimize the number of CI jobs, we
            // statically define the list of test suites that we want to run.
            if ("${{ inputs.storage }}" == "snapshotter") {
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
                'test': 'DockerSwarmSuite'
              });
              matrix.include.push({
-                'mode': 'firewalld',
+                'mode': 'iptables+firewalld',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables',
+                'test': 'DockerNetworkSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
+                'test': 'DockerSwarmSuite'
+              });
+              matrix.include.push({
+                'mode': 'nftables+firewalld',
                'test': 'DockerNetworkSuite'
              });
            }
@@ -380,6 +409,9 @@ jobs:
            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
+          if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
+            echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -437,7 +469,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: test-reports-integration-cli-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
+          name: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-${{ env.TESTREPORTS_NAME }}
          path: /tmp/reports/*
          retention-days: 1

@@ -460,7 +492,7 @@ jobs:
        uses: actions/download-artifact@v4
        with:
          path: /tmp/reports
-          pattern: test-reports-integration-cli-${{ inputs.storage }}-*
+          pattern: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-*
          merge-multiple: true
      -
        name: Install teststat
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -28,12 +28,12 @@ on:
        default: false

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
-  WINDOWS_BASE_TAG_2019: ltsc2019
  WINDOWS_BASE_TAG_2022: ltsc2022
+  WINDOWS_BASE_TAG_2025: ltsc2025
  TEST_IMAGE_NAME: moby:test
  TEST_CTN_NAME: moby
  DOCKER_BUILDKIT: 0
@@ -65,8 +65,8 @@ jobs:
        run: |
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -92,7 +92,6 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
@@ -145,8 +144,8 @@ jobs:
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
          New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -172,7 +171,6 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .
      -
@@ -321,8 +319,8 @@ jobs:
        name: Init
        run: |
          New-Item -ItemType "directory" -Path "bundles"
-          If ("${{ inputs.os }}" -eq "windows-2019") {
-            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2019 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          If ("${{ inputs.os }}" -eq "windows-2025") {
+            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          } ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
            echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
@@ -366,10 +364,10 @@ jobs:
              "--exec-root=$env:TEMP\moby-exec", `
              "--pidfile=$env:TEMP\docker.pid", `
              "--register-service"
-          If ("${{ inputs.storage }}" -eq "snapshotter") {
+          If ("${{ inputs.storage }}" -eq "graphdriver") {
            # Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option.
-            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d TEST_INTEGRATION_USE_SNAPSHOTTER=1 
-            echo "TEST_INTEGRATION_USE_SNAPSHOTTER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+            & reg add "HKLM\SYSTEM\CurrentControlSet\Services\docker" /v Environment /t REG_MULTI_SZ /s '@' /d TEST_INTEGRATION_USE_GRAPHDRIVER=1
+            echo "TEST_INTEGRATION_USE_GRAPHDRIVER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
          }
          Write-Host "Starting service"
          Start-Service -Name docker
@@ -441,7 +439,6 @@ jobs:
          .\hack\make.ps1 -TestIntegration
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
      -
        name: Test integration-cli
@@ -450,7 +447,6 @@ jobs:
          .\hack\make.ps1 -TestIntegrationCli
        env:
          DOCKER_HOST: npipe:////./pipe/docker_engine
-          GO111MODULE: "off"
          TEST_CLIENT_BINARY: ${{ env.BIN_OUT }}\docker
          INTEGRATION_TESTRUN: ${{ matrix.test }}
      -
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  TESTSTAT_VERSION: v0.1.25
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
--- a/.github/workflows/bin-image.yml
+++ b/.github/workflows/bin-image.yml
@@ -58,17 +58,21 @@ jobs:
          ### versioning strategy
          ## push semver tag v23.0.0
          # moby/moby-bin:23.0.0
+          # moby/moby-bin:23.0
+          # moby/moby-bin:23
          # moby/moby-bin:latest
          ## push semver prerelease tag v23.0.0-beta.1
          # moby/moby-bin:23.0.0-beta.1
          ## push on master
          # moby/moby-bin:master
-          ## push on 23.0 branch
-          # moby/moby-bin:23.0
+          ## push on 28.x branch
+          # moby/moby-bin:28.x
          tags: |
            type=semver,pattern={{version}}
            type=ref,event=branch
            type=ref,event=pr
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
      -
        name: Rename meta bake definition file
        # see https://github.com/docker/metadata-action/issues/381#issuecomment-1918607161
@@ -91,7 +95,7 @@ jobs:

  build:
    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 20 # guardrails timeout for the whole job
    needs:
      - validate-dco
      - prepare
@@ -167,7 +171,7 @@ jobs:

  merge:
    runs-on: ubuntu-24.04
-    timeout-minutes: 120 # guardrails timeout for the whole job
+    timeout-minutes: 40 # guardrails timeout for the whole job
    needs:
      - build
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && github.event_name != 'pull_request' && github.repository == 'moby/moby'
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  DESTDIR: ./build
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
@@ -220,7 +220,6 @@ jobs:
          & docker build `
            --build-arg WINDOWS_BASE_IMAGE `
            --build-arg WINDOWS_BASE_IMAGE_TAG `
-            --build-arg GO_VERSION `
            -t ${{ env.TEST_IMAGE_NAME }} `
            -f Dockerfile.windows .

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,19 +46,10 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
-      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
-      # and is trying to be smart by searching for modules in every directory,
-      # including vendor directories. If no module is found, it's creating one
-      # which is ... not what we want, so let's give it a "go.mod".
-      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
-      - name: Create go.mod
-        run: |
-          ln -s vendor.mod go.mod
-          ln -s vendor.sum go.sum
      - name: Update Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.24.4"
+          go-version: "1.24.6"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.24.4"
+  GO_VERSION: "1.24.6"
  GIT_PAGER: "cat"
  PAGER: "cat"
  SETUP_BUILDX_VERSION: edge
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -14,15 +14,20 @@ on:
    types: [opened, edited, labeled, unlabeled, synchronize]

 jobs:
-  check-area-label:
+  check-labels:
    runs-on: ubuntu-24.04
    timeout-minutes: 120 # guardrails timeout for the whole job
    steps:
      - name: Missing `area/` label
-        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
        run: |
          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
          exit 1
+      - name: Missing `kind/` label
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'kind/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have a 'kind/*' label"
+          exit 1
      - name: OK
        run: exit 0

--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -14,32 +14,23 @@ concurrency:
  cancel-in-progress: true

 on:
+  schedule:
+    - cron: '0 10 * * *'
  workflow_dispatch:
-  push:
-    branches:
-      - 'master'
-      - '[0-9]+.[0-9]+'
-      - '[0-9]+.x'
-  pull_request:

 jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
  run:
-    needs:
-      - test-prepare
    uses: ./.github/workflows/.windows.yml
    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+        storage:
+          - graphdriver
+          - snapshotter
    with:
      os: windows-2022
      storage: ${{ matrix.storage }}
--- a/.github/workflows/windows-2025.yml
+++ b/.github/workflows/windows-2025.yml
@@ -1,4 +1,4 @@
-name: windows-2019
+name: windows-2025

 # Default to 'contents: read', which grants actions to read commits.
 #
@@ -14,29 +14,28 @@ concurrency:
  cancel-in-progress: true

 on:
-  schedule:
-    - cron: '0 10 * * *'
  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+  pull_request:

 jobs:
  validate-dco:
    uses: ./.github/workflows/.dco.yml

-  test-prepare:
-    uses: ./.github/workflows/.test-prepare.yml
-    needs:
-      - validate-dco
-
  run:
-    needs:
-      - test-prepare
    uses: ./.github/workflows/.windows.yml
    secrets: inherit
    strategy:
      fail-fast: false
      matrix:
-        storage: ${{ fromJson(needs.test-prepare.outputs.matrix) }}
+        storage:
+          - graphdriver
+          - snapshotter
    with:
-      os: windows-2019
+      os: windows-2025
      storage: ${{ matrix.storage }}
      send_coverage: false
--- a/.gitignore
+++ b/.gitignore
@@ -15,8 +15,8 @@ thumbs.db

 # build artifacts
 /bundles/
-/cli/winresources/dockerd/*.syso
-/cli/winresources/dockerd/winres.json
+/cmd/dockerd/winresources/winres.json
+/cmd/dockerd/*.syso

 # ci artifacts
 *.exe
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,7 +3,7 @@ version: "2"
 run:
  # prevent golangci-lint from deducting the go version to lint for through go.mod,
  # which causes it to fallback to go1.17 semantics.
-  go: "1.24.4"
+  go: "1.24.6"
  concurrency: 2
  # Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
  # modules-download-mode: vendor
@@ -69,6 +69,8 @@ linters:
              desc: Use github.com/moby/sys/userns instead.
            - pkg: "github.com/tonistiigi/fsutil"
              desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
+            - pkg: "github.com/hashicorp/go-multierror"
+              desc: "Use errors.Join instead"

    dupword:
      ignore:
@@ -103,11 +105,11 @@ linters:
          msg: Go 1.19 atomic types should be used instead.
        - pkg: ^regexp$
          pattern: ^regexp\.MustCompile
-          msg: Use internal/lazyregexp.New instead.
+          msg: Use daemon/internal/lazyregexp.New instead.
        - pkg: github.com/vishvananda/netlink$
          pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
          msg: Use internal nlwrap package for EINTR handling.
-        - pkg: github.com/docker/docker/internal/nlwrap$
+        - pkg: github.com/moby/moby/v2/internal/nlwrap$
          pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
          msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
      analyze-types: true
@@ -204,10 +206,20 @@ linters:
      max-func-lines: 0

    revive:
+      # Only listed rules are applied
+      # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
      rules:
+        - name: increment-decrement
          # FIXME make sure all packages have a description. Currently, there's many packages without.
        - name: package-comments
          disabled: true
+        - name: redefines-builtin-id
+        - name: superfluous-else
+          arguments:
+            - preserve-scope
+        - name: use-any
+        - name: use-errors-new
+        - name: var-declaration

    staticcheck:
      checks:
@@ -255,9 +267,6 @@ linters:
      http-status-code: true

  exclusions:
-    paths:
-      - volume/drivers/proxy.go # TODO: this is a generated file but with an invalid header, see https://github.com/moby/moby/pull/46274
-
    rules:
        # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
        # automatically inherited. We can decide whether or not to follow upstream
@@ -303,11 +312,6 @@ linters:
        linters:
          - staticcheck

-        # FIXME(thaJeztah): ignoring these transitional utilities until BuildKit is vendored with https://github.com/moby/moby/pull/49743
-      - text: "SA1019: idtools\\.(ToUserIdentityMapping|FromUserIdentityMapping) is deprecated"
-        linters:
-          - staticcheck
-
        # Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
        # FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
      - text: 'nested context in function literal'
@@ -327,13 +331,21 @@ linters:
        linters:
          - forbidigo
      - text: 'use of `regexp.MustCompile` forbidden'
-        path: "internal/lazyregexp"
+        path: "daemon/internal/lazyregexp"
+        linters:
+          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "internal/testutils"
        linters:
          - forbidigo
      - text: 'use of `regexp.MustCompile` forbidden'
        path: "libnetwork/cmd/networkdb-test/dbclient"
        linters:
          - forbidigo
+      - text: 'use of `regexp.MustCompile` forbidden'
+        path: "registry/"
+        linters:
+          - forbidigo

    # Log a warning if an exclusion rule is unused.
    # Default: false
--- a/69
+++ b/69
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.6
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.6.1
@@ -10,7 +10,7 @@ ARG XX_VERSION=1.6.1
 ARG VPNKIT_VERSION=0.6.0

 # DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
-ARG DOCKERCLI_VERSION=v28.2.2
+ARG DOCKERCLI_VERSION=v28.3.2
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"

 # cli version used for integration-cli tests
@@ -18,10 +18,10 @@ ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v18.06.3-ce

 # BUILDX_VERSION is the version of buildx to install in the dev container.
-ARG BUILDX_VERSION=0.24.0
+ARG BUILDX_VERSION=0.25.0

 # COMPOSE_VERSION is the version of compose to install in the dev container.
-ARG COMPOSE_VERSION=v2.36.2
+ARG COMPOSE_VERSION=v2.38.2

 ARG SYSTEMD="false"
 ARG FIREWALLD="false"
@@ -34,8 +34,8 @@ ARG DOCKER_STATIC=1
 ARG REGISTRY_VERSION=3.0.0

 # delve is currently only supported on linux/amd64 and linux/arm64;
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel.go#L1
-# https://github.com/go-delve/delve/blob/v1.24.1/pkg/proc/native/support_sentinel_linux.go#L1
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel.go#L1
+# https://github.com/go-delve/delve/blob/v1.25.0/pkg/proc/native/support_sentinel_linux.go#L1
 #
 # ppc64le support was added in v1.21.1, but is still experimental, and requires
 # the "-tags exp.linuxppc64le" build-tag to be set:
@@ -64,7 +64,6 @@ COPY --from=xx / /
 RUN go telemetry off && [ "$(go telemetry)" = "off" ] || { echo "Failed to disable Go telemetry"; exit 1; }
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN apt-get update && apt-get install --no-install-recommends -y file
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 FROM base AS criu
@@ -82,25 +81,18 @@ FROM distribution/distribution:$REGISTRY_VERSION AS registry
 RUN mkdir /build && mv /bin/registry /build/registry

 # go-swagger
-FROM base AS swagger-src
-WORKDIR /usr/src/swagger
-# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
-# TODO: move to under moby/ or fix upstream go-swagger to work for us.
-RUN git init . && git remote add origin "https://github.com/kolyshkin/go-swagger.git"
-# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
-# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
-ARG GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
-RUN git fetch -q --depth 1 origin "${GO_SWAGGER_COMMIT}" && git checkout -q FETCH_HEAD
-
 FROM base AS swagger
 WORKDIR /go/src/github.com/go-swagger/go-swagger
 ARG TARGETPLATFORM
-RUN --mount=from=swagger-src,src=/usr/src/swagger,rw \
-    --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
+# GO_SWAGGER_VERSION specifies the version of the go-swagger binary to install.
+# Go-swagger is used in CI for generating types from swagger.yaml in
+# hack/validate/swagger-gen
+ARG GO_SWAGGER_VERSION=v0.32.3
+RUN --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ <<EOT
  set -e
-  xx-go build -o /build/swagger ./cmd/swagger
+  GOBIN=/build xx-go install "github.com/go-swagger/go-swagger/cmd/swagger@${GO_SWAGGER_VERSION}"
  xx-verify /build/swagger
 EOT

@@ -135,7 +127,7 @@ RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"
 # from the https://github.com/go-delve/delve repository.
 # It can be used to run Docker with a possibility of
 # attaching debugger to it.
-ARG DELVE_VERSION=v1.24.1
+ARG DELVE_VERSION=v1.25.0
 RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS delve-supported
@@ -145,7 +137,7 @@ RUN --mount=from=delve-src,src=/usr/src/delve,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=delve-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod <<EOT
  set -e
-  GO111MODULE=on xx-go build -o /build/dlv ./cmd/dlv
+  xx-go build -o /build/dlv ./cmd/dlv
  xx-verify /build/dlv
 EOT

@@ -157,7 +149,7 @@ FROM base AS gowinres
 ARG GOWINRES_VERSION=v0.3.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
+        GOBIN=/build/ go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
     && /build/go-winres --help

 # containerd
@@ -167,11 +159,8 @@ RUN git init . && git remote add origin "https://github.com/containerd/container
 # CONTAINERD_VERSION is used to build containerd binaries, and used for the
 # integration tests. The distributed docker .deb and .rpm packages depend on a
 # separate (containerd.io) package, which may be a different version as is
-# specified here. The containerd golang package is also pinned in vendor.mod.
-# When updating the binary version you may also need to update the vendor
-# version to pick up bug fixes or new APIs, however, usually the Go packages
-# are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.27
+# specified here.
+ARG CONTAINERD_VERSION=v1.7.28
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS containerd-build
@@ -205,27 +194,28 @@ FROM base AS golangci_lint
 ARG GOLANGCI_LINT_VERSION=v2.1.5
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+        GOBIN=/build/ go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

 FROM base AS gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.12.3
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
+        GOBIN=/build/ go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
     && /build/gotestsum --version

 FROM base AS shfmt
 ARG SHFMT_VERSION=v3.8.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
+        GOBIN=/build/ go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
     && /build/shfmt --version

 FROM base AS gopls
 RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "golang.org/x/tools/gopls@latest" \
+        GOBIN=/build/ go install "golang.org/x/tools/gopls@latest" \
     && /build/gopls version

 FROM base AS dockercli
@@ -259,9 +249,8 @@ WORKDIR /usr/src/runc
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
 # RUNC_VERSION should match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged. When updating RUNC_VERSION,
-# consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.2.6
+# project first, and update both after that is merged.
+ARG RUNC_VERSION=v1.3.0
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

 FROM base AS runc-build
@@ -328,7 +317,7 @@ FROM tini-${TARGETOS} AS tini
 FROM base AS rootlesskit-src
 WORKDIR /usr/src/rootlesskit
 RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
-# When updating, also update vendor.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
+# When updating, also update go.mod and hack/dockerfile/install/rootlesskit.installer accordingly.
 ARG ROOTLESSKIT_VERSION=v2.3.4
 RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

@@ -341,7 +330,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib
            gcc \
            libc6-dev \
            pkg-config
-ENV GO111MODULE=on
 ARG DOCKER_STATIC
 RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
    --mount=type=cache,target=/go/pkg/mod \
@@ -542,14 +530,14 @@ COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration
 FROM base AS build
 COPY --from=gowinres /build/ /usr/local/bin/
 WORKDIR /go/src/github.com/docker/docker
-ENV GO111MODULE=off
 ENV CGO_ENABLED=1
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            clang \
            lld \
-            llvm
+            llvm \
+            icoutils
 ARG TARGETPLATFORM
 RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
@@ -579,7 +567,6 @@ RUN <<EOT
  fi
 EOT
 RUN --mount=type=bind,target=.,rw \
-    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-$TARGETPLATFORM <<EOT
  set -e
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,18 +5,17 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.6

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

 FROM ${GOLANG_IMAGE}
-ENV GO111MODULE=off
 ENV GOTOOLCHAIN=local

 # Compile and runtime deps
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#build-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
 		build-essential \
 		curl \
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,12 +161,14 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.24.4
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GO_VERSION=1.24.6
+
+# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
+ARG GOTESTSUM_VERSION=v1.12.3

 # GOWINRES_VERSION is the version of go-winres to install.
 ARG GOWINRES_VERSION=v0.3.3
-ARG CONTAINERD_VERSION=v1.7.27
+ARG CONTAINERD_VERSION=v1.7.28

 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -176,7 +178,6 @@ ENV GO_VERSION=${GO_VERSION} `
    CONTAINERD_VERSION=${CONTAINERD_VERSION} `
    GIT_VERSION=2.11.1 `
    GOPATH=C:\gopath `
-    GO111MODULE=off `
    GOTOOLCHAIN=local `
    FROM_DOCKERFILE=1 `
    GOTESTSUM_VERSION=${GOTESTSUM_VERSION} `
@@ -276,13 +277,11 @@ RUN `

 RUN `
  Function Install-GoTestSum() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
    &go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"gotestsum install failed..."'; `
    } `
@@ -292,13 +291,11 @@ RUN `

 RUN `
  Function Install-GoWinres() { `
-    $Env:GO111MODULE = 'on'; `
    $tmpGobin = "${Env:GOBIN_TMP}"; `
    $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
    Write-Host "INFO: Installing go-winres version $Env:GOWINRES_VERSION in $Env:GOBIN"; `
    &go install "github.com/tc-hib/go-winres@${Env:GOWINRES_VERSION}"; `
    $Env:GOBIN = "${tmpGobin}"; `
-    $Env:GO111MODULE = 'off'; `
    if ($LASTEXITCODE -ne 0) {  `
      Throw '"go-winres install failed..."'; `
    } `
--- a/2
+++ b/2
@@ -6,7 +6,7 @@
 # GitHub ID, Name, Email address, GPG fingerprint
 "akerouanton","Albin Kerouanton","albinker@gmail.com"
 "AkihiroSuda","Akihiro Suda","akihiro.suda.cz@hco.ntt.co.jp"
-"austinvazquez","Austin Vazquez","macedonv@amazon.com"
+"austinvazquez","Austin Vazquez","austin.vazquez.dev@gmail.com"
 "corhere","Cory Snider","csnider@mirantis.com"
 "cpuguy83","Brian Goff","cpuguy83@gmail.com"
 "robmry","Rob Murray","rob.murray@docker.com"
--- a/3
+++ b/3
@@ -38,6 +38,7 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
+	-e DOCKER_FIREWALL_BACKEND \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -53,7 +54,7 @@ DOCKER_ENVS := \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
-	-e TEST_INTEGRATION_USE_SNAPSHOTTER \
+	-e TEST_INTEGRATION_USE_GRAPHDRIVER \
 	-e TEST_INTEGRATION_FAIL_FAST \
 	-e TEST_SKIP_INTEGRATION \
 	-e TEST_SKIP_INTEGRATION_CLI \
--- a/README.md
+++ b/README.md
@@ -1,9 +1,11 @@
 The Moby Project
 ================

-[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/docker)](https://pkg.go.dev/github.com/docker/docker)
-[![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker)](https://goreportcard.com/report/github.com/docker/docker)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/v2)](https://pkg.go.dev/github.com/moby/moby/v2)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/v2)](https://goreportcard.com/report/github.com/moby/moby/v2)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)


 ![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -113,5 +113,5 @@ We see gRPC as the natural communication layer between decoupled components.

 In addition to pushing out large components into other projects, much of the
 internal code structure, and in particular the
-["Daemon"](https://godoc.org/github.com/docker/docker/daemon#Daemon) object,
+["Daemon"](https://pkg.go.dev/github.com/moby/moby/v2/daemon#Daemon) object,
 should be split into smaller, more manageable, and more testable components.
--- a/TESTING.md
+++ b/TESTING.md
@@ -8,11 +8,11 @@ questions you may have as an aspiring Moby contributor.
 Moby has two test suites (and one legacy test suite):

 * Unit tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  the package they test. Unit tests should be fast and test only their own 
  package.
 * API integration tests - use standard `go test` and
-  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  [gotest.tools/v3/assert](https://pkg.go.dev/gotest.tools/v3/assert) assertions. They are located in
  `./integration/<component>` directories, where `component` is: container,
  image, volume, etc. These tests perform HTTP requests to an API endpoint and
  check the HTTP response and daemon state after the call.
@@ -57,17 +57,28 @@ Instead, implement new tests under `integration/`.
 ### Integration tests environment considerations

 When adding new tests or modifying existing tests under `integration/`, testing
-environment should be properly considered. `skip.If` from 
-[gotest.tools/skip](https://godoc.org/gotest.tools/skip) can be used to make the 
+environment should be properly considered. [`skip.If`](https://pkg.go.dev/gotest.tools/v3/skip#If) from 
+[gotest.tools/v3/skip](https://pkg.go.dev/gotest.tools/v3/skip) can be used to make the 
 test run conditionally. Full testing environment conditions can be found at 
-[environment.go](https://github.com/moby/moby/blob/6b6eeed03b963a27085ea670f40cd5ff8a61f32e/testutil/environment/environment.go)
+[environment.go](https://github.com/moby/moby/blob/311b2c87e125c6d4198014369e313135cf928a8a/testutil/environment/environment.go)

 Here is a quick example. If the test needs to interact with a docker daemon on 
 the same host, the following condition should be checked within the test code

 ```go
-skip.If(t, testEnv.IsRemoteDaemon())
-// your integration test code
+package example
+
+import (
+	"testing"
+
+	"gotest.tools/v3/skip"
+)
+
+func TestSomething(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon(), "test requires a local daemon")
+
+	// your integration test code
+}
 ```

 If a remote daemon is detected, the test will be skipped.
@@ -78,11 +89,11 @@ If a remote daemon is detected, the test will be skipped.

 To run the unit test suite:

-```
+```bash
 make test-unit
 ```

-or `hack/test/unit` from inside a `BINDDIR=. make shell` container or properly
+or `hack/test/unit` from inside a `make shell` container or properly
 configured environment.

 The following environment variables may be used to run a subset of tests:
@@ -95,7 +106,7 @@ The following environment variables may be used to run a subset of tests:

 To run the integration test suite:

-```
+```bash
 make test-integration
 ```

@@ -121,6 +132,6 @@ automatically set the other above mentioned environment variables accordingly.
 You can change a version of golang used for building stuff that is being tested
 by setting `GO_VERSION` variable, for example:

-```
-make GO_VERSION=1.12.8 test
+```bash
+make GO_VERSION=1.24.6 test
 ```
--- a/VENDORING.md
+++ b/VENDORING.md
@@ -1,46 +0,0 @@
-# Vendoring policies
-
-This document outlines recommended Vendoring policies for Docker repositories.
-(Example, libnetwork is a Docker repo and logrus is not.)
-
-## Vendoring using tags
-
-Commit ID based vendoring provides little/no information about the updates
-vendored. To fix this, vendors will now require that repositories use annotated
-tags along with commit ids to snapshot commits. Annotated tags by themselves
-are not sufficient, since the same tag can be force updated to reference
-different commits.
-
-Each tag should:
- Follow Semantic Versioning rules (refer to section on "Semantic Versioning")
- Have a corresponding entry in the change tracking document.
-
-Each repo should:
- Have a change tracking document between tags/releases. Ex: CHANGELOG.md,
-github releases file.
-
-The goal here is for consuming repos to be able to use the tag version and
-changelog updates to determine whether the vendoring will cause any breaking or
-backward incompatible changes. This also means that repos can specify having
-dependency on a package of a specific version or greater up to the next major
-release, without encountering breaking changes.
-
-## Semantic Versioning
-Annotated version tags should follow [Semantic Versioning](http://semver.org) policies:
-
-"Given a version number MAJOR.MINOR.PATCH, increment the:
-
-   1. MAJOR version when you make incompatible API changes,
-   2. MINOR version when you add functionality in a backwards-compatible manner, and
-   3. PATCH version when you make backwards-compatible bug fixes.
-
-Additional labels for pre-release and build metadata are available as extensions
-to the MAJOR.MINOR.PATCH format."
-
-## Vendoring cadence
-In order to avoid huge vendoring changes, it is recommended to have a regular
-cadence for vendoring updates. e.g. monthly.
-
-## Pre-merge vendoring tests
-All related repos will be vendored into docker/docker.
-CI on docker/docker should catch any breaking changes involving multiple repos.
--- a/api/README.md
+++ b/api/README.md
@@ -1,12 +1,18 @@
-# Working on the Engine API
+# Engine API
+
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/moby/moby/api)](https://pkg.go.dev/github.com/moby/moby/api)
+![GitHub License](https://img.shields.io/github/license/moby/moby)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/moby/api)](https://goreportcard.com/report/github.com/moby/moby/api)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/moby/moby/badge)](https://scorecard.dev/viewer/?uri=github.com/moby/moby)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10989/badge)](https://www.bestpractices.dev/projects/10989)
+

 The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.

 It consists of various components in this repository:

 - `api/swagger.yaml` A Swagger definition of the API.
- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
- `cli/` The command-line client.
+- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/moby/moby/issues/27919) for progress on this.
 - `client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
 - `daemon/` The daemon, which serves the API.

@@ -21,6 +27,7 @@ The API is defined by the [Swagger](http://swagger.io/specification/) definition
 ## Updating the API documentation

 The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, edit this file to represent the change in the documentation.
+Documentation for each API version can be found in the [docs directory](docs/README.md), which also provides a [CHANGELOG.md](docs/CHANGELOG.md). 

 The file is split into two main sections:

@@ -29,7 +36,7 @@ The file is split into two main sections:

 To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.

-There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919).
+There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/moby/moby/issues/27919).

 `swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful when making edits to ensure you are doing the right thing.

@@ -39,4 +46,4 @@ When you make edits to `swagger.yaml`, you may want to check the generated API d

 Run `make swagger-docs` and a preview will be running at `http://localhost:9000`. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.

-The production documentation is generated by vendoring `swagger.yaml` into [docker/docker.github.io](https://github.com/docker/docker.github.io).
+The production documentation is generated by vendoring `swagger.yaml` into [docker/docs](https://github.com/docker/docs).
--- a/api/common.go
+++ b/api/common.go
@@ -3,18 +3,14 @@ package api
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.51"
+	DefaultVersion = "1.52"

 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
 	// may be configured with a different minimum API version, as returned
-	// in [github.com/docker/docker/api/types.Version.MinAPIVersion].
+	// in [github.com/moby/moby/api/types.Version.MinAPIVersion].
 	//
 	// API requests for API versions lower than the configured version produce
 	// an error.
 	MinSupportedAPIVersion = "1.24"
-
-	// NoBaseImageSpecifier is the symbol used by the FROM
-	// command to specify that no base image is to be used.
-	NoBaseImageSpecifier = "scratch"
 )
--- a/docs/api/version-history.md
+++ b/docs/api/version-history.md
@@ -13,6 +13,16 @@ keywords: "API, Docker, rcli, REST, documentation"
     will be rejected.
 -->

+## v1.52 API changes
+
+[Docker Engine API v1.52](https://docs.docker.com/reference/api/engine/version/v1.52/) documentation
+
+* `GET /images/{name}/get` now accepts multiple `platform` query-arguments
+  to allow selecting which platform(s) of a multi-platform image must be
+  saved.
+* `POST /images/load` now accepts multiple `platform` query-arguments
+  to allow selecting which platform(s) of a multi-platform image to load.
+
 ## v1.51 API changes

 [Docker Engine API v1.51](https://docs.docker.com/reference/api/engine/version/v1.51/) documentation
--- a/api/docs/README.md
+++ b/api/docs/README.md
@@ -0,0 +1,26 @@
+# API Documentation
+
+This directory contains versioned documents for each version of the API
+specification supported by this module. While this module provides support
+for older API versions, support should be considered "best-effort", especially
+for very old versions. Users are recommended to use the latest API versions,
+and only rely on older API versions for compatibility with older clients.
+
+Newer API versions tend to be backward-compatible with older versions,
+with some exceptions where features were deprecated. For an overview
+of changes for each version, refer to [CHANGELOG.md](CHANGELOG.md).
+
+The latest version of the API specification can be found [at the root directory
+of this module](../swagger.yaml) which may contain unreleased changes.
+
+For API version v1.24, documentation is only available in markdown
+format, for later versions [Swagger (OpenAPI) v2.0](https://swagger.io/specification/v2/)
+specifications can be found in this directory. The Moby project itself
+primarily uses these swagger files to produce the API documentation;
+while we attempt to make these files match the actual implementation,
+the OpenAPI 2.0 specification has limitations that prevent us from
+expressing all options provided. There may be discrepancies (for which
+we welcome contributions). If you find bugs, or discrepancies, please
+open a ticket (or pull request).
+
+
--- a/api/docs/v1.24.md
+++ b/api/docs/v1.24.md
--- a/api/docs/v1.25.yaml
+++ b/api/docs/v1.25.yaml
@@ -1975,6 +1975,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
--- a/api/docs/v1.26.yaml
+++ b/api/docs/v1.26.yaml
@@ -1979,6 +1979,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
--- a/api/docs/v1.27.yaml
+++ b/api/docs/v1.27.yaml
@@ -2051,6 +2051,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
--- a/api/docs/v1.28.yaml
+++ b/api/docs/v1.28.yaml
@@ -2104,6 +2104,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
--- a/api/docs/v1.29.yaml
+++ b/api/docs/v1.29.yaml
@@ -2125,6 +2125,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Networks:
        type: "array"
        items:
--- a/api/docs/v1.30.yaml
+++ b/api/docs/v1.30.yaml
@@ -2303,6 +2303,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
--- a/api/docs/v1.31.yaml
+++ b/api/docs/v1.31.yaml
@@ -2332,6 +2332,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -2861,7 +2862,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.32.yaml
+++ b/api/docs/v1.32.yaml
@@ -2783,6 +2783,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3333,7 +3334,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.33.yaml
+++ b/api/docs/v1.33.yaml
@@ -2787,6 +2787,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3337,7 +3338,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.34.yaml
+++ b/api/docs/v1.34.yaml
@@ -2797,6 +2797,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3365,7 +3366,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.35.yaml
+++ b/api/docs/v1.35.yaml
@@ -2801,6 +2801,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3369,7 +3370,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.36.yaml
+++ b/api/docs/v1.36.yaml
@@ -2814,6 +2814,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3382,7 +3383,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.37.yaml
+++ b/api/docs/v1.37.yaml
@@ -2817,6 +2817,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3388,7 +3389,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.38.yaml
+++ b/api/docs/v1.38.yaml
@@ -2871,6 +2871,7 @@ definitions:
      ForceUpdate:
        description: "A counter that triggers an update even if no relevant parameters have been changed."
        type: "integer"
+        format: "uint64"
      Runtime:
        description: "Runtime is the type of runtime specified for the task executor."
        type: "string"
@@ -3442,7 +3443,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.39.yaml
+++ b/api/docs/v1.39.yaml
@@ -3913,6 +3913,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4503,7 +4504,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
--- a/api/docs/v1.40.yaml
+++ b/api/docs/v1.40.yaml
@@ -4039,6 +4039,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4627,7 +4628,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -7948,7 +7949,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.41.yaml
+++ b/api/docs/v1.41.yaml
@@ -4204,6 +4204,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4876,7 +4877,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8237,7 +8238,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.42.yaml
+++ b/api/docs/v1.42.yaml
@@ -4223,6 +4223,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4895,7 +4896,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8487,7 +8488,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.43.yaml
+++ b/api/docs/v1.43.yaml
@@ -4254,6 +4254,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -4926,7 +4927,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8505,7 +8506,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.44.yaml
+++ b/api/docs/v1.44.yaml
@@ -4322,6 +4322,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5041,7 +5042,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8662,7 +8663,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.45.yaml
+++ b/api/docs/v1.45.yaml
@@ -4308,6 +4308,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5027,7 +5028,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8648,7 +8649,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.46.yaml
+++ b/api/docs/v1.46.yaml
@@ -4361,6 +4361,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5086,7 +5087,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8769,7 +8770,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.47.yaml
+++ b/api/docs/v1.47.yaml
@@ -4379,6 +4379,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5104,7 +5105,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -8910,7 +8911,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.48.yaml
+++ b/api/docs/v1.48.yaml
@@ -3039,7 +3039,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4517,6 +4518,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5512,7 +5514,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -9454,7 +9456,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.49.yaml
+++ b/api/docs/v1.49.yaml
@@ -3039,7 +3039,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4517,6 +4518,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5512,7 +5514,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -9454,7 +9456,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.50.yaml
+++ b/api/docs/v1.50.yaml
@@ -2914,7 +2914,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -4392,6 +4393,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5387,7 +5389,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -9338,7 +9340,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
--- a/api/docs/v1.51.yaml
+++ b/api/docs/v1.51.yaml
--- a/api/docs/v1.52.yaml
+++ b/api/docs/v1.52.yaml
--- a/api/go.mod
+++ b/api/go.mod
@@ -0,0 +1,15 @@
+module github.com/moby/moby/api
+
+go 1.23.0
+
+require (
+	github.com/docker/go-connections v0.6.0
+	github.com/docker/go-units v0.5.0
+	github.com/google/go-cmp v0.5.9
+	github.com/moby/docker-image-spec v1.3.1
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.1
+	golang.org/x/time v0.11.0
+	gotest.tools/v3 v3.5.2
+	pgregory.net/rapid v1.2.0
+)
--- a/api/go.sum
+++ b/api/go.sum
@@ -0,0 +1,18 @@
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/api/pkg/progress/progress.go
+++ b/api/pkg/progress/progress.go
@@ -23,7 +23,7 @@ type Progress struct {

 	// Aux contains extra information not presented to the user, such as
 	// digests for push signing.
-	Aux interface{}
+	Aux any

 	LastUpdate bool
 }
@@ -71,7 +71,7 @@ func Update(out Output, id, action string) {

 // Updatef is a convenience function to write a printf-formatted progress update
 // to the channel.
-func Updatef(out Output, id, format string, a ...interface{}) {
+func Updatef(out Output, id, format string, a ...any) {
 	Update(out, id, fmt.Sprintf(format, a...))
 }

@@ -82,12 +82,12 @@ func Message(out Output, id, message string) {

 // Messagef is a convenience function to write a printf-formatted progress
 // message to the channel.
-func Messagef(out Output, id, format string, a ...interface{}) {
+func Messagef(out Output, id, format string, a ...any) {
 	Message(out, id, fmt.Sprintf(format, a...))
 }

 // Aux sends auxiliary information over a progress interface, which will not be
 // formatted for the UI. This is used for things such as push signing.
-func Aux(out Output, a interface{}) {
+func Aux(out Output, a any) {
 	out.WriteProgress(Progress{Aux: a})
 }
--- a/api/pkg/progress/progressreader.go
+++ b/api/pkg/progress/progressreader.go
--- a/api/pkg/progress/progressreader_test.go
+++ b/api/pkg/progress/progressreader_test.go
--- a/api/pkg/stdcopy/stdcopy.go
+++ b/api/pkg/stdcopy/stdcopy.go
@@ -14,16 +14,13 @@ import (
 type StdType byte

 const (
-	// Stdin represents standard input stream type.
-	Stdin StdType = iota
-	// Stdout represents standard output stream type.
-	Stdout
-	// Stderr represents standard error steam type.
-	Stderr
-	// Systemerr represents errors originating from the system that make it
-	// into the multiplexed stream.
-	Systemerr
+	Stdin     StdType = 0 // Stdin represents standard input stream. It is present for completeness and should NOT be used. When reading the stream with [StdCopy] it is output on [Stdout].
+	Stdout    StdType = 1 // Stdout represents standard output stream.
+	Stderr    StdType = 2 // Stderr represents standard error steam.
+	Systemerr StdType = 3 // Systemerr represents errors originating from the system. When reading the stream with [StdCopy] it is returned as an error.
+)

+const (
 	stdWriterPrefixLen = 8
 	stdWriterFdIndex   = 0
 	stdWriterSizeIndex = 4
@@ -31,7 +28,7 @@ const (
 	startingBufLen = 32*1024 + stdWriterPrefixLen + 1
 )

-var bufPool = &sync.Pool{New: func() interface{} { return bytes.NewBuffer(nil) }}
+var bufPool = &sync.Pool{New: func() any { return bytes.NewBuffer(nil) }}

 // stdWriter is wrapper of io.Writer with extra customized info.
 type stdWriter struct {
@@ -39,10 +36,11 @@ type stdWriter struct {
 	prefix byte
 }

-// Write sends the buffer to the underneath writer.
+// Write sends the buffer to the underlying writer.
 // It inserts the prefix header before the buffer,
-// so stdcopy.StdCopy knows where to multiplex the output.
-// It makes stdWriter to implement io.Writer.
+// so [StdCopy] knows where to multiplex the output.
+//
+// It implements [io.Writer].
 func (w *stdWriter) Write(p []byte) (int, error) {
 	if w == nil || w.Writer == nil {
 		return 0, errors.New("writer not instantiated")
@@ -68,30 +66,55 @@ func (w *stdWriter) Write(p []byte) (int, error) {
 	return n, err
 }

-// NewStdWriter instantiates a new Writer.
-// Everything written to it will be encapsulated using a custom format,
-// and written to the underlying `w` stream.
-// This allows multiple write streams (e.g. stdout and stderr) to be muxed into a single connection.
-// `t` indicates the id of the stream to encapsulate.
-// It can be stdcopy.Stdin, stdcopy.Stdout, stdcopy.Stderr.
-func NewStdWriter(w io.Writer, t StdType) io.Writer {
+// NewStdWriter instantiates a new writer using a custom format to multiplex
+// multiple streams to a single writer. All messages written using this writer
+// are encapsulated using a custom format, and written to the underlying
+// stream "w".
+//
+// Writers created through NewStdWriter allow for multiple write streams
+// (e.g., stdout ([Stdout]) and stderr ([Stderr]) to be multiplexed into a
+// single connection. "streamType" indicates the type of stream to encapsulate,
+// commonly, [Stdout] or [Stderr]. The [Systemerr] stream can be used to
+// include server-side errors in the stream. Information on this stream
+// is returned as an error by [StdCopy] and terminates processing the
+// stream.
+//
+// The [Stdin] stream is present for completeness and should generally
+// NOT be used. It is output on [Stdout] when reading the stream with
+// [StdCopy].
+//
+// All streams must share the same underlying [io.Writer] to ensure proper
+// multiplexing. Each call to NewStdWriter wraps that shared writer with
+// a header indicating the target stream.
+func NewStdWriter(w io.Writer, streamType StdType) io.Writer {
 	return &stdWriter{
 		Writer: w,
-		prefix: byte(t),
+		prefix: byte(streamType),
 	}
 }

-// StdCopy is a modified version of io.Copy.
+// StdCopy is a modified version of [io.Copy] to de-multiplex messages
+// from "multiplexedSource" and copy them to destination streams
+// "destOut" and "destErr".
 //
-// StdCopy will demultiplex `src`, assuming that it contains two streams,
-// previously multiplexed together using a StdWriter instance.
-// As it reads from `src`, StdCopy will write to `dstout` and `dsterr`.
+// StdCopy demultiplexes "multiplexedSource", assuming that it contains
+// two streams, previously multiplexed using a writer created with
+// [NewStdWriter].
 //
-// StdCopy will read until it hits EOF on `src`. It will then return a nil error.
-// In other words: if `err` is non nil, it indicates a real underlying error.
+// As it reads from "multiplexedSource", StdCopy writes [Stdout] messages
+// to "destOut", and [Stderr] message to "destErr]. For backward-compatibility,
+// [Stdin] messages are output to "destOut". The [Systemerr] stream provides
+// errors produced by the daemon. It is returned as an error, and terminates
+// processing the stream.
 //
-// `written` will hold the total number of bytes written to `dstout` and `dsterr`.
-func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, _ error) {
+// StdCopy it reads until it hits [io.EOF] on "multiplexedSource", after
+// which it returns a nil error. In other words: any error returned indicates
+// a real underlying error, which may be when an unknown [StdType] stream
+// is received.
+//
+// The "written" return holds the total number of bytes written to "destOut"
+// and "destErr" combined.
+func StdCopy(destOut, destErr io.Writer, multiplexedSource io.Reader) (written int64, _ error) {
 	var (
 		buf       = make([]byte, startingBufLen)
 		bufLen    = len(buf)
@@ -105,7 +128,7 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, _ error) {
 		// Make sure we have at least a full header
 		for nr < stdWriterPrefixLen {
 			var nr2 int
-			nr2, err = src.Read(buf[nr:])
+			nr2, err = multiplexedSource.Read(buf[nr:])
 			nr += nr2
 			if errors.Is(err, io.EOF) {
 				if nr < stdWriterPrefixLen {
@@ -118,24 +141,24 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, _ error) {
 			}
 		}

-		stream := StdType(buf[stdWriterFdIndex])
 		// Check the first byte to know where to write
+		stream := StdType(buf[stdWriterFdIndex])
 		switch stream {
 		case Stdin:
 			fallthrough
 		case Stdout:
 			// Write on stdout
-			out = dstout
+			out = destOut
 		case Stderr:
 			// Write on stderr
-			out = dsterr
+			out = destErr
 		case Systemerr:
 			// If we're on Systemerr, we won't write anywhere.
 			// NB: if this code changes later, make sure you don't try to write
 			// to outstream if Systemerr is the stream
 			out = nil
 		default:
-			return 0, fmt.Errorf("Unrecognized input header: %d", buf[stdWriterFdIndex])
+			return 0, fmt.Errorf("unrecognized stream: %d", stream)
 		}

 		// Retrieve the size of the frame
@@ -151,7 +174,7 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, _ error) {
 		// While the amount of bytes read is less than the size of the frame + header, we keep reading
 		for nr < frameSize+stdWriterPrefixLen {
 			var nr2 int
-			nr2, err = src.Read(buf[nr:])
+			nr2, err = multiplexedSource.Read(buf[nr:])
 			nr += nr2
 			if errors.Is(err, io.EOF) {
 				if nr < frameSize+stdWriterPrefixLen {
--- a/api/pkg/stdcopy/stdcopy_example_test.go
+++ b/api/pkg/stdcopy/stdcopy_example_test.go
@@ -0,0 +1,66 @@
+package stdcopy_test
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"time"
+
+	"github.com/moby/moby/api/pkg/stdcopy"
+)
+
+func ExampleNewStdWriter() {
+	muxReader, muxStream := io.Pipe()
+	defer func() { _ = muxStream.Close() }()
+
+	// Start demuxing before the daemon starts writing.
+	done := make(chan error, 1)
+	go func() {
+		// using os.Stdout for both, otherwise output doesn't show up in the example.
+		osStdout := os.Stdout
+		osStderr := os.Stdout
+		_, err := stdcopy.StdCopy(osStdout, osStderr, muxReader)
+		done <- err
+	}()
+
+	// daemon writing to stdout, stderr, and systemErr.
+	stdout := stdcopy.NewStdWriter(muxStream, stdcopy.Stdout)
+	stderr := stdcopy.NewStdWriter(muxStream, stdcopy.Stderr)
+	systemErr := stdcopy.NewStdWriter(muxStream, stdcopy.Systemerr)
+
+	for range 10 {
+		_, _ = fmt.Fprintln(stdout, "hello from stdout")
+		_, _ = fmt.Fprintln(stderr, "hello from stderr")
+		time.Sleep(50 * time.Millisecond)
+	}
+	_, _ = fmt.Fprintln(systemErr, errors.New("something went wrong"))
+
+	// Wait for the demuxer to finish.
+	if err := <-done; err != nil {
+		fmt.Println(err)
+	}
+
+	// Output:
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// hello from stdout
+	// hello from stderr
+	// error from daemon in stream: something went wrong
+}
--- a/api/pkg/stdcopy/stdcopy_test.go
+++ b/api/pkg/stdcopy/stdcopy_test.go
--- a/api/pkg/streamformatter/streamformatter.go
+++ b/api/pkg/streamformatter/streamformatter.go
@@ -0,0 +1,247 @@
+// Package streamformatter provides helper functions to format a stream.
+package streamformatter
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/go-units"
+	"github.com/moby/moby/api/pkg/progress"
+	"github.com/moby/moby/api/types/jsonstream"
+)
+
+// jsonMessage defines a message struct. It describes
+// the created time, where it from, status, ID of the
+// message. It's used for docker events.
+//
+// It is a reduced set of [jsonmessage.JSONMessage].
+type jsonMessage struct {
+	Stream   string               `json:"stream,omitempty"`
+	Status   string               `json:"status,omitempty"`
+	Progress *jsonstream.Progress `json:"progressDetail,omitempty"`
+	ID       string               `json:"id,omitempty"`
+	Error    *jsonstream.Error    `json:"errorDetail,omitempty"`
+	Aux      *json.RawMessage     `json:"aux,omitempty"` // Aux contains out-of-band data, such as digests for push signing and image id after building.
+
+	// ErrorMessage contains errors encountered during the operation.
+	//
+	// Deprecated: this field is deprecated since docker v0.6.0 / API v1.4. Use [Error.Message] instead. This field will be omitted in a future release.
+	ErrorMessage string `json:"error,omitempty"` // deprecated
+}
+
+const streamNewline = "\r\n"
+
+type jsonProgressFormatter struct{}
+
+func appendNewline(source []byte) []byte {
+	return append(source, []byte(streamNewline)...)
+}
+
+// FormatStatus formats the specified objects according to the specified format (and id).
+func FormatStatus(id, format string, a ...any) []byte {
+	str := fmt.Sprintf(format, a...)
+	b, err := json.Marshal(&jsonMessage{ID: id, Status: str})
+	if err != nil {
+		return FormatError(err)
+	}
+	return appendNewline(b)
+}
+
+// FormatError formats the error as a JSON object
+func FormatError(err error) []byte {
+	jsonError, ok := err.(*jsonstream.Error)
+	if !ok {
+		jsonError = &jsonstream.Error{Message: err.Error()}
+	}
+	if b, err := json.Marshal(&jsonMessage{Error: jsonError, ErrorMessage: err.Error()}); err == nil {
+		return appendNewline(b)
+	}
+	return []byte(`{"error":"format error"}` + streamNewline)
+}
+
+func (sf *jsonProgressFormatter) formatStatus(id, format string, a ...any) []byte {
+	return FormatStatus(id, format, a...)
+}
+
+// formatProgress formats the progress information for a specified action.
+func (sf *jsonProgressFormatter) formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte {
+	if progress == nil {
+		progress = &jsonstream.Progress{}
+	}
+	var auxJSON *json.RawMessage
+	if aux != nil {
+		auxJSONBytes, err := json.Marshal(aux)
+		if err != nil {
+			return nil
+		}
+		auxJSON = new(json.RawMessage)
+		*auxJSON = auxJSONBytes
+	}
+	b, err := json.Marshal(&jsonMessage{
+		Status:   action,
+		Progress: progress,
+		ID:       id,
+		Aux:      auxJSON,
+	})
+	if err != nil {
+		return nil
+	}
+	return appendNewline(b)
+}
+
+type rawProgressFormatter struct{}
+
+func (sf *rawProgressFormatter) formatStatus(id, format string, a ...any) []byte {
+	return []byte(fmt.Sprintf(format, a...) + streamNewline)
+}
+
+func rawProgressString(p *jsonstream.Progress) string {
+	if p == nil || (p.Current <= 0 && p.Total <= 0) {
+		return ""
+	}
+	if p.Total <= 0 {
+		switch p.Units {
+		case "":
+			return fmt.Sprintf("%8v", units.HumanSize(float64(p.Current)))
+		default:
+			return fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	percentage := int(float64(p.Current)/float64(p.Total)*100) / 2
+	if percentage > 50 {
+		percentage = 50
+	}
+
+	numSpaces := 0
+	if 50-percentage > 0 {
+		numSpaces = 50 - percentage
+	}
+	pbBox := fmt.Sprintf("[%s>%s] ", strings.Repeat("=", percentage), strings.Repeat(" ", numSpaces))
+
+	var numbersBox string
+	switch {
+	case p.HideCounts:
+	case p.Units == "": // no units, use bytes
+		current := units.HumanSize(float64(p.Current))
+		total := units.HumanSize(float64(p.Total))
+
+		numbersBox = fmt.Sprintf("%8v/%v", current, total)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%8v", current)
+		}
+	default:
+		numbersBox = fmt.Sprintf("%d/%d %s", p.Current, p.Total, p.Units)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	var timeLeftBox string
+	if p.Current > 0 && p.Start > 0 && percentage < 50 {
+		fromStart := time.Since(time.Unix(p.Start, 0))
+		perEntry := fromStart / time.Duration(p.Current)
+		left := time.Duration(p.Total-p.Current) * perEntry
+		timeLeftBox = " " + left.Round(time.Second).String()
+	}
+	return pbBox + numbersBox + timeLeftBox
+}
+
+func (sf *rawProgressFormatter) formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte {
+	if progress == nil {
+		progress = &jsonstream.Progress{}
+	}
+	endl := "\r"
+	out := rawProgressString(progress)
+	if out == "" {
+		endl += "\n"
+	}
+	return []byte(action + " " + out + endl)
+}
+
+// NewProgressOutput returns a progress.Output object that can be passed to
+// progress.NewProgressReader.
+func NewProgressOutput(out io.Writer) progress.Output {
+	return &progressOutput{sf: &rawProgressFormatter{}, out: out, newLines: true}
+}
+
+// NewJSONProgressOutput returns a progress.Output that formats output
+// using JSON objects
+func NewJSONProgressOutput(out io.Writer, newLines bool) progress.Output {
+	return &progressOutput{sf: &jsonProgressFormatter{}, out: out, newLines: newLines}
+}
+
+type formatProgress interface {
+	formatStatus(id, format string, a ...any) []byte
+	formatProgress(id, action string, progress *jsonstream.Progress, aux any) []byte
+}
+
+type progressOutput struct {
+	sf       formatProgress
+	out      io.Writer
+	newLines bool
+	mu       sync.Mutex
+}
+
+// WriteProgress formats progress information from a ProgressReader.
+func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+	var formatted []byte
+	if prog.Message != "" {
+		formatted = out.sf.formatStatus(prog.ID, prog.Message)
+	} else {
+		jsonProgress := jsonstream.Progress{
+			Current:    prog.Current,
+			Total:      prog.Total,
+			HideCounts: prog.HideCounts,
+			Units:      prog.Units,
+		}
+		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+	}
+
+	out.mu.Lock()
+	defer out.mu.Unlock()
+	_, err := out.out.Write(formatted)
+	if err != nil {
+		return err
+	}
+
+	if out.newLines && prog.LastUpdate {
+		_, err = out.out.Write(out.sf.formatStatus("", ""))
+		return err
+	}
+
+	return nil
+}
+
+// AuxFormatter is a streamFormatter that writes aux progress messages
+type AuxFormatter struct {
+	io.Writer
+}
+
+// Emit emits the given interface as an aux progress message
+func (sf *AuxFormatter) Emit(id string, aux any) error {
+	auxJSONBytes, err := json.Marshal(aux)
+	if err != nil {
+		return err
+	}
+	auxJSON := new(json.RawMessage)
+	*auxJSON = auxJSONBytes
+	msgJSON, err := json.Marshal(&jsonMessage{ID: id, Aux: auxJSON})
+	if err != nil {
+		return err
+	}
+	msgJSON = appendNewline(msgJSON)
+	n, err := sf.Writer.Write(msgJSON)
+	if n != len(msgJSON) {
+		return io.ErrShortWrite
+	}
+	return err
+}
--- a/api/pkg/streamformatter/streamformatter_test.go
+++ b/api/pkg/streamformatter/streamformatter_test.go
@@ -7,9 +7,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/moby/moby/api/types/jsonstream"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -22,7 +21,7 @@ func TestRawProgressFormatterFormatStatus(t *testing.T) {

 func TestRawProgressFormatterFormatProgress(t *testing.T) {
 	sf := rawProgressFormatter{}
-	jsonProgress := &jsonmessage.JSONProgress{
+	jsonProgress := &jsonstream.Progress{
 		Current: 15,
 		Total:   30,
 		Start:   1,
@@ -47,7 +46,7 @@ func TestFormatError(t *testing.T) {
 }

 func TestFormatJSONError(t *testing.T) {
-	err := &jsonmessage.JSONError{Code: 50, Message: "Json error"}
+	err := &jsonstream.Error{Code: 50, Message: "Json error"}
 	res := FormatError(err)
 	expected := `{"errorDetail":{"code":50,"message":"Json error"},"error":"Json error"}` + streamNewline
 	assert.Check(t, is.Equal(expected, string(res)))
@@ -55,19 +54,19 @@ func TestFormatJSONError(t *testing.T) {

 func TestJsonProgressFormatterFormatProgress(t *testing.T) {
 	sf := &jsonProgressFormatter{}
-	jsonProgress := &jsonmessage.JSONProgress{
+	jsonProgress := &jsonstream.Progress{
 		Current: 15,
 		Total:   30,
 		Start:   1,
 	}
 	aux := "aux message"
 	res := sf.formatProgress("id", "action", jsonProgress, aux)
-	msg := &jsonmessage.JSONMessage{}
+	msg := &jsonMessage{}

 	assert.NilError(t, json.Unmarshal(res, msg))

 	rawAux := json.RawMessage(`"` + aux + `"`)
-	expected := &jsonmessage.JSONMessage{
+	expected := &jsonMessage{
 		ID:       "id",
 		Status:   "action",
 		Aux:      &rawAux,
@@ -81,7 +80,6 @@ func cmpJSONMessageOpt() cmp.Option {
 		return path.String() == "ProgressMessage"
 	}
 	return cmp.Options{
-		cmpopts.IgnoreUnexported(jsonmessage.JSONProgress{}),
 		// Ignore deprecated property that is a derivative of Progress
 		cmp.FilterPath(progressMessagePath, cmp.Ignore()),
 	}
--- a/api/pkg/streamformatter/streamwriter.go
+++ b/api/pkg/streamformatter/streamwriter.go
@@ -3,8 +3,6 @@ package streamformatter
 import (
 	"encoding/json"
 	"io"
-
-	"github.com/docker/docker/pkg/jsonmessage"
 )

 type streamWriter struct {
@@ -22,7 +20,7 @@ func (sw *streamWriter) Write(buf []byte) (int, error) {
 }

 func (sw *streamWriter) format(buf []byte) []byte {
-	msg := &jsonmessage.JSONMessage{Stream: sw.lineFormat(buf)}
+	msg := &jsonMessage{Stream: sw.lineFormat(buf)}
 	b, err := json.Marshal(msg)
 	if err != nil {
 		return FormatError(err)
--- a/api/pkg/streamformatter/streamwriter_test.go
+++ b/api/pkg/streamformatter/streamwriter_test.go
--- a/api/releases/v1.52.0-alpha.toml
+++ b/api/releases/v1.52.0-alpha.toml
@@ -0,0 +1,17 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "moby"
+github_repo = "moby/moby"
+sub_path = "api"
+ignore_deps = [ "github.com/moby/moby" ]
+
+# previous release
+previous = "v28.2.2"
+
+pre_release = true
+
+preface = """\
+The first dedicated release for the Moby API. This release continues the 1.x
+line of API compatibility with the 52nd minor release of the 1.x API.
+"""
--- a/api/server/httputils/decoder.go
+++ b/api/server/httputils/decoder.go
@@ -1,15 +0,0 @@
-package httputils
-
-import (
-	"io"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/network"
-)
-
-// ContainerDecoder specifies how
-// to translate an io.Reader into
-// container configuration.
-type ContainerDecoder interface {
-	DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *network.NetworkingConfig, error)
-}
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
 consumes:
  - "application/json"
  - "text/plain"
-basePath: "/v1.51"
+basePath: "/v1.52"
 info:
  title: "Docker Engine API"
-  version: "1.51"
+  version: "1.52"
  x-logo:
    url: "https://docs.docker.com/assets/images/logo-docker-main.png"
  description: |
@@ -56,7 +56,7 @@ info:
    is returned.

    If you omit the version-prefix, the current version of the API (v1.50) is used.
-    For example, calling `/info` is the same as calling `/v1.51/info`. Using the
+    For example, calling `/info` is the same as calling `/v1.52/info`. Using the
    API without a version-prefix is deprecated and will be removed in a future release.

    Engine releases in the near future should support this version of the API,
@@ -173,9 +173,10 @@ tags:
    x-displayName: "System"

 definitions:
-  Port:
+  PortSummary:
    type: "object"
-    description: "An open port on a container"
+    description: |
+      Describes a port-mapping between the container and the host.
    required: [PrivatePort, Type]
    properties:
      IP:
@@ -2647,26 +2648,10 @@ definitions:
        type: "string"
      stream:
        type: "string"
-      error:
-        type: "string"
-        x-nullable: true
-        description: |-
-          errors encountered during the operation.
-
-
-          > **Deprecated**: This field is deprecated since API v1.4, and will be omitted in a future API version. Use the information in errorDetail instead.
      errorDetail:
        $ref: "#/definitions/ErrorDetail"
      status:
        type: "string"
-      progress:
-        type: "string"
-        x-nullable: true
-        description: |-
-          Progress is a pre-formatted presentation of progressDetail.
-
-
-          > **Deprecated**: This field is deprecated since API v1.8, and will be omitted in a future API version. Use the information in progressDetail instead.
      progressDetail:
        $ref: "#/definitions/ProgressDetail"
      aux:
@@ -2764,52 +2749,20 @@ definitions:
    properties:
      id:
        type: "string"
-      error:
-        type: "string"
-        x-nullable: true
-        description: |-
-          errors encountered during the operation.
-
-
-          > **Deprecated**: This field is deprecated since API v1.4, and will be omitted in a future API version. Use the information in errorDetail instead.
      errorDetail:
        $ref: "#/definitions/ErrorDetail"
      status:
        type: "string"
-      progress:
-        type: "string"
-        x-nullable: true
-        description: |-
-          Progress is a pre-formatted presentation of progressDetail.
-
-
-          > **Deprecated**: This field is deprecated since API v1.8, and will be omitted in a future API version. Use the information in progressDetail instead.
      progressDetail:
        $ref: "#/definitions/ProgressDetail"

  PushImageInfo:
    type: "object"
    properties:
-      error:
-        type: "string"
-        x-nullable: true
-        description: |-
-          errors encountered during the operation.
-
-
-          > **Deprecated**: This field is deprecated since API v1.4, and will be omitted in a future API version. Use the information in errorDetail instead.
      errorDetail:
        $ref: "#/definitions/ErrorDetail"
      status:
        type: "string"
-      progress:
-        type: "string"
-        x-nullable: true
-        description: |-
-          Progress is a pre-formatted presentation of progressDetail.
-
-
-          > **Deprecated**: This field is deprecated since API v1.8, and will be omitted in a future API version. Use the information in progressDetail instead.
      progressDetail:
        $ref: "#/definitions/ProgressDetail"

@@ -2913,7 +2866,8 @@ definitions:
          be used. If multiple endpoints have the same priority, endpoints are
          lexicographically sorted based on their network name, and the one
          that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
        example:
          - 10

@@ -2997,6 +2951,7 @@ definitions:

  PluginMount:
    type: "object"
+    x-go-name: "Mount"
    x-nullable: false
    required: [Name, Description, Settable, Source, Destination, Type, Options]
    properties:
@@ -3033,6 +2988,7 @@ definitions:

  PluginDevice:
    type: "object"
+    x-go-name: "Device"
    required: [Name, Description, Settable, Path]
    x-nullable: false
    properties:
@@ -3052,6 +3008,7 @@ definitions:

  PluginEnv:
    type: "object"
+    x-go-name: "Env"
    x-nullable: false
    required: [Name, Description, Settable, Value]
    properties:
@@ -3068,27 +3025,12 @@ definitions:
      Value:
        type: "string"

-  PluginInterfaceType:
-    type: "object"
-    x-nullable: false
-    required: [Prefix, Capability, Version]
-    properties:
-      Prefix:
-        type: "string"
-        x-nullable: false
-      Capability:
-        type: "string"
-        x-nullable: false
-      Version:
-        type: "string"
-        x-nullable: false
-
  PluginPrivilege:
    description: |
      Describes a permission the user has to accept upon installing
      the plugin.
    type: "object"
-    x-go-name: "PluginPrivilege"
+    x-go-name: "Privilege"
    properties:
      Name:
        type: "string"
@@ -3105,6 +3047,7 @@ definitions:
  Plugin:
    description: "A plugin for the Engine API"
    type: "object"
+    x-go-name: "Plugin"
    required: [Settings, Enabled, Config, Name]
    properties:
      Id:
@@ -3122,8 +3065,9 @@ definitions:
        x-nullable: false
        example: true
      Settings:
-        description: "Settings that can be modified by users."
+        description: "user-configurable settings for the plugin."
        type: "object"
+        x-go-name: "Settings"
        x-nullable: false
        required: [Args, Devices, Env, Mounts]
        properties:
@@ -3148,11 +3092,13 @@ definitions:
      PluginReference:
        description: "plugin remote reference used to push/pull the plugin"
        type: "string"
+        x-go-name: "PluginReference"
        x-nullable: false
        example: "localhost:5000/tiborvass/sample-volume-plugin:latest"
      Config:
        description: "The config of a plugin."
        type: "object"
+        x-go-name: "Config"
        x-nullable: false
        required:
          - Description
@@ -3186,12 +3132,15 @@ definitions:
            description: "The interface between Docker and the plugin"
            x-nullable: false
            type: "object"
+            x-go-name: "Interface"
            required: [Types, Socket]
            properties:
              Types:
                type: "array"
                items:
-                  $ref: "#/definitions/PluginInterfaceType"
+                  type: "string"
+                  x-go-type:
+                    type: "CapabilityID"
                example:
                  - "docker.volumedriver/1.0"
              Socket:
@@ -3218,6 +3167,7 @@ definitions:
            example: "/bin/"
          User:
            type: "object"
+            x-go-name: "User"
            x-nullable: false
            properties:
              UID:
@@ -3230,6 +3180,7 @@ definitions:
                example: 1000
          Network:
            type: "object"
+            x-go-name: "NetworkConfig"
            x-nullable: false
            required: [Type]
            properties:
@@ -3239,6 +3190,7 @@ definitions:
                example: "host"
          Linux:
            type: "object"
+            x-go-name: "LinuxConfig"
            x-nullable: false
            required: [Capabilities, AllowAllDevices, Devices]
            properties:
@@ -3284,6 +3236,7 @@ definitions:
                Value: "0"
          Args:
            type: "object"
+            x-go-name: "Args"
            x-nullable: false
            required: [Name, Description, Settable, Value]
            properties:
@@ -3305,6 +3258,7 @@ definitions:
                  type: "string"
          rootfs:
            type: "object"
+            x-go-name: "RootFS"
            properties:
              type:
                type: "string"
@@ -4391,6 +4345,7 @@ definitions:
          A counter that triggers an update even if no relevant parameters have
          been changed.
        type: "integer"
+        format: "uint64"
      Runtime:
        description: |
          Runtime is the type of runtime specified for the task executor.
@@ -5250,7 +5205,7 @@ definitions:
          Port-mappings for the container.
        type: "array"
        items:
-          $ref: "#/definitions/Port"
+          $ref: "#/definitions/PortSummary"
      SizeRw:
        description: |-
          The size of files that have been created or changed by this container.
@@ -5345,6 +5300,29 @@ definitions:
          List of mounts used by the container.
        items:
          $ref: "#/definitions/MountPoint"
+      Health:
+        type: "object"
+        description: |-
+          Summary of health status
+
+          Added in v1.52, before that version all container summary not include Health.
+          After this attribute introduced, it includes containers with no health checks configured,
+          or containers that are not running with none
+        properties:
+          Status:
+            type: "string"
+            description: |-
+              the health status of the container
+            enum:
+              - "none"
+              - "starting"
+              - "healthy"
+              - "unhealthy"
+            example: "healthy"
+          FailingStreak:
+            description: "FailingStreak is the number of consecutive failures"
+            type: "integer"
+            example: 0

  Driver:
    description: "Driver represents a driver (network, logging, secrets)."
@@ -5386,7 +5364,7 @@ definitions:
          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
          It must be empty if the Driver field is set, in which case the data is
          loaded from an external secret store. The maximum allowed size is 500KB,
-          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0/api/validation#MaxSecretSize).

          This field is only used to _create_ a secret, and is not returned by
          other endpoints.
@@ -9337,7 +9315,18 @@ paths:
          default: ""
        - name: "outputs"
          in: "query"
-          description: "BuildKit output configuration"
+          description: |
+            BuildKit output configuration in the format of a stringified JSON array of objects.
+            Each object must have two top-level properties: `Type` and `Attrs`.
+            The `Type` property must be set to 'moby'.
+            The `Attrs` property is a map of attributes for the BuildKit output configuration.
+            See https://docs.docker.com/build/exporters/oci-docker/ for more information.
+
+            Example:
+
+            ```
+            [{"Type":"moby","Attrs":{"type":"image","force-compression":"true","compression":"zstd"}}]
+            ```
          type: "string"
          default: ""
        - name: "version"
@@ -9369,15 +9358,7 @@ paths:
        - "application/json"
      operationId: "BuildPrune"
      parameters:
-        - name: "keep-storage"
-          in: "query"
-          description: |
-            Amount of disk space in bytes to keep for cache

-            > **Deprecated**: This parameter is deprecated and has been renamed to "reserved-space".
-            > It is kept for backward compatibility and will be removed in API v1.49.
-          type: "integer"
-          format: "int64"
        - name: "reserved-space"
          in: "query"
          description: "Amount of disk space in bytes to keep for cache"
@@ -10419,7 +10400,10 @@ paths:
          type: "string"
          required: true
        - name: "platform"
-          type: "string"
+          type: "array"
+          items:
+            type: "string"
+          collectionFormat: "multi"
          in: "query"
          description: |
            JSON encoded OCI platform describing a platform which will be used
@@ -10464,13 +10448,16 @@ paths:
          items:
            type: "string"
        - name: "platform"
-          type: "string"
+          type: "array"
+          items:
+            type: "string"
+          collectionFormat: "multi"
          in: "query"
          description: |
-            JSON encoded OCI platform describing a platform which will be used
-            to select a platform-specific image to be saved if the image is
-            multi-platform.
-            If not provided, the full multi-platform image will be saved.
+            JSON encoded OCI platform(s) which will be used to select the
+            platform-specific image(s) to be saved if the image is
+            multi-platform. If not provided, the full multi-platform image
+            will be saved.

            Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
      tags: ["Image"]
@@ -10506,13 +10493,16 @@ paths:
          type: "boolean"
          default: false
        - name: "platform"
-          type: "string"
+          type: "array"
+          items:
+            type: "string"
+          collectionFormat: "multi"
          in: "query"
          description: |
-            JSON encoded OCI platform describing a platform which will be used
-            to select a platform-specific image to be load if the image is
-            multi-platform.
-            If not provided, the full multi-platform image will be loaded.
+            JSON encoded OCI platform(s) which will be used to select the
+            platform-specific image(s) to load if the image is
+            multi-platform. If not provided, the full multi-platform image
+            will be loaded.

            Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
      tags: ["Image"]
--- a/api/templates/schema.gotmpl
+++ b/api/templates/schema.gotmpl
@@ -0,0 +1,133 @@
+{{- if and .IsBaseType .IsExported (not .IsSuperAlias) }}
+  {{- template "schemaPolymorphic" . }}
+{{- else if .IsSuperAlias }}
+  type {{ pascalize .Name }} {{ template "typeSchemaType" . }}{{/* For types declared as $ref on some other type, just declare the type as a golang _aliased_ type, e.g. type A = B. No method shall be redeclared.  */}}
+  {{- if .IsBaseType }}
+    {{ template "baseTypeSerializer" . }}{{/* When the alias redeclares a polymorphic type, define factory methods with this alias. */}}
+  {{- end }}
+{{- else if .IsEmbedded }}
+  {{- template "schemaEmbedded" . }}
+{{- else }}
+  {{- if or .IsComplexObject .IsTuple .IsAdditionalProperties }}{{/* TODO(fred): handle case of subtype inheriting from base type with AdditionalProperties, issue #2220 */}}
+      {{ if .Name }}type {{ if not .IsExported }}{{ .Name }}{{ else }}{{ pascalize .Name }}{{ end }}{{ end }} {{ template "schemaBody" . }}
+    {{- range .Properties }}
+      {{- if .IsBaseType }}
+        // {{ pascalize .Name}} gets the {{ humanize .Name }} of this base type{{/* all properties which are of a base type propagate its interface */}}
+        func ({{ $.ReceiverName}} *{{ pascalize $.Name}}) {{ pascalize .Name}}() {{ template "schemaType" . }}{
+          {{- if eq $.DiscriminatorField .Name }}
+            return {{ printf "%q" $.DiscriminatorValue }}
+          {{- else }}
+            return {{ $.ReceiverName }}.{{camelize .Name}}Field
+          {{- end }}
+        }
+
+        // Set{{ pascalize .Name}} sets the {{ humanize .Name }} of this base type
+        func ({{ $.ReceiverName}} *{{ pascalize $.Name}}) Set{{ pascalize .Name}}(val {{ template "schemaType" . }}) {
+          {{- if ne $.DiscriminatorField .Name }}
+            {{ $.ReceiverName }}.{{camelize .Name}}Field = val
+          {{- end }}
+        }
+      {{- end }}
+    {{- end }}
+    {{- if .Default }}{{/* TODO(fred) - issue #2189 */}}
+      func ({{.ReceiverName}} *{{ pascalize .Name }}) UnmarshalJSON(b []byte) error {
+        type {{ pascalize .Name }}Alias {{ pascalize .Name }}
+        var t {{ pascalize .Name }}Alias
+        if err := json.Unmarshal([]byte({{printf "%q" (json .Default)}}), &t); err != nil {
+          return err
+        }
+        if err := json.Unmarshal(b, &t); err != nil {
+          return err
+        }
+        *{{.ReceiverName}} = {{ pascalize .Name }}(t)
+        return nil
+      }
+    {{- end }}
+  {{- else }}
+    type {{ pascalize .Name }} {{ template "typeSchemaType" . }}
+  {{- end }}
+  {{- if (and .IsPrimitive .IsAliased .IsCustomFormatter (not (stringContains .Zero "(\""))) }}
+    {{ template "aliasedSerializer" . }}
+  {{- end }}
+  {{- if .IsSubType }}
+    {{ range .AllOf }}
+      {{ range .Properties }}
+        {{- if .IsBaseType }}
+
+        // {{ pascalize .Name}} gets the {{ humanize .Name }} of this subtype
+        func ({{$.ReceiverName}} *{{ pascalize $.Name}}) {{ pascalize .Name}}() {{ template "schemaType" . }}{
+          {{- if eq $.DiscriminatorField .Name }}
+            return {{ printf "%q" $.DiscriminatorValue }}
+          {{- else }}
+            return {{ $.ReceiverName }}.{{camelize .Name}}Field
+          {{- end }}
+        }
+
+        // Set{{ pascalize .Name}} sets the {{ humanize .Name }} of this subtype
+        func ({{$.ReceiverName}} *{{ pascalize $.Name}}) Set{{ pascalize .Name}}(val {{ template "schemaType" . }}) {
+          {{- if ne $.DiscriminatorField .Name }}
+            {{ $.ReceiverName }}.{{camelize .Name}}Field = val
+          {{- end }}
+        }
+        {{- end }}
+      {{- end }}{{/* TODO(fred): handle AdditionalProperties in base type */}}
+    {{- end }}
+    {{ template "mapOrSliceGetter" . }}
+  {{- end }}
+  {{ template "schemaSerializer" . }}
+{{- end }}
+{{- if and .IncludeValidator (not .IsSuperAlias) (not .IsEmbedded) }}{{/* aliased types type A = B do not redefine methods */}}
+  {{- if and (not (or .IsInterface .IsStream)) (or .Required .HasValidations .HasBaseType) }}
+    {{- if (eq .SwaggerType "string") }}{{/* Enum factory for enums for which we generate const (atm, only strings)*/}}
+      {{- if .Enum }}
+
+func New{{ pascalize .Name }}(value {{ .GoType }}) *{{ .GoType }} {
+  return &value
+}
+
+// Pointer returns a pointer to a freshly-allocated {{ .GoType }}.
+func ({{ .ReceiverName }} {{ .GoType }}) Pointer() *{{ .GoType }} {
+  return &{{ .ReceiverName }}
+}
+      {{- end }}
+    {{- end }}
+    {{ if false }}{{ template "schemavalidator" . }}{{ end }}
+  {{- else if and false not (or .IsInterface .IsStream) }}
+// Validate validates this {{ humanize .Name }}{{/* this schema implements the runtime.Validatable interface but has no validations to check */}}
+func ({{.ReceiverName}} {{ if or .IsTuple .IsComplexObject .IsAdditionalProperties }}*{{ end }}{{ if or (not .IsExported) .Discriminates }}{{ camelize .Name }}{{ else }}{{ pascalize .Name }}{{ end }}) Validate(formats strfmt.Registry) error {
+  return nil
+}
+  {{- else }}{{/* {{ .Name }} does not implement the runtime.Validatable interface: noop */}}
+  {{- end }}
+{{- if false }}
+  {{- if and (not (or .IsInterface .IsStream)) (or .HasContextValidations) }}
+    {{ template "schemacontextvalidator" . }}
+  {{- else if not (or .IsInterface .IsStream) }}
+// ContextValidate validates this {{ humanize .Name }} based on context it is used {{/* this schema implements the runtime.ContextValidatable interface but has no validations to check */}}
+func ({{.ReceiverName}} {{ if or .IsTuple .IsComplexObject .IsAdditionalProperties }}*{{ end }}{{ if or (not .IsExported) .Discriminates }}{{ camelize .Name }}{{ else }}{{ pascalize .Name }}{{ end }}) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+  return nil
+}
+  {{- else }}{{/* {{ .Name }} does not implement the runtime.Validatable interface: noop */}}
+  {{- end }}
+{{- end }}
+{{- if .WantsMarshalBinary }}
+  {{ template "marshalBinarySerializer" . }}
+{{- end }}
+{{- end }}
+{{- define "mapOrSliceGetter" }}{{/* signature for AdditionalProperties and AdditionalItems getter funcs */}}
+  {{- if not .IsBaseType }}
+    {{- if .HasAdditionalProperties }}
+      {{- with .AdditionalProperties }}
+        // {{- template "docstring" . }}{{- template "propertyValidationDocString" . }}
+        {{ pascalize .Name }}() map[string]{{ template "schemaType" . }}
+      {{- end }}
+    {{- end }}
+    {{- with .AdditionalItems }}
+      // {{- template "docstring" . }}{{- template "propertyValidationDocString" . }}
+      {{ pascalize .Name }}() []{{ template "schemaType" . }}
+    {{- end }}
+  {{- else }}
+  // AdditionalProperties in base type shoud be handled just like regular properties{{/* TODO(fred): add full support for AdditionalProperties in base type */}}
+  // At this moment, the base type property is pushed down to the subtype
+  {{- end }}
+{{- end }}
--- a/api/templates/serializers/marshalbinaryserializer.gotmpl
+++ b/api/templates/serializers/marshalbinaryserializer.gotmpl
@@ -0,0 +1 @@
+{{ define "marshalBinarySerializer" }}{{ end }}
--- a/api/templates/server/operation.gotmpl
+++ b/api/templates/server/operation.gotmpl
@@ -18,6 +18,7 @@ import (

 {{ range .ExtraSchemas }}
 // {{ .Name }} {{ comment .Description }}
+//
 // swagger:model {{ .Name }}
-{{ template "schema" . }}
-{{ end }}
+  {{- template "schema" . }}
+{{- end }}
--- a/api/types/build/build.go
+++ b/api/types/build/build.go
@@ -3,8 +3,8 @@ package build
 import (
 	"io"

-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/registry"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/registry"
 )

 // BuilderVersion sets the version of underlying builder to use
--- a/api/types/build/cache.go
+++ b/api/types/build/cache.go
@@ -3,7 +3,7 @@ package build
 import (
 	"time"

-	"github.com/docker/docker/api/types/filters"
+	"github.com/moby/moby/api/types/filters"
 )

 // CacheRecord contains information about a build cache record.
@@ -40,8 +40,6 @@ type CachePruneOptions struct {
 	MaxUsedSpace  int64
 	MinFreeSpace  int64
 	Filters       filters.Args
-
-	KeepStorage int64 // Deprecated: deprecated in API 1.48.
 }

 // CachePruneReport contains the response for Engine API:
--- a/api/types/client.go
+++ b/api/types/client.go
@@ -1,85 +0,0 @@
-package types
-
-import (
-	"bufio"
-	"context"
-	"net"
-)
-
-// NewHijackedResponse initializes a [HijackedResponse] type.
-func NewHijackedResponse(conn net.Conn, mediaType string) HijackedResponse {
-	return HijackedResponse{Conn: conn, Reader: bufio.NewReader(conn), mediaType: mediaType}
-}
-
-// HijackedResponse holds connection information for a hijacked request.
-type HijackedResponse struct {
-	mediaType string
-	Conn      net.Conn
-	Reader    *bufio.Reader
-}
-
-// Close closes the hijacked connection and reader.
-func (h *HijackedResponse) Close() {
-	h.Conn.Close()
-}
-
-// MediaType let client know if HijackedResponse hold a raw or multiplexed stream.
-// returns false if HTTP Content-Type is not relevant, and container must be inspected
-func (h *HijackedResponse) MediaType() (string, bool) {
-	if h.mediaType == "" {
-		return "", false
-	}
-	return h.mediaType, true
-}
-
-// CloseWriter is an interface that implements structs
-// that close input streams to prevent from writing.
-type CloseWriter interface {
-	CloseWrite() error
-}
-
-// CloseWrite closes a readWriter for writing.
-func (h *HijackedResponse) CloseWrite() error {
-	if conn, ok := h.Conn.(CloseWriter); ok {
-		return conn.CloseWrite()
-	}
-	return nil
-}
-
-// PluginRemoveOptions holds parameters to remove plugins.
-type PluginRemoveOptions struct {
-	Force bool
-}
-
-// PluginEnableOptions holds parameters to enable plugins.
-type PluginEnableOptions struct {
-	Timeout int
-}
-
-// PluginDisableOptions holds parameters to disable plugins.
-type PluginDisableOptions struct {
-	Force bool
-}
-
-// PluginInstallOptions holds parameters to install a plugin.
-type PluginInstallOptions struct {
-	Disabled             bool
-	AcceptAllPermissions bool
-	RegistryAuth         string // RegistryAuth is the base64 encoded credentials for the registry
-	RemoteRef            string // RemoteRef is the plugin name on the registry
-
-	// PrivilegeFunc is a function that clients can supply to retry operations
-	// after getting an authorization error. This function returns the registry
-	// authentication header value in base64 encoded format, or an error if the
-	// privilege request fails.
-	//
-	// For details, refer to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
-	PrivilegeFunc         func(context.Context) (string, error)
-	AcceptPermissionsFunc func(context.Context, PluginPrivileges) (bool, error)
-	Args                  []string
-}
-
-// PluginCreateOptions hold all options to plugin create.
-type PluginCreateOptions struct {
-	RepoName string
-}
--- a/api/types/common/error_response.go
+++ b/api/types/common/error_response.go
@@ -1,9 +1,13 @@
-package types
+// Code generated by go-swagger; DO NOT EDIT.
+
+package common

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command

 // ErrorResponse Represents an error.
+// Example: {"message":"Something went wrong."}
+//
 // swagger:model ErrorResponse
 type ErrorResponse struct {

--- a/api/types/common/error_response_ext.go
+++ b/api/types/common/error_response_ext.go
@@ -1,4 +1,4 @@
-package types
+package common

 // Error returns the error message
 func (e ErrorResponse) Error() string {
--- a/api/types/common/id_response.go
+++ b/api/types/common/id_response.go
@@ -1,9 +1,12 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
 package common

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command

 // IDResponse Response to an API call that returns just an Id
+//
 // swagger:model IDResponse
 type IDResponse struct {

--- a/api/types/container/change_type.go
+++ b/api/types/container/change_type.go
@@ -1,3 +1,5 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
 package container

 // This file was generated by the swagger tool.
--- a/api/types/container/commit.go
+++ b/api/types/container/commit.go
@@ -1,6 +1,6 @@
 package container

-import "github.com/docker/docker/api/types/common"
+import "github.com/moby/moby/api/types/common"

 // CommitResponse response for the commit API call, containing the ID of the
 // image that was produced.
--- a/api/types/container/config.go
+++ b/api/types/container/config.go
@@ -3,8 +3,6 @@ package container
 import (
 	"time"

-	"github.com/docker/docker/api/types/strslice"
-	"github.com/docker/go-connections/nat"
 	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
 )

@@ -48,18 +46,18 @@ type Config struct {
 	AttachStdin     bool                // Attach the standard input, makes possible user interaction
 	AttachStdout    bool                // Attach the standard output
 	AttachStderr    bool                // Attach the standard error
-	ExposedPorts    nat.PortSet         `json:",omitempty"` // List of exposed ports
+	ExposedPorts    PortSet             `json:",omitempty"` // List of exposed ports
 	Tty             bool                // Attach standard streams to a tty, including stdin if it is not closed.
 	OpenStdin       bool                // Open stdin
 	StdinOnce       bool                // If true, close stdin after the 1 attached client disconnects.
 	Env             []string            // List of environment variable to set in the container
-	Cmd             strslice.StrSlice   // Command to run when starting the container
+	Cmd             []string            // Command to run when starting the container
 	Healthcheck     *HealthConfig       `json:",omitempty"` // Healthcheck describes how to check the container is healthy
 	ArgsEscaped     bool                `json:",omitempty"` // True if command is already escaped (meaning treat as a command line) (Windows specific).
 	Image           string              // Name of the image as it was passed by the operator (e.g. could be symbolic)
 	Volumes         map[string]struct{} // List of volumes (mounts) used for the container
 	WorkingDir      string              // Current directory (PWD) in the command will be launched
-	Entrypoint      strslice.StrSlice   // Entrypoint to run when starting the container
+	Entrypoint      []string            // Entrypoint to run when starting the container
 	NetworkDisabled bool                `json:",omitempty"` // Is network disabled
 	// Mac Address of the container.
 	//
@@ -69,5 +67,5 @@ type Config struct {
 	Labels      map[string]string // List of labels set to this container
 	StopSignal  string            `json:",omitempty"` // Signal to stop a container
 	StopTimeout *int              `json:",omitempty"` // Timeout (in seconds) to stop a container
-	Shell       strslice.StrSlice `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
+	Shell       []string          `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
 }
--- a/api/types/container/container.go
+++ b/api/types/container/container.go
@@ -1,25 +1,14 @@
 package container

 import (
-	"io"
 	"os"
 	"time"

-	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/storage"
+	"github.com/moby/moby/api/types/mount"
+	"github.com/moby/moby/api/types/storage"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

-// ContainerUpdateOKBody OK response to ContainerUpdate operation
-//
-// Deprecated: use [UpdateResponse]. This alias will be removed in the next release.
-type ContainerUpdateOKBody = UpdateResponse
-
-// ContainerTopOKBody OK response to ContainerTop operation
-//
-// Deprecated: use [TopResponse]. This alias will be removed in the next release.
-type ContainerTopOKBody = TopResponse
-
 // PruneReport contains the response for Engine API:
 // POST "/containers/prune"
 type PruneReport struct {
@@ -45,23 +34,10 @@ type CopyToContainerOptions struct {
 	CopyUIDGID                bool
 }

-// StatsResponseReader wraps an io.ReadCloser to read (a stream of) stats
-// for a container, as produced by the GET "/stats" endpoint.
-//
-// The OSType field is set to the server's platform to allow
-// platform-specific handling of the response.
-//
-// TODO(thaJeztah): remove this wrapper, and make OSType part of [StatsResponse].
-type StatsResponseReader struct {
-	Body   io.ReadCloser `json:"body"`
-	OSType string        `json:"ostype"`
-}
-
 // MountPoint represents a mount point configuration inside the container.
 // This is used for reporting the mountpoints in use by a container.
 type MountPoint struct {
-	// Type is the type of mount, see `Type<foo>` definitions in
-	// github.com/docker/docker/api/types/mount.Type
+	// Type is the type of mount, see [mount.Type] definitions for details.
 	Type mount.Type `json:",omitempty"`

 	// Name is the name reference to the underlying data defined by `Source`
@@ -128,7 +104,7 @@ type Summary struct {
 	ImageManifestDescriptor *ocispec.Descriptor `json:"ImageManifestDescriptor,omitempty"`
 	Command                 string
 	Created                 int64
-	Ports                   []Port
+	Ports                   []PortSummary
 	SizeRw                  int64 `json:",omitempty"`
 	SizeRootFs              int64 `json:",omitempty"`
 	Labels                  map[string]string
@@ -138,6 +114,7 @@ type Summary struct {
 		NetworkMode string            `json:",omitempty"`
 		Annotations map[string]string `json:",omitempty"`
 	}
+	Health          *HealthSummary `json:",omitempty"`
 	NetworkSettings *NetworkSettingsSummary
 	Mounts          []MountPoint
 }
--- a/api/types/container/create_request.go
+++ b/api/types/container/create_request.go
@@ -1,6 +1,6 @@
 package container

-import "github.com/docker/docker/api/types/network"
+import "github.com/moby/moby/api/types/network"

 // CreateRequest is the request message sent to the server for container
 // create calls. It is a config wrapper that holds the container [Config]
--- a/api/types/container/create_response.go
+++ b/api/types/container/create_response.go
@@ -1,3 +1,5 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
 package container

 // This file was generated by the swagger tool.
@@ -5,15 +7,18 @@ package container

 // CreateResponse ContainerCreateResponse
 //
-// OK response to ContainerCreate operation
+// # OK response to ContainerCreate operation
+//
 // swagger:model CreateResponse
 type CreateResponse struct {

 	// The ID of the created container
+	// Example: ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743
 	// Required: true
 	ID string `json:"Id"`

 	// Warnings encountered when creating the container
+	// Example: []
 	// Required: true
 	Warnings []string `json:"Warnings"`
 }
--- a/api/types/container/exec.go
+++ b/api/types/container/exec.go
@@ -1,6 +1,6 @@
 package container

-import "github.com/docker/docker/api/types/common"
+import "github.com/moby/moby/api/types/common"

 // ExecCreateResponse is the response for a successful exec-create request.
 // It holds the ID of the exec that was created.
@@ -18,11 +18,13 @@ type ExecOptions struct {
 	AttachStdin  bool     // Attach the standard input, makes possible user interaction
 	AttachStderr bool     // Attach the standard error
 	AttachStdout bool     // Attach the standard output
-	Detach       bool     // Execute in detach mode
 	DetachKeys   string   // Escape keys for detach
 	Env          []string // Environment variables
 	WorkingDir   string   // Working directory
 	Cmd          []string // Execution commands and args
+
+	// Deprecated: the Detach field is not used, and will be removed in a future release.
+	Detach bool
 }

 // ExecStartOptions is a temp struct used by execStart
@@ -42,10 +44,42 @@ type ExecStartOptions struct {
 type ExecAttachOptions = ExecStartOptions

 // ExecInspect holds information returned by exec inspect.
+//
+// It is used by the client to unmarshal a [ExecInspectResponse],
+// but currently only provides a subset of the information included
+// in that type.
+//
+// TODO(thaJeztah): merge [ExecInspect] and [ExecInspectResponse],
 type ExecInspect struct {
 	ExecID      string `json:"ID"`
-	ContainerID string
-	Running     bool
-	ExitCode    int
-	Pid         int
+	ContainerID string `json:"ContainerID"`
+	Running     bool   `json:"Running"`
+	ExitCode    int    `json:"ExitCode"`
+	Pid         int    `json:"Pid"`
+}
+
+// ExecInspectResponse is the API response for the "GET /exec/{id}/json"
+// endpoint and holds information about and exec.
+type ExecInspectResponse struct {
+	ID            string `json:"ID"`
+	Running       bool   `json:"Running"`
+	ExitCode      *int   `json:"ExitCode"`
+	ProcessConfig *ExecProcessConfig
+	OpenStdin     bool   `json:"OpenStdin"`
+	OpenStderr    bool   `json:"OpenStderr"`
+	OpenStdout    bool   `json:"OpenStdout"`
+	CanRemove     bool   `json:"CanRemove"`
+	ContainerID   string `json:"ContainerID"`
+	DetachKeys    []byte `json:"DetachKeys"`
+	Pid           int    `json:"Pid"`
+}
+
+// ExecProcessConfig holds information about the exec process
+// running on the host.
+type ExecProcessConfig struct {
+	Tty        bool     `json:"tty"`
+	Entrypoint string   `json:"entrypoint"`
+	Arguments  []string `json:"arguments"`
+	Privileged *bool    `json:"privileged,omitempty"`
+	User       string   `json:"user,omitempty"`
 }
--- a/api/types/container/filesystem_change.go
+++ b/api/types/container/filesystem_change.go
@@ -1,3 +1,5 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
 package container

 // This file was generated by the swagger tool.
--- a/api/types/container/health.go
+++ b/api/types/container/health.go
@@ -26,6 +26,12 @@ type Health struct {
 	Log           []*HealthcheckResult // Log contains the last few results (oldest first)
 }

+// HealthSummary stores a summary of the container's healthcheck results.
+type HealthSummary struct {
+	Status        HealthStatus // Status is one of [NoHealthcheck], [Starting], [Healthy] or [Unhealthy].
+	FailingStreak int          // FailingStreak is the number of consecutive failures
+}
+
 // HealthcheckResult stores information about a single run of a healthcheck probe
 type HealthcheckResult struct {
 	Start    time.Time // Start is the time this check started
--- a/api/types/container/hostconfig.go
+++ b/api/types/container/hostconfig.go
@@ -5,12 +5,10 @@ import (
 	"fmt"
 	"strings"

-	"github.com/docker/docker/api/types/blkiodev"
-	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/strslice"
-	"github.com/docker/go-connections/nat"
 	"github.com/docker/go-units"
+	"github.com/moby/moby/api/types/blkiodev"
+	"github.com/moby/moby/api/types/mount"
+	"github.com/moby/moby/api/types/network"
 )

 // CgroupnsMode represents the cgroup namespace mode of the container
@@ -427,7 +425,7 @@ type HostConfig struct {
 	ContainerIDFile string            // File (path) where the containerId is written
 	LogConfig       LogConfig         // Configuration of the logs for this container
 	NetworkMode     NetworkMode       // Network mode to use for the container
-	PortBindings    nat.PortMap       // Port mapping between the exposed port (container) and the host
+	PortBindings    PortMap           // Port mapping between the exposed port (container) and the host
 	RestartPolicy   RestartPolicy     // Restart policy to be used for the container
 	AutoRemove      bool              // Automatically remove container when it exits
 	VolumeDriver    string            // Name of the volume driver used to mount volumes
@@ -436,8 +434,8 @@ type HostConfig struct {
 	Annotations     map[string]string `json:",omitempty"` // Arbitrary non-identifying metadata attached to container and provided to the runtime

 	// Applicable to UNIX platforms
-	CapAdd          strslice.StrSlice // List of kernel capabilities to add to the container
-	CapDrop         strslice.StrSlice // List of kernel capabilities to remove from the container
+	CapAdd          []string          // List of kernel capabilities to add to the container
+	CapDrop         []string          // List of kernel capabilities to remove from the container
 	CgroupnsMode    CgroupnsMode      // Cgroup namespace mode to use for the container
 	DNS             []string          `json:"Dns"`        // List of DNS server to lookup
 	DNSOptions      []string          `json:"DnsOptions"` // List of DNSOption to look for
--- a/api/types/container/hostconfig_unix.go
+++ b/api/types/container/hostconfig_unix.go
@@ -2,7 +2,7 @@

 package container

-import "github.com/docker/docker/api/types/network"
+import "github.com/moby/moby/api/types/network"

 // IsValid indicates if an isolation technology is valid
 func (i Isolation) IsValid() bool {
--- a/api/types/container/hostconfig_windows.go
+++ b/api/types/container/hostconfig_windows.go
@@ -1,6 +1,6 @@
 package container

-import "github.com/docker/docker/api/types/network"
+import "github.com/moby/moby/api/types/network"

 // IsValid indicates if an isolation technology is valid
 func (i Isolation) IsValid() bool {
--- a/api/types/container/nat_aliases.go
+++ b/api/types/container/nat_aliases.go
@@ -0,0 +1,24 @@
+package container
+
+import "github.com/docker/go-connections/nat"
+
+// PortRangeProto is a string containing port number and protocol in the format "80/tcp",
+// or a port range and protocol in the format "80-83/tcp".
+//
+// It is currently an alias for [nat.Port] but may become a concrete type in a future release.
+type PortRangeProto = nat.Port
+
+// PortSet is a collection of structs indexed by [HostPort].
+//
+// It is currently an alias for [nat.PortSet] but may become a concrete type in a future release.
+type PortSet = nat.PortSet
+
+// PortBinding represents a binding between a Host IP address and a [HostPort].
+//
+// It is currently an alias for [nat.PortBinding] but may become a concrete type in a future release.
+type PortBinding = nat.PortBinding
+
+// PortMap is a collection of [PortBinding] indexed by [HostPort].
+//
+// It is currently an alias for [nat.PortMap] but may become a concrete type in a future release.
+type PortMap = nat.PortMap
--- a/api/types/container/network_settings.go
+++ b/api/types/container/network_settings.go
@@ -1,8 +1,7 @@
 package container

 import (
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/go-connections/nat"
+	"github.com/moby/moby/api/types/network"
 )

 // NetworkSettings exposes the network settings in the api
@@ -14,10 +13,10 @@ type NetworkSettings struct {

 // NetworkSettingsBase holds networking state for a container when inspecting it.
 type NetworkSettingsBase struct {
-	Bridge     string      // Bridge contains the name of the default bridge interface iff it was set through the daemon --bridge flag.
-	SandboxID  string      // SandboxID uniquely represents a container's network stack
-	SandboxKey string      // SandboxKey identifies the sandbox
-	Ports      nat.PortMap // Ports is a collection of PortBinding indexed by Port
+	Bridge     string  // Bridge contains the name of the default bridge interface iff it was set through the daemon --bridge flag.
+	SandboxID  string  // SandboxID uniquely represents a container's network stack
+	SandboxKey string  // SandboxKey identifies the sandbox
+	Ports      PortMap // Ports is a collection of PortBinding indexed by Port

 	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
 	//
--- a/api/types/container/options.go
+++ b/api/types/container/options.go
@@ -1,6 +1,6 @@
 package container

-import "github.com/docker/docker/api/types/filters"
+import "github.com/moby/moby/api/types/filters"

 // ResizeOptions holds parameters to resize a TTY.
 // It can be used to resize container TTYs and
--- a/api/types/container/port_summary.go
+++ b/api/types/container/port_summary.go
@@ -1,11 +1,16 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
 package container

 // This file was generated by the swagger tool.
 // Editing this file might prove futile when you re-run the swagger generate command

-// Port An open port on a container
-// swagger:model Port
-type Port struct {
+// PortSummary Describes a port-mapping between the container and the host.
+//
+// Example: {"PrivatePort":8080,"PublicPort":80,"Type":"tcp"}
+//
+// swagger:model PortSummary
+type PortSummary struct {

 	// Host IP address that the container's port is mapped to
 	IP string `json:"IP,omitempty"`
@@ -19,5 +24,6 @@ type Port struct {

 	// type
 	// Required: true
+	// Enum: ["tcp","udp","sctp"]
 	Type string `json:"Type"`
 }
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`{{ define "marshalBinarySerializer" }}{{ end }}`