Merge pull request #2558 from tiborvass/19.03-expenv-panic

[19.03] Fix bug with panic when DOCKER_CLI_EXPERIMENTAL environment variable is incorrect
Merge pull request #2560 from tiborvass/19.03-sshfix
2020-05-28 13:41:25 -07:00 · 2020-05-28 13:34:20 -07:00 · 2020-05-28 20:18:03 +00:00 · 2020-05-28 19:21:44 +00:00 · 2020-05-20 10:43:45 -07:00 · 2020-05-20 10:35:44 -07:00
2946 changed files with 256187 additions and 67849 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,2 +1,6 @@
+.dockerignore
 .git
-build
+.gitignore
+appveyor.yml
+build
+circle.yml
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,8 +1,7 @@
 # GitHub code owners
 # See https://github.com/blog/2392-introducing-code-owners

-cli/command/stack/**        @vdemeester @silvin-lubecki
-cli/compose/**              @vdemeester
+cli/command/stack/**        @silvin-lubecki
 contrib/completion/bash/**  @albers
 contrib/completion/zsh/**   @sdurrheimer
-docs/**                     @vdemeester @thaJeztah
+docs/**                     @thaJeztah
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,83 @@
+linters:
+  enable:
+    - bodyclose
+    - deadcode
+    - dogsled
+    - gocyclo
+    - goimports
+    - golint
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - interfacer
+    - lll
+    - megacheck
+    - misspell
+    - nakedret
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+
+  disable:
+    - errcheck
+
+run:
+  timeout: 5m
+  skip-dirs:
+    - cli/command/stack/kubernetes/api/openapi
+    - cli/command/stack/kubernetes/api/client
+  skip-files:
+    - cli/compose/schema/bindata.go
+    - .*generated.*
+
+linters-settings:
+  gocyclo:
+    min-complexity: 16
+  govet:
+    check-shadowing: false
+  lll:
+    line-length: 200
+  nakedret:
+    command: nakedret
+    pattern: ^(?P<path>.*?\\.go):(?P<line>\\d+)\\s*(?P<message>.*)$
+
+issues:
+  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
+  exclude-use-default: false
+
+  exclude:
+    - parameter .* always receives
+
+  exclude-rules:
+    # These are copied from the default exclude rules, except for "ineffective break statement"
+    # and GoDoc checks.
+    # https://github.com/golangci/golangci-lint/blob/0cc87df732aaf1d5ad9ce9ca538d38d916918b36/pkg/config/config.go#L36
+    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked"
+      linters:
+        - errcheck
+    - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
+      linters:
+        - golint
+    - text: "G103: Use of unsafe calls should be audited"
+      linters:
+        - gosec
+    - text: "G104: Errors unhandled"
+      linters:
+        - gosec
+    - text: "G204: Subprocess launch(ed with (variable|function call)|ing should be audited)"
+      linters:
+        - gosec
+    - text: "(G301|G302): (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+      linters:
+        - gosec
+    - text: "G304: Potential file inclusion via variable"
+      linters:
+        - gosec
+    - text: "(G201|G202): SQL string (formatting|concatenation)"
+      linters:
+        - gosec
--- a/.mailmap
+++ b/.mailmap
@ -8,6 +8,7 @@

 Aaron L. Xu <liker.xu@foxmail.com>
 Abhinandan Prativadi <abhi@docker.com>
+Ace Tang <aceapril@126.com>
 Adrien Gallouët <adrien@gallouet.fr> <angt@users.noreply.github.com>
 Ahmed Kamal <email.ahmedkamal@googlemail.com>
 Ahmet Alp Balkan <ahmetb@microsoft.com> <ahmetalpbalkan@gmail.com>
@ -43,6 +44,7 @@ Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@users.noreply.github.com>
 Anuj Bahuguna <anujbahuguna.dev@gmail.com>
 Anuj Bahuguna <anujbahuguna.dev@gmail.com> <abahuguna@fiberlink.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com> <anusha@docker.com>
+Ao Li <la9249@163.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Arnaud Porterie <arnaud.porterie@docker.com> <icecrime@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
@ -65,6 +67,7 @@ Brent Salisbury <brent.salisbury@docker.com> <brent@docker.com>
 Brian Goff <cpuguy83@gmail.com>
 Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.home>
 Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.local>
+Chad Faragher <wyckster@hotmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com> <chaowang@localhost.localdomain>
 Charles Hooper <charles.hooper@dotcloud.com> <chooper@plumata.com>
@ -77,6 +80,7 @@ Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
 Christopher Biscardi <biscarch@sketcht.com>
 Christopher Latham <sudosurootdev@gmail.com>
+Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com> <chenchun.feed@gmail.com>
 Corbin Coleman <corbin.coleman@docker.com>
 Cristian Staretu <cristian.staretu@gmail.com>
@ -119,6 +123,7 @@ Doug Davis <dug@us.ibm.com> <duglin@users.noreply.github.com>
 Doug Tangren <d.tangren@gmail.com>
 Elan Ruusamäe <glen@pld-linux.org>
 Elan Ruusamäe <glen@pld-linux.org> <glen@delfi.ee>
+Elango Sivanandam <elango.siva@docker.com>
 Eric G. Noriega <enoriega@vizuri.com> <egnoriega@users.noreply.github.com>
 Eric Hanchrow <ehanchrow@ine.com> <eric.hanchrow@gmail.com>
 Eric Rosenberg <ehaydenr@gmail.com> <ehaydenr@users.noreply.github.com>
@ -153,6 +158,7 @@ Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume.charmes@dotcloud.
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@charmes.net>
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@docker.com>
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@dotcloud.com>
+Guillaume Le Floch <glfloch@gmail.com>
 Gurjeet Singh <gurjeet@singh.im> <singh.gurjeet@gmail.com>
 Gustav Sinder <gustav.sinder@gmail.com>
 Günther Jungbluth <gunther@gameslabs.net>
@ -174,14 +180,19 @@ Hu Keping <hukeping@huawei.com>
 Huu Nguyen <huu@prismskylabs.com> <whoshuu@gmail.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com> <1187766782@qq.com>
+Ian Campbell <ian.campbell@docker.com>
+Ian Campbell <ian.campbell@docker.com> <ijc@docker.com>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
 Jack Laxson <jackjrabbit@gmail.com>
 Jacob Atzen <jacob@jacobatzen.dk> <jatzen@gmail.com>
 Jacob Tomlinson <jacob@tom.linson.uk> <jacobtomlinson@users.noreply.github.com>
 Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Lambert <jake.lambert@volusion.com>
+Jake Lambert <jake.lambert@volusion.com> <32850427+jake-lambert-volusion@users.noreply.github.com>
 Jamie Hannaford <jamie@limetree.org> <jamie.hannaford@rackspace.com>
 Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
 Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr> <jp@moogsoft.com>
 Jean-Tiare Le Bigot <jt@yadutaf.fr> <admin@jtlebi.fr>
 Jeff Anderson <jeff@docker.com> <jefferya@programmerq.net>
 Jeff Nickoloff <jeff.nickoloff@gmail.com> <jeff@allingeek.com>
@ -247,6 +258,8 @@ Konstantin Gribov <grossws@gmail.com>
 Konstantin Pelykh <kpelykh@zettaset.com>
 Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> <kunal.kushwaha@gmail.com>
+Kyle Spiers <kyle@spiers.me>
+Kyle Spiers <kyle@spiers.me> <Kyle@Spiers.me>
 Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
 Lei Jitang <leijitang@huawei.com>
 Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
@ -277,6 +290,7 @@ Marianna Tessel <mtesselh@gmail.com>
 Mark Oates <fl0yd@me.com>
 Markan Patel <mpatel678@gmail.com>
 Markus Kortlang <hyp3rdino@googlemail.com> <markus.kortlang@lhsystems.com>
+Marsh Macy <marsma@microsoft.com>
 Martin Redmond <redmond.martin@gmail.com> <martin@tinychat.com>
 Martin Redmond <redmond.martin@gmail.com> <xgithub@redmond5.com>
 Mary Anthony <mary.anthony@docker.com> <mary@docker.com>
@ -365,6 +379,8 @@ Shukui Yang <yangshukui@huawei.com>
 Shuwei Hao <haosw@cn.ibm.com>
 Shuwei Hao <haosw@cn.ibm.com> <haoshuwei24@gmail.com>
 Sidhartha Mani <sidharthamn@gmail.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Silvin Lubecki <silvin.lubecki@docker.com> <31478878+silvin-lubecki@users.noreply.github.com>
 Sjoerd Langkemper <sjoerd-github@linuxonly.nl> <sjoerd@byte.nl>
 Solomon Hykes <solomon@docker.com> <s@docker.com>
 Solomon Hykes <solomon@docker.com> <solomon.hykes@dotcloud.com>
@ -379,13 +395,18 @@ Stefan Berger <stefanb@linux.vnet.ibm.com>
 Stefan Berger <stefanb@linux.vnet.ibm.com> <stefanb@us.ibm.com>
 Stefan J. Wernli <swernli@microsoft.com> <swernli@ntdev.microsoft.com>
 Stefan S. <tronicum@user.github.com>
+Stefan Scherer <stefan.scherer@docker.com>
+Stefan Scherer <stefan.scherer@docker.com> <scherer_stefan@icloud.com>
 Stephen Day <stevvooe@gmail.com>
-Stephen Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>
 Stephen Day <stevvooe@gmail.com> <stephen.day@docker.com>
+Stephen Day <stevvooe@gmail.com> <stevvooe@users.noreply.github.com>
 Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
+Steve Richards <steve.richards@docker.com> stevejr <>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>
+Sunny Gogoi <indiasuny000@gmail.com>
+Sunny Gogoi <indiasuny000@gmail.com> <me@darkowlzz.space>
 Sven Dowideit <SvenDowideit@home.org.au>
 Sven Dowideit <SvenDowideit@home.org.au> <sven@t440s.home.gateway>
 Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@docker.com>
@ -404,6 +425,8 @@ Thomas Gazagnaire <thomas@gazagnaire.org> <thomas@gazagnaire.com>
 Thomas Krzero <thomas.kovatchitch@gmail.com>
 Thomas Léveil <thomasleveil@gmail.com>
 Thomas Léveil <thomasleveil@gmail.com> <thomasleveil@users.noreply.github.com>
+Thomas Riccardi <thomas@deepomatic.com>
+Thomas Riccardi <thomas@deepomatic.com> <riccardi@systran.fr>
 Tibor Vass <teabee89@gmail.com> <tibor@docker.com>
 Tibor Vass <teabee89@gmail.com> <tiborvass@users.noreply.github.com>
 Tim Bart <tim@fewagainstmany.com>
@ -414,6 +437,8 @@ Tim Zju <21651152@zju.edu.cn>
 Timothy Hobbs <timothyhobbs@seznam.cz>
 Toli Kuznets <toli@docker.com>
 Tom Barlow <tomwbarlow@gmail.com>
+Tom Milligan <code@tommilligan.net>
+Tom Milligan <code@tommilligan.net> <tommilligan@users.noreply.github.com>
 Tom Sweeney <tsweeney@redhat.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
 Trishna Guha <trishnaguha17@gmail.com>
@ -440,6 +465,7 @@ Vladimir Rutsky <altsysrq@gmail.com> <iamironbob@gmail.com>
 Walter Stanish <walter@pratyeka.org>
 Wang Guoliang <liangcszzu@163.com>
 Wang Jie <wangjie5@chinaskycloud.com>
+Wang Lei <wanglei@tenxcloud.com>
 Wang Ping <present.wp@icloud.com>
 Wang Xing <hzwangxing@corp.netease.com> <root@localhost>
 Wang Yuexiao <wang.yuexiao@zte.com.cn>
@ -467,11 +493,12 @@ Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
 Yu Peng <yu.peng36@zte.com.cn> <yupeng36@zte.com.cn>
+Yue Zhang <zy675793960@yeah.net>
 Zachary Jaffee <zjaffee@us.ibm.com> <zij@case.edu>
 Zachary Jaffee <zjaffee@us.ibm.com> <zjaffee@apache.org>
 ZhangHang <stevezhang2014@gmail.com>
 Zhenkun Bi <bi.zhenkun@zte.com.cn>
 Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhoulin Xie <zhoulin.xie@daocloud.io>
 Zhu Kunjia <zhu.kunjia@zte.com.cn>
 Zou Yu <zouyu7@huawei.com>
-
--- a/76
+++ b/76
@ -8,6 +8,7 @@ Aaron.L.Xu <likexu@harmonycloud.cn>
 Abdur Rehman <abdur_rehman@mentor.com>
 Abhinandan Prativadi <abhi@docker.com>
 Abin Shahab <ashahab@altiscale.com>
+Ace Tang <aceapril@126.com>
 Addam Hardy <addam.hardy@gmail.com>
 Adolfo Ochagavía <aochagavia92@gmail.com>
 Adrien Duermael <adrien@duermael.com>
@ -23,6 +24,7 @@ Albert Callarisa <shark234@gmail.com>
 Aleksa Sarai <asarai@suse.de>
 Alessandro Boch <aboch@tetrationanalytics.com>
 Alex Mavrogiannis <alex.mavrogiannis@docker.com>
+Alex Mayer <amayer5125@gmail.com>
 Alexander Boyd <alex@opengroove.org>
 Alexander Larsson <alexl@redhat.com>
 Alexander Morozov <lk4d4@docker.com>
@ -37,6 +39,7 @@ Amir Goldstein <amir73il@aquasec.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
 Amy Lindburg <amy.lindburg@docker.com>
+Anda Xu <anda.xu@docker.com>
 Andrea Luzzardi <aluzzardi@gmail.com>
 Andreas Köhler <andi5.py@gmx.net>
 Andrew France <andrew@avito.co.uk>
@ -50,10 +53,12 @@ Andy Goldstein <agoldste@redhat.com>
 Andy Rothfusz <github@developersupport.net>
 Anil Madhavapeddy <anil@recoil.org>
 Ankush Agarwal <ankushagarwal11@gmail.com>
+Anne Henmi <anne.henmi@docker.com>
 Anton Polonskiy <anton.polonskiy@gmail.com>
 Antonio Murdaca <antonio.murdaca@gmail.com>
 Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
+Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
@ -63,8 +68,10 @@ Barnaby Gray <barnaby@pickle.me.uk>
 Bastiaan Bakker <bbakker@xebia.com>
 BastianHofmann <bastianhofmann@me.com>
 Ben Bonnefoy <frenchben@docker.com>
+Ben Creasy <ben@bencreasy.com>
 Ben Firshman <ben@firshman.co.uk>
 Benjamin Boudreau <boudreau.benjamin@gmail.com>
+Benoit Sigoure <tsunanet@gmail.com>
 Bhumika Bayani <bhumikabayani@gmail.com>
 Bill Wang <ozbillwang@gmail.com>
 Bin Liu <liubin0329@gmail.com>
@ -73,6 +80,7 @@ Boaz Shuster <ripcurld.github@gmail.com>
 Bogdan Anton <contact@bogdananton.ro>
 Boris Pruessmann <boris@pruessmann.org>
 Bradley Cicenas <bradley.cicenas@gmail.com>
+Brandon Mitchell <git@bmitch.net>
 Brandon Philips <brandon.philips@coreos.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Bret Fisher <bret@bretfisher.com>
@ -89,6 +97,7 @@ Carlos Alexandro Becker <caarlos0@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
+Chad Faragher <wyckster@hotmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Law <claw@conduce.com>
@ -109,8 +118,9 @@ Christian Stefanescu <st.chris@gmail.com>
 Christophe Robin <crobin@nekoo.com>
 Christophe Vidal <kriss@krizalys.com>
 Christopher Biscardi <biscarch@sketcht.com>
+Christopher Crone <christopher.crone@docker.com>
 Christopher Jones <tophj@linux.vnet.ibm.com>
-Christy Perez <christy@linux.vnet.ibm.com>
+Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com>
 Clinton Kitson <clintonskitson@gmail.com>
 Coenraad Loubser <coenraad@wish.org.za>
@ -118,6 +128,8 @@ Colin Hebert <hebert.colin@gmail.com>
 Collin Guarino <collin.guarino@gmail.com>
 Colm Hally <colmhally@gmail.com>
 Corey Farrell <git@cfware.com>
+Corey Quon <corey.quon@docker.com>
+Craig Wilhite <crwilhit@microsoft.com>
 Cristian Staretu <cristian.staretu@gmail.com>
 Daehyeok Mun <daehyeok@gmail.com>
 Dafydd Crosby <dtcrsby@gmail.com>
@ -147,6 +159,7 @@ David Cramer <davcrame@cisco.com>
 David Dooling <dooling@gmail.com>
 David Gageot <david@gageot.net>
 David Lechner <david@lechnology.com>
+David Scott <dave@recoil.org>
 David Sheets <dsheets@docker.com>
 David Williamson <david.williamson@docker.com>
 David Xia <dxia@spotify.com>
@ -173,9 +186,12 @@ Dong Chen <dongluo.chen@docker.com>
 Doug Davis <dug@us.ibm.com>
 Drew Erny <drew.erny@docker.com>
 Ed Costello <epc@epcostello.com>
+Elango Sivanandam <elango.siva@docker.com>
 Eli Uriegas <eli.uriegas@docker.com>
 Eli Uriegas <seemethere101@gmail.com>
 Elias Faxö <elias.faxo@tre.se>
+Elliot Luo <956941328@qq.com>
+Eric Curtin <ericcurtin17@gmail.com>
 Eric G. Noriega <enoriega@vizuri.com>
 Eric Rosenberg <ehaydenr@gmail.com>
 Eric Sage <eric.david.sage@gmail.com>
@ -183,7 +199,9 @@ Eric-Olivier Lamey <eo@lamey.me>
 Erica Windisch <erica@windisch.us>
 Erik Hollensbe <github@hollensbe.org>
 Erik St. Martin <alakriti@gmail.com>
+Essam A. Hassan <es.hassan187@gmail.com>
 Ethan Haynes <ethanhaynes@alumni.harvard.edu>
+Euan Kemp <euank@euank.com>
 Eugene Yakubovich <eugene.yakubovich@coreos.com>
 Evan Allrich <evan@unguku.com>
 Evan Hazlett <ejhazlett@gmail.com>
@ -194,10 +212,13 @@ Fabio Falci <fabiofalci@gmail.com>
 Fabrizio Soppelsa <fsoppelsa@mirantis.com>
 Felix Hupfeld <felix@quobyte.com>
 Felix Rabe <felix@rabe.io>
+Filip Jareš <filipjares@gmail.com>
 Flavio Crisciani <flavio.crisciani@docker.com>
 Florian Klein <florian.klein@free.fr>
 Foysal Iqbal <foysal.iqbal.fb@gmail.com>
+François Scala <francois.scala@swiss-as.com>
 Fred Lifton <fred.lifton@docker.com>
+Frederic Hemberger <mail@frederic-hemberger.de>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
 Frieder Bluemle <frieder.bluemle@gmail.com>
@ -215,6 +236,7 @@ Grant Reaber <grant.reaber@gmail.com>
 Greg Pflaum <gpflaum@users.noreply.github.com>
 Guilhem Lettron <guilhem+github@lettron.fr>
 Guillaume J. Charmes <guillaume.charmes@docker.com>
+Guillaume Le Floch <glfloch@gmail.com>
 gwx296173 <gaojing3@huawei.com>
 Günther Jungbluth <gunther@gameslabs.net>
 Hakan Özler <hakan.ozler@kodcu.com>
@ -239,12 +261,14 @@ Ignacio Capurro <icapurrofagian@gmail.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
 Ilya Sotkov <ilya@sotkov.com>
+Ioan Eugen Stan <eu@ieugen.ro>
 Isabel Jimenez <contact.isabeljimenez@gmail.com>
 Ivan Grcic <igrcic@gmail.com>
 Ivan Markin <sw@nogoegst.net>
 Jacob Atzen <jacob@jacobatzen.dk>
 Jacob Tomlinson <jacob@tom.linson.uk>
 Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Lambert <jake.lambert@volusion.com>
 Jake Sanders <jsand@google.com>
 James Nesbitt <james.nesbitt@wunderkraut.com>
 James Turnbull <james@lovedthanlost.net>
@ -258,8 +282,9 @@ Jasmine Hegman <jasmine@jhegman.com>
 Jason Heiss <jheiss@aput.net>
 Jason Plum <jplum@devonit.com>
 Jay Kamat <github@jgkamat.33mail.com>
+Jean Rouge <rougej+github@gmail.com>
+Jean-Christophe Sirot <jean-christophe.sirot@docker.com>
 Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
-Jean-Pierre Huynh <jp@moogsoft.com>
 Jeff Lindsay <progrium@gmail.com>
 Jeff Nickoloff <jeff.nickoloff@gmail.com>
 Jeff Silberman <jsilberm@gmail.com>
@ -277,6 +302,7 @@ Jim Galasyn <jim.galasyn@docker.com>
 Jimmy Leger <jimmy.leger@gmail.com>
 Jimmy Song <rootsongjc@gmail.com>
 jimmyxian <jimmyxian2004@yahoo.com.cn>
+Jintao Zhang <zhangjintao9020@gmail.com>
 Joao Fernandes <joao.fernandes@docker.com>
 Joe Doliner <jdoliner@pachyderm.io>
 Joe Gordon <joe.gordon0@gmail.com>
@ -314,7 +340,9 @@ Julien Maitrehenry <julien.maitrehenry@me.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
 Justin Cormack <justin.cormack@docker.com>
 Justin Simonelis <justin.p.simonelis@gmail.com>
+Justyn Temme <justyntemme@gmail.com>
 Jyrki Puttonen <jyrkiput@gmail.com>
+Jérémie Drouet <jeremie.drouet@gmail.com>
 Jérôme Petazzoni <jerome.petazzoni@docker.com>
 Jörg Thalheim <joerg@higgsboson.tk>
 Kai Blin <kai@samba.org>
@ -350,6 +378,7 @@ Lai Jiangshan <jiangshanlai@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Lee Gaines <eightlimbed@gmail.com>
 Lei Jitang <leijitang@huawei.com>
 Lennie <github@consolejunkie.net>
 Leo Gallucci <elgalu3@gmail.com>
@ -357,6 +386,8 @@ Lewis Daly <lewisdaly@me.com>
 Li Yi <denverdino@gmail.com>
 Li Yi <weiyuan.yl@alibaba-inc.com>
 Liang-Chi Hsieh <viirya@gmail.com>
+Lifubang <lifubang@acmcoder.com>
+Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
 Lin Lu <doraalin@163.com>
 Linus Heckemann <lheckemann@twig-world.com>
@ -384,18 +415,24 @@ Mansi Nahar <mmn4185@rit.edu>
 mapk0y <mapk0y@gmail.com>
 Marc Bihlmaier <marc.bihlmaier@reddoxx.com>
 Marco Mariani <marco.mariani@alterway.fr>
+Marco Vedovati <mvedovati@suse.com>
 Marcus Martins <marcus@docker.com>
 Marianna Tessel <mtesselh@gmail.com>
 Marius Sturm <marius@graylog.com>
 Mark Oates <fl0yd@me.com>
+Marsh Macy <marsma@microsoft.com>
 Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
 Mary Anthony <mary.anthony@docker.com>
+Mason Fish <mason.fish@docker.com>
 Mason Malone <mason.malone@gmail.com>
 Mateusz Major <apkd@users.noreply.github.com>
+Mathieu Champlon <mathieu.champlon@docker.com>
 Matt Gucci <matt9ucci@gmail.com>
 Matt Robenolt <matt@ydekproductions.com>
+Matteo Orefice <matteo.orefice@bites4bits.software>
 Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
 Maxime Petazzoni <max@signalfuse.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
@ -425,9 +462,11 @@ Mike MacCana <mike.maccana@gmail.com>
 mikelinjie <294893458@qq.com>
 Mikhail Vasin <vasin@cloud-tv.ru>
 Milind Chawre <milindchawre@gmail.com>
+Mindaugas Rukas <momomg@gmail.com>
 Misty Stanley-Jones <misty@docker.com>
 Mohammad Banikazemi <mb@us.ibm.com>
 Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohini Anne Dsouza <mohini3917@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com>
 Morgan Bauer <mbauer@us.ibm.com>
 Moysés Borges <moysesb@gmail.com>
@ -435,9 +474,11 @@ Mrunal Patel <mrunalp@gmail.com>
 muicoder <muicoder@gmail.com>
 Muthukumar R <muthur@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
+Mårten Cassel <marten.cassel@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Nahum Shalman <nshalman@omniti.com>
 Nalin Dahyabhai <nalin@redhat.com>
+Nao YONASHIRO <owan.orisano@gmail.com>
 Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>
 Natalie Parker <nparker@omnifone.com>
 Nate Brennand <nate.brennand@clever.com>
@ -445,18 +486,22 @@ Nathan Hsieh <hsieh.nathan@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com>
 Nathan McCauley <nathan.mccauley@docker.com>
 Neil Peterson <neilpeterson@outlook.com>
+Nick Adcock <nick.adcock@docker.com>
+Nico Stapelbroek <nstapelbroek@gmail.com>
 Nicola Kabar <nicolaka@gmail.com>
 Nicolas Borboën <ponsfrilus@gmail.com>
 Nicolas De Loof <nicolas.deloof@gmail.com>
 Nikhil Chawla <chawlanikhil24@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Milovanov <nmil@itransformers.net>
+Nir Soffer <nsoffer@redhat.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
 ohmystack <jun.jiang02@ele.me>
 Olle Jonsson <olle.jonsson@gmail.com>
+Olli Janatuinen <olli.janatuinen@gmail.com>
 Otto Kekäläinen <otto@seravo.fi>
 Ovidio Mallo <ovidio.mallo@gmail.com>
 Pascal Borreli <pascal@borreli.com>
@ -474,12 +519,14 @@ Per Lundberg <per.lundberg@ecraft.com>
 Peter Edge <peter.edge@gmail.com>
 Peter Hsu <shhsu@microsoft.com>
 Peter Jaffe <pjaffe@nevo.com>
+Peter Kehl <peter.kehl@gmail.com>
 Peter Nagy <xificurC@gmail.com>
 Peter Salvatore <peter@psftw.com>
 Peter Waller <p@pwaller.net>
 Phil Estes <estesp@linux.vnet.ibm.com>
 Philip Alexander Etling <paetling@gmail.com>
 Philipp Gillé <philipp.gille@gmail.com>
+Philipp Schmied <pschmied@schutzwerk.com>
 pidster <pid@pidster.com>
 pixelistik <pixelistik@users.noreply.github.com>
 Pratik Karki <prertik@outlook.com>
@ -511,16 +558,21 @@ Roman Dudin <katrmr@gmail.com>
 Rory Hunter <roryhunter2@gmail.com>
 Ross Boucher <rboucher@gmail.com>
 Rubens Figueiredo <r.figueiredo.52@gmail.com>
+Rui Cao <ruicao@alauda.io>
 Ryan Belgrave <rmb1993@gmail.com>
 Ryan Detzel <ryan.detzel@gmail.com>
 Ryan Stelly <ryan.stelly@live.com>
+Ryan Wilson-Perkin <ryanwilsonperkin@gmail.com>
+Ryan Zhang <ryan.zhang@docker.com>
 Sainath Grandhi <sainath.grandhi@intel.com>
 Sakeven Jiang <jc5930@sina.cn>
 Sally O'Malley <somalley@redhat.com>
 Sam Neirinck <sam@samneirinck.com>
 Sambuddha Basu <sambuddhabasu1@gmail.com>
+Sami Tabet <salph.tabet@gmail.com>
 Samuel Karp <skarp@amazon.com>
 Santhosh Manohar <santhosh@docker.com>
+Scott Brenner <scott@scottbrenner.me>
 Scott Collier <emailscottcollier@gmail.com>
 Sean Christopherson <sean.j.christopherson@intel.com>
 Sean Rodman <srodman7689@gmail.com>
@ -548,27 +600,33 @@ Spencer Brown <spencer@spencerbrown.org>
 squeegels <1674195+squeegels@users.noreply.github.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
 Stefan S. <tronicum@user.github.com>
-Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
+Stephane Jeandeaux <stephane.jeandeaux@gmail.com>
 Stephen Day <stevvooe@gmail.com>
 Stephen Rust <srust@blockbridge.com>
 Steve Durrheimer <s.durrheimer@gmail.com>
+Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
+Sune Keller <absukl@almbrand.dk>
 Sungwon Han <sungwon.han@navercorp.com>
+Sunny Gogoi <indiasuny000@gmail.com>
 Sven Dowideit <SvenDowideit@home.org.au>
 Sylvain Baubeau <sbaubeau@redhat.com>
 Sébastien HOUZÉ <cto@verylastroom.com>
 T K Sourabh <sourabhtk37@gmail.com>
 TAGOMORI Satoshi <tagomoris@gmail.com>
+taiji-tech <csuhqg@foxmail.com>
 Taylor Jones <monitorjbl@gmail.com>
+Tejaswini Duggaraju <naduggar@microsoft.com>
 Thatcher Peskens <thatcher@docker.com>
 Thomas Gazagnaire <thomas@gazagnaire.org>
 Thomas Krzero <thomas.kovatchitch@gmail.com>
 Thomas Leonard <thomas.leonard@docker.com>
 Thomas Léveil <thomasleveil@gmail.com>
-Thomas Riccardi <riccardi@systran.fr>
+Thomas Riccardi <thomas@deepomatic.com>
 Thomas Swift <tgs242@gmail.com>
 Tianon Gravi <admwiggin@gmail.com>
 Tianyi Wang <capkurmagati@gmail.com>
@ -585,6 +643,8 @@ Tobias Gesellchen <tobias@gesellix.de>
 Todd Whiteman <todd.whiteman@joyent.com>
 Tom Denham <tom@tomdee.co.uk>
 Tom Fotherby <tom+github@peopleperhour.com>
+Tom Klingenberg <tklingenberg@lastflood.net>
+Tom Milligan <code@tommilligan.net>
 Tom X. Tobin <tomxtobin@tomxtobin.com>
 Tomas Tomecek <ttomecek@redhat.com>
 Tomasz Kopczynski <tomek@kopczynski.net.pl>
@ -597,12 +657,14 @@ Tristan Carel <tristan@cogniteev.com>
 Tycho Andersen <tycho@docker.com>
 Tycho Andersen <tycho@tycho.ws>
 uhayate <uhayate.gong@daocloud.io>
+Ulysses Souza <ulysses.souza@docker.com>
 Umesh Yadav <umesh4257@gmail.com>
 Valentin Lorentz <progval+git@progval.net>
 Veres Lajos <vlajos@gmail.com>
 Victor Vieux <victor.vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Viktor Stanchev <me@viktorstanchev.com>
+Vimal Raghubir <vraghubir0418@gmail.com>
 Vincent Batts <vbatts@redhat.com>
 Vincent Bernat <Vincent.Bernat@exoscale.ch>
 Vincent Demeester <vincent.demeester@docker.com>
@ -610,6 +672,7 @@ Vincent Woo <me@vincentwoo.com>
 Vishnu Kannan <vishnuk@google.com>
 Vivek Goyal <vgoyal@redhat.com>
 Wang Jie <wangjie5@chinaskycloud.com>
+Wang Lei <wanglei@tenxcloud.com>
 Wang Long <long.wanglong@huawei.com>
 Wang Ping <present.wp@icloud.com>
 Wang Xing <hzwangxing@corp.netease.com>
@ -622,6 +685,8 @@ Wes Morgan <cap10morgan@gmail.com>
 Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
 William Henry <whenry@redhat.com>
 Xianglin Gao <xlgao@zju.edu.cn>
+Xiaodong Zhang <a4012017@sina.com>
+Xiaoxi He <xxhe@alauda.io>
 Xinbo Weng <xihuanbo_0521@zju.edu.cn>
 Xuecong Liao <satorulogic@gmail.com>
 Yan Feng <yanfeng2@huawei.com>
@ -633,7 +698,9 @@ Yong Tang <yong.tang.github@outlook.com>
 Yosef Fertel <yfertel@gmail.com>
 Yu Peng <yu.peng36@zte.com.cn>
 Yuan Sun <sunyuan3@huawei.com>
+Yue Zhang <zy675793960@yeah.net>
 Yunxiang Huang <hyxqshk@vip.qq.com>
+Zachary Romero <zacromero3@gmail.com>
 zebrilee <zebrilee@gmail.com>
 Zhang Kun <zkazure@gmail.com>
 Zhang Wei <zhangwei555@huawei.com>
@ -641,6 +708,7 @@ Zhang Wentao <zhangwentao234@huawei.com>
 ZhangHang <stevezhang2014@gmail.com>
 zhenghenghuo <zhenghenghuo@zju.edu.cn>
 Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhoulin Xie <zhoulin.xie@daocloud.io>
 Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
 Álex González <agonzalezro@gmail.com>
 Álvaro Lázaro <alvaro.lazaro.g@gmail.com>
--- a/55
+++ b/55
@ -1,12 +1,47 @@
-wrappedNode(label: 'linux && x86_64', cleanWorkspace: true) {
-  timeout(time: 60, unit: 'MINUTES') {
-    stage "Git Checkout"
-    checkout scm
+pipeline {
+    agent {
+        label "linux && x86_64"
+    }

-    stage "Run end-to-end test suite"
-    sh "docker version"
-    sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
-        IMAGE_TAG=clie2e${BUILD_NUMBER} \
-        make -f docker.Makefile test-e2e"
-  }
+    options {
+        timeout(time: 60, unit: 'MINUTES')
+    }
+
+    stages {
+        stage("Docker info") {
+            steps {
+                sh "docker version"
+                sh "docker info"
+            }
+        }
+        stage("e2e (non-experimental) - stable engine") {
+            steps {
+                sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
+                    IMAGE_TAG=clie2e${BUILD_NUMBER} \
+                    DOCKER_BUILDKIT=1 make -f docker.Makefile test-e2e-non-experimental"
+            }
+        }
+        stage("e2e (non-experimental) - 18.09 engine") {
+            steps {
+                sh "E2E_ENGINE_VERSION=18.09-dind \
+                  E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
+                  IMAGE_TAG=clie2e${BUILD_NUMBER} \
+                  DOCKER_BUILDKIT=1 make -f docker.Makefile test-e2e-non-experimental"
+            }
+        }
+        stage("e2e (experimental)") {
+            steps {
+                sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
+                    IMAGE_TAG=clie2e${BUILD_NUMBER} \
+                    DOCKER_BUILDKIT=1 make -f docker.Makefile test-e2e-experimental"
+            }
+        }
+        stage("e2e (ssh connhelper)") {
+            steps {
+                sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
+                    IMAGE_TAG=clie2e${BUILD_NUMBER} \
+                    DOCKER_BUILDKIT=1 make -f docker.Makefile test-e2e-connhelper-ssh"
+            }
+        }
+    }
 }
--- a/24
+++ b/24
@ -11,15 +11,19 @@ clean: ## remove build artifacts
 	rm -rf ./build/* cli/winresources/rsrc_* ./man/man[1-9] docs/yaml/gen

 .PHONY: test-unit
-test-unit: ## run unit test
-	./scripts/test/unit $(shell go list ./... | grep -vE '/vendor/|/e2e/|/e2eengine/')
+test-unit: ## run unit tests, to change the output format use: GOTESTSUM_FORMAT=(dots|short|standard-quiet|short-verbose|standard-verbose) make test-unit 
+	gotestsum $(TESTFLAGS) -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/')}

 .PHONY: test
 test: test-unit ## run tests

 .PHONY: test-coverage
 test-coverage: ## run test coverage
-	./scripts/test/unit-with-coverage $(shell go list ./... | grep -vE '/vendor/|/e2e/|/e2eengine/')
+	gotestsum -- -coverprofile=coverage.txt $(shell go list ./... | grep -vE '/vendor/|/e2e/')
+
+.PHONY: fmt
+fmt:
+	go list -f {{.Dir}} ./... | xargs gofmt -w -s -d

 .PHONY: lint
 lint: ## run all the lint tools
@ -30,6 +34,10 @@ binary: ## build executable for Linux
 	@echo "WARNING: binary creates a Linux executable. Use cross for macOS or Windows."
 	./scripts/build/binary

+.PHONY: plugins
+plugins: ## build example CLI plugins
+	./scripts/build/plugins
+
 .PHONY: cross
 cross: ## build executable for macOS and Windows
 	./scripts/build/cross
@ -38,10 +46,18 @@ cross: ## build executable for macOS and Windows
 binary-windows: ## build executable for Windows
 	./scripts/build/windows

+.PHONY: plugins-windows
+plugins-windows: ## build example CLI plugins for Windows
+	./scripts/build/plugins-windows
+
 .PHONY: binary-osx
 binary-osx: ## build executable for macOS
 	./scripts/build/osx

+.PHONY: plugins-osx
+plugins-osx: ## build example CLI plugins for macOS
+	./scripts/build/plugins-osx
+
 .PHONY: dynbinary
 dynbinary: ## build dynamically linked binary
 	./scripts/build/dynbinary
@ -69,7 +85,7 @@ shellcheck: ## run shellcheck validation

 .PHONY: help
 help: ## print this help
-	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {gsub("\\\\n",sprintf("\n%22c",""), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)


 cli/compose/schema/bindata.go: cli/compose/schema/data/*.json
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
-[![build status](https://circleci.com/gh/docker/cli.svg?style=shield)](https://circleci.com/gh/docker/cli/tree/master) [![Build Status](https://jenkins.dockerproject.org/job/docker/job/cli/job/master/badge/icon)](https://jenkins.dockerproject.org/job/docker/job/cli/job/master/)
+[![build status](https://circleci.com/gh/docker/cli.svg?style=shield)](https://circleci.com/gh/docker/cli/tree/master)
+[![Build Status](https://ci.docker.com/public/job/cli/job/master/badge/icon)](https://ci.docker.com/public/job/cli/job/master)

 docker/cli
 ==========
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0-dev
+19.03.0-dev
--- a/appveyor.yml
+++ b/appveyor.yml
@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli

 environment:
  GOPATH: c:\gopath
-  GOVERSION: 1.10.3
+  GOVERSION: 1.13.11
  DEPVERSION: v0.4.1

 install:
@ -20,4 +20,4 @@ build_script:
  - ps: .\scripts\make.ps1 -Binary

 test_script:
-  - ps: .\scripts\make.ps1 -TestUnit
+  - ps: .\scripts\make.ps1 -TestUnit
--- a/circle.yml
+++ b/circle.yml
@ -4,39 +4,64 @@ jobs:

  lint:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
+          name: "Docker version"
          command: docker version
+      - run:
+          name: "Docker info"
+          command: docker info
+      - run:
+          name: "Shellcheck - build image"
+          command: |
+            docker build --progress=plain -f dockerfiles/Dockerfile.shellcheck --tag cli-validator:$CIRCLE_BUILD_NUM .
+      - run:
+          name: "Shellcheck"
+          command: |
+            docker run --rm cli-validator:$CIRCLE_BUILD_NUM \
+                make shellcheck
+      - run:
+          name: "Lint - build image"
+          command: |
+            docker build --progress=plain -f dockerfiles/Dockerfile.lint --tag cli-linter:$CIRCLE_BUILD_NUM .
      - run:
          name: "Lint"
          command: |
-            dockerfile=dockerfiles/Dockerfile.lint
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-linter:$CIRCLE_BUILD_NUM .
            docker run --rm cli-linter:$CIRCLE_BUILD_NUM

  cross:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    parallelism: 3
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
+      - run:
+          name: "Docker version"
+          command: docker version
+      - run:
+          name: "Docker info"
+          command: docker info
+      - run:
+          name: "Cross - build image"
+          command: |
+            docker build --progress=plain -f dockerfiles/Dockerfile.cross --tag cli-builder:$CIRCLE_BUILD_NUM .
      - run:
          name: "Cross"
          command: |
-            dockerfile=dockerfiles/Dockerfile.cross
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
            name=cross-$CIRCLE_BUILD_NUM-$CIRCLE_NODE_INDEX
            docker run \
                -e CROSS_GROUP=$CIRCLE_NODE_INDEX \
@ -50,23 +75,37 @@ jobs:

  test:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
+      - run:
+          name: "Docker version"
+          command: docker version
+      - run:
+          name: "Docker info"
+          command: docker info
+      - run:
+          name: "Unit Test with Coverage - build image"
+          command: |
+            mkdir -p test-results/unit-tests
+            docker build --progress=plain -f dockerfiles/Dockerfile.dev --tag cli-builder:$CIRCLE_BUILD_NUM .
      - run:
          name: "Unit Test with Coverage"
          command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
-            docker run --name \
+            docker run \
+                -e GOTESTSUM_JUNITFILE=/tmp/junit.xml \
+                --name \
                test-$CIRCLE_BUILD_NUM cli-builder:$CIRCLE_BUILD_NUM \
                make test-coverage
-
+            docker cp \
+                test-$CIRCLE_BUILD_NUM:/tmp/junit.xml \
+                ./test-results/unit-tests/junit.xml
      - run:
          name: "Upload to Codecov"
          command: |
@ -76,42 +115,40 @@ jobs:
            apk add -U bash curl
            curl -s https://codecov.io/bash | bash || \
                echo 'Codecov failed to upload'
+      - store_test_results:
+          path:  test-results
+      - store_artifacts:
+          path:  test-results

  validate:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
+      - run:
+          name: "Docker version"
+          command: docker version
+      - run:
+          name: "Docker info"
+          command: docker info
+      - run:
+          name: "Validate - build image"
+          command: |
+            rm -f .dockerignore # include .git
+            docker build --progress=plain -f dockerfiles/Dockerfile.dev --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
      - run:
          name: "Validate Vendor, Docs, and Code Generation"
          command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
-            rm -f .dockerignore # include .git
-            docker build -f $dockerfile --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
            docker run --rm cli-builder-with-git:$CIRCLE_BUILD_NUM \
                make ci-validate
-  shellcheck:
-    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
-    steps:
-      - checkout
-      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
-      - run:
-          name: "Run shellcheck"
-          command: |
-            dockerfile=dockerfiles/Dockerfile.shellcheck
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-validator:$CIRCLE_BUILD_NUM .
-            docker run --rm cli-validator:$CIRCLE_BUILD_NUM \
-                make shellcheck
+          no_output_timeout: 15m
+
 workflows:
  version: 2
  ci:
@ -120,4 +157,3 @@ workflows:
      - cross
      - test
      - validate
-      - shellcheck
--- a/cli-plugins/examples/helloworld/main.go
+++ b/cli-plugins/examples/helloworld/main.go
@ -0,0 +1,106 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/plugin"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+func main() {
+	plugin.Run(func(dockerCli command.Cli) *cobra.Command {
+		goodbye := &cobra.Command{
+			Use:   "goodbye",
+			Short: "Say Goodbye instead of Hello",
+			Run: func(cmd *cobra.Command, _ []string) {
+				fmt.Fprintln(dockerCli.Out(), "Goodbye World!")
+			},
+		}
+		apiversion := &cobra.Command{
+			Use:   "apiversion",
+			Short: "Print the API version of the server",
+			RunE: func(_ *cobra.Command, _ []string) error {
+				cli := dockerCli.Client()
+				ping, err := cli.Ping(context.Background())
+				if err != nil {
+					return err
+				}
+				fmt.Println(ping.APIVersion)
+				return nil
+			},
+		}
+
+		exitStatus2 := &cobra.Command{
+			Use:   "exitstatus2",
+			Short: "Exit with status 2",
+			RunE: func(_ *cobra.Command, _ []string) error {
+				fmt.Fprintln(dockerCli.Err(), "Exiting with error status 2")
+				os.Exit(2)
+				return nil
+			},
+		}
+
+		var (
+			who, context  string
+			preRun, debug bool
+		)
+		cmd := &cobra.Command{
+			Use:   "helloworld",
+			Short: "A basic Hello World plugin for tests",
+			PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+				if err := plugin.PersistentPreRunE(cmd, args); err != nil {
+					return err
+				}
+				if preRun {
+					fmt.Fprintf(dockerCli.Err(), "Plugin PersistentPreRunE called")
+				}
+				return nil
+			},
+			RunE: func(cmd *cobra.Command, args []string) error {
+				if debug {
+					fmt.Fprintf(dockerCli.Err(), "Plugin debug mode enabled")
+				}
+
+				switch context {
+				case "Christmas":
+					fmt.Fprintf(dockerCli.Out(), "Merry Christmas!\n")
+					return nil
+				case "":
+					// nothing
+				}
+
+				if who == "" {
+					who, _ = dockerCli.ConfigFile().PluginConfig("helloworld", "who")
+				}
+				if who == "" {
+					who = "World"
+				}
+
+				fmt.Fprintf(dockerCli.Out(), "Hello %s!\n", who)
+				dockerCli.ConfigFile().SetPluginConfig("helloworld", "lastwho", who)
+				return dockerCli.ConfigFile().Save()
+			},
+		}
+
+		flags := cmd.Flags()
+		flags.StringVar(&who, "who", "", "Who are we addressing?")
+		flags.BoolVar(&preRun, "pre-run", false, "Log from prerun hook")
+		// These are intended to deliberately clash with the CLIs own top
+		// level arguments.
+		flags.BoolVarP(&debug, "debug", "D", false, "Enable debug")
+		flags.StringVarP(&context, "context", "c", "", "Is it Christmas?")
+
+		cmd.AddCommand(goodbye, apiversion, exitStatus2)
+		return cmd
+	},
+		manager.Metadata{
+			SchemaVersion: "0.1.0",
+			Vendor:        "Docker Inc.",
+			Version:       "testing",
+			Experimental:  os.Getenv("HELLO_EXPERIMENTAL") != "",
+		})
+}
--- a/cli-plugins/manager/candidate.go
+++ b/cli-plugins/manager/candidate.go
@ -0,0 +1,23 @@
+package manager
+
+import (
+	"os/exec"
+)
+
+// Candidate represents a possible plugin candidate, for mocking purposes
+type Candidate interface {
+	Path() string
+	Metadata() ([]byte, error)
+}
+
+type candidate struct {
+	path string
+}
+
+func (c *candidate) Path() string {
+	return c.path
+}
+
+func (c *candidate) Metadata() ([]byte, error) {
+	return exec.Command(c.path, MetadataSubcommandName).Output()
+}
--- a/cli-plugins/manager/candidate_test.go
+++ b/cli-plugins/manager/candidate_test.go
@ -0,0 +1,101 @@
+package manager
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/assert/cmp"
+)
+
+type fakeCandidate struct {
+	path              string
+	exec              bool
+	meta              string
+	allowExperimental bool
+}
+
+func (c *fakeCandidate) Path() string {
+	return c.path
+}
+
+func (c *fakeCandidate) Metadata() ([]byte, error) {
+	if !c.exec {
+		return nil, fmt.Errorf("faked a failure to exec %q", c.path)
+	}
+	return []byte(c.meta), nil
+}
+
+func TestValidateCandidate(t *testing.T) {
+	var (
+		goodPluginName = NamePrefix + "goodplugin"
+
+		builtinName  = NamePrefix + "builtin"
+		builtinAlias = NamePrefix + "alias"
+
+		badPrefixPath    = "/usr/local/libexec/cli-plugins/wobble"
+		badNamePath      = "/usr/local/libexec/cli-plugins/docker-123456"
+		goodPluginPath   = "/usr/local/libexec/cli-plugins/" + goodPluginName
+		metaExperimental = `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing", "Experimental": true}`
+	)
+
+	fakeroot := &cobra.Command{Use: "docker"}
+	fakeroot.AddCommand(&cobra.Command{
+		Use: strings.TrimPrefix(builtinName, NamePrefix),
+		Aliases: []string{
+			strings.TrimPrefix(builtinAlias, NamePrefix),
+		},
+	})
+
+	for _, tc := range []struct {
+		name string
+		c    *fakeCandidate
+
+		// Either err or invalid may be non-empty, but not both (both can be empty for a good plugin).
+		err     string
+		invalid string
+	}{
+		/* Each failing one of the tests */
+		{name: "empty path", c: &fakeCandidate{path: ""}, err: "plugin candidate path cannot be empty"},
+		{name: "bad prefix", c: &fakeCandidate{path: badPrefixPath}, err: fmt.Sprintf("does not have %q prefix", NamePrefix)},
+		{name: "bad path", c: &fakeCandidate{path: badNamePath}, invalid: "did not match"},
+		{name: "builtin command", c: &fakeCandidate{path: builtinName}, invalid: `plugin "builtin" duplicates builtin command`},
+		{name: "builtin alias", c: &fakeCandidate{path: builtinAlias}, invalid: `plugin "alias" duplicates an alias of builtin command "builtin"`},
+		{name: "fetch failure", c: &fakeCandidate{path: goodPluginPath, exec: false}, invalid: fmt.Sprintf("failed to fetch metadata: faked a failure to exec %q", goodPluginPath)},
+		{name: "metadata not json", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `xyzzy`}, invalid: "invalid character"},
+		{name: "empty schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{}`}, invalid: `plugin SchemaVersion "" is not valid`},
+		{name: "invalid schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "xyzzy"}`}, invalid: `plugin SchemaVersion "xyzzy" is not valid`},
+		{name: "no vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0"}`}, invalid: "plugin metadata does not define a vendor"},
+		{name: "empty vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": ""}`}, invalid: "plugin metadata does not define a vendor"},
+		{name: "experimental required", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental}, invalid: "requires experimental CLI"},
+		// This one should work
+		{name: "valid", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`}},
+		{name: "valid + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`, allowExperimental: true}},
+		{name: "experimental + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental, allowExperimental: true}},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			p, err := newPlugin(tc.c, fakeroot, tc.c.allowExperimental)
+			if tc.err != "" {
+				assert.ErrorContains(t, err, tc.err)
+			} else if tc.invalid != "" {
+				assert.NilError(t, err)
+				assert.Assert(t, cmp.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
+				assert.ErrorContains(t, p.Err, tc.invalid)
+			} else {
+				assert.NilError(t, err)
+				assert.Equal(t, NamePrefix+p.Name, goodPluginName)
+				assert.Equal(t, p.SchemaVersion, "0.1.0")
+				assert.Equal(t, p.Vendor, "e2e-testing")
+			}
+		})
+	}
+}
+
+func TestCandidatePath(t *testing.T) {
+	exp := "/some/path"
+	cand := &candidate{path: exp}
+	assert.Equal(t, exp, cand.Path())
+}
--- a/cli-plugins/manager/cobra.go
+++ b/cli-plugins/manager/cobra.go
@ -0,0 +1,60 @@
+package manager
+
+import (
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = "com.docker.cli.plugin"
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+)
+
+// AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
+// plugin. The command stubs will have several annotations added, see
+// `CommandAnnotationPlugin*`.
+func AddPluginCommandStubs(dockerCli command.Cli, cmd *cobra.Command) error {
+	plugins, err := ListPlugins(dockerCli, cmd)
+	if err != nil {
+		return err
+	}
+	for _, p := range plugins {
+		vendor := p.Vendor
+		if vendor == "" {
+			vendor = "unknown"
+		}
+		annotations := map[string]string{
+			CommandAnnotationPlugin:        "true",
+			CommandAnnotationPluginVendor:  vendor,
+			CommandAnnotationPluginVersion: p.Version,
+		}
+		if p.Err != nil {
+			annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+		}
+		cmd.AddCommand(&cobra.Command{
+			Use:         p.Name,
+			Short:       p.ShortDescription,
+			Run:         func(_ *cobra.Command, _ []string) {},
+			Annotations: annotations,
+		})
+	}
+	return nil
+}
--- a/cli-plugins/manager/error.go
+++ b/cli-plugins/manager/error.go
@ -0,0 +1,48 @@
+package manager
+
+import (
+	"github.com/pkg/errors"
+)
+
+// pluginError is set as Plugin.Err by NewPlugin if the plugin
+// candidate fails one of the candidate tests. This exists primarily
+// to implement encoding.TextMarshaller such that rendering a plugin as JSON
+// (e.g. for `docker info -f '{{json .CLIPlugins}}'`) renders the Err
+// field as a useful string and not just `{}`. See
+// https://github.com/golang/go/issues/10748 for some discussion
+// around why the builtin error type doesn't implement this.
+type pluginError struct {
+	cause error
+}
+
+// Error satisfies the core error interface for pluginError.
+func (e *pluginError) Error() string {
+	return e.cause.Error()
+}
+
+// Cause satisfies the errors.causer interface for pluginError.
+func (e *pluginError) Cause() error {
+	return e.cause
+}
+
+// Unwrap provides compatibility for Go 1.13 error chains.
+func (e *pluginError) Unwrap() error {
+	return e.cause
+}
+
+// MarshalText marshalls the pluginError into a textual form.
+func (e *pluginError) MarshalText() (text []byte, err error) {
+	return []byte(e.cause.Error()), nil
+}
+
+// wrapAsPluginError wraps an error in a pluginError with an
+// additional message, analogous to errors.Wrapf.
+func wrapAsPluginError(err error, msg string) error {
+	return &pluginError{cause: errors.Wrap(err, msg)}
+}
+
+// NewPluginError creates a new pluginError, analogous to
+// errors.Errorf.
+func NewPluginError(msg string, args ...interface{}) error {
+	return &pluginError{cause: errors.Errorf(msg, args...)}
+}
--- a/cli-plugins/manager/error_test.go
+++ b/cli-plugins/manager/error_test.go
@ -0,0 +1,24 @@
+package manager
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
+	"gotest.tools/v3/assert"
+)
+
+func TestPluginError(t *testing.T) {
+	err := NewPluginError("new error")
+	assert.Error(t, err, "new error")
+
+	inner := fmt.Errorf("testing")
+	err = wrapAsPluginError(inner, "wrapping")
+	assert.Error(t, err, "wrapping: testing")
+	assert.Assert(t, errors.Is(err, inner))
+
+	actual, err := yaml.Marshal(err)
+	assert.NilError(t, err)
+	assert.Equal(t, "'wrapping: testing'\n", string(actual))
+}
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -0,0 +1,209 @@
+package manager
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	"github.com/spf13/cobra"
+)
+
+// ReexecEnvvar is the name of an ennvar which is set to the command
+// used to originally invoke the docker CLI when executing a
+// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+// the plugin to re-execute the original CLI.
+const ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+
+// errPluginNotFound is the error returned when a plugin could not be found.
+type errPluginNotFound string
+
+func (e errPluginNotFound) NotFound() {}
+
+func (e errPluginNotFound) Error() string {
+	return "Error: No such CLI plugin: " + string(e)
+}
+
+type errPluginRequireExperimental string
+
+// Note: errPluginRequireExperimental implements notFound so that the plugin
+// is skipped when listing the plugins.
+func (e errPluginRequireExperimental) NotFound() {}
+
+func (e errPluginRequireExperimental) Error() string {
+	return fmt.Sprintf("plugin candidate %q: requires experimental CLI", string(e))
+}
+
+type notFound interface{ NotFound() }
+
+// IsNotFound is true if the given error is due to a plugin not being found.
+func IsNotFound(err error) bool {
+	if e, ok := err.(*pluginError); ok {
+		err = e.Cause()
+	}
+	_, ok := err.(notFound)
+	return ok
+}
+
+func getPluginDirs(dockerCli command.Cli) ([]string, error) {
+	var pluginDirs []string
+
+	if cfg := dockerCli.ConfigFile(); cfg != nil {
+		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
+	}
+	pluginDir, err := config.Path("cli-plugins")
+	if err != nil {
+		return nil, err
+	}
+
+	pluginDirs = append(pluginDirs, pluginDir)
+	pluginDirs = append(pluginDirs, defaultSystemPluginDirs...)
+	return pluginDirs, nil
+}
+
+func addPluginCandidatesFromDir(res map[string][]string, d string) error {
+	dentries, err := ioutil.ReadDir(d)
+	if err != nil {
+		return err
+	}
+	for _, dentry := range dentries {
+		switch dentry.Mode() & os.ModeType {
+		case 0, os.ModeSymlink:
+			// Regular file or symlink, keep going
+		default:
+			// Something else, ignore.
+			continue
+		}
+		name := dentry.Name()
+		if !strings.HasPrefix(name, NamePrefix) {
+			continue
+		}
+		name = strings.TrimPrefix(name, NamePrefix)
+		var err error
+		if name, err = trimExeSuffix(name); err != nil {
+			continue
+		}
+		res[name] = append(res[name], filepath.Join(d, dentry.Name()))
+	}
+	return nil
+}
+
+// listPluginCandidates returns a map from plugin name to the list of (unvalidated) Candidates. The list is in descending order of priority.
+func listPluginCandidates(dirs []string) (map[string][]string, error) {
+	result := make(map[string][]string)
+	for _, d := range dirs {
+		// Silently ignore any directories which we cannot
+		// Stat (e.g. due to permissions or anything else) or
+		// which is not a directory.
+		if fi, err := os.Stat(d); err != nil || !fi.IsDir() {
+			continue
+		}
+		if err := addPluginCandidatesFromDir(result, d); err != nil {
+			// Silently ignore paths which don't exist.
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, err // Or return partial result?
+		}
+	}
+	return result, nil
+}
+
+// ListPlugins produces a list of the plugins available on the system
+func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
+	pluginDirs, err := getPluginDirs(dockerCli)
+	if err != nil {
+		return nil, err
+	}
+
+	candidates, err := listPluginCandidates(pluginDirs)
+	if err != nil {
+		return nil, err
+	}
+
+	var plugins []Plugin
+	for _, paths := range candidates {
+		if len(paths) == 0 {
+			continue
+		}
+		c := &candidate{paths[0]}
+		p, err := newPlugin(c, rootcmd, dockerCli.ClientInfo().HasExperimental)
+		if err != nil {
+			return nil, err
+		}
+		if !IsNotFound(p.Err) {
+			p.ShadowedPaths = paths[1:]
+			plugins = append(plugins, p)
+		}
+	}
+
+	return plugins, nil
+}
+
+// PluginRunCommand returns an "os/exec".Cmd which when .Run() will execute the named plugin.
+// The rootcmd argument is referenced to determine the set of builtin commands in order to detect conficts.
+// The error returned satisfies the IsNotFound() predicate if no plugin was found or if the first candidate plugin was invalid somehow.
+func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
+	// This uses the full original args, not the args which may
+	// have been provided by cobra to our caller. This is because
+	// they lack e.g. global options which we must propagate here.
+	args := os.Args[1:]
+	if !pluginNameRe.MatchString(name) {
+		// We treat this as "not found" so that callers will
+		// fallback to their "invalid" command path.
+		return nil, errPluginNotFound(name)
+	}
+	exename := addExeSuffix(NamePrefix + name)
+	pluginDirs, err := getPluginDirs(dockerCli)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range pluginDirs {
+		path := filepath.Join(d, exename)
+
+		// We stat here rather than letting the exec tell us
+		// ENOENT because the latter does not distinguish a
+		// file not existing from its dynamic loader or one of
+		// its libraries not existing.
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			continue
+		}
+
+		c := &candidate{path: path}
+		plugin, err := newPlugin(c, rootcmd, dockerCli.ClientInfo().HasExperimental)
+		if err != nil {
+			return nil, err
+		}
+		if plugin.Err != nil {
+			// TODO: why are we not returning plugin.Err?
+
+			err := plugin.Err.(*pluginError).Cause()
+			// if an experimental plugin was invoked directly while experimental mode is off
+			// provide a more useful error message than "not found".
+			if err, ok := err.(errPluginRequireExperimental); ok {
+				return nil, err
+			}
+			return nil, errPluginNotFound(name)
+		}
+		cmd := exec.Command(plugin.Path, args...)
+		// Using dockerCli.{In,Out,Err}() here results in a hang until something is input.
+		// See: - https://github.com/golang/go/issues/10338
+		//      - https://github.com/golang/go/commit/d000e8742a173aa0659584aa01b7ba2834ba28ab
+		// os.Stdin is a *os.File which avoids this behaviour. We don't need the functionality
+		// of the wrappers here anyway.
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+
+		cmd.Env = os.Environ()
+		cmd.Env = append(cmd.Env, ReexecEnvvar+"="+os.Args[0])
+
+		return cmd, nil
+	}
+	return nil, errPluginNotFound(name)
+}
--- a/cli-plugins/manager/manager_test.go
+++ b/cli-plugins/manager/manager_test.go
@ -0,0 +1,114 @@
+package manager
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/fs"
+)
+
+func TestListPluginCandidates(t *testing.T) {
+	// Populate a selection of directories with various shadowed and bogus/obscure plugin candidates.
+	// For the purposes of this test no contents is required and permissions are irrelevant.
+	dir := fs.NewDir(t, t.Name(),
+		fs.WithDir(
+			"plugins1",
+			fs.WithFile("docker-plugin1", ""),                        // This appears in each directory
+			fs.WithFile("not-a-plugin", ""),                          // Should be ignored
+			fs.WithFile("docker-symlinked1", ""),                     // This and ...
+			fs.WithSymlink("docker-symlinked2", "docker-symlinked1"), // ... this should both appear
+			fs.WithDir("ignored1"),                                   // A directory should be ignored
+		),
+		fs.WithDir(
+			"plugins2",
+			fs.WithFile("docker-plugin1", ""),
+			fs.WithFile("also-not-a-plugin", ""),
+			fs.WithFile("docker-hardlink1", ""),                     // This and ...
+			fs.WithHardlink("docker-hardlink2", "docker-hardlink1"), // ... this should both appear
+			fs.WithDir("ignored2"),
+		),
+		fs.WithDir(
+			"plugins3-target", // Will be referenced as a symlink from below
+			fs.WithFile("docker-plugin1", ""),
+			fs.WithDir("ignored3"),
+			fs.WithSymlink("docker-brokensymlink", "broken"),           // A broken symlink is still a candidate (but would fail tests later)
+			fs.WithFile("non-plugin-symlinked", ""),                    // This shouldn't appear, but ...
+			fs.WithSymlink("docker-symlinked", "non-plugin-symlinked"), // ... this link to it should.
+		),
+		fs.WithSymlink("plugins3", "plugins3-target"),
+		fs.WithFile("/plugins4", ""),
+		fs.WithSymlink("plugins5", "plugins5-nonexistent-target"),
+	)
+	defer dir.Remove()
+
+	var dirs []string
+	for _, d := range []string{"plugins1", "nonexistent", "plugins2", "plugins3", "plugins4", "plugins5"} {
+		dirs = append(dirs, dir.Join(d))
+	}
+
+	candidates, err := listPluginCandidates(dirs)
+	assert.NilError(t, err)
+	exp := map[string][]string{
+		"plugin1": {
+			dir.Join("plugins1", "docker-plugin1"),
+			dir.Join("plugins2", "docker-plugin1"),
+			dir.Join("plugins3", "docker-plugin1"),
+		},
+		"symlinked1": {
+			dir.Join("plugins1", "docker-symlinked1"),
+		},
+		"symlinked2": {
+			dir.Join("plugins1", "docker-symlinked2"),
+		},
+		"hardlink1": {
+			dir.Join("plugins2", "docker-hardlink1"),
+		},
+		"hardlink2": {
+			dir.Join("plugins2", "docker-hardlink2"),
+		},
+		"brokensymlink": {
+			dir.Join("plugins3", "docker-brokensymlink"),
+		},
+		"symlinked": {
+			dir.Join("plugins3", "docker-symlinked"),
+		},
+	}
+
+	assert.DeepEqual(t, candidates, exp)
+}
+
+func TestErrPluginNotFound(t *testing.T) {
+	var err error = errPluginNotFound("test")
+	err.(errPluginNotFound).NotFound()
+	assert.Error(t, err, "Error: No such CLI plugin: test")
+	assert.Assert(t, IsNotFound(err))
+	assert.Assert(t, !IsNotFound(nil))
+}
+
+func TestGetPluginDirs(t *testing.T) {
+	cli := test.NewFakeCli(nil)
+
+	pluginDir, err := config.Path("cli-plugins")
+	assert.NilError(t, err)
+	expected := append([]string{pluginDir}, defaultSystemPluginDirs...)
+
+	var pluginDirs []string
+	pluginDirs, err = getPluginDirs(cli)
+	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
+	assert.NilError(t, err)
+
+	extras := []string{
+		"foo", "bar", "baz",
+	}
+	expected = append(extras, expected...)
+	cli.SetConfigFile(&configfile.ConfigFile{
+		CLIPluginsExtraDirs: extras,
+	})
+	pluginDirs, err = getPluginDirs(cli)
+	assert.DeepEqual(t, expected, pluginDirs)
+	assert.NilError(t, err)
+}
--- a/cli-plugins/manager/manager_unix.go
+++ b/cli-plugins/manager/manager_unix.go
@ -0,0 +1,8 @@
+// +build !windows
+
+package manager
+
+var defaultSystemPluginDirs = []string{
+	"/usr/local/lib/docker/cli-plugins", "/usr/local/libexec/docker/cli-plugins",
+	"/usr/lib/docker/cli-plugins", "/usr/libexec/docker/cli-plugins",
+}
--- a/cli-plugins/manager/manager_windows.go
+++ b/cli-plugins/manager/manager_windows.go
@ -0,0 +1,11 @@
+package manager
+
+import (
+	"os"
+	"path/filepath"
+)
+
+var defaultSystemPluginDirs = []string{
+	filepath.Join(os.Getenv("ProgramData"), "Docker", "cli-plugins"),
+	filepath.Join(os.Getenv("ProgramFiles"), "Docker", "cli-plugins"),
+}
--- a/cli-plugins/manager/metadata.go
+++ b/cli-plugins/manager/metadata.go
@ -0,0 +1,28 @@
+package manager
+
+const (
+	// NamePrefix is the prefix required on all plugin binary names
+	NamePrefix = "docker-"
+
+	// MetadataSubcommandName is the name of the plugin subcommand
+	// which must be supported by every plugin and returns the
+	// plugin metadata.
+	MetadataSubcommandName = "docker-cli-plugin-metadata"
+)
+
+// Metadata provided by the plugin. See docs/extend/cli_plugins.md for canonical information.
+type Metadata struct {
+	// SchemaVersion describes the version of this struct. Mandatory, must be "0.1.0"
+	SchemaVersion string `json:",omitempty"`
+	// Vendor is the name of the plugin vendor. Mandatory
+	Vendor string `json:",omitempty"`
+	// Version is the optional version of this plugin.
+	Version string `json:",omitempty"`
+	// ShortDescription should be suitable for a single line help message.
+	ShortDescription string `json:",omitempty"`
+	// URL is a pointer to the plugin's homepage.
+	URL string `json:",omitempty"`
+	// Experimental specifies whether the plugin is experimental.
+	// Experimental plugins are not displayed on non-experimental CLIs.
+	Experimental bool `json:",omitempty"`
+}
--- a/cli-plugins/manager/plugin.go
+++ b/cli-plugins/manager/plugin.go
@ -0,0 +1,112 @@
+package manager
+
+import (
+	"encoding/json"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+var (
+	pluginNameRe = regexp.MustCompile("^[a-z][a-z0-9]*$")
+)
+
+// Plugin represents a potential plugin with all it's metadata.
+type Plugin struct {
+	Metadata
+
+	Name string `json:",omitempty"`
+	Path string `json:",omitempty"`
+
+	// Err is non-nil if the plugin failed one of the candidate tests.
+	Err error `json:",omitempty"`
+
+	// ShadowedPaths contains the paths of any other plugins which this plugin takes precedence over.
+	ShadowedPaths []string `json:",omitempty"`
+}
+
+// newPlugin determines if the given candidate is valid and returns a
+// Plugin.  If the candidate fails one of the tests then `Plugin.Err`
+// is set, and is always a `pluginError`, but the `Plugin` is still
+// returned with no error. An error is only returned due to a
+// non-recoverable error.
+//
+// nolint: gocyclo
+func newPlugin(c Candidate, rootcmd *cobra.Command, allowExperimental bool) (Plugin, error) {
+	path := c.Path()
+	if path == "" {
+		return Plugin{}, errors.New("plugin candidate path cannot be empty")
+	}
+
+	// The candidate listing process should have skipped anything
+	// which would fail here, so there are all real errors.
+	fullname := filepath.Base(path)
+	if fullname == "." {
+		return Plugin{}, errors.Errorf("unable to determine basename of plugin candidate %q", path)
+	}
+	var err error
+	if fullname, err = trimExeSuffix(fullname); err != nil {
+		return Plugin{}, errors.Wrapf(err, "plugin candidate %q", path)
+	}
+	if !strings.HasPrefix(fullname, NamePrefix) {
+		return Plugin{}, errors.Errorf("plugin candidate %q: does not have %q prefix", path, NamePrefix)
+	}
+
+	p := Plugin{
+		Name: strings.TrimPrefix(fullname, NamePrefix),
+		Path: path,
+	}
+
+	// Now apply the candidate tests, so these update p.Err.
+	if !pluginNameRe.MatchString(p.Name) {
+		p.Err = NewPluginError("plugin candidate %q did not match %q", p.Name, pluginNameRe.String())
+		return p, nil
+	}
+
+	if rootcmd != nil {
+		for _, cmd := range rootcmd.Commands() {
+			// Ignore conflicts with commands which are
+			// just plugin stubs (i.e. from a previous
+			// call to AddPluginCommandStubs).
+			if p := cmd.Annotations[CommandAnnotationPlugin]; p == "true" {
+				continue
+			}
+			if cmd.Name() == p.Name {
+				p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
+				return p, nil
+			}
+			if cmd.HasAlias(p.Name) {
+				p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
+				return p, nil
+			}
+		}
+	}
+
+	// We are supposed to check for relevant execute permissions here. Instead we rely on an attempt to execute.
+	meta, err := c.Metadata()
+	if err != nil {
+		p.Err = wrapAsPluginError(err, "failed to fetch metadata")
+		return p, nil
+	}
+
+	if err := json.Unmarshal(meta, &p.Metadata); err != nil {
+		p.Err = wrapAsPluginError(err, "invalid metadata")
+		return p, nil
+	}
+	if p.Experimental && !allowExperimental {
+		p.Err = &pluginError{errPluginRequireExperimental(p.Name)}
+		return p, nil
+	}
+	if p.Metadata.SchemaVersion != "0.1.0" {
+		p.Err = NewPluginError("plugin SchemaVersion %q is not valid, must be 0.1.0", p.Metadata.SchemaVersion)
+		return p, nil
+	}
+	if p.Metadata.Vendor == "" {
+		p.Err = NewPluginError("plugin metadata does not define a vendor")
+		return p, nil
+	}
+	return p, nil
+}
--- a/cli-plugins/manager/suffix_unix.go
+++ b/cli-plugins/manager/suffix_unix.go
@ -0,0 +1,10 @@
+// +build !windows
+
+package manager
+
+func trimExeSuffix(s string) (string, error) {
+	return s, nil
+}
+func addExeSuffix(s string) string {
+	return s
+}
--- a/cli-plugins/manager/suffix_windows.go
+++ b/cli-plugins/manager/suffix_windows.go
@ -0,0 +1,26 @@
+package manager
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// This is made slightly more complex due to needing to be case insensitive.
+func trimExeSuffix(s string) (string, error) {
+	ext := filepath.Ext(s)
+	if ext == "" {
+		return "", errors.Errorf("path %q lacks required file extension", s)
+	}
+
+	exe := ".exe"
+	if !strings.EqualFold(ext, exe) {
+		return "", errors.Errorf("path %q lacks required %q suffix", s, exe)
+	}
+	return strings.TrimSuffix(s, ext), nil
+}
+
+func addExeSuffix(s string) string {
+	return s + ".exe"
+}
--- a/cli-plugins/plugin/plugin.go
+++ b/cli-plugins/plugin/plugin.go
@ -0,0 +1,161 @@
+package plugin
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"sync"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/client"
+	"github.com/spf13/cobra"
+)
+
+// PersistentPreRunE must be called by any plugin command (or
+// subcommand) which uses the cobra `PersistentPreRun*` hook. Plugins
+// which do not make use of `PersistentPreRun*` do not need to call
+// this (although it remains safe to do so). Plugins are recommended
+// to use `PersistenPreRunE` to enable the error to be
+// returned. Should not be called outside of a command's
+// PersistentPreRunE hook and must not be run unless Run has been
+// called.
+var PersistentPreRunE func(*cobra.Command, []string) error
+
+func runPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) error {
+	tcmd := newPluginCommand(dockerCli, plugin, meta)
+
+	var persistentPreRunOnce sync.Once
+	PersistentPreRunE = func(_ *cobra.Command, _ []string) error {
+		var err error
+		persistentPreRunOnce.Do(func() {
+			var opts []command.InitializeOpt
+			if os.Getenv("DOCKER_CLI_PLUGIN_USE_DIAL_STDIO") != "" {
+				opts = append(opts, withPluginClientConn(plugin.Name()))
+			}
+			err = tcmd.Initialize(opts...)
+		})
+		return err
+	}
+
+	cmd, args, err := tcmd.HandleGlobalFlags()
+	if err != nil {
+		return err
+	}
+	// We've parsed global args already, so reset args to those
+	// which remain.
+	cmd.SetArgs(args)
+	return cmd.Execute()
+}
+
+// Run is the top-level entry point to the CLI plugin framework. It should be called from your plugin's `main()` function.
+func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
+	dockerCli, err := command.NewDockerCli()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+
+	plugin := makeCmd(dockerCli)
+
+	if err := runPlugin(dockerCli, plugin, meta); err != nil {
+		if sterr, ok := err.(cli.StatusError); ok {
+			if sterr.Status != "" {
+				fmt.Fprintln(dockerCli.Err(), sterr.Status)
+			}
+			// StatusError should only be used for errors, and all errors should
+			// have a non-zero exit status, so never exit with 0
+			if sterr.StatusCode == 0 {
+				os.Exit(1)
+			}
+			os.Exit(sterr.StatusCode)
+		}
+		fmt.Fprintln(dockerCli.Err(), err)
+		os.Exit(1)
+	}
+}
+
+func withPluginClientConn(name string) command.InitializeOpt {
+	return command.WithInitializeClient(func(dockerCli *command.DockerCli) (client.APIClient, error) {
+		cmd := "docker"
+		if x := os.Getenv(manager.ReexecEnvvar); x != "" {
+			cmd = x
+		}
+		var flags []string
+
+		// Accumulate all the global arguments, that is those
+		// up to (but not including) the plugin's name. This
+		// ensures that `docker system dial-stdio` is
+		// evaluating the same set of `--config`, `--tls*` etc
+		// global options as the plugin was called with, which
+		// in turn is the same as what the original docker
+		// invocation was passed.
+		for _, a := range os.Args[1:] {
+			if a == name {
+				break
+			}
+			flags = append(flags, a)
+		}
+		flags = append(flags, "system", "dial-stdio")
+
+		helper, err := connhelper.GetCommandConnectionHelper(cmd, flags...)
+		if err != nil {
+			return nil, err
+		}
+
+		return client.NewClientWithOpts(client.WithDialContext(helper.Dialer))
+	})
+}
+
+func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) *cli.TopLevelCommand {
+	name := plugin.Name()
+	fullname := manager.NamePrefix + name
+
+	cmd := &cobra.Command{
+		Use:           fmt.Sprintf("docker [OPTIONS] %s [ARG...]", name),
+		Short:         fullname + " is a Docker CLI plugin",
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			// We can't use this as the hook directly since it is initialised later (in runPlugin)
+			return PersistentPreRunE(cmd, args)
+		},
+		TraverseChildren:      true,
+		DisableFlagsInUseLine: true,
+	}
+	opts, flags := cli.SetupPluginRootCommand(cmd)
+
+	cmd.SetOutput(dockerCli.Out())
+
+	cmd.AddCommand(
+		plugin,
+		newMetadataSubcommand(plugin, meta),
+	)
+
+	cli.DisableFlagsInUseLine(cmd)
+
+	return cli.NewTopLevelCommand(cmd, dockerCli, opts, flags)
+}
+
+func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.Command {
+	if meta.ShortDescription == "" {
+		meta.ShortDescription = plugin.Short
+	}
+	cmd := &cobra.Command{
+		Use:    manager.MetadataSubcommandName,
+		Hidden: true,
+		// Suppress the global/parent PersistentPreRunE, which
+		// needlessly initializes the client and tries to
+		// connect to the daemon.
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			enc := json.NewEncoder(os.Stdout)
+			enc.SetEscapeHTML(false)
+			enc.SetIndent("", "     ")
+			return enc.Encode(meta)
+		},
+	}
+	return cmd
+}
--- a/cli/cobra.go
+++ b/cli/cobra.go
@ -2,31 +2,67 @@ package cli

 import (
 	"fmt"
+	"os"
 	"strings"

+	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli/command"
+	cliconfig "github.com/docker/cli/cli/config"
+	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/docker/docker/pkg/term"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 )

-// SetupRootCommand sets default usage, help, and error handling for the
-// root command.
-func SetupRootCommand(rootCmd *cobra.Command) {
+// setupCommonRootCommand contains the setup common to
+// SetupRootCommand and SetupPluginRootCommand.
+func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+	opts := cliflags.NewClientOptions()
+	flags := rootCmd.Flags()
+
+	flags.StringVar(&opts.ConfigDir, "config", cliconfig.Dir(), "Location of client config files")
+	opts.Common.InstallFlags(flags)
+
+	cobra.AddTemplateFunc("add", func(a, b int) int { return a + b })
 	cobra.AddTemplateFunc("hasSubCommands", hasSubCommands)
 	cobra.AddTemplateFunc("hasManagementSubCommands", hasManagementSubCommands)
+	cobra.AddTemplateFunc("hasInvalidPlugins", hasInvalidPlugins)
 	cobra.AddTemplateFunc("operationSubCommands", operationSubCommands)
 	cobra.AddTemplateFunc("managementSubCommands", managementSubCommands)
+	cobra.AddTemplateFunc("invalidPlugins", invalidPlugins)
 	cobra.AddTemplateFunc("wrappedFlagUsages", wrappedFlagUsages)
+	cobra.AddTemplateFunc("vendorAndVersion", vendorAndVersion)
+	cobra.AddTemplateFunc("invalidPluginReason", invalidPluginReason)
+	cobra.AddTemplateFunc("isPlugin", isPlugin)
+	cobra.AddTemplateFunc("decoratedName", decoratedName)

 	rootCmd.SetUsageTemplate(usageTemplate)
 	rootCmd.SetHelpTemplate(helpTemplate)
 	rootCmd.SetFlagErrorFunc(FlagErrorFunc)
 	rootCmd.SetHelpCommand(helpCommand)
-	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")

 	rootCmd.PersistentFlags().BoolP("help", "h", false, "Print usage")
 	rootCmd.PersistentFlags().MarkShorthandDeprecated("help", "please use --help")
 	rootCmd.PersistentFlags().Lookup("help").Hidden = true
+
+	return opts, flags, helpCommand
+}
+
+// SetupRootCommand sets default usage, help, and error handling for the
+// root command.
+func SetupRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+	opts, flags, helpCmd := setupCommonRootCommand(rootCmd)
+
+	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")
+
+	return opts, flags, helpCmd
+}
+
+// SetupPluginRootCommand sets default usage, help and error handling for a plugin root command.
+func SetupPluginRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet) {
+	opts, flags, _ := setupCommonRootCommand(rootCmd)
+	return opts, flags
 }

 // FlagErrorFunc prints an error message which matches the format of the
@ -46,6 +82,98 @@ func FlagErrorFunc(cmd *cobra.Command, err error) error {
 	}
 }

+// TopLevelCommand encapsulates a top-level cobra command (either
+// docker CLI or a plugin) and global flag handling logic necessary
+// for plugins.
+type TopLevelCommand struct {
+	cmd       *cobra.Command
+	dockerCli *command.DockerCli
+	opts      *cliflags.ClientOptions
+	flags     *pflag.FlagSet
+	args      []string
+}
+
+// NewTopLevelCommand returns a new TopLevelCommand object
+func NewTopLevelCommand(cmd *cobra.Command, dockerCli *command.DockerCli, opts *cliflags.ClientOptions, flags *pflag.FlagSet) *TopLevelCommand {
+	return &TopLevelCommand{cmd, dockerCli, opts, flags, os.Args[1:]}
+}
+
+// SetArgs sets the args (default os.Args[:1] used to invoke the command
+func (tcmd *TopLevelCommand) SetArgs(args []string) {
+	tcmd.args = args
+	tcmd.cmd.SetArgs(args)
+}
+
+// SetFlag sets a flag in the local flag set of the top-level command
+func (tcmd *TopLevelCommand) SetFlag(name, value string) {
+	tcmd.cmd.Flags().Set(name, value)
+}
+
+// HandleGlobalFlags takes care of parsing global flags defined on the
+// command, it returns the underlying cobra command and the args it
+// will be called with (or an error).
+//
+// On success the caller is responsible for calling Initialize()
+// before calling `Execute` on the returned command.
+func (tcmd *TopLevelCommand) HandleGlobalFlags() (*cobra.Command, []string, error) {
+	cmd := tcmd.cmd
+
+	// We manually parse the global arguments and find the
+	// subcommand in order to properly deal with plugins. We rely
+	// on the root command never having any non-flag arguments. We
+	// create our own FlagSet so that we can configure it
+	// (e.g. `SetInterspersed` below) in an idempotent way.
+	flags := pflag.NewFlagSet(cmd.Name(), pflag.ContinueOnError)
+
+	// We need !interspersed to ensure we stop at the first
+	// potential command instead of accumulating it into
+	// flags.Args() and then continuing on and finding other
+	// arguments which we try and treat as globals (when they are
+	// actually arguments to the subcommand).
+	flags.SetInterspersed(false)
+
+	// We need the single parse to see both sets of flags.
+	flags.AddFlagSet(cmd.Flags())
+	flags.AddFlagSet(cmd.PersistentFlags())
+	// Now parse the global flags, up to (but not including) the
+	// first command. The result will be that all the remaining
+	// arguments are in `flags.Args()`.
+	if err := flags.Parse(tcmd.args); err != nil {
+		// Our FlagErrorFunc uses the cli, make sure it is initialized
+		if err := tcmd.Initialize(); err != nil {
+			return nil, nil, err
+		}
+		return nil, nil, cmd.FlagErrorFunc()(cmd, err)
+	}
+
+	return cmd, flags.Args(), nil
+}
+
+// Initialize finalises global option parsing and initializes the docker client.
+func (tcmd *TopLevelCommand) Initialize(ops ...command.InitializeOpt) error {
+	tcmd.opts.Common.SetDefaultOptions(tcmd.flags)
+	return tcmd.dockerCli.Initialize(tcmd.opts, ops...)
+}
+
+// VisitAll will traverse all commands from the root.
+// This is different from the VisitAll of cobra.Command where only parents
+// are checked.
+func VisitAll(root *cobra.Command, fn func(*cobra.Command)) {
+	for _, cmd := range root.Commands() {
+		VisitAll(cmd, fn)
+	}
+	fn(root)
+}
+
+// DisableFlagsInUseLine sets the DisableFlagsInUseLine flag on all
+// commands within the tree rooted at cmd.
+func DisableFlagsInUseLine(cmd *cobra.Command) {
+	VisitAll(cmd, func(ccmd *cobra.Command) {
+		// do not add a `[flags]` to the end of the usage line.
+		ccmd.DisableFlagsInUseLine = true
+	})
+}
+
 var helpCommand = &cobra.Command{
 	Use:               "help [command]",
 	Short:             "Help about the command",
@ -63,6 +191,10 @@ var helpCommand = &cobra.Command{
 	},
 }

+func isPlugin(cmd *cobra.Command) bool {
+	return cmd.Annotations[pluginmanager.CommandAnnotationPlugin] == "true"
+}
+
 func hasSubCommands(cmd *cobra.Command) bool {
 	return len(operationSubCommands(cmd)) > 0
 }
@ -71,9 +203,16 @@ func hasManagementSubCommands(cmd *cobra.Command) bool {
 	return len(managementSubCommands(cmd)) > 0
 }

+func hasInvalidPlugins(cmd *cobra.Command) bool {
+	return len(invalidPlugins(cmd)) > 0
+}
+
 func operationSubCommands(cmd *cobra.Command) []*cobra.Command {
 	cmds := []*cobra.Command{}
 	for _, sub := range cmd.Commands() {
+		if isPlugin(sub) {
+			continue
+		}
 		if sub.IsAvailableCommand() && !sub.HasSubCommands() {
 			cmds = append(cmds, sub)
 		}
@ -89,9 +228,34 @@ func wrappedFlagUsages(cmd *cobra.Command) string {
 	return cmd.Flags().FlagUsagesWrapped(width - 1)
 }

+func decoratedName(cmd *cobra.Command) string {
+	decoration := " "
+	if isPlugin(cmd) {
+		decoration = "*"
+	}
+	return cmd.Name() + decoration
+}
+
+func vendorAndVersion(cmd *cobra.Command) string {
+	if vendor, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
+		version := ""
+		if v, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVersion]; ok && v != "" {
+			version = ", " + v
+		}
+		return fmt.Sprintf("(%s%s)", vendor, version)
+	}
+	return ""
+}
+
 func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
 	cmds := []*cobra.Command{}
 	for _, sub := range cmd.Commands() {
+		if isPlugin(sub) {
+			if invalidPluginReason(sub) == "" {
+				cmds = append(cmds, sub)
+			}
+			continue
+		}
 		if sub.IsAvailableCommand() && sub.HasSubCommands() {
 			cmds = append(cmds, sub)
 		}
@ -99,12 +263,29 @@ func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
 	return cmds
 }

+func invalidPlugins(cmd *cobra.Command) []*cobra.Command {
+	cmds := []*cobra.Command{}
+	for _, sub := range cmd.Commands() {
+		if !isPlugin(sub) {
+			continue
+		}
+		if invalidPluginReason(sub) != "" {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+func invalidPluginReason(cmd *cobra.Command) string {
+	return cmd.Annotations[pluginmanager.CommandAnnotationPluginInvalid]
+}
+
 var usageTemplate = `Usage:

 {{- if not .HasSubCommands}}	{{.UseLine}}{{end}}
 {{- if .HasSubCommands}}	{{ .CommandPath}}{{- if .HasAvailableFlags}} [OPTIONS]{{end}} COMMAND{{end}}

-{{ .Short | trim }}
+{{if ne .Long ""}}{{ .Long | trim }}{{ else }}{{ .Short | trim }}{{end}}

 {{- if gt .Aliases 0}}

@ -129,7 +310,7 @@ Options:
 Management Commands:

 {{- range managementSubCommands . }}
-  {{rpad .Name .NamePadding }} {{.Short}}
+  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}{{ if isPlugin .}} {{vendorAndVersion .}}{{ end}}
 {{- end}}

 {{- end}}
@ -142,6 +323,16 @@ Commands:
 {{- end}}
 {{- end}}

+{{- if hasInvalidPlugins . }}
+
+Invalid Plugins:
+
+{{- range invalidPlugins . }}
+  {{rpad .Name .NamePadding }} {{invalidPluginReason .}}
+{{- end}}
+
+{{- end}}
+
 {{- if .HasSubCommands }}

 Run '{{.CommandPath}} COMMAND --help' for more information on a command.
--- a/cli/cobra_test.go
+++ b/cli/cobra_test.go
@ -0,0 +1,88 @@
+package cli
+
+import (
+	"testing"
+
+	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestVisitAll(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{Use: "sub1"}
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{Use: "sub2"}
+
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	// Take the opportunity to test DisableFlagsInUseLine too
+	DisableFlagsInUseLine(root)
+
+	var visited []string
+	VisitAll(root, func(ccmd *cobra.Command) {
+		visited = append(visited, ccmd.Name())
+		assert.Assert(t, ccmd.DisableFlagsInUseLine, "DisableFlagsInUseLine not set on %q", ccmd.Name())
+	})
+	expected := []string{"sub1sub1", "sub1sub2", "sub1", "sub2", "root"}
+	assert.DeepEqual(t, expected, visited)
+}
+
+func TestVendorAndVersion(t *testing.T) {
+	// Non plugin.
+	assert.Equal(t, vendorAndVersion(&cobra.Command{Use: "test"}), "")
+
+	// Plugins with various lengths of vendor.
+	for _, tc := range []struct {
+		vendor   string
+		version  string
+		expected string
+	}{
+		{vendor: "vendor", expected: "(vendor)"},
+		{vendor: "vendor", version: "testing", expected: "(vendor, testing)"},
+	} {
+		t.Run(tc.vendor, func(t *testing.T) {
+			cmd := &cobra.Command{
+				Use: "test",
+				Annotations: map[string]string{
+					pluginmanager.CommandAnnotationPlugin:        "true",
+					pluginmanager.CommandAnnotationPluginVendor:  tc.vendor,
+					pluginmanager.CommandAnnotationPluginVersion: tc.version,
+				},
+			}
+			assert.Equal(t, vendorAndVersion(cmd), tc.expected)
+		})
+	}
+}
+
+func TestInvalidPlugin(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{Use: "sub1"}
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{Use: "sub2"}
+
+	assert.Assert(t, is.Len(invalidPlugins(root), 0))
+
+	sub1.Annotations = map[string]string{
+		pluginmanager.CommandAnnotationPlugin:        "true",
+		pluginmanager.CommandAnnotationPluginInvalid: "foo",
+	}
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	assert.DeepEqual(t, invalidPlugins(root), []*cobra.Command{sub1}, cmpopts.IgnoreUnexported(cobra.Command{}))
+}
+
+func TestDecoratedName(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	topLevelCommand := &cobra.Command{Use: "pluginTopLevelCommand"}
+	root.AddCommand(topLevelCommand)
+	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand ")
+	topLevelCommand.Annotations = map[string]string{pluginmanager.CommandAnnotationPlugin: "true"}
+	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand*")
+}
--- a/cli/command/builder/cmd.go
+++ b/cli/command/builder/cmd.go
@ -5,18 +5,21 @@ import (

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
 )

 // NewBuilderCommand returns a cobra command for `builder` subcommands
 func NewBuilderCommand(dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "builder",
-		Short: "Manage builds",
-		Args:  cli.NoArgs,
-		RunE:  command.ShowHelp(dockerCli.Err()),
+		Use:         "builder",
+		Short:       "Manage builds",
+		Args:        cli.NoArgs,
+		RunE:        command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{"version": "1.31"},
 	}
 	cmd.AddCommand(
 		NewPruneCommand(dockerCli),
+		image.NewBuildCommand(dockerCli),
 	)
 	return cmd
 }
--- a/cli/command/builder/prune.go
+++ b/cli/command/builder/prune.go
@ -3,29 +3,94 @@ package builder
 import (
 	"context"
 	"fmt"
+	"strings"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
 	units "github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )

+type pruneOptions struct {
+	force       bool
+	all         bool
+	filter      opts.FilterOpt
+	keepStorage opts.MemBytes
+}
+
 // NewPruneCommand returns a new cobra prune command for images
 func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
 	cmd := &cobra.Command{
 		Use:   "prune",
 		Short: "Remove build cache",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			report, err := dockerCli.Client().BuildCachePrune(context.Background())
+			spaceReclaimed, output, err := runPrune(dockerCli, options)
 			if err != nil {
 				return err
 			}
-			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(report.SpaceReclaimed)))
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
 			return nil
 		},
 		Annotations: map[string]string{"version": "1.39"},
 	}

+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused build cache, not just dangling ones")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=24h')")
+	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
+
 	return cmd
 }
+
+const (
+	normalWarning   = `WARNING! This will remove all dangling build cache. Are you sure you want to continue?`
+	allCacheWarning = `WARNING! This will remove all build cache. Are you sure you want to continue?`
+)
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
+	pruneFilters := options.filter.Value()
+	pruneFilters = command.PruneFilters(dockerCli, pruneFilters)
+
+	warning := normalWarning
+	if options.all {
+		warning = allCacheWarning
+	}
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return 0, "", nil
+	}
+
+	report, err := dockerCli.Client().BuildCachePrune(context.Background(), types.BuildCachePruneOptions{
+		All:         options.all,
+		KeepStorage: options.keepStorage.Value(),
+		Filters:     pruneFilters,
+	})
+	if err != nil {
+		return 0, "", err
+	}
+
+	if len(report.CachesDeleted) > 0 {
+		var sb strings.Builder
+		sb.WriteString("Deleted build cache objects:\n")
+		for _, id := range report.CachesDeleted {
+			sb.WriteString(id)
+			sb.WriteByte('\n')
+		}
+		output = sb.String()
+	}
+
+	return report.SpaceReclaimed, output, nil
+}
+
+// CachePrune executes a prune command for build cache
+func CachePrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+	return runPrune(dockerCli, pruneOptions{force: true, all: all, filter: filter})
+}
--- a/cli/command/bundlefile/bundlefile_test.go
+++ b/cli/command/bundlefile/bundlefile_test.go
@ -5,8 +5,8 @@ import (
 	"strings"
 	"testing"

-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestLoadFileV01Success(t *testing.T) {
--- a/cli/command/checkpoint/create_test.go
+++ b/cli/command/checkpoint/create_test.go
@ -8,8 +8,8 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestCheckpointCreateErrors(t *testing.T) {
--- a/cli/command/checkpoint/formatter.go
+++ b/cli/command/checkpoint/formatter.go
@ -1,6 +1,9 @@
-package formatter
+package checkpoint

-import "github.com/docker/docker/api/types"
+import (
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+)

 const (
 	defaultCheckpointFormat = "table {{.Name}}"
@ -8,18 +11,18 @@ const (
 	checkpointNameHeader = "CHECKPOINT NAME"
 )

-// NewCheckpointFormat returns a format for use with a checkpoint Context
-func NewCheckpointFormat(source string) Format {
+// NewFormat returns a format for use with a checkpoint Context
+func NewFormat(source string) formatter.Format {
 	switch source {
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		return defaultCheckpointFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// CheckpointWrite writes formatted checkpoints using the Context
-func CheckpointWrite(ctx Context, checkpoints []types.Checkpoint) error {
-	render := func(format func(subContext subContext) error) error {
+// FormatWrite writes formatted checkpoints using the Context
+func FormatWrite(ctx formatter.Context, checkpoints []types.Checkpoint) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, checkpoint := range checkpoints {
 			if err := format(&checkpointContext{c: checkpoint}); err != nil {
 				return err
@ -31,20 +34,20 @@ func CheckpointWrite(ctx Context, checkpoints []types.Checkpoint) error {
 }

 type checkpointContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c types.Checkpoint
 }

 func newCheckpointContext() *checkpointContext {
 	cpCtx := checkpointContext{}
-	cpCtx.header = volumeHeaderContext{
+	cpCtx.Header = formatter.SubHeaderContext{
 		"Name": checkpointNameHeader,
 	}
 	return &cpCtx
 }

 func (c *checkpointContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+	return formatter.MarshalJSON(c)
 }

 func (c *checkpointContext) Name() string {
--- a/cli/command/checkpoint/formatter_test.go
+++ b/cli/command/checkpoint/formatter_test.go
@ -1,20 +1,21 @@
-package formatter
+package checkpoint

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types"
-	"gotest.tools/assert"
+	"gotest.tools/v3/assert"
 )

 func TestCheckpointContextFormatWrite(t *testing.T) {
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: NewCheckpointFormat(defaultCheckpointFormat)},
+			formatter.Context{Format: NewFormat(defaultCheckpointFormat)},
 			`CHECKPOINT NAME
 checkpoint-1
 checkpoint-2
@ -22,14 +23,14 @@ checkpoint-3
 `,
 		},
 		{
-			Context{Format: NewCheckpointFormat("{{.Name}}")},
+			formatter.Context{Format: NewFormat("{{.Name}}")},
 			`checkpoint-1
 checkpoint-2
 checkpoint-3
 `,
 		},
 		{
-			Context{Format: NewCheckpointFormat("{{.Name}}:")},
+			formatter.Context{Format: NewFormat("{{.Name}}:")},
 			`checkpoint-1:
 checkpoint-2:
 checkpoint-3:
@ -45,7 +46,7 @@ checkpoint-3:
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		err := CheckpointWrite(testcase.context, checkpoints)
+		err := FormatWrite(testcase.context, checkpoints)
 		assert.NilError(t, err)
 		assert.Equal(t, out.String(), testcase.expected)
 	}
--- a/cli/command/checkpoint/list.go
+++ b/cli/command/checkpoint/list.go
@ -48,7 +48,7 @@ func runList(dockerCli command.Cli, container string, opts listOptions) error {

 	cpCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewCheckpointFormat(formatter.TableFormatKey),
+		Format: NewFormat(formatter.TableFormatKey),
 	}
-	return formatter.CheckpointWrite(cpCtx, checkpoints)
+	return FormatWrite(cpCtx, checkpoints)
 }
--- a/cli/command/checkpoint/list_test.go
+++ b/cli/command/checkpoint/list_test.go
@ -7,9 +7,9 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/golden"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/golden"
 )

 func TestCheckpointListErrors(t *testing.T) {
--- a/cli/command/checkpoint/remove_test.go
+++ b/cli/command/checkpoint/remove_test.go
@ -7,8 +7,8 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestCheckpointRemoveErrors(t *testing.T) {
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@ -3,28 +3,35 @@ package command
 import (
 	"context"
 	"io"
-	"net"
-	"net/http"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
+	"strconv"
+	"strings"
 	"time"

-	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/config"
 	cliconfig "github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
-	"github.com/docker/cli/cli/connhelper"
+	dcontext "github.com/docker/cli/cli/context"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
 	manifeststore "github.com/docker/cli/cli/manifest/store"
 	registryclient "github.com/docker/cli/cli/registry/client"
+	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/cli/version"
 	"github.com/docker/cli/internal/containerizedengine"
 	dopts "github.com/docker/cli/opts"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/term"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@ -35,18 +42,19 @@ import (

 // Streams is an interface which exposes the standard input and output streams
 type Streams interface {
-	In() *InStream
-	Out() *OutStream
+	In() *streams.In
+	Out() *streams.Out
 	Err() io.Writer
 }

 // Cli represents the docker command line client.
 type Cli interface {
 	Client() client.APIClient
-	Out() *OutStream
+	Out() *streams.Out
 	Err() io.Writer
-	In() *InStream
-	SetIn(in *InStream)
+	In() *streams.In
+	SetIn(in *streams.In)
+	Apply(ops ...DockerCliOption) error
 	ConfigFile() *configfile.ConfigFile
 	ServerInfo() ServerInfo
 	ClientInfo() ClientInfo
@ -55,25 +63,34 @@ type Cli interface {
 	ManifestStore() manifeststore.Store
 	RegistryClient(bool) registryclient.RegistryClient
 	ContentTrustEnabled() bool
-	NewContainerizedEngineClient(sockPath string) (containerizedengine.Client, error)
+	NewContainerizedEngineClient(sockPath string) (clitypes.ContainerizedClient, error)
+	ContextStore() store.Store
+	CurrentContext() string
+	StackOrchestrator(flagValue string) (Orchestrator, error)
+	DockerEndpoint() docker.Endpoint
 }

 // DockerCli is an instance the docker command line client.
 // Instances of the client can be returned from NewDockerCli.
 type DockerCli struct {
-	configFile   *configfile.ConfigFile
-	in           *InStream
-	out          *OutStream
-	err          io.Writer
-	client       client.APIClient
-	serverInfo   ServerInfo
-	clientInfo   ClientInfo
-	contentTrust bool
+	configFile            *configfile.ConfigFile
+	in                    *streams.In
+	out                   *streams.Out
+	err                   io.Writer
+	client                client.APIClient
+	serverInfo            ServerInfo
+	clientInfo            *ClientInfo
+	contentTrust          bool
+	newContainerizeClient func(string) (clitypes.ContainerizedClient, error)
+	contextStore          store.Store
+	currentContext        string
+	dockerEndpoint        docker.Endpoint
+	contextStoreConfig    store.Config
 }

 // DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
 func (cli *DockerCli) DefaultVersion() string {
-	return cli.clientInfo.DefaultVersion
+	return cli.ClientInfo().DefaultVersion
 }

 // Client returns the APIClient
@ -82,7 +99,7 @@ func (cli *DockerCli) Client() client.APIClient {
 }

 // Out returns the writer used for stdout
-func (cli *DockerCli) Out() *OutStream {
+func (cli *DockerCli) Out() *streams.Out {
 	return cli.out
 }

@ -92,12 +109,12 @@ func (cli *DockerCli) Err() io.Writer {
 }

 // SetIn sets the reader used for stdin
-func (cli *DockerCli) SetIn(in *InStream) {
+func (cli *DockerCli) SetIn(in *streams.In) {
 	cli.in = in
 }

 // In returns the reader used for stdin
-func (cli *DockerCli) In() *InStream {
+func (cli *DockerCli) In() *streams.In {
 	return cli.in
 }

@ -112,9 +129,16 @@ func ShowHelp(err io.Writer) func(*cobra.Command, []string) error {

 // ConfigFile returns the ConfigFile
 func (cli *DockerCli) ConfigFile() *configfile.ConfigFile {
+	if cli.configFile == nil {
+		cli.loadConfigFile()
+	}
 	return cli.configFile
 }

+func (cli *DockerCli) loadConfigFile() {
+	cli.configFile = cliconfig.LoadDefaultConfigFile(cli.err)
+}
+
 // ServerInfo returns the server version details for the host this client is
 // connected to
 func (cli *DockerCli) ServerInfo() ServerInfo {
@ -123,7 +147,36 @@ func (cli *DockerCli) ServerInfo() ServerInfo {

 // ClientInfo returns the client details for the cli
 func (cli *DockerCli) ClientInfo() ClientInfo {
-	return cli.clientInfo
+	if cli.clientInfo == nil {
+		if err := cli.loadClientInfo(); err != nil {
+			panic(err)
+		}
+	}
+	return *cli.clientInfo
+}
+
+func (cli *DockerCli) loadClientInfo() error {
+	var experimentalValue string
+	// Environment variable always overrides configuration
+	if experimentalValue = os.Getenv("DOCKER_CLI_EXPERIMENTAL"); experimentalValue == "" {
+		experimentalValue = cli.ConfigFile().Experimental
+	}
+	hasExperimental, err := isEnabled(experimentalValue)
+	if err != nil {
+		return errors.Wrap(err, "Experimental field")
+	}
+
+	var v string
+	if cli.client != nil {
+		v = cli.client.ClientVersion()
+	} else {
+		v = api.DefaultVersion
+	}
+	cli.clientInfo = &ClientInfo{
+		DefaultVersion:  v,
+		HasExperimental: hasExperimental,
+	}
+	return nil
 }

 // ContentTrustEnabled returns whether content trust has been enabled by an
@ -132,6 +185,20 @@ func (cli *DockerCli) ContentTrustEnabled() bool {
 	return cli.contentTrust
 }

+// BuildKitEnabled returns whether buildkit is enabled either through a daemon setting
+// or otherwise the client-side DOCKER_BUILDKIT environment variable
+func BuildKitEnabled(si ServerInfo) (bool, error) {
+	buildkitEnabled := si.BuildkitVersion == types.BuilderBuildKit
+	if buildkitEnv := os.Getenv("DOCKER_BUILDKIT"); buildkitEnv != "" {
+		var err error
+		buildkitEnabled, err = strconv.ParseBool(buildkitEnv)
+		if err != nil {
+			return false, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
+		}
+	}
+	return buildkitEnabled, nil
+}
+
 // ManifestStore returns a store for local manifests
 func (cli *DockerCli) ManifestStore() manifeststore.Store {
 	// TODO: support override default location from config file
@ -147,41 +214,154 @@ func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.Registry
 	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
 }

+// InitializeOpt is the type of the functional options passed to DockerCli.Initialize
+type InitializeOpt func(dockerCli *DockerCli) error
+
+// WithInitializeClient is passed to DockerCli.Initialize by callers who wish to set a particular API Client for use by the CLI.
+func WithInitializeClient(makeClient func(dockerCli *DockerCli) (client.APIClient, error)) InitializeOpt {
+	return func(dockerCli *DockerCli) error {
+		var err error
+		dockerCli.client, err = makeClient(dockerCli)
+		return err
+	}
+}
+
 // Initialize the dockerCli runs initialization that must happen after command
 // line flags are parsed.
-func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
-	cli.configFile = cliconfig.LoadDefaultConfigFile(cli.err)
-
+func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...InitializeOpt) error {
 	var err error
-	cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
-	if tlsconfig.IsErrEncryptedKey(err) {
-		passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
-		newClient := func(password string) (client.APIClient, error) {
-			opts.Common.TLSOptions.Passphrase = password
-			return NewAPIClientFromFlags(opts.Common, cli.configFile)
+
+	for _, o := range ops {
+		if err := o(cli); err != nil {
+			return err
 		}
-		cli.client, err = getClientWithPassword(passRetriever, newClient)
 	}
+	cliflags.SetLogLevel(opts.Common.LogLevel)
+
+	if opts.ConfigDir != "" {
+		cliconfig.SetDir(opts.ConfigDir)
+	}
+
+	if opts.Common.Debug {
+		debug.Enable()
+	}
+
+	cli.loadConfigFile()
+
+	baseContextStore := store.New(cliconfig.ContextStoreDir(), cli.contextStoreConfig)
+	cli.contextStore = &ContextStoreWithDefault{
+		Store: baseContextStore,
+		Resolver: func() (*DefaultContext, error) {
+			return ResolveDefaultContext(opts.Common, cli.ConfigFile(), cli.contextStoreConfig, cli.Err())
+		},
+	}
+	cli.currentContext, err = resolveContextName(opts.Common, cli.configFile, cli.contextStore)
 	if err != nil {
 		return err
 	}
-	var experimentalValue string
-	// Environment variable always overrides configuration
-	if experimentalValue = os.Getenv("DOCKER_CLI_EXPERIMENTAL"); experimentalValue == "" {
-		experimentalValue = cli.configFile.Experimental
-	}
-	hasExperimental, err := isEnabled(experimentalValue)
+	cli.dockerEndpoint, err = resolveDockerEndpoint(cli.contextStore, cli.currentContext)
 	if err != nil {
-		return errors.Wrap(err, "Experimental field")
+		return errors.Wrap(err, "unable to resolve docker endpoint")
 	}
-	cli.clientInfo = ClientInfo{
-		DefaultVersion:  cli.client.ClientVersion(),
-		HasExperimental: hasExperimental,
+
+	if cli.client == nil {
+		cli.client, err = newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile)
+		if tlsconfig.IsErrEncryptedKey(err) {
+			passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
+			newClient := func(password string) (client.APIClient, error) {
+				cli.dockerEndpoint.TLSPassword = password
+				return newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile)
+			}
+			cli.client, err = getClientWithPassword(passRetriever, newClient)
+		}
+		if err != nil {
+			return err
+		}
 	}
 	cli.initializeFromClient()
+
+	if err := cli.loadClientInfo(); err != nil {
+		return err
+	}
+
 	return nil
 }

+// NewAPIClientFromFlags creates a new APIClient from command line flags
+func NewAPIClientFromFlags(opts *cliflags.CommonOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
+	storeConfig := DefaultContextStoreConfig()
+	store := &ContextStoreWithDefault{
+		Store: store.New(cliconfig.ContextStoreDir(), storeConfig),
+		Resolver: func() (*DefaultContext, error) {
+			return ResolveDefaultContext(opts, configFile, storeConfig, ioutil.Discard)
+		},
+	}
+	contextName, err := resolveContextName(opts, configFile, store)
+	if err != nil {
+		return nil, err
+	}
+	endpoint, err := resolveDockerEndpoint(store, contextName)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to resolve docker endpoint")
+	}
+	return newAPIClientFromEndpoint(endpoint, configFile)
+}
+
+func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigFile) (client.APIClient, error) {
+	clientOpts, err := ep.ClientOpts()
+	if err != nil {
+		return nil, err
+	}
+	customHeaders := configFile.HTTPHeaders
+	if customHeaders == nil {
+		customHeaders = map[string]string{}
+	}
+	customHeaders["User-Agent"] = UserAgent()
+	clientOpts = append(clientOpts, client.WithHTTPHeaders(customHeaders))
+	return client.NewClientWithOpts(clientOpts...)
+}
+
+func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
+	ctxMeta, err := s.GetMetadata(contextName)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	epMeta, err := docker.EndpointFromContext(ctxMeta)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	return docker.WithTLSData(s, contextName, epMeta)
+}
+
+// Resolve the Docker endpoint for the default context (based on config, env vars and CLI flags)
+func resolveDefaultDockerEndpoint(opts *cliflags.CommonOptions) (docker.Endpoint, error) {
+	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+
+	var (
+		skipTLSVerify bool
+		tlsData       *dcontext.TLSData
+	)
+
+	if opts.TLSOptions != nil {
+		skipTLSVerify = opts.TLSOptions.InsecureSkipVerify
+		tlsData, err = dcontext.TLSDataFromFiles(opts.TLSOptions.CAFile, opts.TLSOptions.CertFile, opts.TLSOptions.KeyFile)
+		if err != nil {
+			return docker.Endpoint{}, err
+		}
+	}
+
+	return docker.Endpoint{
+		EndpointMeta: docker.EndpointMeta{
+			Host:          host,
+			SkipTLSVerify: skipTLSVerify,
+		},
+		TLSData: tlsData,
+	}, nil
+}
+
 func isEnabled(value string) (bool, error) {
 	switch value {
 	case "enabled":
@ -194,7 +374,16 @@ func isEnabled(value string) (bool, error) {
 }

 func (cli *DockerCli) initializeFromClient() {
-	ping, err := cli.client.Ping(context.Background())
+	ctx := context.Background()
+	if strings.HasPrefix(cli.DockerEndpoint().Host, "tcp://") {
+		// @FIXME context.WithTimeout doesn't work with connhelper / ssh connections
+		// time="2020-04-10T10:16:26Z" level=warning msg="commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
+		var cancel func()
+		ctx, cancel = context.WithTimeout(ctx, 2*time.Second)
+		defer cancel()
+	}
+
+	ping, err := cli.client.Ping(ctx)
 	if err != nil {
 		// Default to true if we fail to connect to daemon
 		cli.serverInfo = ServerInfo{HasExperimental: true}
@ -233,8 +422,52 @@ func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions
 }

 // NewContainerizedEngineClient returns a containerized engine client
-func (cli *DockerCli) NewContainerizedEngineClient(sockPath string) (containerizedengine.Client, error) {
-	return containerizedengine.NewClient(sockPath)
+func (cli *DockerCli) NewContainerizedEngineClient(sockPath string) (clitypes.ContainerizedClient, error) {
+	return cli.newContainerizeClient(sockPath)
+}
+
+// ContextStore returns the ContextStore
+func (cli *DockerCli) ContextStore() store.Store {
+	return cli.contextStore
+}
+
+// CurrentContext returns the current context name
+func (cli *DockerCli) CurrentContext() string {
+	return cli.currentContext
+}
+
+// StackOrchestrator resolves which stack orchestrator is in use
+func (cli *DockerCli) StackOrchestrator(flagValue string) (Orchestrator, error) {
+	currentContext := cli.CurrentContext()
+	ctxRaw, err := cli.ContextStore().GetMetadata(currentContext)
+	if store.IsErrContextDoesNotExist(err) {
+		// case where the currentContext has been removed (CLI behavior is to fallback to using DOCKER_HOST based resolution)
+		return GetStackOrchestrator(flagValue, "", cli.ConfigFile().StackOrchestrator, cli.Err())
+	}
+	if err != nil {
+		return "", err
+	}
+	ctxMeta, err := GetDockerContext(ctxRaw)
+	if err != nil {
+		return "", err
+	}
+	ctxOrchestrator := string(ctxMeta.StackOrchestrator)
+	return GetStackOrchestrator(flagValue, ctxOrchestrator, cli.ConfigFile().StackOrchestrator, cli.Err())
+}
+
+// DockerEndpoint returns the current docker endpoint
+func (cli *DockerCli) DockerEndpoint() docker.Endpoint {
+	return cli.dockerEndpoint
+}
+
+// Apply all the operation on the cli
+func (cli *DockerCli) Apply(ops ...DockerCliOption) error {
+	for _, op := range ops {
+		if err := op(cli); err != nil {
+			return err
+		}
+	}
+	return nil
 }

 // ServerInfo stores details about the supported features and platform of the
@ -251,61 +484,36 @@ type ClientInfo struct {
 	DefaultVersion  string
 }

-// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
-func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
-	return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, contentTrust: isTrusted}
-}
-
-// NewAPIClientFromFlags creates a new APIClient from command line flags
-func NewAPIClientFromFlags(opts *cliflags.CommonOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
-	unparsedHost, err := getUnparsedServerHost(opts.Hosts)
-	if err != nil {
-		return &client.Client{}, err
+// NewDockerCli returns a DockerCli instance with all operators applied on it.
+// It applies by default the standard streams, the content trust from
+// environment and the default containerized client constructor operations.
+func NewDockerCli(ops ...DockerCliOption) (*DockerCli, error) {
+	cli := &DockerCli{}
+	defaultOps := []DockerCliOption{
+		WithContentTrustFromEnv(),
+		WithContainerizedClient(containerizedengine.NewClient),
 	}
-	var clientOpts []func(*client.Client) error
-	helper, err := connhelper.GetConnectionHelper(unparsedHost)
-	if err != nil {
-		return &client.Client{}, err
+	cli.contextStoreConfig = DefaultContextStoreConfig()
+	ops = append(defaultOps, ops...)
+	if err := cli.Apply(ops...); err != nil {
+		return nil, err
 	}
-	if helper == nil {
-		clientOpts = append(clientOpts, withHTTPClient(opts.TLSOptions))
-		host, err := dopts.ParseHost(opts.TLSOptions != nil, unparsedHost)
-		if err != nil {
-			return &client.Client{}, err
+	if cli.out == nil || cli.in == nil || cli.err == nil {
+		stdin, stdout, stderr := term.StdStreams()
+		if cli.in == nil {
+			cli.in = streams.NewIn(stdin)
+		}
+		if cli.out == nil {
+			cli.out = streams.NewOut(stdout)
+		}
+		if cli.err == nil {
+			cli.err = stderr
 		}
-		clientOpts = append(clientOpts, client.WithHost(host))
-	} else {
-		clientOpts = append(clientOpts, func(c *client.Client) error {
-			httpClient := &http.Client{
-				// No tls
-				// No proxy
-				Transport: &http.Transport{
-					DialContext: helper.Dialer,
-				},
-			}
-			return client.WithHTTPClient(httpClient)(c)
-		})
-		clientOpts = append(clientOpts, client.WithHost(helper.Host))
-		clientOpts = append(clientOpts, client.WithDialContext(helper.Dialer))
 	}
-
-	customHeaders := configFile.HTTPHeaders
-	if customHeaders == nil {
-		customHeaders = map[string]string{}
-	}
-	customHeaders["User-Agent"] = UserAgent()
-	clientOpts = append(clientOpts, client.WithHTTPHeaders(customHeaders))
-
-	verStr := api.DefaultVersion
-	if tmpStr := os.Getenv("DOCKER_API_VERSION"); tmpStr != "" {
-		verStr = tmpStr
-	}
-	clientOpts = append(clientOpts, client.WithVersion(verStr))
-
-	return client.NewClientWithOpts(clientOpts...)
+	return cli, nil
 }

-func getUnparsedServerHost(hosts []string) (string, error) {
+func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
 	var host string
 	switch len(hosts) {
 	case 0:
@ -315,38 +523,65 @@ func getUnparsedServerHost(hosts []string) (string, error) {
 	default:
 		return "", errors.New("Please specify only one -H")
 	}
-	return host, nil
-}

-func withHTTPClient(tlsOpts *tlsconfig.Options) func(*client.Client) error {
-	return func(c *client.Client) error {
-		if tlsOpts == nil {
-			// Use the default HTTPClient
-			return nil
-		}
-
-		opts := *tlsOpts
-		opts.ExclusiveRootPools = true
-		tlsConfig, err := tlsconfig.Client(opts)
-		if err != nil {
-			return err
-		}
-
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
-				DialContext: (&net.Dialer{
-					KeepAlive: 30 * time.Second,
-					Timeout:   30 * time.Second,
-				}).DialContext,
-			},
-			CheckRedirect: client.CheckRedirect,
-		}
-		return client.WithHTTPClient(httpClient)(c)
-	}
+	return dopts.ParseHost(tlsOptions != nil, host)
 }

 // UserAgent returns the user agent string used for making API requests
 func UserAgent() string {
-	return "Docker-Client/" + cli.Version + " (" + runtime.GOOS + ")"
+	return "Docker-Client/" + version.Version + " (" + runtime.GOOS + ")"
+}
+
+// resolveContextName resolves the current context name with the following rules:
+// - setting both --context and --host flags is ambiguous
+// - if --context is set, use this value
+// - if --host flag or DOCKER_HOST is set, fallbacks to use the same logic as before context-store was added
+// for backward compatibility with existing scripts
+// - if DOCKER_CONTEXT is set, use this value
+// - if Config file has a globally set "CurrentContext", use this value
+// - fallbacks to default HOST, uses TLS config from flags/env vars
+func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Reader) (string, error) {
+	if opts.Context != "" && len(opts.Hosts) > 0 {
+		return "", errors.New("Conflicting options: either specify --host or --context, not both")
+	}
+	if opts.Context != "" {
+		return opts.Context, nil
+	}
+	if len(opts.Hosts) > 0 {
+		return DefaultContextName, nil
+	}
+	if _, present := os.LookupEnv("DOCKER_HOST"); present {
+		return DefaultContextName, nil
+	}
+	if ctxName, ok := os.LookupEnv("DOCKER_CONTEXT"); ok {
+		return ctxName, nil
+	}
+	if config != nil && config.CurrentContext != "" {
+		_, err := contextstore.GetMetadata(config.CurrentContext)
+		if store.IsErrContextDoesNotExist(err) {
+			return "", errors.Errorf("Current context %q is not found on the file system, please check your config file at %s", config.CurrentContext, config.Filename)
+		}
+		return config.CurrentContext, err
+	}
+	return DefaultContextName, nil
+}
+
+var defaultStoreEndpoints = []store.NamedTypeGetter{
+	store.EndpointTypeGetter(docker.DockerEndpoint, func() interface{} { return &docker.EndpointMeta{} }),
+}
+
+// RegisterDefaultStoreEndpoints registers a new named endpoint
+// metadata type with the default context store config, so that
+// endpoint will be supported by stores using the config returned by
+// DefaultContextStoreConfig.
+func RegisterDefaultStoreEndpoints(ep ...store.NamedTypeGetter) {
+	defaultStoreEndpoints = append(defaultStoreEndpoints, ep...)
+}
+
+// DefaultContextStoreConfig returns a new store.Config with the default set of endpoints configured.
+func DefaultContextStoreConfig() store.Config {
+	return store.NewConfig(
+		func() interface{} { return &DockerContext{} },
+		defaultStoreEndpoints...,
+	)
 }
--- a/cli/command/cli_options.go
+++ b/cli/command/cli_options.go
@ -0,0 +1,105 @@
+package command
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/cli/streams"
+	clitypes "github.com/docker/cli/types"
+	"github.com/docker/docker/pkg/term"
+)
+
+// DockerCliOption applies a modification on a DockerCli.
+type DockerCliOption func(cli *DockerCli) error
+
+// WithStandardStreams sets a cli in, out and err streams with the standard streams.
+func WithStandardStreams() DockerCliOption {
+	return func(cli *DockerCli) error {
+		// Set terminal emulation based on platform as required.
+		stdin, stdout, stderr := term.StdStreams()
+		cli.in = streams.NewIn(stdin)
+		cli.out = streams.NewOut(stdout)
+		cli.err = stderr
+		return nil
+	}
+}
+
+// WithCombinedStreams uses the same stream for the output and error streams.
+func WithCombinedStreams(combined io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.out = streams.NewOut(combined)
+		cli.err = combined
+		return nil
+	}
+}
+
+// WithInputStream sets a cli input stream.
+func WithInputStream(in io.ReadCloser) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.in = streams.NewIn(in)
+		return nil
+	}
+}
+
+// WithOutputStream sets a cli output stream.
+func WithOutputStream(out io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.out = streams.NewOut(out)
+		return nil
+	}
+}
+
+// WithErrorStream sets a cli error stream.
+func WithErrorStream(err io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.err = err
+		return nil
+	}
+}
+
+// WithContentTrustFromEnv enables content trust on a cli from environment variable DOCKER_CONTENT_TRUST value.
+func WithContentTrustFromEnv() DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.contentTrust = false
+		if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
+			if t, err := strconv.ParseBool(e); t || err != nil {
+				// treat any other value as true
+				cli.contentTrust = true
+			}
+		}
+		return nil
+	}
+}
+
+// WithContentTrust enables content trust on a cli.
+func WithContentTrust(enabled bool) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.contentTrust = enabled
+		return nil
+	}
+}
+
+// WithContainerizedClient sets the containerized client constructor on a cli.
+func WithContainerizedClient(containerizedFn func(string) (clitypes.ContainerizedClient, error)) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.newContainerizeClient = containerizedFn
+		return nil
+	}
+}
+
+// WithContextEndpointType add support for an additional typed endpoint in the context store
+// Plugins should use this to store additional endpoints configuration in the context store
+func WithContextEndpointType(endpointName string, endpointType store.TypeGetter) DockerCliOption {
+	return func(cli *DockerCli) error {
+		switch endpointName {
+		case docker.DockerEndpoint:
+			return fmt.Errorf("cannot change %q endpoint type", endpointName)
+		}
+		cli.contextStoreConfig.SetEndpoint(endpointName, endpointType)
+		return nil
+	}
+}
--- a/cli/command/cli_options_test.go
+++ b/cli/command/cli_options_test.go
@ -0,0 +1,37 @@
+package command
+
+import (
+	"os"
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func contentTrustEnabled(t *testing.T) bool {
+	var cli DockerCli
+	assert.NilError(t, WithContentTrustFromEnv()(&cli))
+	return cli.contentTrust
+}
+
+// NB: Do not t.Parallel() this test -- it messes with the process environment.
+func TestWithContentTrustFromEnv(t *testing.T) {
+	envvar := "DOCKER_CONTENT_TRUST"
+	if orig, ok := os.LookupEnv(envvar); ok {
+		defer func() {
+			os.Setenv(envvar, orig)
+		}()
+	} else {
+		defer func() {
+			os.Unsetenv(envvar)
+		}()
+	}
+
+	os.Setenv(envvar, "true")
+	assert.Assert(t, contentTrustEnabled(t))
+	os.Setenv(envvar, "false")
+	assert.Assert(t, !contentTrustEnabled(t))
+	os.Setenv(envvar, "invalid")
+	assert.Assert(t, contentTrustEnabled(t))
+	os.Unsetenv(envvar)
+	assert.Assert(t, !contentTrustEnabled(t))
+}
--- a/cli/command/cli_test.go
+++ b/cli/command/cli_test.go
@ -1,8 +1,12 @@
 package command

 import (
+	"bytes"
 	"context"
 	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
 	"os"
 	"runtime"
 	"testing"
@ -10,14 +14,15 @@ import (
 	cliconfig "github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/flags"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/env"
-	"gotest.tools/fs"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/env"
+	"gotest.tools/v3/fs"
 )

 func TestNewAPIClientFromFlags(t *testing.T) {
@ -43,9 +48,30 @@ func TestNewAPIClientFromFlags(t *testing.T) {
 	assert.Check(t, is.Equal(api.DefaultVersion, apiclient.ClientVersion()))
 }

+func TestNewAPIClientFromFlagsForDefaultSchema(t *testing.T) {
+	host := ":2375"
+	opts := &flags.CommonOptions{Hosts: []string{host}}
+	configFile := &configfile.ConfigFile{
+		HTTPHeaders: map[string]string{
+			"My-Header": "Custom-Value",
+		},
+	}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("tcp://localhost"+host, apiclient.DaemonHost()))
+
+	expectedHeaders := map[string]string{
+		"My-Header":  "Custom-Value",
+		"User-Agent": UserAgent(),
+	}
+	assert.Check(t, is.DeepEqual(expectedHeaders, apiclient.(*client.Client).CustomHTTPHeaders()))
+	assert.Check(t, is.Equal(api.DefaultVersion, apiclient.ClientVersion()))
+}
+
 func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	customVersion := "v3.3.3"
 	defer env.Patch(t, "DOCKER_API_VERSION", customVersion)()
+	defer env.Patch(t, "DOCKER_HOST", ":2375")()

 	opts := &flags.CommonOptions{}
 	configFile := &configfile.ConfigFile{}
@ -54,6 +80,24 @@ func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	assert.Check(t, is.Equal(customVersion, apiclient.ClientVersion()))
 }

+func TestNewAPIClientFromFlagsWithHttpProxyEnv(t *testing.T) {
+	defer env.Patch(t, "HTTP_PROXY", "http://proxy.acme.com:1234")()
+	defer env.Patch(t, "DOCKER_HOST", "tcp://docker.acme.com:2376")()
+
+	opts := &flags.CommonOptions{}
+	configFile := &configfile.ConfigFile{}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	transport, ok := apiclient.HTTPClient().Transport.(*http.Transport)
+	assert.Assert(t, ok)
+	assert.Assert(t, transport.Proxy != nil)
+	request, err := http.NewRequest(http.MethodGet, "tcp://docker.acme.com:2376", nil)
+	assert.NilError(t, err)
+	url, err := transport.Proxy(request)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("http://proxy.acme.com:1234", url.String()))
+}
+
 type fakeClient struct {
 	client.Client
 	pingFunc   func() (types.Ping, error)
@ -108,6 +152,7 @@ func TestInitializeFromClient(t *testing.T) {
 	}

 	for _, testcase := range testcases {
+		testcase := testcase
 		t.Run(testcase.doc, func(t *testing.T) {
 			apiclient := &fakeClient{
 				pingFunc: testcase.pingFunc,
@ -145,11 +190,15 @@ func TestExperimentalCLI(t *testing.T) {
 	}

 	for _, testcase := range testcases {
+		testcase := testcase
 		t.Run(testcase.doc, func(t *testing.T) {
 			dir := fs.NewDir(t, testcase.doc, fs.WithFile("config.json", testcase.configfile))
 			defer dir.Remove()
 			apiclient := &fakeClient{
 				version: defaultVersion,
+				pingFunc: func() (types.Ping, error) {
+					return types.Ping{Experimental: true, OSType: "linux", APIVersion: defaultVersion}, nil
+				},
 			}

 			cli := &DockerCli{client: apiclient, err: os.Stderr}
@ -195,6 +244,7 @@ func TestGetClientWithPassword(t *testing.T) {
 	}

 	for _, testcase := range testcases {
+		testcase := testcase
 		t.Run(testcase.doc, func(t *testing.T) {
 			passRetriever := func(_, _ string, _ bool, attempts int) (passphrase string, giveup bool, err error) {
 				// Always return an invalid pass first to test iteration
@ -226,3 +276,54 @@ func TestGetClientWithPassword(t *testing.T) {
 		})
 	}
 }
+
+func TestNewDockerCliAndOperators(t *testing.T) {
+	// Test default operations and also overriding default ones
+	cli, err := NewDockerCli(
+		WithContentTrust(true),
+		WithContainerizedClient(func(string) (clitypes.ContainerizedClient, error) { return nil, nil }),
+	)
+	assert.NilError(t, err)
+	// Check streams are initialized
+	assert.Check(t, cli.In() != nil)
+	assert.Check(t, cli.Out() != nil)
+	assert.Check(t, cli.Err() != nil)
+	assert.Equal(t, cli.ContentTrustEnabled(), true)
+	client, err := cli.NewContainerizedEngineClient("")
+	assert.NilError(t, err)
+	assert.Equal(t, client, nil)
+
+	// Apply can modify a dockerCli after construction
+	inbuf := bytes.NewBuffer([]byte("input"))
+	outbuf := bytes.NewBuffer(nil)
+	errbuf := bytes.NewBuffer(nil)
+	err = cli.Apply(
+		WithInputStream(ioutil.NopCloser(inbuf)),
+		WithOutputStream(outbuf),
+		WithErrorStream(errbuf),
+	)
+	assert.NilError(t, err)
+	// Check input stream
+	inputStream, err := ioutil.ReadAll(cli.In())
+	assert.NilError(t, err)
+	assert.Equal(t, string(inputStream), "input")
+	// Check output stream
+	fmt.Fprintf(cli.Out(), "output")
+	outputStream, err := ioutil.ReadAll(outbuf)
+	assert.NilError(t, err)
+	assert.Equal(t, string(outputStream), "output")
+	// Check error stream
+	fmt.Fprintf(cli.Err(), "error")
+	errStream, err := ioutil.ReadAll(errbuf)
+	assert.NilError(t, err)
+	assert.Equal(t, string(errStream), "error")
+}
+
+func TestInitializeShouldAlwaysCreateTheContextStore(t *testing.T) {
+	cli, err := NewDockerCli()
+	assert.NilError(t, err)
+	assert.NilError(t, cli.Initialize(flags.NewClientOptions(), WithInitializeClient(func(cli *DockerCli) (client.APIClient, error) {
+		return client.NewClientWithOpts()
+	})))
+	assert.Check(t, cli.ContextStore() != nil)
+}
--- a/cli/command/commands/commands.go
+++ b/cli/command/commands/commands.go
@ -2,12 +2,14 @@ package commands

 import (
 	"os"
+	"runtime"

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/builder"
 	"github.com/docker/cli/cli/command/checkpoint"
 	"github.com/docker/cli/cli/command/config"
 	"github.com/docker/cli/cli/command/container"
+	"github.com/docker/cli/cli/command/context"
 	"github.com/docker/cli/cli/command/engine"
 	"github.com/docker/cli/cli/command/image"
 	"github.com/docker/cli/cli/command/manifest"
@ -74,7 +76,6 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {

 		// stack
 		stack.NewStackCommand(dockerCli),
-		stack.NewTopLevelDeployCommand(dockerCli),

 		// swarm
 		swarm.NewSwarmCommand(dockerCli),
@ -85,10 +86,11 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		// volume
 		volume.NewVolumeCommand(dockerCli),

-		// engine
-		engine.NewEngineCommand(dockerCli),
+		// context
+		context.NewContextCommand(dockerCli),

 		// legacy commands may be hidden
+		hide(stack.NewTopLevelDeployCommand(dockerCli)),
 		hide(system.NewEventsCommand(dockerCli)),
 		hide(system.NewInfoCommand(dockerCli)),
 		hide(system.NewInspectCommand(dockerCli)),
@ -124,7 +126,10 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		hide(image.NewSaveCommand(dockerCli)),
 		hide(image.NewTagCommand(dockerCli)),
 	)
-
+	if runtime.GOOS == "linux" {
+		// engine
+		cmd.AddCommand(engine.NewEngineCommand(dockerCli))
+	}
 }

 func hide(cmd *cobra.Command) *cobra.Command {
--- a/cli/command/config/create.go
+++ b/cli/command/config/create.go
@ -15,16 +15,17 @@ import (
 	"github.com/spf13/cobra"
 )

-type createOptions struct {
-	name           string
-	templateDriver string
-	file           string
-	labels         opts.ListOpts
+// CreateOptions specifies some options that are used when creating a config.
+type CreateOptions struct {
+	Name           string
+	TemplateDriver string
+	File           string
+	Labels         opts.ListOpts
 }

 func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
-	createOpts := createOptions{
-		labels: opts.NewListOpts(opts.ValidateEnv),
+	createOpts := CreateOptions{
+		Labels: opts.NewListOpts(opts.ValidateLabel),
 	}

 	cmd := &cobra.Command{
@ -32,26 +33,27 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Create a config from a file or STDIN",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			createOpts.name = args[0]
-			createOpts.file = args[1]
-			return runConfigCreate(dockerCli, createOpts)
+			createOpts.Name = args[0]
+			createOpts.File = args[1]
+			return RunConfigCreate(dockerCli, createOpts)
 		},
 	}
 	flags := cmd.Flags()
-	flags.VarP(&createOpts.labels, "label", "l", "Config labels")
-	flags.StringVar(&createOpts.templateDriver, "template-driver", "", "Template driver")
-	flags.SetAnnotation("driver", "version", []string{"1.37"})
+	flags.VarP(&createOpts.Labels, "label", "l", "Config labels")
+	flags.StringVar(&createOpts.TemplateDriver, "template-driver", "", "Template driver")
+	flags.SetAnnotation("template-driver", "version", []string{"1.37"})

 	return cmd
 }

-func runConfigCreate(dockerCli command.Cli, options createOptions) error {
+// RunConfigCreate creates a config with the given options.
+func RunConfigCreate(dockerCli command.Cli, options CreateOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

 	var in io.Reader = dockerCli.In()
-	if options.file != "-" {
-		file, err := system.OpenSequential(options.file)
+	if options.File != "-" {
+		file, err := system.OpenSequential(options.File)
 		if err != nil {
 			return err
 		}
@ -61,19 +63,19 @@ func runConfigCreate(dockerCli command.Cli, options createOptions) error {

 	configData, err := ioutil.ReadAll(in)
 	if err != nil {
-		return errors.Errorf("Error reading content from %q: %v", options.file, err)
+		return errors.Errorf("Error reading content from %q: %v", options.File, err)
 	}

 	spec := swarm.ConfigSpec{
 		Annotations: swarm.Annotations{
-			Name:   options.name,
-			Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
+			Name:   options.Name,
+			Labels: opts.ConvertKVStringsToMap(options.Labels.GetAll()),
 		},
 		Data: configData,
 	}
-	if options.templateDriver != "" {
+	if options.TemplateDriver != "" {
 		spec.Templating = &swarm.Driver{
-			Name: options.templateDriver,
+			Name: options.TemplateDriver,
 		}
 	}
 	r, err := client.ConfigCreate(ctx, spec)
--- a/cli/command/config/create_test.go
+++ b/cli/command/config/create_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/golden"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/golden"
 )

 const configDataFile = "config-create-with-name.golden"
--- a/cli/command/config/formatter.go
+++ b/cli/command/config/formatter.go
@ -1,4 +1,4 @@
-package formatter
+package config

 import (
 	"fmt"
@ -6,17 +6,18 @@ import (
 	"time"

 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/inspect"
 	"github.com/docker/docker/api/types/swarm"
 	units "github.com/docker/go-units"
 )

 const (
-	defaultConfigTableFormat           = "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
-	configIDHeader                     = "ID"
-	configCreatedHeader                = "CREATED"
-	configUpdatedHeader                = "UPDATED"
-	configInspectPrettyTemplate Format = `ID:			{{.ID}}
+	defaultConfigTableFormat                     = "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
+	configIDHeader                               = "ID"
+	configCreatedHeader                          = "CREATED"
+	configUpdatedHeader                          = "UPDATED"
+	configInspectPrettyTemplate formatter.Format = `ID:			{{.ID}}
 Name:			{{.Name}}
 {{- if .Labels }}
 Labels:
@ -29,23 +30,23 @@ Data:
 {{.Data}}`
 )

-// NewConfigFormat returns a Format for rendering using a config Context
-func NewConfigFormat(source string, quiet bool) Format {
+// NewFormat returns a Format for rendering using a config Context
+func NewFormat(source string, quiet bool) formatter.Format {
 	switch source {
-	case PrettyFormatKey:
+	case formatter.PrettyFormatKey:
 		return configInspectPrettyTemplate
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		if quiet {
-			return defaultQuietFormat
+			return formatter.DefaultQuietFormat
 		}
 		return defaultConfigTableFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// ConfigWrite writes the context
-func ConfigWrite(ctx Context, configs []swarm.Config) error {
-	render := func(format func(subContext subContext) error) error {
+// FormatWrite writes the context
+func FormatWrite(ctx formatter.Context, configs []swarm.Config) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, config := range configs {
 			configCtx := &configContext{c: config}
 			if err := format(configCtx); err != nil {
@ -60,23 +61,23 @@ func ConfigWrite(ctx Context, configs []swarm.Config) error {
 func newConfigContext() *configContext {
 	cCtx := &configContext{}

-	cCtx.header = map[string]string{
+	cCtx.Header = formatter.SubHeaderContext{
 		"ID":        configIDHeader,
-		"Name":      nameHeader,
+		"Name":      formatter.NameHeader,
 		"CreatedAt": configCreatedHeader,
 		"UpdatedAt": configUpdatedHeader,
-		"Labels":    labelsHeader,
+		"Labels":    formatter.LabelsHeader,
 	}
 	return cCtx
 }

 type configContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c swarm.Config
 }

 func (c *configContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+	return formatter.MarshalJSON(c)
 }

 func (c *configContext) ID() string {
@ -114,12 +115,12 @@ func (c *configContext) Label(name string) string {
 	return c.c.Spec.Annotations.Labels[name]
 }

-// ConfigInspectWrite renders the context for a list of configs
-func ConfigInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) error {
+// InspectFormatWrite renders the context for a list of configs
+func InspectFormatWrite(ctx formatter.Context, refs []string, getRef inspect.GetRefFunc) error {
 	if ctx.Format != configInspectPrettyTemplate {
 		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
 	}
-	render := func(format func(subContext subContext) error) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, ref := range refs {
 			configI, _, err := getRef(ref)
 			if err != nil {
@ -140,7 +141,7 @@ func ConfigInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) e

 type configInspectContext struct {
 	swarm.Config
-	subContext
+	formatter.SubContext
 }

 func (ctx *configInspectContext) ID() string {
--- a/cli/command/config/formatter_test.go
+++ b/cli/command/config/formatter_test.go
@ -1,44 +1,45 @@
-package formatter
+package config

 import (
 	"bytes"
 	"testing"
 	"time"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/swarm"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestConfigContextFormatWrite(t *testing.T) {
 	// Check default output format (verbose and non-verbose mode) for table headers
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		// Errors
 		{
-			Context{Format: "{{InvalidFunction}}"},
+			formatter.Context{Format: "{{InvalidFunction}}"},
 			`Template parsing error: template: :1: function "InvalidFunction" not defined
 `,
 		},
 		{
-			Context{Format: "{{nil}}"},
+			formatter.Context{Format: "{{nil}}"},
 			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
 `,
 		},
 		// Table format
-		{Context{Format: NewConfigFormat("table", false)},
+		{formatter.Context{Format: NewFormat("table", false)},
 			`ID                  NAME                CREATED                  UPDATED
 1                   passwords           Less than a second ago   Less than a second ago
 2                   id_rsa              Less than a second ago   Less than a second ago
 `},
-		{Context{Format: NewConfigFormat("table {{.Name}}", true)},
+		{formatter.Context{Format: NewFormat("table {{.Name}}", true)},
 			`NAME
 passwords
 id_rsa
 `},
-		{Context{Format: NewConfigFormat("{{.ID}}-{{.Name}}", false)},
+		{formatter.Context{Format: NewFormat("{{.ID}}-{{.Name}}", false)},
 			`1-passwords
 2-id_rsa
 `},
@ -55,7 +56,7 @@ id_rsa
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		if err := ConfigWrite(testcase.context, configs); err != nil {
+		if err := FormatWrite(testcase.context, configs); err != nil {
 			assert.ErrorContains(t, err, testcase.expected)
 		} else {
 			assert.Check(t, is.Equal(out.String(), testcase.expected))
--- a/cli/command/config/inspect.go
+++ b/cli/command/config/inspect.go
@ -11,41 +11,43 @@ import (
 	"github.com/spf13/cobra"
 )

-type inspectOptions struct {
-	names  []string
-	format string
-	pretty bool
+// InspectOptions contains options for the docker config inspect command.
+type InspectOptions struct {
+	Names  []string
+	Format string
+	Pretty bool
 }

 func newConfigInspectCommand(dockerCli command.Cli) *cobra.Command {
-	opts := inspectOptions{}
+	opts := InspectOptions{}
 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] CONFIG [CONFIG...]",
 		Short: "Display detailed information on one or more configs",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.names = args
-			return runConfigInspect(dockerCli, opts)
+			opts.Names = args
+			return RunConfigInspect(dockerCli, opts)
 		},
 	}

-	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-	cmd.Flags().BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	cmd.Flags().StringVarP(&opts.Format, "format", "f", "", "Format the output using the given Go template")
+	cmd.Flags().BoolVar(&opts.Pretty, "pretty", false, "Print the information in a human friendly format")
 	return cmd
 }

-func runConfigInspect(dockerCli command.Cli, opts inspectOptions) error {
+// RunConfigInspect inspects the given Swarm config.
+func RunConfigInspect(dockerCli command.Cli, opts InspectOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	if opts.pretty {
-		opts.format = "pretty"
+	if opts.Pretty {
+		opts.Format = "pretty"
 	}

 	getRef := func(id string) (interface{}, []byte, error) {
 		return client.ConfigInspectWithRaw(ctx, id)
 	}
-	f := opts.format
+	f := opts.Format

 	// check if the user is trying to apply a template to the pretty format, which
 	// is not supported
@ -55,10 +57,10 @@ func runConfigInspect(dockerCli command.Cli, opts inspectOptions) error {

 	configCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewConfigFormat(f, false),
+		Format: NewFormat(f, false),
 	}

-	if err := formatter.ConfigInspectWrite(configCtx, opts.names, getRef); err != nil {
+	if err := InspectFormatWrite(configCtx, opts.Names, getRef); err != nil {
 		return cli.StatusError{StatusCode: 1, Status: err.Error()}
 	}
 	return nil
--- a/cli/command/config/inspect_test.go
+++ b/cli/command/config/inspect_test.go
@ -7,12 +7,11 @@ import (
 	"time"

 	"github.com/docker/cli/internal/test"
+	. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/pkg/errors"
-	// Import builders to get the builder function as package function
-	. "github.com/docker/cli/internal/test/builders"
-	"gotest.tools/assert"
-	"gotest.tools/golden"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/golden"
 )

 func TestConfigInspectErrors(t *testing.T) {
--- a/cli/command/config/ls.go
+++ b/cli/command/config/ls.go
@ -13,14 +13,15 @@ import (
 	"vbom.ml/util/sortorder"
 )

-type listOptions struct {
-	quiet  bool
-	format string
-	filter opts.FilterOpt
+// ListOptions contains options for the docker config ls command.
+type ListOptions struct {
+	Quiet  bool
+	Format string
+	Filter opts.FilterOpt
 }

 func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
-	listOpts := listOptions{filter: opts.NewFilterOpt()}
+	listOpts := ListOptions{Filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
 		Use:     "ls [OPTIONS]",
@ -28,30 +29,31 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "List configs",
 		Args:    cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runConfigList(dockerCli, listOpts)
+			return RunConfigList(dockerCli, listOpts)
 		},
 	}

 	flags := cmd.Flags()
-	flags.BoolVarP(&listOpts.quiet, "quiet", "q", false, "Only display IDs")
-	flags.StringVarP(&listOpts.format, "format", "", "", "Pretty-print configs using a Go template")
-	flags.VarP(&listOpts.filter, "filter", "f", "Filter output based on conditions provided")
+	flags.BoolVarP(&listOpts.Quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVarP(&listOpts.Format, "format", "", "", "Pretty-print configs using a Go template")
+	flags.VarP(&listOpts.Filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
 }

-func runConfigList(dockerCli command.Cli, options listOptions) error {
+// RunConfigList lists Swarm configs.
+func RunConfigList(dockerCli command.Cli, options ListOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.filter.Value()})
+	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
 	if err != nil {
 		return err
 	}

-	format := options.format
+	format := options.Format
 	if len(format) == 0 {
-		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.quiet {
+		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.Quiet {
 			format = dockerCli.ConfigFile().ConfigFormat
 		} else {
 			format = formatter.TableFormatKey
@ -64,7 +66,7 @@ func runConfigList(dockerCli command.Cli, options listOptions) error {

 	configCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewConfigFormat(format, options.quiet),
+		Format: NewFormat(format, options.Quiet),
 	}
-	return formatter.ConfigWrite(configCtx, configs)
+	return FormatWrite(configCtx, configs)
 }
--- a/cli/command/config/ls_test.go
+++ b/cli/command/config/ls_test.go
@ -7,14 +7,13 @@ import (

 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
+	. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/pkg/errors"
-	// Import builders to get the builder function as package function
-	. "github.com/docker/cli/internal/test/builders"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/golden"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/golden"
 )

 func TestConfigListErrors(t *testing.T) {
--- a/cli/command/config/remove.go
+++ b/cli/command/config/remove.go
@ -11,8 +11,9 @@ import (
 	"github.com/spf13/cobra"
 )

-type removeOptions struct {
-	names []string
+// RemoveOptions contains options for the docker config rm command.
+type RemoveOptions struct {
+	Names []string
 }

 func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
@ -22,21 +23,22 @@ func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "Remove one or more configs",
 		Args:    cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts := removeOptions{
-				names: args,
+			opts := RemoveOptions{
+				Names: args,
 			}
-			return runConfigRemove(dockerCli, opts)
+			return RunConfigRemove(dockerCli, opts)
 		},
 	}
 }

-func runConfigRemove(dockerCli command.Cli, opts removeOptions) error {
+// RunConfigRemove removes the given Swarm configs.
+func RunConfigRemove(dockerCli command.Cli, opts RemoveOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

 	var errs []string

-	for _, name := range opts.names {
+	for _, name := range opts.Names {
 		if err := client.ConfigRemove(ctx, name); err != nil {
 			errs = append(errs, err.Error())
 			continue
--- a/cli/command/config/remove_test.go
+++ b/cli/command/config/remove_test.go
@ -7,8 +7,8 @@ import (

 	"github.com/docker/cli/internal/test"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestConfigRemoveErrors(t *testing.T) {
--- a/cli/command/container/attach.go
+++ b/cli/command/container/attach.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"net/http/httputil"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@ -103,10 +102,7 @@ func runAttach(dockerCli command.Cli, opts *attachOptions) error {
 	}

 	resp, errAttach := client.ContainerAttach(ctx, opts.container, options)
-	if errAttach != nil && errAttach != httputil.ErrPersistEOF {
-		// ContainerAttach returns an ErrPersistEOF (connection closed)
-		// means server met an error and put it in Hijacked connection
-		// keep the error and read detailed error message from hijacked connection later
+	if errAttach != nil {
 		return errAttach
 	}
 	defer resp.Close()
@ -142,10 +138,6 @@ func runAttach(dockerCli command.Cli, opts *attachOptions) error {
 		return err
 	}

-	if errAttach != nil {
-		return errAttach
-	}
-
 	return getExitStatus(errC, resultC)
 }

--- a/cli/command/container/attach_test.go
+++ b/cli/command/container/attach_test.go
@ -10,7 +10,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
+	"gotest.tools/v3/assert"
 )

 func TestNewAttachCommandErrors(t *testing.T) {
--- a/cli/command/container/client_test.go
+++ b/cli/command/container/client_test.go
@ -12,19 +12,24 @@ import (

 type fakeClient struct {
 	client.Client
-	inspectFunc           func(string) (types.ContainerJSON, error)
-	execInspectFunc       func(execID string) (types.ContainerExecInspect, error)
-	execCreateFunc        func(container string, config types.ExecConfig) (types.IDResponse, error)
-	createContainerFunc   func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (container.ContainerCreateCreatedBody, error)
-	containerStartFunc    func(container string, options types.ContainerStartOptions) error
-	imageCreateFunc       func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
-	infoFunc              func() (types.Info, error)
-	containerStatPathFunc func(container, path string) (types.ContainerPathStat, error)
-	containerCopyFromFunc func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	logFunc               func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
-	waitFunc              func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
-	containerListFunc     func(types.ContainerListOptions) ([]types.Container, error)
-	Version               string
+	inspectFunc         func(string) (types.ContainerJSON, error)
+	execInspectFunc     func(execID string) (types.ContainerExecInspect, error)
+	execCreateFunc      func(container string, config types.ExecConfig) (types.IDResponse, error)
+	createContainerFunc func(config *container.Config,
+		hostConfig *container.HostConfig,
+		networkingConfig *network.NetworkingConfig,
+		containerName string) (container.ContainerCreateCreatedBody, error)
+	containerStartFunc      func(container string, options types.ContainerStartOptions) error
+	imageCreateFunc         func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	infoFunc                func() (types.Info, error)
+	containerStatPathFunc   func(container, path string) (types.ContainerPathStat, error)
+	containerCopyFromFunc   func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
+	logFunc                 func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
+	waitFunc                func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
+	containerListFunc       func(types.ContainerListOptions) ([]types.Container, error)
+	containerExportFunc     func(string) (io.ReadCloser, error)
+	containerExecResizeFunc func(id string, options types.ResizeOptions) error
+	Version                 string
 }

 func (f *fakeClient) ContainerList(_ context.Context, options types.ContainerListOptions) ([]types.Container, error) {
@ -124,3 +129,17 @@ func (f *fakeClient) ContainerStart(_ context.Context, container string, options
 	}
 	return nil
 }
+
+func (f *fakeClient) ContainerExport(_ context.Context, container string) (io.ReadCloser, error) {
+	if f.containerExportFunc != nil {
+		return f.containerExportFunc(container)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ContainerExecResize(_ context.Context, id string, options types.ResizeOptions) error {
+	if f.containerExecResizeFunc != nil {
+		return f.containerExecResizeFunc(id, options)
+	}
+	return nil
+}
--- a/cli/command/container/cp.go
+++ b/cli/command/container/cp.go
@ -128,6 +128,10 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		}
 	}

+	if err := command.ValidateOutputPath(dstPath); err != nil {
+		return err
+	}
+
 	client := dockerCli.Client()
 	// if client requests to follow symbol link, then must decide target file to be copied
 	var rebaseName string
@ -209,6 +213,11 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		dstStat, err = client.ContainerStatPath(ctx, copyConfig.container, linkTarget)
 	}

+	// Validate the destination path
+	if err := command.ValidateOutputPathFileMode(dstStat.Mode); err != nil {
+		return errors.Wrapf(err, `destination "%s:%s" must be a directory or a regular file`, copyConfig.container, dstPath)
+	}
+
 	// Ignore any error and assume that the parent directory of the destination
 	// path exists, in which case the copy may still succeed. If there is any
 	// type of conflict (e.g., non-directory overwriting an existing directory
--- a/cli/command/container/cp_test.go
+++ b/cli/command/container/cp_test.go
@ -11,10 +11,10 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/archive"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/fs"
-	"gotest.tools/skip"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/fs"
+	"gotest.tools/v3/skip"
 )

 func TestRunCopyWithInvalidArguments(t *testing.T) {
@ -190,3 +190,12 @@ func TestSplitCpArg(t *testing.T) {
 		})
 	}
 }
+
+func TestRunCopyFromContainerToFilesystemIrregularDestination(t *testing.T) {
+	options := copyOptions{source: "container:/dev/null", destination: "/dev/random"}
+	cli := test.NewFakeCli(nil)
+	err := runCopy(cli, options)
+	assert.Assert(t, err != nil)
+	expected := `"/dev/random" must be a directory or a regular file`
+	assert.ErrorContains(t, err, expected)
+}
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@ -5,10 +5,12 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"regexp"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@ -59,13 +61,27 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *createOptions, copts *containerOptions) error {
-	containerConfig, err := parse(flags, copts)
+func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, options *createOptions, copts *containerOptions) error {
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
+	newEnv := []string{}
+	for k, v := range proxyConfig {
+		if v == nil {
+			newEnv = append(newEnv, k)
+		} else {
+			newEnv = append(newEnv, fmt.Sprintf("%s=%s", k, *v))
+		}
+	}
+	copts.env = *opts.NewListOptsRef(&newEnv, nil)
+	containerConfig, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	if err != nil {
 		reportError(dockerCli.Err(), "create", err.Error(), true)
 		return cli.StatusError{StatusCode: 125}
 	}
-	response, err := createContainer(context.Background(), dockerCli, containerConfig, opts)
+	if err = validateAPIVersion(containerConfig, dockerCli.Client().ClientVersion()); err != nil {
+		reportError(dockerCli.Err(), "create", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
+	response, err := createContainer(context.Background(), dockerCli, containerConfig, options)
 	if err != nil {
 		return err
 	}
@ -165,6 +181,9 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
 	networkingConfig := containerConfig.NetworkingConfig
 	stderr := dockerCli.Err()

+	warnOnOomKillDisable(*hostConfig, stderr)
+	warnOnLocalhostDNS(*hostConfig, stderr)
+
 	var (
 		trustedRef reference.Canonical
 		namedRef   reference.Named
@ -227,3 +246,32 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
 	err = containerIDFile.Write(response.ID)
 	return &response, err
 }
+
+func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
+	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
+		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
+	}
+}
+
+// check the DNS settings passed via --dns against localhost regexp to warn if
+// they are trying to set a DNS to a localhost address
+func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
+	for _, dnsIP := range hostConfig.DNS {
+		if isLocalhost(dnsIP) {
+			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
+			return
+		}
+	}
+}
+
+// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
+const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
+
+var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
+
+// IsLocalhost returns true if ip matches the localhost IP regular expression.
+// Used for determining if nameserver settings are being passed which are
+// localhost addresses
+func isLocalhost(ip string) bool {
+	return localhostIPRegexp.MatchString(ip)
+}
--- a/cli/command/container/create_test.go
+++ b/cli/command/container/create_test.go
@ -7,9 +7,11 @@ import (
 	"io/ioutil"
 	"os"
 	"runtime"
+	"sort"
 	"strings"
 	"testing"

+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types"
@ -17,9 +19,10 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
-	"gotest.tools/fs"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/fs"
+	"gotest.tools/v3/golden"
 )

 func TestCIDFileNoOPWithNoFilename(t *testing.T) {
@ -148,6 +151,7 @@ func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
+		tc := tc
 		cli := test.NewFakeCli(&fakeClient{
 			createContainerFunc: func(config *container.Config,
 				hostConfig *container.HostConfig,
@ -166,6 +170,112 @@ func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
 	}
 }

+func TestNewCreateCommandWithWarnings(t *testing.T) {
+	testCases := []struct {
+		name    string
+		args    []string
+		warning bool
+	}{
+		{
+			name: "container-create-without-oom-kill-disable",
+			args: []string{"image:tag"},
+		},
+		{
+			name: "container-create-oom-kill-disable-false",
+			args: []string{"--oom-kill-disable=false", "image:tag"},
+		},
+		{
+			name:    "container-create-oom-kill-without-memory-limit",
+			args:    []string{"--oom-kill-disable", "image:tag"},
+			warning: true,
+		},
+		{
+			name:    "container-create-oom-kill-true-without-memory-limit",
+			args:    []string{"--oom-kill-disable=true", "image:tag"},
+			warning: true,
+		},
+		{
+			name: "container-create-oom-kill-true-with-memory-limit",
+			args: []string{"--oom-kill-disable=true", "--memory=100M", "image:tag"},
+		},
+		{
+			name:    "container-create-localhost-dns",
+			args:    []string{"--dns=127.0.0.11", "image:tag"},
+			warning: true,
+		},
+		{
+			name:    "container-create-localhost-dns-ipv6",
+			args:    []string{"--dns=::1", "image:tag"},
+			warning: true,
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				createContainerFunc: func(config *container.Config,
+					hostConfig *container.HostConfig,
+					networkingConfig *network.NetworkingConfig,
+					containerName string,
+				) (container.ContainerCreateCreatedBody, error) {
+					return container.ContainerCreateCreatedBody{}, nil
+				},
+			})
+			cmd := NewCreateCommand(cli)
+			cmd.SetOutput(ioutil.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			if tc.warning {
+				golden.Assert(t, cli.ErrBuffer().String(), tc.name+".golden")
+			} else {
+				assert.Equal(t, cli.ErrBuffer().String(), "")
+			}
+		})
+	}
+}
+
+func TestCreateContainerWithProxyConfig(t *testing.T) {
+	expected := []string{
+		"HTTP_PROXY=httpProxy",
+		"http_proxy=httpProxy",
+		"HTTPS_PROXY=httpsProxy",
+		"https_proxy=httpsProxy",
+		"NO_PROXY=noProxy",
+		"no_proxy=noProxy",
+		"FTP_PROXY=ftpProxy",
+		"ftp_proxy=ftpProxy",
+	}
+	sort.Strings(expected)
+
+	cli := test.NewFakeCli(&fakeClient{
+		createContainerFunc: func(config *container.Config,
+			hostConfig *container.HostConfig,
+			networkingConfig *network.NetworkingConfig,
+			containerName string,
+		) (container.ContainerCreateCreatedBody, error) {
+			sort.Strings(config.Env)
+			assert.DeepEqual(t, config.Env, expected)
+			return container.ContainerCreateCreatedBody{}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		Proxies: map[string]configfile.ProxyConfig{
+			"default": {
+				HTTPProxy:  "httpProxy",
+				HTTPSProxy: "httpsProxy",
+				NoProxy:    "noProxy",
+				FTPProxy:   "ftpProxy",
+			},
+		},
+	})
+	cmd := NewCreateCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"image:tag"})
+	err := cmd.Execute()
+	assert.NilError(t, err)
+}
+
 type fakeNotFound struct{}

 func (f fakeNotFound) NotFound() bool { return true }
--- a/cli/command/container/diff.go
+++ b/cli/command/container/diff.go
@ -41,7 +41,7 @@ func runDiff(dockerCli command.Cli, opts *diffOptions) error {
 	}
 	diffCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewDiffFormat("{{.Type}} {{.Path}}"),
+		Format: NewDiffFormat("{{.Type}} {{.Path}}"),
 	}
-	return formatter.DiffWrite(diffCtx, changes)
+	return DiffFormatWrite(diffCtx, changes)
 }
--- a/cli/command/container/exec_test.go
+++ b/cli/command/container/exec_test.go
@ -11,8 +11,8 @@ import (
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func withDefaultOpts(options execOptions) execOptions {
--- a/cli/command/container/export.go
+++ b/cli/command/container/export.go
@ -41,6 +41,10 @@ func runExport(dockerCli command.Cli, opts exportOptions) error {
 		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
 	}

+	if err := command.ValidateOutputPath(opts.output); err != nil {
+		return errors.Wrap(err, "failed to export container")
+	}
+
 	clnt := dockerCli.Client()

 	responseBody, err := clnt.ContainerExport(context.Background(), opts.container)
--- a/cli/command/container/export_test.go
+++ b/cli/command/container/export_test.go
@ -0,0 +1,49 @@
+package container
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/fs"
+)
+
+func TestContainerExportOutputToFile(t *testing.T) {
+	dir := fs.NewDir(t, "export-test")
+	defer dir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerExportFunc: func(container string) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("bar")), nil
+		},
+	})
+	cmd := NewExportCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"-o", dir.Join("foo"), "container"})
+	assert.NilError(t, cmd.Execute())
+
+	expected := fs.Expected(t,
+		fs.WithFile("foo", "bar", fs.MatchAnyFileMode),
+	)
+
+	assert.Assert(t, fs.Equal(dir.Path(), expected))
+}
+
+func TestContainerExportOutputToIrregularFile(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerExportFunc: func(container string) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("foo")), nil
+		},
+	})
+	cmd := NewExportCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"-o", "/dev/random", "container"})
+
+	err := cmd.Execute()
+	assert.Assert(t, err != nil)
+	expected := `"/dev/random" must be a directory or a regular file`
+	assert.ErrorContains(t, err, expected)
+}
--- a/cli/command/container/formatter_diff.go
+++ b/cli/command/container/formatter_diff.go
@ -1,6 +1,7 @@
-package formatter
+package container

 import (
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/archive"
 )
@ -13,18 +14,18 @@ const (
 )

 // NewDiffFormat returns a format for use with a diff Context
-func NewDiffFormat(source string) Format {
+func NewDiffFormat(source string) formatter.Format {
 	switch source {
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		return defaultDiffTableFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// DiffWrite writes formatted diff using the Context
-func DiffWrite(ctx Context, changes []container.ContainerChangeResponseItem) error {
+// DiffFormatWrite writes formatted diff using the Context
+func DiffFormatWrite(ctx formatter.Context, changes []container.ContainerChangeResponseItem) error {

-	render := func(format func(subContext subContext) error) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, change := range changes {
 			if err := format(&diffContext{c: change}); err != nil {
 				return err
@ -36,13 +37,13 @@ func DiffWrite(ctx Context, changes []container.ContainerChangeResponseItem) err
 }

 type diffContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c container.ContainerChangeResponseItem
 }

 func newDiffContext() *diffContext {
 	diffCtx := diffContext{}
-	diffCtx.header = map[string]string{
+	diffCtx.Header = formatter.SubHeaderContext{
 		"Type": changeTypeHeader,
 		"Path": pathHeader,
 	}
@ -50,7 +51,7 @@ func newDiffContext() *diffContext {
 }

 func (d *diffContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(d)
+	return formatter.MarshalJSON(d)
 }

 func (d *diffContext) Type() string {
--- a/cli/command/container/formatter_diff_test.go
+++ b/cli/command/container/formatter_diff_test.go
@ -1,23 +1,24 @@
-package formatter
+package container

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/archive"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestDiffContextFormatWrite(t *testing.T) {
 	// Check default output format (verbose and non-verbose mode) for table headers
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: NewDiffFormat("table")},
+			formatter.Context{Format: NewDiffFormat("table")},
 			`CHANGE TYPE         PATH
 C                   /var/log/app.log
 A                   /usr/app/app.js
@ -25,7 +26,7 @@ D                   /usr/app/old_app.js
 `,
 		},
 		{
-			Context{Format: NewDiffFormat("table {{.Path}}")},
+			formatter.Context{Format: NewDiffFormat("table {{.Path}}")},
 			`PATH
 /var/log/app.log
 /usr/app/app.js
@ -33,7 +34,7 @@ D                   /usr/app/old_app.js
 `,
 		},
 		{
-			Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
+			formatter.Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
 			`C: /var/log/app.log
 A: /usr/app/app.js
 D: /usr/app/old_app.js
@ -50,7 +51,7 @@ D: /usr/app/old_app.js
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		err := DiffWrite(testcase.context, diffs)
+		err := DiffFormatWrite(testcase.context, diffs)
 		if err != nil {
 			assert.Error(t, err, testcase.expected)
 		} else {
--- a/cli/command/container/formatter_stats.go
+++ b/cli/command/container/formatter_stats.go
@ -1,9 +1,10 @@
-package formatter
+package container

 import (
 	"fmt"
 	"sync"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/pkg/stringid"
 	units "github.com/docker/go-units"
 )
@ -40,8 +41,8 @@ type StatsEntry struct {
 	IsInvalid        bool
 }

-// ContainerStats represents an entity to store containers statistics synchronously
-type ContainerStats struct {
+// Stats represents an entity to store containers statistics synchronously
+type Stats struct {
 	mutex sync.Mutex
 	StatsEntry
 	err error
@ -49,7 +50,7 @@ type ContainerStats struct {

 // GetError returns the container statistics error.
 // This is used to determine whether the statistics are valid or not
-func (cs *ContainerStats) GetError() error {
+func (cs *Stats) GetError() error {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	return cs.err
@ -57,7 +58,7 @@ func (cs *ContainerStats) GetError() error {

 // SetErrorAndReset zeroes all the container statistics and store the error.
 // It is used when receiving time out error during statistics collecting to reduce lock overhead
-func (cs *ContainerStats) SetErrorAndReset(err error) {
+func (cs *Stats) SetErrorAndReset(err error) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	cs.CPUPercentage = 0
@ -74,7 +75,7 @@ func (cs *ContainerStats) SetErrorAndReset(err error) {
 }

 // SetError sets container statistics error
-func (cs *ContainerStats) SetError(err error) {
+func (cs *Stats) SetError(err error) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	cs.err = err
@ -84,7 +85,7 @@ func (cs *ContainerStats) SetError(err error) {
 }

 // SetStatistics set the container statistics
-func (cs *ContainerStats) SetStatistics(s StatsEntry) {
+func (cs *Stats) SetStatistics(s StatsEntry) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	s.Container = cs.Container
@ -92,38 +93,38 @@ func (cs *ContainerStats) SetStatistics(s StatsEntry) {
 }

 // GetStatistics returns container statistics with other meta data such as the container name
-func (cs *ContainerStats) GetStatistics() StatsEntry {
+func (cs *Stats) GetStatistics() StatsEntry {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	return cs.StatsEntry
 }

 // NewStatsFormat returns a format for rendering an CStatsContext
-func NewStatsFormat(source, osType string) Format {
-	if source == TableFormatKey {
+func NewStatsFormat(source, osType string) formatter.Format {
+	if source == formatter.TableFormatKey {
 		if osType == winOSType {
-			return Format(winDefaultStatsTableFormat)
+			return formatter.Format(winDefaultStatsTableFormat)
 		}
-		return Format(defaultStatsTableFormat)
+		return formatter.Format(defaultStatsTableFormat)
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// NewContainerStats returns a new ContainerStats entity and sets in it the given name
-func NewContainerStats(container string) *ContainerStats {
-	return &ContainerStats{StatsEntry: StatsEntry{Container: container}}
+// NewStats returns a new Stats entity and sets in it the given name
+func NewStats(container string) *Stats {
+	return &Stats{StatsEntry: StatsEntry{Container: container}}
 }

-// ContainerStatsWrite renders the context for a list of containers statistics
-func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string, trunc bool) error {
-	render := func(format func(subContext subContext) error) error {
-		for _, cstats := range containerStats {
-			containerStatsCtx := &containerStatsContext{
+// statsFormatWrite renders the context for a list of containers statistics
+func statsFormatWrite(ctx formatter.Context, Stats []StatsEntry, osType string, trunc bool) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
+		for _, cstats := range Stats {
+			statsCtx := &statsContext{
 				s:     cstats,
 				os:    osType,
 				trunc: trunc,
 			}
-			if err := format(containerStatsCtx); err != nil {
+			if err := format(statsCtx); err != nil {
 				return err
 			}
 		}
@ -133,11 +134,11 @@ func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string
 	if osType == winOSType {
 		memUsage = winMemUseHeader
 	}
-	containerStatsCtx := containerStatsContext{}
-	containerStatsCtx.header = map[string]string{
+	statsCtx := statsContext{}
+	statsCtx.Header = formatter.SubHeaderContext{
 		"Container": containerHeader,
-		"Name":      nameHeader,
-		"ID":        containerIDHeader,
+		"Name":      formatter.NameHeader,
+		"ID":        formatter.ContainerIDHeader,
 		"CPUPerc":   cpuPercHeader,
 		"MemUsage":  memUsage,
 		"MemPerc":   memPercHeader,
@ -145,47 +146,47 @@ func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string
 		"BlockIO":   blockIOHeader,
 		"PIDs":      pidsHeader,
 	}
-	containerStatsCtx.os = osType
-	return ctx.Write(&containerStatsCtx, render)
+	statsCtx.os = osType
+	return ctx.Write(&statsCtx, render)
 }

-type containerStatsContext struct {
-	HeaderContext
+type statsContext struct {
+	formatter.HeaderContext
 	s     StatsEntry
 	os    string
 	trunc bool
 }

-func (c *containerStatsContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+func (c *statsContext) MarshalJSON() ([]byte, error) {
+	return formatter.MarshalJSON(c)
 }

-func (c *containerStatsContext) Container() string {
+func (c *statsContext) Container() string {
 	return c.s.Container
 }

-func (c *containerStatsContext) Name() string {
+func (c *statsContext) Name() string {
 	if len(c.s.Name) > 1 {
 		return c.s.Name[1:]
 	}
 	return "--"
 }

-func (c *containerStatsContext) ID() string {
+func (c *statsContext) ID() string {
 	if c.trunc {
 		return stringid.TruncateID(c.s.ID)
 	}
 	return c.s.ID
 }

-func (c *containerStatsContext) CPUPerc() string {
+func (c *statsContext) CPUPerc() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%.2f%%", c.s.CPUPercentage)
 }

-func (c *containerStatsContext) MemUsage() string {
+func (c *statsContext) MemUsage() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("-- / --")
 	}
@ -195,28 +196,28 @@ func (c *containerStatsContext) MemUsage() string {
 	return fmt.Sprintf("%s / %s", units.BytesSize(c.s.Memory), units.BytesSize(c.s.MemoryLimit))
 }

-func (c *containerStatsContext) MemPerc() string {
+func (c *statsContext) MemPerc() string {
 	if c.s.IsInvalid || c.os == winOSType {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%.2f%%", c.s.MemoryPercentage)
 }

-func (c *containerStatsContext) NetIO() string {
+func (c *statsContext) NetIO() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.NetworkRx, 3), units.HumanSizeWithPrecision(c.s.NetworkTx, 3))
 }

-func (c *containerStatsContext) BlockIO() string {
+func (c *statsContext) BlockIO() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.BlockRead, 3), units.HumanSizeWithPrecision(c.s.BlockWrite, 3))
 }

-func (c *containerStatsContext) PIDs() string {
+func (c *statsContext) PIDs() string {
 	if c.s.IsInvalid || c.os == winOSType {
 		return fmt.Sprintf("--")
 	}
--- a/cli/command/container/formatter_stats_test.go
+++ b/cli/command/container/formatter_stats_test.go
@ -1,18 +1,19 @@
-package formatter
+package container

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/pkg/stringid"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestContainerStatsContext(t *testing.T) {
 	containerID := stringid.GenerateRandomID()

-	var ctx containerStatsContext
+	var ctx statsContext
 	tt := []struct {
 		stats     StatsEntry
 		osType    string
@ -39,7 +40,7 @@ func TestContainerStatsContext(t *testing.T) {
 	}

 	for _, te := range tt {
-		ctx = containerStatsContext{s: te.stats, os: te.osType}
+		ctx = statsContext{s: te.stats, os: te.osType}
 		if v := te.call(); v != te.expValue {
 			t.Fatalf("Expected %q, got %q", te.expValue, v)
 		}
@ -48,34 +49,34 @@ func TestContainerStatsContext(t *testing.T) {

 func TestContainerStatsContextWrite(t *testing.T) {
 	tt := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: "{{InvalidFunction}}"},
+			formatter.Context{Format: "{{InvalidFunction}}"},
 			`Template parsing error: template: :1: function "InvalidFunction" not defined
 `,
 		},
 		{
-			Context{Format: "{{nil}}"},
+			formatter.Context{Format: "{{nil}}"},
 			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
 `,
 		},
 		{
-			Context{Format: "table {{.MemUsage}}"},
+			formatter.Context{Format: "table {{.MemUsage}}"},
 			`MEM USAGE / LIMIT
 20B / 20B
 -- / --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.ID}}  {{.Name}}"},
+			formatter.Context{Format: "{{.Container}}  {{.ID}}  {{.Name}}"},
 			`container1  abcdef  foo
 container2    --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			formatter.Context{Format: "{{.Container}}  {{.CPUPerc}}"},
 			`container1  20.00%
 container2  --
 `,
@ -115,7 +116,7 @@ container2  --
 		}
 		var out bytes.Buffer
 		te.context.Output = &out
-		err := ContainerStatsWrite(te.context, stats, "linux", false)
+		err := statsFormatWrite(te.context, stats, "linux", false)
 		if err != nil {
 			assert.Error(t, err, te.expected)
 		} else {
@ -126,24 +127,24 @@ container2  --

 func TestContainerStatsContextWriteWindows(t *testing.T) {
 	tt := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: "table {{.MemUsage}}"},
+			formatter.Context{Format: "table {{.MemUsage}}"},
 			`PRIV WORKING SET
 20B
 -- / --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			formatter.Context{Format: "{{.Container}}  {{.CPUPerc}}"},
 			`container1  20.00%
 container2  --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.MemPerc}}  {{.PIDs}}"},
+			formatter.Context{Format: "{{.Container}}  {{.MemPerc}}  {{.PIDs}}"},
 			`container1  --  --
 container2  --  --
 `,
@ -181,7 +182,7 @@ container2  --  --
 		}
 		var out bytes.Buffer
 		te.context.Output = &out
-		err := ContainerStatsWrite(te.context, stats, "windows", false)
+		err := statsFormatWrite(te.context, stats, "windows", false)
 		if err != nil {
 			assert.Error(t, err, te.expected)
 		} else {
@ -194,25 +195,25 @@ func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.Container}}",
 				Output: &out,
 			},
 			"",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}",
 				Output: &out,
 			},
 			"CONTAINER\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.CPUPerc}}",
 				Output: &out,
 			},
@ -221,7 +222,7 @@ func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{}, "linux", false)
+		statsFormatWrite(context.context, []StatsEntry{}, "linux", false)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
@ -232,25 +233,25 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.Container}}",
 				Output: &out,
 			},
 			"",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.MemUsage}}",
 				Output: &out,
 			},
 			"CONTAINER           PRIV WORKING SET\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}",
 				Output: &out,
 			},
@ -259,7 +260,7 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{}, "windows", false)
+		statsFormatWrite(context.context, []StatsEntry{}, "windows", false)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
@ -270,12 +271,12 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		trunc    bool
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.ID}}",
 				Output: &out,
 			},
@ -283,7 +284,7 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 			"b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.ID}}",
 				Output: &out,
 			},
@ -293,7 +294,7 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
+		statsFormatWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
--- a/cli/command/container/list_test.go
+++ b/cli/command/container/list_test.go
@ -7,11 +7,10 @@ import (

 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
+	. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
 	"github.com/docker/docker/api/types"
-	// Import builders to get the builder function as package function
-	. "github.com/docker/cli/internal/test/builders"
-	"gotest.tools/assert"
-	"gotest.tools/golden"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/golden"
 )

 func TestContainerListErrors(t *testing.T) {
--- a/cli/command/container/logs.go
+++ b/cli/command/container/logs.go
@ -50,6 +50,11 @@ func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
 func runLogs(dockerCli command.Cli, opts *logsOptions) error {
 	ctx := context.Background()

+	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
+	if err != nil {
+		return err
+	}
+
 	options := types.ContainerLogsOptions{
 		ShowStdout: true,
 		ShowStderr: true,
@ -60,17 +65,12 @@ func runLogs(dockerCli command.Cli, opts *logsOptions) error {
 		Tail:       opts.tail,
 		Details:    opts.details,
 	}
-	responseBody, err := dockerCli.Client().ContainerLogs(ctx, opts.container, options)
+	responseBody, err := dockerCli.Client().ContainerLogs(ctx, c.ID, options)
 	if err != nil {
 		return err
 	}
 	defer responseBody.Close()

-	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
-	if err != nil {
-		return err
-	}
-
 	if c.Config.Tty {
 		_, err = io.Copy(dockerCli.Out(), responseBody)
 	} else {
--- a/cli/command/container/logs_test.go
+++ b/cli/command/container/logs_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 var logFn = func(expectedOut string) func(string, types.ContainerLogsOptions) (io.ReadCloser, error) {
--- a/cli/command/container/opts.go
+++ b/cli/command/container/opts.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"path"
+	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
@ -16,6 +17,8 @@ import (
 	"github.com/docker/docker/api/types/container"
 	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/signal"
 	"github.com/docker/go-connections/nat"
 	"github.com/pkg/errors"
@ -45,6 +48,7 @@ type containerOptions struct {
 	labels             opts.ListOpts
 	deviceCgroupRules  opts.ListOpts
 	devices            opts.ListOpts
+	gpus               opts.GpuOpts
 	ulimits            *opts.UlimitOpt
 	sysctls            *opts.MapOpts
 	publish            opts.ListOpts
@ -74,6 +78,7 @@ type containerOptions struct {
 	containerIDFile    string
 	entrypoint         string
 	hostname           string
+	domainname         string
 	memory             opts.MemBytes
 	memoryReservation  opts.MemBytes
 	memorySwap         opts.MemSwapBytes
@ -94,7 +99,7 @@ type containerOptions struct {
 	ioMaxBandwidth     opts.MemBytes
 	ioMaxIOps          uint64
 	swappiness         int64
-	netMode            string
+	netMode            opts.NetworkOpt
 	macAddress         string
 	ipv4Address        string
 	ipv6Address        string
@ -139,13 +144,13 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 		deviceReadIOps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
 		deviceWriteBps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleBpsDevice),
 		deviceWriteIOps:   opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
-		devices:           opts.NewListOpts(validateDevice),
+		devices:           opts.NewListOpts(nil), // devices can only be validated after we know the server OS
 		env:               opts.NewListOpts(opts.ValidateEnv),
 		envFile:           opts.NewListOpts(nil),
 		expose:            opts.NewListOpts(nil),
 		extraHosts:        opts.NewListOpts(opts.ValidateExtraHost),
 		groupAdd:          opts.NewListOpts(nil),
-		labels:            opts.NewListOpts(nil),
+		labels:            opts.NewListOpts(opts.ValidateLabel),
 		labelsFile:        opts.NewListOpts(nil),
 		linkLocalIPs:      opts.NewListOpts(nil),
 		links:             opts.NewListOpts(opts.ValidateLink),
@ -164,11 +169,14 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 	flags.VarP(&copts.attach, "attach", "a", "Attach to STDIN, STDOUT or STDERR")
 	flags.Var(&copts.deviceCgroupRules, "device-cgroup-rule", "Add a rule to the cgroup allowed devices list")
 	flags.Var(&copts.devices, "device", "Add a host device to the container")
+	flags.Var(&copts.gpus, "gpus", "GPU devices to add to the container ('all' to pass all GPUs)")
+	flags.SetAnnotation("gpus", "version", []string{"1.40"})
 	flags.VarP(&copts.env, "env", "e", "Set environment variables")
 	flags.Var(&copts.envFile, "env-file", "Read in a file of environment variables")
 	flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
 	flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
 	flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
+	flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
 	flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
 	flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
 	flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
@ -209,8 +217,8 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 	flags.VarP(&copts.publish, "publish", "p", "Publish a container's port(s) to the host")
 	flags.BoolVarP(&copts.publishAll, "publish-all", "P", false, "Publish all exposed ports to random ports")
 	// We allow for both "--net" and "--network", although the latter is the recommended way.
-	flags.StringVar(&copts.netMode, "net", "default", "Connect a container to a network")
-	flags.StringVar(&copts.netMode, "network", "default", "Connect a container to a network")
+	flags.Var(&copts.netMode, "net", "Connect a container to a network")
+	flags.Var(&copts.netMode, "network", "Connect a container to a network")
 	flags.MarkHidden("net")
 	// We allow for both "--net-alias" and "--network-alias", although the latter is the recommended way.
 	flags.Var(&copts.aliases, "net-alias", "Add network-scoped alias for the container")
@ -296,7 +304,7 @@ type containerConfig struct {
 // a HostConfig and returns them with the specified command.
 // If the specified args are not valid, it will return an error.
 // nolint: gocyclo
-func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, error) {
+func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*containerConfig, error) {
 	var (
 		attachStdin  = copts.attach.Get("stdin")
 		attachStdout = copts.attach.Get("stdout")
@ -414,10 +422,22 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		}
 	}

-	// parse device mappings
+	// validate and parse device mappings. Note we do late validation of the
+	// device path (as opposed to during flag parsing), as at the time we are
+	// parsing flags, we haven't yet sent a _ping to the daemon to determine
+	// what operating system it is.
 	deviceMappings := []container.DeviceMapping{}
 	for _, device := range copts.devices.GetAll() {
-		deviceMapping, err := parseDevice(device)
+		var (
+			validated     string
+			deviceMapping container.DeviceMapping
+			err           error
+		)
+		validated, err = validateDevice(device, serverOS)
+		if err != nil {
+			return nil, err
+		}
+		deviceMapping, err = parseDevice(validated, serverOS)
 		if err != nil {
 			return nil, err
 		}
@ -466,6 +486,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		return nil, err
 	}

+	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)
+
 	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
 	if err != nil {
 		return nil, err
@ -530,7 +552,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		CPUQuota:             copts.cpuQuota,
 		CPURealtimePeriod:    copts.cpuRealtimePeriod,
 		CPURealtimeRuntime:   copts.cpuRealtimeRuntime,
-		PidsLimit:            copts.pidsLimit,
+		PidsLimit:            &copts.pidsLimit,
 		BlkioWeight:          copts.blkioWeight,
 		BlkioWeightDevice:    copts.blkioWeightDevice.GetList(),
 		BlkioDeviceReadBps:   copts.deviceReadBps.GetList(),
@ -542,10 +564,12 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		Ulimits:              copts.ulimits.GetList(),
 		DeviceCgroupRules:    copts.deviceCgroupRules.GetAll(),
 		Devices:              deviceMappings,
+		DeviceRequests:       copts.gpus.Value(),
 	}

 	config := &container.Config{
 		Hostname:     copts.hostname,
+		Domainname:   copts.domainname,
 		ExposedPorts: ports,
 		User:         copts.user,
 		Tty:          copts.tty,
@ -593,8 +617,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		DNSOptions:     copts.dnsOptions.GetAllOrEmpty(),
 		ExtraHosts:     copts.extraHosts.GetAll(),
 		VolumesFrom:    copts.volumesFrom.GetAll(),
-		NetworkMode:    container.NetworkMode(copts.netMode),
 		IpcMode:        container.IpcMode(copts.ipcMode),
+		NetworkMode:    container.NetworkMode(copts.netMode.NetworkMode()),
 		PidMode:        pidMode,
 		UTSMode:        utsMode,
 		UsernsMode:     usernsMode,
@ -614,6 +638,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		Sysctls:        copts.sysctls.GetAll(),
 		Runtime:        copts.runtime,
 		Mounts:         mounts,
+		MaskedPaths:    maskedPaths,
+		ReadonlyPaths:  readonlyPaths,
 	}

 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
@ -634,39 +660,9 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		EndpointsConfig: make(map[string]*networktypes.EndpointSettings),
 	}

-	if copts.ipv4Address != "" || copts.ipv6Address != "" || copts.linkLocalIPs.Len() > 0 {
-		epConfig := &networktypes.EndpointSettings{}
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
-
-		epConfig.IPAMConfig = &networktypes.EndpointIPAMConfig{
-			IPv4Address: copts.ipv4Address,
-			IPv6Address: copts.ipv6Address,
-		}
-
-		if copts.linkLocalIPs.Len() > 0 {
-			epConfig.IPAMConfig.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
-			copy(epConfig.IPAMConfig.LinkLocalIPs, copts.linkLocalIPs.GetAll())
-		}
-	}
-
-	if hostConfig.NetworkMode.IsUserDefined() && len(hostConfig.Links) > 0 {
-		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
-		if epConfig == nil {
-			epConfig = &networktypes.EndpointSettings{}
-		}
-		epConfig.Links = make([]string, len(hostConfig.Links))
-		copy(epConfig.Links, hostConfig.Links)
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
-	}
-
-	if copts.aliases.Len() > 0 {
-		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
-		if epConfig == nil {
-			epConfig = &networktypes.EndpointSettings{}
-		}
-		epConfig.Aliases = make([]string, copts.aliases.Len())
-		copy(epConfig.Aliases, copts.aliases.GetAll())
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
+	networkingConfig.EndpointsConfig, err = parseNetworkOpts(copts)
+	if err != nil {
+		return nil, err
 	}

 	return &containerConfig{
@ -676,6 +672,121 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 	}, nil
 }

+// parseNetworkOpts converts --network advanced options to endpoint-specs, and combines
+// them with the old --network-alias and --links. If returns an error if conflicting options
+// are found.
+//
+// this function may return _multiple_ endpoints, which is not currently supported
+// by the daemon, but may be in future; it's up to the daemon to produce an error
+// in case that is not supported.
+func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.EndpointSettings, error) {
+	var (
+		endpoints                         = make(map[string]*networktypes.EndpointSettings, len(copts.netMode.Value()))
+		hasUserDefined, hasNonUserDefined bool
+	)
+
+	for i, n := range copts.netMode.Value() {
+		if container.NetworkMode(n.Target).IsUserDefined() {
+			hasUserDefined = true
+		} else {
+			hasNonUserDefined = true
+		}
+		if i == 0 {
+			// The first network corresponds with what was previously the "only"
+			// network, and what would be used when using the non-advanced syntax
+			// `--network-alias`, `--link`, `--ip`, `--ip6`, and `--link-local-ip`
+			// are set on this network, to preserve backward compatibility with
+			// the non-advanced notation
+			if err := applyContainerOptions(&n, copts); err != nil {
+				return nil, err
+			}
+		}
+		ep, err := parseNetworkAttachmentOpt(n)
+		if err != nil {
+			return nil, err
+		}
+		if _, ok := endpoints[n.Target]; ok {
+			return nil, errdefs.InvalidParameter(errors.Errorf("network %q is specified multiple times", n.Target))
+		}
+
+		// For backward compatibility: if no custom options are provided for the network,
+		// and only a single network is specified, omit the endpoint-configuration
+		// on the client (the daemon will still create it when creating the container)
+		if i == 0 && len(copts.netMode.Value()) == 1 {
+			if ep == nil || reflect.DeepEqual(*ep, networktypes.EndpointSettings{}) {
+				continue
+			}
+		}
+		endpoints[n.Target] = ep
+	}
+	if hasUserDefined && hasNonUserDefined {
+		return nil, errdefs.InvalidParameter(errors.New("conflicting options: cannot attach both user-defined and non-user-defined network-modes"))
+	}
+	return endpoints, nil
+}
+
+func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOptions) error {
+	// TODO should copts.MacAddress actually be set on the first network? (currently it's not)
+	// TODO should we error if _any_ advanced option is used? (i.e. forbid to combine advanced notation with the "old" flags (`--network-alias`, `--link`, `--ip`, `--ip6`)?
+	if len(n.Aliases) > 0 && copts.aliases.Len() > 0 {
+		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --network-alias and per-network alias"))
+	}
+	if len(n.Links) > 0 && copts.links.Len() > 0 {
+		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --link and per-network links"))
+	}
+	if copts.aliases.Len() > 0 {
+		n.Aliases = make([]string, copts.aliases.Len())
+		copy(n.Aliases, copts.aliases.GetAll())
+	}
+	if copts.links.Len() > 0 {
+		n.Links = make([]string, copts.links.Len())
+		copy(n.Links, copts.links.GetAll())
+	}
+
+	// TODO add IPv4/IPv6 options to the csv notation for --network, and error-out in case of conflicting options
+	n.IPv4Address = copts.ipv4Address
+	n.IPv6Address = copts.ipv6Address
+
+	// TODO should linkLocalIPs be added to the _first_ network only, or to _all_ networks? (should this be a per-network option as well?)
+	if copts.linkLocalIPs.Len() > 0 {
+		n.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
+		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetAll())
+	}
+	return nil
+}
+
+func parseNetworkAttachmentOpt(ep opts.NetworkAttachmentOpts) (*networktypes.EndpointSettings, error) {
+	if strings.TrimSpace(ep.Target) == "" {
+		return nil, errors.New("no name set for network")
+	}
+	if !container.NetworkMode(ep.Target).IsUserDefined() {
+		if len(ep.Aliases) > 0 {
+			return nil, errors.New("network-scoped aliases are only supported for user-defined networks")
+		}
+		if len(ep.Links) > 0 {
+			return nil, errors.New("links are only supported for user-defined networks")
+		}
+	}
+
+	epConfig := &networktypes.EndpointSettings{}
+	epConfig.Aliases = append(epConfig.Aliases, ep.Aliases...)
+	if len(ep.DriverOpts) > 0 {
+		epConfig.DriverOpts = make(map[string]string)
+		epConfig.DriverOpts = ep.DriverOpts
+	}
+	if len(ep.Links) > 0 {
+		epConfig.Links = ep.Links
+	}
+	if ep.IPv4Address != "" || ep.IPv6Address != "" || len(ep.LinkLocalIPs) > 0 {
+		epConfig.IPAMConfig = &networktypes.EndpointIPAMConfig{
+			IPv4Address:  ep.IPv4Address,
+			IPv6Address:  ep.IPv6Address,
+			LinkLocalIPs: ep.LinkLocalIPs,
+		}
+	}
+	return epConfig, nil
+}
+
 func parsePortOpts(publishOpts []string) ([]string, error) {
 	optsList := []string{}
 	for _, publish := range publishOpts {
@ -688,7 +799,7 @@ func parsePortOpts(publishOpts []string) ([]string, error) {

 			params[opt[0]] = opt[1]
 		}
-		optsList = append(optsList, fmt.Sprintf("%s:%s/%s", params["target"], params["published"], params["protocol"]))
+		optsList = append(optsList, fmt.Sprintf("%s:%s/%s", params["published"], params["target"], params["protocol"]))
 	}
 	return optsList, nil
 }
@ -728,6 +839,25 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 	return securityOpts, nil
 }

+// parseSystemPaths checks if `systempaths=unconfined` security option is set,
+// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
+// list of security options is returned with this option removed, because the
+// `unconfined` option is handled client-side, and should not be sent to the
+// daemon.
+func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {
+	filtered = securityOpts[:0]
+	for _, opt := range securityOpts {
+		if opt == "systempaths=unconfined" {
+			maskedPaths = []string{}
+			readonlyPaths = []string{}
+		} else {
+			filtered = append(filtered, opt)
+		}
+	}
+
+	return filtered, maskedPaths, readonlyPaths
+}
+
 // parses storage options per container into a map
 func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 	m := make(map[string]string)
@ -743,7 +873,19 @@ func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 }

 // parseDevice parses a device mapping string to a container.DeviceMapping struct
-func parseDevice(device string) (container.DeviceMapping, error) {
+func parseDevice(device, serverOS string) (container.DeviceMapping, error) {
+	switch serverOS {
+	case "linux":
+		return parseLinuxDevice(device)
+	case "windows":
+		return parseWindowsDevice(device)
+	}
+	return container.DeviceMapping{}, errors.Errorf("unknown server OS: %s", serverOS)
+}
+
+// parseLinuxDevice parses a device mapping string to a container.DeviceMapping struct
+// knowing that the target is a Linux daemon
+func parseLinuxDevice(device string) (container.DeviceMapping, error) {
 	src := ""
 	dst := ""
 	permissions := "rwm"
@ -777,6 +919,12 @@ func parseDevice(device string) (container.DeviceMapping, error) {
 	return deviceMapping, nil
 }

+// parseWindowsDevice parses a device mapping string to a container.DeviceMapping struct
+// knowing that the target is a Windows daemon
+func parseWindowsDevice(device string) (container.DeviceMapping, error) {
+	return container.DeviceMapping{PathOnHost: device}, nil
+}
+
 // validateDeviceCgroupRule validates a device cgroup rule string format
 // It will make sure 'val' is in the form:
 //    'type major:minor mode'
@ -809,14 +957,23 @@ func validDeviceMode(mode string) bool {
 }

 // validateDevice validates a path for devices
+func validateDevice(val string, serverOS string) (string, error) {
+	switch serverOS {
+	case "linux":
+		return validateLinuxPath(val, validDeviceMode)
+	case "windows":
+		// Windows does validation entirely server-side
+		return val, nil
+	}
+	return "", errors.Errorf("unknown server OS: %s", serverOS)
+}
+
+// validateLinuxPath is the implementation of validateDevice knowing that the
+// target server operating system is a Linux daemon.
 // It will make sure 'val' is in the form:
 //    [host-dir:]container-path[:mode]
 // It also validates the device mode.
-func validateDevice(val string) (string, error) {
-	return validatePath(val, validDeviceMode)
-}
-
-func validatePath(val string, validator func(string) bool) (string, error) {
+func validateLinuxPath(val string, validator func(string) bool) (string, error) {
 	var containerPath string
 	var mode string

@ -866,3 +1023,12 @@ func validateAttach(val string) (string, error) {
 	}
 	return val, errors.Errorf("valid streams are STDIN, STDOUT and STDERR")
 }
+
+func validateAPIVersion(c *containerConfig, serverAPIVersion string) error {
+	for _, m := range c.HostConfig.Mounts {
+		if m.BindOptions != nil && m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") {
+			return errors.Errorf("bind-nonrecursive requires API v1.40 or later")
+		}
+	}
+	return nil
+}
--- a/cli/command/container/opts_test.go
+++ b/cli/command/container/opts_test.go
@ -14,8 +14,9 @@ import (
 	"github.com/docker/go-connections/nat"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/skip"
 )

 func TestValidateAttach(t *testing.T) {
@ -48,7 +49,7 @@ func parseRun(args []string) (*container.Config, *container.HostConfig, *network
 		return nil, nil, nil, err
 	}
 	// TODO: fix tests to accept ContainerConfig
-	containerConfig, err := parse(flags, copts)
+	containerConfig, err := parse(flags, copts, runtime.GOOS)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@ -64,7 +65,7 @@ func setupRunFlags() (*pflag.FlagSet, *containerOptions) {
 }

 func parseMustError(t *testing.T, args string) {
-	_, _, _, err := parseRun(strings.Split(args+" ubuntu bash", " "))
+	_, _, _, err := parseRun(strings.Split(args+" ubuntu bash", " ")) //nolint:dogsled
 	assert.ErrorContains(t, err, "", args)
 }

@ -265,14 +266,35 @@ func TestParseHostname(t *testing.T) {
 	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
 	for hostname, expectedHostname := range validHostnames {
 		if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
-			t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
+			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
 		}
 	}
-	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
+	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
 	}
-	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
+	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
+	}
+}
+
+func TestParseHostnameDomainname(t *testing.T) {
+	validDomainnames := map[string]string{
+		"domainname":    "domainname",
+		"domain-name":   "domain-name",
+		"domainname123": "domainname123",
+		"123domainname": "123domainname",
+		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
+	}
+	for domainname, expectedDomainname := range validDomainnames {
+		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
+		}
+	}
+	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
+	}
+	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
 	}
 }

@ -330,6 +352,7 @@ func TestParseWithExpose(t *testing.T) {
 }

 func TestParseDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows") // Windows validates server-side
 	valids := map[string]container.DeviceMapping{
 		"/dev/snd": {
 			PathOnHost:        "/dev/snd",
@ -367,12 +390,145 @@ func TestParseDevice(t *testing.T) {

 }

+func TestParseNetworkConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		flags       []string
+		expected    map[string]*networktypes.EndpointSettings
+		expectedCfg container.HostConfig
+		expectedErr string
+	}{
+		{
+			name:        "single-network-legacy",
+			flags:       []string{"--network", "net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "single-network-advanced",
+			flags:       []string{"--network", "name=net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "single-network-legacy-with-options",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "multiple-network-advanced-mixed",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1,driver-opt=field1=value1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+				"--network", "net2",
+				"--network", "name=net3,alias=web3,driver-opt=field3=value3",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{"field1": "value1"},
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+				"net2": {},
+				"net3": {
+					DriverOpts: map[string]string{"field3": "value3"},
+					Aliases:    []string{"web3"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:  "single-network-advanced-with-options",
+			flags: []string{"--network", "name=net1,alias=web1,alias=web2,driver-opt=field1=value1,driver-opt=field2=value2"},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{
+						"field1": "value1",
+						"field2": "value2",
+					},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "multiple-networks",
+			flags:       []string{"--network", "net1", "--network", "name=net2"},
+			expected:    map[string]*networktypes.EndpointSettings{"net1": {}, "net2": {}},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "conflict-network",
+			flags:       []string{"--network", "duplicate", "--network", "name=duplicate"},
+			expectedErr: `network "duplicate" is specified multiple times`,
+		},
+		{
+			name:        "conflict-options",
+			flags:       []string{"--network", "name=net1,alias=web1", "--network-alias", "web1"},
+			expectedErr: `conflicting options: cannot specify both --network-alias and per-network alias`,
+		},
+		{
+			name:        "invalid-mixed-network-types",
+			flags:       []string{"--network", "name=host", "--network", "net1"},
+			expectedErr: `conflicting options: cannot attach both user-defined and non-user-defined network-modes`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, hConfig, nwConfig, err := parseRun(tc.flags)
+
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+				return
+			}
+
+			assert.NilError(t, err)
+			assert.DeepEqual(t, hConfig.NetworkMode, tc.expectedCfg.NetworkMode)
+			assert.DeepEqual(t, nwConfig.EndpointsConfig, tc.expected)
+		})
+	}
+}
+
 func TestParseModes(t *testing.T) {
 	// pid ko
 	flags, copts := setupRunFlags()
 	args := []string{"--pid=container:", "img", "cmd"}
 	assert.NilError(t, flags.Parse(args))
-	_, err := parse(flags, copts)
+	_, err := parse(flags, copts, runtime.GOOS)
 	assert.ErrorContains(t, err, "--pid: invalid PID mode")

 	// pid ok
@ -383,7 +539,7 @@ func TestParseModes(t *testing.T) {
 	}

 	// uts ko
-	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"})
+	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"}) //nolint:dogsled
 	assert.ErrorContains(t, err, "--uts: invalid UTS mode")

 	// uts ok
@ -444,7 +600,7 @@ func TestParseRestartPolicy(t *testing.T) {

 func TestParseRestartPolicyAutoRemove(t *testing.T) {
 	expected := "Conflicting options: --restart and --rm"
-	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"})
+	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled
 	if err == nil || err.Error() != expected {
 		t.Fatalf("Expected error %v, but got none", expected)
 	}
@ -594,6 +750,7 @@ func TestParseEntryPoint(t *testing.T) {
 }

 func TestValidateDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows") // Windows validates server-side
 	valid := []string{
 		"/home",
 		"/home:/home",
@ -628,13 +785,13 @@ func TestValidateDevice(t *testing.T) {
 	}

 	for _, path := range valid {
-		if _, err := validateDevice(path); err != nil {
+		if _, err := validateDevice(path, runtime.GOOS); err != nil {
 			t.Fatalf("ValidateDevice(`%q`) should succeed: error %q", path, err)
 		}
 	}

 	for path, expectedError := range invalid {
-		if _, err := validateDevice(path); err == nil {
+		if _, err := validateDevice(path, runtime.GOOS); err == nil {
 			t.Fatalf("ValidateDevice(`%q`) should have failed validation", path)
 		} else {
 			if err.Error() != expectedError {
@ -643,3 +800,63 @@ func TestValidateDevice(t *testing.T) {
 		}
 	}
 }
+
+func TestParseSystemPaths(t *testing.T) {
+	tests := []struct {
+		doc                       string
+		in, out, masked, readonly []string
+	}{
+		{
+			doc: "not set",
+			in:  []string{},
+			out: []string{},
+		},
+		{
+			doc: "not set, preserve other options",
+			in: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+			out: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+		},
+		{
+			doc:      "unconfined",
+			in:       []string{"systempaths=unconfined"},
+			out:      []string{},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc:      "unconfined and other options",
+			in:       []string{"foo=bar", "bar=baz", "systempaths=unconfined"},
+			out:      []string{"foo=bar", "bar=baz"},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc: "unknown option",
+			in:  []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+			out: []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+		},
+	}
+
+	for _, tc := range tests {
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(tc.in)
+		assert.DeepEqual(t, securityOpts, tc.out)
+		assert.DeepEqual(t, maskedPaths, tc.masked)
+		assert.DeepEqual(t, readonlyPaths, tc.readonly)
+	}
+}
+
+func TestParsePortOpts(t *testing.T) {
+	parsed, err := parsePortOpts([]string{"published=1500,target=200", "target=80,published=90"})
+	assert.NilError(t, err)
+	assert.DeepEqual(t, []string{"1500:200/tcp", "90:80/tcp"}, parsed)
+}
--- a/cli/command/container/prune.go
+++ b/cli/command/container/prune.go
@ -73,6 +73,6 @@ func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint6

 // RunPrune calls the Container Prune API
 // This returns the amount of space reclaimed and a detailed output string
-func RunPrune(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
 	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
 }
--- a/cli/command/container/ps_test.go
+++ b/cli/command/container/ps_test.go
@ -4,8 +4,8 @@ import (
 	"testing"

 	"github.com/docker/cli/opts"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestBuildContainerListOptions(t *testing.T) {
--- a/cli/command/container/rm.go
+++ b/cli/command/container/rm.go
@ -35,7 +35,7 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	flags.BoolVarP(&opts.rmVolumes, "volumes", "v", false, "Remove the volumes associated with the container")
+	flags.BoolVarP(&opts.rmVolumes, "volumes", "v", false, "Remove anonymous volumes associated with the container")
 	flags.BoolVarP(&opts.rmLink, "link", "l", false, "Remove the specified link")
 	flags.BoolVarP(&opts.force, "force", "f", false, "Force the removal of a running container (uses SIGKILL)")
 	return cmd
--- a/cli/command/container/run.go
+++ b/cli/command/container/run.go
@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"net/http/httputil"
 	"os"
-	"regexp"
 	"runtime"
 	"strings"
 	"syscall"
@ -68,37 +66,8 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
-	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
-		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
-	}
-}
-
-// check the DNS settings passed via --dns against localhost regexp to warn if
-// they are trying to set a DNS to a localhost address
-func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
-	for _, dnsIP := range hostConfig.DNS {
-		if isLocalhost(dnsIP) {
-			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
-			return
-		}
-	}
-}
-
-// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
-const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
-
-var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
-
-// IsLocalhost returns true if ip matches the localhost IP regular expression.
-// Used for determining if nameserver settings are being passed which are
-// localhost addresses
-func isLocalhost(ip string) bool {
-	return localhostIPRegexp.MatchString(ip)
-}
-
 func runRun(dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copts *containerOptions) error {
-	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), copts.env.GetAll())
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
 	newEnv := []string{}
 	for k, v := range proxyConfig {
 		if v == nil {
@ -108,12 +77,16 @@ func runRun(dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copt
 		}
 	}
 	copts.env = *opts.NewListOptsRef(&newEnv, nil)
-	containerConfig, err := parse(flags, copts)
+	containerConfig, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	// just in case the parse does not exit
 	if err != nil {
 		reportError(dockerCli.Err(), "run", err.Error(), true)
 		return cli.StatusError{StatusCode: 125}
 	}
+	if err = validateAPIVersion(containerConfig, dockerCli.Client().ClientVersion()); err != nil {
+		reportError(dockerCli.Err(), "run", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
 	return runContainer(dockerCli, ropts, copts, containerConfig)
 }

@ -124,9 +97,6 @@ func runContainer(dockerCli command.Cli, opts *runOptions, copts *containerOptio
 	stdout, stderr := dockerCli.Out(), dockerCli.Err()
 	client := dockerCli.Client()

-	warnOnOomKillDisable(*hostConfig, stderr)
-	warnOnLocalhostDNS(*hostConfig, stderr)
-
 	config.ArgsEscaped = false

 	if !opts.detach {
@ -144,11 +114,6 @@ func runContainer(dockerCli command.Cli, opts *runOptions, copts *containerOptio
 		config.StdinOnce = false
 	}

-	// Disable sigProxy when in TTY mode
-	if config.Tty {
-		opts.sigProxy = false
-	}
-
 	// Telling the Windows daemon the initial size of the tty during start makes
 	// a far better user experience rather than relying on subsequent resizes
 	// to cause things to catch up.
@ -282,10 +247,7 @@ func attachContainer(
 	}

 	resp, errAttach := dockerCli.Client().ContainerAttach(ctx, containerID, options)
-	if errAttach != nil && errAttach != httputil.ErrPersistEOF {
-		// ContainerAttach returns an ErrPersistEOF (connection closed)
-		// means server met an error and put it in Hijacked connection
-		// keep the error and read detailed error message from hijacked connection later
+	if errAttach != nil {
 		return nil, errAttach
 	}

--- a/cli/command/container/run_test.go
+++ b/cli/command/container/run_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func TestRunLabel(t *testing.T) {
@ -23,8 +23,7 @@ func TestRunLabel(t *testing.T) {
 		Version: "1.36",
 	})
 	cmd := NewRunCommand(cli)
-	cmd.Flags().Set("detach", "true")
-	cmd.SetArgs([]string{"--label", "foo", "busybox"})
+	cmd.SetArgs([]string{"--detach=true", "--label", "foo", "busybox"})
 	assert.NilError(t, cmd.Execute())
 }

--- a/cli/command/container/start.go
+++ b/cli/command/container/start.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"net/http/httputil"
 	"strings"

 	"github.com/docker/cli/cli"
@ -98,10 +97,7 @@ func runStart(dockerCli command.Cli, opts *startOptions) error {
 		}

 		resp, errAttach := dockerCli.Client().ContainerAttach(ctx, c.ID, options)
-		if errAttach != nil && errAttach != httputil.ErrPersistEOF {
-			// ContainerAttach return an ErrPersistEOF (connection closed)
-			// means server met an error and already put it in Hijacked connection,
-			// we would keep the error and read the detailed error message from hijacked connection
+		if errAttach != nil {
 			return errAttach
 		}
 		defer resp.Close()
@ -154,7 +150,7 @@ func runStart(dockerCli command.Cli, opts *startOptions) error {
 			}
 		}
 		if attachErr := <-cErr; attachErr != nil {
-			if _, ok := err.(term.EscapeError); ok {
+			if _, ok := attachErr.(term.EscapeError); ok {
 				// The user entered the detach escape sequence.
 				return nil
 			}
--- a/cli/command/container/stats.go
+++ b/cli/command/container/stats.go
@ -108,7 +108,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 			closeChan <- err
 		}
 		for _, container := range cs {
-			s := formatter.NewContainerStats(container.ID[:12])
+			s := NewStats(container.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -125,7 +125,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		eh := command.InitEventHandler()
 		eh.Handle("create", func(e events.Message) {
 			if opts.all {
-				s := formatter.NewContainerStats(e.ID[:12])
+				s := NewStats(e.ID[:12])
 				if cStats.add(s) {
 					waitFirst.Add(1)
 					go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -134,7 +134,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		})

 		eh.Handle("start", func(e events.Message) {
-			s := formatter.NewContainerStats(e.ID[:12])
+			s := NewStats(e.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -160,7 +160,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		// Artificially send creation events for the containers we were asked to
 		// monitor (same code path than we use when monitoring all containers).
 		for _, name := range opts.containers {
-			s := formatter.NewContainerStats(name)
+			s := NewStats(name)
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -198,7 +198,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 	}
 	statsCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewStatsFormat(format, daemonOSType),
+		Format: NewStatsFormat(format, daemonOSType),
 	}
 	cleanScreen := func() {
 		if !opts.noStream {
@ -208,15 +208,17 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 	}

 	var err error
-	for range time.Tick(500 * time.Millisecond) {
+	ticker := time.NewTicker(500 * time.Millisecond)
+	defer ticker.Stop()
+	for range ticker.C {
 		cleanScreen()
-		ccstats := []formatter.StatsEntry{}
+		ccstats := []StatsEntry{}
 		cStats.mu.Lock()
 		for _, c := range cStats.cs {
 			ccstats = append(ccstats, c.GetStatistics())
 		}
 		cStats.mu.Unlock()
-		if err = formatter.ContainerStatsWrite(statsCtx, ccstats, daemonOSType, !opts.noTrunc); err != nil {
+		if err = statsFormatWrite(statsCtx, ccstats, daemonOSType, !opts.noTrunc); err != nil {
 			break
 		}
 		if len(cStats.cs) == 0 && !showAll {
--- a/cli/command/container/stats_helpers.go
+++ b/cli/command/container/stats_helpers.go
@ -4,11 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"strings"
 	"sync"
 	"time"

-	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
@ -17,7 +15,7 @@ import (

 type stats struct {
 	mu sync.Mutex
-	cs []*formatter.ContainerStats
+	cs []*Stats
 }

 // daemonOSType is set once we have at least one stat for a container
@ -25,7 +23,7 @@ type stats struct {
 // on the daemon platform.
 var daemonOSType string

-func (s *stats) add(cs *formatter.ContainerStats) bool {
+func (s *stats) add(cs *Stats) bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if _, exists := s.isKnownContainer(cs.Container); !exists {
@ -52,7 +50,7 @@ func (s *stats) isKnownContainer(cid string) (int, bool) {
 	return -1, false
 }

-func collect(ctx context.Context, s *formatter.ContainerStats, cli client.APIClient, streamStats bool, waitFirst *sync.WaitGroup) {
+func collect(ctx context.Context, s *Stats, cli client.APIClient, streamStats bool, waitFirst *sync.WaitGroup) {
 	logrus.Debugf("collecting stats for %s", s.Container)
 	var (
 		getFirst       bool
@ -115,7 +113,7 @@ func collect(ctx context.Context, s *formatter.ContainerStats, cli client.APICli
 				mem = float64(v.MemoryStats.PrivateWorkingSet)
 			}
 			netRx, netTx := calculateNetwork(v.Networks)
-			s.SetStatistics(formatter.StatsEntry{
+			s.SetStatistics(StatsEntry{
 				Name:             v.Name,
 				ID:               v.ID,
 				CPUPercentage:    cpuPercent,
@ -203,10 +201,13 @@ func calculateCPUPercentWindows(v *types.StatsJSON) float64 {
 func calculateBlockIO(blkio types.BlkioStats) (uint64, uint64) {
 	var blkRead, blkWrite uint64
 	for _, bioEntry := range blkio.IoServiceBytesRecursive {
-		switch strings.ToLower(bioEntry.Op) {
-		case "read":
+		if len(bioEntry.Op) == 0 {
+			continue
+		}
+		switch bioEntry.Op[0] {
+		case 'r', 'R':
 			blkRead = blkRead + bioEntry.Value
-		case "write":
+		case 'w', 'W':
 			blkWrite = blkWrite + bioEntry.Value
 		}
 	}
--- a/cli/command/container/stats_helpers_test.go
+++ b/cli/command/container/stats_helpers_test.go
@ -5,7 +5,7 @@ import (
 	"testing"

 	"github.com/docker/docker/api/types"
-	"gotest.tools/assert"
+	"gotest.tools/v3/assert"
 )

 func TestCalculateMemUsageUnixNoCache(t *testing.T) {
--- a/cli/command/container/stats_unit_test.go
+++ b/cli/command/container/stats_unit_test.go
@ -11,15 +11,20 @@ func TestCalculateBlockIO(t *testing.T) {
 		IoServiceBytesRecursive: []types.BlkioStatEntry{
 			{Major: 8, Minor: 0, Op: "read", Value: 1234},
 			{Major: 8, Minor: 1, Op: "read", Value: 4567},
+			{Major: 8, Minor: 0, Op: "Read", Value: 6},
+			{Major: 8, Minor: 1, Op: "Read", Value: 8},
 			{Major: 8, Minor: 0, Op: "write", Value: 123},
 			{Major: 8, Minor: 1, Op: "write", Value: 456},
+			{Major: 8, Minor: 0, Op: "Write", Value: 6},
+			{Major: 8, Minor: 1, Op: "Write", Value: 8},
+			{Major: 8, Minor: 1, Op: "", Value: 456},
 		},
 	}
 	blkRead, blkWrite := calculateBlockIO(blkio)
-	if blkRead != 5801 {
-		t.Fatalf("blkRead = %d, want 5801", blkRead)
+	if blkRead != 5815 {
+		t.Fatalf("blkRead = %d, want 5815", blkRead)
 	}
-	if blkWrite != 579 {
-		t.Fatalf("blkWrite = %d, want 579", blkWrite)
+	if blkWrite != 593 {
+		t.Fatalf("blkWrite = %d, want 593", blkWrite)
 	}
 }
--- a/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
@ -0,0 +1 @@
+WARNING: Localhost DNS setting (--dns=::1) may fail in containers.
--- a/cli/command/container/testdata/container-create-localhost-dns.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns.golden
@ -0,0 +1 @@
+WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.
--- a/cli/command/container/testdata/container-create-oom-kill-true-without-memory-limit.golden
+++ b/cli/command/container/testdata/container-create-oom-kill-true-without-memory-limit.golden
@ -0,0 +1 @@
+WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
--- a/cli/command/container/testdata/container-create-oom-kill-without-memory-limit.golden
+++ b/cli/command/container/testdata/container-create-oom-kill-without-memory-limit.golden
@ -0,0 +1 @@
+WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
--- a/cli/command/container/tty.go
+++ b/cli/command/container/tty.go
@ -16,9 +16,9 @@ import (
 )

 // resizeTtyTo resizes tty to specific height and width
-func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) {
+func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) error {
 	if height == 0 && width == 0 {
-		return
+		return nil
 	}

 	options := types.ResizeOptions{
@ -34,19 +34,42 @@ func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id strin
 	}

 	if err != nil {
-		logrus.Debugf("Error resize: %s", err)
+		logrus.Debugf("Error resize: %s\r", err)
+	}
+	return err
+}
+
+// resizeTty is to resize the tty with cli out's tty size
+func resizeTty(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+	height, width := cli.Out().GetTtySize()
+	return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+}
+
+// initTtySize is to init the tty's size to the same as the window, if there is an error, it will retry 5 times.
+func initTtySize(ctx context.Context, cli command.Cli, id string, isExec bool, resizeTtyFunc func(ctx context.Context, cli command.Cli, id string, isExec bool) error) {
+	rttyFunc := resizeTtyFunc
+	if rttyFunc == nil {
+		rttyFunc = resizeTty
+	}
+	if err := rttyFunc(ctx, cli, id, isExec); err != nil {
+		go func() {
+			var err error
+			for retry := 0; retry < 5; retry++ {
+				time.Sleep(10 * time.Millisecond)
+				if err = rttyFunc(ctx, cli, id, isExec); err == nil {
+					break
+				}
+			}
+			if err != nil {
+				fmt.Fprintln(cli.Err(), "failed to resize tty, using default size")
+			}
+		}()
 	}
 }

 // MonitorTtySize updates the container tty size when the terminal tty changes size
 func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool) error {
-	resizeTty := func() {
-		height, width := cli.Out().GetTtySize()
-		resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
-	}
-
-	resizeTty()
-
+	initTtySize(ctx, cli, id, isExec, resizeTty)
 	if runtime.GOOS == "windows" {
 		go func() {
 			prevH, prevW := cli.Out().GetTtySize()
@ -55,7 +78,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 				h, w := cli.Out().GetTtySize()

 				if prevW != w || prevH != h {
-					resizeTty()
+					resizeTty(ctx, cli, id, isExec)
 				}
 				prevH = h
 				prevW = w
@ -66,7 +89,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 		gosignal.Notify(sigchan, signal.SIGWINCH)
 		go func() {
 			for range sigchan {
-				resizeTty()
+				resizeTty(ctx, cli, id, isExec)
 			}
 		}()
 	}
--- a/cli/command/container/tty_test.go
+++ b/cli/command/container/tty_test.go
@ -0,0 +1,30 @@
+package container
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestInitTtySizeErrors(t *testing.T) {
+	expectedError := "failed to resize tty, using default size\n"
+	fakeContainerExecResizeFunc := func(id string, options types.ResizeOptions) error {
+		return errors.Errorf("Error response from daemon: no such exec")
+	}
+	fakeResizeTtyFunc := func(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+		height, width := uint(1024), uint(768)
+		return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+	}
+	ctx := context.Background()
+	cli := test.NewFakeCli(&fakeClient{containerExecResizeFunc: fakeContainerExecResizeFunc})
+	initTtySize(ctx, cli, "8mm8nn8tt8bb", true, fakeResizeTtyFunc)
+	time.Sleep(100 * time.Millisecond)
+	assert.Check(t, is.Equal(expectedError, cli.ErrBuffer().String()))
+}
--- a/cli/command/container/update.go
+++ b/cli/command/container/update.go
@ -27,6 +27,7 @@ type updateOptions struct {
 	memorySwap         opts.MemSwapBytes
 	kernelMemory       opts.MemBytes
 	restartPolicy      string
+	pidsLimit          int64
 	cpus               opts.NanoCPUs

 	nFlag int
@ -65,6 +66,8 @@ func NewUpdateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.Var(&options.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
 	flags.Var(&options.kernelMemory, "kernel-memory", "Kernel memory limit")
 	flags.StringVar(&options.restartPolicy, "restart", "", "Restart policy to apply when a container exits")
+	flags.Int64Var(&options.pidsLimit, "pids-limit", 0, "Tune container pids limit (set -1 for unlimited)")
+	flags.SetAnnotation("pids-limit", "version", []string{"1.40"})

 	flags.Var(&options.cpus, "cpus", "Number of CPUs")
 	flags.SetAnnotation("cpus", "version", []string{"1.29"})
@ -103,6 +106,10 @@ func runUpdate(dockerCli command.Cli, options *updateOptions) error {
 		NanoCPUs:           options.cpus.Value(),
 	}

+	if options.pidsLimit != 0 {
+		resources.PidsLimit = &options.pidsLimit
+	}
+
 	updateConfig := containertypes.UpdateConfig{
 		Resources:     resources,
 		RestartPolicy: restartPolicy,
--- a/cli/command/container/utils_test.go
+++ b/cli/command/container/utils_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types/container"
 	"github.com/pkg/errors"
-	"gotest.tools/assert"
-	is "gotest.tools/assert/cmp"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 func waitFn(cid string) (<-chan container.ContainerWaitOKBody, <-chan error) {
--- a/cli/command/context.go
+++ b/cli/command/context.go
@ -0,0 +1,27 @@
+package command
+
+import (
+	"errors"
+
+	"github.com/docker/cli/cli/context/store"
+)
+
+// DockerContext is a typed representation of what we put in Context metadata
+type DockerContext struct {
+	Description       string       `json:",omitempty"`
+	StackOrchestrator Orchestrator `json:",omitempty"`
+}
+
+// GetDockerContext extracts metadata from stored context metadata
+func GetDockerContext(storeMetadata store.Metadata) (DockerContext, error) {
+	if storeMetadata.Metadata == nil {
+		// can happen if we save endpoints before assigning a context metadata
+		// it is totally valid, and we should return a default initialized value
+		return DockerContext{}, nil
+	}
+	res, ok := storeMetadata.Metadata.(DockerContext)
+	if !ok {
+		return DockerContext{}, errors.New("context metadata is not a valid DockerContext")
+	}
+	return res, nil
+}
--- a/cli/command/context/cmd.go
+++ b/cli/command/context/cmd.go
@ -0,0 +1,49 @@
+package context
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewContextCommand returns the context cli subcommand
+func NewContextCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "context",
+		Short: "Manage contexts",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newCreateCommand(dockerCli),
+		newListCommand(dockerCli),
+		newUseCommand(dockerCli),
+		newExportCommand(dockerCli),
+		newImportCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newUpdateCommand(dockerCli),
+		newInspectCommand(dockerCli),
+	)
+	return cmd
+}
+
+const restrictedNamePattern = "^[a-zA-Z0-9][a-zA-Z0-9_.+-]+$"
+
+var restrictedNameRegEx = regexp.MustCompile(restrictedNamePattern)
+
+func validateContextName(name string) error {
+	if name == "" {
+		return errors.New("context name cannot be empty")
+	}
+	if name == "default" {
+		return errors.New(`"default" is a reserved context name`)
+	}
+	if !restrictedNameRegEx.MatchString(name) {
+		return fmt.Errorf("context name %q is invalid, names are validated against regexp %q", name, restrictedNamePattern)
+	}
+	return nil
+}
--- a/cli/command/context/create.go
+++ b/cli/command/context/create.go
@ -0,0 +1,199 @@
+package context
+
+import (
+	"bytes"
+	"fmt"
+	"text/tabwriter"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// CreateOptions are the options used for creating a context
+type CreateOptions struct {
+	Name                     string
+	Description              string
+	DefaultStackOrchestrator string
+	Docker                   map[string]string
+	Kubernetes               map[string]string
+	From                     string
+}
+
+func longCreateDescription() string {
+	buf := bytes.NewBuffer(nil)
+	buf.WriteString("Create a context\n\nDocker endpoint config:\n\n")
+	tw := tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range dockerConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nKubernetes endpoint config:\n\n")
+	tw = tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range kubernetesConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nExample:\n\n$ docker context create my-context --description \"some description\" --docker \"host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file\"\n")
+	return buf.String()
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &CreateOptions{}
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] CONTEXT",
+		Short: "Create a context",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Name = args[0]
+			return RunCreate(dockerCli, opts)
+		},
+		Long: longCreateDescription(),
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Description, "description", "", "Description of the context")
+	flags.StringVar(
+		&opts.DefaultStackOrchestrator,
+		"default-stack-orchestrator", "",
+		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
+	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
+	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.StringVar(&opts.From, "from", "", "create context from a named context")
+	return cmd
+}
+
+// RunCreate creates a Docker context
+func RunCreate(cli command.Cli, o *CreateOptions) error {
+	s := cli.ContextStore()
+	if err := checkContextNameForCreation(s, o.Name); err != nil {
+		return err
+	}
+	stackOrchestrator, err := command.NormalizeOrchestrator(o.DefaultStackOrchestrator)
+	if err != nil {
+		return errors.Wrap(err, "unable to parse default-stack-orchestrator")
+	}
+	switch {
+	case o.From == "" && o.Docker == nil && o.Kubernetes == nil:
+		err = createFromExistingContext(s, cli.CurrentContext(), stackOrchestrator, o)
+	case o.From != "":
+		err = createFromExistingContext(s, o.From, stackOrchestrator, o)
+	default:
+		err = createNewContext(o, stackOrchestrator, cli, s)
+	}
+	if err == nil {
+		fmt.Fprintln(cli.Out(), o.Name)
+		fmt.Fprintf(cli.Err(), "Successfully created context %q\n", o.Name)
+	}
+	return err
+}
+
+func createNewContext(o *CreateOptions, stackOrchestrator command.Orchestrator, cli command.Cli, s store.Writer) error {
+	if o.Docker == nil {
+		return errors.New("docker endpoint configuration is required")
+	}
+	contextMetadata := newContextMetadata(stackOrchestrator, o)
+	contextTLSData := store.ContextTLSData{
+		Endpoints: make(map[string]store.EndpointTLSData),
+	}
+	dockerEP, dockerTLS, err := getDockerEndpointMetadataAndTLS(cli, o.Docker)
+	if err != nil {
+		return errors.Wrap(err, "unable to create docker endpoint config")
+	}
+	contextMetadata.Endpoints[docker.DockerEndpoint] = dockerEP
+	if dockerTLS != nil {
+		contextTLSData.Endpoints[docker.DockerEndpoint] = *dockerTLS
+	}
+	if o.Kubernetes != nil {
+		kubernetesEP, kubernetesTLS, err := getKubernetesEndpointMetadataAndTLS(cli, o.Kubernetes)
+		if err != nil {
+			return errors.Wrap(err, "unable to create kubernetes endpoint config")
+		}
+		if kubernetesEP == nil && stackOrchestrator.HasKubernetes() {
+			return errors.Errorf("cannot specify orchestrator %q without configuring a Kubernetes endpoint", stackOrchestrator)
+		}
+		if kubernetesEP != nil {
+			contextMetadata.Endpoints[kubernetes.KubernetesEndpoint] = kubernetesEP
+		}
+		if kubernetesTLS != nil {
+			contextTLSData.Endpoints[kubernetes.KubernetesEndpoint] = *kubernetesTLS
+		}
+	}
+	if err := validateEndpointsAndOrchestrator(contextMetadata); err != nil {
+		return err
+	}
+	if err := s.CreateOrUpdate(contextMetadata); err != nil {
+		return err
+	}
+	if err := s.ResetTLSMaterial(o.Name, &contextTLSData); err != nil {
+		return err
+	}
+	return nil
+}
+
+func checkContextNameForCreation(s store.Reader, name string) error {
+	if err := validateContextName(name); err != nil {
+		return err
+	}
+	if _, err := s.GetMetadata(name); !store.IsErrContextDoesNotExist(err) {
+		if err != nil {
+			return errors.Wrap(err, "error while getting existing contexts")
+		}
+		return errors.Errorf("context %q already exists", name)
+	}
+	return nil
+}
+
+func createFromExistingContext(s store.ReaderWriter, fromContextName string, stackOrchestrator command.Orchestrator, o *CreateOptions) error {
+	if len(o.Docker) != 0 || len(o.Kubernetes) != 0 {
+		return errors.New("cannot use --docker or --kubernetes flags when --from is set")
+	}
+	reader := store.Export(fromContextName, &descriptionAndOrchestratorStoreDecorator{
+		Reader:       s,
+		description:  o.Description,
+		orchestrator: stackOrchestrator,
+	})
+	defer reader.Close()
+	return store.Import(o.Name, s, reader)
+}
+
+type descriptionAndOrchestratorStoreDecorator struct {
+	store.Reader
+	description  string
+	orchestrator command.Orchestrator
+}
+
+func (d *descriptionAndOrchestratorStoreDecorator) GetMetadata(name string) (store.Metadata, error) {
+	c, err := d.Reader.GetMetadata(name)
+	if err != nil {
+		return c, err
+	}
+	typedContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return c, err
+	}
+	if d.description != "" {
+		typedContext.Description = d.description
+	}
+	if d.orchestrator != command.Orchestrator("") {
+		typedContext.StackOrchestrator = d.orchestrator
+	}
+	c.Metadata = typedContext
+	return c, nil
+}
+
+func newContextMetadata(stackOrchestrator command.Orchestrator, o *CreateOptions) store.Metadata {
+	return store.Metadata{
+		Endpoints: make(map[string]interface{}),
+		Metadata: command.DockerContext{
+			Description:       o.Description,
+			StackOrchestrator: stackOrchestrator,
+		},
+		Name: o.Name,
+	}
+}
--- a/cli/command/context/create_test.go
+++ b/cli/command/context/create_test.go
@ -0,0 +1,367 @@
+package context
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/env"
+)
+
+func makeFakeCli(t *testing.T, opts ...func(*test.FakeCli)) (*test.FakeCli, func()) {
+	dir, err := ioutil.TempDir("", t.Name())
+	assert.NilError(t, err)
+	storeConfig := store.NewConfig(
+		func() interface{} { return &command.DockerContext{} },
+		store.EndpointTypeGetter(docker.DockerEndpoint, func() interface{} { return &docker.EndpointMeta{} }),
+		store.EndpointTypeGetter(kubernetes.KubernetesEndpoint, func() interface{} { return &kubernetes.EndpointMeta{} }),
+	)
+	store := &command.ContextStoreWithDefault{
+		Store: store.New(dir, storeConfig),
+		Resolver: func() (*command.DefaultContext, error) {
+			return &command.DefaultContext{
+				Meta: store.Metadata{
+					Endpoints: map[string]interface{}{
+						docker.DockerEndpoint: docker.EndpointMeta{
+							Host: "unix:///var/run/docker.sock",
+						},
+					},
+					Metadata: command.DockerContext{
+						Description:       "",
+						StackOrchestrator: command.OrchestratorSwarm,
+					},
+					Name: command.DefaultContextName,
+				},
+				TLS: store.ContextTLSData{},
+			}, nil
+		},
+	}
+	cleanup := func() {
+		os.RemoveAll(dir)
+	}
+	result := test.NewFakeCli(nil, opts...)
+	for _, o := range opts {
+		o(result)
+	}
+	result.SetContextStore(store)
+	return result, cleanup
+}
+
+func withCliConfig(configFile *configfile.ConfigFile) func(*test.FakeCli) {
+	return func(m *test.FakeCli) {
+		m.SetConfigFile(configFile)
+	}
+}
+
+func TestCreateInvalids(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	assert.NilError(t, cli.ContextStore().CreateOrUpdate(store.Metadata{Name: "existing-context"}))
+	tests := []struct {
+		options     CreateOptions
+		expecterErr string
+	}{
+		{
+			expecterErr: `context name cannot be empty`,
+		},
+		{
+			options: CreateOptions{
+				Name: "default",
+			},
+			expecterErr: `"default" is a reserved context name`,
+		},
+		{
+			options: CreateOptions{
+				Name: " ",
+			},
+			expecterErr: `context name " " is invalid`,
+		},
+		{
+			options: CreateOptions{
+				Name: "existing-context",
+			},
+			expecterErr: `context "existing-context" already exists`,
+		},
+		{
+			options: CreateOptions{
+				Name: "invalid-docker-host",
+				Docker: map[string]string{
+					keyHost: "some///invalid/host",
+				},
+			},
+			expecterErr: `unable to parse docker host`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "invalid-orchestrator",
+				DefaultStackOrchestrator: "invalid",
+			},
+			expecterErr: `specified orchestrator "invalid" is invalid, please use either kubernetes, swarm or all`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "orchestrator-kubernetes-no-endpoint",
+				DefaultStackOrchestrator: "kubernetes",
+				Docker:                   map[string]string{},
+			},
+			expecterErr: `cannot specify orchestrator "kubernetes" without configuring a Kubernetes endpoint`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "orchestrator-all-no-endpoint",
+				DefaultStackOrchestrator: "all",
+				Docker:                   map[string]string{},
+			},
+			expecterErr: `cannot specify orchestrator "all" without configuring a Kubernetes endpoint`,
+		},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.options.Name, func(t *testing.T) {
+			err := RunCreate(cli, &tc.options)
+			assert.ErrorContains(t, err, tc.expecterErr)
+		})
+	}
+}
+
+func assertContextCreateLogging(t *testing.T, cli *test.FakeCli, n string) {
+	assert.Equal(t, n+"\n", cli.OutBuffer().String())
+	assert.Equal(t, fmt.Sprintf("Successfully created context %q\n", n), cli.ErrBuffer().String())
+}
+
+func TestCreateOrchestratorSwarm(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "swarm",
+		Docker:                   map[string]string{},
+	})
+	assert.NilError(t, err)
+	assertContextCreateLogging(t, cli, "test")
+}
+
+func TestCreateOrchestratorEmpty(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:   "test",
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+	assertContextCreateLogging(t, cli, "test")
+}
+
+func validateTestKubeEndpoint(t *testing.T, s store.Reader, name string) {
+	t.Helper()
+	ctxMetadata, err := s.GetMetadata(name)
+	assert.NilError(t, err)
+	kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta)
+	kubeEP, err := kubeMeta.WithTLSData(s, name)
+	assert.NilError(t, err)
+	assert.Equal(t, "https://someserver", kubeEP.Host)
+	assert.Equal(t, "the-ca", string(kubeEP.TLSData.CA))
+	assert.Equal(t, "the-cert", string(kubeEP.TLSData.Cert))
+	assert.Equal(t, "the-key", string(kubeEP.TLSData.Key))
+}
+
+func createTestContextWithKube(t *testing.T, cli command.Cli) {
+	t.Helper()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "all",
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+}
+
+func TestCreateOrchestratorAllKubernetesEndpointFromCurrent(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	assertContextCreateLogging(t, cli, "test")
+	validateTestKubeEndpoint(t, cli.ContextStore(), "test")
+}
+
+func TestCreateFromContext(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		docker               map[string]string
+		kubernetes           map[string]string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "original")
+
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "dummy",
+		Description: "dummy description",
+		Docker: map[string]string{
+			keyHost: "tcp://24.24.24.24:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "dummy")
+
+	cli.SetCurrentContext("dummy")
+
+	for _, c := range cases {
+		c := c
+		t.Run(c.name, func(t *testing.T) {
+			cli.ResetOutputBuffers()
+			err := RunCreate(cli, &CreateOptions{
+				From:                     "original",
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+				Docker:                   c.docker,
+				Kubernetes:               c.kubernetes,
+			})
+			assert.NilError(t, err)
+			assertContextCreateLogging(t, cli, c.name)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
+
+func TestCreateFromCurrent(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "original")
+
+	cli.SetCurrentContext("original")
+
+	for _, c := range cases {
+		c := c
+		t.Run(c.name, func(t *testing.T) {
+			cli.ResetOutputBuffers()
+			err := RunCreate(cli, &CreateOptions{
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+			})
+			assert.NilError(t, err)
+			assertContextCreateLogging(t, cli, c.name)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
--- a/cli/command/context/export-import_test.go
+++ b/cli/command/context/export-import_test.go
@ -0,0 +1,110 @@
+package context
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/cli/streams"
+	"gotest.tools/v3/assert"
+)
+
+func TestExportImportWithFile(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        contextFile,
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), fmt.Sprintf("Written file %q\n", contextFile))
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunImport(cli, "test2", contextFile))
+	context1, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	context2, err := cli.ContextStore().GetMetadata("test2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
+	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
+	assert.Equal(t, "test", context1.Name)
+	assert.Equal(t, "test2", context2.Name)
+
+	assert.Equal(t, "test2\n", cli.OutBuffer().String())
+	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+}
+
+func TestExportImportPipe(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	cli.OutBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        "-",
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), "")
+	cli.SetIn(streams.NewIn(ioutil.NopCloser(bytes.NewBuffer(cli.OutBuffer().Bytes()))))
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunImport(cli, "test2", "-"))
+	context1, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	context2, err := cli.ContextStore().GetMetadata("test2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
+	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
+	assert.Equal(t, "test", context1.Name)
+	assert.Equal(t, "test2", context2.Name)
+
+	assert.Equal(t, "test2\n", cli.OutBuffer().String())
+	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+}
+
+func TestExportKubeconfig(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        contextFile,
+		Kubeconfig:  true,
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), fmt.Sprintf("Written file %q\n", contextFile))
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name: "test2",
+		Kubernetes: map[string]string{
+			keyKubeconfig: contextFile,
+		},
+		Docker: map[string]string{},
+	}))
+	validateTestKubeEndpoint(t, cli.ContextStore(), "test2")
+}
+
+func TestExportExistingFile(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, ioutil.WriteFile(contextFile, []byte{}, 0644))
+	err = RunExport(cli, &ExportOptions{ContextName: "test", Dest: contextFile})
+	assert.Assert(t, os.IsExist(err))
+}
--- a/cli/command/context/export.go
+++ b/cli/command/context/export.go
@ -0,0 +1,110 @@
+package context
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// ExportOptions are the options used for exporting a context
+type ExportOptions struct {
+	Kubeconfig  bool
+	ContextName string
+	Dest        string
+}
+
+func newExportCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &ExportOptions{}
+	cmd := &cobra.Command{
+		Use:   "export [OPTIONS] CONTEXT [FILE|-]",
+		Short: "Export a context to a tar or kubeconfig file",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.ContextName = args[0]
+			if len(args) == 2 {
+				opts.Dest = args[1]
+			} else {
+				opts.Dest = opts.ContextName
+				if opts.Kubeconfig {
+					opts.Dest += ".kubeconfig"
+				} else {
+					opts.Dest += ".dockercontext"
+				}
+			}
+			return RunExport(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.Kubeconfig, "kubeconfig", false, "Export as a kubeconfig file")
+	return cmd
+}
+
+func writeTo(dockerCli command.Cli, reader io.Reader, dest string) error {
+	var writer io.Writer
+	var printDest bool
+	if dest == "-" {
+		if dockerCli.Out().IsTerminal() {
+			return errors.New("cowardly refusing to export to a terminal, please specify a file path")
+		}
+		writer = dockerCli.Out()
+	} else {
+		f, err := os.OpenFile(dest, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		writer = f
+		printDest = true
+	}
+	if _, err := io.Copy(writer, reader); err != nil {
+		return err
+	}
+	if printDest {
+		fmt.Fprintf(dockerCli.Err(), "Written file %q\n", dest)
+	}
+	return nil
+}
+
+// RunExport exports a Docker context
+func RunExport(dockerCli command.Cli, opts *ExportOptions) error {
+	if err := validateContextName(opts.ContextName); err != nil && opts.ContextName != command.DefaultContextName {
+		return err
+	}
+	ctxMeta, err := dockerCli.ContextStore().GetMetadata(opts.ContextName)
+	if err != nil {
+		return err
+	}
+	if !opts.Kubeconfig {
+		reader := store.Export(opts.ContextName, dockerCli.ContextStore())
+		defer reader.Close()
+		return writeTo(dockerCli, reader, opts.Dest)
+	}
+	kubernetesEndpointMeta := kubernetes.EndpointFromContext(ctxMeta)
+	if kubernetesEndpointMeta == nil {
+		return fmt.Errorf("context %q has no kubernetes endpoint", opts.ContextName)
+	}
+	kubernetesEndpoint, err := kubernetesEndpointMeta.WithTLSData(dockerCli.ContextStore(), opts.ContextName)
+	if err != nil {
+		return err
+	}
+	kubeConfig := kubernetesEndpoint.KubernetesConfig()
+	rawCfg, err := kubeConfig.RawConfig()
+	if err != nil {
+		return err
+	}
+	data, err := clientcmd.Write(rawCfg)
+	if err != nil {
+		return err
+	}
+	return writeTo(dockerCli, bytes.NewBuffer(data), opts.Dest)
+}
--- a/cli/command/context/import.go
+++ b/cli/command/context/import.go
@ -0,0 +1,51 @@
+package context
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+)
+
+func newImportCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "import CONTEXT FILE|-",
+		Short: "Import a context from a tar or zip file",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return RunImport(dockerCli, args[0], args[1])
+		},
+	}
+	return cmd
+}
+
+// RunImport imports a Docker context
+func RunImport(dockerCli command.Cli, name string, source string) error {
+	if err := checkContextNameForCreation(dockerCli.ContextStore(), name); err != nil {
+		return err
+	}
+
+	var reader io.Reader
+	if source == "-" {
+		reader = dockerCli.In()
+	} else {
+		f, err := os.Open(source)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		reader = f
+	}
+
+	if err := store.Import(name, dockerCli.ContextStore(), reader); err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), name)
+	fmt.Fprintf(dockerCli.Err(), "Successfully imported context %q\n", name)
+	return nil
+}
--- a/cli/command/context/inspect.go
+++ b/cli/command/context/inspect.go
@ -0,0 +1,64 @@
+package context
+
+import (
+	"errors"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format string
+	refs   []string
+}
+
+// newInspectCommand creates a new cobra.Command for `docker image inspect`
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] [CONTEXT] [CONTEXT...]",
+		Short: "Display detailed information on one or more contexts",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.refs = args
+			if len(opts.refs) == 0 {
+				if dockerCli.CurrentContext() == "" {
+					return errors.New("no context specified")
+				}
+				opts.refs = []string{dockerCli.CurrentContext()}
+			}
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	getRefFunc := func(ref string) (interface{}, []byte, error) {
+		c, err := dockerCli.ContextStore().GetMetadata(ref)
+		if err != nil {
+			return nil, nil, err
+		}
+		tlsListing, err := dockerCli.ContextStore().ListTLSFiles(ref)
+		if err != nil {
+			return nil, nil, err
+		}
+		return contextWithTLSListing{
+			Metadata:    c,
+			TLSMaterial: tlsListing,
+			Storage:     dockerCli.ContextStore().GetStorageInfo(ref),
+		}, nil, nil
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
+}
+
+type contextWithTLSListing struct {
+	store.Metadata
+	TLSMaterial map[string]store.EndpointFiles
+	Storage     store.StorageInfo
+}
--- a/cli/command/context/inspect_test.go
+++ b/cli/command/context/inspect_test.go
@ -0,0 +1,24 @@
+package context
+
+import (
+	"strings"
+	"testing"
+
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/golden"
+)
+
+func TestInspect(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	cli.OutBuffer().Reset()
+	assert.NilError(t, runInspect(cli, inspectOptions{
+		refs: []string{"current"},
+	}))
+	expected := string(golden.Get(t, "inspect.golden"))
+	si := cli.ContextStore().GetStorageInfo("current")
+	expected = strings.Replace(expected, "<METADATA_PATH>", strings.Replace(si.MetadataPath, `\`, `\\`, -1), 1)
+	expected = strings.Replace(expected, "<TLS_PATH>", strings.Replace(si.TLSPath, `\`, `\\`, -1), 1)
+	assert.Equal(t, cli.OutBuffer().String(), expected)
+}
--- a/cli/command/context/list.go
+++ b/cli/command/context/list.go
@ -0,0 +1,96 @@
+package context
+
+import (
+	"fmt"
+	"os"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/context/docker"
+	kubecontext "github.com/docker/cli/cli/context/kubernetes"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+type listOptions struct {
+	format string
+	quiet  bool
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &listOptions{}
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List contexts",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&opts.format, "format", "", "Pretty-print contexts using a Go template")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Only show context names")
+	return cmd
+}
+
+func runList(dockerCli command.Cli, opts *listOptions) error {
+	if opts.format == "" {
+		opts.format = formatter.TableFormatKey
+	}
+	curContext := dockerCli.CurrentContext()
+	contextMap, err := dockerCli.ContextStore().List()
+	if err != nil {
+		return err
+	}
+	var contexts []*formatter.ClientContext
+	for _, rawMeta := range contextMap {
+		meta, err := command.GetDockerContext(rawMeta)
+		if err != nil {
+			return err
+		}
+		dockerEndpoint, err := docker.EndpointFromContext(rawMeta)
+		if err != nil {
+			return err
+		}
+		kubernetesEndpoint := kubecontext.EndpointFromContext(rawMeta)
+		kubEndpointText := ""
+		if kubernetesEndpoint != nil {
+			kubEndpointText = fmt.Sprintf("%s (%s)", kubernetesEndpoint.Host, kubernetesEndpoint.DefaultNamespace)
+		}
+		if rawMeta.Name == command.DefaultContextName {
+			meta.Description = "Current DOCKER_HOST based configuration"
+		}
+		desc := formatter.ClientContext{
+			Name:               rawMeta.Name,
+			Current:            rawMeta.Name == curContext,
+			Description:        meta.Description,
+			StackOrchestrator:  string(meta.StackOrchestrator),
+			DockerEndpoint:     dockerEndpoint.Host,
+			KubernetesEndpoint: kubEndpointText,
+		}
+		contexts = append(contexts, &desc)
+	}
+	sort.Slice(contexts, func(i, j int) bool {
+		return sortorder.NaturalLess(contexts[i].Name, contexts[j].Name)
+	})
+	if err := format(dockerCli, opts, contexts); err != nil {
+		return err
+	}
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprint(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.\n")
+	}
+	return nil
+}
+
+func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {
+	contextCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewClientContextFormat(opts.format, opts.quiet),
+	}
+	return formatter.ClientContextWrite(contextCtx, contexts)
+}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`WARNING: Localhost DNS setting (--dns=::1) may fail in containers.`
				`@ -0,0 +1 @@`
				`WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.`
				`@ -0,0 +1 @@`
				`WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.`