Merge pull request #3919 from thaJeztah/20.10_update_engine

[20.10] update docker/docker and buildkit

.golangci.yml

@@ -5,12 +5,10 @@ linters:
     - dogsled
     - gocyclo
     - goimports
-    - golint
     - gosec
     - gosimple
     - govet
     - ineffassign
-    - interfacer
     - lll
     - megacheck
     - misspell
@@ -21,6 +19,7 @@ linters:
     - unconvert
     - unparam
     - unused
+    - revive
     - varcheck
 
   disable:
@@ -54,30 +53,65 @@ issues:
     - parameter .* always receives
 
   exclude-rules:
-    # These are copied from the default exclude rules, except for "ineffective break statement"
-    # and GoDoc checks.
-    # https://github.com/golangci/golangci-lint/blob/0cc87df732aaf1d5ad9ce9ca538d38d916918b36/pkg/config/config.go#L36
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked"
+    # We prefer to use an "exclude-list" so that new "default" exclusions are not
+    # automatically inherited. We can decide whether or not to follow upstream
+    # defaults when updating golang-ci-lint versions.
+    # Unfortunately, this means we have to copy the whole exclusion pattern, as
+    # (unlike the "include" option), the "exclude" option does not take exclusion
+    # ID's.
+    #
+    # These exclusion patterns are copied from the default excluses at:
+    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+
+    # EXC0001
+    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
       linters:
         - errcheck
+    # EXC0003
     - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
       linters:
-        - golint
-    - text: "G103: Use of unsafe calls should be audited"
+        - revive
+    # EXC0006
+    - text: "Use of unsafe calls should be audited"
       linters:
         - gosec
-    - text: "G104: Errors unhandled"
+    # EXC0007
+    - text: "Subprocess launch(ed with variable|ing should be audited)"
       linters:
         - gosec
-    - text: "G204: Subprocess launch(ed with (variable|function call)|ing should be audited)"
+    # EXC0008
+    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
+    - text: "(G104|G307)"
       linters:
         - gosec
-    - text: "(G301|G302): (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+    # EXC0009
+    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
       linters:
         - gosec
-    - text: "G304: Potential file inclusion via variable"
+    # EXC0010
+    - text: "Potential file inclusion via variable"
       linters:
         - gosec
-    - text: "(G201|G202): SQL string (formatting|concatenation)"
+
+    # Looks like the match in "EXC0007" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
       linters:
         - gosec
+    # Looks like the match in "EXC0009" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G306: Expect WriteFile permissions to be 0600 or less"
+      linters:
+        - gosec
+
+    # Exclude some linters from running on tests files.
+    - path: _test\.go
+      linters:
+        - errcheck
+        - gosec
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0

Dockerfile

@@ -1,12 +1,13 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.9
+ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} AS build-base-alpine
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
 COPY --from=xx / /
 RUN apk add --no-cache clang lld llvm file git
 WORKDIR /go/src/github.com/docker/cli

appveyor.yml

@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 
 environment:
   GOPATH: c:\gopath
-  GOVERSION: 1.17.11
+  GOVERSION: 1.18.9
   DEPVERSION: v0.4.1
 
 install:

cli/command/config/formatter_test.go

@@ -19,13 +19,11 @@ func TestConfigContextFormatWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{formatter.Context{Format: NewFormat("table", false)},

cli/command/config/inspect_test.go

@@ -36,7 +36,7 @@ func TestConfigInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/command/container/create.go

@@ -155,7 +155,7 @@ func (cid *cidFile) Close() error {
 		return nil
 	}
 	if err := os.Remove(cid.path); err != nil {
-		return errors.Errorf("failed to remove the CID file '%s': %s \n", cid.path, err)
+		return errors.Wrapf(err, "failed to remove the CID file '%s'", cid.path)
 	}
 
 	return nil
@@ -166,7 +166,7 @@ func (cid *cidFile) Write(id string) error {
 		return nil
 	}
 	if _, err := cid.file.Write([]byte(id)); err != nil {
-		return errors.Errorf("Failed to write the container ID to the file: %s", err)
+		return errors.Wrap(err, "failed to write the container ID to the file")
 	}
 	cid.written = true
 	return nil
@@ -177,12 +177,12 @@ func newCIDFile(path string) (*cidFile, error) {
 		return &cidFile{}, nil
 	}
 	if _, err := os.Stat(path); err == nil {
-		return nil, errors.Errorf("Container ID file found, make sure the other container isn't running or delete %s", path)
+		return nil, errors.Errorf("container ID file found, make sure the other container isn't running or delete %s", path)
 	}
 
 	f, err := os.Create(path)
 	if err != nil {
-		return nil, errors.Errorf("Failed to create the container ID file: %s", err)
+		return nil, errors.Wrap(err, "failed to create the container ID file")
 	}
 
 	return &cidFile{path: path, file: f}, nil

cli/command/container/create_test.go

@@ -39,7 +39,7 @@ func TestNewCIDFileWhenFileAlreadyExists(t *testing.T) {
 	defer tempfile.Remove()
 
 	_, err := newCIDFile(tempfile.Path())
-	assert.ErrorContains(t, err, "Container ID file found")
+	assert.ErrorContains(t, err, "container ID file found")
 }
 
 func TestCIDFileCloseWithNoWrite(t *testing.T) {

cli/command/container/formatter_stats.go

@@ -181,14 +181,14 @@ func (c *statsContext) ID() string {
 
 func (c *statsContext) CPUPerc() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%.2f%%", c.s.CPUPercentage)
 }
 
 func (c *statsContext) MemUsage() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("-- / --")
+		return "-- / --"
 	}
 	if c.os == winOSType {
 		return units.BytesSize(c.s.Memory)
@@ -198,28 +198,28 @@ func (c *statsContext) MemUsage() string {
 
 func (c *statsContext) MemPerc() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%.2f%%", c.s.MemoryPercentage)
 }
 
 func (c *statsContext) NetIO() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.NetworkRx, 3), units.HumanSizeWithPrecision(c.s.NetworkTx, 3))
 }
 
 func (c *statsContext) BlockIO() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.BlockRead, 3), units.HumanSizeWithPrecision(c.s.BlockWrite, 3))
 }
 
 func (c *statsContext) PIDs() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%d", c.s.PidsCurrent)
 }

cli/command/container/formatter_stats_test.go

@@ -54,13 +54,11 @@ func TestContainerStatsContextWrite(t *testing.T) {
 	}{
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		{
 			formatter.Context{Format: "table {{.MemUsage}}"},

cli/command/container/rm_test.go

@@ -14,13 +14,17 @@ import (
 )
 
 func TestRemoveForce(t *testing.T) {
-	var removed []string
+	var (
+		removed1 []string
+		removed2 []string
+	)
 
 	cli := test.NewFakeCli(&fakeClient{
 		containerRemoveFunc: func(ctx context.Context, container string, options types.ContainerRemoveOptions) error {
-			removed = append(removed, container)
+			removed1 = append(removed1, container)
+			removed2 = append(removed2, container)
 			if container == "nosuchcontainer" {
-				return errdefs.NotFound(fmt.Errorf("Error: No such container: " + container))
+				return errdefs.NotFound(fmt.Errorf("Error: no such container: " + container))
 			}
 			return nil
 		},
@@ -31,16 +35,16 @@ func TestRemoveForce(t *testing.T) {
 
 	t.Run("without force", func(t *testing.T) {
 		cmd.SetArgs([]string{"nosuchcontainer", "mycontainer"})
-		removed = []string{}
-		assert.ErrorContains(t, cmd.Execute(), "No such container")
-		sort.Strings(removed)
-		assert.DeepEqual(t, removed, []string{"mycontainer", "nosuchcontainer"})
+		removed1 = []string{}
+		assert.ErrorContains(t, cmd.Execute(), "no such container")
+		sort.Strings(removed1)
+		assert.DeepEqual(t, removed1, []string{"mycontainer", "nosuchcontainer"})
 	})
 	t.Run("with force", func(t *testing.T) {
 		cmd.SetArgs([]string{"--force", "nosuchcontainer", "mycontainer"})
-		removed = []string{}
+		removed2 = []string{}
 		assert.NilError(t, cmd.Execute())
-		sort.Strings(removed)
-		assert.DeepEqual(t, removed, []string{"mycontainer", "nosuchcontainer"})
+		sort.Strings(removed2)
+		assert.DeepEqual(t, removed2, []string{"mycontainer", "nosuchcontainer"})
 	})
 }

cli/command/formatter/container_test.go

@@ -130,13 +130,11 @@ func TestContainerContextWrite(t *testing.T) {
 		// Errors
 		{
 			Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/disk_usage_test.go

@@ -61,8 +61,7 @@ CACHE ID   CACHE TYPE   SIZE      CREATED   LAST USED   USAGE     SHARED
 					Format: "{{InvalidFunction}}",
 				},
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			DiskUsageContext{
@@ -70,8 +69,7 @@ CACHE ID   CACHE TYPE   SIZE      CREATED   LAST USED   USAGE     SHARED
 					Format: "{{nil}}",
 				},
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/formatter.go

@@ -64,7 +64,7 @@ func (c *Context) preFormat() {
 func (c *Context) parseFormat() (*template.Template, error) {
 	tmpl, err := templates.Parse(c.finalFormat)
 	if err != nil {
-		return tmpl, errors.Errorf("Template parsing error: %v\n", err)
+		return tmpl, errors.Wrap(err, "template parsing error")
 	}
 	return tmpl, err
 }
@@ -85,7 +85,7 @@ func (c *Context) postFormat(tmpl *template.Template, subContext SubContext) {
 
 func (c *Context) contextFormat(tmpl *template.Template, subContext SubContext) error {
 	if err := tmpl.Execute(c.buffer, subContext); err != nil {
-		return errors.Errorf("Template parsing error: %v\n", err)
+		return errors.Wrap(err, "template parsing error")
 	}
 	if c.Format.IsTable() && c.header != nil {
 		c.header = subContext.FullHeader()

cli/command/formatter/image_test.go

@@ -119,8 +119,7 @@ func TestImageContextWrite(t *testing.T) {
 					Format: "{{InvalidFunction}}",
 				},
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			ImageContext{
@@ -128,8 +127,7 @@ func TestImageContextWrite(t *testing.T) {
 					Format: "{{nil}}",
 				},
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/volume_test.go

@@ -62,13 +62,11 @@ func TestVolumeContextWrite(t *testing.T) {
 		// Errors
 		{
 			Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/image/build.go

@@ -297,7 +297,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
 		}
 
 		if err := build.ValidateContextDirectory(contextDir, excludes); err != nil {
-			return errors.Errorf("error checking context: '%s'.", err)
+			return errors.Wrap(err, "error checking context")
 		}
 
 		// And canonicalize dockerfile name to a platform-independent one

cli/command/inspect/inspector.go

@@ -44,7 +44,7 @@ func NewTemplateInspectorFromString(out io.Writer, tmplStr string) (Inspector, e
 
 	tmpl, err := templates.Parse(tmplStr)
 	if err != nil {
-		return nil, errors.Errorf("Template parsing error: %s", err)
+		return nil, errors.Errorf("template parsing error: %s", err)
 	}
 	return NewTemplateInspector(out, tmpl), nil
 }
@@ -94,7 +94,7 @@ func (i *TemplateInspector) Inspect(typedElement interface{}, rawElement []byte)
 	buffer := new(bytes.Buffer)
 	if err := i.tmpl.Execute(buffer, typedElement); err != nil {
 		if rawElement == nil {
-			return errors.Errorf("Template parsing error: %v", err)
+			return errors.Errorf("template parsing error: %v", err)
 		}
 		return i.tryRawInspectFallback(rawElement)
 	}
@@ -118,7 +118,7 @@ func (i *TemplateInspector) tryRawInspectFallback(rawElement []byte) error {
 
 	tmplMissingKey := i.tmpl.Option("missingkey=error")
 	if rawErr := tmplMissingKey.Execute(buffer, raw); rawErr != nil {
-		return errors.Errorf("Template parsing error: %v", rawErr)
+		return errors.Errorf("template parsing error: %v", rawErr)
 	}
 
 	i.buffer.Write(buffer.Bytes())

cli/command/inspect/inspector_test.go

@@ -62,7 +62,7 @@ func TestTemplateInspectorTemplateError(t *testing.T) {
 		t.Fatal("Expected error got nil")
 	}
 
-	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+	if !strings.HasPrefix(err.Error(), "template parsing error") {
 		t.Fatalf("Expected template error, got %v", err)
 	}
 }
@@ -98,7 +98,7 @@ func TestTemplateInspectorRawFallbackError(t *testing.T) {
 		t.Fatal("Expected error got nil")
 	}
 
-	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+	if !strings.HasPrefix(err.Error(), "template parsing error") {
 		t.Fatalf("Expected template error, got %v", err)
 	}
 }

cli/command/network/formatter_test.go

@@ -79,13 +79,11 @@ func TestNetworkContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/node/formatter_test.go

@@ -62,15 +62,13 @@ func TestNodeContextWrite(t *testing.T) {
 
 		// Errors
 		{
-			context: formatter.Context{Format: "{{InvalidFunction}}"},
-			expected: `Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			context:     formatter.Context{Format: "{{InvalidFunction}}"},
+			expected:    `template parsing error: template: :1: function "InvalidFunction" not defined`,
 			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
 		},
 		{
-			context: formatter.Context{Format: "{{nil}}"},
-			expected: `Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			context:     formatter.Context{Format: "{{nil}}"},
+			expected:    `template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
 		},
 		// Table format

cli/command/plugin/formatter_test.go

@@ -59,13 +59,11 @@ func TestPluginContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/plugin/inspect_test.go

@@ -61,7 +61,7 @@ func TestInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/plugin/list_test.go

@@ -41,7 +41,7 @@ func TestListErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/registry/formatter_search_test.go

@@ -112,13 +112,11 @@ func TestSearchContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/secret/formatter_test.go

@@ -19,13 +19,11 @@ func TestSecretContextFormatWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{formatter.Context{Format: NewFormat("table", false)},

cli/command/secret/inspect_test.go

@@ -36,7 +36,7 @@ func TestSecretInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/command/service/formatter_test.go

@@ -29,13 +29,11 @@ func TestServiceContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/service/opts.go

@@ -914,7 +914,7 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
 }
 
 const (
-	flagCredentialSpec          = "credential-spec"
+	flagCredentialSpec          = "credential-spec" //nolint:gosec // ignore G101: Potential hardcoded credentials
 	flagPlacementPref           = "placement-pref"
 	flagPlacementPrefAdd        = "placement-pref-add"
 	flagPlacementPrefRemove     = "placement-pref-rm"

cli/command/stack/formatter/formatter_test.go

@@ -16,13 +16,11 @@ func TestStackContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/stack/list_test.go

@@ -33,7 +33,7 @@ func TestListErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {

cli/command/stack/loader/loader.go

@@ -28,6 +28,7 @@ func LoadComposefile(dockerCli command.Cli, opts options.Deploy) (*composetypes.
 	config, err := loader.Load(configDetails)
 	if err != nil {
 		if fpe, ok := err.(*loader.ForbiddenPropertiesError); ok {
+			//nolint:revive // ignore capitalization error; this error is intentionally formatted multi-line
 			return nil, errors.Errorf("Compose file contains unsupported options:\n\n%s\n",
 				propertyWarnings(fpe.Properties))
 		}

cli/command/stack/services_test.go

@@ -62,7 +62,7 @@ func TestStackServicesErrors(t *testing.T) {
 			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
 				return []swarm.Service{*Service()}, nil
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/system/info.go

@@ -506,7 +506,7 @@ func formatInfo(dockerCli command.Cli, info info, format string) error {
 	tmpl, err := templates.Parse(format)
 	if err != nil {
 		return cli.StatusError{StatusCode: 64,
-			Status: "Template parsing error: " + err.Error()}
+			Status: "template parsing error: " + err.Error()}
 	}
 	err = tmpl.Execute(dockerCli.Out(), info)
 	dockerCli.Out().Write([]byte{'\n'})

cli/command/system/info_test.go

@@ -394,7 +394,7 @@ func TestFormatInfo(t *testing.T) {
 		{
 			doc:           "syntax",
 			template:      "{{}",
-			expectedError: `Status: Template parsing error: template: :1: unexpected "}" in command, Code: 64`,
+			expectedError: `Status: template parsing error: template: :1: unexpected "}" in command, Code: 64`,
 		},
 		{
 			doc:           "syntax",

cli/command/system/version.go

@@ -235,7 +235,7 @@ func newVersionTemplate(templateFormat string) (*template.Template, error) {
 	tmpl := templates.New("version").Funcs(template.FuncMap{"getDetailsOrder": getDetailsOrder})
 	tmpl, err := tmpl.Parse(templateFormat)
 
-	return tmpl, errors.Wrap(err, "Template parsing error")
+	return tmpl, errors.Wrap(err, "template parsing error")
 }
 
 func getDetailsOrder(v types.ComponentVersion) []string {

cli/command/task/formatter_test.go

@@ -20,13 +20,11 @@ func TestTaskContextWrite(t *testing.T) {
 	}{
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		{
 			formatter.Context{Format: NewTaskFormat("table", true)},

cli/command/trust/formatter_test.go

@@ -95,15 +95,13 @@ func TestTrustTagContextWrite(t *testing.T) {
 			formatter.Context{
 				Format: "{{InvalidFunction}}",
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{
 				Format: "{{nil}}",
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{
@@ -191,15 +189,13 @@ func TestSignerInfoContextWrite(t *testing.T) {
 			formatter.Context{
 				Format: "{{InvalidFunction}}",
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{
 				Format: "{{nil}}",
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/volume/create.go

@@ -32,7 +32,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 1 {
 				if options.name != "" {
-					return errors.Errorf("Conflicting options: either specify --name or provide positional arg, not both\n")
+					return errors.Errorf("conflicting options: either specify --name or provide positional arg, not both")
 				}
 				options.name = args[0]
 			}

cli/command/volume/create_test.go

@@ -26,7 +26,7 @@ func TestVolumeCreateErrors(t *testing.T) {
 			flags: map[string]string{
 				"name": "volumeName",
 			},
-			expectedError: "Conflicting options: either specify --name or provide positional arg, not both",
+			expectedError: "conflicting options: either specify --name or provide positional arg, not both",
 		},
 		{
 			args:          []string{"too", "many"},

cli/command/volume/inspect_test.go

@@ -35,7 +35,7 @@ func TestVolumeInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/compose/interpolation/interpolation.go

@@ -99,7 +99,7 @@ func newPathError(path Path, err error) error {
 		return nil
 	case *template.InvalidTemplateError:
 		return errors.Errorf(
-			"invalid interpolation format for %s: %#v. You may need to escape any $ with another $.",
+			"invalid interpolation format for %s: %#v; you may need to escape any $ with another $",
 			path, err.Template)
 	default:
 		return errors.Wrapf(err, "error while interpolating %s", path)

cli/compose/interpolation/interpolation_test.go

@@ -58,7 +58,7 @@ func TestInvalidInterpolation(t *testing.T) {
 		},
 	}
 	_, err := Interpolate(services, Options{LookupValue: defaultMapping})
-	assert.Error(t, err, `invalid interpolation format for servicea.image: "${". You may need to escape any $ with another $.`)
+	assert.Error(t, err, `invalid interpolation format for servicea.image: "${"; you may need to escape any $ with another $`)
 }
 
 func TestInterpolateWithDefaults(t *testing.T) {

cli/config/credentials/native_store.go

@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	remoteCredentialsPrefix = "docker-credential-"
+	remoteCredentialsPrefix = "docker-credential-" //nolint:gosec // ignore G101: Potential hardcoded credentials
 	tokenUsername           = "<token>"
 )
 

contrib/completion/bash/docker

@@ -1954,6 +1954,7 @@ _docker_container_run_and_create() {
 		--oom-score-adj
 		--pid
 		--pids-limit
+		--platform
 		--publish -p
 		--pull
 		--restart
@@ -1981,9 +1982,6 @@ _docker_container_run_and_create() {
 		--io-maxiops
 		--isolation
 	"
-	__docker_server_is_experimental && options_with_args+="
-		--platform
-	"
 
 	local boolean_options="
 		--disable-content-trust=false
@@ -2831,6 +2829,7 @@ _docker_image_build() {
 		--memory -m
 		--memory-swap
 		--network
+		--platform
 		--shm-size
 		--tag -t
 		--target
@@ -2851,9 +2850,6 @@ _docker_image_build() {
 	"
 
 	if __docker_server_is_experimental ; then
-		options_with_args+="
-			--platform
-		"
 		boolean_options+="
 			--squash
 		"
@@ -2862,7 +2858,6 @@ _docker_image_build() {
 	if [ "$DOCKER_BUILDKIT" = "1" ] ; then
 		options_with_args+="
 			--output -o
-			--platform
 			--progress
 			--secret
 			--ssh
@@ -2993,8 +2988,7 @@ _docker_image_import() {
 
 	case "$cur" in
 		-*)
-			local options="--change -c --help --message -m"
-			__docker_server_is_experimental && options+=" --platform"
+			local options="--change -c --help --message -m --platform"
 			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
 			;;
 		*)
@@ -3102,9 +3096,7 @@ _docker_image_pull() {
 
 	case "$cur" in
 		-*)
-			local options="--all-tags -a --disable-content-trust=false --help --quiet -q"
-			__docker_server_is_experimental && options+=" --platform"
-
+			local options="--all-tags -a --disable-content-trust=false --help --platform --quiet -q"
 			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
 			;;
 		*)
@@ -5485,6 +5477,23 @@ _docker_wait() {
 	_docker_container_wait
 }
 
+COMPOSE_PLUGIN_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{if eq .Name "compose"}}{{.Path}}{{end}}{{end}}')
+
+_docker_compose() {
+	local completionCommand="__completeNoDesc"
+	local resultArray=($COMPOSE_PLUGIN_PATH $completionCommand compose)
+	for value in "${words[@]:2}"; do
+		if [ -z "$value" ]; then
+			resultArray+=( "''" )
+		else
+			resultArray+=( "$value" )
+		fi
+	done
+	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
+
+	COMPREPLY=( $(compgen -W "${result}" -- "$current") )
+}
+
 _docker() {
 	local previous_extglob_setting=$(shopt -p extglob)
 	shopt -s extglob
@@ -5554,11 +5563,17 @@ _docker() {
 		wait
 	)
 
+	local known_plugin_commands=()
+
+	if [ -f "$COMPOSE_PLUGIN_PATH" ] ; then
+		known_plugin_commands+=("compose")
+	fi
+
 	local experimental_server_commands=(
 		checkpoint
 	)
 
-	local commands=(${management_commands[*]} ${top_level_commands[*]})
+	local commands=(${management_commands[*]} ${top_level_commands[*]} ${known_plugin_commands[*]})
 	[ -z "$DOCKER_HIDE_LEGACY_COMMANDS" ] && commands+=(${legacy_commands[*]})
 
 	# These options are valid as global options for all client commands

contrib/completion/zsh/_docker

@@ -3094,6 +3094,7 @@ _docker() {
     _arguments $(__docker_arguments) -C \
         "(: -)"{-h,--help}"[Print usage]" \
         "($help)--config[Location of client config files]:path:_directories" \
+        "($help -c --context)"{-c=,--context=}"[Execute the command in a docker context]:context:__docker_complete_contexts" \
         "($help -D --debug)"{-D,--debug}"[Enable debug mode]" \
         "($help -H --host)"{-H=,--host=}"[tcp://host:port to bind/connect to]:host: " \
         "($help -l --log-level)"{-l=,--log-level=}"[Logging level]:level:(debug info warn error fatal)" \
@@ -3109,7 +3110,8 @@ _docker() {
 
     local host=${opt_args[-H]}${opt_args[--host]}
     local config=${opt_args[--config]}
-    local docker_options="${host:+--host $host} ${config:+--config $config}"
+    local context=${opt_args[-c]}${opt_args[--context]}
+    local docker_options="${host:+--host $host} ${config:+--config $config} ${context:+--context $context} "
 
     case $state in
         (command)

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.17.11"
+    default = "1.18.9"
 }
 variable "VERSION" {
     default = ""

dockerfiles/Dockerfile.binary-native

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.9
 
 FROM    golang:${GO_VERSION}-alpine
 

dockerfiles/Dockerfile.dev

@@ -1,8 +1,9 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.9
+ARG ALPINE_VERSION=3.16
 
-FROM golang:${GO_VERSION}-alpine AS golang
+FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
 ENV  CGO_ENABLED=0
 
 FROM golang AS esc
@@ -13,7 +14,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     GO111MODULE=on go install github.com/mjibson/esc@${ESC_VERSION}
 
 FROM golang AS gotestsum
-ARG GOTESTSUM_VERSION=v0.4.0
+ARG GOTESTSUM_VERSION=v1.8.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \

dockerfiles/Dockerfile.e2e

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.9
 
 # Use Debian based image as docker-compose requires glibc.
 FROM golang:${GO_VERSION}-buster
@@ -18,7 +18,7 @@ ARG NOTARY_VERSION=v0.6.1
 RUN curl -fsSL https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
     && chmod +x /usr/local/bin/notary
 
-ARG GOTESTSUM_VERSION=0.4.0
+ARG GOTESTSUM_VERSION=1.8.2
 RUN curl -fsSL https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz \
     && tar -xf gotestsum.tar.gz gotestsum \
     && mv gotestsum /usr/local/bin/gotestsum \

dockerfiles/Dockerfile.lint

@@ -1,18 +1,19 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.17.11
-ARG GOLANGCI_LINTER_SHA="v1.21.0"
+ARG GO_VERSION=1.18.9
+ARG ALPINE_VERSION=3.16
+ARG GOLANGCI_LINT_VERSION=v1.45.2
 
-FROM    golang:${GO_VERSION}-alpine AS build
+FROM    golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build
 ENV     CGO_ENABLED=0
 RUN     apk add --no-cache git
-ARG     GOLANGCI_LINTER_SHA
+ARG     GOLANGCI_LINT_VERSION
 ARG     GO111MODULE=on
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-        go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINTER_SHA}
+        go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}
 
-FROM    golang:${GO_VERSION}-alpine AS lint
+FROM    golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS lint
 ENV     GO111MODULE=off
 ENV     CGO_ENABLED=0
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1

docs/deprecated.md

@@ -67,6 +67,7 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`docker engine` subcommands](#docker-engine-subcommands)                                                                          | v19.03     | v20.10 |
 | Removed    | [Top-level `docker deploy` subcommand (experimental)](#top-level-docker-deploy-subcommand-experimental)                            | v19.03     | v20.10 |
 | Removed    | [`docker stack deploy` using "dab" files (experimental)](#docker-stack-deploy-using-dab-files-experimental)                        | v19.03     | v20.10 |
+| Disabled   | [Support for the `overlay2.override_kernel_check` storage option](#support-for-the-overlay2override_kernel_check-storage-option)   | v19.03     | -      |
 | Deprecated | [AuFS storage driver](#aufs-storage-driver)                                                                                        | v19.03     | -      |
 | Deprecated | [Legacy "overlay" storage driver](#legacy-overlay-storage-driver)                                                                  | v18.09     | -      |
 | Deprecated | [Device mapper storage driver](#device-mapper-storage-driver)                                                                      | v18.09     | -      |
@@ -323,6 +324,19 @@ format, support for the DAB file format and the top-level docker deploy command
 (hidden by default in 19.03), will be removed, in favour of `docker stack deploy`
 using compose files.
 
+### Support for the `overlay2.override_kernel_check` storage option
+
+**Deprecated in Release: v19.03**
+**Disabled in Release: v19.03**
+
+This daemon configuration option disabled the Linux kernel version check used
+to detect if the kernel supported OverlayFS with multiple lower dirs, which is
+required for the overlay2 storage driver. Starting with Docker v19.03.7, the
+detection was improved to no longer depend on the kernel _version_, so this
+option was no longer used.
+
+Docker v22.06 logs a warning in the daemon logs if this option is set, and
+users should remove this option from their daemon configuration.
 
 ### AuFS storage driver
 

docs/extend/index.md

@@ -14,9 +14,9 @@ keywords: "API, Usage, plugins, documentation, developer"
 
 # Docker Engine managed plugin system
 
-* [Installing and using a plugin](index.md#installing-and-using-a-plugin)
-* [Developing a plugin](index.md#developing-a-plugin)
-* [Debugging plugins](index.md#debugging-plugins)
+- [Installing and using a plugin](index.md#installing-and-using-a-plugin)
+- [Developing a plugin](index.md#developing-a-plugin)
+- [Debugging plugins](index.md#debugging-plugins)
 
 Docker Engine's plugin system allows you to install, start, stop, and remove
 plugins using Docker Engine.
@@ -70,7 +70,7 @@ enabled, and use it to create a volume.
 
     - It needs access to the `host` network.
     - It needs the `CAP_SYS_ADMIN` capability, which allows the plugin to run
-    the `mount` command.
+      the `mount` command.
 
 2.  Check that the plugin is enabled in the output of `docker plugin ls`.
 
@@ -115,6 +115,7 @@ enabled, and use it to create a volume.
     ```
 
 6.  Remove the volume `sshvolume`
+
     ```console
     $ docker volume rm sshvolume
 
@@ -126,15 +127,15 @@ remove it, use the `docker plugin remove` command. For other available
 commands and options, see the
 [command line reference](https://docs.docker.com/engine/reference/commandline/cli/).
 
-
 ## Developing a plugin
 
 #### The rootfs directory
+
 The `rootfs` directory represents the root filesystem of the plugin. In this
 example, it was created from a Dockerfile:
 
->**Note:** The `/run/docker/plugins` directory is mandatory inside of the
-plugin's filesystem for docker to communicate with the plugin.
+> **Note:** The `/run/docker/plugins` directory is mandatory inside of the
+> plugin's filesystem for docker to communicate with the plugin.
 
 ```console
 $ git clone https://github.com/vieux/docker-volume-sshfs
@@ -155,19 +156,19 @@ Consider the following `config.json` file.
 
 ```json
 {
-	"description": "sshFS plugin for Docker",
-	"documentation": "https://docs.docker.com/engine/extend/plugins/",
-	"entrypoint": ["/docker-volume-sshfs"],
-	"network": {
-		   "type": "host"
-		   },
-	"interface" : {
-		   "types": ["docker.volumedriver/1.0"],
-		   "socket": "sshfs.sock"
-	},
-	"linux": {
-		"capabilities": ["CAP_SYS_ADMIN"]
-	}
+  "description": "sshFS plugin for Docker",
+  "documentation": "https://docs.docker.com/engine/extend/plugins/",
+  "entrypoint": ["/docker-volume-sshfs"],
+  "network": {
+    "type": "host"
+  },
+  "interface": {
+    "types": ["docker.volumedriver/1.0"],
+    "socket": "sshfs.sock"
+  },
+  "linux": {
+    "capabilities": ["CAP_SYS_ADMIN"]
+  }
 }
 ```
 
@@ -187,7 +188,6 @@ After that the plugin `<plugin-name>` will show up in `docker plugin ls`.
 Plugins can be pushed to remote registries with
 `docker plugin push <plugin-name>`.
 
-
 ## Debugging plugins
 
 Stdout of a plugin is redirected to dockerd logs. Such entries have a
@@ -226,7 +226,7 @@ plugins. This is specifically useful to collect plugin logs if they are
 redirected to a file.
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins list
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby list
 
 ID                                                                 PID         STATUS      BUNDLE                                                                                                                                       CREATED                          OWNER
 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   15806       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   2018-02-08T21:40:08.621358213Z   root
@@ -235,14 +235,14 @@ c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   14984       r
 ```
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
 ```
 
 If the plugin has a built-in shell, then exec into the plugin can be done as
 follows:
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
 ```
 
 #### Using curl to debug plugin socket issues.
@@ -253,7 +253,6 @@ docker host to volume and network plugins using curl 7.47.0 to ensure that
 the plugin is listening on the said socket. For a well functioning plugin,
 these basic requests should work. Note that plugin sockets are available on the host under `/var/run/docker/plugins/<pluginID>`
 
-
 ```console
 $ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List
 

docs/reference/builder.md

@@ -1060,7 +1060,7 @@ If an environment variable is only needed during build, and not in the final
 image, consider setting a value for a single command instead:
 
 ```dockerfile
-RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y ...
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y ...
 ```
  
 Or using [`ARG`](#arg), which is not persisted in the final image:

docs/reference/commandline/build.md

@@ -323,13 +323,13 @@ directory from the context. Its effect can be seen in the changed size of the
 uploaded context. The builder reference contains detailed information on
 [creating a .dockerignore file](../builder.md#dockerignore-file).
 
-When using the [BuildKit backend](../builder.md#buildkit), `docker build` searches
-for a `.dockerignore` file relative to the Dockerfile name. For example, running
-`docker build -f myapp.Dockerfile .` will first look for an ignore file named
-`myapp.Dockerfile.dockerignore`. If such a file is not found, the `.dockerignore`
-file is used if present. Using a Dockerfile based `.dockerignore` is useful if a
-project contains multiple Dockerfiles that expect to ignore different sets of
-files.
+When using the [BuildKit backend](https://docs.docker.com/build/buildkit/),
+`docker build` searches for a `.dockerignore` file relative to the Dockerfile
+name. For example, running `docker build -f myapp.Dockerfile .` will first look
+for an ignore file named `myapp.Dockerfile.dockerignore`. If such a file is not
+found, the `.dockerignore` file is used if present. Using a Dockerfile based
+`.dockerignore` is useful if a project contains multiple Dockerfiles that
+expect to ignore different sets of files.
 
 
 ### Tag an image (-t)
@@ -585,8 +585,9 @@ vndr
 > **Note**
 >
 > This feature requires the BuildKit backend. You can either
-> [enable BuildKit](../builder.md#buildkit) or use the [buildx](https://github.com/docker/buildx)
-> plugin which provides more output type options.
+> [enable BuildKit](https://docs.docker.com/build/buildkit/#getting-started) or
+> use the [buildx](https://github.com/docker/buildx) plugin which provides more
+> output type options.
 
 ### Specifying external cache sources
 
@@ -627,9 +628,9 @@ $ docker build --cache-from myname/myapp .
 > **Note**
 >
 > This feature requires the BuildKit backend. You can either
-> [enable BuildKit](../builder.md#buildkit) or use the [buildx](https://github.com/docker/buildx)
-> plugin. The previous builder has limited support for reusing cache from
-> pre-pulled images.
+> [enable BuildKit](https://docs.docker.com/build/buildkit/#getting-started) or
+> use the [buildx](https://github.com/docker/buildx) plugin. The previous
+> builder has limited support for reusing cache from pre-pulled images.
 
 ### Squash an image's layers (--squash) (experimental)
 

docs/reference/commandline/cli.md

@@ -78,7 +78,7 @@ line:
 | `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                          |
 | `DOCKER_STACK_ORCHESTRATOR`   | Configure the default orchestrator to use when using `docker stack` management commands.                                              |
 | `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
-| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](../builder.md#buildkit). Use plain to show container output (default `auto`). |
+| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
 
 Because Docker is developed using Go, you can also use any environment
 variables used by the Go runtime. In particular, you may find these useful:

docs/reference/commandline/dockerd.md

@@ -820,20 +820,11 @@ $ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
 
 #### Overlay2 options
 
-##### `overlay2.override_kernel_check`
-
-Overrides the Linux kernel version check allowing overlay2. Support for
-specifying multiple lower directories needed by overlay2 was added to the
-Linux kernel in 4.0.0. However, some older kernel versions may be patched
-to add multiple lower directory support for OverlayFS. This option should
-only be used after verifying this support exists in the kernel. Applying
-this option on a kernel without this support will cause failures on mount.
-
 ##### `overlay2.size`
 
 Sets the default max size of the container. It is supported only when the
 backing fs is `xfs` and mounted with `pquota` mount option. Under these
-conditions the user can pass any size less then the backing fs size.
+conditions the user can pass any size less than the backing fs size.
 
 ###### Example
 

docs/reference/commandline/inspect.md

@@ -29,15 +29,15 @@ By default, `docker inspect` will render results in a JSON array.
 
 If a format is specified, the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
-describes all the details of the format.
+Go's [text/template](https://golang.org/pkg/text/template/) package describes
+all the details of the format.
 
 ## Specify target type (--type)
 
 `--type container|image|node|network|secret|service|volume|task|plugin`
 
-The `docker inspect` command matches any type of object by either ID or name.
-In some cases multiple type of objects (for example, a container and a volume)
+The `docker inspect` command matches any type of object by either ID or name. In
+some cases multiple type of objects (for example, a container and a volume)
 exist with the same name, making the result ambiguous.
 
 To restrict `docker inspect` to a specific type of object, use the `--type`
@@ -49,6 +49,35 @@ The following example inspects a _volume_ named "myvolume"
 $ docker inspect --type=volume myvolume
 ```
 
+### <a name=size></a> Inspect the size of a container (-s, --size)
+
+The `--size`, or short-form `-s`, option adds two additional fields to the
+`docker inspect` output. This option only works for containers. The container
+doesn't have to be running, it also works for stopped containers.
+
+```console
+$ docker inspect --size mycontainer
+```
+
+The output includes the full output of a regular `docker inspect` command, with
+the following additional fields:
+
+- `SizeRootFs`: the total size of all the files in the container, in bytes.
+- `SizeRw`: the size of the files that have been created or changed in the
+  container, compared to it's image, in bytes.
+
+```console
+$ docker run --name database -d redis
+3b2cbf074c99db4a0cad35966a9e24d7bc277f5565c17233386589029b7db273
+$ docker inspect --size database -f '{{ .SizeRootFs }}'
+123125760
+$ docker inspect --size database -f '{{ .SizeRw }}'                 
+8192
+$ docker exec database fallocate -l 1000 /newfile 
+$ docker inspect --size database -f '{{ .SizeRw }}'
+12288
+```
+
 ## Examples
 
 ### Get an instance's IP address
@@ -80,8 +109,7 @@ $ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
 
 ### List all port bindings
 
-You can loop over arrays and maps in the results to produce simple text
-output:
+You can loop over arrays and maps in the results to produce simple text output:
 
 ```console
 $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' $INSTANCE_ID
@@ -89,13 +117,12 @@ $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}}
 
 ### Find a specific port mapping
 
-The `.Field` syntax doesn't work when the field name begins with a
-number, but the template language's `index` function does. The
-`.NetworkSettings.Ports` section contains a map of the internal port
-mappings to a list of external address/port objects. To grab just the
-numeric public port, you use `index` to find the specific port map, and
-then `index` 0 contains the first object inside of that. Then we ask for
-the `HostPort` field to get the public address.
+The `.Field` syntax doesn't work when the field name begins with a number, but
+the template language's `index` function does. The `.NetworkSettings.Ports`
+section contains a map of the internal port mappings to a list of external
+address/port objects. To grab just the numeric public port, you use `index` to
+find the specific port map, and then `index` 0 contains the first object inside
+of that. Then we ask for the `HostPort` field to get the public address.
 
 ```console
 $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0).HostPort}}' $INSTANCE_ID
@@ -103,10 +130,9 @@ $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0)
 
 ### Get a subsection in JSON format
 
-If you request a field which is itself a structure containing other
-fields, by default you get a Go-style dump of the inner values.
-Docker adds a template function, `json`, which can be applied to get
-results in JSON format.
+If you request a field which is itself a structure containing other fields, by
+default you get a Go-style dump of the inner values. Docker adds a template
+function, `json`, which can be applied to get results in JSON format.
 
 ```console
 $ docker inspect --format='{{json .Config}}' $INSTANCE_ID

docs/reference/commandline/logs.md

@@ -25,11 +25,6 @@ Options:
 
 The `docker logs` command batch-retrieves logs present at the time of execution.
 
-> **Note**
->
-> This command is only functional for containers that are started with the
-> `json-file` or `journald` logging driver.
-
 For more information about selecting and configuring logging drivers, refer to
 [Configure logging drivers](https://docs.docker.com/config/containers/logging/configure/).
 

docs/reference/commandline/run.md

@@ -587,14 +587,15 @@ retrieve the container's ID once the container has finished running.
 ### Add host device to container (--device)
 
 ```console
-$ docker run --device=/dev/sdc:/dev/xvdc \
-             --device=/dev/sdd --device=/dev/zero:/dev/nulo \
-             -i -t \
-             ubuntu ls -l /dev/{xvdc,sdd,nulo}
+$ docker run -it --rm \
+    --device=/dev/sdc:/dev/xvdc \
+    --device=/dev/sdd \
+    --device=/dev/zero:/dev/foobar \
+    ubuntu ls -l /dev/{xvdc,sdd,foobar}
 
 brw-rw---- 1 root disk 8, 2 Feb  9 16:05 /dev/xvdc
 brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
-crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/nulo
+crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/foobar
 ```
 
 It is often necessary to directly expose devices to a container. The `--device`

docs/reference/commandline/version.md

@@ -19,30 +19,84 @@ Options:
 
 ## Description
 
-By default, this will render all version information in an easy to read
-layout. If a format is specified, the given template will be executed instead.
+The version command prints the current version number for all independently
+versioned Docker components. Use the [`--format`](#format) option to customize
+the output.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
-describes all the details of the format.
-
-## Examples
+The version command (`docker version`) outputs the version numbers of Docker
+components, while the `--version` flag (`docker --version`) outputs the version
+number of the Docker CLI you are using.
 
 ### Default output
 
+The default output renders all version information divided into two sections;
+the "Client" section contains information about the Docker CLI and client
+components, and the "Server" section contains information about the Docker
+Engine and components used by the Engine, such as the "Containerd" and "Runc"
+OCI Runtimes.
+
+The information shown may differ depending on how you installed Docker and
+what components are in use. The following example shows the output on a macOS
+machine running Docker Desktop:
+
 ```console
 $ docker version
 
 Client:
- Version:           19.03.8
- API version:       1.40
- Go version:        go1.12.17
- Git commit:        afacb8b
- Built:             Wed Mar 11 01:21:11 2020
+ Version:           20.10.16
+ API version:       1.41
+ Go version:        go1.17.10
+ Git commit:        aa7e414
+ Built:             Thu May 12 09:17:28 2022
  OS/Arch:           darwin/amd64
  Context:           default
- Experimental:      true
 
-Server:
+Server: Docker Desktop 4.8.2 (77141)
+ Engine:
+  Version:          20.10.16
+  API version:      1.41 (minimum version 1.12)
+  Go version:       go1.17.10
+  Git commit:       f756502
+  Built:            Thu May 12 09:15:33 2022
+  OS/Arch:          linux/amd64
+  Experimental:     false
+ containerd:
+  Version:          1.6.4
+  GitCommit:        212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
+ runc:
+  Version:          1.1.1
+  GitCommit:        v1.1.1-0-g52de29d
+ docker-init:
+  Version:          0.19.0
+  GitCommit:        de40ad0
+```
+
+### Client and server versions
+
+Docker uses a client/server architecture, which allows you to use the Docker CLI
+on your local machine to control a Docker Engine running on a remote machine,
+which can be (for example) a machine running in the Cloud or inside a Virtual Machine.
+
+The following example switches the Docker CLI to use a [context](context.md)
+named "remote-test-server", which runs an older version of the Docker Engine
+on a Linux server:
+
+```console
+$ docker context use remote-test-server
+remote-test-server
+
+$ docker version
+
+Client:
+ Version:           20.10.16
+ API version:       1.40 (downgraded from 1.41)
+ Go version:        go1.17.10
+ Git commit:        aa7e414
+ Built:             Thu May 12 09:17:28 2022
+ OS/Arch:           darwin/amd64
+ Context:           remote-test-server
+
+Server: Docker Engine - Community
  Engine:
   Version:          19.03.8
   API version:      1.40 (minimum version 1.12)
@@ -50,7 +104,6 @@ Server:
   Git commit:       afacb8b
   Built:            Wed Mar 11 01:29:16 2020
   OS/Arch:          linux/amd64
-  Experimental:     true
  containerd:
   Version:          v1.2.13
   GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
@@ -62,12 +115,21 @@ Server:
   GitCommit:        fec3683
 ```
 
+## Examples
+
+### <a name=format></a> Format the output (--format)
+
+The formatting option (`--format`) pretty-prints the output using a Go template,
+which allows you to customize the output format, or to obtain specific information
+from the output. Refer to the [format command and log output](https://docs.docker.com/config/formatting/)
+page for details of the format.
+
 ### Get the server version
 
 ```console
 $ docker version --format '{{.Server.Version}}'
 
-19.03.8
+20.10.16
 ```
 
 ### Dump raw JSON data

docs/reference/run.md

@@ -687,7 +687,7 @@ the container exits**, you can add the `--rm` flag:
 | `--security-opt="label=level:LEVEL"`      | Set the label level for the container                                     |
 | `--security-opt="label=disable"`          | Turn off label confinement for the container                              |
 | `--security-opt="apparmor=PROFILE"`       | Set the apparmor profile to be applied to the container                   |
-| `--security-opt="no-new-privileges:true"` | Disable container processes from gaining new privileges                   |
+| `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges                   |
 | `--security-opt="seccomp=unconfined"`     | Turn off seccomp confinement for the container                            |
 | `--security-opt="seccomp=profile.json"`   | White-listed syscalls seccomp Json file to be used as a seccomp filter    |
 

templates/templates.go

@@ -20,7 +20,7 @@ var basicFunctions = template.FuncMap{
 	},
 	"split":    strings.Split,
 	"join":     strings.Join,
-	"title":    strings.Title,
+	"title":    strings.Title, //nolint:staticcheck // strings.Title is deprecated, but we only use it for ASCII, so replacing with golang.org/x/text is out of scope
 	"lower":    strings.ToLower,
 	"upper":    strings.ToUpper,
 	"pad":      padWithSpace,

vendor.conf

@@ -4,7 +4,7 @@ github.com/beorn7/perks                             37c8de3658fcb183f997c4e13e83
 github.com/cespare/xxhash/v2                        d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1
 github.com/containerd/console                       5d7e1412f07b502a01029ea20e20e0d2be31fa7c # v1.0.1
 github.com/containerd/containerd                    0edc412565dcc6e3d6125ff9e4b009ad4b89c638 # master (v1.5.0-dev)
-github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165
+github.com/containerd/continuity                    5ad51c7aca47b8e742f5e6e7dc841d50f5f6affd # v0.3.0
 github.com/containerd/cgroups                       0b889c03f102012f1d93a97ddd3ef71cd6f4f510
 github.com/containerd/typeurl                       cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1
 github.com/coreos/etcd                              d57e8b8d97adfc4a6c224fe116714bf1a1f3beb9 # v3.3.12
@@ -13,7 +13,7 @@ github.com/creack/pty                               2a38352e8b4d7ab6c336eef107e4
 github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
 github.com/docker/compose-on-kubernetes             1f9b5b8cb6aca13deee947511801cf89447c1bfe # v0.5.0
 github.com/docker/distribution                      b5ca020cfbe998e5af3457fda087444cf5116496 # v2.8.1
-github.com/docker/docker                            87a90dc786bda134c9eb02adbae2c6a7342fb7f6 # v20.10.14
+github.com/docker/docker                            3056208812eb5e792fa99736c9167d1e10f4ab49 # v20.10.21
 github.com/docker/docker-credential-helpers         fc9290adbcf1594e78910e2f0334090eaee0e1ee # v0.6.4
 github.com/docker/go                                d30aec9fd63c35133f8f79c3412ad91a3b08be06 # Contains a customized version of canonical/json and is used by Notary. The package is periodically rebased on current Go versions.
 github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
@@ -29,7 +29,7 @@ github.com/gogo/protobuf                            5628607bb4c51c3157aacc3a50f0
 github.com/golang/groupcache                        869f871628b6baa9cfbc11732cdf6546b17c1298
 github.com/golang/protobuf                          84668698ea25b64748563aa20726db66a6b8d299 # v1.3.5
 github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0
-github.com/google/gofuzz                            24818f796faf91cd76ec7bddd72458fbced7a6c1
+github.com/google/gofuzz                            f140a6486e521aad38f5917de355cbf147cc0496 # v1.0.0
 github.com/google/shlex                             e7afc7fbc51079733e9468cdfd1efcd7d196cd1d
 github.com/googleapis/gnostic                       7c663266750e7d82587642f65e60bc4083f1f84e # v0.2.0
 github.com/gorilla/mux                              98cb6bf42e086f6af920b965c38cacc07402d51b # v1.8.0
@@ -40,17 +40,17 @@ github.com/hashicorp/golang-lru                     7f827b33c0f158ec5dfbba01bb0b
 github.com/imdario/mergo                            1afb36080aec31e0d1528973ebe6721b191b0369 # v0.3.8
 github.com/inconshreveable/mousetrap                76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0.0
 github.com/jaguilar/vt100                           ad4c4a5743050fb7f88ce968dca9422f72a0e3f2 https://github.com/tonistiigi/vt100.git
-github.com/json-iterator/go                         0ff49de124c6f76f8494e194af75bde0f1a49a29 # 1.1.6
+github.com/json-iterator/go                         024077e996b048517130b21ea6bf12aa23055d3d # v1.1.12
 github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
 github.com/Microsoft/go-winio                       5b44b70ab3ab4d291a7c1d28afe7b4afeced0ed4 # v0.4.15
 github.com/Microsoft/hcsshim                        5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9
 github.com/miekg/pkcs11                             210dc1e16747c5ba98a03bcbcf728c38086ea357 # v1.0.3
 github.com/mitchellh/mapstructure                   d16e9488127408e67948eb43b6d3fbb9f222da10 # v1.3.2
-github.com/moby/buildkit                            8142d66b5ebde79846b869fba30d9d30633e74aa # v0.8.1
+github.com/moby/buildkit                            eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 # v0.8.4-0.20221020190723-eeb7b65ab7d6
 github.com/moby/sys                                 1bc8673b57550ddf85262eb0fed0aac651a37dab # symlink/v0.1.0 (latest tag, either mount/vXXX, mountinfo/vXXX or symlink/vXXX)
 github.com/moby/term                                3f7ff695adc6a35abc925370dd0a4dafb48ec64d
 github.com/modern-go/concurrent                     bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
-github.com/modern-go/reflect2                       4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
+github.com/modern-go/reflect2                       2b33151c9bbc5231aea69b8861c540102b087070 # v1.0.2
 github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9c45e8be1067b # v1.0.0
 github.com/opencontainers/go-digest                 ea51bea511f75cfa3ef6098cc253c5c3609b037a # v1.0.0
 github.com/opencontainers/image-spec                67d2d5658fe0476ab9bf414cec164077ebff3920 # v1.0.2
@@ -73,7 +73,7 @@ github.com/xeipuuv/gojsonpointer                    02993c407bfbf5f6dae44c4f4b1c
 github.com/xeipuuv/gojsonreference                  bd5ef7bd5415a7ac448318e64f11a24cd21e594b
 github.com/xeipuuv/gojsonschema                     82fcdeb203eb6ab2a67d0a623d9c19e5e5a64927 # v1.2.0
 go.opencensus.io                                    d835ff86be02193d324330acdb7d65546b05f814 # v0.22.3
-golang.org/x/crypto                                 c1f2f97bffc9c53fc40a1a28a5b460094c0050d9
+golang.org/x/crypto                                 642fcc37f5043eadb2509c84b2769e729e7d27ef # v0.1.0
 golang.org/x/net                                    ab34263943818b32f575efc978a3d24e80b04bd7
 golang.org/x/oauth2                                 bf48bf16ab8d622ce64ec6ce98d2c98f916b6303
 golang.org/x/sync                                   cd5d95a43a6e21273425c7ae415d3df9ea832eeb

vendor/github.com/containerd/continuity/README.md

@@ -1,19 +1,20 @@
 # continuity
 
-[![GoDoc](https://godoc.org/github.com/containerd/continuity?status.svg)](https://godoc.org/github.com/containerd/continuity)
-[![Build Status](https://travis-ci.org/containerd/continuity.svg?branch=master)](https://travis-ci.org/containerd/continuity)
+[![Go Reference](https://pkg.go.dev/badge/github.com/containerd/continuity.svg)](https://pkg.go.dev/github.com/containerd/continuity)
+[![Build Status](https://github.com/containerd/continuity/workflows/Continuity/badge.svg)](https://github.com/containerd/continuity/actions?query=workflow%3AContinuity+branch%3Amain)
 
 A transport-agnostic, filesystem metadata manifest system
 
 This project is a staging area for experiments in providing transport agnostic
 metadata storage.
 
-Please see https://github.com/opencontainers/specs/issues/11 for more details.
+See [opencontainers/runtime-spec#11](https://github.com/opencontainers/runtime-spec/issues/11)
+for more details.
 
 ## Manifest Format
 
 A continuity manifest encodes filesystem metadata in Protocol Buffers.
-Please refer to [proto/manifest.proto](proto/manifest.proto).
+Refer to [proto/manifest.proto](proto/manifest.proto) for more details.
 
 ## Usage
 
@@ -63,6 +64,10 @@ $ stat -c %a Makefile
 $ ./bin/continuity verify . /tmp/a.pb
 ```
 
+## Platforms
+
+continuity primarily targets Linux. Continuity may compile for and work on
+other operating systems, but those platforms are not tested.
 
 ## Contribution Guide
 ### Building Proto Package
@@ -77,8 +82,8 @@ $ go generate ./proto
 
 continuity is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
 As a containerd sub-project, you will find the:
- * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
- * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
- * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
 
 information in our [`containerd/project`](https://github.com/containerd/project) repository.

vendor/github.com/containerd/continuity/go.mod

@@ -1,23 +1,14 @@
 module github.com/containerd/continuity
 
-go 1.13
+go 1.17
 
 require (
-	bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898
-	github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4
-	github.com/golang/protobuf v1.2.0
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/onsi/ginkgo v1.10.1 // indirect
-	github.com/onsi/gomega v1.7.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0-rc1
-	github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7
-	github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2
-	github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee
-	github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95 // indirect
-	github.com/stretchr/testify v1.4.0 // indirect
-	golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3 // indirect
-	golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f
-	golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e
-	gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
-	gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 // indirect
+	github.com/Microsoft/go-winio v0.5.2
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/sirupsen/logrus v1.8.1
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/sys v0.0.0-20220405210540-1e041c57c461
+	google.golang.org/protobuf v1.26.0
 )
+
+require github.com/stretchr/testify v1.3.0 // indirect

vendor/github.com/containerd/continuity/sysx/nodata_unix.go

@@ -1,4 +1,5 @@
-// +build darwin freebsd openbsd
+//go:build !(linux || solaris || windows)
+// +build !linux,!solaris,!windows
 
 /*
    Copyright The containerd Authors.

vendor/github.com/containerd/continuity/sysx/xattr.go

@@ -1,3 +1,4 @@
+//go:build linux || darwin
 // +build linux darwin
 
 /*

vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !linux && !darwin
 // +build !linux,!darwin
 
 /*

vendor/github.com/docker/docker/api/common_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package api // import "github.com/docker/docker/api"

vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package container // import "github.com/docker/docker/api/types/container"

vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go

@@ -17,21 +17,38 @@ type gitRepo struct {
 	remote string
 	ref    string
 	subdir string
+
+	isolateConfig bool
+}
+
+// CloneOption changes the behaviour of Clone().
+type CloneOption func(*gitRepo)
+
+// WithIsolatedConfig disables reading the user or system gitconfig files when
+// performing Git operations.
+func WithIsolatedConfig(v bool) CloneOption {
+	return func(gr *gitRepo) {
+		gr.isolateConfig = v
+	}
 }
 
 // Clone clones a repository into a newly created directory which
 // will be under "docker-build-git"
-func Clone(remoteURL string) (string, error) {
+func Clone(remoteURL string, opts ...CloneOption) (string, error) {
 	repo, err := parseRemoteURL(remoteURL)
 
 	if err != nil {
 		return "", err
 	}
 
-	return cloneGitRepo(repo)
+	for _, opt := range opts {
+		opt(&repo)
+	}
+
+	return repo.clone()
 }
 
-func cloneGitRepo(repo gitRepo) (checkoutDir string, err error) {
+func (repo gitRepo) clone() (checkoutDir string, err error) {
 	fetch := fetchArgs(repo.remote, repo.ref)
 
 	root, err := ioutil.TempDir("", "docker-build-git")
@@ -45,21 +62,21 @@ func cloneGitRepo(repo gitRepo) (checkoutDir string, err error) {
 		}
 	}()
 
-	if out, err := gitWithinDir(root, "init"); err != nil {
+	if out, err := repo.gitWithinDir(root, "init"); err != nil {
 		return "", errors.Wrapf(err, "failed to init repo at %s: %s", root, out)
 	}
 
 	// Add origin remote for compatibility with previous implementation that
 	// used "git clone" and also to make sure local refs are created for branches
-	if out, err := gitWithinDir(root, "remote", "add", "origin", repo.remote); err != nil {
+	if out, err := repo.gitWithinDir(root, "remote", "add", "origin", repo.remote); err != nil {
 		return "", errors.Wrapf(err, "failed add origin repo at %s: %s", repo.remote, out)
 	}
 
-	if output, err := gitWithinDir(root, fetch...); err != nil {
+	if output, err := repo.gitWithinDir(root, fetch...); err != nil {
 		return "", errors.Wrapf(err, "error fetching: %s", output)
 	}
 
-	checkoutDir, err = checkoutGit(root, repo.ref, repo.subdir)
+	checkoutDir, err = repo.checkout(root)
 	if err != nil {
 		return "", err
 	}
@@ -163,20 +180,20 @@ func supportsShallowClone(remoteURL string) bool {
 	return true
 }
 
-func checkoutGit(root, ref, subdir string) (string, error) {
+func (repo gitRepo) checkout(root string) (string, error) {
 	// Try checking out by ref name first. This will work on branches and sets
 	// .git/HEAD to the current branch name
-	if output, err := gitWithinDir(root, "checkout", ref); err != nil {
+	if output, err := repo.gitWithinDir(root, "checkout", repo.ref); err != nil {
 		// If checking out by branch name fails check out the last fetched ref
-		if _, err2 := gitWithinDir(root, "checkout", "FETCH_HEAD"); err2 != nil {
-			return "", errors.Wrapf(err, "error checking out %s: %s", ref, output)
+		if _, err2 := repo.gitWithinDir(root, "checkout", "FETCH_HEAD"); err2 != nil {
+			return "", errors.Wrapf(err, "error checking out %s: %s", repo.ref, output)
 		}
 	}
 
-	if subdir != "" {
-		newCtx, err := symlink.FollowSymlinkInScope(filepath.Join(root, subdir), root)
+	if repo.subdir != "" {
+		newCtx, err := symlink.FollowSymlinkInScope(filepath.Join(root, repo.subdir), root)
 		if err != nil {
-			return "", errors.Wrapf(err, "error setting git context, %q not within git root", subdir)
+			return "", errors.Wrapf(err, "error setting git context, %q not within git root", repo.subdir)
 		}
 
 		fi, err := os.Stat(newCtx)
@@ -192,13 +209,21 @@ func checkoutGit(root, ref, subdir string) (string, error) {
 	return root, nil
 }
 
-func gitWithinDir(dir string, args ...string) ([]byte, error) {
-	a := []string{"--work-tree", dir, "--git-dir", filepath.Join(dir, ".git")}
-	return git(append(a, args...)...)
-}
+func (repo gitRepo) gitWithinDir(dir string, args ...string) ([]byte, error) {
+	args = append([]string{"-c", "protocol.file.allow=never"}, args...) // Block sneaky repositories from using repos from the filesystem as submodules.
+	cmd := exec.Command("git", args...)
+	cmd.Dir = dir
+	// Disable unsafe remote protocols.
+	cmd.Env = append(os.Environ(), "GIT_PROTOCOL_FROM_USER=0")
 
-func git(args ...string) ([]byte, error) {
-	return exec.Command("git", args...).CombinedOutput()
+	if repo.isolateConfig {
+		cmd.Env = append(cmd.Env,
+			"GIT_CONFIG_NOSYSTEM=1", // Disable reading from system gitconfig.
+			"HOME=/dev/null",        // Disable reading from user gitconfig.
+		)
+	}
+
+	return cmd.CombinedOutput()
 }
 
 // isGitTransport returns true if the provided str is a git transport by inspecting

vendor/github.com/docker/docker/client/client.go

@@ -135,9 +135,6 @@ func NewClientWithOpts(ops ...Opt) (*Client, error) {
 		}
 	}
 
-	if _, ok := c.client.Transport.(http.RoundTripper); !ok {
-		return nil, fmt.Errorf("unable to verify TLS configuration, invalid transport %v", c.client.Transport)
-	}
 	if c.scheme == "" {
 		c.scheme = "http"
 

vendor/github.com/docker/docker/client/client_unix.go

@@ -1,3 +1,4 @@
+//go:build linux || freebsd || openbsd || netbsd || darwin || solaris || illumos || dragonfly
 // +build linux freebsd openbsd netbsd darwin solaris illumos dragonfly
 
 package client // import "github.com/docker/docker/client"

vendor/github.com/docker/docker/client/container_create.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"net/url"
+	"path"
 
-	"github.com/containerd/containerd/platforms"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
@@ -16,7 +16,6 @@ type configWrapper struct {
 	*container.Config
 	HostConfig       *container.HostConfig
 	NetworkingConfig *network.NetworkingConfig
-	Platform         *specs.Platform
 }
 
 // ContainerCreate creates a new container based in the given configuration.
@@ -38,8 +37,8 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 	}
 
 	query := url.Values{}
-	if platform != nil {
-		query.Set("platform", platforms.Format(*platform))
+	if p := formatPlatform(platform); p != "" {
+		query.Set("platform", p)
 	}
 
 	if containerName != "" {
@@ -61,3 +60,15 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 	err = json.NewDecoder(serverResp.body).Decode(&response)
 	return response, err
 }
+
+// formatPlatform returns a formatted string representing platform (e.g. linux/arm/v7).
+//
+// Similar to containerd's platforms.Format(), but does allow components to be
+// omitted (e.g. pass "architecture" only, without "os":
+// https://github.com/containerd/containerd/blob/v1.5.2/platforms/platforms.go#L243-L263
+func formatPlatform(platform *specs.Platform) string {
+	if platform == nil {
+		return ""
+	}
+	return path.Join(platform.OS, platform.Architecture, platform.Variant)
+}

vendor/github.com/docker/docker/client/request.go

@@ -150,10 +150,8 @@ func (cli *Client) doRequest(ctx context.Context, req *http.Request) (serverResp
 			if err.Timeout() {
 				return serverResp, ErrorConnectionFailed(cli.host)
 			}
-			if !err.Temporary() {
-				if strings.Contains(err.Error(), "connection refused") || strings.Contains(err.Error(), "dial unix") {
-					return serverResp, ErrorConnectionFailed(cli.host)
-				}
+			if strings.Contains(err.Error(), "connection refused") || strings.Contains(err.Error(), "dial unix") {
+				return serverResp, ErrorConnectionFailed(cli.host)
 			}
 		}
 
@@ -242,10 +240,8 @@ func (cli *Client) addHeaders(req *http.Request, headers headers) *http.Request
 		req.Header.Set(k, v)
 	}
 
-	if headers != nil {
-		for k, v := range headers {
-			req.Header[k] = v
-		}
+	for k, v := range headers {
+		req.Header[k] = v
 	}
 	return req
 }

vendor/github.com/docker/docker/errdefs/http_helpers.go

@@ -1,78 +1,11 @@
 package errdefs // import "github.com/docker/docker/errdefs"
 
 import (
-	"fmt"
 	"net/http"
 
-	containerderrors "github.com/containerd/containerd/errdefs"
-	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
-// GetHTTPErrorStatusCode retrieves status code from error message.
-func GetHTTPErrorStatusCode(err error) int {
-	if err == nil {
-		logrus.WithFields(logrus.Fields{"error": err}).Error("unexpected HTTP error handling")
-		return http.StatusInternalServerError
-	}
-
-	var statusCode int
-
-	// Stop right there
-	// Are you sure you should be adding a new error class here? Do one of the existing ones work?
-
-	// Note that the below functions are already checking the error causal chain for matches.
-	switch {
-	case IsNotFound(err):
-		statusCode = http.StatusNotFound
-	case IsInvalidParameter(err):
-		statusCode = http.StatusBadRequest
-	case IsConflict(err):
-		statusCode = http.StatusConflict
-	case IsUnauthorized(err):
-		statusCode = http.StatusUnauthorized
-	case IsUnavailable(err):
-		statusCode = http.StatusServiceUnavailable
-	case IsForbidden(err):
-		statusCode = http.StatusForbidden
-	case IsNotModified(err):
-		statusCode = http.StatusNotModified
-	case IsNotImplemented(err):
-		statusCode = http.StatusNotImplemented
-	case IsSystem(err) || IsUnknown(err) || IsDataLoss(err) || IsDeadline(err) || IsCancelled(err):
-		statusCode = http.StatusInternalServerError
-	default:
-		statusCode = statusCodeFromGRPCError(err)
-		if statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		statusCode = statusCodeFromContainerdError(err)
-		if statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		statusCode = statusCodeFromDistributionError(err)
-		if statusCode != http.StatusInternalServerError {
-			return statusCode
-		}
-		if e, ok := err.(causer); ok {
-			return GetHTTPErrorStatusCode(e.Cause())
-		}
-
-		logrus.WithFields(logrus.Fields{
-			"module":     "api",
-			"error_type": fmt.Sprintf("%T", err),
-		}).Debugf("FIXME: Got an API for which error does not match any expected type!!!: %+v", err)
-	}
-
-	if statusCode == 0 {
-		statusCode = http.StatusInternalServerError
-	}
-
-	return statusCode
-}
-
 // FromStatusCode creates an errdef error, based on the provided HTTP status-code
 func FromStatusCode(err error, statusCode int) error {
 	if err == nil {
@@ -100,10 +33,10 @@ func FromStatusCode(err error, statusCode int) error {
 			err = System(err)
 		}
 	default:
-		logrus.WithFields(logrus.Fields{
+		logrus.WithError(err).WithFields(logrus.Fields{
 			"module":      "api",
-			"status_code": fmt.Sprintf("%d", statusCode),
-		}).Debugf("FIXME: Got an status-code for which error does not match any expected type!!!: %d", statusCode)
+			"status_code": statusCode,
+		}).Debug("FIXME: Got an status-code for which error does not match any expected type!!!")
 
 		switch {
 		case statusCode >= 200 && statusCode < 400:
@@ -118,74 +51,3 @@ func FromStatusCode(err error, statusCode int) error {
 	}
 	return err
 }
-
-// statusCodeFromGRPCError returns status code according to gRPC error
-func statusCodeFromGRPCError(err error) int {
-	switch status.Code(err) {
-	case codes.InvalidArgument: // code 3
-		return http.StatusBadRequest
-	case codes.NotFound: // code 5
-		return http.StatusNotFound
-	case codes.AlreadyExists: // code 6
-		return http.StatusConflict
-	case codes.PermissionDenied: // code 7
-		return http.StatusForbidden
-	case codes.FailedPrecondition: // code 9
-		return http.StatusBadRequest
-	case codes.Unauthenticated: // code 16
-		return http.StatusUnauthorized
-	case codes.OutOfRange: // code 11
-		return http.StatusBadRequest
-	case codes.Unimplemented: // code 12
-		return http.StatusNotImplemented
-	case codes.Unavailable: // code 14
-		return http.StatusServiceUnavailable
-	default:
-		// codes.Canceled(1)
-		// codes.Unknown(2)
-		// codes.DeadlineExceeded(4)
-		// codes.ResourceExhausted(8)
-		// codes.Aborted(10)
-		// codes.Internal(13)
-		// codes.DataLoss(15)
-		return http.StatusInternalServerError
-	}
-}
-
-// statusCodeFromDistributionError returns status code according to registry errcode
-// code is loosely based on errcode.ServeJSON() in docker/distribution
-func statusCodeFromDistributionError(err error) int {
-	switch errs := err.(type) {
-	case errcode.Errors:
-		if len(errs) < 1 {
-			return http.StatusInternalServerError
-		}
-		if _, ok := errs[0].(errcode.ErrorCoder); ok {
-			return statusCodeFromDistributionError(errs[0])
-		}
-	case errcode.ErrorCoder:
-		return errs.ErrorCode().Descriptor().HTTPStatusCode
-	}
-	return http.StatusInternalServerError
-}
-
-// statusCodeFromContainerdError returns status code for containerd errors when
-// consumed directly (not through gRPC)
-func statusCodeFromContainerdError(err error) int {
-	switch {
-	case containerderrors.IsInvalidArgument(err):
-		return http.StatusBadRequest
-	case containerderrors.IsNotFound(err):
-		return http.StatusNotFound
-	case containerderrors.IsAlreadyExists(err):
-		return http.StatusConflict
-	case containerderrors.IsFailedPrecondition(err):
-		return http.StatusPreconditionFailed
-	case containerderrors.IsUnavailable(err):
-		return http.StatusServiceUnavailable
-	case containerderrors.IsNotImplemented(err):
-		return http.StatusNotImplemented
-	default:
-		return http.StatusInternalServerError
-	}
-}

vendor/github.com/docker/docker/pkg/archive/archive_other.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package archive // import "github.com/docker/docker/pkg/archive"

vendor/github.com/docker/docker/pkg/archive/archive_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package archive // import "github.com/docker/docker/pkg/archive"
@@ -51,8 +52,8 @@ func setHeaderForSpecialDevice(hdr *tar.Header, name string, stat interface{}) (
 		// Currently go does not fill in the major/minors
 		if s.Mode&unix.S_IFBLK != 0 ||
 			s.Mode&unix.S_IFCHR != 0 {
-			hdr.Devmajor = int64(unix.Major(uint64(s.Rdev))) // nolint: unconvert
-			hdr.Devminor = int64(unix.Minor(uint64(s.Rdev))) // nolint: unconvert
+			hdr.Devmajor = int64(unix.Major(uint64(s.Rdev))) //nolint: unconvert
+			hdr.Devminor = int64(unix.Minor(uint64(s.Rdev))) //nolint: unconvert
 		}
 	}
 

vendor/github.com/docker/docker/pkg/archive/changes_other.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package archive // import "github.com/docker/docker/pkg/archive"

vendor/github.com/docker/docker/pkg/archive/changes_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package archive // import "github.com/docker/docker/pkg/archive"

vendor/github.com/docker/docker/pkg/archive/copy.go

@@ -354,6 +354,16 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
 				return
 			}
 
+			// Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
+			// and https://cure53.de/pentest-report_opa.pdf, which recommends to
+			// replace io.Copy with io.CopyN7. The latter allows to specify the
+			// maximum number of bytes that should be read. By properly defining
+			// the limit, it can be assured that a GZip compression bomb cannot
+			// easily cause a Denial-of-Service.
+			// After reviewing with @tonistiigi and @cpuguy83, this should not
+			// affect us, because here we do not read into memory, hence should
+			// not be vulnerable to this code consuming memory.
+			//nolint:gosec // G110: Potential DoS vulnerability via decompression bomb (gosec)
 			if _, err = io.Copy(rebasedTar, srcTar); err != nil {
 				w.CloseWithError(err)
 				return

vendor/github.com/docker/docker/pkg/archive/copy_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package archive // import "github.com/docker/docker/pkg/archive"

vendor/github.com/docker/docker/pkg/archive/time_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package archive // import "github.com/docker/docker/pkg/archive"

vendor/github.com/docker/docker/pkg/fileutils/fileutils_unix.go

@@ -1,3 +1,4 @@
+//go:build linux || freebsd
 // +build linux freebsd
 
 package fileutils // import "github.com/docker/docker/pkg/fileutils"

vendor/github.com/docker/docker/pkg/homedir/homedir_others.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package homedir // import "github.com/docker/docker/pkg/homedir"

vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package homedir // import "github.com/docker/docker/pkg/homedir"

vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package idtools // import "github.com/docker/docker/pkg/idtools"

vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package idtools // import "github.com/docker/docker/pkg/idtools"

vendor/github.com/docker/docker/pkg/idtools/utils_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package idtools // import "github.com/docker/docker/pkg/idtools"

vendor/github.com/docker/docker/pkg/ioutils/temp_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package ioutils // import "github.com/docker/docker/pkg/ioutils"

vendor/github.com/docker/docker/pkg/signal/signal_linux.go

@@ -1,3 +1,4 @@
+//go:build !mips && !mipsle && !mips64 && !mips64le
 // +build !mips,!mipsle,!mips64,!mips64le
 
 package signal // import "github.com/docker/docker/pkg/signal"

vendor/github.com/docker/docker/pkg/signal/signal_linux_mipsx.go

@@ -1,3 +1,4 @@
+//go:build linux && (mips || mipsle || mips64 || mips64le)
 // +build linux
 // +build mips mipsle mips64 mips64le
 

vendor/github.com/docker/docker/pkg/signal/signal_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package signal // import "github.com/docker/docker/pkg/signal"

vendor/github.com/docker/docker/pkg/signal/signal_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !linux && !darwin && !freebsd && !windows
 // +build !linux,!darwin,!freebsd,!windows
 
 package signal // import "github.com/docker/docker/pkg/signal"

vendor/github.com/docker/docker/pkg/system/chtimes_nowindows.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package system // import "github.com/docker/docker/pkg/system"

vendor/github.com/docker/docker/pkg/system/filesys_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package system // import "github.com/docker/docker/pkg/system"

vendor/github.com/docker/docker/pkg/system/lcow.go

@@ -1,3 +1,4 @@
+//go:build windows && !no_lcow
 // +build windows,!no_lcow
 
 package system // import "github.com/docker/docker/pkg/system"

vendor/github.com/docker/docker/pkg/system/lcow_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !windows || (windows && no_lcow)
 // +build !windows windows,no_lcow
 
 package system // import "github.com/docker/docker/pkg/system"

vendor/github.com/docker/docker/pkg/system/lstat_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package system // import "github.com/docker/docker/pkg/system"

vendor/github.com/docker/docker/pkg/system/meminfo_unsupported.go

@@ -1,3 +1,4 @@
+//go:build !linux && !windows
 // +build !linux,!windows
 
 package system // import "github.com/docker/docker/pkg/system"