Merge pull request #4233 from thaJeztah/23.0_update_engine

[23.0] vendor: github.com/docker/docker v23.0.4
Merge pull request #4232 from thaJeztah/23.0_backport_docs_fixes
2023-04-26 16:46:06 +02:00 · 2023-04-26 16:44:30 +02:00 · 2023-04-26 16:13:12 +02:00 · 2023-04-26 15:39:17 +02:00 · 2023-04-26 13:00:58 +02:00 · 2023-04-26 13:00:27 +02:00
126 changed files with 1973 additions and 925 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -9,20 +9,41 @@ on:
  push:
    branches:
      - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
    tags:
      - 'v*'
  pull_request:

 jobs:
+  prepare:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
+        run: |
+          echo "matrix=$(docker buildx bake cross --print | jq -cr '.target."cross".platforms')" >>${GITHUB_OUTPUT}
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
  build:
    runs-on: ubuntu-20.04
+    needs:
+      - prepare
    strategy:
      fail-fast: false
      matrix:
        target:
-          - cross
-          - dynbinary-cross
+          - binary
+          - dynbinary
+        platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
        use_glibc:
          - ""
          - glibc
@ -36,22 +57,22 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
-        name: Run ${{ matrix.target }}
-        uses: docker/bake-action@v2
+        name: Build
+        uses: docker/bake-action@v3
        with:
          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platform }}
        env:
          USE_GLIBC: ${{ matrix.use_glibc }}
      -
-        name: Flatten artifacts
+        name: Create tarball
        working-directory: ./build
        run: |
-          for dir in */; do
-            base=$(basename "$dir")
-            echo "Creating ${base}.tar.gz ..."
-            tar -cvzf "${base}.tar.gz" "$dir"
-            rm -rf "$dir"
-          done
+          mkdir /tmp/out
+          platform=${{ matrix.platform }}
+          platformPair=${platform//\//-}
+          tar -cvzf "/tmp/out/docker-${platformPair}.tar.gz" .
          if [ -z "${{ matrix.use_glibc }}" ]; then
            echo "ARTIFACT_NAME=${{ matrix.target }}" >> $GITHUB_ENV
          else
@ -62,11 +83,35 @@ jobs:
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.ARTIFACT_NAME }}
-          path: ./build/*
+          path: /tmp/out/*
          if-no-files-found: error

+  prepare-plugins:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
+        run: |
+          echo "matrix=$(docker buildx bake plugins-cross --print | jq -cr '.target."plugins-cross".platforms')" >>${GITHUB_OUTPUT}
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
  plugins:
    runs-on: ubuntu-20.04
+    needs:
+      - prepare-plugins
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.prepare-plugins.outputs.matrix) }}
    steps:
      -
        name: Checkout
@ -75,7 +120,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
-        name: Build plugins
-        uses: docker/bake-action@v2
+        name: Build
+        uses: docker/bake-action@v3
        with:
          targets: plugins-cross
+          set: |
+            *.platform=${{ matrix.platform }}
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -9,7 +9,7 @@ on:
  push:
    branches:
      - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
    tags:
      - 'v*'
  pull_request:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -9,7 +9,7 @@ on:
  push:
    branches:
      - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
    tags:
      - 'v*'
  pull_request:
@ -26,7 +26,7 @@ jobs:
        uses: docker/setup-buildx-action@v2
      -
        name: Test
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
        with:
          targets: test-coverage
      -
@ -63,7 +63,7 @@ jobs:
        name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: 1.19.4
+          go-version: 1.19.8
      -
        name: Test
        run: |
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@ -9,7 +9,7 @@ on:
  push:
    branches:
      - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
    tags:
      - 'v*'
  pull_request:
@ -29,14 +29,33 @@ jobs:
      -
        name: Checkout
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
      -
        name: Run
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
        with:
          targets: ${{ matrix.target }}

+  # check that the generated Markdown and the checked-in files match
+  validate-md:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Generate
+        shell: 'script --return --quiet --command "bash {0}"'
+        run: |
+          make -f docker.Makefile mddocs
+      -
+        name: Validate
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'fail: generated files do not match checked-in files'
+            git --no-pager diff
+            exit 1
+          fi
+
  validate-make:
    runs-on: ubuntu-20.04
    strategy:
@ -49,8 +68,6 @@ jobs:
      -
        name: Checkout
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
      -
        name: Run
        shell: 'script --return --quiet --command "bash {0}"'
--- a/4
+++ b/4
@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1

 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.1
 ARG GOVERSIONINFO_VERSION=v1.3.0
 ARG GOTESTSUM_VERSION=v1.8.2
-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

--- a/cli-plugins/manager/candidate_test.go
+++ b/cli-plugins/manager/candidate_test.go
@ -74,7 +74,7 @@ func TestValidateCandidate(t *testing.T) {
 		{name: "experimental + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental}},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			p, err := newPlugin(tc.c, fakeroot)
+			p, err := newPlugin(tc.c, fakeroot.Commands())
 			if tc.err != "" {
 				assert.ErrorContains(t, err, tc.err)
 			} else if tc.invalid != "" {
--- a/cli-plugins/manager/cobra.go
+++ b/cli-plugins/manager/cobra.go
@ -3,6 +3,7 @@ package manager
 import (
 	"fmt"
 	"os"
+	"sync"

 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
@ -31,64 +32,69 @@ const (
 	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
 )

+var pluginCommandStubsOnce sync.Once
+
 // AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
 // plugin. The command stubs will have several annotations added, see
 // `CommandAnnotationPlugin*`.
-func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) error {
-	plugins, err := ListPlugins(dockerCli, rootCmd)
-	if err != nil {
-		return err
-	}
-	for _, p := range plugins {
-		p := p
-		vendor := p.Vendor
-		if vendor == "" {
-			vendor = "unknown"
+func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err error) {
+	pluginCommandStubsOnce.Do(func() {
+		var plugins []Plugin
+		plugins, err = ListPlugins(dockerCli, rootCmd)
+		if err != nil {
+			return
 		}
-		annotations := map[string]string{
-			CommandAnnotationPlugin:        "true",
-			CommandAnnotationPluginVendor:  vendor,
-			CommandAnnotationPluginVersion: p.Version,
-		}
-		if p.Err != nil {
-			annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
-		}
-		rootCmd.AddCommand(&cobra.Command{
-			Use:                p.Name,
-			Short:              p.ShortDescription,
-			Run:                func(_ *cobra.Command, _ []string) {},
-			Annotations:        annotations,
-			DisableFlagParsing: true,
-			RunE: func(cmd *cobra.Command, args []string) error {
-				flags := rootCmd.PersistentFlags()
-				flags.SetOutput(nil)
-				err := flags.Parse(args)
-				if err != nil {
-					return err
-				}
-				if flags.Changed("help") {
-					cmd.HelpFunc()(rootCmd, args)
-					return nil
-				}
-				return fmt.Errorf("docker: '%s' is not a docker command.\nSee 'docker --help'", cmd.Name())
-			},
-			ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-				// Delegate completion to plugin
-				cargs := []string{p.Path, cobra.ShellCompRequestCmd, p.Name}
-				cargs = append(cargs, args...)
-				cargs = append(cargs, toComplete)
-				os.Args = cargs
-				runCommand, err := PluginRunCommand(dockerCli, p.Name, cmd)
-				if err != nil {
+		for _, p := range plugins {
+			p := p
+			vendor := p.Vendor
+			if vendor == "" {
+				vendor = "unknown"
+			}
+			annotations := map[string]string{
+				CommandAnnotationPlugin:        "true",
+				CommandAnnotationPluginVendor:  vendor,
+				CommandAnnotationPluginVersion: p.Version,
+			}
+			if p.Err != nil {
+				annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+			}
+			rootCmd.AddCommand(&cobra.Command{
+				Use:                p.Name,
+				Short:              p.ShortDescription,
+				Run:                func(_ *cobra.Command, _ []string) {},
+				Annotations:        annotations,
+				DisableFlagParsing: true,
+				RunE: func(cmd *cobra.Command, args []string) error {
+					flags := rootCmd.PersistentFlags()
+					flags.SetOutput(nil)
+					perr := flags.Parse(args)
+					if perr != nil {
+						return err
+					}
+					if flags.Changed("help") {
+						cmd.HelpFunc()(rootCmd, args)
+						return nil
+					}
+					return fmt.Errorf("docker: '%s' is not a docker command.\nSee 'docker --help'", cmd.Name())
+				},
+				ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+					// Delegate completion to plugin
+					cargs := []string{p.Path, cobra.ShellCompRequestCmd, p.Name}
+					cargs = append(cargs, args...)
+					cargs = append(cargs, toComplete)
+					os.Args = cargs
+					runCommand, runErr := PluginRunCommand(dockerCli, p.Name, cmd)
+					if runErr != nil {
+						return nil, cobra.ShellCompDirectiveError
+					}
+					runErr = runCommand.Run()
+					if runErr == nil {
+						os.Exit(0) // plugin already rendered complete data
+					}
 					return nil, cobra.ShellCompDirectiveError
-				}
-				err = runCommand.Run()
-				if err == nil {
-					os.Exit(0) // plugin already rendered complete data
-				}
-				return nil, cobra.ShellCompDirectiveError
-			},
-		})
-	}
-	return nil
+				},
+			})
+		}
+	})
+	return err
 }
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -1,15 +1,18 @@
 package manager

 import (
+	"context"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
+	"sync"

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
 	exec "golang.org/x/sys/execabs"
 )

@ -120,7 +123,7 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 			return nil, errPluginNotFound(name)
 		}
 		c := &candidate{paths[0]}
-		p, err := newPlugin(c, rootcmd)
+		p, err := newPlugin(c, rootcmd.Commands())
 		if err != nil {
 			return nil, err
 		}
@ -146,19 +149,32 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 	}

 	var plugins []Plugin
+	var mu sync.Mutex
+	eg, _ := errgroup.WithContext(context.TODO())
+	cmds := rootcmd.Commands()
 	for _, paths := range candidates {
-		if len(paths) == 0 {
-			continue
-		}
-		c := &candidate{paths[0]}
-		p, err := newPlugin(c, rootcmd)
-		if err != nil {
-			return nil, err
-		}
-		if !IsNotFound(p.Err) {
-			p.ShadowedPaths = paths[1:]
-			plugins = append(plugins, p)
-		}
+		func(paths []string) {
+			eg.Go(func() error {
+				if len(paths) == 0 {
+					return nil
+				}
+				c := &candidate{paths[0]}
+				p, err := newPlugin(c, cmds)
+				if err != nil {
+					return err
+				}
+				if !IsNotFound(p.Err) {
+					p.ShadowedPaths = paths[1:]
+					mu.Lock()
+					defer mu.Unlock()
+					plugins = append(plugins, p)
+				}
+				return nil
+			})
+		}(paths)
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
 	}

 	sort.Slice(plugins, func(i, j int) bool {
@ -199,7 +215,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		}

 		c := &candidate{path: path}
-		plugin, err := newPlugin(c, rootcmd)
+		plugin, err := newPlugin(c, rootcmd.Commands())
 		if err != nil {
 			return nil, err
 		}
--- a/cli-plugins/manager/plugin.go
+++ b/cli-plugins/manager/plugin.go
@ -31,7 +31,7 @@ type Plugin struct {
 // is set, and is always a `pluginError`, but the `Plugin` is still
 // returned with no error. An error is only returned due to a
 // non-recoverable error.
-func newPlugin(c Candidate, rootcmd *cobra.Command) (Plugin, error) {
+func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 	path := c.Path()
 	if path == "" {
 		return Plugin{}, errors.New("plugin candidate path cannot be empty")
@ -62,22 +62,20 @@ func newPlugin(c Candidate, rootcmd *cobra.Command) (Plugin, error) {
 		return p, nil
 	}

-	if rootcmd != nil {
-		for _, cmd := range rootcmd.Commands() {
-			// Ignore conflicts with commands which are
-			// just plugin stubs (i.e. from a previous
-			// call to AddPluginCommandStubs).
-			if IsPluginCommand(cmd) {
-				continue
-			}
-			if cmd.Name() == p.Name {
-				p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
-				return p, nil
-			}
-			if cmd.HasAlias(p.Name) {
-				p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
-				return p, nil
-			}
+	for _, cmd := range cmds {
+		// Ignore conflicts with commands which are
+		// just plugin stubs (i.e. from a previous
+		// call to AddPluginCommandStubs).
+		if IsPluginCommand(cmd) {
+			continue
+		}
+		if cmd.Name() == p.Name {
+			p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
+			return p, nil
+		}
+		if cmd.HasAlias(p.Name) {
+			p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
+			return p, nil
 		}
 	}

--- a/cli/cobra.go
+++ b/cli/cobra.go
@ -204,6 +204,16 @@ func DisableFlagsInUseLine(cmd *cobra.Command) {
 	})
 }

+// HasCompletionArg returns true if a cobra completion arg request is found.
+func HasCompletionArg(args []string) bool {
+	for _, arg := range args {
+		if arg == cobra.ShellCompRequestCmd || arg == cobra.ShellCompNoDescRequestCmd {
+			return true
+		}
+	}
+	return false
+}
+
 var helpCommand = &cobra.Command{
 	Use:               "help [command]",
 	Short:             "Help about the command",
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@ -164,8 +164,8 @@ func (cli *DockerCli) ContentTrustEnabled() bool {

 // BuildKitEnabled returns buildkit is enabled or not.
 func (cli *DockerCli) BuildKitEnabled() (bool, error) {
-	// use DOCKER_BUILDKIT env var value if set
-	if v, ok := os.LookupEnv("DOCKER_BUILDKIT"); ok {
+	// use DOCKER_BUILDKIT env var value if set and not empty
+	if v := os.Getenv("DOCKER_BUILDKIT"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
--- a/cli/command/container/cp.go
+++ b/cli/command/container/cp.go
@ -1,15 +1,20 @@
 package container

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
+	"time"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/system"
@ -48,26 +53,73 @@ type cpConfig struct {
 // copying files to/from a container.
 type copyProgressPrinter struct {
 	io.ReadCloser
-	toContainer bool
-	total       *float64
-	writer      io.Writer
+	total *int64
 }

+const (
+	copyToContainerHeader       = "Copying to container - "
+	copyFromContainerHeader     = "Copying from container - "
+	copyProgressUpdateThreshold = 75 * time.Millisecond
+)
+
 func (pt *copyProgressPrinter) Read(p []byte) (int, error) {
 	n, err := pt.ReadCloser.Read(p)
-	*pt.total += float64(n)
+	atomic.AddInt64(pt.total, int64(n))
+	return n, err
+}

-	if err == nil {
-		fmt.Fprint(pt.writer, aec.Restore)
-		fmt.Fprint(pt.writer, aec.EraseLine(aec.EraseModes.All))
-		if pt.toContainer {
-			fmt.Fprintln(pt.writer, "Copying to container - "+units.HumanSize(*pt.total))
-		} else {
-			fmt.Fprintln(pt.writer, "Copying from container - "+units.HumanSize(*pt.total))
-		}
+func copyProgress(ctx context.Context, dst io.Writer, header string, total *int64) (func(), <-chan struct{}) {
+	done := make(chan struct{})
+	if !streams.NewOut(dst).IsTerminal() {
+		close(done)
+		return func() {}, done
 	}

-	return n, err
+	fmt.Fprint(dst, aec.Save)
+	fmt.Fprint(dst, "Preparing to copy...")
+
+	restore := func() {
+		fmt.Fprint(dst, aec.Restore)
+		fmt.Fprint(dst, aec.EraseLine(aec.EraseModes.All))
+	}
+
+	go func() {
+		defer close(done)
+		fmt.Fprint(dst, aec.Hide)
+		defer fmt.Fprint(dst, aec.Show)
+
+		fmt.Fprint(dst, aec.Restore)
+		fmt.Fprint(dst, aec.EraseLine(aec.EraseModes.All))
+		fmt.Fprint(dst, header)
+
+		var last int64
+		fmt.Fprint(dst, progressHumanSize(last))
+
+		buf := bytes.NewBuffer(nil)
+		ticker := time.NewTicker(copyProgressUpdateThreshold)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				n := atomic.LoadInt64(total)
+				if n == last {
+					// Don't write to the terminal, if we don't need to.
+					continue
+				}
+
+				// Write to the buffer first to avoid flickering and context switching
+				fmt.Fprint(buf, aec.Column(uint(len(header)+1)))
+				fmt.Fprint(buf, aec.EraseLine(aec.EraseModes.Tail))
+				fmt.Fprint(buf, progressHumanSize(n))
+
+				buf.WriteTo(dst)
+				buf.Reset()
+				last += n
+			}
+		}
+	}()
+	return restore, done
 }

 // NewCopyCommand creates a new `docker cp` command
@ -113,6 +165,10 @@ func NewCopyCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

+func progressHumanSize(n int64) string {
+	return units.HumanSizeWithPrecision(float64(n), 3)
+}
+
 func runCopy(dockerCli command.Cli, opts copyOptions) error {
 	srcContainer, srcPath := splitCpArg(opts.source)
 	destContainer, destPath := splitCpArg(opts.destination)
@ -193,6 +249,9 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp

 	}

+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer cancel()
+
 	content, stat, err := client.CopyFromContainer(ctx, copyConfig.container, srcPath)
 	if err != nil {
 		return err
@ -211,13 +270,11 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		RebaseName: rebaseName,
 	}

-	var copiedSize float64
+	var copiedSize int64
 	if !copyConfig.quiet {
 		content = &copyProgressPrinter{
-			ReadCloser:  content,
-			toContainer: false,
-			writer:      dockerCli.Err(),
-			total:       &copiedSize,
+			ReadCloser: content,
+			total:      &copiedSize,
 		}
 	}

@ -231,12 +288,12 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		return archive.CopyTo(preArchive, srcInfo, dstPath)
 	}

-	fmt.Fprint(dockerCli.Err(), aec.Save)
-	fmt.Fprintln(dockerCli.Err(), "Preparing to copy...")
+	restore, done := copyProgress(ctx, dockerCli.Err(), copyFromContainerHeader, &copiedSize)
 	res := archive.CopyTo(preArchive, srcInfo, dstPath)
-	fmt.Fprint(dockerCli.Err(), aec.Restore)
-	fmt.Fprint(dockerCli.Err(), aec.EraseLine(aec.EraseModes.All))
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", units.HumanSize(copiedSize), "to", dstPath)
+	cancel()
+	<-done
+	restore()
+	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", dstPath)

 	return res
 }
@ -293,7 +350,7 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 	var (
 		content         io.ReadCloser
 		resolvedDstPath string
-		copiedSize      float64
+		copiedSize      int64
 	)

 	if srcPath == "-" {
@ -337,10 +394,8 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		content = preparedArchive
 		if !copyConfig.quiet {
 			content = &copyProgressPrinter{
-				ReadCloser:  content,
-				toContainer: true,
-				writer:      dockerCli.Err(),
-				total:       &copiedSize,
+				ReadCloser: content,
+				total:      &copiedSize,
 			}
 		}
 	}
@ -354,12 +409,13 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		return client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
 	}

-	fmt.Fprint(dockerCli.Err(), aec.Save)
-	fmt.Fprintln(dockerCli.Err(), "Preparing to copy...")
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	restore, done := copyProgress(ctx, dockerCli.Err(), copyToContainerHeader, &copiedSize)
 	res := client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
-	fmt.Fprint(dockerCli.Err(), aec.Restore)
-	fmt.Fprint(dockerCli.Err(), aec.EraseLine(aec.EraseModes.All))
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", units.HumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
+	cancel()
+	<-done
+	restore()
+	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)

 	return res
 }
--- a/cli/command/container/list.go
+++ b/cli/command/container/list.go
@ -17,14 +17,15 @@ import (
 )

 type psOptions struct {
-	quiet   bool
-	size    bool
-	all     bool
-	noTrunc bool
-	nLatest bool
-	last    int
-	format  string
-	filter  opts.FilterOpt
+	quiet       bool
+	size        bool
+	sizeChanged bool
+	all         bool
+	noTrunc     bool
+	nLatest     bool
+	last        int
+	format      string
+	filter      opts.FilterOpt
 }

 // NewPsCommand creates a new cobra.Command for `docker ps`
@ -36,6 +37,7 @@ func NewPsCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "List containers",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.sizeChanged = cmd.Flags().Changed("size")
 			return runPs(dockerCli, &options)
 		},
 		Annotations: map[string]string{
@ -78,13 +80,8 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 		options.Limit = 1
 	}

-	if !opts.quiet && !options.Size && len(opts.format) > 0 {
-		// The --size option isn't set, but .Size may be used in the template.
-		// Parse and execute the given template to detect if the .Size field is
-		// used. If it is, then automatically enable the --size option. See #24696
-		//
-		// Only requesting container size information when needed is an optimization,
-		// because calculating the size is a costly operation.
+	// always validate template when `--format` is used, for consistency
+	if len(opts.format) > 0 {
 		tmpl, err := templates.NewParse("", opts.format)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to parse template")
@ -98,8 +95,19 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 			return nil, errors.Wrap(err, "failed to execute template")
 		}

-		if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
-			options.Size = true
+		// if `size` was not explicitly set to false (with `--size=false`)
+		// and `--quiet` is not set, request size if the template requires it
+		if !opts.quiet && !options.Size && !opts.sizeChanged {
+			// The --size option isn't set, but .Size may be used in the template.
+			// Parse and execute the given template to detect if the .Size field is
+			// used. If it is, then automatically enable the --size option. See #24696
+			//
+			// Only requesting container size information when needed is an optimization,
+			// because calculating the size is a costly operation.
+
+			if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
+				options.Size = true
+			}
 		}
 	}

--- a/cli/command/container/list_test.go
+++ b/cli/command/container/list_test.go
@ -231,15 +231,56 @@ func TestContainerListFormatTemplateWithArg(t *testing.T) {
 }

 func TestContainerListFormatSizeSetsOption(t *testing.T) {
-	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
-			assert.Check(t, options.Size)
-			return []types.Container{}, nil
+	tests := []struct {
+		doc, format, sizeFlag string
+		sizeExpected          bool
+	}{
+		{
+			doc:          "detect with all fields",
+			format:       `{{json .}}`,
+			sizeExpected: true,
 		},
-	})
-	cmd := newListCommand(cli)
-	cmd.Flags().Set("format", `{{.Size}}`)
-	assert.NilError(t, cmd.Execute())
+		{
+			doc:          "detect with explicit field",
+			format:       `{{.Size}}`,
+			sizeExpected: true,
+		},
+		{
+			doc:          "detect no size",
+			format:       `{{.Names}}`,
+			sizeExpected: false,
+		},
+		{
+			doc:          "override enable",
+			format:       `{{.Names}}`,
+			sizeFlag:     "true",
+			sizeExpected: true,
+		},
+		{
+			doc:          "override disable",
+			format:       `{{.Size}}`,
+			sizeFlag:     "false",
+			sizeExpected: false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
+					assert.Check(t, is.Equal(options.Size, tc.sizeExpected))
+					return []types.Container{}, nil
+				},
+			})
+			cmd := newListCommand(cli)
+			cmd.Flags().Set("format", tc.format)
+			if tc.sizeFlag != "" {
+				cmd.Flags().Set("size", tc.sizeFlag)
+			}
+			assert.NilError(t, cmd.Execute())
+		})
+	}
 }

 func TestContainerListWithConfigFormat(t *testing.T) {
--- a/cli/command/container/run.go
+++ b/cli/command/container/run.go
@ -308,7 +308,8 @@ func runStartContainerErr(err error) error {
 		strings.Contains(trimmedErr, "no such file or directory") ||
 		strings.Contains(trimmedErr, "system cannot find the file specified") {
 		statusError = cli.StatusError{StatusCode: 127}
-	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) {
+	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) ||
+		strings.Contains(trimmedErr, syscall.EISDIR.Error()) {
 		statusError = cli.StatusError{StatusCode: 126}
 	}

--- a/cli/command/formatter/formatter.go
+++ b/cli/command/formatter/formatter.go
@ -19,7 +19,7 @@ const (
 	JSONFormatKey   = "json"

 	DefaultQuietFormat = "{{.ID}}"
-	jsonFormat         = "{{json .}}"
+	JSONFormat         = "{{json .}}"
 )

 // Format is the format string rendered using the Context
@ -62,7 +62,7 @@ func (c *Context) preFormat() {
 	case c.Format.IsTable():
 		c.finalFormat = c.finalFormat[len(TableFormatKey):]
 	case c.Format.IsJSON():
-		c.finalFormat = jsonFormat
+		c.finalFormat = JSONFormat
 	}

 	c.finalFormat = strings.Trim(c.finalFormat, " ")
--- a/cli/command/formatter/image.go
+++ b/cli/command/formatter/image.go
@ -27,6 +27,9 @@ type ImageContext struct {
 }

 func isDangling(image types.ImageSummary) bool {
+	if len(image.RepoTags) == 0 && len(image.RepoDigests) == 0 {
+		return true
+	}
 	return len(image.RepoTags) == 1 && image.RepoTags[0] == "<none>:<none>" && len(image.RepoDigests) == 1 && image.RepoDigests[0] == "<none>@<none>"
 }

--- a/cli/command/image/client_test.go
+++ b/cli/command/image/client_test.go
@ -91,7 +91,7 @@ func (cli *fakeClient) ImageList(ctx context.Context, options types.ImageListOpt
 	if cli.imageListFunc != nil {
 		return cli.imageListFunc(options)
 	}
-	return []types.ImageSummary{{}}, nil
+	return []types.ImageSummary{}, nil
 }

 func (cli *fakeClient) ImageInspectWithRaw(_ context.Context, image string) (types.ImageInspect, []byte, error) {
--- a/cli/command/image/list_test.go
+++ b/cli/command/image/list_test.go
@ -30,7 +30,7 @@ func TestNewImagesCommandErrors(t *testing.T) {
 			name:          "failed-list",
 			expectedError: "something went wrong",
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
-				return []types.ImageSummary{{}}, errors.Errorf("something went wrong")
+				return []types.ImageSummary{}, errors.Errorf("something went wrong")
 			},
 		},
 	}
@ -66,7 +66,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"image"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("image", options.Filters.Get("reference")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 		{
@ -74,7 +74,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"--filter", "name=value"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("value", options.Filters.Get("name")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 	}
--- a/cli/command/registry.go
+++ b/cli/command/registry.go
@ -21,8 +21,9 @@ import (
 	"github.com/pkg/errors"
 )

-// ElectAuthServer returns the default registry to use
-// Deprecated: use registry.IndexServer instead
+// ElectAuthServer returns the default registry to use.
+//
+// Deprecated: use [registry.IndexServer] instead.
 func ElectAuthServer(_ context.Context, _ Cli) string {
 	return registry.IndexServer
 }
@ -55,9 +56,12 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 	}
 }

-// ResolveAuthConfig is like registry.ResolveAuthConfig, but if using the
-// default index, it uses the default index name for the daemon's platform,
-// not the client's platform.
+// ResolveAuthConfig returns auth-config for the given registry from the
+// credential-store. It returns an empty AuthConfig if no credentials were
+// found.
+//
+// It is similar to [registry.ResolveAuthConfig], but uses the credentials-
+// store, instead of looking up credentials from a map.
 func ResolveAuthConfig(_ context.Context, cli Cli, index *registrytypes.IndexInfo) types.AuthConfig {
 	configKey := index.Name
 	if index.Official {
--- a/cli/command/registry_test.go
+++ b/cli/command/registry_test.go
@ -6,16 +6,13 @@ import (
 	"fmt"
 	"testing"

-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-
-	// Prevents a circular import with "github.com/docker/cli/internal/test"
-
-	. "github.com/docker/cli/cli/command"
+	. "github.com/docker/cli/cli/command" // Prevents a circular import with "github.com/docker/cli/internal/test"
 	configtypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 type fakeClient struct {
--- a/cli/command/stack/loader/loader.go
+++ b/cli/command/stack/loader/loader.go
@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
 	"strings"

@ -104,9 +105,22 @@ func GetConfigDetails(composefiles []string, stdin io.Reader) (composetypes.Conf
 func buildEnvironment(env []string) (map[string]string, error) {
 	result := make(map[string]string, len(env))
 	for _, s := range env {
+		if runtime.GOOS == "windows" && len(s) > 0 {
+			// cmd.exe can have special environment variables which names start with "=".
+			// They are only there for MS-DOS compatibility and we should ignore them.
+			// See TestBuildEnvironment for examples.
+			//
+			// https://ss64.com/nt/syntax-variables.html
+			// https://devblogs.microsoft.com/oldnewthing/20100506-00/?p=14133
+			// https://github.com/docker/cli/issues/4078
+			if s[0] == '=' {
+				continue
+			}
+		}
+
 		k, v, ok := strings.Cut(s, "=")
 		if !ok || k == "" {
-			return result, errors.Errorf("unexpected environment %q", s)
+			return result, errors.Errorf("unexpected environment variable '%s'", s)
 		}
 		// value may be set, but empty if "s" is like "K=", not "K".
 		result[k] = v
--- a/cli/command/stack/loader/loader_test.go
+++ b/cli/command/stack/loader/loader_test.go
@ -3,6 +3,7 @@ package loader
 import (
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"

@ -45,3 +46,34 @@ services:
 	assert.Check(t, is.Equal("3.0", details.ConfigFiles[0].Config["version"]))
 	assert.Check(t, is.Len(details.Environment, len(os.Environ())))
 }
+
+func TestBuildEnvironment(t *testing.T) {
+	inputEnv := []string{
+		"LEGIT_VAR=LEGIT_VALUE",
+		"EMPTY_VARIABLE=",
+	}
+
+	if runtime.GOOS == "windows" {
+		inputEnv = []string{
+			"LEGIT_VAR=LEGIT_VALUE",
+
+			// cmd.exe has some special environment variables which start with "=".
+			// These should be ignored as they're only there for MS-DOS compatibility.
+			"=ExitCode=00000041",
+			"=ExitCodeAscii=A",
+			`=C:=C:\some\dir`,
+			`=D:=D:\some\different\dir`,
+			`=X:=X:\`,
+			`=::=::\`,
+
+			"EMPTY_VARIABLE=",
+		}
+	}
+
+	env, err := buildEnvironment(inputEnv)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Len(env, 2))
+	assert.Check(t, is.Equal("LEGIT_VALUE", env["LEGIT_VAR"]))
+	assert.Check(t, is.Equal("", env["EMPTY_VARIABLE"]))
+}
--- a/cli/command/streams.go
+++ b/cli/command/streams.go
@ -1,23 +1,32 @@
 package command

 import (
+	"io"
+
 	"github.com/docker/cli/cli/streams"
 )

 // InStream is an input stream used by the DockerCli to read user input
-// Deprecated: Use github.com/docker/cli/cli/streams.In instead
+//
+// Deprecated: Use [streams.In] instead.
 type InStream = streams.In

 // OutStream is an output stream used by the DockerCli to write normal program
 // output.
-// Deprecated: Use github.com/docker/cli/cli/streams.Out instead
+//
+// Deprecated: Use [streams.Out] instead.
 type OutStream = streams.Out

-var (
-	// NewInStream returns a new InStream object from a ReadCloser
-	// Deprecated: Use github.com/docker/cli/cli/streams.NewIn instead
-	NewInStream = streams.NewIn
-	// NewOutStream returns a new OutStream object from a Writer
-	// Deprecated: Use github.com/docker/cli/cli/streams.NewOut instead
-	NewOutStream = streams.NewOut
-)
+// NewInStream returns a new [streams.In] from an [io.ReadCloser].
+//
+// Deprecated: Use [streams.NewIn] instead.
+func NewInStream(in io.ReadCloser) *streams.In {
+	return streams.NewIn(in)
+}
+
+// NewOutStream returns a new [streams.Out] from an [io.Writer].
+//
+// Deprecated: Use [streams.NewOut] instead.
+func NewOutStream(out io.Writer) *streams.Out {
+	return streams.NewOut(out)
+}
--- a/cli/command/system/info.go
+++ b/cli/command/system/info.go
@ -12,7 +12,9 @@ import (
 	pluginmanager "github.com/docker/cli/cli-plugins/manager"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/debug"
+	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
@ -62,10 +64,7 @@ func NewInfoCommand(dockerCli command.Cli) *cobra.Command {
 		ValidArgsFunction: completion.NoComplete,
 	}

-	flags := cmd.Flags()
-
-	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", flagsHelper.InspectFormatHelp)
 	return cmd
 }

@ -507,6 +506,10 @@ func printServerWarningsLegacy(dockerCli command.Cli, info types.Info) {
 }

 func formatInfo(dockerCli command.Cli, info info, format string) error {
+	if format == formatter.JSONFormatKey {
+		format = formatter.JSONFormat
+	}
+
 	// Ensure slice/array fields render as `[]` not `null`
 	if info.ClientInfo != nil && info.ClientInfo.Plugins == nil {
 		info.ClientInfo.Plugins = make([]pluginmanager.Plugin, 0)
--- a/cli/command/system/info_test.go
+++ b/cli/command/system/info_test.go
@ -396,6 +396,11 @@ func TestPrettyPrintInfo(t *testing.T) {
 				assert.NilError(t, formatInfo(cli, tc.dockerInfo, "{{json .}}"))
 				golden.Assert(t, cli.OutBuffer().String(), tc.jsonGolden+".json.golden")
 				assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+
+				cli = test.NewFakeCli(&fakeClient{})
+				assert.NilError(t, formatInfo(cli, tc.dockerInfo, "json"))
+				golden.Assert(t, cli.OutBuffer().String(), tc.jsonGolden+".json.golden")
+				assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
 			}
 		})
 	}
--- a/cli/command/system/testdata/docker-client-version.json.golden
+++ b/cli/command/system/testdata/docker-client-version.json.golden
@ -0,0 +1 @@
+{"Client":{"Platform":{"Name":""},"Version":"18.99.5-ce","ApiVersion":"1.38","DefaultAPIVersion":"1.38","GitCommit":"deadbeef","GoVersion":"go1.10.2","Os":"linux","Arch":"amd64","BuildTime":"Wed May 30 22:21:05 2018","Context":"my-context"},"Server":{"Platform":{"Name":"Docker Enterprise Edition (EE) 2.0"},"Components":[{"Name":"Engine","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul  9 23:38:38 2018","Experimental":"false","GitCommit":"64ddfa6","GoVersion":"go1.8.7","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"Universal Control Plane","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul  2 21:24:07 UTC 2018","GitCommit":"4513922","GoVersion":"go1.9.4","MinApiVersion":"1.20","Os":"linux","Version":"3.0.3-tp2"}},{"Name":"Kubernetes","Version":"1.8+","Details":{"buildDate":"2018-04-26T16:51:21Z","compiler":"gc","gitCommit":"8d637aedf46b9c21dde723e29c645b9f27106fa5","gitTreeState":"clean","gitVersion":"v1.8.11-docker-8d637ae","goVersion":"go1.8.3","major":"1","minor":"8+","platform":"linux/amd64"}},{"Name":"Calico","Version":"v3.0.8","Details":{"cni":"v2.0.6","kube-controllers":"v2.0.5","node":"v3.0.8"}}],"Version":"","ApiVersion":"","GitCommit":"","GoVersion":"","Os":"","Arch":""}}
--- a/cli/command/system/version.go
+++ b/cli/command/system/version.go
@ -11,7 +11,9 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/formatter/tabwriter"
+	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/cli/version"
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
@ -20,7 +22,7 @@ import (
 	"github.com/tonistiigi/go-rosetta"
 )

-var versionTemplate = `{{with .Client -}}
+const defaultVersionTemplate = `{{with .Client -}}
 Client:{{if ne .Platform.Name ""}} {{.Platform.Name}}{{end}}
 Version:	{{.Version}}
 API version:	{{.APIVersion}}{{if ne .APIVersion .DefaultAPIVersion}} (downgraded from {{.DefaultAPIVersion}}){{end}}
@ -101,9 +103,7 @@ func NewVersionCommand(dockerCli command.Cli) *cobra.Command {
 		ValidArgsFunction: completion.NoComplete,
 	}

-	flags := cmd.Flags()
-	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", flagsHelper.InspectFormatHelp)
 	return cmd
 }

@ -194,8 +194,11 @@ func prettyPrintVersion(dockerCli command.Cli, vd versionInfo, tmpl *template.Te
 }

 func newVersionTemplate(templateFormat string) (*template.Template, error) {
-	if templateFormat == "" {
-		templateFormat = versionTemplate
+	switch templateFormat {
+	case "":
+		templateFormat = defaultVersionTemplate
+	case formatter.JSONFormatKey:
+		templateFormat = formatter.JSONFormat
 	}
 	tmpl := templates.New("version").Funcs(template.FuncMap{"getDetailsOrder": getDetailsOrder})
 	tmpl, err := tmpl.Parse(templateFormat)
--- a/cli/command/system/version_test.go
+++ b/cli/command/system/version_test.go
@ -6,12 +6,11 @@ import (
 	"strings"
 	"testing"

+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
-
-	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 )

 func TestVersionWithoutServer(t *testing.T) {
@ -30,7 +29,7 @@ func TestVersionWithoutServer(t *testing.T) {
 	assert.Assert(t, !strings.Contains(out, "Server:"), "actual: %s", out)
 }

-func TestVersionAlign(t *testing.T) {
+func TestVersionFormat(t *testing.T) {
 	vi := versionInfo{
 		Client: clientVersion{
 			Version:           "18.99.5-ce",
@ -104,10 +103,28 @@ func TestVersionAlign(t *testing.T) {
 		},
 	})

-	cli := test.NewFakeCli(&fakeClient{})
-	tmpl, err := newVersionTemplate("")
-	assert.NilError(t, err)
-	assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
-	assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.golden"))
-	assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	t.Run("default", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
+	t.Run("json", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("json")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.json.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
+	t.Run("json template", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("{{json .}}")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.json.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
 }
--- a/cli/command/volume/create_test.go
+++ b/cli/command/volume/create_test.go
@ -50,6 +50,7 @@ func TestVolumeCreateErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }
--- a/cli/command/volume/inspect_test.go
+++ b/cli/command/volume/inspect_test.go
@ -62,6 +62,7 @@ func TestVolumeInspectErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }
--- a/cli/command/volume/list_test.go
+++ b/cli/command/volume/list_test.go
@ -43,6 +43,7 @@ func TestVolumeListErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }
--- a/cli/command/volume/prune.go
+++ b/cli/command/volume/prune.go
@ -8,11 +8,15 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type pruneOptions struct {
+	all    bool
 	force  bool
 	filter opts.FilterOpt
 }
@ -41,18 +45,37 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 	}

 	flags := cmd.Flags()
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused volumes, not just anonymous ones")
+	flags.SetAnnotation("all", "version", []string{"1.42"})
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g. "label=<label>")`)

 	return cmd
 }

-const warning = `WARNING! This will remove all local volumes not used by at least one container.
+const (
+	unusedVolumesWarning = `WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue?`
+	allVolumesWarning = `WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue?`
+)

 func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())

+	warning := unusedVolumesWarning
+	if versions.GreaterThanOrEqualTo(dockerCli.CurrentVersion(), "1.42") {
+		if options.all {
+			if pruneFilters.Contains("all") {
+				return 0, "", errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --all and --filter all=1"))
+			}
+			pruneFilters.Add("all", "true")
+			warning = allVolumesWarning
+		}
+	} else {
+		// API < v1.42 removes all volumes (anonymous and named) by default.
+		warning = allVolumesWarning
+	}
 	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
 		return 0, "", nil
 	}
--- a/cli/command/volume/prune_test.go
+++ b/cli/command/volume/prune_test.go
@ -13,22 +13,26 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
 	"gotest.tools/v3/skip"
 )

 func TestVolumePruneErrors(t *testing.T) {
 	testCases := []struct {
+		name            string
 		args            []string
 		flags           map[string]string
 		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
 		expectedError   string
 	}{
 		{
+			name:          "accepts no arguments",
 			args:          []string{"foo"},
 			expectedError: "accepts no argument",
 		},
 		{
+			name: "forced but other error",
 			flags: map[string]string{
 				"force": "true",
 			},
@ -37,19 +41,75 @@ func TestVolumePruneErrors(t *testing.T) {
 			},
 			expectedError: "error pruning volumes",
 		},
+		{
+			name: "conflicting options",
+			flags: map[string]string{
+				"all":    "true",
+				"filter": "all=1",
+			},
+			expectedError: "conflicting options: cannot specify both --all and --filter all=1",
+		},
 	}
 	for _, tc := range testCases {
-		cmd := NewPruneCommand(
-			test.NewFakeCli(&fakeClient{
-				volumePruneFunc: tc.volumePruneFunc,
-			}),
-		)
-		cmd.SetArgs(tc.args)
-		for key, value := range tc.flags {
-			cmd.Flags().Set(key, value)
-		}
-		cmd.SetOut(io.Discard)
-		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := NewPruneCommand(
+				test.NewFakeCli(&fakeClient{
+					volumePruneFunc: tc.volumePruneFunc,
+				}),
+			)
+			cmd.SetArgs(tc.args)
+			for key, value := range tc.flags {
+				cmd.Flags().Set(key, value)
+			}
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		})
+	}
+}
+
+func TestVolumePruneSuccess(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
+	}{
+		{
+			name: "all",
+			args: []string{"--all"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				assert.Check(t, is.Equal([]string{"true"}, pruneFilter.Get("all")))
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+		{
+			name: "all-forced",
+			args: []string{"--all", "--force"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+		{
+			name: "label-filter",
+			args: []string{"--filter", "label=foobar"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				assert.Check(t, is.Equal([]string{"foobar"}, pruneFilter.Get("label")))
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{volumePruneFunc: tc.volumePruneFunc})
+			cmd := NewPruneCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("volume-prune-success.%s.golden", tc.name))
+		})
 	}
 }

--- a/cli/command/volume/remove_test.go
+++ b/cli/command/volume/remove_test.go
@ -33,6 +33,7 @@ func TestVolumeRemoveErrors(t *testing.T) {
 			}))
 		cmd.SetArgs(tc.args)
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }
--- a/cli/command/volume/testdata/volume-prune-no.golden
+++ b/cli/command/volume/testdata/volume-prune-no.golden
@ -1,2 +1,2 @@
-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] Total reclaimed space: 0B
--- a/cli/command/volume/testdata/volume-prune-success.all-forced.golden
+++ b/cli/command/volume/testdata/volume-prune-success.all-forced.golden
@ -0,0 +1 @@
+Total reclaimed space: 0B
--- a/cli/command/volume/testdata/volume-prune-success.all.golden
+++ b/cli/command/volume/testdata/volume-prune-success.all.golden
@ -0,0 +1,2 @@
+WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B
--- a/cli/command/volume/testdata/volume-prune-success.label-filter.golden
+++ b/cli/command/volume/testdata/volume-prune-success.label-filter.golden
@ -0,0 +1,2 @@
+WARNING! This will remove anonymous local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B
--- a/cli/command/volume/testdata/volume-prune-yes.golden
+++ b/cli/command/volume/testdata/volume-prune-yes.golden
@ -1,4 +1,4 @@
-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] Deleted Volumes:
 foo
 bar
--- a/cli/context/store/metadatastore.go
+++ b/cli/context/store/metadatastore.go
@ -2,12 +2,14 @@ package store

 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"reflect"
 	"sort"

 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/fvbommel/sortorder"
 	"github.com/pkg/errors"
 )
@ -35,7 +37,7 @@ func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
+	return ioutils.AtomicWriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
 }

 func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
@ -65,7 +67,8 @@ func (s *metadataStore) get(name string) (Metadata, error) {
 }

 func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
-	bytes, err := os.ReadFile(filepath.Join(s.contextDir(id), metaFile))
+	fileName := filepath.Join(s.contextDir(id), metaFile)
+	bytes, err := os.ReadFile(fileName)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return Metadata{}, errdefs.NotFound(errors.Wrap(err, "context not found"))
@ -77,15 +80,15 @@ func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
 		Endpoints: make(map[string]interface{}),
 	}
 	if err := json.Unmarshal(bytes, &untyped); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	r.Name = untyped.Name
 	if r.Metadata, err = parseTypedOrMap(untyped.Metadata, s.config.contextType); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	for k, v := range untyped.Endpoints {
 		if r.Endpoints[k], err = parseTypedOrMap(v, s.config.endpointTypes[k]); err != nil {
-			return Metadata{}, err
+			return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 		}
 	}
 	return r, err
--- a/cli/context/store/store_test.go
+++ b/cli/context/store/store_test.go
@ -7,9 +7,11 @@ import (
 	"bytes"
 	"crypto/rand"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"testing"

 	"github.com/docker/docker/errdefs"
@ -230,3 +232,28 @@ func TestImportZipInvalid(t *testing.T) {
 	err = Import("zipInvalid", s, r)
 	assert.ErrorContains(t, err, "unexpected context file")
 }
+
+func TestCorruptMetadata(t *testing.T) {
+	tempDir := t.TempDir()
+	s := New(tempDir, testCfg)
+	err := s.CreateOrUpdate(
+		Metadata{
+			Endpoints: map[string]interface{}{
+				"ep1": endpoint{Foo: "bar"},
+			},
+			Metadata: context{Bar: "baz"},
+			Name:     "source",
+		})
+	assert.NilError(t, err)
+
+	// Simulate the meta.json file getting corrupted
+	// by some external process.
+	contextDir := s.meta.contextDir(contextdirOf("source"))
+	contextFile := filepath.Join(contextDir, metaFile)
+	err = os.WriteFile(contextFile, nil, 0o600)
+	assert.NilError(t, err)
+
+	// Assert that the error message gives the user some clue where to look.
+	_, err = s.GetMetadata("source")
+	assert.ErrorContains(t, err, fmt.Sprintf("parsing %s: unexpected end of JSON input", contextFile))
+}
--- a/cli/context/store/tlsstore.go
+++ b/cli/context/store/tlsstore.go
@ -5,6 +5,7 @@ import (
 	"path/filepath"

 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/pkg/errors"
 )

@ -31,7 +32,7 @@ func (s *tlsStore) createOrUpdate(name, endpointName, filename string, data []by
 	if err := os.MkdirAll(endpointDir, 0o700); err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(endpointDir, filename), data, 0o600)
+	return ioutils.AtomicWriteFile(filepath.Join(endpointDir, filename), data, 0o600)
 }

 func (s *tlsStore) getData(name, endpointName, filename string) ([]byte, error) {
--- a/cmd/docker/builder.go
+++ b/cmd/docker/builder.go
@ -44,9 +44,9 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 	var buildKitDisabled, useBuilder, useAlias bool
 	var envs []string

-	// check DOCKER_BUILDKIT env var is present and
-	// if not assume we want to use the builder component
-	if v, ok := os.LookupEnv("DOCKER_BUILDKIT"); ok {
+	// check DOCKER_BUILDKIT env var is not empty
+	// if it is assume we want to use the builder component
+	if v := os.Getenv("DOCKER_BUILDKIT"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return args, osargs, nil, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
--- a/cmd/docker/docker.go
+++ b/cmd/docker/docker.go
@ -133,13 +133,20 @@ func tryRunPluginHelp(dockerCli command.Cli, ccmd *cobra.Command, cargs []string
 func setHelpFunc(dockerCli command.Cli, cmd *cobra.Command) {
 	defaultHelpFunc := cmd.HelpFunc()
 	cmd.SetHelpFunc(func(ccmd *cobra.Command, args []string) {
-		if pluginmanager.IsPluginCommand(ccmd) {
+		if err := pluginmanager.AddPluginCommandStubs(dockerCli, ccmd.Root()); err != nil {
+			ccmd.Println(err)
+			return
+		}
+
+		if len(args) >= 1 {
 			err := tryRunPluginHelp(dockerCli, ccmd, args)
+			if err == nil {
+				return
+			}
 			if !pluginmanager.IsNotFound(err) {
 				ccmd.Println(err)
+				return
 			}
-			cmd.PrintErrf("unknown help topic: %v\n", ccmd.Name())
-			return
 		}

 		if err := isSupported(ccmd, dockerCli); err != nil {
@ -227,9 +234,14 @@ func runDocker(dockerCli *command.DockerCli) error {
 		return err
 	}

-	err = pluginmanager.AddPluginCommandStubs(dockerCli, cmd)
-	if err != nil {
-		return err
+	if cli.HasCompletionArg(args) {
+		// We add plugin command stubs early only for completion. We don't
+		// want to add them for normal command execution as it would cause
+		// a significant performance hit.
+		err = pluginmanager.AddPluginCommandStubs(dockerCli, cmd)
+		if err != nil {
+			return err
+		}
 	}

 	if len(args) > 0 {
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@ -1142,6 +1142,42 @@ __docker_complete_user_group() {
 	fi
 }

+DOCKER_PLUGINS_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+
+__docker_complete_plugin() {
+	local path=$1
+	local completionCommand="__completeNoDesc"
+	local resultArray=($path $completionCommand)
+	for value in "${words[@]:2}"; do
+		if [ -z "$value" ]; then
+			resultArray+=( "''" )
+		else
+			resultArray+=( "$value" )
+		fi
+	done
+	local rawResult=$(eval "${resultArray[*]}" 2> /dev/null)
+	local result=$(grep -v '^:[0-9]*$' <<< "$rawResult")
+
+	# Compose V2 completions sometimes returns returns `:8` (ShellCompDirectiveFilterFileExt)
+	# with the expected file extensions (such as `yml`, `yaml`) to indicate that the shell should
+	# provide autocompletions for files with matching extensions
+	local completionFlag=$(tail -1 <<< "$rawResult")
+	if [ "$completionFlag" == ":8" ]; then
+		# format a valid glob pattern for the provided file extensions
+		local filePattern=$(tr '\n' '|' <<< "$result")
+
+		_filedir "$filePattern"
+		return
+	fi
+
+	# if result empty, just use filename completion as fallback
+	if [ -z "$result" ]; then
+		_filedir
+	else
+		COMPREPLY=( $(compgen -W "${result}" -- "${current-}") )
+	fi
+}
+
 _docker_docker() {
 	# global options that may appear after the docker command
 	local boolean_options="
@ -5347,7 +5383,7 @@ _docker_volume_prune() {

 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--filter --force -f --help" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--all -a --filter --force -f --help" -- "$cur" ) )
 			;;
 	esac
 }
@ -5395,23 +5431,6 @@ _docker_wait() {
 	_docker_container_wait
 }

-COMPOSE_PLUGIN_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{if eq .Name "compose"}}{{.Path}}{{end}}{{end}}')
-
-_docker_compose() {
-	local completionCommand="__completeNoDesc"
-	local resultArray=($COMPOSE_PLUGIN_PATH $completionCommand compose)
-	for value in "${words[@]:2}"; do
-		if [ -z "$value" ]; then
-			resultArray+=( "''" )
-		else
-			resultArray+=( "$value" )
-		fi
-	done
-	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
-
-	COMPREPLY=( $(compgen -W "${result}" -- "$current") )
-}
-
 _docker() {
 	local previous_extglob_setting=$(shopt -p extglob)
 	shopt -s extglob
@ -5481,11 +5500,16 @@ _docker() {
 		wait
 	)

+	# Create completion functions for all registered plugins
 	local known_plugin_commands=()
-
-	if [ -f "$COMPOSE_PLUGIN_PATH" ] ; then
-		known_plugin_commands+=("compose")
-	fi
+	local plugin_name=""
+	for plugin_path in ${DOCKER_PLUGINS_PATH//:/ }; do
+		plugin_name=$(basename "$plugin_path" | sed 's/ *$//')
+		plugin_name=${plugin_name#docker-}
+		plugin_name=${plugin_name%%.*}
+		eval "_docker_${plugin_name}() { __docker_complete_plugin \"${plugin_path}\"; }"
+		known_plugin_commands+=(${plugin_name})
+	done

 	local experimental_server_commands=(
 		checkpoint
--- a/contrib/completion/zsh/_docker
+++ b/contrib/completion/zsh/_docker
@ -2527,6 +2527,8 @@ __docker_volume_subcommand() {
        (prune)
            _arguments $(__docker_arguments) \
                $opts_help \
+                "($help -a --all)"{-a,--all}"[Remove all unused local volumes, not just anonymous ones]" \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
            ;;
        (rm)
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.19.5"
+    default = "1.19.8"
 }
 variable "VERSION" {
    default = ""
@ -52,7 +52,7 @@ target "binary" {
    platforms = ["local"]
    output = ["build"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
        PACKAGER_NAME = PACKAGER_NAME
        GO_STRIP = STRIP_TARGET
@ -72,7 +72,7 @@ target "plugins" {
    platforms = ["local"]
    output = ["build"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
        GO_STRIP = STRIP_TARGET
    }
@ -155,7 +155,13 @@ target "e2e-image" {
    output = ["type=docker"]
    tags = ["${IMAGE_NAME}"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
    }
 }
+
+target "e2e-gencerts" {
+    inherits = ["_common"]
+    dockerfile = "./e2e/testdata/Dockerfile.gencerts"
+    output = ["./e2e/testdata"]
+}
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16

-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx

 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG GOLANGCI_LINT_VERSION=v1.49.0

--- a/dockerfiles/Dockerfile.vendor
+++ b/dockerfiles/Dockerfile.vendor
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.4
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG MODOUTDATED_VERSION=v0.8.0

--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@ -50,6 +50,7 @@ The table below provides an overview of the current status of deprecated feature

 | Status     | Feature                                                                                                                            | Deprecated | Remove  |
 |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|---------|
+| Deprecated | [Buildkit build information](#buildkit-build-information)                                                                          | v23.0.0    | v24.0.0 |
 | Deprecated | [Legacy builder for Linux images](#legacy-builder-for-linux-images)                                                                | v23.0.0    | -       |
 | Deprecated | [Legacy builder fallback](#legacy-builder-fallback)                                                                                | v23.0.0    | -       |
 | Removed    | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | v23.0.0 |
@ -104,6 +105,17 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13   |
 | Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12   |

+### Buildkit build information
+
+**Deprecated in Release: v23.0.0**
+
+[Build information](https://github.com/moby/buildkit/blob/v0.11/docs/buildinfo.md)
+structures have been introduced in [BuildKit v0.10.0](https://github.com/moby/buildkit/releases/tag/v0.10.0)
+and are generated with build metadata that allows you to see all the sources
+(images, git repositories) that were used by the build with their exact
+versions and also the configuration that was passed to the build. This
+information is also embedded into the image configuration if one is generated.
+
 ### Legacy builder for Linux images

 **Deprecated in Release: v23.0.0**
--- a/docs/reference/commandline/build.md
+++ b/docs/reference/commandline/build.md
@ -661,7 +661,7 @@ The `--squash` option has a number of known limitations:

 #### Prerequisites

-The example on this page is using experimental mode in Docker 19.03.
+The example on this page is using experimental mode in Docker 23.03.

 Experimental mode can be enabled by using the `--experimental` flag when starting
 the Docker daemon or setting `experimental: true` in the `daemon.json` configuration
@ -673,21 +673,21 @@ line in the `Engine` section:

 ```console
 Client: Docker Engine - Community
- Version:           19.03.8
- API version:       1.40
- Go version:        go1.12.17
- Git commit:        afacb8b
- Built:             Wed Mar 11 01:21:11 2020
+ Version:           23.0.3
+ API version:       1.42
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
- Experimental:      false
+ Context:           default

 Server: Docker Engine - Community
 Engine:
-  Version:          19.03.8
-  API version:      1.40 (minimum version 1.12)
-  Go version:       go1.12.17
-  Git commit:       afacb8b
-  Built:            Wed Mar 11 01:29:16 2020
+  Version:          23.0.3
+  API version:      1.42 (minimum version 1.12)
+  Go version:       go1.19.7
+  Git commit:       59118bf
+  Built:            Tue Apr  4 22:05:41 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 [...]
--- a/docs/reference/commandline/cli.md
+++ b/docs/reference/commandline/cli.md
@ -123,30 +123,31 @@ the [installation](https://docs.docker.com/install/) instructions for your opera
 The following list of environment variables are supported by the `docker` command
 line:

-| Variable                      | Description                                                                                                                             |
-|:------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------|
-| `DOCKER_API_VERSION`          | Override the negotiated API version to use for debugging (e.g. `1.19`)                                                                  |
-| `DOCKER_CERT_PATH`            | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)             |
-| `DOCKER_CONFIG`               | The location of your client configuration files.                                                                                        |
-| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry.                                                          |
-| `DOCKER_CONTENT_TRUST`        | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run.   |
-| `DOCKER_CONTEXT`              | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`)                 |
-| `DOCKER_DEFAULT_PLATFORM`     | Default platform for commands that take the `--platform` flag.                                                                          |
-| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release, at which point this environment-variable is removed. |
-| `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                            |
-| `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
-| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
+| Variable                      | Description                                                                                                                                                                                                                                                  |
+|:------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_API_VERSION`          | Override the negotiated API version to use for debugging (e.g. `1.19`)                                                                                                                                                                                       |
+| `DOCKER_CERT_PATH`            | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)                                                                                                                                  |
+| `DOCKER_CONFIG`               | The location of your client configuration files.                                                                                                                                                                                                             |
+| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry.                                                                                                                                                                               |
+| `DOCKER_CONTENT_TRUST`        | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run.                                                                                                                        |
+| `DOCKER_CONTEXT`              | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`)                                                                                                                                      |
+| `DOCKER_DEFAULT_PLATFORM`     | Default platform for commands that take the `--platform` flag.                                                                                                                                                                                               |
+| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release. |
+| `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                                                                                                                                                 |
+| `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)                                                                                                                      |
+| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`).                                                        |

 Because Docker is developed using Go, you can also use any environment
 variables used by the Go runtime. In particular, you may find these useful:

-* `HTTP_PROXY`
-* `HTTPS_PROXY`
-* `NO_PROXY`
+| Variable      | Description                                                                    |
+|:--------------|:-------------------------------------------------------------------------------|
+| `HTTP_PROXY`  | Proxy URL for HTTP requests unless overridden by NoProxy.                      |
+| `HTTPS_PROXY` | Proxy URL for HTTPS requests unless overridden by NoProxy.                     |
+| `NO_PROXY`    | Comma-separated values specifying hosts that should be excluded from proxying. |

-These Go environment variables are case-insensitive. See the
-[Go specification](https://golang.org/pkg/net/http/) for details on these
-variables.
+See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config)
+for details on these variables.

 ## Configuration files

--- a/docs/reference/commandline/container_rm.md
+++ b/docs/reference/commandline/container_rm.md
@ -5,7 +5,7 @@ Remove one or more containers

 ### Aliases

-`docker container rm`, `docker rm`
+`docker container rm`, `docker container remove`, `docker rm`

 ### Options

--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@ -18,7 +18,7 @@ redirect_from:
 # daemon

 ```markdown
-Usage: dockerd COMMAND
+Usage: dockerd [OPTIONS]

 A self-sufficient runtime for containers.

@ -35,14 +35,14 @@ Options:
      --containerd-namespace string           Containerd namespace to use (default "moby")
      --containerd-plugins-namespace string   Containerd namespace to use for plugins (default "plugins.moby")
      --cpu-rt-period int                     Limit the CPU real-time period in microseconds for the
-                                              parent cgroup for all containers
+                                              parent cgroup for all containers (not supported with cgroups v2)
      --cpu-rt-runtime int                    Limit the CPU real-time runtime in microseconds for the
-                                              parent cgroup for all containers
+                                              parent cgroup for all containers (not supported with cgroups v2)
      --cri-containerd                        start containerd with cri
      --data-root string                      Root directory of persistent Docker state (default "/var/lib/docker")
  -D, --debug                                 Enable debug mode
      --default-address-pool pool-options     Default address pools for node specific local networks
-      --default-cgroupns-mode string          Default mode for containers cgroup namespace ("host" | "private") (default "host")
+      --default-cgroupns-mode string          Default mode for containers cgroup namespace ("host" | "private") (default "private")
      --default-gateway ip                    Container default gateway IPv4 address
      --default-gateway-v6 ip                 Container default gateway IPv6 address
      --default-ipc-mode string               Default mode for containers ipc ("shareable" | "private") (default "private")
@ -62,6 +62,8 @@ Options:
  -H, --host list                             Daemon socket(s) to connect to
      --host-gateway-ip ip                    IP address that the special 'host-gateway' string in --add-host resolves to.
                                              Defaults to the IP address of the default bridge
+      --http-proxy string                     HTTP proxy URL to use for outgoing traffic
+      --https-proxy string                    HTTPS proxy URL to use for outgoing traffic
      --icc                                   Enable inter-container communication (default true)
      --init                                  Run an init in the container to forward signals and reap processes
      --init-path string                      Path to the docker-init binary
@ -69,8 +71,8 @@ Options:
      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
      --ip-forward                            Enable net.ipv4.ip_forward (default true)
      --ip-masq                               Enable IP masquerading (default true)
+      --ip6tables                             Enable addition of ip6tables rules (experimental)
      --iptables                              Enable addition of iptables rules (default true)
-      --ip6tables                             Enable addition of ip6tables rules (default false)
      --ipv6                                  Enable IPv6 networking
      --label list                            Set key=value labels to the daemon
      --live-restore                          Enable live restore of docker when containers are still running
@ -81,16 +83,17 @@ Options:
      --max-concurrent-uploads int            Set the max concurrent uploads (default 5)
      --max-download-attempts int             Set the max download attempts for each pull (default 5)
      --metrics-addr string                   Set default address and port to serve the metrics api on
-      --mtu int                               Set the containers network MTU
+      --mtu int                               Set the containers network MTU (default 1500)
      --network-control-plane-mtu int         Network Control plane MTU (default 1500)
      --no-new-privileges                     Set no-new-privileges by default for new containers
+      --no-proxy string                       Comma-separated list of hosts or IP addresses for which the proxy is skipped
      --node-generic-resource list            Advertise user-defined resource
-      --oom-score-adjust int                  Set the oom_score_adj for the daemon (default -500)
+      --oom-score-adjust int                  Set the oom_score_adj for the daemon
  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
      --raw-logs                              Full timestamps without ANSI coloring
      --registry-mirror list                  Preferred registry mirror
      --rootless                              Enable rootless mode; typically used with RootlessKit
-      --seccomp-profile string                Path to seccomp profile
+      --seccomp-profile string                Path to seccomp profile. Use "unconfined" to disable the default seccomp profile (default "builtin")
      --selinux-enabled                       Enable selinux support
      --shutdown-timeout int                  Set the default shutdown timeout (default 15)
  -s, --storage-driver string                 Storage driver to use
@ -129,16 +132,42 @@ to [the `daemon.json` file](#daemon-configuration-file).
 For easy reference, the following list of environment variables are supported
 by the `dockerd` command line:

-* `DOCKER_DRIVER` The graph driver to use.
-* `DOCKER_NOWARN_KERNEL_VERSION` Prevent warnings that your Linux kernel is
-  unsuitable for Docker.
-* `DOCKER_RAMDISK` If set this will disable 'pivot_root'.
-* `DOCKER_TMPDIR` Location for temporary Docker files.
-* `MOBY_DISABLE_PIGZ` Do not use [`unpigz`](https://linux.die.net/man/1/pigz) to
-  decompress layers in parallel when pulling images, even if it is installed.
+| Variable            | Description                                                                                                                                                                       |
+|:--------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_CERT_PATH`  | Location of your authentication keys. This variable is used both by the [`docker` CLI](cli.md) and the `dockerd` daemon.                                                          |
+| `DOCKER_DRIVER`     | The storage driver to use.                                                                                                                                                        |
+| `DOCKER_RAMDISK`    | If set this disables 'pivot_root'.                                                                                                                                                |
+| `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the  [`docker` CLI](cli.md) and the `dockerd` daemon.                                             |
+| `DOCKER_TMPDIR`     | Location for temporary files created by the daemon.                                                                                                                               |
+| `HTTP_PROXY`        | Proxy URL for HTTP requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details.                      |
+| `HTTPS_PROXY`       | Proxy URL for HTTPS requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details.                     |
+| `MOBY_DISABLE_PIGZ` | Disables the use of [`unpigz`](https://linux.die.net/man/1/pigz) to  decompress layers in parallel when pulling images, even if it is installed.                                  |                                                                                                                                                               |
+| `NO_PROXY`          | Comma-separated values specifying hosts that should be excluded from proxying. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details. |

 ## Examples

+### Proxy configuration
+
+> **Note**
+> 
+> Refer to the [Docker Desktop manual](https://docs.docker.com/desktop/networking/#httphttps-proxy-support)
+> if you are running [Docker Desktop](https://docs.docker.com/desktop/).
+
+If you are behind an HTTP proxy server, for example in corporate settings,
+you may have to configure the Docker daemon to use the proxy server for
+operations such as pulling and pushing images. The daemon can be configured
+in three ways:
+
+1. Using environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`).
+2. Using the "http-proxy", "https-proxy", and "no-proxy" fields in the
+  [daemon configuration file](#daemon-configuration-file) (Docker Engine 23.0 or newer).
+3. Using the `--http-proxy`, `--https-proxy`, and `--no-proxy` command-line
+  options. (Docker Engine 23.0 or newer).
+
+The command-line and configuration file options take precedence over environment
+variables. Refer to [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
+to set these environment variables on a host using `systemd`.
+
 ### Daemon socket option

 The Docker daemon can listen for [Docker Engine API](https://docs.docker.com/engine/api/)
@ -295,57 +324,11 @@ $ docker -H tcp://127.0.0.1:2375 pull ubuntu
 On Linux, the Docker daemon has support for several different image layer storage
 drivers: `aufs`, `devicemapper`, `btrfs`, `zfs`, `overlay`, `overlay2`, and `fuse-overlayfs`.

-The `aufs` driver is the oldest, but is based on a Linux kernel patch-set that
-is unlikely to be merged into the main kernel. These are also known to cause
-some serious kernel crashes. However `aufs` allows containers to share
-executable and shared library memory, so is a useful choice when running
-thousands of containers with the same program or libraries.
+`overlay2` is the preferred storage driver for all currently supported Linux distributions,
+and is selected by default. Unless users have a strong reason to prefer another storage driver,
+`overlay2` should be used.

-The `devicemapper` driver uses thin provisioning and Copy on Write (CoW)
-snapshots. For each devicemapper graph location – typically
-`/var/lib/docker/devicemapper` – a thin pool is created based on two block
-devices, one for data and one for metadata. By default, these block devices
-are created automatically by using loopback mounts of automatically created
-sparse files. Refer to [Devicemapper options](#devicemapper-options) below
-for a way how to customize this setup.
-[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
-article explains how to tune your existing setup without the use of options.
-
-The `btrfs` driver is very fast for `docker build` - but like `devicemapper`
-does not share executable memory between devices. Use
-`dockerd --storage-driver btrfs --data-root /mnt/btrfs_partition`.
-
-The `zfs` driver is probably not as fast as `btrfs` but has a longer track record
-on stability. Thanks to `Single Copy ARC` shared blocks between clones will be
-cached only once. Use `dockerd -s zfs`. To select a different zfs filesystem
-set `zfs.fsname` option as described in [ZFS options](#zfs-options).
-
-The `overlay` is a very fast union filesystem. It is now merged in the main
-Linux kernel as of [3.18.0](https://lkml.org/lkml/2014/10/26/137). `overlay`
-also supports page cache sharing, this means multiple containers accessing
-the same file can share a single page cache entry (or entries), it makes
-`overlay` as efficient with memory as `aufs` driver. Call `dockerd -s overlay`
-to use it.
-
-The `overlay2` uses the same fast union filesystem but takes advantage of
-[additional features](https://lkml.org/lkml/2015/2/11/106) added in Linux
-kernel 4.0 to avoid excessive inode consumption. Call `dockerd -s overlay2`
-to use it.
-
-> **Note**
->
-> The `overlay` storage driver can cause excessive inode consumption (especially
-> as the number of images grows). We recommend using the `overlay2` storage
-> driver instead.
-
-
-> **Note**
->
-> Both `overlay` and `overlay2` are currently unsupported on `btrfs`
-> or any Copy on Write filesystem and should only be used over `ext4` partitions.
-
-The `fuse-overlayfs` driver is similar to `overlay2` but works in userspace.
-The `fuse-overlayfs` driver is expected to be used for [Rootless mode](https://docs.docker.com/engine/security/rootless/).
+You can find out more about storage drivers and how to select one in [Select a storage driver](https://docs.docker.com/storage/storagedriver/select-storage-driver/).

 On Windows, the Docker daemon only supports the `windowsfilter` storage driver.

@ -1189,7 +1172,7 @@ of the flag name, e.g., `labels` for the `label` flag.

 The options set in the configuration file must not conflict with options set
 via flags. The docker daemon fails to start if an option is duplicated between
-the file and the flags, regardless their value. We do this to avoid
+the file and the flags, regardless of their value. We do this to avoid
 silently ignore changes introduced in configuration reloads.
 For example, the daemon fails to start if you set daemon labels
 in the configuration file and also set daemon labels via the `--label` flag.
@ -1268,6 +1251,9 @@ This is a full example of the allowed configuration options on Linux:
  "fixed-cidr-v6": "",
  "group": "",
  "hosts": [],
+  "http-proxy": "http://proxy.example.com:80",
+  "https-proxy": "https://proxy.example.com:443",
+  "no-proxy": "*.test.example.com,.example.org",
  "icc": false,
  "init": false,
  "init-path": "/usr/libexec/docker-init",
@ -1301,7 +1287,7 @@ This is a full example of the allowed configuration options on Linux:
    "NVIDIA-GPU=UUID1",
    "NVIDIA-GPU=UUID2"
  ],
-  "oom-score-adjust": -500,
+  "oom-score-adjust": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
--- a/docs/reference/commandline/info.md
+++ b/docs/reference/commandline/info.md
@ -9,9 +9,9 @@ Display system-wide information

 ### Options

-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#format), [`--format`](#format) | `string` |         | Format the output using the given Go template |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#format), [`--format`](#format) | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |


 <!---MARKER_GEN_END-->
@ -52,14 +52,11 @@ Client:
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
-    Version:  v0.8.2
+    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
-    Version:  v2.6.0
+    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
-  scan: Docker Scan (Docker Inc.)
-    Version:  v0.17.0
-    Path:     /usr/libexec/docker/cli-plugins/docker-scan

 Server:
 Containers: 14
@ -67,7 +64,7 @@ Server:
  Paused: 1
  Stopped: 10
 Images: 52
- Server Version: 22.06.0
+ Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
@ -82,11 +79,11 @@ Server:
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
- Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
+ Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
- containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
- runc version: v1.1.1-0-g52de29d
+ containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
+ runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
@ -106,7 +103,7 @@ Server:
 Username: gordontheturtle
 Registry: https://index.docker.io/v1/
 Experimental: false
- Insecure registries:
+ Insecure Registries:
  myinsecurehost:5000
  127.0.0.0/8
 Live Restore Enabled: false
@ -119,7 +116,7 @@ You can also specify the output format:
 ```console
 $ docker info --format '{{json .}}'

-{"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
+{"ID":"4cee4408-10d2-4e17-891c-a41736ac4536","Containers":14, ...}
 ```

 ### Run `docker info` on Windows
@ -133,9 +130,12 @@ Client:
 Context:    default
 Debug Mode: false
 Plugins:
-  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
-  compose: Docker Compose (Docker Inc., v2.6.0)
-  scan: Docker Scan (Docker Inc., v0.17.0)
+  buildx: Docker Buildx (Docker Inc.)
+    Version:  v0.10.4
+    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe
+  compose: Docker Compose (Docker Inc.)
+    Version:  v2.17.2
+    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe

 Server:
 Containers: 1
@ -143,7 +143,7 @@ Server:
  Paused: 0
  Stopped: 1
 Images: 17
- Server Version: 20.10.16
+ Server Version: 23.0.3
 Storage Driver: windowsfilter
 Logging Driver: json-file
 Plugins:
--- a/docs/reference/commandline/node_ls.md
+++ b/docs/reference/commandline/node_ls.md
@ -110,10 +110,10 @@ Show all nodes that have a `region` node label set:
 $ docker node ls --filter node.label=region

 ID                            HOSTNAME        STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
-yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           20.10.2
-2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        20.10.2
-hc0pu7ntc7s4uvj4pv7z7pz15     swarm-test-03   Ready     Active         Reachable        20.10.2
-n41b2cijmhifxxvz56vwrs12q     swarm-test-04   Ready     Active                          20.10.2
+yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           23.0.3
+2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        23.0.3
+hc0pu7ntc7s4uvj4pv7z7pz15     swarm-test-03   Ready     Active         Reachable        23.0.3
+n41b2cijmhifxxvz56vwrs12q     swarm-test-04   Ready     Active                          23.0.3
 ```

 Show all nodes that have a `region` node label, with value `region-a`:
@ -122,8 +122,8 @@ Show all nodes that have a `region` node label, with value `region-a`:
 $ docker node ls --filter node.label=region=region-a

 ID                            HOSTNAME        STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
-yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           20.10.2
-2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        20.10.2
+yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           23.0.3
+2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        23.0.3
 ```

 #### membership
@ -203,7 +203,7 @@ e216jshn25ckzbvmwlnh5jr3g: swarm-manager1 Ready
 To list all nodes in JSON format, use the `json` directive:
 ```console
 $ docker node ls --format json
-{"Availability":"Active","EngineVersion":"20.10.5","Hostname":"docker-desktop","ID":"k8f4w7qtzpj5sqzclcqafw35g","ManagerStatus":"Leader","Self":true,"Status":"Ready","TLSStatus":"Ready"}
+{"Availability":"Active","EngineVersion":"23.0.3","Hostname":"docker-desktop","ID":"k8f4w7qtzpj5sqzclcqafw35g","ManagerStatus":"Leader","Self":true,"Status":"Ready","TLSStatus":"Ready"}
 ```

 ## Related commands
--- a/docs/reference/commandline/pull.md
+++ b/docs/reference/commandline/pull.md
@ -34,10 +34,8 @@ use `docker pull`.

 If you are behind an HTTP proxy server, for example in corporate settings,
 before open a connect to registry, you may need to configure the Docker
-daemon's proxy settings, using the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
-environment variables. To set these environment variables on a host using
-`systemd`, refer to the [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
-for variables configuration.
+daemon's proxy settings, refer to the [dockerd command-line reference](dockerd.md#proxy-configuration)
+for details.

 ### Concurrent downloads

--- a/docs/reference/commandline/rm.md
+++ b/docs/reference/commandline/rm.md
@ -5,7 +5,7 @@ Remove one or more containers

 ### Aliases

-`docker container rm`, `docker rm`
+`docker container rm`, `docker container remove`, `docker rm`

 ### Options

--- a/docs/reference/commandline/run.md
+++ b/docs/reference/commandline/run.md
@ -91,7 +91,7 @@ Create and run a new container from an image
 | `-P`, `--publish-all`                         |               |           | Publish all exposed ports to random ports                                                                                                                                                                                                                                                                        |
 | [`--pull`](#pull)                             | `string`      | `missing` | Pull image before running (`always`, `missing`, `never`)                                                                                                                                                                                                                                                         |
 | `-q`, `--quiet`                               |               |           | Suppress the pull output                                                                                                                                                                                                                                                                                         |
-| `--read-only`                                 |               |           | Mount the container's root filesystem as read only                                                                                                                                                                                                                                                               |
+| [`--read-only`](#read-only)                   |               |           | Mount the container's root filesystem as read only                                                                                                                                                                                                                                                               |
 | [`--restart`](#restart)                       | `string`      | `no`      | Restart policy to apply when a container exits                                                                                                                                                                                                                                                                   |
 | `--rm`                                        |               |           | Automatically remove the container when it exits                                                                                                                                                                                                                                                                 |
 | `--runtime`                                   | `string`      |           | Runtime to use for this container                                                                                                                                                                                                                                                                                |
@ -118,14 +118,11 @@ Create and run a new container from an image

 ## Description

-The `docker run` command first `creates` a writeable container layer over the
-specified image, and then `starts` it using the specified command. That is,
-`docker run` is equivalent to the API `/containers/create` then
-`/containers/(id)/start`. A stopped container can be restarted with all its
-previous changes intact using `docker start`. See `docker ps -a` to view a list
-of all containers.
+The `docker run` command runs a command in a new container, pulling the image if needed and starting the container.
+
+You can restart a stopped container with all its previous changes intact using `docker start`.
+Use `docker ps -a` to view a list of all containers, including those that are stopped.

-For information on connecting a container to a network, see the ["*Docker network overview*"](https://docs.docker.com/network/).

 ## Examples

@ -144,9 +141,9 @@ d6c0fe130dba        debian:7            "/bin/bash"         26 seconds ago
 This example runs a container named `test` using the `debian:latest`
 image. The `-it` instructs Docker to allocate a pseudo-TTY connected to
 the container's stdin; creating an interactive `bash` shell in the container.
-In the example, the `bash` shell is quit by entering
-`exit 13`. This exit code is passed on to the caller of
-`docker run`, and is recorded in the `test` container's metadata.
+The example quits the `bash` shell by entering
+`exit 13`, passing the exit code on to the caller of
+`docker run`, and recording it in the `test` container's metadata.

 ### <a name="cidfile"></a> Capture container ID (--cidfile)

@ -154,9 +151,9 @@ In the example, the `bash` shell is quit by entering
 $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"
 ```

-This will create a container and print `test` to the console. The `cidfile`
+This creates a container and prints `test` to the console. The `cidfile`
 flag makes Docker attempt to create a new file and write the container ID to it.
-If the file exists already, Docker will return an error. Docker will close this
+If the file exists already, Docker returns an error. Docker closes this
 file when `docker run` exits.

 ### <a name="privileged"></a> Full container capabilities (--privileged)
@ -167,9 +164,9 @@ root@bc338942ef20:/# mount -t tmpfs none /mnt
 mount: permission denied
 ```

-This will *not* work, because by default, most potentially dangerous kernel
-capabilities are dropped; including `cap_sys_admin` (which is required to mount
-filesystems). However, the `--privileged` flag will allow it to run:
+This *doesn't* work, because by default, Docker drops most potentially dangerous kernel
+capabilities, including `CAP_SYS_ADMIN ` (which is required to mount
+filesystems). However, the `--privileged` flag allows it to run:

 ```console
 $ docker run -t -i --privileged ubuntu bash
@ -190,8 +187,8 @@ flag exists to allow special use-cases, like running Docker within Docker.
 $ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
 ```

-The `-w` lets the command being executed inside directory given, here
-`/path/to/dir/`. If the path does not exist it is created inside the container.
+The `-w` option runs the command executed inside the directory specified, in this example,
+`/path/to/dir/`. If the path does not exist, Docker creates it inside the container.

 ### <a name="storage-opt"></a> Set storage driver options per container (--storage-opt)

@ -199,14 +196,17 @@ The `-w` lets the command being executed inside directory given, here
 $ docker run -it --storage-opt size=120G fedora /bin/bash
 ```

-This (size) will allow to set the container filesystem size to 120G at creation time.
+This (size) constraints the container filesystem size to 120G at creation time.
 This option is only available for the `devicemapper`, `btrfs`, `overlay2`,
-`windowsfilter` and `zfs` graph drivers.
-For the `devicemapper`, `btrfs`, `windowsfilter` and `zfs` graph drivers,
-user cannot pass a size less than the Default BaseFS Size.
+`windowsfilter` and `zfs` storage drivers.
+
 For the `overlay2` storage driver, the size option is only available if the
 backing filesystem is `xfs` and mounted with the `pquota` mount option.
-Under these conditions, user can pass any size less than the backing filesystem size.
+Under these conditions, you can pass any size less than the backing filesystem size.
+
+For the `windowsfilter`, `devicemapper`, `btrfs`, and `zfs` storage drivers,
+you cannot pass a size less than the Default BaseFS Size.
+

 ### <a name="tmpfs"></a> Mount tmpfs (--tmpfs)

@ -217,32 +217,41 @@ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
 The `--tmpfs` flag mounts an empty tmpfs into the container with the `rw`,
 `noexec`, `nosuid`, `size=65536k` options.

-### <a name="volume"></a> Mount volume (-v, --read-only)
+### <a name="volume"></a> Mount volume (-v)

 ```console
-$ docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
+$ docker  run  -v $(pwd):$(pwd) -w $(pwd) -i -t  ubuntu pwd
 ```

-The `-v` flag mounts the current working directory into the container. The `-w`
-lets the command being executed inside the current working directory, by
-changing into the directory to the value returned by `pwd`. So this
-combination executes the command using the container, but inside the
-current working directory.
+The example above mounts the current directory into the container at the same path
+using the `-v` flag, sets it as the working directory, and then runs the `pwd` command inside the container.
+
+As of Docker Engine version 23, you can use relative paths on the host.
+
+```console
+$ docker  run  -v ./content:/content -w /content -i -t  ubuntu pwd
+```
+
+The example above mounts the `content` directory in the current directory into the container at the
+`/content` path using the `-v` flag, sets it as the working directory, and then
+runs the `pwd` command inside the container.

 ```console
 $ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash
 ```

 When the host directory of a bind-mounted volume doesn't exist, Docker
-will automatically create this directory on the host for you. In the
-example above, Docker will create the `/doesnt/exist`
+automatically creates this directory on the host for you. In the
+example above, Docker creates the `/doesnt/exist`
 folder before starting your container.

+### <a name="read-only"></a> Mount volume read-only (--read-only)
+
 ```console
 $ docker run --read-only -v /icanwrite busybox touch /icanwrite/here
 ```

-Volumes can be used in combination with `--read-only` to control where
+You can use volumes in combination with the `--read-only` flag to control where
 a container writes files. The `--read-only` flag mounts the container's root
 filesystem as read only prohibiting writes to locations other than the
 specified volumes for the container.
@ -256,7 +265,7 @@ binary (refer to [get the Linux binary](https://docs.docker.com/engine/install/b
 you give the container the full access to create and manipulate the host's
 Docker daemon.

-On Windows, the paths must be specified using Windows-style semantics.
+On Windows, you must specify the paths using Windows-style path semantics.

 ```powershell
 PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
@ -266,9 +275,9 @@ PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.
 Contents of file
 ```

-The following examples will fail when using Windows-based containers, as the
+The following examples fails when using Windows-based containers, as the
 destination of a volume or bind mount inside the container must be one of:
-a non-existing or empty directory; or a drive other than C:. Further, the source
+a non-existing or empty directory; or a drive other than `C:`. Further, the source
 of a bind mount must be a local directory, not a file.

 ```powershell
@ -282,13 +291,12 @@ docker run -v c:\foo:c:\existing-directory-with-contents ...

 For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/storage/volumes/)

-
 ### <a name="mount"></a> Add bind mounts or volumes using the --mount flag

-The `--mount` flag allows you to mount volumes, host-directories and `tmpfs`
+The `--mount` flag allows you to mount volumes, host-directories, and `tmpfs`
 mounts in a container.

-The `--mount` flag supports most options that are supported by the `-v` or the
+The `--mount` flag supports most options supported by the `-v` or the
 `--volume` flag, but uses a different syntax. For in-depth information on the
 `--mount` flag, and a comparison between `--volume` and `--mount`, refer to
 [Bind mounts](https://docs.docker.com/storage/bind-mounts/).
@ -314,10 +322,10 @@ $ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
 This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the host
 machine. You can also specify `udp` and `sctp` ports.
 The [Docker User Guide](https://docs.docker.com/network/links/)
-explains in detail how to manipulate ports in Docker.
+explains in detail how to use ports in Docker.

 Note that ports which are not bound to the host (i.e., `-p 80:80` instead of
-`-p 127.0.0.1:80:80`) will be accessible from the outside. This also applies if
+`-p 127.0.0.1:80:80`) are externally accessible. This also applies if
 you configured UFW to block this specific port, as Docker manages its
 own iptables rules. [Read more](https://docs.docker.com/network/iptables/)

@ -345,7 +353,7 @@ When creating (and running) a container from an image, the daemon checks if the
 image exists in the local image cache. If the image is missing, an error is
 returned to the CLI, allowing it to initiate a pull.

-The default (`missing`) is to only pull the image if it is not present in the
+The default (`missing`) is to only pull the image if it's not present in the
 daemon's image cache. This default allows you to run images that only exist
 locally (for example, images you built from a Dockerfile, but that have not
 been pushed to a registry), and reduces networking.
@ -378,7 +386,7 @@ $ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash

 Use the `-e`, `--env`, and `--env-file` flags to set simple (non-array)
 environment variables in the container you're running, or overwrite variables
-that are defined in the Dockerfile of the image you're running.
+defined in the Dockerfile of the image you're running.

 You can define the variable and its value when running the container:

@ -388,7 +396,7 @@ VAR1=value1
 VAR2=value2
 ```

-You can also use variables that you've exported to your local environment:
+You can also use variables exported to your local environment:

 ```console
 export VAR1=value1
@ -402,7 +410,7 @@ VAR2=value2
 When running the command, the Docker CLI client checks the value the variable
 has in your local environment and passes it to the container.
 If no `=` is provided and that variable is not exported in your local
-environment, the variable won't be set in the container.
+environment, the variable isn't set in the container.

 You can also load the environment variables from a file. This file should use
 the syntax `<variable>=value` (which sets the variable to the given value) or
@ -446,7 +454,7 @@ $ docker run --label-file ./labels ubuntu bash

 The label-file format is similar to the format for loading environment
 variables. (Unlike environment variables, labels are not visible to processes
-running inside a container.) The following example illustrates a label-file
+running inside a container.) The following example shows a label-file
 format:

 ```console
@ -465,8 +473,9 @@ the Docker User Guide.

 ### <a name="network"></a> Connect a container to a network (--network)

-When you start a container use the `--network` flag to connect it to a network.
-The following commands create a network named `my-net`, and adds a `busybox` container
+To start a container and connect it to a network, use the `--network` option.
+
+The following commands create a network named `my-net` and adds a `busybox` container
 to the `my-net` network.

 ```console
@ -484,7 +493,7 @@ $ docker run -itd --network=my-net --ip=10.10.9.75 busybox
 If you want to add a running container to a network use the `docker network connect` subcommand.

 You can connect multiple containers to the same network. Once connected, the
-containers can communicate easily using only another container's IP address
+containers can communicate using only another container's IP address
 or name. For `overlay` networks or custom plugins that support multi-host
 connectivity, containers connected to the same multi-host network but launched
 from different Engines can also communicate in this way.
@ -498,6 +507,8 @@ from different Engines can also communicate in this way.
 You can disconnect a container from a network using the `docker network
 disconnect` command.

+For more information on connecting a container to a network when using the `run` command, see the ["*Docker network overview*"](https://docs.docker.com/network/).
+
 ### <a name="volumes-from"></a> Mount volumes from container (--volumes-from)

 ```console
@ -505,13 +516,13 @@ $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ub
 ```

 The `--volumes-from` flag mounts all the defined volumes from the referenced
-containers. Containers can be specified by repetitions of the `--volumes-from`
+containers. You can specify more than one container by repetitions of the `--volumes-from`
 argument. The container ID may be optionally suffixed with `:ro` or `:rw` to
 mount the volumes in read-only or read-write mode, respectively. By default,
-the volumes are mounted in the same mode (read write or read only) as
+Docker mounts the volumes in the same mode (read write or read only) as
 the reference container.

-Labeling systems like SELinux require that proper labels are placed on volume
+Labeling systems like SELinux require placing proper labels on volume
 content mounted into a container. Without a label, the security system might
 prevent the processes running inside the container from using the content. By
 default, Docker does not change the labels set by the OS.
@ -541,17 +552,17 @@ only to the container's `STDIN`.
 $ docker run -a stderr ubuntu echo test
 ```

-This isn't going to print anything unless there's an error because we've
-only attached to the `STDERR` of the container. The container's logs
-still store what's been written to `STDERR` and `STDOUT`.
+This isn't going to print anything to the console unless there's an error because output
+is only attached to the `STDERR` of the container. The container's logs
+still store what's written to `STDERR` and `STDOUT`.

 ```console
 $ cat somefile | docker run -i -a stdin mybuilder dobuild
 ```

-This is a way of using `--attach` to pipe a build file into a container.
-The container's ID will be printed after the build is done and the build
-logs could be retrieved using `docker logs`. This is
+This example shows a way of using `--attach` to pipe a file into a container.
+The command prints the container's ID after the build completes and you can retrieve
+the build logs using `docker logs`. This is
 useful if you need to pipe a file or something else into a container and
 retrieve the container's ID once the container has finished running.

@ -571,15 +582,15 @@ brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
 crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/foobar
 ```

-It is often necessary to directly expose devices to a container. The `--device`
-option enables that. For example, a specific block storage device or loop
-device or audio device can be added to an otherwise unprivileged container
+It's often necessary to directly expose devices to a container. The `--device`
+option enables that. For example, adding a specific block storage device or loop
+device or audio device to an otherwise unprivileged container
 (without the `--privileged` flag) and have the application directly access it.

-By default, the container will be able to `read`, `write` and `mknod` these devices.
+By default, the container is able to `read`, `write` and `mknod` these devices.
 This can be overridden using a third `:rwm` set of options to each `--device`
-flag. If the container is running in privileged mode, then the permissions specified
-will be ignored.
+flag. If the container is running in privileged mode, then Docker ignores the
+specified permissions.

 ```console
 $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdc
@ -600,8 +611,8 @@ fdisk: unable to open /dev/xvdc: Operation not permitted

 > **Note**
 >
-> The `--device` option cannot be safely used with ephemeral devices. Block devices
-> that may be removed should not be added to untrusted containers with `--device`.
+> The `--device` option cannot be safely used with ephemeral devices. You shouldn't 
+> add block devices that may be removed to untrusted containers with `--device`.

 For Windows, the format of the string passed to the `--device` option is in
 the form of `--device=<IdType>/<Id>`. Beginning with Windows Server 2019
@ -612,8 +623,8 @@ Refer to the table defined in the [Windows container
 docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/hardware-devices-in-containers)
 for a list of container-supported device interface class GUIDs.

-If this option is specified for a process-isolated Windows container, _all_
-devices that implement the requested device interface class GUID are made
+If you specify this option for a process-isolated Windows container, Docker makes
+_all_ devices that implement the requested device interface class GUID
 available in the container. For example, the command below makes all COM
 ports on the host visible in the container.

@ -628,16 +639,16 @@ PS C:\> docker run --device=class/86E0D1E0-8089-11D0-9CE4-08003E301F73 mcr.micro

 ### <a name="device-cgroup-rule"></a> Using dynamically created devices (--device-cgroup-rule)

-Devices available to a container are assigned at creation time. The
-assigned devices will both be added to the cgroup.allow file and
-created into the container once it is run. This poses a problem when
-a new device needs to be added to running container.
+Docker assigns devices available to a container at creation time. The
+assigned devices are added to the cgroup.allow file and
+created into the container when it runs. This poses a problem when
+you need to add a new device to running container.

-One of the solutions is to add a more permissive rule to a container
+One solution is to add a more permissive rule to a container
 allowing it access to a wider range of devices. For example, supposing
-our container needs access to a character device with major `42` and
-any number of minor number (added as new devices appear), the
-following rule would be added:
+the container needs access to a character device with major `42` and
+any number of minor numbers (added as new devices appear), add the
+following rule:

 ```console
 $ docker run -d --device-cgroup-rule='c 42:* rmw' -name my-container my-image
@ -646,18 +657,19 @@ $ docker run -d --device-cgroup-rule='c 42:* rmw' -name my-container my-image
 Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`
 the required device when it is added.

-> **Note**: initially present devices still need to be explicitly added to the
+> **Note**: You still need to explicitly add initially present devices to the
 > `docker run` / `docker create` command.

 ### <a name="gpus"></a> Access an NVIDIA GPU

 The `--gpus` flag allows you to access NVIDIA GPU resources. First you need to
-install [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
-Visit [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
+install the [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
+
+Read [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
 for more information.

-To use `--gpus`, specify which GPUs (or all) to use. If no value is provided, all
-available GPUs are used. The example below exposes all available GPUs.
+To use `--gpus`, specify which GPUs (or all) to use. If you provide no value, Docker uses all
+available GPUs. The example below exposes all available GPUs.

 ```console
 $ docker run -it --rm --gpus all ubuntu nvidia-smi
@ -678,7 +690,7 @@ $ docker run -it --rm --gpus '"device=0,2"' nvidia-smi

 ### <a name="restart"></a> Restart policies (--restart)

-Use Docker's `--restart` to specify a container's *restart policy*. A restart
+Use the `--restart` flag to specify a container's *restart policy*. A restart
 policy controls whether the Docker daemon restarts a container after exit.
 Docker supports the following restart policies:

@ -686,17 +698,17 @@ Docker supports the following restart policies:
 |:---------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `no`                       | Do not automatically restart the container when it exits. This is the default.                                                                                                                                                                                   |
 | `on-failure[:max-retries]` | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts.                                                                                                                     |
-| `unless-stopped`           | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
-| `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. |
+| `unless-stopped`           | Restart the container unless it's explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
+| `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon tries to restart the container indefinitely. The container always starts on daemon startup, regardless of the current state of the container. |

 ```console
 $ docker run --restart=always redis
 ```

 This will run the `redis` container with a restart policy of **always**
-so that if the container exits, Docker will restart it.
+so that if the container exits, Docker restarts it.

-More detailed information on restart policies can be found in the
+You can find more detailed information on restart policies in the
 [Restart Policies (--restart)](../run.md#restart-policies---restart)
 section of the Docker run reference page.

@ -742,8 +754,8 @@ for the bridge device).

 Since setting `ulimit` settings in a container requires extra privileges not
 available in the default container, you can set these using the `--ulimit` flag.
-`--ulimit` is specified with a soft and hard limit as such:
-`<type>=<soft limit>[:<hard limit>]`, for example:
+Specify `--ulimit` with a soft and hard limit in the format
+`<type>=<soft limit>[:<hard limit>]`. For example:

 ```console
 $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"
@ -752,21 +764,25 @@ $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"

 > **Note**
 >
-> If you do not provide a `hard limit`, the `soft limit` is used
-> for both values. If no `ulimits` are set, they are inherited from
-> the default `ulimits` set on the daemon. The `as` option is disabled now.
+> If you don't provide a hard limit value, Docker uses the soft limit value
+> for both values. If you don't provide any values, they are inherited from
+> the default `ulimits` set on the daemon.
+
+> **Note**
+>
+> The `as` option is deprecated.
 > In other words, the following script is not supported:
 >
 > ```console
 > $ docker run -it --ulimit as=1024 fedora /bin/bash
 > ```

-The values are sent to the appropriate `syscall` as they are set.
-Docker doesn't perform any byte conversion. Take this into account when setting the values.
+Docker sends the values to the appropriate OS `syscall` and doesn't perform any byte conversion.
+Take this into account when setting the values.

 #### For `nproc` usage

-Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to set the
+Be careful setting `nproc` with the `ulimit` flag as Linux uses `nproc` to set the
 maximum number of processes available to a user, not to a container. For example, start four
 containers with `daemon` user:

@ -780,36 +796,36 @@ $ docker run -d -u daemon --ulimit nproc=3 busybox top
 $ docker run -d -u daemon --ulimit nproc=3 busybox top
 ```

-The 4th container fails and reports "[8] System error: resource temporarily unavailable" error.
+The 4th container fails and reports a "[8] System error: resource temporarily unavailable" error.
 This fails because the caller set `nproc=3` resulting in the first three containers using up
 the three processes quota set for the `daemon` user.

 ### <a name="stop-signal"></a> Stop container with signal (--stop-signal)

-The `--stop-signal` flag sets the system call signal that will be sent to the
+The `--stop-signal` flag sends the system call signal to the
 container to exit. This signal can be a signal name in the format `SIG<NAME>`,
 for instance `SIGKILL`, or an unsigned number that matches a position in the
 kernel's syscall table, for instance `9`.

-The default is defined by [`STOPSIGNAL`](https://docs.docker.com/engine/reference/builder/#stopsignal)
+The default value is defined by [`STOPSIGNAL`](https://docs.docker.com/engine/reference/builder/#stopsignal)
 in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.

 ### <a name="security-opt"></a> Optional security options (--security-opt)

-On Windows, this flag can be used to specify the `credentialspec` option.
+On Windows, you can use this flag to specify the `credentialspec` option.
 The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.

 ### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout)

 The `--stop-timeout` flag sets the number of seconds to wait for the container
 to stop after sending the pre-defined (see `--stop-signal`) system call signal.
-If the container does not exit after the timeout elapses, it is forcibly killed
+If the container does not exit after the timeout elapses, it's forcibly killed
 with a `SIGKILL` signal.

-If `--stop-timeout` is set to `-1`, no timeout is applied, and the daemon will
-wait indefinitely for the container to exit.
+If you set `--stop-timeout` to `-1`, no timeout is applied, and the daemon
+waits indefinitely for the container to exit.

-The default is determined by the daemon, and is 10 seconds for Linux containers,
+The Daemon determines the default, and is 10 seconds for Linux containers,
 and 30 seconds for Windows containers.

 ### <a name="isolation"></a> Specify isolation technology for container (--isolation)
@ -857,12 +873,12 @@ PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hy

 ### <a name="memory"></a> Specify hard limits on memory available to containers (-m, --memory)

-These parameters always set an upper limit on the memory available to the container. On Linux, this
-is set on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
+These parameters always set an upper limit on the memory available to the container. Linux sets this
+on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.

-On Windows, this will affect containers differently depending on what type of isolation is used.
+On Windows, this affects containers differently depending on what type of isolation you use.

- With `process` isolation, Windows will report the full memory of the host system, not the limit to applications running inside the container
+- With `process` isolation, Windows reports the full memory of the host system, not the limit to applications running inside the container

    ```powershell
    PS C:\> docker run -it -m 2GB --isolation=process microsoft/nanoserver powershell Get-ComputerInfo *memory*
@ -877,7 +893,7 @@ On Windows, this will affect containers differently depending on what type of is
    OsMaxProcessMemorySize     : 137438953344
    ```

- With `hyperv` isolation, Windows will create a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
+- With `hyperv` isolation, Windows creates a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."

    ```powershell
    PS C:\> docker run -it -m 2GB --isolation=hyperv microsoft/nanoserver powershell Get-ComputerInfo *memory*
@ -892,7 +908,6 @@ On Windows, this will affect containers differently depending on what type of is
    OsMaxProcessMemorySize     : 137438953344
    ```

-
 ### <a name="sysctl"></a> Configure namespaced kernel parameters (sysctls) at runtime (--sysctl)

 The `--sysctl` sets namespaced kernel parameters (sysctls) in the
@ -909,6 +924,7 @@ $ docker run --sysctl net.ipv4.ip_forward=1 someimage
 > inside of a container that also modify the host system. As the kernel
 > evolves we expect to see more sysctls become namespaced.

+
 #### Currently supported sysctls

 IPC Namespace:
@ -922,3 +938,13 @@ Network Namespace:

 - Sysctls beginning with `net.*`
 - If you use the `--network=host` option using these sysctls are not allowed.
+
+## Command internals
+
+The `docker run` command is equivalent to the following API calls:
+
+- `/<API version>/containers/create`
+  - If that call returns a 404 (image not found), and depending on the `--pull` option ("always", "missing", "never") the call can trigger a `docker pull <image>`.
+- `/containers/create` again after pulling the image.
+- `/containers/(id)/start` to start the container.
+- `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.
--- a/docs/reference/commandline/stats.md
+++ b/docs/reference/commandline/stats.md
@ -95,16 +95,16 @@ $ docker stats nginx --no-stream --format "{{ json . }}"
 Running `docker stats` with customized format on all (Running and Stopped) containers.

 ```console
-$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 drunk_visvesvaraya big_heisenberg
+$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 humble_visvesvaraya big_heisenberg

 CONTAINER                CPU %               MEM USAGE / LIMIT
 fervent_panini           0.00%               56KiB / 15.57GiB
 5acfcb1b4fd1             0.07%               32.86MiB / 15.57GiB
-drunk_visvesvaraya       0.00%               0B / 0B
+humble_visvesvaraya      0.00%               0B / 0B
 big_heisenberg           0.00%               0B / 0B
 ```

-`drunk_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
+`humble_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.

 Running `docker stats` on all running containers against a Windows daemon.

--- a/docs/reference/commandline/system_info.md
+++ b/docs/reference/commandline/system_info.md
@ -9,9 +9,9 @@ Display system-wide information

 ### Options

-| Name             | Type     | Default | Description                                   |
-|:-----------------|:---------|:--------|:----------------------------------------------|
-| `-f`, `--format` | `string` |         | Format the output using the given Go template |
+| Name             | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:-----------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-f`, `--format` | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |


 <!---MARKER_GEN_END-->
--- a/docs/reference/commandline/version.md
+++ b/docs/reference/commandline/version.md
@ -5,9 +5,9 @@ Show the Docker version information

 ### Options

-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#format), [`--format`](#format) | `string` |         | Format the output using the given Go template |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#format), [`--format`](#format) | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |


 <!---MARKER_GEN_END-->
@ -37,30 +37,30 @@ machine running Docker Desktop:
 ```console
 $ docker version

-Client:
- Version:           20.10.16
- API version:       1.41
- Go version:        go1.17.10
- Git commit:        aa7e414
- Built:             Thu May 12 09:17:28 2022
+Client: Docker Engine - Community
+ Version:           23.0.3
+ API version:       1.42
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
 Context:           default

-Server: Docker Desktop 4.8.2 (77141)
+Server: Docker Desktop 4.19.0 (12345)
 Engine:
-  Version:          20.10.16
-  API version:      1.41 (minimum version 1.12)
-  Go version:       go1.17.10
-  Git commit:       f756502
-  Built:            Thu May 12 09:15:33 2022
+  Version:          23.0.3
+  API version:      1.42 (minimum version 1.12)
+  Go version:       go1.19.7
+  Git commit:       59118bf
+  Built:            Tue Apr  4 22:05:41 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
-  Version:          1.6.4
-  GitCommit:        212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
+  Version:          1.6.20
+  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
-  Version:          1.1.1
-  GitCommit:        v1.1.1-0-g52de29d
+  Version:          1.1.5
+  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@ -82,12 +82,12 @@ remote-test-server

 $ docker version

-Client:
- Version:           20.10.16
- API version:       1.40 (downgraded from 1.41)
- Go version:        go1.17.10
- Git commit:        aa7e414
- Built:             Thu May 12 09:17:28 2022
+Client: Docker Engine - Community
+ Version:           23.0.3
+ API version:       1.40 (downgraded from 1.42)
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
 Context:           remote-test-server

@ -142,7 +142,7 @@ $ docker version --format '{{.Client.APIVersion}}'

 $ unset DOCKER_API_VERSION
 $ docker version --format '{{.Client.APIVersion}}'
-1.41
+1.42
 ```

 ## Examples
@ -159,7 +159,7 @@ page for details of the format.
 ```console
 $ docker version --format '{{.Server.Version}}'

-20.10.16
+23.0.3
 ```

 ### Get the client API version
@ -169,7 +169,7 @@ The following example prints the API version that is used by the client:
 ```console
 $ docker version --format '{{.Client.APIVersion}}'

-1.41
+1.42
 ```

 The version shown is the API version that is negotiated between the client
@ -181,5 +181,5 @@ above for more information.
 ```console
 $ docker version --format '{{json .}}'

-{"Client":{"Platform":{"Name":"Docker Engine - Community"},"Version":"19.03.8","ApiVersion":"1.40","DefaultAPIVersion":"1.40","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"darwin","Arch":"amd64","BuildTime":"Wed Mar 11 01:21:11 2020","Experimental":true},"Server":{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.8","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"Wed Mar 11 01:29:16 2020","Experimental":"true","GitCommit":"afacb8b","GoVersion":"go1.12.17","KernelVersion":"4.19.76-linuxkit","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.2.13","Details":{"GitCommit":"7ad184331fa3e55e52b890ea95e65ba581ae3429"}},{"Name":"runc","Version":"1.0.0-rc10","Details":{"GitCommit":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.8","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"linux","Arch":"amd64","KernelVersion":"4.19.76-linuxkit","Experimental":true,"BuildTime":"2020-03-11T01:29:16.000000000+00:00"}}
+{"Client":"Version":"23.0.3","ApiVersion":"1.42", ...}
 ```
--- a/docs/reference/commandline/volume_prune.md
+++ b/docs/reference/commandline/volume_prune.md
@ -5,24 +5,26 @@ Remove all unused local volumes

 ### Options

-| Name                  | Type     | Default | Description                                  |
-|:----------------------|:---------|:--------|:---------------------------------------------|
-| [`--filter`](#filter) | `filter` |         | Provide filter values (e.g. `label=<label>`) |
-| `-f`, `--force`       |          |         | Do not prompt for confirmation               |
+| Name                          | Type     | Default | Description                                        |
+|:------------------------------|:---------|:--------|:---------------------------------------------------|
+| [`-a`](#all), [`--all`](#all) |          |         | Remove all unused volumes, not just anonymous ones |
+| [`--filter`](#filter)         | `filter` |         | Provide filter values (e.g. `label=<label>`)       |
+| `-f`, `--force`               |          |         | Do not prompt for confirmation                     |


 <!---MARKER_GEN_END-->

 ## Description

-Remove all unused local volumes. Unused local volumes are those which are not referenced by any containers
+Remove all unused local volumes. Unused local volumes are those which are not
+referenced by any containers. By default, it only removes anonymous volumes.

 ## Examples

 ```console
 $ docker volume prune

-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] y
 Deleted Volumes:
 07c7bdf3e34ab76d921894c2b834f073721fccfbbcba792aa7648e3a7a664c2e
@ -31,6 +33,10 @@ my-named-vol
 Total reclaimed space: 36 B
 ```

+### <a name="all"></a> Filtering (--all, -a)
+
+Use the `--all` flag to prune both unused anonymous and named volumes.
+
 ### <a name="filter"></a> Filtering (--filter)

 The filtering flag (`--filter`) format is of "key=value". If there is more
--- a/e2e/cli-plugins/run_test.go
+++ b/e2e/cli-plugins/run_test.go
@ -83,7 +83,7 @@ func TestHelpBad(t *testing.T) {

 	res := icmd.RunCmd(run("help", "badmeta"))
 	res.Assert(t, icmd.Expected{
-		ExitCode: 0,
+		ExitCode: 1,
 		Out:      icmd.None,
 	})
 	golden.Assert(t, res.Stderr(), "docker-help-badmeta-err.golden")
@ -110,8 +110,8 @@ func TestBadHelp(t *testing.T) {
 	res.Assert(t, icmd.Expected{
 		ExitCode: 0,
 		// This should be identical to the --help case above
-		Out: usage,
-		Err: shortHFlagDeprecated,
+		Out: shortHFlagDeprecated + usage,
+		Err: icmd.None,
 	})
 }

--- a/e2e/testdata/Dockerfile.gencerts
+++ b/e2e/testdata/Dockerfile.gencerts
@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.19.8
+
+FROM golang:${GO_VERSION}-alpine AS generated
+RUN go install github.com/dmcgowan/quicktls@master
+WORKDIR /tmp/gencerts/notary
+RUN --mount=type=bind,source=e2e/testdata/notary,target=/tmp/gencerts/notary,rw <<EOT
+  set -eu
+  mkdir -p ../notary-evil /out
+  quicktls -exp 87600h -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
+  cat ca.pem >> notary-server.cert
+  mv ca.pem root-ca.cert
+  cp notary-server.cert notary-server.key root-ca.cert ../notary-evil
+  cp -r /tmp/gencerts/notary* /out/
+EOT
+
+FROM scratch
+COPY --from=generated /out /
--- a/e2e/testdata/gen-certs.sh
+++ b/e2e/testdata/gen-certs.sh
@ -1,12 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-# This script is used to generate the test-certificates in the notary-server and
-# evil-notary-server directories. Run this script to update the certificates if
-# they expire.
-GO111MODULE=off go get -u github.com/dmcgowan/quicktls
-cd notary
-quicktls -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
-cat ca.pem >> notary-server.cert
-mv ca.pem root-ca.cert
-cp notary-server.cert notary-server.key root-ca.cert ../notary-evil/
--- a/e2e/testdata/notary-evil/notary-server.cert
+++ b/e2e/testdata/notary-evil/notary-server.cert
@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary-evil/notary-server.key
+++ b/e2e/testdata/notary-evil/notary-server.key
@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----
--- a/e2e/testdata/notary-evil/root-ca.cert
+++ b/e2e/testdata/notary-evil/root-ca.cert
@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary/notary-server.cert
+++ b/e2e/testdata/notary/notary-server.cert
@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary/notary-server.key
+++ b/e2e/testdata/notary/notary-server.key
@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----
--- a/e2e/testdata/notary/root-ca.cert
+++ b/e2e/testdata/notary/root-ca.cert
@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/man/dockerd.8.md
+++ b/man/dockerd.8.md
@ -35,6 +35,8 @@ dockerd - Enable daemon mode
 [**-G**|**--group**[=*docker*]]
 [**-H**|**--host**[=*[]*]]
 [**--help**]
+[**--http-proxy**[*""*]]
+[**--https-proxy**[*""*]]
 [**--icc**[=*true*]]
 [**--init**[=*false*]]
 [**--init-path**[=*""*]]
@ -54,6 +56,7 @@ dockerd - Enable daemon mode
 [**--max-concurrent-downloads**[=*3*]]
 [**--max-concurrent-uploads**[=*5*]]
 [**--max-download-attempts**[=*5*]]
+[**--no-proxy**[*""*]]
 [**--node-generic-resources**[=*[]*]]
 [**-p**|**--pidfile**[=*/var/run/docker.pid*]]
 [**--raw-logs**]
@ -233,6 +236,12 @@ unix://[/path/to/socket] to use.
 **--help**
  Print usage statement

+**--http-proxy***""*
+  Proxy URL for HTTP requests unless overridden by NoProxy.
+
+**--https-proxy***""*
+  Proxy URL for HTTPS requests unless overridden by NoProxy.
+
 **--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If
  disabled, containers can still be linked together using the **--link** option
@ -325,6 +334,9 @@ unix://[/path/to/socket] to use.
 **--max-download-attempts**=*5*
  Set the max download attempts for each pull. Default is `5`.

+**--no-proxy**=*""*"
+  Comma-separated values specifying hosts that should be excluded from proxying.
+
 **--node-generic-resources**=*[]*
  Advertise user-defined resource. Default is `[]`.
  Use this if your swarm cluster has some nodes with custom
--- a/man/src/system/info.md
+++ b/man/src/system/info.md
@ -32,14 +32,11 @@ Client:
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
-    Version:  v0.8.2
+    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
-    Version:  v2.6.0
+    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
-  scan: Docker Scan (Docker Inc.)
-    Version:  v0.17.0
-    Path:     /usr/libexec/docker/cli-plugins/docker-scan

 Server:
 Containers: 14
@ -47,7 +44,7 @@ Server:
  Paused: 1
  Stopped: 10
 Images: 52
- Server Version: 22.06.0
+ Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
@ -62,11 +59,11 @@ Server:
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
- Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
+ Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
- containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
- runc version: v1.1.1-0-g52de29d
+ containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
+ runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
@ -86,7 +83,7 @@ Server:
 Username: gordontheturtle
 Registry: https://index.docker.io/v1/
 Experimental: false
- Insecure registries:
+ Insecure Registries:
  myinsecurehost:5000
  127.0.0.0/8
 Live Restore Enabled: false
@ -95,4 +92,4 @@ Server:
 You can also specify the output format:

    $ docker info --format '{{json .}}'
-    {"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
+    {"ID":"4cee4408-10d2-4e17-891c-a41736ac4536","Containers":14, ...}
--- a/man/src/version.md
+++ b/man/src/version.md
@ -1,37 +1,57 @@
-This command displays version information for both the Docker client and 
-daemon. 
+The version command prints the current version number for all independently
+versioned Docker components.

 # EXAMPLES

 ## Display Docker version information

-The default output:
+The default output renders all version information divided into two sections;
+the "Client" section contains information about the Docker CLI and client
+components, and the "Server" section contains information about the Docker
+Engine and components used by the Engine, such as the "Containerd" and "Runc"
+OCI Runtimes.
+
+The information shown may differ depending on how you installed Docker and
+what components are in use. The following example shows the output on a macOS
+machine running Docker Desktop:

    $ docker version
-	Client:
-	 Version:      1.8.0
-	 API version:  1.20
-	 Go version:   go1.4.2
-	 Git commit:   f5bae0a
-	 Built:        Tue Jun 23 17:56:00 UTC 2015
-	 OS/Arch:      linux/amd64
-
-	Server:
-	 Version:      1.8.0
-	 API version:  1.20
-	 Go version:   go1.4.2
-	 Git commit:   f5bae0a
-	 Built:        Tue Jun 23 17:56:00 UTC 2015
-	 OS/Arch:      linux/amd64
+    Client: Docker Engine - Community
+     Version:           23.0.3
+     API version:       1.42
+     Go version:        go1.19.7
+     Git commit:        3e7cbfd
+     Built:             Tue Apr  4 22:05:41 2023
+     OS/Arch:           darwin/amd64
+     Context:           default
+    
+    Server: Docker Desktop 4.19.0 (12345)
+     Engine:
+      Version:          23.0.3
+      API version:      1.42 (minimum version 1.12)
+      Go version:       go1.19.7
+      Git commit:       59118bf
+      Built:            Tue Apr  4 22:05:41 2023
+      OS/Arch:          linux/amd64
+      Experimental:     false
+     containerd:
+      Version:          1.6.20
+      GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
+     runc:
+      Version:          1.1.5
+      GitCommit:        v1.1.5-0-gf19387a
+     docker-init:
+      Version:          0.19.0
+      GitCommit:        de40ad0

 Get server version:

    $ docker version --format '{{.Server.Version}}'
-	1.8.0
+    23.0.3

 Dump raw data:

 To view all available fields, you can use the format `{{json .}}`.

    $ docker version --format '{{json .}}'
-    {"Client":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"},"ServerOK":true,"Server":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","KernelVersion":"3.13.2-gentoo","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"}}
+    {"Client":"Version":"23.0.3","ApiVersion":"1.42", ...}
--- a/opts/throttledevice.go
+++ b/opts/throttledevice.go
@ -31,7 +31,7 @@ func ValidateThrottleBpsDevice(val string) (*blkiodev.ThrottleDevice, error) {
 	}

 	return &blkiodev.ThrottleDevice{
-		Path: v,
+		Path: k,
 		Rate: uint64(rate),
 	}, nil
 }
--- a/scripts/docs/generate-md.sh
+++ b/scripts/docs/generate-md.sh
@ -25,11 +25,11 @@ trap clean EXIT
  # install cli-docs-tool and copy docs/tools.go in root folder
  # to be able to fetch the required depedencies
  go mod edit -modfile=vendor.mod -require=github.com/docker/cli-docs-tool@${CLI_DOCS_TOOL_VERSION}
-  cp docs/tools.go .
+  cp docs/generate/tools.go .
  # update vendor
  ./scripts/vendor update
  # build docsgen
-  go build -mod=vendor -modfile=vendor.mod -tags docsgen -o /tmp/docsgen ./docs/generate.go
+  go build -mod=vendor -modfile=vendor.mod -tags docsgen -o /tmp/docsgen ./docs/generate/generate.go
 )

 # yaml generation on docs repo needs the cli.md file: https://github.com/docker/cli/pull/3924#discussion_r1059986605
--- a/vendor.mod
+++ b/vendor.mod
@ -7,10 +7,10 @@ module github.com/docker/cli
 go 1.18

 require (
-	github.com/containerd/containerd v1.6.15
+	github.com/containerd/containerd v1.6.19
 	github.com/creack/pty v1.1.11
 	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.0-rc.3+incompatible
+	github.com/docker/docker v23.0.4+incompatible
 	github.com/docker/docker-credential-helpers v0.7.0
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-units v0.5.0
@ -23,7 +23,7 @@ require (
 	github.com/mitchellh/mapstructure v1.3.2
 	github.com/moby/buildkit v0.10.6
 	github.com/moby/patternmatcher v0.5.0
-	github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281
+	github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
 	github.com/moby/sys/sequential v0.5.0
 	github.com/moby/sys/signal v0.7.0
 	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f
@ -37,9 +37,10 @@ require (
 	github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
 	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/sys v0.4.0
-	golang.org/x/term v0.4.0
-	golang.org/x/text v0.6.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.5.0
+	golang.org/x/term v0.5.0
+	golang.org/x/text v0.7.0
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.4.0
 )
@ -70,8 +71,8 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
 	golang.org/x/crypto v0.2.0 // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
 	google.golang.org/grpc v1.48.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
--- a/vendor.sum
+++ b/vendor.sum
@ -38,7 +38,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
+github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d h1:hi6J4K6DKrR4/ljxn6SF6nURyu785wKMuQcjt7H3VCQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@ -84,8 +84,8 @@ github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.15 h1:4wWexxzLNHNE46aIETc6ge4TofO550v+BlLoANrbses=
-github.com/containerd/containerd v1.6.15/go.mod h1:U2NnBPIhzJDm59xF7xB2MMHnKtggpZ+phKg8o2TKj2c=
+github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU=
+github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@ -101,8 +101,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.0-rc.3+incompatible h1:97RCXK7nxN1YPlqb3z0+AoTE3rql4ck1CG5p9tlRD2o=
-github.com/docker/docker v23.0.0-rc.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek=
+github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@ -283,8 +283,8 @@ github.com/moby/buildkit v0.10.6 h1:DJlEuLIgnu34HQKF4n9Eg6q2YqQVC0eOpMb4p2eRS2w=
 github.com/moby/buildkit v0.10.6/go.mod h1:tQuuyTWtOb9D+RE425cwOCUkX0/oZ+5iBZ+uWpWQ9bU=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
 github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281 h1:E0LdO1cZEXmXrLoojCqEvVCk4cNLWSVotoDbWUmNa8g=
-github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281/go.mod h1:jIgi55SqNJvlQ74bK35NXKWz6JCTexx5h69d0btP2AM=
+github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3 h1:05e6sB9az9OINsgqSy1PiSC9i0ffkpfQd0oJGAigo6k=
+github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3/go.mod h1:GvjR7mC8YuUd9Mq44lrrIZPaXyKPAGEUMBpAQzaj3dI=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
@ -505,8 +505,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -524,6 +524,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -578,13 +580,13 @@ golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -593,13 +595,13 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
+++ b/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
@ -46,10 +46,14 @@ type matchComparer struct {

 // Match matches platform with the same windows major, minor
 // and build version.
-func (m matchComparer) Match(p imagespec.Platform) bool {
-	if m.defaults.Match(p) {
-		// TODO(windows): Figure out whether OSVersion is deprecated.
-		return strings.HasPrefix(p.OSVersion, m.osVersionPrefix)
+func (m matchComparer) Match(p specs.Platform) bool {
+	match := m.defaults.Match(p)
+
+	if match && p.OS == "windows" {
+		if strings.HasPrefix(p.OSVersion, m.osVersionPrefix) {
+			return true
+		}
+		return p.OSVersion == ""
 	}
 	return false
 }
--- a/vendor/github.com/docker/docker/client/container_wait.go
+++ b/vendor/github.com/docker/docker/client/container_wait.go
@ -1,14 +1,19 @@
 package client // import "github.com/docker/docker/client"

 import (
+	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
+	"io"
 	"net/url"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/versions"
 )

+const containerWaitErrorMsgLimit = 2 * 1024 /* Max: 2KiB */
+
 // ContainerWait waits until the specified container is in a certain state
 // indicated by the given condition, either "not-running" (default),
 // "next-exit", or "removed".
@ -46,9 +51,23 @@ func (cli *Client) ContainerWait(ctx context.Context, containerID string, condit

 	go func() {
 		defer ensureReaderClosed(resp)
+
+		body := resp.body
+		responseText := bytes.NewBuffer(nil)
+		stream := io.TeeReader(body, responseText)
+
 		var res container.WaitResponse
-		if err := json.NewDecoder(resp.body).Decode(&res); err != nil {
-			errC <- err
+		if err := json.NewDecoder(stream).Decode(&res); err != nil {
+			// NOTE(nicks): The /wait API does not work well with HTTP proxies.
+			// At any time, the proxy could cut off the response stream.
+			//
+			// But because the HTTP status has already been written, the proxy's
+			// only option is to write a plaintext error message.
+			//
+			// If there's a JSON parsing error, read the real error message
+			// off the body and send it to the client.
+			_, _ = io.ReadAll(io.LimitReader(stream, containerWaitErrorMsgLimit))
+			errC <- errors.New(responseText.String())
 			return
 		}

--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@ -711,7 +711,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
 			}
 		}

-	case tar.TypeReg, tar.TypeRegA:
+	case tar.TypeReg:
 		// Source is regular file. We use sequential file access to avoid depleting
 		// the standby list on Windows. On Linux, this equates to a regular os.OpenFile.
 		file, err := sequential.OpenFile(path, os.O_CREATE|os.O_WRONLY, hdrInfo.Mode())
--- a/vendor/golang.org/x/net/http2/flow.go
+++ b/vendor/golang.org/x/net/http2/flow.go
@ -18,7 +18,7 @@ type inflow struct {
 	unsent int32
 }

-// set sets the initial window.
+// init sets the initial window.
 func (f *inflow) init(n int32) {
 	f.avail = n
 }
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@ -662,6 +662,15 @@ func (f *Framer) WriteData(streamID uint32, endStream bool, data []byte) error {
 // It is the caller's responsibility not to violate the maximum frame size
 // and to not call other Write methods concurrently.
 func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
+	if err := f.startWriteDataPadded(streamID, endStream, data, pad); err != nil {
+		return err
+	}
+	return f.endWrite()
+}
+
+// startWriteDataPadded is WriteDataPadded, but only writes the frame to the Framer's internal buffer.
+// The caller should call endWrite to flush the frame to the underlying writer.
+func (f *Framer) startWriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
 	if !validStreamID(streamID) && !f.AllowIllegalWrites {
 		return errStreamID
 	}
@ -691,7 +700,7 @@ func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []by
 	}
 	f.wbuf = append(f.wbuf, data...)
 	f.wbuf = append(f.wbuf, pad...)
-	return f.endWrite()
+	return nil
 }

 // A SettingsFrame conveys configuration parameters that affect how
--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
+++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
@ -211,7 +211,7 @@ func (d *Decoder) at(i uint64) (hf HeaderField, ok bool) {
 	return dt.ents[dt.len()-(int(i)-staticTable.len())], true
 }

-// Decode decodes an entire block.
+// DecodeFull decodes an entire block.
 //
 // TODO: remove this method and make it incremental later? This is
 // easier for debugging now.
@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {

 	var hf HeaderField
 	wantStr := d.emitEnabled || it.indexed()
+	var undecodedName undecodedString
 	if nameIdx > 0 {
 		ihf, ok := d.at(nameIdx)
 		if !ok {
@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
 		}
 		hf.Name = ihf.Name
 	} else {
-		hf.Name, buf, err = d.readString(buf, wantStr)
+		undecodedName, buf, err = d.readString(buf)
 		if err != nil {
 			return err
 		}
 	}
-	hf.Value, buf, err = d.readString(buf, wantStr)
+	undecodedValue, buf, err := d.readString(buf)
 	if err != nil {
 		return err
 	}
+	if wantStr {
+		if nameIdx <= 0 {
+			hf.Name, err = d.decodeString(undecodedName)
+			if err != nil {
+				return err
+			}
+		}
+		hf.Value, err = d.decodeString(undecodedValue)
+		if err != nil {
+			return err
+		}
+	}
 	d.buf = buf
 	if it.indexed() {
 		d.dynTab.add(hf)
@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
 	return 0, origP, errNeedMore
 }

-// readString decodes an hpack string from p.
+// readString reads an hpack string from p.
 //
-// wantStr is whether s will be used. If false, decompression and
-// []byte->string garbage are skipped if s will be ignored
-// anyway. This does mean that huffman decoding errors for non-indexed
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
-// is returning an error anyway, and because they're not indexed, the error
-// won't affect the decoding state.
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
+// It returns a reference to the encoded string data to permit deferring decode costs
+// until after the caller verifies all data is present.
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
 	if len(p) == 0 {
-		return "", p, errNeedMore
+		return u, p, errNeedMore
 	}
 	isHuff := p[0]&128 != 0
 	strLen, p, err := readVarInt(7, p)
 	if err != nil {
-		return "", p, err
+		return u, p, err
 	}
 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
-		return "", nil, ErrStringLength
+		// Returning an error here means Huffman decoding errors
+		// for non-indexed strings past the maximum string length
+		// are ignored, but the server is returning an error anyway
+		// and because the string is not indexed the error will not
+		// affect the decoding state.
+		return u, nil, ErrStringLength
 	}
 	if uint64(len(p)) < strLen {
-		return "", p, errNeedMore
+		return u, p, errNeedMore
 	}
-	if !isHuff {
-		if wantStr {
-			s = string(p[:strLen])
-		}
-		return s, p[strLen:], nil
-	}
-
-	if wantStr {
-		buf := bufPool.Get().(*bytes.Buffer)
-		buf.Reset() // don't trust others
-		defer bufPool.Put(buf)
-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
-			buf.Reset()
-			return "", nil, err
-		}
-		s = buf.String()
-		buf.Reset() // be nice to GC
-	}
-	return s, p[strLen:], nil
+	u.isHuff = isHuff
+	u.b = p[:strLen]
+	return u, p[strLen:], nil
+}
+
+type undecodedString struct {
+	isHuff bool
+	b      []byte
+}
+
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
+	if !u.isHuff {
+		return string(u.b), nil
+	}
+	buf := bufPool.Get().(*bytes.Buffer)
+	buf.Reset() // don't trust others
+	var s string
+	err := huffmanDecode(buf, d.maxStrLen, u.b)
+	if err == nil {
+		s = buf.String()
+	}
+	buf.Reset() // be nice to GC
+	bufPool.Put(buf)
+	return s, err
 }
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@ -843,8 +843,13 @@ type frameWriteResult struct {
 // and then reports when it's done.
 // At most one goroutine can be running writeFrameAsync at a time per
 // serverConn.
-func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
-	err := wr.write.writeFrame(sc)
+func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) {
+	var err error
+	if wd == nil {
+		err = wr.write.writeFrame(sc)
+	} else {
+		err = sc.framer.endWrite()
+	}
 	sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err}
 }

@ -1251,9 +1256,16 @@ func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
 		sc.writingFrameAsync = false
 		err := wr.write.writeFrame(sc)
 		sc.wroteFrame(frameWriteResult{wr: wr, err: err})
+	} else if wd, ok := wr.write.(*writeData); ok {
+		// Encode the frame in the serve goroutine, to ensure we don't have
+		// any lingering asynchronous references to data passed to Write.
+		// See https://go.dev/issue/58446.
+		sc.framer.startWriteDataPadded(wd.streamID, wd.endStream, wd.p, nil)
+		sc.writingFrameAsync = true
+		go sc.writeFrameAsync(wr, wd)
 	} else {
 		sc.writingFrameAsync = true
-		go sc.writeFrameAsync(wr)
+		go sc.writeFrameAsync(wr, nil)
 	}
 }

@ -2192,7 +2204,7 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
 		tlsState = sc.tlsState
 	}

-	needsContinue := rp.header.Get("Expect") == "100-continue"
+	needsContinue := httpguts.HeaderValuesContainsToken(rp.header["Expect"], "100-continue")
 	if needsContinue {
 		rp.header.Del("Expect")
 	}
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@ -1569,7 +1569,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	close(cs.donec)
 }

-// awaitOpenSlotForStream waits until len(streams) < maxConcurrentStreams.
+// awaitOpenSlotForStreamLocked waits until len(streams) < maxConcurrentStreams.
 // Must hold cc.mu.
 func (cc *ClientConn) awaitOpenSlotForStreamLocked(cs *clientStream) error {
 	for {
--- a/vendor/golang.org/x/net/trace/histogram.go
+++ b/vendor/golang.org/x/net/trace/histogram.go
@ -32,7 +32,7 @@ type histogram struct {
 	valueCount   int64   // number of values recorded for single value
 }

-// AddMeasurement records a value measurement observation to the histogram.
+// addMeasurement records a value measurement observation to the histogram.
 func (h *histogram) addMeasurement(value int64) {
 	// TODO: assert invariant
 	h.sum += value
--- a/vendor/golang.org/x/sync/LICENSE
+++ b/vendor/golang.org/x/sync/LICENSE
@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/vendor/golang.org/x/sync/PATENTS
+++ b/vendor/golang.org/x/sync/PATENTS
@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@ -0,0 +1,132 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package errgroup provides synchronization, error propagation, and Context
+// cancelation for groups of goroutines working on subtasks of a common task.
+package errgroup
+
+import (
+	"context"
+	"fmt"
+	"sync"
+)
+
+type token struct{}
+
+// A Group is a collection of goroutines working on subtasks that are part of
+// the same overall task.
+//
+// A zero Group is valid, has no limit on the number of active goroutines,
+// and does not cancel on error.
+type Group struct {
+	cancel func()
+
+	wg sync.WaitGroup
+
+	sem chan token
+
+	errOnce sync.Once
+	err     error
+}
+
+func (g *Group) done() {
+	if g.sem != nil {
+		<-g.sem
+	}
+	g.wg.Done()
+}
+
+// WithContext returns a new Group and an associated Context derived from ctx.
+//
+// The derived Context is canceled the first time a function passed to Go
+// returns a non-nil error or the first time Wait returns, whichever occurs
+// first.
+func WithContext(ctx context.Context) (*Group, context.Context) {
+	ctx, cancel := context.WithCancel(ctx)
+	return &Group{cancel: cancel}, ctx
+}
+
+// Wait blocks until all function calls from the Go method have returned, then
+// returns the first non-nil error (if any) from them.
+func (g *Group) Wait() error {
+	g.wg.Wait()
+	if g.cancel != nil {
+		g.cancel()
+	}
+	return g.err
+}
+
+// Go calls the given function in a new goroutine.
+// It blocks until the new goroutine can be added without the number of
+// active goroutines in the group exceeding the configured limit.
+//
+// The first call to return a non-nil error cancels the group's context, if the
+// group was created by calling WithContext. The error will be returned by Wait.
+func (g *Group) Go(f func() error) {
+	if g.sem != nil {
+		g.sem <- token{}
+	}
+
+	g.wg.Add(1)
+	go func() {
+		defer g.done()
+
+		if err := f(); err != nil {
+			g.errOnce.Do(func() {
+				g.err = err
+				if g.cancel != nil {
+					g.cancel()
+				}
+			})
+		}
+	}()
+}
+
+// TryGo calls the given function in a new goroutine only if the number of
+// active goroutines in the group is currently below the configured limit.
+//
+// The return value reports whether the goroutine was started.
+func (g *Group) TryGo(f func() error) bool {
+	if g.sem != nil {
+		select {
+		case g.sem <- token{}:
+			// Note: this allows barging iff channels in general allow barging.
+		default:
+			return false
+		}
+	}
+
+	g.wg.Add(1)
+	go func() {
+		defer g.done()
+
+		if err := f(); err != nil {
+			g.errOnce.Do(func() {
+				g.err = err
+				if g.cancel != nil {
+					g.cancel()
+				}
+			})
+		}
+	}()
+	return true
+}
+
+// SetLimit limits the number of active goroutines in this group to at most n.
+// A negative value indicates no limit.
+//
+// Any subsequent call to the Go method will block until it can add an active
+// goroutine without exceeding the configured limit.
+//
+// The limit must not be modified while any goroutines in the group are active.
+func (g *Group) SetLimit(n int) {
+	if n < 0 {
+		g.sem = nil
+		return
+	}
+	if len(g.sem) != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	}
+	g.sem = make(chan token, n)
+}
--- a/vendor/golang.org/x/sys/unix/gccgo_c.c
+++ b/vendor/golang.org/x/sys/unix/gccgo_c.c
@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build gccgo,!hurd
-// +build !aix,!hurd
+//go:build gccgo && !aix && !hurd
+// +build gccgo,!aix,!hurd

 #include <errno.h>
 #include <stdint.h>
--- a/vendor/golang.org/x/sys/unix/syscall_darwin.go
+++ b/vendor/golang.org/x/sys/unix/syscall_darwin.go
@ -230,6 +230,7 @@ func direntNamlen(buf []byte) (uint64, bool) {

 func PtraceAttach(pid int) (err error) { return ptrace(PT_ATTACH, pid, 0, 0) }
 func PtraceDetach(pid int) (err error) { return ptrace(PT_DETACH, pid, 0, 0) }
+func PtraceDenyAttach() (err error)    { return ptrace(PT_DENY_ATTACH, 0, 0, 0) }

 //sysnb	pipe(p *[2]int32) (err error)

--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go
@ -60,8 +60,13 @@ func PtraceGetFsBase(pid int, fsbase *int64) (err error) {
 	return ptrace(PT_GETFSBASE, pid, uintptr(unsafe.Pointer(fsbase)), 0)
 }

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint32(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint32(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go
@ -60,8 +60,13 @@ func PtraceGetFsBase(pid int, fsbase *int64) (err error) {
 	return ptrace(PT_GETFSBASE, pid, uintptr(unsafe.Pointer(fsbase)), 0)
 }

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint32(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint32(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				{"Client":{"Platform":{"Name":""},"Version":"18.99.5-ce","ApiVersion":"1.38","DefaultAPIVersion":"1.38","GitCommit":"deadbeef","GoVersion":"go1.10.2","Os":"linux","Arch":"amd64","BuildTime":"Wed May 30 22:21:05 2018","Context":"my-context"},"Server":{"Platform":{"Name":"Docker Enterprise Edition (EE) 2.0"},"Components":[{"Name":"Engine","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul 9 23:38:38 2018","Experimental":"false","GitCommit":"64ddfa6","GoVersion":"go1.8.7","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"Universal Control Plane","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul 2 21:24:07 UTC 2018","GitCommit":"4513922","GoVersion":"go1.9.4","MinApiVersion":"1.20","Os":"linux","Version":"3.0.3-tp2"}},{"Name":"Kubernetes","Version":"1.8+","Details":{"buildDate":"2018-04-26T16:51:21Z","compiler":"gc","gitCommit":"8d637aedf46b9c21dde723e29c645b9f27106fa5","gitTreeState":"clean","gitVersion":"v1.8.11-docker-8d637ae","goVersion":"go1.8.3","major":"1","minor":"8+","platform":"linux/amd64"}},{"Name":"Calico","Version":"v3.0.8","Details":{"cni":"v2.0.6","kube-controllers":"v2.0.5","node":"v3.0.8"}}],"Version":"","ApiVersion":"","GitCommit":"","GoVersion":"","Os":"","Arch":""}}