Merge pull request #5845 from vvoland/vendor-docker

vendor: github.com/docker/docker v28.0.0-dev (af898abe4466)

.gitattributes

@@ -1,3 +1,14 @@
+* text=auto
+
 Dockerfile* linguist-language=Dockerfile
 vendor.mod linguist-language=Go-Module
 vendor.sum linguist-language=Go-Checksums
+
+*.go -text diff=golang
+
+# scripts directory contains shell scripts
+# without extensions, so we need to force
+scripts/** text=auto eol=lf
+
+# shell scripts should always have LF
+*.sh text eol=lf

.github/PULL_REQUEST_TEMPLATE.md

@@ -19,11 +19,14 @@ Provide the following information:
 
 **- How to verify it**
 
-**- Description for the changelog**
+**- Human readable description for the release notes**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog.
-It must be placed inside the below triple backticks section:
+It must be placed inside the below triple backticks section.
+
+NOTE: Only fill this section if changes introduced in this PR are user-facing.
+The PR must have a relevant impact/ label.
 -->
 ```markdown changelog
 

.github/workflows/build.yml

@@ -22,6 +22,7 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
     tags:
       - 'v*'
   pull_request:
@@ -60,17 +61,12 @@ jobs:
           - ""
           - glibc
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       -
         name: Build
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           targets: ${{ matrix.target }}
           set: |
@@ -103,8 +99,12 @@ jobs:
     if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/cli' }}
     steps:
       -
-        name: Checkout
-        uses: actions/checkout@v4
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -122,20 +122,13 @@ jobs:
             type=ref,event=branch
             type=ref,event=pr
             type=sha
-      -
-        name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
       -
         name: Build and push image
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           files: |
             ./docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta.outputs.bake-file }}
           targets: bin-image-cross
           push: ${{ github.event_name != 'pull_request' }}
           set: |
@@ -169,15 +162,12 @@ jobs:
       matrix:
         platform: ${{ fromJson(needs.prepare-plugins.outputs.matrix) }}
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       -
         name: Build
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           targets: plugins-cross
           set: |

.github/workflows/codeql.yml

@@ -11,14 +11,15 @@ permissions:
 
 on:
   push:
-    branches: 
-      - 'master' 
-      - '[0-9]+.[0-9]+' 
-    tags: 
-      - 'v*' 
+    branches:
+      - 'master'
+      - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
+    tags:
+      - 'v*'
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master" ]
+    branches: ["master"]
   schedule:
     #        ┌───────────── minute (0 - 59)
     #        │ ┌───────────── hour (0 - 23)
@@ -33,26 +34,21 @@ on:
 
 jobs:
   codeql:
-    runs-on: 'ubuntu-latest'
-    timeout-minutes: 360
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     env:
       DISABLE_WARN_OUTSIDE_CONTAINER: '1'
     permissions:
       actions: read
       contents: read
       security-events: write
-    
+
     steps:
       -
         name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
-      -
-        name: Checkout HEAD on PR
-        if: ${{ github.event_name == 'pull_request' }}
-        run: |
-          git checkout HEAD^2
       # CodeQL 2.16.4's auto-build added support for multi-module repositories,
       # and is trying to be smart by searching for modules in every directory,
       # including vendor directories. If no module is found, it's creating one
@@ -67,7 +63,7 @@ jobs:
         name: Update Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: "1.23.6"
       -
         name: Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/e2e.yml

@@ -19,6 +19,7 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
     tags:
       - 'v*'
   pull_request:
@@ -75,7 +76,7 @@ jobs:
           TESTFLAGS: -coverprofile=/tmp/coverage/coverage.txt
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: ./build/coverage/coverage.txt
+          files: ./build/coverage/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/test.yml

@@ -19,6 +19,7 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
     tags:
       - 'v*'
   pull_request:
@@ -27,22 +28,19 @@ jobs:
   ctn:
     runs-on: ubuntu-24.04
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       -
         name: Test
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           targets: test-coverage
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: ./build/coverage/coverage.txt
+          files: ./build/coverage/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
 
   host:
@@ -59,12 +57,6 @@ jobs:
           - macos-14  # macOS 14 on arm64 (Apple Silicon M1)
 #          - windows-2022 # FIXME: some tests are failing on the Windows runner, as well as on Appveyor since June 24, 2018: https://ci.appveyor.com/project/docker/cli/history
     steps:
-      -
-        name: Prepare git
-        if: matrix.os == 'windows-latest'
-        run: |
-          git config --system core.autocrlf false
-          git config --system core.eol lf
       -
         name: Checkout
         uses: actions/checkout@v4
@@ -74,7 +66,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.21.13
+          go-version: "1.23.6"
       -
         name: Test
         run: |
@@ -84,8 +76,8 @@ jobs:
         shell: bash
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: /tmp/coverage.txt
+          files: /tmp/coverage.txt
           working-directory: ${{ env.GOPATH }}/src/github.com/docker/cli
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/validate-pr.yml

@@ -16,6 +16,7 @@ on:
 jobs:
   check-area-label:
     runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
     steps:
       - name: Missing `area/` label
         if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
@@ -26,9 +27,10 @@ jobs:
         run: exit 0
 
   check-changelog:
-    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
     runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
     env:
+      HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
       PR_BODY: |
         ${{ github.event.pull_request.body }}
     steps:
@@ -40,15 +42,23 @@ jobs:
           # Strip empty lines
           desc=$(echo "$block" |  awk NF)
 
-          if [ -z "$desc" ]; then
-            echo "::error::Changelog section is empty. Provide a description for the changelog."
-            exit 1
-          fi
+          if [ "$HAS_IMPACT_LABEL" = "true" ]; then
+            if [ -z "$desc" ]; then
+              echo "::error::Changelog section is empty. Please provide a description for the changelog."
+              exit 1
+            fi
 
-          len=$(echo -n "$desc" | wc -c)
-          if [[ $len -le 6 ]]; then
-            echo "::error::Description looks too short: $desc"
-            exit 1
+            len=$(echo -n "$desc" | wc -c)
+            if [[ $len -le 6 ]]; then
+              echo "::error::Description looks too short: $desc"
+              exit 1
+            fi
+          else
+            if [ -n "$desc" ]; then
+              echo "::error::PR has a changelog description, but no changelog label"
+              echo "::error::Please add the relevant 'impact/' label to the PR or remove the changelog description"
+              exit 1
+            fi
           fi
 
           echo "This PR will be included in the release notes with the following note:"
@@ -56,6 +66,7 @@ jobs:
 
   check-pr-branch:
     runs-on: ubuntu-20.04
+    timeout-minutes: 120 # guardrails timeout for the whole job
     env:
       PR_TITLE: ${{ github.event.pull_request.title }}
     steps:

.github/workflows/validate.yml

@@ -19,6 +19,7 @@ on:
     branches:
       - 'master'
       - '[0-9]+.[0-9]+'
+      - '[0-9]+.x'
     tags:
       - 'v*'
   pull_request:
@@ -35,12 +36,9 @@ jobs:
           - validate-vendor
           - update-authors # ensure authors update target runs fine
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
       -
         name: Run
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           targets: ${{ matrix.target }}
 

.golangci.yml

@@ -1,12 +1,12 @@
 linters:
   enable:
     - bodyclose
+    - copyloopvar   # Detects places where loop variables are copied.
     - depguard
     - dogsled
     - dupword       # Detects duplicate words.
     - durationcheck
     - errchkjson
-    - exportloopref # Detects pointers to enclosing loop variables.
     - gocritic      # Metalinter; detects bugs, performance, and styling issues.
     - gocyclo
     - gofumpt       # Detects whether code was gofumpt-ed.
@@ -15,10 +15,8 @@ linters:
     - gosimple
     - govet
     - ineffassign
-    - lll
-    - megacheck
     - misspell      # Detects commonly misspelled English words in comments.
-    - nakedret
+    - nakedret      # Detects uses of naked returns.
     - nilerr        # Detects code that returns nil even if it checks that the error is not nil.
     - nolintlint    # Detects ill-formed or insufficient nolint directives.
     - perfsprint    # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
@@ -28,7 +26,6 @@ linters:
     - revive        # Metalinter; drop-in replacement for golint.
     - staticcheck
     - stylecheck    # Replacement for golint
-    - tenv          # Detects using os.Setenv instead of t.Setenv.
     - thelper       # Detects test helpers without t.Helper().
     - tparallel     # Detects inappropriate usage of t.Parallel().
     - typecheck
@@ -36,13 +33,18 @@ linters:
     - unparam
     - unused
     - usestdlibvars
-    - vet
+    - usetesting    # Reports uses of functions with replacement inside the testing package.
     - wastedassign
 
   disable:
     - errcheck
 
 run:
+  # prevent golangci-lint from deducting the go version to lint for through go.mod,
+  # which causes it to fallback to go1.17 semantics.
+  #
+  # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
+  go: "1.23.6"
   timeout: 5m
 
 linters-settings:
@@ -50,10 +52,27 @@ linters-settings:
     rules:
       main:
         deny:
-          - pkg: io/ioutil
+          - pkg: "github.com/containerd/containerd/errdefs"
+            desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+          - pkg: "github.com/containerd/containerd/log"
+            desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+          - pkg: "github.com/containerd/containerd/pkg/userns"
+            desc: Use github.com/moby/sys/userns instead.
+          - pkg: "github.com/containerd/containerd/platforms"
+            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
+          - pkg: "github.com/docker/docker/pkg/system"
+            desc: This package should not be used unless strictly necessary.
+          - pkg: "io/ioutil"
             desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
   gocyclo:
     min-complexity: 16
+  gosec:
+    excludes:
+      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
+      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
+      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
+      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
+      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
   govet:
     enable:
       - shadow
@@ -63,15 +82,12 @@ linters-settings:
   lll:
     line-length: 200
   nakedret:
-    command: nakedret
-    pattern: ^(?P<path>.*?\\.go):(?P<line>\\d+)\\s*(?P<message>.*)$
+    # Disallow naked returns if func has more lines of code than this setting.
+    # Default: 30
+    max-func-lines: 0
 
   revive:
     rules:
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
-      - name: import-shadowing
-        severity: warning
-        disabled: false
       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
       - name: empty-block
         severity: warning
@@ -80,15 +96,40 @@ linters-settings:
       - name: empty-lines
         severity: warning
         disabled: false
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
+      - name: import-shadowing
+        severity: warning
+        disabled: false
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
+      - name: line-length-limit
+        severity: warning
+        disabled: false
+        arguments: [200]
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
+      - name: unused-receiver
+        severity: warning
+        disabled: false
       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any
       - name: use-any
         severity: warning
         disabled: false
 
+  usetesting:
+    # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+    os-chdir: false
+    # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+    context-background: false
+    # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+    context-todo: false
+
 issues:
   # The default exclusion rules are a bit too permissive, so copying the relevant ones below
   exclude-use-default: false
 
+  # This option has been defined when Go modules was not existed and when the
+  # golangci-lint core was different, this is not something we still recommend.
+  exclude-dirs-use-default: false
+
   exclude:
     - parameter .* always receives
 
@@ -106,6 +147,9 @@ issues:
     #
     # These exclusion patterns are copied from the default excluses at:
     # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+    #
+    # The default list of exclusions can be found at:
+    # https://golangci-lint.run/usage/false-positives/#default-exclusions
 
     # EXC0001
     - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
@@ -123,11 +167,6 @@ issues:
     - text: "Subprocess launch(ed with variable|ing should be audited)"
       linters:
         - gosec
-    # EXC0008
-    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
-    - text: "G307"
-      linters:
-        - gosec
     # EXC0009
     - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
       linters:
@@ -137,34 +176,11 @@ issues:
       linters:
         - gosec
 
-    # G113 Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)
-    # only affects gp < 1.16.14. and go < 1.17.7
-    - text: "G113"
-      linters:
-        - gosec
-    # TODO: G104: Errors unhandled. (gosec)
-    - text: "G104"
-      linters:
-        - gosec
-    # Looks like the match in "EXC0007" above doesn't catch this one
-    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
-    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
-      linters:
-        - gosec
-    # Looks like the match in "EXC0009" above doesn't catch this one
-    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
-    - text: "G306: Expect WriteFile permissions to be 0600 or less"
-      linters:
-        - gosec
-
     # TODO: make sure all packages have a description. Currently, there's 67 packages without.
     - text: "package-comments: should have a package comment"
       linters:
         - revive
-    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
-    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
-      linters:
-        - staticcheck
+
     # Exclude some linters from running on tests files.
     - path: _test\.go
       linters:

CONTRIBUTING.md

@@ -66,7 +66,7 @@ anybody starts working on it.
 We are always thrilled to receive pull requests. We do our best to process them
 quickly. If your pull request is not accepted on the first try,
 don't get discouraged! Our contributor's guide explains [the review process we
-use for simple changes](https://docs.docker.com/opensource/workflow/make-a-contribution/).
+use for simple changes](https://github.com/docker/docker/blob/master/project/REVIEWING.md).
 
 ### Talking to other Docker users and contributors
 
@@ -124,8 +124,8 @@ submitting a pull request.
 Update the documentation when creating or modifying features. Test your
 documentation changes for clarity, concision, and correctness, as well as a
 clean documentation build. See our contributors guide for [our style
-guide](https://docs.docker.com/opensource/doc-style) and instructions on [building
-the documentation](https://docs.docker.com/opensource/project/test-and-docs/#build-and-test-the-documentation).
+guide](https://docs.docker.com/contribute/style/grammar/) and instructions on [building
+the documentation](https://docs.docker.com/contribute/).
 
 Write clean code. Universally formatted code promotes ease of writing, reading,
 and maintenance. Always run `gofmt -s -w file.go` on each changed file before
@@ -134,9 +134,41 @@ committing your changes. Most editors have plug-ins that do this automatically.
 Pull request descriptions should be as clear as possible and include a reference
 to all the issues that they address.
 
-Commit messages must start with a capitalized and short summary (max. 50 chars)
-written in the imperative, followed by an optional, more detailed explanatory
-text which is separated from the summary by an empty line.
+Commit messages must be written in the imperative mood (max. 72 chars), followed
+by an optional, more detailed explanatory text usually expanding on
+why the work is necessary. The explanatory text should be separated by an
+empty line.
+
+The commit message *could* have a prefix scoping the change, however this is
+not enforced. Common prefixes are `docs: <message>`, `vendor: <message>`,
+`chore: <message>` or the package/area related to the change such as `pkg/foo: <message>`
+or `telemetry: <message>`.
+
+A standard commit.
+```
+Fix the exploding flux capacitor
+
+A call to function A causes the flux capacitor to blow up every time
+the sun and the moon align.
+```
+
+Using a package as prefix.
+```
+pkg/foo: prevent panic in flux capacitor
+
+Calling function A causes the flux capacitor to blow up every time
+the sun and the moon align.
+```
+
+Updating a specific vendored package.
+```
+vendor: github.com/docker/docker 6ac445c42bad (master, v28.0-dev)
+```
+
+Fixing a broken docs link.
+```
+docs: fix style/lint issues in deprecated.md
+```
 
 Code review comments may be added to your pull request. Discuss, then make the
 suggested modifications and push additional commits to your feature branch. Post

Dockerfile

@@ -1,15 +1,19 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.21
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.21.13
-ARG XX_VERSION=1.4.0
-ARG GOVERSIONINFO_VERSION=v1.3.0
-ARG GOTESTSUM_VERSION=v1.10.0
-ARG BUILDX_VERSION=0.16.1
-ARG COMPOSE_VERSION=v2.29.0
+ARG GO_VERSION=1.23.6
+ARG XX_VERSION=1.6.1
+ARG GOVERSIONINFO_VERSION=v1.4.1
+ARG GOTESTSUM_VERSION=v1.12.0
+
+# BUILDX_VERSION sets the version of buildx to use for the e2e tests.
+# It must be a tag in the docker.io/docker/buildx-bin image repository
+# on Docker Hub.
+ARG BUILDX_VERSION=0.20.1
+ARG COMPOSE_VERSION=v2.32.4
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 

Makefile

@@ -52,7 +52,7 @@ shellcheck: ## run shellcheck validation
 .PHONY: fmt
 fmt: ## run gofumpt (if present) or gofmt
 	@if command -v gofumpt > /dev/null; then \
-		gofumpt -w -d -lang=1.21 . ; \
+		gofumpt -w -d -lang=1.23 . ; \
 	else \
 		go list -f {{.Dir}} ./... | xargs gofmt -w -s -d ; \
 	fi
@@ -87,14 +87,31 @@ authors: ## generate AUTHORS file from git history
 	scripts/docs/generate-authors.sh
 
 .PHONY: completion
-completion: binary
-completion: /etc/bash_completion.d/docker
-completion: ## generate and install the completion scripts
+completion: shell-completion
+completion: ## generate and install the shell-completion scripts
+# Note: this uses system-wide paths, and so may overwrite completion
+# scripts installed as part of deb/rpm packages.
+#
+# Given that this target is intended to debug/test updated versions, we could
+# consider installing in per-user (~/.config, XDG_DATA_DIR) paths instead, but
+# this will add more complexity.
+#
+# See https://github.com/docker/cli/pull/5770#discussion_r1927772710
+	install -D -p -m 0644 ./build/completion/bash/docker /usr/share/bash-completion/completions/docker
+	install -D -p -m 0644 ./build/completion/fish/docker.fish debian/docker-ce-cli/usr/share/fish/vendor_completions.d/docker.fish
+	install -D -p -m 0644 ./build/completion/zsh/_docker debian/docker-ce-cli/usr/share/zsh/vendor-completions/_docker
 
-.PHONY: /etc/bash_completion.d/docker
-/etc/bash_completion.d/docker: ## generate and install the bash-completion script
-	mkdir -p /etc/bash_completion.d
-	docker completion bash > /etc/bash_completion.d/docker
+
+build/docker:
+# This target is used by the "shell-completion" target, which requires either
+# "binary" or "dynbinary" to have been built. We don't want to trigger those
+# to prevent replacing a static binary with a dynamic one, or vice-versa.
+	@echo "Run 'make binary' or 'make dynbinary' first" && exit 1
+
+.PHONY: shell-completion
+shell-completion: build/docker # requires either "binary" or "dynbinary" to be built.
+shell-completion: ## generate shell-completion scripts
+	@ ./scripts/build/shell-completion
 
 .PHONY: manpages
 manpages: ## generate man pages from go source and markdown

README.md

@@ -1,9 +1,10 @@
 # Docker CLI
 
-[![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/cli)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/docker/cli)](https://pkg.go.dev/github.com/docker/cli)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/docker/cli/build.yml?branch=master&label=build&logo=github)](https://github.com/docker/cli/actions?query=workflow%3Abuild)
 [![Test Status](https://img.shields.io/github/actions/workflow/status/docker/cli/test.yml?branch=master&label=test&logo=github)](https://github.com/docker/cli/actions?query=workflow%3Atest)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/cli)](https://goreportcard.com/report/github.com/docker/cli)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/docker/cli/badge)](https://scorecard.dev/viewer/?uri=github.com/docker/cli)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/cli?logo=codecov)](https://codecov.io/gh/docker/cli)
 
 ## About

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policy
+
+The maintainers of the Docker CLI take security seriously. If you discover
+a security issue, please bring it to their attention right away!
+
+## Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately
+to [security@docker.com](mailto:security@docker.com).
+
+Reporter(s) can expect a response within 72 hours, acknowledging the issue was
+received.
+
+## Review Process
+
+After receiving the report, an initial triage and technical analysis is
+performed to confirm the report and determine its scope. We may request
+additional information in this stage of the process.
+
+Once a reviewer has confirmed the relevance of the report, a draft security
+advisory will be created on GitHub. The draft advisory will be used to discuss
+the issue with maintainers, the reporter(s), and where applicable, other
+affected parties under embargo.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. If there is an embargo period
+on public disclosure before the patch release, the reporter(s) are expected to
+participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.
+
+## Accreditation
+
+Security reports are greatly appreciated and we will publicly thank you,
+although we will keep your name confidential if you request it. We also like to
+send gifts - if you're into swag, make sure to let us know. We do not currently
+offer a paid security bounty program at this time.
+
+## Supported Versions
+
+This project uses long-lived branches to maintain releases, and follows
+the maintenance cycle of the Moby project.
+Refer to [BRANCHES-AND-TAGS.md](https://github.com/moby/moby/blob/master/project/BRANCHES-AND-TAGS.md)
+in the default branch of the moby repository to learn about the current
+maintenance status of each branch.

VERSION

@@ -1 +1 @@
-27.0.1-dev
+28.0.0-dev

cli-plugins/examples/helloworld/main.go

@@ -12,24 +12,24 @@ import (
 )
 
 func main() {
-	plugin.Run(func(dockerCli command.Cli) *cobra.Command {
+	plugin.Run(func(dockerCLI command.Cli) *cobra.Command {
 		goodbye := &cobra.Command{
 			Use:   "goodbye",
 			Short: "Say Goodbye instead of Hello",
 			Run: func(cmd *cobra.Command, _ []string) {
-				fmt.Fprintln(dockerCli.Out(), "Goodbye World!")
+				_, _ = fmt.Fprintln(dockerCLI.Out(), "Goodbye World!")
 			},
 		}
 		apiversion := &cobra.Command{
 			Use:   "apiversion",
 			Short: "Print the API version of the server",
 			RunE: func(_ *cobra.Command, _ []string) error {
-				cli := dockerCli.Client()
-				ping, err := cli.Ping(context.Background())
+				apiClient := dockerCLI.Client()
+				ping, err := apiClient.Ping(context.Background())
 				if err != nil {
 					return err
 				}
-				fmt.Println(ping.APIVersion)
+				_, _ = fmt.Println(ping.APIVersion)
 				return nil
 			},
 		}
@@ -38,7 +38,7 @@ func main() {
 			Use:   "exitstatus2",
 			Short: "Exit with status 2",
 			RunE: func(_ *cobra.Command, _ []string) error {
-				fmt.Fprintln(dockerCli.Err(), "Exiting with error status 2")
+				_, _ = fmt.Fprintln(dockerCLI.Err(), "Exiting with error status 2")
 				os.Exit(2)
 				return nil
 			},
@@ -56,33 +56,33 @@ func main() {
 					return err
 				}
 				if preRun {
-					fmt.Fprintf(dockerCli.Err(), "Plugin PersistentPreRunE called")
+					_, _ = fmt.Fprintln(dockerCLI.Err(), "Plugin PersistentPreRunE called")
 				}
 				return nil
 			},
 			RunE: func(cmd *cobra.Command, args []string) error {
 				if debug {
-					fmt.Fprintf(dockerCli.Err(), "Plugin debug mode enabled")
+					_, _ = fmt.Fprintln(dockerCLI.Err(), "Plugin debug mode enabled")
 				}
 
 				switch optContext {
 				case "Christmas":
-					fmt.Fprintf(dockerCli.Out(), "Merry Christmas!\n")
+					_, _ = fmt.Fprintln(dockerCLI.Out(), "Merry Christmas!")
 					return nil
 				case "":
 					// nothing
 				}
 
 				if who == "" {
-					who, _ = dockerCli.ConfigFile().PluginConfig("helloworld", "who")
+					who, _ = dockerCLI.ConfigFile().PluginConfig("helloworld", "who")
 				}
 				if who == "" {
 					who = "World"
 				}
 
-				fmt.Fprintf(dockerCli.Out(), "Hello %s!\n", who)
-				dockerCli.ConfigFile().SetPluginConfig("helloworld", "lastwho", who)
-				return dockerCli.ConfigFile().Save()
+				_, _ = fmt.Fprintln(dockerCLI.Out(), "Hello", who)
+				dockerCLI.ConfigFile().SetPluginConfig("helloworld", "lastwho", who)
+				return dockerCLI.ConfigFile().Save()
 			},
 		}
 

cli-plugins/hooks/printer.go

@@ -11,8 +11,8 @@ func PrintNextSteps(out io.Writer, messages []string) {
 	if len(messages) == 0 {
 		return
 	}
-	fmt.Fprintln(out, aec.Bold.Apply("\nWhat's next:"))
+	_, _ = fmt.Fprintln(out, aec.Bold.Apply("\nWhat's next:"))
 	for _, n := range messages {
-		_, _ = fmt.Fprintf(out, "    %s\n", n)
+		_, _ = fmt.Fprintln(out, "   ", n)
 	}
 }

cli-plugins/manager/candidate.go

@@ -17,5 +17,5 @@ func (c *candidate) Path() string {
 }
 
 func (c *candidate) Metadata() ([]byte, error) {
-	return exec.Command(c.path, MetadataSubcommandName).Output()
+	return exec.Command(c.path, MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 }

cli-plugins/manager/cobra.go

@@ -52,7 +52,6 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 			return
 		}
 		for _, p := range plugins {
-			p := p
 			vendor := p.Vendor
 			if vendor == "" {
 				vendor = "unknown"
@@ -82,7 +81,7 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 						cmd.HelpFunc()(rootCmd, args)
 						return nil
 					}
-					return fmt.Errorf("docker: '%s' is not a docker command.\nSee 'docker --help'", cmd.Name())
+					return fmt.Errorf("docker: unknown command: docker %s\n\nRun 'docker --help' for more information", cmd.Name())
 				},
 				ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 					// Delegate completion to plugin

cli-plugins/manager/error.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package manager
 

cli-plugins/manager/manager.go

@@ -32,7 +32,7 @@ const (
 // errPluginNotFound is the error returned when a plugin could not be found.
 type errPluginNotFound string
 
-func (e errPluginNotFound) NotFound() {}
+func (errPluginNotFound) NotFound() {}
 
 func (e errPluginNotFound) Error() string {
 	return "Error: No such CLI plugin: " + string(e)
@@ -75,10 +75,12 @@ func getPluginDirs(cfg *configfile.ConfigFile) ([]string, error) {
 	return pluginDirs, nil
 }
 
-func addPluginCandidatesFromDir(res map[string][]string, d string) error {
+func addPluginCandidatesFromDir(res map[string][]string, d string) {
 	dentries, err := os.ReadDir(d)
+	// Silently ignore any directories which we cannot list (e.g. due to
+	// permissions or anything else) or which is not a directory
 	if err != nil {
-		return err
+		return
 	}
 	for _, dentry := range dentries {
 		switch dentry.Type() & os.ModeType {
@@ -99,28 +101,15 @@ func addPluginCandidatesFromDir(res map[string][]string, d string) error {
 		}
 		res[name] = append(res[name], filepath.Join(d, dentry.Name()))
 	}
-	return nil
 }
 
 // listPluginCandidates returns a map from plugin name to the list of (unvalidated) Candidates. The list is in descending order of priority.
-func listPluginCandidates(dirs []string) (map[string][]string, error) {
+func listPluginCandidates(dirs []string) map[string][]string {
 	result := make(map[string][]string)
 	for _, d := range dirs {
-		// Silently ignore any directories which we cannot
-		// Stat (e.g. due to permissions or anything else) or
-		// which is not a directory.
-		if fi, err := os.Stat(d); err != nil || !fi.IsDir() {
-			continue
-		}
-		if err := addPluginCandidatesFromDir(result, d); err != nil {
-			// Silently ignore paths which don't exist.
-			if os.IsNotExist(err) {
-				continue
-			}
-			return nil, err // Or return partial result?
-		}
+		addPluginCandidatesFromDir(result, d)
 	}
-	return result, nil
+	return result
 }
 
 // GetPlugin returns a plugin on the system by its name
@@ -130,11 +119,7 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 		return nil, err
 	}
 
-	candidates, err := listPluginCandidates(pluginDirs)
-	if err != nil {
-		return nil, err
-	}
-
+	candidates := listPluginCandidates(pluginDirs)
 	if paths, ok := candidates[name]; ok {
 		if len(paths) == 0 {
 			return nil, errPluginNotFound(name)
@@ -160,10 +145,7 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 		return nil, err
 	}
 
-	candidates, err := listPluginCandidates(pluginDirs)
-	if err != nil {
-		return nil, err
-	}
+	candidates := listPluginCandidates(pluginDirs)
 
 	var plugins []Plugin
 	var mu sync.Mutex
@@ -240,7 +222,8 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 			// TODO: why are we not returning plugin.Err?
 			return nil, errPluginNotFound(name)
 		}
-		cmd := exec.Command(plugin.Path, args...)
+		cmd := exec.Command(plugin.Path, args...) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+
 		// Using dockerCli.{In,Out,Err}() here results in a hang until something is input.
 		// See: - https://github.com/golang/go/issues/10338
 		//      - https://github.com/golang/go/commit/d000e8742a173aa0659584aa01b7ba2834ba28ab

cli-plugins/manager/manager_test.go

@@ -51,8 +51,7 @@ func TestListPluginCandidates(t *testing.T) {
 		dirs = append(dirs, dir.Join(d))
 	}
 
-	candidates, err := listPluginCandidates(dirs)
-	assert.NilError(t, err)
+	candidates := listPluginCandidates(dirs)
 	exp := map[string][]string{
 		"plugin1": {
 			dir.Join("plugins1", "docker-plugin1"),
@@ -82,6 +81,29 @@ func TestListPluginCandidates(t *testing.T) {
 	assert.DeepEqual(t, candidates, exp)
 }
 
+// Regression test for https://github.com/docker/cli/issues/5643.
+// Check that inaccessible directories that come before accessible ones are ignored
+// and do not prevent the latter from being processed.
+func TestListPluginCandidatesInaccesibleDir(t *testing.T) {
+	dir := fs.NewDir(t, t.Name(),
+		fs.WithDir("no-perm", fs.WithMode(0)),
+		fs.WithDir("plugins",
+			fs.WithFile("docker-buildx", ""),
+		),
+	)
+	defer dir.Remove()
+
+	candidates := listPluginCandidates([]string{
+		dir.Join("no-perm"),
+		dir.Join("plugins"),
+	})
+	assert.DeepEqual(t, candidates, map[string][]string{
+		"buildx": {
+			dir.Join("plugins", "docker-buildx"),
+		},
+	})
+}
+
 func TestGetPlugin(t *testing.T) {
 	dir := fs.NewDir(t, t.Name(),
 		fs.WithFile("docker-bbb", `

cli-plugins/manager/plugin.go

@@ -112,7 +112,7 @@ func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte,
 		return nil, wrapAsPluginError(err, "failed to marshall hook data")
 	}
 
-	pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes))
+	pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 	pCmd.Env = os.Environ()
 	pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
 	hookCmdOutput, err := pCmd.Output()

cli-plugins/plugin/plugin.go

@@ -3,6 +3,7 @@ package plugin
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"sync"
@@ -34,7 +35,7 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 
 	var persistentPreRunOnce sync.Once
 	PersistentPreRunE = func(cmd *cobra.Command, _ []string) error {
-		var err error
+		var retErr error
 		persistentPreRunOnce.Do(func() {
 			ctx, cancel := context.WithCancel(cmd.Context())
 			cmd.SetContext(ctx)
@@ -46,7 +47,7 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 				opts = append(opts, withPluginClientConn(plugin.Name()))
 			}
 			opts = append(opts, command.WithEnableGlobalMeterProvider(), command.WithEnableGlobalTracerProvider())
-			err = tcmd.Initialize(opts...)
+			retErr = tcmd.Initialize(opts...)
 			ogRunE := cmd.RunE
 			if ogRunE == nil {
 				ogRun := cmd.Run
@@ -66,7 +67,7 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 				return err
 			}
 		})
-		return err
+		return retErr
 	}
 
 	cmd, args, err := tcmd.HandleGlobalFlags()
@@ -92,18 +93,17 @@ func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
 	plugin := makeCmd(dockerCli)
 
 	if err := RunPlugin(dockerCli, plugin, meta); err != nil {
-		if sterr, ok := err.(cli.StatusError); ok {
-			if sterr.Status != "" {
-				fmt.Fprintln(dockerCli.Err(), sterr.Status)
-			}
+		var stErr cli.StatusError
+		if errors.As(err, &stErr) {
 			// StatusError should only be used for errors, and all errors should
 			// have a non-zero exit status, so never exit with 0
-			if sterr.StatusCode == 0 {
-				os.Exit(1)
+			if stErr.StatusCode == 0 { // FIXME(thaJeztah): this should never be used with a zero status-code. Check if we do this anywhere.
+				stErr.StatusCode = 1
 			}
-			os.Exit(sterr.StatusCode)
+			_, _ = fmt.Fprintln(dockerCli.Err(), stErr)
+			os.Exit(stErr.StatusCode)
 		}
-		fmt.Fprintln(dockerCli.Err(), err)
+		_, _ = fmt.Fprintln(dockerCli.Err(), err)
 		os.Exit(1)
 	}
 }
@@ -158,7 +158,7 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 		CompletionOptions: cobra.CompletionOptions{
 			DisableDefaultCmd:   false,
 			HiddenDefaultCmd:    true,
-			DisableDescriptions: true,
+			DisableDescriptions: os.Getenv("DOCKER_CLI_DISABLE_COMPLETION_DESCRIPTION") != "",
 		},
 	}
 	opts, _ := cli.SetupPluginRootCommand(cmd)

cli/cobra.go

@@ -92,12 +92,8 @@ func FlagErrorFunc(cmd *cobra.Command, err error) error {
 		return nil
 	}
 
-	usage := ""
-	if cmd.HasSubCommands() {
-		usage = "\n\n" + cmd.UsageString()
-	}
 	return StatusError{
-		Status:     fmt.Sprintf("%s\nSee '%s --help'.%s", err, cmd.CommandPath(), usage),
+		Status:     fmt.Sprintf("%s\n\nUsage:  %s\n\nRun '%s --help' for more information", err, cmd.UseLine(), cmd.CommandPath()),
 		StatusCode: 125,
 	}
 }
@@ -341,8 +337,10 @@ func operationSubCommands(cmd *cobra.Command) []*cobra.Command {
 	return cmds
 }
 
+const defaultTermWidth = 80
+
 func wrappedFlagUsages(cmd *cobra.Command) string {
-	width := 80
+	width := defaultTermWidth
 	if ws, err := term.GetWinsize(0); err == nil {
 		width = int(ws.Width)
 	}
@@ -522,4 +520,4 @@ Run '{{.CommandPath}} COMMAND --help' for more information on a command.
 `
 
 const helpTemplate = `
-{{if or .Runnable .HasSubCommands}}{{.UsageString}}{{end}}`
+{{- if or .Runnable .HasSubCommands}}{{.UsageString}}{{end}}`

cli/command/checkpoint/create.go

@@ -40,8 +40,8 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runCreate(ctx context.Context, dockerCli command.Cli, opts createOptions) error {
-	err := dockerCli.Client().CheckpointCreate(ctx, opts.container, checkpoint.CreateOptions{
+func runCreate(ctx context.Context, dockerCLI command.Cli, opts createOptions) error {
+	err := dockerCLI.Client().CheckpointCreate(ctx, opts.container, checkpoint.CreateOptions{
 		CheckpointID:  opts.checkpoint,
 		CheckpointDir: opts.checkpointDir,
 		Exit:          !opts.leaveRunning,
@@ -50,6 +50,6 @@ func runCreate(ctx context.Context, dockerCli command.Cli, opts createOptions) e
 		return err
 	}
 
-	fmt.Fprintf(dockerCli.Out(), "%s\n", opts.checkpoint)
+	_, _ = fmt.Fprintln(dockerCLI.Out(), opts.checkpoint)
 	return nil
 }

cli/command/checkpoint/create_test.go

@@ -1,13 +1,14 @@
 package checkpoint
 
 import (
+	"errors"
 	"io"
+	"strconv"
 	"strings"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/checkpoint"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -20,16 +21,16 @@ func TestCheckpointCreateErrors(t *testing.T) {
 	}{
 		{
 			args:          []string{"too-few-arguments"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args:          []string{"too", "many", "arguments"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args: []string{"foo", "bar"},
 			checkpointCreateFunc: func(container string, options checkpoint.CreateOptions) error {
-				return errors.Errorf("error creating checkpoint for container foo")
+				return errors.New("error creating checkpoint for container foo")
 			},
 			expectedError: "error creating checkpoint for container foo",
 		},
@@ -48,26 +49,39 @@ func TestCheckpointCreateErrors(t *testing.T) {
 }
 
 func TestCheckpointCreateWithOptions(t *testing.T) {
-	var containerID, checkpointID, checkpointDir string
-	var exit bool
-	cli := test.NewFakeCli(&fakeClient{
-		checkpointCreateFunc: func(container string, options checkpoint.CreateOptions) error {
-			containerID = container
-			checkpointID = options.CheckpointID
-			checkpointDir = options.CheckpointDir
-			exit = options.Exit
-			return nil
-		},
-	})
-	cmd := newCreateCommand(cli)
-	cp := "checkpoint-bar"
-	cmd.SetArgs([]string{"container-foo", cp})
-	cmd.Flags().Set("leave-running", "true")
-	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
-	assert.NilError(t, cmd.Execute())
-	assert.Check(t, is.Equal("container-foo", containerID))
-	assert.Check(t, is.Equal(cp, checkpointID))
-	assert.Check(t, is.Equal("/dir/foo", checkpointDir))
-	assert.Check(t, is.Equal(false, exit))
-	assert.Check(t, is.Equal(cp, strings.TrimSpace(cli.OutBuffer().String())))
+	const (
+		containerName  = "container-foo"
+		checkpointName = "checkpoint-bar"
+		checkpointDir  = "/dir/foo"
+	)
+
+	for _, tc := range []bool{true, false} {
+		leaveRunning := strconv.FormatBool(tc)
+		t.Run("leave-running="+leaveRunning, func(t *testing.T) {
+			var actualContainerName string
+			var actualOptions checkpoint.CreateOptions
+			cli := test.NewFakeCli(&fakeClient{
+				checkpointCreateFunc: func(container string, options checkpoint.CreateOptions) error {
+					actualContainerName = container
+					actualOptions = options
+					return nil
+				},
+			})
+			cmd := newCreateCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs([]string{containerName, checkpointName})
+			assert.Check(t, cmd.Flags().Set("leave-running", leaveRunning))
+			assert.Check(t, cmd.Flags().Set("checkpoint-dir", checkpointDir))
+			assert.NilError(t, cmd.Execute())
+			assert.Check(t, is.Equal(actualContainerName, containerName))
+			expected := checkpoint.CreateOptions{
+				CheckpointID:  checkpointName,
+				CheckpointDir: checkpointDir,
+				Exit:          !tc,
+			}
+			assert.Check(t, is.Equal(actualOptions, expected))
+			assert.Check(t, is.Equal(strings.TrimSpace(cli.OutBuffer().String()), checkpointName))
+		})
+	}
 }

cli/command/checkpoint/list_test.go

@@ -1,12 +1,12 @@
 package checkpoint
 
 import (
+	"errors"
 	"io"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/checkpoint"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -20,16 +20,16 @@ func TestCheckpointListErrors(t *testing.T) {
 	}{
 		{
 			args:          []string{},
-			expectedError: "requires exactly 1 argument",
+			expectedError: "requires 1 argument",
 		},
 		{
 			args:          []string{"too", "many", "arguments"},
-			expectedError: "requires exactly 1 argument",
+			expectedError: "requires 1 argument",
 		},
 		{
 			args: []string{"foo"},
 			checkpointListFunc: func(container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error) {
-				return []checkpoint.Summary{}, errors.Errorf("error getting checkpoints for container foo")
+				return []checkpoint.Summary{}, errors.New("error getting checkpoints for container foo")
 			},
 			expectedError: "error getting checkpoints for container foo",
 		},

cli/command/checkpoint/remove_test.go

@@ -1,12 +1,12 @@
 package checkpoint
 
 import (
+	"errors"
 	"io"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/checkpoint"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -19,16 +19,16 @@ func TestCheckpointRemoveErrors(t *testing.T) {
 	}{
 		{
 			args:          []string{"too-few-arguments"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args:          []string{"too", "many", "arguments"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args: []string{"foo", "bar"},
 			checkpointDeleteFunc: func(container string, options checkpoint.DeleteOptions) error {
-				return errors.Errorf("error deleting checkpoint")
+				return errors.New("error deleting checkpoint")
 			},
 			expectedError: "error deleting checkpoint",
 		},

cli/command/cli.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package command
 
@@ -97,7 +97,7 @@ type DockerCli struct {
 }
 
 // DefaultVersion returns api.defaultVersion.
-func (cli *DockerCli) DefaultVersion() string {
+func (*DockerCli) DefaultVersion() string {
 	return api.DefaultVersion
 }
 
@@ -114,7 +114,7 @@ func (cli *DockerCli) CurrentVersion() string {
 // Client returns the APIClient
 func (cli *DockerCli) Client() client.APIClient {
 	if err := cli.initialize(); err != nil {
-		_, _ = fmt.Fprintf(cli.Err(), "Failed to initialize: %s\n", err)
+		_, _ = fmt.Fprintln(cli.Err(), "Failed to initialize:", err)
 		os.Exit(1)
 	}
 	return cli.client
@@ -231,7 +231,7 @@ func (cli *DockerCli) HooksEnabled() bool {
 }
 
 // ManifestStore returns a store for local manifests
-func (cli *DockerCli) ManifestStore() manifeststore.Store {
+func (*DockerCli) ManifestStore() manifeststore.Store {
 	// TODO: support override default location from config file
 	return manifeststore.NewStore(filepath.Join(config.Dir(), "manifests"))
 }
@@ -272,7 +272,7 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 		debug.Enable()
 	}
 	if opts.Context != "" && len(opts.Hosts) > 0 {
-		return errors.New("conflicting options: either specify --host or --context, not both")
+		return errors.New("conflicting options: cannot specify both --host and --context")
 	}
 
 	cli.options = opts
@@ -299,7 +299,7 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 // NewAPIClientFromFlags creates a new APIClient from command line flags
 func NewAPIClientFromFlags(opts *cliflags.ClientOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
 	if opts.Context != "" && len(opts.Hosts) > 0 {
-		return nil, errors.New("conflicting options: either specify --host or --context, not both")
+		return nil, errors.New("conflicting options: cannot specify both --host and --context")
 	}
 
 	storeConfig := DefaultContextStoreConfig()
@@ -475,7 +475,7 @@ func (cli *DockerCli) DockerEndpoint() docker.Endpoint {
 	if err := cli.initialize(); err != nil {
 		// Note that we're not terminating here, as this function may be used
 		// in cases where we're able to continue.
-		_, _ = fmt.Fprintf(cli.Err(), "%v\n", cli.initErr)
+		_, _ = fmt.Fprintln(cli.Err(), cli.initErr)
 	}
 	return cli.dockerEndpoint
 }

cli/command/cli_options.go

@@ -177,7 +177,10 @@ func withCustomHeadersFromEnv() client.Opt {
 		csvReader := csv.NewReader(strings.NewReader(value))
 		fields, err := csvReader.Read()
 		if err != nil {
-			return errdefs.InvalidParameter(errors.Errorf("failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs", envOverrideHTTPHeaders))
+			return errdefs.InvalidParameter(errors.Errorf(
+				"failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs",
+				envOverrideHTTPHeaders,
+			))
 		}
 		if len(fields) == 0 {
 			return nil
@@ -191,7 +194,10 @@ func withCustomHeadersFromEnv() client.Opt {
 			k = strings.TrimSpace(k)
 
 			if k == "" {
-				return errdefs.InvalidParameter(errors.Errorf(`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`, envOverrideHTTPHeaders, kv))
+				return errdefs.InvalidParameter(errors.Errorf(
+					`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`,
+					envOverrideHTTPHeaders, kv,
+				))
 			}
 
 			// We don't currently allow empty key=value pairs, and produce an error.
@@ -199,7 +205,10 @@ func withCustomHeadersFromEnv() client.Opt {
 			// from an environment variable with the same name). In the meantime,
 			// produce an error to prevent users from depending on this.
 			if !hasValue {
-				return errdefs.InvalidParameter(errors.Errorf(`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`, envOverrideHTTPHeaders, kv))
+				return errdefs.InvalidParameter(errors.Errorf(
+					`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`,
+					envOverrideHTTPHeaders, kv,
+				))
 			}
 
 			env[http.CanonicalHeaderKey(k)] = v

cli/command/cli_test.go

@@ -3,6 +3,7 @@ package command
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -22,7 +23,6 @@ import (
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/fs"
 )
@@ -123,7 +123,8 @@ func TestNewAPIClientFromFlagsWithCustomHeadersFromEnv(t *testing.T) {
 }
 
 func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
-	customVersion := "v3.3.3"
+	const customVersion = "v3.3.3"
+	const expectedVersion = "3.3.3"
 	t.Setenv("DOCKER_API_VERSION", customVersion)
 	t.Setenv("DOCKER_HOST", ":2375")
 
@@ -131,7 +132,7 @@ func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	configFile := &configfile.ConfigFile{}
 	apiclient, err := NewAPIClientFromFlags(opts, configFile)
 	assert.NilError(t, err)
-	assert.Equal(t, apiclient.ClientVersion(), customVersion)
+	assert.Equal(t, apiclient.ClientVersion(), expectedVersion)
 }
 
 type fakeClient struct {
@@ -187,19 +188,18 @@ func TestInitializeFromClient(t *testing.T) {
 		},
 	}
 
-	for _, testcase := range testcases {
-		testcase := testcase
-		t.Run(testcase.doc, func(t *testing.T) {
+	for _, tc := range testcases {
+		t.Run(tc.doc, func(t *testing.T) {
 			apiclient := &fakeClient{
-				pingFunc: testcase.pingFunc,
+				pingFunc: tc.pingFunc,
 				version:  defaultVersion,
 			}
 
 			cli := &DockerCli{client: apiclient}
 			err := cli.Initialize(flags.NewClientOptions())
 			assert.NilError(t, err)
-			assert.DeepEqual(t, cli.ServerInfo(), testcase.expectedServer)
-			assert.Equal(t, apiclient.negotiated, testcase.negotiated)
+			assert.DeepEqual(t, cli.ServerInfo(), tc.expectedServer)
+			assert.Equal(t, apiclient.negotiated, tc.negotiated)
 		})
 	}
 }
@@ -277,10 +277,9 @@ func TestExperimentalCLI(t *testing.T) {
 		},
 	}
 
-	for _, testcase := range testcases {
-		testcase := testcase
-		t.Run(testcase.doc, func(t *testing.T) {
-			dir := fs.NewDir(t, testcase.doc, fs.WithFile("config.json", testcase.configfile))
+	for _, tc := range testcases {
+		t.Run(tc.doc, func(t *testing.T) {
+			dir := fs.NewDir(t, tc.doc, fs.WithFile("config.json", tc.configfile))
 			defer dir.Remove()
 			apiclient := &fakeClient{
 				version: defaultVersion,

cli/command/completion/functions.go

@@ -5,7 +5,6 @@ import (
 	"strings"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
@@ -28,8 +27,11 @@ type APIClientProvider interface {
 }
 
 // ImageNames offers completion for images present within the local store
-func ImageNames(dockerCLI APIClientProvider) ValidArgsFn {
+func ImageNames(dockerCLI APIClientProvider, limit int) ValidArgsFn {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		if limit > 0 && len(args) >= limit {
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		}
 		list, err := dockerCLI.Client().ImageList(cmd.Context(), image.ListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
@@ -45,7 +47,7 @@ func ImageNames(dockerCLI APIClientProvider) ValidArgsFn {
 // ContainerNames offers completion for container names and IDs
 // By default, only names are returned.
 // Set DOCKER_COMPLETION_SHOW_CONTAINER_IDS=yes to also complete IDs.
-func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(types.Container) bool) ValidArgsFn {
+func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(container.Summary) bool) ValidArgsFn {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		list, err := dockerCLI.Client().ContainerList(cmd.Context(), container.ListOptions{
 			All: all,
@@ -60,7 +62,7 @@ func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(types
 		for _, ctr := range list {
 			skip := false
 			for _, fn := range filters {
-				if !fn(ctr) {
+				if fn != nil && !fn(ctr) {
 					skip = true
 					break
 				}
@@ -146,3 +148,47 @@ func FileNames(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCom
 func NoComplete(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
 	return nil, cobra.ShellCompDirectiveNoFileComp
 }
+
+var commonPlatforms = []string{
+	"linux",
+	"linux/386",
+	"linux/amd64",
+	"linux/arm",
+	"linux/arm/v5",
+	"linux/arm/v6",
+	"linux/arm/v7",
+	"linux/arm64",
+	"linux/arm64/v8",
+
+	// IBM power and z platforms
+	"linux/ppc64le",
+	"linux/s390x",
+
+	// Not yet supported
+	"linux/riscv64",
+
+	"windows",
+	"windows/amd64",
+
+	"wasip1",
+	"wasip1/wasm",
+}
+
+// Platforms offers completion for platform-strings. It provides a non-exhaustive
+// list of platforms to be used for completion. Platform-strings are based on
+// [runtime.GOOS] and [runtime.GOARCH], but with (optional) variants added. A
+// list of recognised os/arch combinations from the Go runtime can be obtained
+// through "go tool dist list".
+//
+// Some noteworthy exclusions from this list:
+//
+//   - arm64 images ("windows/arm64", "windows/arm64/v8") do not yet exist for windows.
+//   - we don't (yet) include `os-variant` for completion (as can be used for Windows images)
+//   - we don't (yet) include platforms for which we don't build binaries, such as
+//     BSD platforms (freebsd, netbsd, openbsd), android, macOS (darwin).
+//   - we currently exclude architectures that may have unofficial builds,
+//     but don't have wide adoption (and no support), such as loong64, mipsXXX,
+//     ppc64 (non-le) to prevent confusion.
+func Platforms(_ *cobra.Command, _ []string, _ string) (platforms []string, _ cobra.ShellCompDirective) {
+	return commonPlatforms, cobra.ShellCompDirectiveNoFileComp
+}

cli/command/completion/functions_test.go

@@ -0,0 +1,346 @@
+package completion
+
+import (
+	"context"
+	"errors"
+	"sort"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/client"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/env"
+)
+
+type fakeCLI struct {
+	*fakeClient
+}
+
+// Client implements [APIClientProvider].
+func (c fakeCLI) Client() client.APIClient {
+	return c.fakeClient
+}
+
+type fakeClient struct {
+	client.Client
+	containerListFunc func(options container.ListOptions) ([]container.Summary, error)
+	imageListFunc     func(options image.ListOptions) ([]image.Summary, error)
+	networkListFunc   func(ctx context.Context, options network.ListOptions) ([]network.Summary, error)
+	volumeListFunc    func(filter filters.Args) (volume.ListResponse, error)
+}
+
+func (c *fakeClient) ContainerList(_ context.Context, options container.ListOptions) ([]container.Summary, error) {
+	if c.containerListFunc != nil {
+		return c.containerListFunc(options)
+	}
+	return []container.Summary{}, nil
+}
+
+func (c *fakeClient) ImageList(_ context.Context, options image.ListOptions) ([]image.Summary, error) {
+	if c.imageListFunc != nil {
+		return c.imageListFunc(options)
+	}
+	return []image.Summary{}, nil
+}
+
+func (c *fakeClient) NetworkList(ctx context.Context, options network.ListOptions) ([]network.Summary, error) {
+	if c.networkListFunc != nil {
+		return c.networkListFunc(ctx, options)
+	}
+	return []network.Inspect{}, nil
+}
+
+func (c *fakeClient) VolumeList(_ context.Context, options volume.ListOptions) (volume.ListResponse, error) {
+	if c.volumeListFunc != nil {
+		return c.volumeListFunc(options.Filters)
+	}
+	return volume.ListResponse{}, nil
+}
+
+func TestCompleteContainerNames(t *testing.T) {
+	tests := []struct {
+		doc              string
+		showAll, showIDs bool
+		filters          []func(container.Summary) bool
+		containers       []container.Summary
+		expOut           []string
+		expOpts          container.ListOptions
+		expDirective     cobra.ShellCompDirective
+	}{
+		{
+			doc:          "no results",
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:     "all containers",
+			showAll: true,
+			containers: []container.Summary{
+				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
+				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+			},
+			expOut:       []string{"container-c", "container-c/link-b", "container-b", "container-a"},
+			expOpts:      container.ListOptions{All: true},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:     "all containers with ids",
+			showAll: true,
+			showIDs: true,
+			containers: []container.Summary{
+				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
+				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+			},
+			expOut:       []string{"id-c", "container-c", "container-c/link-b", "id-b", "container-b", "id-a", "container-a"},
+			expOpts:      container.ListOptions{All: true},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:     "only running containers",
+			showAll: false,
+			containers: []container.Summary{
+				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+			},
+			expOut:       []string{"container-c", "container-c/link-b"},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:     "with filter",
+			showAll: true,
+			filters: []func(container.Summary) bool{
+				func(container container.Summary) bool { return container.State == "created" },
+			},
+			containers: []container.Summary{
+				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
+				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+			},
+			expOut:       []string{"container-b"},
+			expOpts:      container.ListOptions{All: true},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:     "multiple filters",
+			showAll: true,
+			filters: []func(container.Summary) bool{
+				func(container container.Summary) bool { return container.ID == "id-a" },
+				func(container container.Summary) bool { return container.State == "created" },
+			},
+			containers: []container.Summary{
+				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
+				{ID: "id-a", State: "created", Names: []string{"/container-a"}},
+			},
+			expOut:       []string{"container-a"},
+			expOpts:      container.ListOptions{All: true},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:          "with error",
+			expDirective: cobra.ShellCompDirectiveError,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			if tc.showIDs {
+				t.Setenv("DOCKER_COMPLETION_SHOW_CONTAINER_IDS", "yes")
+			}
+			comp := ContainerNames(fakeCLI{&fakeClient{
+				containerListFunc: func(opts container.ListOptions) ([]container.Summary, error) {
+					assert.Check(t, is.DeepEqual(opts, tc.expOpts, cmpopts.IgnoreUnexported(container.ListOptions{}, filters.Args{})))
+					if tc.expDirective == cobra.ShellCompDirectiveError {
+						return nil, errors.New("some error occurred")
+					}
+					return tc.containers, nil
+				},
+			}}, tc.showAll, tc.filters...)
+
+			containers, directives := comp(&cobra.Command{}, nil, "")
+			assert.Check(t, is.Equal(directives&tc.expDirective, tc.expDirective))
+			assert.Check(t, is.DeepEqual(containers, tc.expOut))
+		})
+	}
+}
+
+func TestCompleteEnvVarNames(t *testing.T) {
+	env.PatchAll(t, map[string]string{
+		"ENV_A": "hello-a",
+		"ENV_B": "hello-b",
+	})
+	values, directives := EnvVarNames(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+
+	sort.Strings(values)
+	expected := []string{"ENV_A", "ENV_B"}
+	assert.Check(t, is.DeepEqual(values, expected))
+}
+
+func TestCompleteFileNames(t *testing.T) {
+	values, directives := FileNames(nil, nil, "")
+	assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveDefault))
+	assert.Check(t, is.Len(values, 0))
+}
+
+func TestCompleteFromList(t *testing.T) {
+	expected := []string{"one", "two", "three"}
+
+	values, directives := FromList(expected...)(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+	assert.Check(t, is.DeepEqual(values, expected))
+}
+
+func TestCompleteImageNames(t *testing.T) {
+	tests := []struct {
+		doc          string
+		images       []image.Summary
+		expOut       []string
+		expDirective cobra.ShellCompDirective
+	}{
+		{
+			doc:          "no results",
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc: "with results",
+			images: []image.Summary{
+				{RepoTags: []string{"image-c:latest", "image-c:other"}},
+				{RepoTags: []string{"image-b:latest", "image-b:other"}},
+				{RepoTags: []string{"image-a:latest", "image-a:other"}},
+			},
+			expOut:       []string{"image-c:latest", "image-c:other", "image-b:latest", "image-b:other", "image-a:latest", "image-a:other"},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:          "with error",
+			expDirective: cobra.ShellCompDirectiveError,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			comp := ImageNames(fakeCLI{&fakeClient{
+				imageListFunc: func(options image.ListOptions) ([]image.Summary, error) {
+					if tc.expDirective == cobra.ShellCompDirectiveError {
+						return nil, errors.New("some error occurred")
+					}
+					return tc.images, nil
+				},
+			}}, -1)
+
+			volumes, directives := comp(&cobra.Command{}, nil, "")
+			assert.Check(t, is.Equal(directives&tc.expDirective, tc.expDirective))
+			assert.Check(t, is.DeepEqual(volumes, tc.expOut))
+		})
+	}
+}
+
+func TestCompleteNetworkNames(t *testing.T) {
+	tests := []struct {
+		doc          string
+		networks     []network.Summary
+		expOut       []string
+		expDirective cobra.ShellCompDirective
+	}{
+		{
+			doc:          "no results",
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc: "with results",
+			networks: []network.Summary{
+				{ID: "nw-c", Name: "network-c"},
+				{ID: "nw-b", Name: "network-b"},
+				{ID: "nw-a", Name: "network-a"},
+			},
+			expOut:       []string{"network-c", "network-b", "network-a"},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:          "with error",
+			expDirective: cobra.ShellCompDirectiveError,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			comp := NetworkNames(fakeCLI{&fakeClient{
+				networkListFunc: func(ctx context.Context, options network.ListOptions) ([]network.Summary, error) {
+					if tc.expDirective == cobra.ShellCompDirectiveError {
+						return nil, errors.New("some error occurred")
+					}
+					return tc.networks, nil
+				},
+			}})
+
+			volumes, directives := comp(&cobra.Command{}, nil, "")
+			assert.Check(t, is.Equal(directives&tc.expDirective, tc.expDirective))
+			assert.Check(t, is.DeepEqual(volumes, tc.expOut))
+		})
+	}
+}
+
+func TestCompleteNoComplete(t *testing.T) {
+	values, directives := NoComplete(nil, nil, "")
+	assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+	assert.Check(t, is.Len(values, 0))
+}
+
+func TestCompletePlatforms(t *testing.T) {
+	values, directives := Platforms(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+	assert.Check(t, is.DeepEqual(values, commonPlatforms))
+}
+
+func TestCompleteVolumeNames(t *testing.T) {
+	tests := []struct {
+		doc          string
+		volumes      []*volume.Volume
+		expOut       []string
+		expDirective cobra.ShellCompDirective
+	}{
+		{
+			doc:          "no results",
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc: "with results",
+			volumes: []*volume.Volume{
+				{Name: "volume-c"},
+				{Name: "volume-b"},
+				{Name: "volume-a"},
+			},
+			expOut:       []string{"volume-c", "volume-b", "volume-a"},
+			expDirective: cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			doc:          "with error",
+			expDirective: cobra.ShellCompDirectiveError,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			comp := VolumeNames(fakeCLI{&fakeClient{
+				volumeListFunc: func(filter filters.Args) (volume.ListResponse, error) {
+					if tc.expDirective == cobra.ShellCompDirectiveError {
+						return volume.ListResponse{}, errors.New("some error occurred")
+					}
+					return volume.ListResponse{Volumes: tc.volumes}, nil
+				},
+			}})
+
+			volumes, directives := comp(&cobra.Command{}, nil, "")
+			assert.Check(t, is.Equal(directives&tc.expDirective, tc.expDirective))
+			assert.Check(t, is.DeepEqual(volumes, tc.expOut))
+		})
+	}
+}

cli/command/config/create.go

@@ -48,10 +48,10 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunConfigCreate creates a config with the given options.
-func RunConfigCreate(ctx context.Context, dockerCli command.Cli, options CreateOptions) error {
-	client := dockerCli.Client()
+func RunConfigCreate(ctx context.Context, dockerCLI command.Cli, options CreateOptions) error {
+	apiClient := dockerCLI.Client()
 
-	var in io.Reader = dockerCli.In()
+	var in io.Reader = dockerCLI.In()
 	if options.File != "-" {
 		file, err := sequential.Open(options.File)
 		if err != nil {
@@ -78,11 +78,11 @@ func RunConfigCreate(ctx context.Context, dockerCli command.Cli, options CreateO
 			Name: options.TemplateDriver,
 		}
 	}
-	r, err := client.ConfigCreate(ctx, spec)
+	r, err := apiClient.ConfigCreate(ctx, spec)
 	if err != nil {
 		return err
 	}
 
-	fmt.Fprintln(dockerCli.Out(), r.ID)
+	fmt.Fprintln(dockerCLI.Out(), r.ID)
 	return nil
 }

cli/command/config/create_test.go

@@ -2,6 +2,8 @@ package config
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -12,7 +14,6 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -28,22 +29,21 @@ func TestConfigCreateErrors(t *testing.T) {
 	}{
 		{
 			args:          []string{"too_few"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args:          []string{"too", "many", "arguments"},
-			expectedError: "requires exactly 2 arguments",
+			expectedError: "requires 2 arguments",
 		},
 		{
 			args: []string{"name", filepath.Join("testdata", configDataFile)},
 			configCreateFunc: func(_ context.Context, configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-				return types.ConfigCreateResponse{}, errors.Errorf("error creating config")
+				return types.ConfigCreateResponse{}, errors.New("error creating config")
 			},
 			expectedError: "error creating config",
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.expectedError, func(t *testing.T) {
 			cmd := newConfigCreateCommand(
 				test.NewFakeCli(&fakeClient{
@@ -64,7 +64,7 @@ func TestConfigCreateWithName(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
 		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if spec.Name != name {
-				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
 			}
 
 			actual = spec.Data
@@ -103,7 +103,7 @@ func TestConfigCreateWithLabels(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
 		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if !reflect.DeepEqual(spec, expected) {
-				return types.ConfigCreateResponse{}, errors.Errorf("expected %+v, got %+v", expected, spec)
+				return types.ConfigCreateResponse{}, fmt.Errorf("expected %+v, got %+v", expected, spec)
 			}
 
 			return types.ConfigCreateResponse{
@@ -129,11 +129,11 @@ func TestConfigCreateWithTemplatingDriver(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
 		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if spec.Name != name {
-				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
 			}
 
 			if spec.Templating.Name != expectedDriver.Name {
-				return types.ConfigCreateResponse{}, errors.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+				return types.ConfigCreateResponse{}, fmt.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
 			}
 
 			return types.ConfigCreateResponse{

cli/command/config/formatter_test.go

@@ -61,7 +61,6 @@ id_rsa
 		},
 	}
 	for _, tc := range cases {
-		tc := tc
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			var out bytes.Buffer
 			tc.context.Output = &out

cli/command/config/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package config
 
@@ -43,15 +43,15 @@ func newConfigInspectCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunConfigInspect inspects the given Swarm config.
-func RunConfigInspect(ctx context.Context, dockerCli command.Cli, opts InspectOptions) error {
-	client := dockerCli.Client()
+func RunConfigInspect(ctx context.Context, dockerCLI command.Cli, opts InspectOptions) error {
+	apiClient := dockerCLI.Client()
 
 	if opts.Pretty {
 		opts.Format = "pretty"
 	}
 
 	getRef := func(id string) (any, []byte, error) {
-		return client.ConfigInspectWithRaw(ctx, id)
+		return apiClient.ConfigInspectWithRaw(ctx, id)
 	}
 	f := opts.Format
 
@@ -62,7 +62,7 @@ func RunConfigInspect(ctx context.Context, dockerCli command.Cli, opts InspectOp
 	}
 
 	configCtx := formatter.Context{
-		Output: dockerCli.Out(),
+		Output: dockerCLI.Out(),
 		Format: NewFormat(f, false),
 	}
 

cli/command/config/inspect_test.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"testing"
@@ -10,7 +11,6 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
 	"github.com/docker/docker/api/types/swarm"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
 )
@@ -28,7 +28,7 @@ func TestConfigInspectErrors(t *testing.T) {
 		{
 			args: []string{"foo"},
 			configInspectFunc: func(_ context.Context, configID string) (swarm.Config, []byte, error) {
-				return swarm.Config{}, nil, errors.Errorf("error while inspecting the config")
+				return swarm.Config{}, nil, errors.New("error while inspecting the config")
 			},
 			expectedError: "error while inspecting the config",
 		},
@@ -45,7 +45,7 @@ func TestConfigInspectErrors(t *testing.T) {
 				if configID == "foo" {
 					return *builders.Config(builders.ConfigName("foo")), nil, nil
 				}
-				return swarm.Config{}, nil, errors.Errorf("error while inspecting the config")
+				return swarm.Config{}, nil, errors.New("error while inspecting the config")
 			},
 			expectedError: "error while inspecting the config",
 		},
@@ -77,7 +77,7 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 			args: []string{"foo"},
 			configInspectFunc: func(_ context.Context, name string) (swarm.Config, []byte, error) {
 				if name != "foo" {
-					return swarm.Config{}, nil, errors.Errorf("Invalid name, expected %s, got %s", "foo", name)
+					return swarm.Config{}, nil, fmt.Errorf("invalid name, expected %s, got %s", "foo", name)
 				}
 				return *builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")), nil, nil
 			},

cli/command/config/ls.go

@@ -45,18 +45,18 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunConfigList lists Swarm configs.
-func RunConfigList(ctx context.Context, dockerCli command.Cli, options ListOptions) error {
-	client := dockerCli.Client()
+func RunConfigList(ctx context.Context, dockerCLI command.Cli, options ListOptions) error {
+	apiClient := dockerCLI.Client()
 
-	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
+	configs, err := apiClient.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
 	if err != nil {
 		return err
 	}
 
 	format := options.Format
 	if len(format) == 0 {
-		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.Quiet {
-			format = dockerCli.ConfigFile().ConfigFormat
+		if len(dockerCLI.ConfigFile().ConfigFormat) > 0 && !options.Quiet {
+			format = dockerCLI.ConfigFile().ConfigFormat
 		} else {
 			format = formatter.TableFormatKey
 		}
@@ -67,7 +67,7 @@ func RunConfigList(ctx context.Context, dockerCli command.Cli, options ListOptio
 	})
 
 	configCtx := formatter.Context{
-		Output: dockerCli.Out(),
+		Output: dockerCLI.Out(),
 		Format: NewFormat(format, options.Quiet),
 	}
 	return FormatWrite(configCtx, configs)

cli/command/config/ls_test.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"context"
+	"errors"
 	"io"
 	"testing"
 	"time"
@@ -11,7 +12,6 @@ import (
 	"github.com/docker/cli/internal/test/builders"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -29,7 +29,7 @@ func TestConfigListErrors(t *testing.T) {
 		},
 		{
 			configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-				return []swarm.Config{}, errors.Errorf("error listing configs")
+				return []swarm.Config{}, errors.New("error listing configs")
 			},
 			expectedError: "error listing configs",
 		},

cli/command/config/remove.go

@@ -2,12 +2,11 @@ package config
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -35,23 +34,17 @@ func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunConfigRemove removes the given Swarm configs.
-func RunConfigRemove(ctx context.Context, dockerCli command.Cli, opts RemoveOptions) error {
-	client := dockerCli.Client()
-
-	var errs []string
+func RunConfigRemove(ctx context.Context, dockerCLI command.Cli, opts RemoveOptions) error {
+	apiClient := dockerCLI.Client()
 
+	var errs []error
 	for _, name := range opts.Names {
-		if err := client.ConfigRemove(ctx, name); err != nil {
-			errs = append(errs, err.Error())
+		if err := apiClient.ConfigRemove(ctx, name); err != nil {
+			errs = append(errs, err)
 			continue
 		}
-
-		fmt.Fprintln(dockerCli.Out(), name)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), name)
 	}
 
-	if len(errs) > 0 {
-		return errors.Errorf("%s", strings.Join(errs, "\n"))
-	}
-
-	return nil
+	return errors.Join(errs...)
 }

cli/command/config/remove_test.go

@@ -1,12 +1,12 @@
 package config
 
 import (
+	"errors"
 	"io"
 	"strings"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -19,12 +19,12 @@ func TestConfigRemoveErrors(t *testing.T) {
 	}{
 		{
 			args:          []string{},
-			expectedError: "requires at least 1 argument.",
+			expectedError: "requires at least 1 argument",
 		},
 		{
 			args: []string{"foo"},
 			configRemoveFunc: func(name string) error {
-				return errors.Errorf("error removing config")
+				return errors.New("error removing config")
 			},
 			expectedError: "error removing config",
 		},
@@ -66,7 +66,7 @@ func TestConfigRemoveContinueAfterError(t *testing.T) {
 		configRemoveFunc: func(name string) error {
 			removedConfigs = append(removedConfigs, name)
 			if name == "foo" {
-				return errors.Errorf("error removing config: %s", name)
+				return errors.New("error removing config: " + name)
 			}
 			return nil
 		},

cli/command/container/attach.go

@@ -7,7 +7,6 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/moby/sys/signal"
@@ -23,7 +22,7 @@ type AttachOptions struct {
 	DetachKeys string
 }
 
-func inspectContainerAndCheckState(ctx context.Context, apiClient client.APIClient, args string) (*types.ContainerJSON, error) {
+func inspectContainerAndCheckState(ctx context.Context, apiClient client.APIClient, args string) (*container.InspectResponse, error) {
 	c, err := apiClient.ContainerInspect(ctx, args)
 	if err != nil {
 		return nil, err
@@ -56,7 +55,7 @@ func NewAttachCommand(dockerCLI command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container attach, docker attach",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr types.Container) bool {
+		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr container.Summary) bool {
 			return ctr.State != "paused"
 		}),
 	}
@@ -165,9 +164,6 @@ func getExitStatus(errC <-chan error, resultC <-chan container.WaitResponse) err
 			return cli.StatusError{StatusCode: int(result.StatusCode)}
 		}
 	case err := <-errC:
-		if errors.Is(err, context.Canceled) {
-			return nil
-		}
 		return err
 	}
 

cli/command/container/attach_test.go

@@ -1,15 +1,13 @@
 package container
 
 import (
-	"context"
+	"errors"
 	"io"
 	"testing"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 )
 
@@ -18,59 +16,63 @@ func TestNewAttachCommandErrors(t *testing.T) {
 		name                 string
 		args                 []string
 		expectedError        string
-		containerInspectFunc func(img string) (types.ContainerJSON, error)
+		containerInspectFunc func(img string) (container.InspectResponse, error)
 	}{
 		{
 			name:          "client-error",
 			args:          []string{"5cb5bb5e4a3b"},
 			expectedError: "something went wrong",
-			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
-				return types.ContainerJSON{}, errors.Errorf("something went wrong")
+			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
+				return container.InspectResponse{}, errors.New("something went wrong")
 			},
 		},
 		{
 			name:          "client-stopped",
 			args:          []string{"5cb5bb5e4a3b"},
 			expectedError: "You cannot attach to a stopped container",
-			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
-				c := types.ContainerJSON{}
-				c.ContainerJSONBase = &types.ContainerJSONBase{}
-				c.ContainerJSONBase.State = &types.ContainerState{Running: false}
-				return c, nil
+			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
+				return container.InspectResponse{
+					ContainerJSONBase: &container.ContainerJSONBase{
+						State: &container.State{
+							Running: false,
+						},
+					},
+				}, nil
 			},
 		},
 		{
 			name:          "client-paused",
 			args:          []string{"5cb5bb5e4a3b"},
 			expectedError: "You cannot attach to a paused container",
-			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
-				c := types.ContainerJSON{}
-				c.ContainerJSONBase = &types.ContainerJSONBase{}
-				c.ContainerJSONBase.State = &types.ContainerState{
-					Running: true,
-					Paused:  true,
-				}
-				return c, nil
+			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
+				return container.InspectResponse{
+					ContainerJSONBase: &container.ContainerJSONBase{
+						State: &container.State{
+							Running: true,
+							Paused:  true,
+						},
+					},
+				}, nil
 			},
 		},
 		{
 			name:          "client-restarting",
 			args:          []string{"5cb5bb5e4a3b"},
 			expectedError: "You cannot attach to a restarting container",
-			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
-				c := types.ContainerJSON{}
-				c.ContainerJSONBase = &types.ContainerJSONBase{}
-				c.ContainerJSONBase.State = &types.ContainerState{
-					Running:    true,
-					Paused:     false,
-					Restarting: true,
-				}
-				return c, nil
+			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
+				return container.InspectResponse{
+					ContainerJSONBase: &container.ContainerJSONBase{
+						State: &container.State{
+							Running:    true,
+							Paused:     false,
+							Restarting: true,
+						},
+					},
+				}, nil
 			},
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			cmd := NewAttachCommand(test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc}))
 			cmd.SetOut(io.Discard)
@@ -110,10 +112,6 @@ func TestGetExitStatus(t *testing.T) {
 			},
 			expectedError: cli.StatusError{StatusCode: 15},
 		},
-		{
-			err:           context.Canceled,
-			expectedError: nil,
-		},
 	}
 
 	for _, testcase := range testcases {

cli/command/container/client_test.go

@@ -16,50 +16,56 @@ import (
 
 type fakeClient struct {
 	client.Client
-	inspectFunc         func(string) (types.ContainerJSON, error)
+	inspectFunc         func(string) (container.InspectResponse, error)
 	execInspectFunc     func(execID string) (container.ExecInspect, error)
-	execCreateFunc      func(containerID string, options container.ExecOptions) (types.IDResponse, error)
+	execCreateFunc      func(containerID string, options container.ExecOptions) (container.ExecCreateResponse, error)
 	createContainerFunc func(config *container.Config,
 		hostConfig *container.HostConfig,
 		networkingConfig *network.NetworkingConfig,
 		platform *specs.Platform,
 		containerName string) (container.CreateResponse, error)
 	containerStartFunc      func(containerID string, options container.StartOptions) error
-	imageCreateFunc         func(parentReference string, options image.CreateOptions) (io.ReadCloser, error)
+	imageCreateFunc         func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
 	infoFunc                func() (system.Info, error)
 	containerStatPathFunc   func(containerID, path string) (container.PathStat, error)
 	containerCopyFromFunc   func(containerID, srcPath string) (io.ReadCloser, container.PathStat, error)
 	logFunc                 func(string, container.LogsOptions) (io.ReadCloser, error)
 	waitFunc                func(string) (<-chan container.WaitResponse, <-chan error)
-	containerListFunc       func(container.ListOptions) ([]types.Container, error)
+	containerListFunc       func(container.ListOptions) ([]container.Summary, error)
 	containerExportFunc     func(string) (io.ReadCloser, error)
 	containerExecResizeFunc func(id string, options container.ResizeOptions) error
 	containerRemoveFunc     func(ctx context.Context, containerID string, options container.RemoveOptions) error
+	containerRestartFunc    func(ctx context.Context, containerID string, options container.StopOptions) error
+	containerStopFunc       func(ctx context.Context, containerID string, options container.StopOptions) error
 	containerKillFunc       func(ctx context.Context, containerID, signal string) error
 	containerPruneFunc      func(ctx context.Context, pruneFilters filters.Args) (container.PruneReport, error)
 	containerAttachFunc     func(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error)
+	containerDiffFunc       func(ctx context.Context, containerID string) ([]container.FilesystemChange, error)
+	containerRenameFunc     func(ctx context.Context, oldName, newName string) error
+	containerCommitFunc     func(ctx context.Context, container string, options container.CommitOptions) (container.CommitResponse, error)
+	containerPauseFunc      func(ctx context.Context, container string) error
 	Version                 string
 }
 
-func (f *fakeClient) ContainerList(_ context.Context, options container.ListOptions) ([]types.Container, error) {
+func (f *fakeClient) ContainerList(_ context.Context, options container.ListOptions) ([]container.Summary, error) {
 	if f.containerListFunc != nil {
 		return f.containerListFunc(options)
 	}
-	return []types.Container{}, nil
+	return []container.Summary{}, nil
 }
 
-func (f *fakeClient) ContainerInspect(_ context.Context, containerID string) (types.ContainerJSON, error) {
+func (f *fakeClient) ContainerInspect(_ context.Context, containerID string) (container.InspectResponse, error) {
 	if f.inspectFunc != nil {
 		return f.inspectFunc(containerID)
 	}
-	return types.ContainerJSON{}, nil
+	return container.InspectResponse{}, nil
 }
 
-func (f *fakeClient) ContainerExecCreate(_ context.Context, containerID string, config container.ExecOptions) (types.IDResponse, error) {
+func (f *fakeClient) ContainerExecCreate(_ context.Context, containerID string, config container.ExecOptions) (container.ExecCreateResponse, error) {
 	if f.execCreateFunc != nil {
 		return f.execCreateFunc(containerID, config)
 	}
-	return types.IDResponse{}, nil
+	return container.ExecCreateResponse{}, nil
 }
 
 func (f *fakeClient) ContainerExecInspect(_ context.Context, execID string) (container.ExecInspect, error) {
@@ -69,7 +75,7 @@ func (f *fakeClient) ContainerExecInspect(_ context.Context, execID string) (con
 	return container.ExecInspect{}, nil
 }
 
-func (f *fakeClient) ContainerExecStart(context.Context, string, container.ExecStartOptions) error {
+func (*fakeClient) ContainerExecStart(context.Context, string, container.ExecStartOptions) error {
 	return nil
 }
 
@@ -94,9 +100,9 @@ func (f *fakeClient) ContainerRemove(ctx context.Context, containerID string, op
 	return nil
 }
 
-func (f *fakeClient) ImageCreate(_ context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
+func (f *fakeClient) ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
 	if f.imageCreateFunc != nil {
-		return f.imageCreateFunc(parentReference, options)
+		return f.imageCreateFunc(ctx, parentReference, options)
 	}
 	return nil, nil
 }
@@ -175,9 +181,54 @@ func (f *fakeClient) ContainersPrune(ctx context.Context, pruneFilters filters.A
 	return container.PruneReport{}, nil
 }
 
+func (f *fakeClient) ContainerRestart(ctx context.Context, containerID string, options container.StopOptions) error {
+	if f.containerRestartFunc != nil {
+		return f.containerRestartFunc(ctx, containerID, options)
+	}
+	return nil
+}
+
+func (f *fakeClient) ContainerStop(ctx context.Context, containerID string, options container.StopOptions) error {
+	if f.containerStopFunc != nil {
+		return f.containerStopFunc(ctx, containerID, options)
+	}
+	return nil
+}
+
 func (f *fakeClient) ContainerAttach(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error) {
 	if f.containerAttachFunc != nil {
 		return f.containerAttachFunc(ctx, containerID, options)
 	}
 	return types.HijackedResponse{}, nil
 }
+
+func (f *fakeClient) ContainerDiff(ctx context.Context, containerID string) ([]container.FilesystemChange, error) {
+	if f.containerDiffFunc != nil {
+		return f.containerDiffFunc(ctx, containerID)
+	}
+
+	return []container.FilesystemChange{}, nil
+}
+
+func (f *fakeClient) ContainerRename(ctx context.Context, oldName, newName string) error {
+	if f.containerRenameFunc != nil {
+		return f.containerRenameFunc(ctx, oldName, newName)
+	}
+
+	return nil
+}
+
+func (f *fakeClient) ContainerCommit(ctx context.Context, containerID string, options container.CommitOptions) (container.CommitResponse, error) {
+	if f.containerCommitFunc != nil {
+		return f.containerCommitFunc(ctx, containerID, options)
+	}
+	return container.CommitResponse{}, nil
+}
+
+func (f *fakeClient) ContainerPause(ctx context.Context, containerID string) error {
+	if f.containerPauseFunc != nil {
+		return f.containerPauseFunc(ctx, containerID)
+	}
+
+	return nil
+}

cli/command/container/commit_test.go

@@ -0,0 +1,70 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/container"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRunCommit(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerCommitFunc: func(
+			ctx context.Context,
+			ctr string,
+			options container.CommitOptions,
+		) (container.CommitResponse, error) {
+			assert.Check(t, is.Equal(options.Author, "Author Name <author@name.com>"))
+			assert.Check(t, is.DeepEqual(options.Changes, []string{"EXPOSE 80"}))
+			assert.Check(t, is.Equal(options.Comment, "commit message"))
+			assert.Check(t, is.Equal(options.Pause, false))
+			assert.Check(t, is.Equal(ctr, "container-id"))
+
+			return container.CommitResponse{ID: "image-id"}, nil
+		},
+	})
+
+	cmd := NewCommitCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetArgs(
+		[]string{
+			"--author", "Author Name <author@name.com>",
+			"--change", "EXPOSE 80",
+			"--message", "commit message",
+			"--pause=false",
+			"container-id",
+		},
+	)
+
+	err := cmd.Execute()
+	assert.NilError(t, err)
+
+	assert.Assert(t, is.Equal(cli.OutBuffer().String(), "image-id\n"))
+}
+
+func TestRunCommitClientError(t *testing.T) {
+	clientError := errors.New("client error")
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerCommitFunc: func(
+			ctx context.Context,
+			ctr string,
+			options container.CommitOptions,
+		) (container.CommitResponse, error) {
+			return container.CommitResponse{}, clientError
+		},
+	})
+
+	cmd := NewCommitCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	cmd.SetArgs([]string{"container-id"})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, clientError)
+}

cli/command/container/completion.go

@@ -1,71 +1,112 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.22
+// +build go1.22
+
 package container
 
 import (
+	"strings"
+	"sync"
+
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/docker/api/types/container"
+	"github.com/moby/sys/capability"
 	"github.com/moby/sys/signal"
 	"github.com/spf13/cobra"
 )
 
+// allCaps is the magic value for "all capabilities".
+const allCaps = "ALL"
+
 // allLinuxCapabilities is a list of all known Linux capabilities.
 //
-// This list was based on the containerd pkg/cap package;
-// https://github.com/containerd/containerd/blob/v1.7.19/pkg/cap/cap_linux.go#L133-L181
-//
 // TODO(thaJeztah): add descriptions, and enable descriptions for our completion scripts (cobra.CompletionOptions.DisableDescriptions is currently set to "true")
-var allLinuxCapabilities = []string{
-	"ALL", // magic value for "all capabilities"
+// TODO(thaJeztah): consider what casing we want to use for completion (see below);
+//
+// We need to consider what format is most convenient; currently we use the
+// canonical name (uppercase and "CAP_" prefix), however, tab-completion is
+// case-sensitive by default, so requires the user to type uppercase letters
+// to filter the list of options.
+//
+// Bash completion provides a `completion-ignore-case on` option to make completion
+// case-insensitive (https://askubuntu.com/a/87066), but it looks to be a global
+// option; the current cobra.CompletionOptions also don't provide this as an option
+// to be used in the generated completion-script.
+//
+// Fish completion has `smartcase` (by default?) which matches any case if
+// all of the input is lowercase.
+//
+// Zsh does not appear have a dedicated option, but allows setting matching-rules
+// (see https://superuser.com/a/1092328).
+var allLinuxCapabilities = sync.OnceValue(func() []string {
+	caps := capability.ListKnown()
+	out := make([]string, 0, len(caps)+1)
+	out = append(out, allCaps)
+	for _, c := range caps {
+		out = append(out, "CAP_"+strings.ToUpper(c.String()))
+	}
+	return out
+})
 
-	// caps35 is the caps of kernel 3.5 (37 entries)
-	"CAP_CHOWN",            // 2.2
-	"CAP_DAC_OVERRIDE",     // 2.2
-	"CAP_DAC_READ_SEARCH",  // 2.2
-	"CAP_FOWNER",           // 2.2
-	"CAP_FSETID",           // 2.2
-	"CAP_KILL",             // 2.2
-	"CAP_SETGID",           // 2.2
-	"CAP_SETUID",           // 2.2
-	"CAP_SETPCAP",          // 2.2
-	"CAP_LINUX_IMMUTABLE",  // 2.2
-	"CAP_NET_BIND_SERVICE", // 2.2
-	"CAP_NET_BROADCAST",    // 2.2
-	"CAP_NET_ADMIN",        // 2.2
-	"CAP_NET_RAW",          // 2.2
-	"CAP_IPC_LOCK",         // 2.2
-	"CAP_IPC_OWNER",        // 2.2
-	"CAP_SYS_MODULE",       // 2.2
-	"CAP_SYS_RAWIO",        // 2.2
-	"CAP_SYS_CHROOT",       // 2.2
-	"CAP_SYS_PTRACE",       // 2.2
-	"CAP_SYS_PACCT",        // 2.2
-	"CAP_SYS_ADMIN",        // 2.2
-	"CAP_SYS_BOOT",         // 2.2
-	"CAP_SYS_NICE",         // 2.2
-	"CAP_SYS_RESOURCE",     // 2.2
-	"CAP_SYS_TIME",         // 2.2
-	"CAP_SYS_TTY_CONFIG",   // 2.2
-	"CAP_MKNOD",            // 2.4
-	"CAP_LEASE",            // 2.4
-	"CAP_AUDIT_WRITE",      // 2.6.11
-	"CAP_AUDIT_CONTROL",    // 2.6.11
-	"CAP_SETFCAP",          // 2.6.24
-	"CAP_MAC_OVERRIDE",     // 2.6.25
-	"CAP_MAC_ADMIN",        // 2.6.25
-	"CAP_SYSLOG",           // 2.6.37
-	"CAP_WAKE_ALARM",       // 3.0
-	"CAP_BLOCK_SUSPEND",    // 3.5
-
-	// caps316 is the caps of kernel 3.16 (38 entries)
-	"CAP_AUDIT_READ",
-
-	// caps58 is the caps of kernel 5.8 (40 entries)
-	"CAP_PERFMON",
-	"CAP_BPF",
-
-	// caps59 is the caps of kernel 5.9 (41 entries)
-	"CAP_CHECKPOINT_RESTORE",
+// logDriverOptions provides the options for each built-in logging driver.
+var logDriverOptions = map[string][]string{
+	"awslogs": {
+		"max-buffer-size", "mode", "awslogs-create-group", "awslogs-credentials-endpoint", "awslogs-datetime-format",
+		"awslogs-group", "awslogs-multiline-pattern", "awslogs-region", "awslogs-stream", "tag",
+	},
+	"fluentd": {
+		"max-buffer-size", "mode", "env", "env-regex", "labels", "fluentd-address", "fluentd-async",
+		"fluentd-buffer-limit", "fluentd-request-ack", "fluentd-retry-wait", "fluentd-max-retries",
+		"fluentd-sub-second-precision", "tag",
+	},
+	"gcplogs": {
+		"max-buffer-size", "mode", "env", "env-regex", "labels", "gcp-log-cmd", "gcp-meta-id", "gcp-meta-name",
+		"gcp-meta-zone", "gcp-project",
+	},
+	"gelf": {
+		"max-buffer-size", "mode", "env", "env-regex", "labels", "gelf-address", "gelf-compression-level",
+		"gelf-compression-type", "gelf-tcp-max-reconnect", "gelf-tcp-reconnect-delay", "tag",
+	},
+	"journald":  {"max-buffer-size", "mode", "env", "env-regex", "labels", "tag"},
+	"json-file": {"max-buffer-size", "mode", "env", "env-regex", "labels", "compress", "max-file", "max-size"},
+	"local":     {"max-buffer-size", "mode", "compress", "max-file", "max-size"},
+	"none":      {},
+	"splunk": {
+		"max-buffer-size", "mode", "env", "env-regex", "labels", "splunk-caname", "splunk-capath", "splunk-format",
+		"splunk-gzip", "splunk-gzip-level", "splunk-index", "splunk-insecureskipverify", "splunk-source",
+		"splunk-sourcetype", "splunk-token", "splunk-url", "splunk-verify-connection", "tag",
+	},
+	"syslog": {
+		"max-buffer-size", "mode", "env", "env-regex", "labels", "syslog-address", "syslog-facility", "syslog-format",
+		"syslog-tls-ca-cert", "syslog-tls-cert", "syslog-tls-key", "syslog-tls-skip-verify", "tag",
+	},
 }
 
+// builtInLogDrivers provides a list of the built-in logging drivers.
+var builtInLogDrivers = sync.OnceValue(func() []string {
+	drivers := make([]string, 0, len(logDriverOptions))
+	for driver := range logDriverOptions {
+		drivers = append(drivers, driver)
+	}
+	return drivers
+})
+
+// allLogDriverOptions provides all options of the built-in logging drivers.
+// The list does not contain duplicates.
+var allLogDriverOptions = sync.OnceValue(func() []string {
+	var result []string
+	seen := make(map[string]bool)
+	for driver := range logDriverOptions {
+		for _, opt := range logDriverOptions[driver] {
+			if !seen[opt] {
+				seen[opt] = true
+				result = append(result, opt)
+			}
+		}
+	}
+	return result
+})
+
 // restartPolicies is a list of all valid restart-policies..
 //
 // TODO(thaJeztah): add descriptions, and enable descriptions for our completion scripts (cobra.CompletionOptions.DisableDescriptions is currently set to "true")
@@ -76,8 +117,209 @@ var restartPolicies = []string{
 	string(container.RestartPolicyUnlessStopped),
 }
 
+// addCompletions adds the completions that `run` and `create` have in common.
+func addCompletions(cmd *cobra.Command, dockerCLI completion.APIClientProvider) {
+	_ = cmd.RegisterFlagCompletionFunc("attach", completion.FromList("stderr", "stdin", "stdout"))
+	_ = cmd.RegisterFlagCompletionFunc("cap-add", completeLinuxCapabilityNames)
+	_ = cmd.RegisterFlagCompletionFunc("cap-drop", completeLinuxCapabilityNames)
+	_ = cmd.RegisterFlagCompletionFunc("cgroupns", completeCgroupns())
+	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames)
+	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames)
+	_ = cmd.RegisterFlagCompletionFunc("ipc", completeIpc(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("link", completeLink(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("log-driver", completeLogDriver(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("log-opt", completeLogOpt)
+	_ = cmd.RegisterFlagCompletionFunc("network", completion.NetworkNames(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("pid", completePid(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("platform", completion.Platforms)
+	_ = cmd.RegisterFlagCompletionFunc("pull", completion.FromList(PullImageAlways, PullImageMissing, PullImageNever))
+	_ = cmd.RegisterFlagCompletionFunc("restart", completeRestartPolicies)
+	_ = cmd.RegisterFlagCompletionFunc("security-opt", completeSecurityOpt)
+	_ = cmd.RegisterFlagCompletionFunc("stop-signal", completeSignals)
+	_ = cmd.RegisterFlagCompletionFunc("storage-opt", completeStorageOpt)
+	_ = cmd.RegisterFlagCompletionFunc("ulimit", completeUlimit)
+	_ = cmd.RegisterFlagCompletionFunc("userns", completion.FromList("host"))
+	_ = cmd.RegisterFlagCompletionFunc("uts", completion.FromList("host"))
+	_ = cmd.RegisterFlagCompletionFunc("volume-driver", completeVolumeDriver(dockerCLI))
+	_ = cmd.RegisterFlagCompletionFunc("volumes-from", completion.ContainerNames(dockerCLI, true))
+}
+
+// completeCgroupns implements shell completion for the `--cgroupns` option of `run` and `create`.
+func completeCgroupns() completion.ValidArgsFn {
+	return completion.FromList(string(container.CgroupnsModeHost), string(container.CgroupnsModePrivate))
+}
+
+// completeDetachKeys implements shell completion for the `--detach-keys` option of `run` and `create`.
+func completeDetachKeys(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return []string{"ctrl-"}, cobra.ShellCompDirectiveNoSpace
+}
+
+// completeIpc implements shell completion for the `--ipc` option of `run` and `create`.
+// The completion is partly composite.
+func completeIpc(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
+			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
+		}
+		if strings.HasPrefix(toComplete, "container:") {
+			names, _ := completion.ContainerNames(dockerCLI, true)(cmd, args, toComplete)
+			return prefixWith("container:", names), cobra.ShellCompDirectiveNoFileComp
+		}
+		return []string{
+			string(container.IPCModeContainer + ":"),
+			string(container.IPCModeHost),
+			string(container.IPCModeNone),
+			string(container.IPCModePrivate),
+			string(container.IPCModeShareable),
+		}, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+// completeLink implements shell completion for the `--link` option  of `run` and `create`.
+func completeLink(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		return postfixWith(":", containerNames(dockerCLI, cmd, args, toComplete)), cobra.ShellCompDirectiveNoSpace
+	}
+}
+
+// completeLogDriver implements shell completion for the `--log-driver` option  of `run` and `create`.
+// The log drivers are collected from a call to the Info endpoint with a fallback to a hard-coded list
+// of the build-in log drivers.
+func completeLogDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		info, err := dockerCLI.Client().Info(cmd.Context())
+		if err != nil {
+			return builtInLogDrivers(), cobra.ShellCompDirectiveNoFileComp
+		}
+		drivers := info.Plugins.Log
+		return drivers, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+// completeLogOpt implements shell completion for the `--log-opt` option  of `run` and `create`.
+// If the user supplied a log-driver, only options for that driver are returned.
+func completeLogOpt(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	driver, _ := cmd.Flags().GetString("log-driver")
+	if options, exists := logDriverOptions[driver]; exists {
+		return postfixWith("=", options), cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveNoFileComp
+	}
+	return postfixWith("=", allLogDriverOptions()), cobra.ShellCompDirectiveNoSpace
+}
+
+// completePid implements shell completion for the `--pid` option  of `run` and `create`.
+func completePid(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
+			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
+		}
+		if strings.HasPrefix(toComplete, "container:") {
+			names, _ := completion.ContainerNames(dockerCLI, true)(cmd, args, toComplete)
+			return prefixWith("container:", names), cobra.ShellCompDirectiveNoFileComp
+		}
+		return []string{"container:", "host"}, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+// completeSecurityOpt implements shell completion for the `--security-opt` option of `run` and `create`.
+// The completion is partly composite.
+func completeSecurityOpt(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	if len(toComplete) > 0 && strings.HasPrefix("apparmor=", toComplete) { //nolint:gocritic // not swapped, matches partly typed "apparmor="
+		return []string{"apparmor="}, cobra.ShellCompDirectiveNoSpace
+	}
+	if len(toComplete) > 0 && strings.HasPrefix("label", toComplete) { //nolint:gocritic // not swapped, matches partly typed "label"
+		return []string{"label="}, cobra.ShellCompDirectiveNoSpace
+	}
+	if strings.HasPrefix(toComplete, "label=") {
+		if strings.HasPrefix(toComplete, "label=d") {
+			return []string{"label=disable"}, cobra.ShellCompDirectiveNoFileComp
+		}
+		labels := []string{"disable", "level:", "role:", "type:", "user:"}
+		return prefixWith("label=", labels), cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveNoFileComp
+	}
+	// length must be > 1 here so that completion of "s" falls through.
+	if len(toComplete) > 1 && strings.HasPrefix("seccomp", toComplete) { //nolint:gocritic // not swapped, matches partly typed "seccomp"
+		return []string{"seccomp="}, cobra.ShellCompDirectiveNoSpace
+	}
+	if strings.HasPrefix(toComplete, "seccomp=") {
+		return []string{"seccomp=unconfined"}, cobra.ShellCompDirectiveNoFileComp
+	}
+	return []string{"apparmor=", "label=", "no-new-privileges", "seccomp=", "systempaths=unconfined"}, cobra.ShellCompDirectiveNoFileComp
+}
+
+// completeStorageOpt implements shell completion for the `--storage-opt` option  of `run` and `create`.
+func completeStorageOpt(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return []string{"size="}, cobra.ShellCompDirectiveNoSpace
+}
+
+// completeUlimit implements shell completion for the `--ulimit` option of `run` and `create`.
+func completeUlimit(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	limits := []string{
+		"as",
+		"chroot",
+		"core",
+		"cpu",
+		"data",
+		"fsize",
+		"locks",
+		"maxlogins",
+		"maxsyslogins",
+		"memlock",
+		"msgqueue",
+		"nice",
+		"nofile",
+		"nproc",
+		"priority",
+		"rss",
+		"rtprio",
+		"sigpending",
+		"stack",
+	}
+	return postfixWith("=", limits), cobra.ShellCompDirectiveNoSpace
+}
+
+// completeVolumeDriver contacts the API to get the built-in and installed volume drivers.
+func completeVolumeDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+	return func(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+		info, err := dockerCLI.Client().Info(cmd.Context())
+		if err != nil {
+			// fallback: the built-in drivers
+			return []string{"local"}, cobra.ShellCompDirectiveNoFileComp
+		}
+		drivers := info.Plugins.Volume
+		return drivers, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+// containerNames contacts the API to get names and optionally IDs of containers.
+// In case of an error, an empty list is returned.
+func containerNames(dockerCLI completion.APIClientProvider, cmd *cobra.Command, args []string, toComplete string) []string {
+	names, _ := completion.ContainerNames(dockerCLI, true)(cmd, args, toComplete)
+	if names == nil {
+		return []string{}
+	}
+	return names
+}
+
+// prefixWith prefixes every element in the slice with the given prefix.
+func prefixWith(prefix string, values []string) []string {
+	result := make([]string, len(values))
+	for i, v := range values {
+		result[i] = prefix + v
+	}
+	return result
+}
+
+// postfixWith appends postfix to every element in the slice.
+func postfixWith(postfix string, values []string) []string {
+	result := make([]string, len(values))
+	for i, v := range values {
+		result[i] = v + postfix
+	}
+	return result
+}
+
 func completeLinuxCapabilityNames(cmd *cobra.Command, args []string, toComplete string) (names []string, _ cobra.ShellCompDirective) {
-	return completion.FromList(allLinuxCapabilities...)(cmd, args, toComplete)
+	return completion.FromList(allLinuxCapabilities()...)(cmd, args, toComplete)
 }
 
 func completeRestartPolicies(cmd *cobra.Command, args []string, toComplete string) (names []string, _ cobra.ShellCompDirective) {

cli/command/container/completion_test.go

@@ -0,0 +1,134 @@
+package container
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types/container"
+	"github.com/moby/sys/signal"
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestCompleteLinuxCapabilityNames(t *testing.T) {
+	names, directives := completeLinuxCapabilityNames(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+	assert.Assert(t, len(names) > 1)
+	assert.Check(t, names[0] == allCaps)
+	for _, name := range names[1:] {
+		assert.Check(t, strings.HasPrefix(name, "CAP_"))
+		assert.Check(t, is.Equal(name, strings.ToUpper(name)), "Should be formatted uppercase")
+	}
+}
+
+func TestCompletePid(t *testing.T) {
+	tests := []struct {
+		containerListFunc   func(container.ListOptions) ([]container.Summary, error)
+		toComplete          string
+		expectedCompletions []string
+		expectedDirective   cobra.ShellCompDirective
+	}{
+		{
+			toComplete:          "",
+			expectedCompletions: []string{"container:", "host"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			toComplete:          "c",
+			expectedCompletions: []string{"container:"},
+			expectedDirective:   cobra.ShellCompDirectiveNoSpace,
+		},
+		{
+			containerListFunc: func(container.ListOptions) ([]container.Summary, error) {
+				return []container.Summary{
+					*builders.Container("c1"),
+					*builders.Container("c2"),
+				}, nil
+			},
+			toComplete:          "container:",
+			expectedCompletions: []string{"container:c1", "container:c2"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.toComplete, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				containerListFunc: tc.containerListFunc,
+			})
+			completions, directive := completePid(cli)(NewRunCommand(cli), nil, tc.toComplete)
+			assert.Check(t, is.DeepEqual(completions, tc.expectedCompletions))
+			assert.Check(t, is.Equal(directive, tc.expectedDirective))
+		})
+	}
+}
+
+func TestCompleteRestartPolicies(t *testing.T) {
+	values, directives := completeRestartPolicies(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+	expected := restartPolicies
+	assert.Check(t, is.DeepEqual(values, expected))
+}
+
+func TestCompleteSecurityOpt(t *testing.T) {
+	tests := []struct {
+		toComplete          string
+		expectedCompletions []string
+		expectedDirective   cobra.ShellCompDirective
+	}{
+		{
+			toComplete:          "",
+			expectedCompletions: []string{"apparmor=", "label=", "no-new-privileges", "seccomp=", "systempaths=unconfined"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			toComplete:          "apparmor=",
+			expectedCompletions: []string{"apparmor="},
+			expectedDirective:   cobra.ShellCompDirectiveNoSpace,
+		},
+		{
+			toComplete:          "label=",
+			expectedCompletions: []string{"label=disable", "label=level:", "label=role:", "label=type:", "label=user:"},
+			expectedDirective:   cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			toComplete: "s",
+			// We do not filter matching completions but delegate this task to the shell script.
+			expectedCompletions: []string{"apparmor=", "label=", "no-new-privileges", "seccomp=", "systempaths=unconfined"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			toComplete:          "se",
+			expectedCompletions: []string{"seccomp="},
+			expectedDirective:   cobra.ShellCompDirectiveNoSpace,
+		},
+		{
+			toComplete:          "seccomp=",
+			expectedCompletions: []string{"seccomp=unconfined"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+		{
+			toComplete:          "sy",
+			expectedCompletions: []string{"apparmor=", "label=", "no-new-privileges", "seccomp=", "systempaths=unconfined"},
+			expectedDirective:   cobra.ShellCompDirectiveNoFileComp,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.toComplete, func(t *testing.T) {
+			completions, directive := completeSecurityOpt(nil, nil, tc.toComplete)
+			assert.Check(t, is.DeepEqual(completions, tc.expectedCompletions))
+			assert.Check(t, is.Equal(directive, tc.expectedDirective))
+		})
+	}
+}
+
+func TestCompleteSignals(t *testing.T) {
+	values, directives := completeSignals(nil, nil, "")
+	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
+	assert.Check(t, len(values) > 1)
+	assert.Check(t, is.Len(values, len(signal.SignalMap)))
+}

cli/command/container/cp.go

@@ -17,7 +17,6 @@ import (
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/system"
 	units "github.com/docker/go-units"
 	"github.com/morikuni/aec"
 	"github.com/pkg/errors"
@@ -130,13 +129,12 @@ func NewCopyCommand(dockerCli command.Cli) *cobra.Command {
 		Use: `cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
 	docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH`,
 		Short: "Copy files/folders between a container and the local filesystem",
-		Long: strings.Join([]string{
-			"Copy files/folders between a container and the local filesystem\n",
-			"\nUse '-' as the source to read a tar archive from stdin\n",
-			"and extract it to a directory destination in a container.\n",
-			"Use '-' as the destination to stream a tar archive of a\n",
-			"container source to stdout.",
-		}, ""),
+		Long: `Copy files/folders between a container and the local filesystem
+
+Use '-' as the source to read a tar archive from stdin
+and extract it to a directory destination in a container.
+Use '-' as the destination to stream a tar archive of a
+container source to stdout.`,
 		Args: cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if args[0] == "" {
@@ -203,14 +201,15 @@ func runCopy(ctx context.Context, dockerCli command.Cli, opts copyOptions) error
 	}
 }
 
-func resolveLocalPath(localPath string) (absPath string, err error) {
-	if absPath, err = filepath.Abs(localPath); err != nil {
-		return
+func resolveLocalPath(localPath string) (absPath string, _ error) {
+	absPath, err := filepath.Abs(localPath)
+	if err != nil {
+		return "", err
 	}
 	return archive.PreserveTrailingDotOrSeparator(absPath, localPath), nil
 }
 
-func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpConfig) (err error) {
+func copyFromContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpConfig) (err error) {
 	dstPath := copyConfig.destPath
 	srcPath := copyConfig.sourcePath
 
@@ -226,16 +225,16 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		return err
 	}
 
-	client := dockerCli.Client()
+	apiClient := dockerCLI.Client()
 	// if client requests to follow symbol link, then must decide target file to be copied
 	var rebaseName string
 	if copyConfig.followLink {
-		srcStat, err := client.ContainerStatPath(ctx, copyConfig.container, srcPath)
+		srcStat, err := apiClient.ContainerStatPath(ctx, copyConfig.container, srcPath)
 
 		// If the destination is a symbolic link, we should follow it.
 		if err == nil && srcStat.Mode&os.ModeSymlink != 0 {
 			linkTarget := srcStat.LinkTarget
-			if !system.IsAbs(linkTarget) {
+			if !isAbs(linkTarget) {
 				// Join with the parent directory.
 				srcParent, _ := archive.SplitPathDirEntry(srcPath)
 				linkTarget = filepath.Join(srcParent, linkTarget)
@@ -249,14 +248,14 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
 	defer cancel()
 
-	content, stat, err := client.CopyFromContainer(ctx, copyConfig.container, srcPath)
+	content, stat, err := apiClient.CopyFromContainer(ctx, copyConfig.container, srcPath)
 	if err != nil {
 		return err
 	}
 	defer content.Close()
 
 	if dstPath == "-" {
-		_, err = io.Copy(dockerCli.Out(), content)
+		_, err = io.Copy(dockerCLI.Out(), content)
 		return err
 	}
 
@@ -285,12 +284,12 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		return archive.CopyTo(preArchive, srcInfo, dstPath)
 	}
 
-	restore, done := copyProgress(ctx, dockerCli.Err(), copyFromContainerHeader, &copiedSize)
+	restore, done := copyProgress(ctx, dockerCLI.Err(), copyFromContainerHeader, &copiedSize)
 	res := archive.CopyTo(preArchive, srcInfo, dstPath)
 	cancel()
 	<-done
 	restore()
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", dstPath)
+	_, _ = fmt.Fprintln(dockerCLI.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", dstPath)
 
 	return res
 }
@@ -299,7 +298,7 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 // about both the source and destination. The API is a simple tar
 // archive/extract API but we can use the stat info header about the
 // destination to be more informed about exactly what the destination is.
-func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpConfig) (err error) {
+func copyToContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpConfig) (err error) {
 	srcPath := copyConfig.sourcePath
 	dstPath := copyConfig.destPath
 
@@ -311,22 +310,23 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		}
 	}
 
-	client := dockerCli.Client()
+	apiClient := dockerCLI.Client()
 	// Prepare destination copy info by stat-ing the container path.
 	dstInfo := archive.CopyInfo{Path: dstPath}
-	dstStat, err := client.ContainerStatPath(ctx, copyConfig.container, dstPath)
+	dstStat, err := apiClient.ContainerStatPath(ctx, copyConfig.container, dstPath)
 
 	// If the destination is a symbolic link, we should evaluate it.
 	if err == nil && dstStat.Mode&os.ModeSymlink != 0 {
 		linkTarget := dstStat.LinkTarget
-		if !system.IsAbs(linkTarget) {
+		if !isAbs(linkTarget) {
 			// Join with the parent directory.
 			dstParent, _ := archive.SplitPathDirEntry(dstPath)
 			linkTarget = filepath.Join(dstParent, linkTarget)
 		}
 
 		dstInfo.Path = linkTarget
-		dstStat, err = client.ContainerStatPath(ctx, copyConfig.container, linkTarget)
+		dstStat, err = apiClient.ContainerStatPath(ctx, copyConfig.container, linkTarget)
+		// FIXME(thaJeztah): unhandled error (should this return?)
 	}
 
 	// Validate the destination path
@@ -403,16 +403,16 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 	}
 
 	if copyConfig.quiet {
-		return client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
+		return apiClient.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
 	}
 
 	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
-	restore, done := copyProgress(ctx, dockerCli.Err(), copyToContainerHeader, &copiedSize)
-	res := client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
+	restore, done := copyProgress(ctx, dockerCLI.Err(), copyToContainerHeader, &copiedSize)
+	res := apiClient.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
 	cancel()
 	<-done
 	restore()
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
+	fmt.Fprintln(dockerCLI.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
 
 	return res
 }
@@ -434,7 +434,7 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 // client, a `:` could be part of an absolute Windows path, in which case it
 // is immediately proceeded by a backslash.
 func splitCpArg(arg string) (ctr, path string) {
-	if system.IsAbs(arg) {
+	if isAbs(arg) {
 		// Explicit local absolute path, e.g., `C:\foo` or `/foo`.
 		return "", arg
 	}
@@ -448,3 +448,15 @@ func splitCpArg(arg string) (ctr, path string) {
 
 	return ctr, path
 }
+
+// IsAbs is a platform-agnostic wrapper for filepath.IsAbs.
+//
+// On Windows, golang filepath.IsAbs does not consider a path \windows\system32
+// as absolute as it doesn't start with a drive-letter/colon combination. However,
+// in docker we need to verify things such as WORKDIR /windows/system32 in
+// a Dockerfile (which gets translated to \windows\system32 when being processed
+// by the daemon). This SHOULD be treated as absolute from a docker processing
+// perspective.
+func isAbs(path string) bool {
+	return filepath.IsAbs(path) || strings.HasPrefix(path, string(os.PathSeparator))
+}

cli/command/container/cp_test.go

@@ -14,7 +14,6 @@ import (
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
-	"gotest.tools/v3/skip"
 )
 
 func TestRunCopyWithInvalidArguments(t *testing.T) {
@@ -67,14 +66,15 @@ func TestRunCopyFromContainerToStdout(t *testing.T) {
 }
 
 func TestRunCopyFromContainerToFilesystem(t *testing.T) {
-	destDir := fs.NewDir(t, "cp-test",
+	srcDir := fs.NewDir(t, "cp-test",
 		fs.WithFile("file1", "content\n"))
-	defer destDir.Remove()
+
+	destDir := fs.NewDir(t, "cp-test")
 
 	cli := test.NewFakeCli(&fakeClient{
 		containerCopyFromFunc: func(ctr, srcPath string) (io.ReadCloser, container.PathStat, error) {
 			assert.Check(t, is.Equal("container", ctr))
-			readCloser, err := archive.TarWithOptions(destDir.Path(), &archive.TarOptions{})
+			readCloser, err := archive.Tar(srcDir.Path(), archive.Uncompressed)
 			return readCloser, container.PathStat{}, err
 		},
 	})
@@ -151,7 +151,7 @@ func TestSplitCpArg(t *testing.T) {
 	}{
 		{
 			doc:          "absolute path with colon",
-			os:           "linux",
+			os:           "unix",
 			path:         "/abs/path:withcolon",
 			expectedPath: "/abs/path:withcolon",
 		},
@@ -179,9 +179,13 @@ func TestSplitCpArg(t *testing.T) {
 		},
 	}
 	for _, tc := range testcases {
-		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
-			skip.If(t, tc.os == "windows" && runtime.GOOS != "windows" || tc.os == "linux" && runtime.GOOS == "windows")
+			if tc.os == "windows" && runtime.GOOS != "windows" {
+				t.Skip("skipping windows test on non-windows platform")
+			}
+			if tc.os == "unix" && runtime.GOOS == "windows" {
+				t.Skip("skipping unix test on windows")
+			}
 
 			ctr, path := splitCpArg(tc.path)
 			assert.Check(t, is.Equal(tc.expectedContainer, ctr))

cli/command/container/create.go

@@ -13,13 +13,13 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/internal/jsonstream"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/container"
 	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/jsonmessage"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -60,7 +60,7 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container create, docker create",
 		},
-		ValidArgsFunction: completion.ImageNames(dockerCli),
+		ValidArgsFunction: completion.ImageNames(dockerCli, -1),
 	}
 
 	flags := cmd.Flags()
@@ -78,22 +78,24 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
 	copts = addFlags(flags)
 
-	_ = cmd.RegisterFlagCompletionFunc("cap-add", completeLinuxCapabilityNames)
-	_ = cmd.RegisterFlagCompletionFunc("cap-drop", completeLinuxCapabilityNames)
-	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames)
-	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames)
-	_ = cmd.RegisterFlagCompletionFunc("network", completion.NetworkNames(dockerCli))
-	_ = cmd.RegisterFlagCompletionFunc("pull", completion.FromList(PullImageAlways, PullImageMissing, PullImageNever))
-	_ = cmd.RegisterFlagCompletionFunc("restart", completeRestartPolicies)
-	_ = cmd.RegisterFlagCompletionFunc("stop-signal", completeSignals)
-	_ = cmd.RegisterFlagCompletionFunc("volumes-from", completion.ContainerNames(dockerCli, true))
+	addCompletions(cmd, dockerCli)
+
+	flags.VisitAll(func(flag *pflag.Flag) {
+		// Set a default completion function if none was set. We don't look
+		// up if it does already have one set, because Cobra does this for
+		// us, and returns an error (which we ignore for this reason).
+		_ = cmd.RegisterFlagCompletionFunc(flag.Name, completion.NoComplete)
+	})
+
 	return cmd
 }
 
 func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, options *createOptions, copts *containerOptions) error {
 	if err := validatePullOpt(options.pull); err != nil {
-		reportError(dockerCli.Err(), "create", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "create").Error(),
+			StatusCode: 125,
+		}
 	}
 	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
 	newEnv := []string{}
@@ -107,12 +109,16 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 	copts.env = *opts.NewListOptsRef(&newEnv, nil)
 	containerCfg, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	if err != nil {
-		reportError(dockerCli.Err(), "create", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "create").Error(),
+			StatusCode: 125,
+		}
 	}
 	if err = validateAPIVersion(containerCfg, dockerCli.Client().ClientVersion()); err != nil {
-		reportError(dockerCli.Err(), "create", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "create").Error(),
+			StatusCode: 125,
+		}
 	}
 	id, err := createContainer(ctx, dockerCli, containerCfg, options)
 	if err != nil {
@@ -142,7 +148,7 @@ func pullImage(ctx context.Context, dockerCli command.Cli, img string, options *
 	if options.quiet {
 		out = streams.NewOut(io.Discard)
 	}
-	return jsonmessage.DisplayJSONMessagesToStream(responseBody, out, nil)
+	return jsonstream.Display(ctx, responseBody, out)
 }
 
 type cidFile struct {
@@ -268,7 +274,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		if errdefs.IsNotFound(err) && namedRef != nil && options.pull == PullImageMissing {
 			if !options.quiet {
 				// we don't want to write to stdout anything apart from container.ID
-				fmt.Fprintf(dockerCli.Err(), "Unable to find image '%s' locally\n", reference.FamiliarString(namedRef))
+				_, _ = fmt.Fprintf(dockerCli.Err(), "Unable to find image '%s' locally\n", reference.FamiliarString(namedRef))
 			}
 
 			if err := pullAndTagImage(); err != nil {
@@ -286,7 +292,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	}
 
 	for _, w := range response.Warnings {
-		_, _ = fmt.Fprintf(dockerCli.Err(), "WARNING: %s\n", w)
+		_, _ = fmt.Fprintln(dockerCli.Err(), "WARNING:", w)
 	}
 	err = containerIDFile.Write(response.ID)
 	return response.ID, err
@@ -294,7 +300,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 
 func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
 	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
-		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
+		_, _ = fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
 	}
 }
 
@@ -303,7 +309,7 @@ func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
 func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
 	for _, dnsIP := range hostConfig.DNS {
 		if isLocalhost(dnsIP) {
-			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
+			_, _ = fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
 			return
 		}
 	}

cli/command/container/create_test.go

@@ -113,7 +113,6 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 		},
 	}
 	for _, tc := range cases {
-		tc := tc
 		t.Run(tc.PullPolicy, func(t *testing.T) {
 			pullCounter := 0
 
@@ -133,7 +132,7 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 						return container.CreateResponse{ID: containerID}, nil
 					}
 				},
-				imageCreateFunc: func(parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
+				imageCreateFunc: func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
 					defer func() { pullCounter++ }()
 					return io.NopCloser(strings.NewReader("")), nil
 				},
@@ -176,7 +175,6 @@ func TestCreateContainerImagePullPolicyInvalid(t *testing.T) {
 		},
 	}
 	for _, tc := range cases {
-		tc := tc
 		t.Run(tc.PullPolicy, func(t *testing.T) {
 			dockerCli := test.NewFakeCli(&fakeClient{})
 			err := runCreate(
@@ -189,8 +187,36 @@ func TestCreateContainerImagePullPolicyInvalid(t *testing.T) {
 
 			statusErr := cli.StatusError{}
 			assert.Check(t, errors.As(err, &statusErr))
-			assert.Equal(t, statusErr.StatusCode, 125)
-			assert.Check(t, is.Contains(dockerCli.ErrBuffer().String(), tc.ExpectedErrMsg))
+			assert.Check(t, is.Equal(statusErr.StatusCode, 125))
+			assert.Check(t, is.ErrorContains(err, tc.ExpectedErrMsg))
+		})
+	}
+}
+
+func TestCreateContainerValidateFlags(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		args        []string
+		expectedErr string
+	}{
+		{
+			name:        "with invalid --attach value",
+			args:        []string{"--attach", "STDINFO", "myimage"},
+			expectedErr: `invalid argument "STDINFO" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR`,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := NewCreateCommand(test.NewFakeCli(&fakeClient{}))
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs(tc.args)
+
+			err := cmd.Execute()
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorContains(err, tc.expectedErr))
+			} else {
+				assert.Check(t, is.Nil(err))
+			}
 		})
 	}
 }
@@ -222,7 +248,6 @@ func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		fakeCLI := test.NewFakeCli(&fakeClient{
 			createContainerFunc: func(config *container.Config,
 				hostConfig *container.HostConfig,
@@ -283,9 +308,8 @@ func TestNewCreateCommandWithWarnings(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			cli := test.NewFakeCli(&fakeClient{
+			fakeCLI := test.NewFakeCli(&fakeClient{
 				createContainerFunc: func(config *container.Config,
 					hostConfig *container.HostConfig,
 					networkingConfig *network.NetworkingConfig,
@@ -295,15 +319,15 @@ func TestNewCreateCommandWithWarnings(t *testing.T) {
 					return container.CreateResponse{}, nil
 				},
 			})
-			cmd := NewCreateCommand(cli)
+			cmd := NewCreateCommand(fakeCLI)
 			cmd.SetOut(io.Discard)
 			cmd.SetArgs(tc.args)
 			err := cmd.Execute()
 			assert.NilError(t, err)
 			if tc.warning {
-				golden.Assert(t, cli.ErrBuffer().String(), tc.name+".golden")
+				golden.Assert(t, fakeCLI.ErrBuffer().String(), tc.name+".golden")
 			} else {
-				assert.Equal(t, cli.ErrBuffer().String(), "")
+				assert.Equal(t, fakeCLI.ErrBuffer().String(), "")
 			}
 		})
 	}
@@ -356,5 +380,5 @@ func TestCreateContainerWithProxyConfig(t *testing.T) {
 
 type fakeNotFound struct{}
 
-func (f fakeNotFound) NotFound()     {}
-func (f fakeNotFound) Error() string { return "error fake not found" }
+func (fakeNotFound) NotFound()     {}
+func (fakeNotFound) Error() string { return "error fake not found" }

cli/command/container/diff_test.go

@@ -0,0 +1,93 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/container"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRunDiff(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerDiffFunc: func(
+			ctx context.Context,
+			containerID string,
+		) ([]container.FilesystemChange, error) {
+			return []container.FilesystemChange{
+				{
+					Kind: container.ChangeModify,
+					Path: "/path/to/file0",
+				},
+				{
+					Kind: container.ChangeAdd,
+					Path: "/path/to/file1",
+				},
+				{
+					Kind: container.ChangeDelete,
+					Path: "/path/to/file2",
+				},
+			}, nil
+		},
+	})
+
+	cmd := NewDiffCommand(cli)
+	cmd.SetOut(io.Discard)
+
+	cmd.SetArgs([]string{"container-id"})
+
+	err := cmd.Execute()
+	assert.NilError(t, err)
+
+	diff := strings.SplitN(cli.OutBuffer().String(), "\n", 3)
+	assert.Assert(t, is.Len(diff, 3))
+
+	file0 := strings.TrimSpace(diff[0])
+	file1 := strings.TrimSpace(diff[1])
+	file2 := strings.TrimSpace(diff[2])
+
+	assert.Check(t, is.Equal(file0, "C /path/to/file0"))
+	assert.Check(t, is.Equal(file1, "A /path/to/file1"))
+	assert.Check(t, is.Equal(file2, "D /path/to/file2"))
+}
+
+func TestRunDiffClientError(t *testing.T) {
+	clientError := errors.New("client error")
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerDiffFunc: func(
+			ctx context.Context,
+			containerID string,
+		) ([]container.FilesystemChange, error) {
+			return nil, clientError
+		},
+	})
+
+	cmd := NewDiffCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
+	cmd.SetArgs([]string{"container-id"})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, clientError)
+}
+
+func TestRunDiffEmptyContainerError(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+
+	cmd := NewDiffCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
+	containerID := ""
+	cmd.SetArgs([]string{containerID})
+
+	err := cmd.Execute()
+	assert.Error(t, err, "Container name cannot be empty")
+}

cli/command/container/exec.go

@@ -10,7 +10,6 @@ import (
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
@@ -53,7 +52,7 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 			options.Command = args[1:]
 			return RunExec(cmd.Context(), dockerCli, containerIDorName, options)
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr types.Container) bool {
+		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
 			return ctr.State != "paused"
 		}),
 		Annotations: map[string]string{
@@ -85,13 +84,13 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunExec executes an `exec` command
-func RunExec(ctx context.Context, dockerCli command.Cli, containerIDorName string, options ExecOptions) error {
-	execOptions, err := parseExec(options, dockerCli.ConfigFile())
+func RunExec(ctx context.Context, dockerCLI command.Cli, containerIDorName string, options ExecOptions) error {
+	execOptions, err := parseExec(options, dockerCLI.ConfigFile())
 	if err != nil {
 		return err
 	}
 
-	apiClient := dockerCli.Client()
+	apiClient := dockerCLI.Client()
 
 	// We need to check the tty _before_ we do the ContainerExecCreate, because
 	// otherwise if we error out we will leak execIDs on the server (and
@@ -101,12 +100,12 @@ func RunExec(ctx context.Context, dockerCli command.Cli, containerIDorName strin
 		return err
 	}
 	if !execOptions.Detach {
-		if err := dockerCli.In().CheckTty(execOptions.AttachStdin, execOptions.Tty); err != nil {
+		if err := dockerCLI.In().CheckTty(execOptions.AttachStdin, execOptions.Tty); err != nil {
 			return err
 		}
 	}
 
-	fillConsoleSize(execOptions, dockerCli)
+	fillConsoleSize(execOptions, dockerCLI)
 
 	response, err := apiClient.ContainerExecCreate(ctx, containerIDorName, *execOptions)
 	if err != nil {
@@ -125,7 +124,7 @@ func RunExec(ctx context.Context, dockerCli command.Cli, containerIDorName strin
 			ConsoleSize: execOptions.ConsoleSize,
 		})
 	}
-	return interactiveExec(ctx, dockerCli, execOptions, execID)
+	return interactiveExec(ctx, dockerCLI, execOptions, execID)
 }
 
 func fillConsoleSize(execOptions *container.ExecOptions, dockerCli command.Cli) {

cli/command/container/exec_test.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"context"
+	"errors"
 	"io"
 	"os"
 	"testing"
@@ -10,9 +11,7 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
@@ -178,8 +177,8 @@ func TestRunExec(t *testing.T) {
 			doc:     "inspect error",
 			options: NewExecOptions(),
 			client: &fakeClient{
-				inspectFunc: func(string) (types.ContainerJSON, error) {
-					return types.ContainerJSON{}, errors.New("failed inspect")
+				inspectFunc: func(string) (container.InspectResponse, error) {
+					return container.InspectResponse{}, errors.New("failed inspect")
 				},
 			},
 			expectedError: "failed inspect",
@@ -208,8 +207,8 @@ func TestRunExec(t *testing.T) {
 	}
 }
 
-func execCreateWithID(_ string, _ container.ExecOptions) (types.IDResponse, error) {
-	return types.IDResponse{ID: "execid"}, nil
+func execCreateWithID(_ string, _ container.ExecOptions) (container.ExecCreateResponse, error) {
+	return container.ExecCreateResponse{ID: "execid"}, nil
 }
 
 func TestGetExecExitStatus(t *testing.T) {
@@ -252,14 +251,14 @@ func TestNewExecCommandErrors(t *testing.T) {
 		name                 string
 		args                 []string
 		expectedError        string
-		containerInspectFunc func(img string) (types.ContainerJSON, error)
+		containerInspectFunc func(img string) (container.InspectResponse, error)
 	}{
 		{
 			name:          "client-error",
 			args:          []string{"5cb5bb5e4a3b", "-t", "-i", "bash"},
 			expectedError: "something went wrong",
-			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
-				return types.ContainerJSON{}, errors.Errorf("something went wrong")
+			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
+				return container.InspectResponse{}, errors.New("something went wrong")
 			},
 		},
 	}

cli/command/container/formatter_diff_test.go

@@ -47,7 +47,6 @@ D: /usr/app/old_app.js
 	}
 
 	for _, tc := range cases {
-		tc := tc
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			out := bytes.NewBufferString("")
 			tc.context.Output = out

cli/command/container/formatter_stats.go

@@ -22,6 +22,8 @@ const (
 	winMemUseHeader = "PRIV WORKING SET"  // Used only on Windows
 	memUseHeader    = "MEM USAGE / LIMIT" // Used only on Linux
 	pidsHeader      = "PIDS"              // Used only on Linux
+
+	noValue = "--"
 )
 
 // StatsEntry represents the statistics data collected from a container
@@ -169,7 +171,7 @@ func (c *statsContext) Name() string {
 	if len(c.s.Name) > 1 {
 		return c.s.Name[1:]
 	}
-	return "--"
+	return noValue
 }
 
 func (c *statsContext) ID() string {
@@ -181,7 +183,7 @@ func (c *statsContext) ID() string {
 
 func (c *statsContext) CPUPerc() string {
 	if c.s.IsInvalid {
-		return "--"
+		return noValue
 	}
 	return formatPercentage(c.s.CPUPercentage)
 }
@@ -198,28 +200,28 @@ func (c *statsContext) MemUsage() string {
 
 func (c *statsContext) MemPerc() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return "--"
+		return noValue
 	}
 	return formatPercentage(c.s.MemoryPercentage)
 }
 
 func (c *statsContext) NetIO() string {
 	if c.s.IsInvalid {
-		return "--"
+		return noValue
 	}
 	return units.HumanSizeWithPrecision(c.s.NetworkRx, 3) + " / " + units.HumanSizeWithPrecision(c.s.NetworkTx, 3)
 }
 
 func (c *statsContext) BlockIO() string {
 	if c.s.IsInvalid {
-		return "--"
+		return noValue
 	}
 	return units.HumanSizeWithPrecision(c.s.BlockRead, 3) + " / " + units.HumanSizeWithPrecision(c.s.BlockWrite, 3)
 }
 
 func (c *statsContext) PIDs() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return "--"
+		return noValue
 	}
 	return strconv.FormatUint(c.s.PidsCurrent, 10)
 }

cli/command/container/formatter_stats_test.go

@@ -178,7 +178,6 @@ container2  --  --
 	}
 
 	for _, tc := range cases {
-		tc := tc
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			var out bytes.Buffer
 			tc.context.Output = &out
@@ -223,7 +222,6 @@ func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		tc := tc
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			err := statsFormatWrite(tc.context, []StatsEntry{}, "linux", false)
 			assert.NilError(t, err)
@@ -265,7 +263,6 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		tc := tc
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			err := statsFormatWrite(tc.context, []StatsEntry{}, "windows", false)
 			assert.NilError(t, err)

cli/command/container/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package container
 
@@ -42,11 +42,9 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runInspect(ctx context.Context, dockerCli command.Cli, opts inspectOptions) error {
-	client := dockerCli.Client()
-
-	getRefFunc := func(ref string) (any, []byte, error) {
-		return client.ContainerInspectWithRaw(ctx, ref, opts.size)
-	}
-	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
+func runInspect(ctx context.Context, dockerCLI command.Cli, opts inspectOptions) error {
+	apiClient := dockerCLI.Client()
+	return inspect.Inspect(dockerCLI.Out(), opts.refs, opts.format, func(ref string) (any, []byte, error) {
+		return apiClient.ContainerInspectWithRaw(ctx, ref, opts.size)
+	})
 }

cli/command/container/kill.go

@@ -2,13 +2,12 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -44,20 +43,19 @@ func NewKillCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runKill(ctx context.Context, dockerCli command.Cli, opts *killOptions) error {
-	var errs []string
+func runKill(ctx context.Context, dockerCLI command.Cli, opts *killOptions) error {
+	apiClient := dockerCLI.Client()
 	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, container string) error {
-		return dockerCli.Client().ContainerKill(ctx, container, opts.signal)
+		return apiClient.ContainerKill(ctx, container, opts.signal)
 	})
+
+	var errs []error
 	for _, name := range opts.containers {
 		if err := <-errChan; err != nil {
-			errs = append(errs, err.Error())
-		} else {
-			_, _ = fmt.Fprintln(dockerCli.Out(), name)
+			errs = append(errs, err)
+			continue
 		}
+		_, _ = fmt.Fprintln(dockerCLI.Out(), name)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/kill_test.go

@@ -0,0 +1,74 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRunKill(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerKillFunc: func(
+			ctx context.Context,
+			container string,
+			signal string,
+		) error {
+			assert.Assert(t, is.Equal(signal, "STOP"))
+			return nil
+		},
+	})
+
+	cmd := NewKillCommand(cli)
+	cmd.SetOut(io.Discard)
+
+	cmd.SetArgs([]string{
+		"--signal", "STOP",
+		"container-id-1",
+		"container-id-2",
+	})
+	err := cmd.Execute()
+	assert.NilError(t, err)
+
+	containerIDs := strings.SplitN(cli.OutBuffer().String(), "\n", 2)
+	assert.Assert(t, is.Len(containerIDs, 2))
+
+	containerID1 := strings.TrimSpace(containerIDs[0])
+	containerID2 := strings.TrimSpace(containerIDs[1])
+
+	assert.Check(t, is.Equal(containerID1, "container-id-1"))
+	assert.Check(t, is.Equal(containerID2, "container-id-2"))
+}
+
+func TestRunKillClientError(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerKillFunc: func(
+			ctx context.Context,
+			container string,
+			signal string,
+		) error {
+			return fmt.Errorf("client error for container %s", container)
+		},
+	})
+
+	cmd := NewKillCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
+	cmd.SetArgs([]string{"container-id-1", "container-id-2"})
+	err := cmd.Execute()
+
+	errs := strings.SplitN(err.Error(), "\n", 2)
+	assert.Assert(t, is.Len(errs, 2))
+
+	errContainerID1 := errs[0]
+	errContainerID2 := errs[1]
+
+	assert.Assert(t, is.Equal(errContainerID1, "client error for container container-id-1"))
+	assert.Assert(t, is.Equal(errContainerID2, "client error for container container-id-2"))
+}

cli/command/container/list_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -128,9 +127,8 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 
 func TestContainerListErrors(t *testing.T) {
 	testCases := []struct {
-		args              []string
 		flags             map[string]string
-		containerListFunc func(container.ListOptions) ([]types.Container, error)
+		containerListFunc func(container.ListOptions) ([]container.Summary, error)
 		expectedError     string
 	}{
 		{
@@ -146,7 +144,7 @@ func TestContainerListErrors(t *testing.T) {
 			expectedError: `wrong number of args for join`,
 		},
 		{
-			containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
+			containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
 				return nil, errors.New("error listing containers")
 			},
 			expectedError: "error listing containers",
@@ -158,10 +156,10 @@ func TestContainerListErrors(t *testing.T) {
 				containerListFunc: tc.containerListFunc,
 			}),
 		)
-		cmd.SetArgs(tc.args)
 		for key, value := range tc.flags {
 			assert.Check(t, cmd.Flags().Set(key, value))
 		}
+		cmd.SetArgs([]string{})
 		cmd.SetOut(io.Discard)
 		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
@@ -170,8 +168,8 @@ func TestContainerListErrors(t *testing.T) {
 
 func TestContainerListWithoutFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1"),
 				*builders.Container("c2", builders.WithName("foo")),
 				*builders.Container("c3", builders.WithPort(80, 80, builders.TCP), builders.WithPort(81, 81, builders.TCP), builders.WithPort(82, 82, builders.TCP)),
@@ -181,20 +179,26 @@ func TestContainerListWithoutFormat(t *testing.T) {
 		},
 	})
 	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
 	assert.NilError(t, cmd.Execute())
 	golden.Assert(t, cli.OutBuffer().String(), "container-list-without-format.golden")
 }
 
 func TestContainerListNoTrunc(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1"),
 				*builders.Container("c2", builders.WithName("foo/bar")),
 			}, nil
 		},
 	})
 	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
 	assert.Check(t, cmd.Flags().Set("no-trunc", "true"))
 	assert.NilError(t, cmd.Execute())
 	golden.Assert(t, cli.OutBuffer().String(), "container-list-without-format-no-trunc.golden")
@@ -203,14 +207,17 @@ func TestContainerListNoTrunc(t *testing.T) {
 // Test for GitHub issue docker/docker#21772
 func TestContainerListNamesMultipleTime(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1"),
 				*builders.Container("c2", builders.WithName("foo/bar")),
 			}, nil
 		},
 	})
 	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
 	assert.Check(t, cmd.Flags().Set("format", "{{.Names}} {{.Names}}"))
 	assert.NilError(t, cmd.Execute())
 	golden.Assert(t, cli.OutBuffer().String(), "container-list-format-name-name.golden")
@@ -219,14 +226,17 @@ func TestContainerListNamesMultipleTime(t *testing.T) {
 // Test for GitHub issue docker/docker#30291
 func TestContainerListFormatTemplateWithArg(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1", builders.WithLabel("some.label", "value")),
 				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
 			}, nil
 		},
 	})
 	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
 	assert.Check(t, cmd.Flags().Set("format", `{{.Names}} {{.Label "some.label"}}`))
 	assert.NilError(t, cmd.Execute())
 	golden.Assert(t, cli.OutBuffer().String(), "container-list-format-with-arg.golden")
@@ -267,15 +277,17 @@ func TestContainerListFormatSizeSetsOption(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			cli := test.NewFakeCli(&fakeClient{
-				containerListFunc: func(options container.ListOptions) ([]types.Container, error) {
+				containerListFunc: func(options container.ListOptions) ([]container.Summary, error) {
 					assert.Check(t, is.Equal(options.Size, tc.sizeExpected))
-					return []types.Container{}, nil
+					return []container.Summary{}, nil
 				},
 			})
 			cmd := newListCommand(cli)
+			cmd.SetArgs([]string{})
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
 			assert.Check(t, cmd.Flags().Set("format", tc.format))
 			if tc.sizeFlag != "" {
 				assert.Check(t, cmd.Flags().Set("size", tc.sizeFlag))
@@ -287,8 +299,8 @@ func TestContainerListFormatSizeSetsOption(t *testing.T) {
 
 func TestContainerListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1", builders.WithLabel("some.label", "value"), builders.WithSize(10700000)),
 				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar"), builders.WithSize(3200000)),
 			}, nil
@@ -298,14 +310,17 @@ func TestContainerListWithConfigFormat(t *testing.T) {
 		PsFormat: "{{ .Names }} {{ .Image }} {{ .Labels }} {{ .Size}}",
 	})
 	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
 	assert.NilError(t, cmd.Execute())
 	golden.Assert(t, cli.OutBuffer().String(), "container-list-with-config-format.golden")
 }
 
 func TestContainerListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]types.Container, error) {
-			return []types.Container{
+		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
+			return []container.Summary{
 				*builders.Container("c1", builders.WithLabel("some.label", "value")),
 				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
 			}, nil
@@ -315,6 +330,9 @@ func TestContainerListWithFormat(t *testing.T) {
 	t.Run("with format", func(t *testing.T) {
 		cli.OutBuffer().Reset()
 		cmd := newListCommand(cli)
+		cmd.SetArgs([]string{})
+		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.Check(t, cmd.Flags().Set("format", "{{ .Names }} {{ .Image }} {{ .Labels }}"))
 		assert.NilError(t, cmd.Execute())
 		golden.Assert(t, cli.OutBuffer().String(), "container-list-with-format.golden")
@@ -323,6 +341,9 @@ func TestContainerListWithFormat(t *testing.T) {
 	t.Run("with format and quiet", func(t *testing.T) {
 		cli.OutBuffer().Reset()
 		cmd := newListCommand(cli)
+		cmd.SetArgs([]string{})
+		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.Check(t, cmd.Flags().Set("format", "{{ .Names }} {{ .Image }} {{ .Labels }}"))
 		assert.Check(t, cmd.Flags().Set("quiet", "true"))
 		assert.NilError(t, cmd.Execute())

cli/command/container/logs_test.go

@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -20,10 +19,10 @@ var logFn = func(expectedOut string) func(string, container.LogsOptions) (io.Rea
 }
 
 func TestRunLogs(t *testing.T) {
-	inspectFn := func(containerID string) (types.ContainerJSON, error) {
-		return types.ContainerJSON{
+	inspectFn := func(containerID string) (container.InspectResponse, error) {
+		return container.InspectResponse{
 			Config:            &container.Config{Tty: true},
-			ContainerJSONBase: &types.ContainerJSONBase{State: &types.ContainerState{Running: false}},
+			ContainerJSONBase: &container.ContainerJSONBase{State: &container.State{Running: false}},
 		}, nil
 	}
 

cli/command/container/opts.go

@@ -23,7 +23,6 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/go-connections/nat"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
 	cdi "tags.cncf.io/container-device-interface/pkg/parser"
 )
@@ -364,10 +363,6 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		return nil, errors.Errorf("invalid value: %d. Valid memory swappiness range is 0-100", swappiness)
 	}
 
-	mounts := copts.mounts.Value()
-	if len(mounts) > 0 && copts.volumeDriver != "" {
-		logrus.Warn("`--volume-driver` is ignored for volumes specified via `--mount`. Use `--mount type=volume,volume-driver=...` instead.")
-	}
 	var binds []string
 	volumes := copts.volumes.GetMap()
 	// add any bind targets to the list of container volumes
@@ -697,14 +692,14 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		Tmpfs:          tmpfs,
 		Sysctls:        copts.sysctls.GetAll(),
 		Runtime:        copts.runtime,
-		Mounts:         mounts,
+		Mounts:         copts.mounts.Value(),
 		MaskedPaths:    maskedPaths,
 		ReadonlyPaths:  readonlyPaths,
 		Annotations:    copts.annotations.GetAll(),
 	}
 
 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
-		return nil, errors.Errorf("Conflicting options: --restart and --rm")
+		return nil, errors.Errorf("conflicting options: cannot specify both --restart and --rm")
 	}
 
 	// only set this value if the user provided the flag, else it should default to nil
@@ -767,7 +762,6 @@ func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.Endpoin
 	}
 
 	for i, n := range copts.netMode.Value() {
-		n := n
 		if container.NetworkMode(n.Target).IsUserDefined() {
 			hasUserDefined = true
 		} else {
@@ -831,7 +825,9 @@ func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOption
 		n.Aliases = make([]string, copts.aliases.Len())
 		copy(n.Aliases, copts.aliases.GetAll())
 	}
-	if n.Target != "default" && copts.links.Len() > 0 {
+	// For a user-defined network, "--link" is an endpoint option, it creates an alias. But,
+	// for the default bridge it defines a legacy-link.
+	if container.NetworkMode(n.Target).IsUserDefined() && copts.links.Len() > 0 {
 		n.Links = make([]string, copts.links.Len())
 		copy(n.Links, copts.links.GetAll())
 	}
@@ -864,7 +860,9 @@ func parseNetworkAttachmentOpt(ep opts.NetworkAttachmentOpts) (*networktypes.End
 		}
 	}
 
-	epConfig := &networktypes.EndpointSettings{}
+	epConfig := &networktypes.EndpointSettings{
+		GwPriority: ep.GwPriority,
+	}
 	epConfig.Aliases = append(epConfig.Aliases, ep.Aliases...)
 	if len(ep.DriverOpts) > 0 {
 		epConfig.DriverOpts = make(map[string]string)

cli/command/container/opts_test.go

@@ -1,6 +1,7 @@
 package container
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -12,7 +13,6 @@ import (
 	"github.com/docker/docker/api/types/container"
 	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/go-connections/nat"
-	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -72,14 +72,75 @@ func mustParse(t *testing.T, args string) (*container.Config, *container.HostCon
 }
 
 func TestParseRunLinks(t *testing.T) {
-	if _, hostConfig, _ := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
-		t.Fatalf("Error parsing links. Expected []string{\"a:b\"}, received: %v", hostConfig.Links)
+	tests := []struct {
+		name               string
+		input              string
+		expHostConfigLinks []string
+		expNetConfigLinks  map[string][]string
+	}{
+		// Default bridge - legacy links ...
+		{
+			name:               "default/onelink",
+			input:              "--link a:b",
+			expHostConfigLinks: []string{"a:b"},
+			expNetConfigLinks:  map[string][]string{"default": nil},
+		},
+		{
+			name:               "default/twolinks",
+			input:              "--link a:b --link c:d",
+			expHostConfigLinks: []string{"a:b", "c:d"},
+			expNetConfigLinks:  map[string][]string{"default": nil},
+		},
+		{
+			name:               "bridge/onelink",
+			input:              "--network bridge --link a:b",
+			expHostConfigLinks: []string{"a:b"},
+			// expNetConfigLinks - no EndpointsConfig is created for a single named network with no options set.
+			// See the "For backward compatibility" comment in parseNetworkOpts().
+		},
+		{
+			name:              "default/nolinks",
+			expNetConfigLinks: map[string][]string{"default": nil},
+		},
+
+		// User-defined bridge - links become DNS aliases ...
+		{
+			name:               "userdefnet/onelink",
+			input:              "--network userdefnet --link a:b",
+			expHostConfigLinks: []string{"a:b"},
+			expNetConfigLinks:  map[string][]string{"userdefnet": {"a:b"}},
+		},
+		{
+			name:               "userdefnet/twolinks",
+			input:              "--network userdefnet --link a:b --link c:d",
+			expHostConfigLinks: []string{"a:b", "c:d"},
+			expNetConfigLinks:  map[string][]string{"userdefnet": {"a:b", "c:d"}},
+		},
+		{
+			name:  "userdefnet/nolinks",
+			input: "--network userdefnet",
+		},
+		{
+			// Link options are applied to the first network (and there's no "advanced syntax"
+			// link key, like "--network name=userdefnet,link=a:b").
+			name:               "links apply to the first network",
+			input:              "--network userdefnet --link a:b --network bar --link c:d",
+			expHostConfigLinks: []string{"a:b", "c:d"},
+			expNetConfigLinks:  map[string][]string{"userdefnet": {"a:b", "c:d"}, "bar": nil},
+		},
 	}
-	if _, hostConfig, _ := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
-		t.Fatalf("Error parsing links. Expected []string{\"a:b\", \"c:d\"}, received: %v", hostConfig.Links)
-	}
-	if _, hostConfig, _ := mustParse(t, ""); len(hostConfig.Links) != 0 {
-		t.Fatalf("Error parsing links. No link expected, received: %v", hostConfig.Links)
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, hostConfig, netConfig := mustParse(t, tc.input)
+			assert.Check(t, is.DeepEqual(hostConfig.Links, tc.expHostConfigLinks))
+			assert.Check(t, is.Len(netConfig.EndpointsConfig, len(tc.expNetConfigLinks)))
+			for netName, expLinks := range tc.expNetConfigLinks {
+				nc, ok := netConfig.EndpointsConfig[netName]
+				assert.Assert(t, ok)
+				assert.Check(t, is.DeepEqual(nc.Links, expLinks))
+			}
+		})
 	}
 }
 
@@ -126,7 +187,6 @@ func TestParseRunAttach(t *testing.T) {
 		},
 	}
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.input, func(t *testing.T) {
 			config, _, _ := mustParse(t, tc.input)
 			assert.Equal(t, config.AttachStdin, tc.expected.AttachStdin)
@@ -280,7 +340,7 @@ func compareRandomizedStrings(a, b, c, d string) error {
 	if a == d && b == c {
 		return nil
 	}
-	return errors.Errorf("strings don't match")
+	return errors.New("strings don't match")
 }
 
 // Simple parse with MacAddress validation
@@ -802,7 +862,6 @@ func TestParseRestartPolicy(t *testing.T) {
 		},
 	}
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.input, func(t *testing.T) {
 			_, hostConfig, _, err := parseRun([]string{"--restart=" + tc.input, "img", "cmd"})
 			if tc.expectedErr != "" {
@@ -817,11 +876,9 @@ func TestParseRestartPolicy(t *testing.T) {
 }
 
 func TestParseRestartPolicyAutoRemove(t *testing.T) {
-	expected := "Conflicting options: --restart and --rm"
 	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled
-	if err == nil || err.Error() != expected {
-		t.Fatalf("Expected error %v, but got none", expected)
-	}
+	const expected = "conflicting options: cannot specify both --restart and --rm"
+	assert.Check(t, is.Error(err, expected))
 }
 
 func TestParseHealth(t *testing.T) {
@@ -921,7 +978,7 @@ func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
 	}
 
 	// UTF16 with BOM
-	e := "contains invalid utf8 bytes at line"
+	e := "invalid utf8 bytes at line"
 	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
 		t.Fatalf("Expected an error with message '%s', got %v", e, err)
 	}
@@ -959,12 +1016,8 @@ func TestParseLabelfileVariables(t *testing.T) {
 
 func TestParseEntryPoint(t *testing.T) {
 	config, _, _, err := parseRun([]string{"--entrypoint=anything", "cmd", "img"})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(config.Entrypoint) != 1 && config.Entrypoint[0] != "anything" {
-		t.Fatalf("Expected entrypoint 'anything', got %v", config.Entrypoint)
-	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]string(config.Entrypoint), []string{"anything"}))
 }
 
 func TestValidateDevice(t *testing.T) {

cli/command/container/pause.go

@@ -2,14 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
-	"github.com/pkg/errors"
+	"github.com/docker/docker/api/types/container"
 	"github.com/spf13/cobra"
 )
 
@@ -32,24 +31,23 @@ func NewPauseCommand(dockerCli command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container pause, docker pause",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(container types.Container) bool {
-			return container.State != "paused"
+		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
+			return ctr.State != "paused"
 		}),
 	}
 }
 
-func runPause(ctx context.Context, dockerCli command.Cli, opts *pauseOptions) error {
-	var errs []string
-	errChan := parallelOperation(ctx, opts.containers, dockerCli.Client().ContainerPause)
-	for _, container := range opts.containers {
+func runPause(ctx context.Context, dockerCLI command.Cli, opts *pauseOptions) error {
+	apiClient := dockerCLI.Client()
+	errChan := parallelOperation(ctx, opts.containers, apiClient.ContainerPause)
+
+	var errs []error
+	for _, ctr := range opts.containers {
 		if err := <-errChan; err != nil {
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 			continue
 		}
-		fmt.Fprintln(dockerCli.Out(), container)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), ctr)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/pause_test.go

@@ -0,0 +1,65 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRunPause(t *testing.T) {
+	cli := test.NewFakeCli(
+		&fakeClient{
+			containerPauseFunc: func(ctx context.Context, container string) error {
+				return nil
+			},
+		},
+	)
+
+	cmd := NewPauseCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetArgs([]string{"container-id-1", "container-id-2"})
+
+	err := cmd.Execute()
+	assert.NilError(t, err)
+
+	containerIDs := strings.SplitN(cli.OutBuffer().String(), "\n", 2)
+	assert.Assert(t, is.Len(containerIDs, 2))
+
+	containerID1 := strings.TrimSpace(containerIDs[0])
+	containerID2 := strings.TrimSpace(containerIDs[1])
+
+	assert.Check(t, is.Equal(containerID1, "container-id-1"))
+	assert.Check(t, is.Equal(containerID2, "container-id-2"))
+}
+
+func TestRunPauseClientError(t *testing.T) {
+	cli := test.NewFakeCli(
+		&fakeClient{
+			containerPauseFunc: func(ctx context.Context, container string) error {
+				return fmt.Errorf("client error for container %s", container)
+			},
+		},
+	)
+
+	cmd := NewPauseCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	cmd.SetArgs([]string{"container-id-1", "container-id-2"})
+
+	err := cmd.Execute()
+
+	errs := strings.SplitN(err.Error(), "\n", 2)
+	assert.Assert(t, is.Len(errs, 2))
+
+	errContainerID1 := errs[0]
+	errContainerID2 := errs[1]
+
+	assert.Assert(t, is.Equal(errContainerID1, "client error for container container-id-1"))
+	assert.Assert(t, is.Equal(errContainerID2, "client error for container container-id-2"))
+}

cli/command/container/port_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
@@ -43,11 +43,10 @@ func TestNewPortCommandOutput(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			cli := test.NewFakeCli(&fakeClient{
-				inspectFunc: func(string) (types.ContainerJSON, error) {
-					ci := types.ContainerJSON{NetworkSettings: &types.NetworkSettings{}}
+				inspectFunc: func(string) (container.InspectResponse, error) {
+					ci := container.InspectResponse{NetworkSettings: &container.NetworkSettings{}}
 					ci.NetworkSettings.Ports = nat.PortMap{
 						"80/tcp":  make([]nat.PortBinding, len(tc.ips)),
 						"443/tcp": make([]nat.PortBinding, len(tc.ips)),

cli/command/container/prune_test.go

@@ -2,13 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"io"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
-	"github.com/pkg/errors"
 )
 
 func TestContainerPrunePromptTermination(t *testing.T) {
@@ -21,6 +21,7 @@ func TestContainerPrunePromptTermination(t *testing.T) {
 		},
 	})
 	cmd := NewPruneCommand(cli)
+	cmd.SetArgs([]string{})
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 	test.TerminatePrompt(ctx, t, cmd, cli)

cli/command/container/rename_test.go

@@ -0,0 +1,77 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRunRename(t *testing.T) {
+	testcases := []struct {
+		doc, oldName, newName, expectedErr string
+	}{
+		{
+			doc:         "success",
+			oldName:     "oldName",
+			newName:     "newName",
+			expectedErr: "",
+		},
+		{
+			doc:         "empty old name",
+			oldName:     "",
+			newName:     "newName",
+			expectedErr: "Error: Neither old nor new names may be empty",
+		},
+		{
+			doc:         "empty new name",
+			oldName:     "oldName",
+			newName:     "",
+			expectedErr: "Error: Neither old nor new names may be empty",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				containerRenameFunc: func(ctx context.Context, oldName, newName string) error {
+					return nil
+				},
+			})
+
+			cmd := NewRenameCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs([]string{tc.oldName, tc.newName})
+
+			err := cmd.Execute()
+
+			if tc.expectedErr != "" {
+				assert.ErrorContains(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+			}
+		})
+	}
+}
+
+func TestRunRenameClientError(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerRenameFunc: func(ctx context.Context, oldName, newName string) error {
+			return errors.New("client error")
+		},
+	})
+
+	cmd := NewRenameCommand(cli)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	cmd.SetArgs([]string{"oldName", "newName"})
+
+	err := cmd.Execute()
+
+	assert.Check(t, is.Error(err, "Error: failed to rename container named oldName"))
+}

cli/command/container/restart.go

@@ -2,14 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -30,8 +29,11 @@ func NewRestartCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Restart one or more containers",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if cmd.Flags().Changed("time") && cmd.Flags().Changed("timeout") {
+				return errors.New("conflicting options: cannot specify both --timeout and --time")
+			}
 			opts.containers = args
-			opts.timeoutChanged = cmd.Flags().Changed("time")
+			opts.timeoutChanged = cmd.Flags().Changed("timeout") || cmd.Flags().Changed("time")
 			return runRestart(cmd.Context(), dockerCli, &opts)
 		},
 		Annotations: map[string]string{
@@ -42,32 +44,36 @@ func NewRestartCommand(dockerCli command.Cli) *cobra.Command {
 
 	flags := cmd.Flags()
 	flags.StringVarP(&opts.signal, "signal", "s", "", "Signal to send to the container")
-	flags.IntVarP(&opts.timeout, "time", "t", 0, "Seconds to wait before killing the container")
+	flags.IntVarP(&opts.timeout, "timeout", "t", 0, "Seconds to wait before killing the container")
+
+	// The --time option is deprecated, but kept for backward compatibility.
+	flags.IntVar(&opts.timeout, "time", 0, "Seconds to wait before killing the container (deprecated: use --timeout)")
+	_ = flags.MarkDeprecated("time", "use --timeout instead")
 
 	_ = cmd.RegisterFlagCompletionFunc("signal", completeSignals)
 
 	return cmd
 }
 
-func runRestart(ctx context.Context, dockerCli command.Cli, opts *restartOptions) error {
-	var errs []string
+func runRestart(ctx context.Context, dockerCLI command.Cli, opts *restartOptions) error {
 	var timeout *int
 	if opts.timeoutChanged {
 		timeout = &opts.timeout
 	}
+
+	apiClient := dockerCLI.Client()
+	var errs []error
+	// TODO(thaJeztah): consider using parallelOperation for restart, similar to "stop" and "remove"
 	for _, name := range opts.containers {
-		err := dockerCli.Client().ContainerRestart(ctx, name, container.StopOptions{
+		err := apiClient.ContainerRestart(ctx, name, container.StopOptions{
 			Signal:  opts.signal,
 			Timeout: timeout,
 		})
 		if err != nil {
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 			continue
 		}
-		_, _ = fmt.Fprintln(dockerCli.Out(), name)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), name)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/restart_test.go

@@ -0,0 +1,95 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"sort"
+	"sync"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/errdefs"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestRestart(t *testing.T) {
+	for _, tc := range []struct {
+		name         string
+		args         []string
+		restarted    []string
+		expectedOpts container.StopOptions
+		expectedErr  string
+	}{
+		{
+			name:      "without options",
+			args:      []string{"container-1", "container-2"},
+			restarted: []string{"container-1", "container-2"},
+		},
+		{
+			name:        "with unknown container",
+			args:        []string{"container-1", "nosuchcontainer", "container-2"},
+			expectedErr: "no such container",
+			restarted:   []string{"container-1", "container-2"},
+		},
+		{
+			name:         "with -t",
+			args:         []string{"-t", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			restarted:    []string{"container-1"},
+		},
+		{
+			name:         "with --timeout",
+			args:         []string{"--timeout", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			restarted:    []string{"container-1"},
+		},
+		{
+			name:         "with --time",
+			args:         []string{"--time", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			restarted:    []string{"container-1"},
+		},
+		{
+			name:        "conflicting options",
+			args:        []string{"--timeout", "2", "--time", "2", "container-1"},
+			expectedErr: "conflicting options: cannot specify both --timeout and --time",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			var restarted []string
+			mutex := new(sync.Mutex)
+
+			cli := test.NewFakeCli(&fakeClient{
+				containerRestartFunc: func(ctx context.Context, containerID string, options container.StopOptions) error {
+					assert.Check(t, is.DeepEqual(options, tc.expectedOpts))
+					if containerID == "nosuchcontainer" {
+						return errdefs.NotFound(errors.New("Error: no such container: " + containerID))
+					}
+
+					// TODO(thaJeztah): consider using parallelOperation for restart, similar to "stop" and "remove"
+					mutex.Lock()
+					restarted = append(restarted, containerID)
+					mutex.Unlock()
+					return nil
+				},
+				Version: "1.36",
+			})
+			cmd := NewRestartCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs(tc.args)
+
+			err := cmd.Execute()
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorContains(err, tc.expectedErr))
+			} else {
+				assert.Check(t, is.Nil(err))
+			}
+			sort.Strings(restarted)
+			assert.Check(t, is.DeepEqual(restarted, tc.restarted))
+		})
+	}
+}

cli/command/container/rm.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -10,7 +11,6 @@ import (
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -38,7 +38,9 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container rm, docker container remove, docker rm",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, true),
+		ValidArgsFunction: completion.ContainerNames(dockerCli, true, func(ctr container.Summary) bool {
+			return opts.force || ctr.State == "exited" || ctr.State == "created"
+		}),
 	}
 
 	flags := cmd.Flags()
@@ -48,33 +50,31 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runRm(ctx context.Context, dockerCli command.Cli, opts *rmOptions) error {
-	var errs []string
+func runRm(ctx context.Context, dockerCLI command.Cli, opts *rmOptions) error {
+	apiClient := dockerCLI.Client()
 	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, ctrID string) error {
 		ctrID = strings.Trim(ctrID, "/")
 		if ctrID == "" {
-			return errors.New("Container name cannot be empty")
+			return errors.New("container name cannot be empty")
 		}
-		return dockerCli.Client().ContainerRemove(ctx, ctrID, container.RemoveOptions{
+		return apiClient.ContainerRemove(ctx, ctrID, container.RemoveOptions{
 			RemoveVolumes: opts.rmVolumes,
 			RemoveLinks:   opts.rmLink,
 			Force:         opts.force,
 		})
 	})
 
+	var errs []error
 	for _, name := range opts.containers {
 		if err := <-errChan; err != nil {
 			if opts.force && errdefs.IsNotFound(err) {
-				fmt.Fprintln(dockerCli.Err(), err)
+				_, _ = fmt.Fprintln(dockerCLI.Err(), err)
 				continue
 			}
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 			continue
 		}
-		fmt.Fprintln(dockerCli.Out(), name)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), name)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/rm_test.go

@@ -23,7 +23,6 @@ func TestRemoveForce(t *testing.T) {
 		{name: "without force", args: []string{"nosuchcontainer", "mycontainer"}, expectedErr: "no such container"},
 		{name: "with force", args: []string{"--force", "nosuchcontainer", "mycontainer"}, expectedErr: ""},
 	} {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			var removed []string
 			mutex := new(sync.Mutex)

cli/command/container/run.go

@@ -43,7 +43,7 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 			}
 			return runRun(cmd.Context(), dockerCli, cmd.Flags(), &options, copts)
 		},
-		ValidArgsFunction: completion.ImageNames(dockerCli),
+		ValidArgsFunction: completion.ImageNames(dockerCli, 1),
 		Annotations: map[string]string{
 			"category-top": "1",
 			"aliases":      "docker container run, docker run",
@@ -69,22 +69,25 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 	command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
 	copts = addFlags(flags)
 
-	_ = cmd.RegisterFlagCompletionFunc("cap-add", completeLinuxCapabilityNames)
-	_ = cmd.RegisterFlagCompletionFunc("cap-drop", completeLinuxCapabilityNames)
-	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames)
-	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames)
-	_ = cmd.RegisterFlagCompletionFunc("network", completion.NetworkNames(dockerCli))
-	_ = cmd.RegisterFlagCompletionFunc("pull", completion.FromList(PullImageAlways, PullImageMissing, PullImageNever))
-	_ = cmd.RegisterFlagCompletionFunc("restart", completeRestartPolicies)
-	_ = cmd.RegisterFlagCompletionFunc("stop-signal", completeSignals)
-	_ = cmd.RegisterFlagCompletionFunc("volumes-from", completion.ContainerNames(dockerCli, true))
+	_ = cmd.RegisterFlagCompletionFunc("detach-keys", completeDetachKeys)
+	addCompletions(cmd, dockerCli)
+
+	flags.VisitAll(func(flag *pflag.Flag) {
+		// Set a default completion function if none was set. We don't look
+		// up if it does already have one set, because Cobra does this for
+		// us, and returns an error (which we ignore for this reason).
+		_ = cmd.RegisterFlagCompletionFunc(flag.Name, completion.NoComplete)
+	})
+
 	return cmd
 }
 
 func runRun(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copts *containerOptions) error {
 	if err := validatePullOpt(ropts.pull); err != nil {
-		reportError(dockerCli.Err(), "run", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "run").Error(),
+			StatusCode: 125,
+		}
 	}
 	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
 	newEnv := []string{}
@@ -99,20 +102,22 @@ func runRun(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, ro
 	containerCfg, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	// just in case the parse does not exit
 	if err != nil {
-		reportError(dockerCli.Err(), "run", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "run").Error(),
+			StatusCode: 125,
+		}
 	}
 	if err = validateAPIVersion(containerCfg, dockerCli.CurrentVersion()); err != nil {
-		reportError(dockerCli.Err(), "run", err.Error(), true)
-		return cli.StatusError{StatusCode: 125}
+		return cli.StatusError{
+			Status:     withHelp(err, "run").Error(),
+			StatusCode: 125,
+		}
 	}
 	return runContainer(ctx, dockerCli, ropts, copts, containerCfg)
 }
 
 //nolint:gocyclo
 func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOptions, copts *containerOptions, containerCfg *containerConfig) error {
-	ctx = context.WithoutCancel(ctx)
-
 	config := containerCfg.Config
 	stdout, stderr := dockerCli.Out(), dockerCli.Err()
 	apiClient := dockerCli.Client()
@@ -125,7 +130,7 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 		}
 	} else {
 		if copts.attach.Len() != 0 {
-			return errors.New("Conflicting options: -a and -d")
+			return errors.New("conflicting options: cannot specify both --attach and --detach")
 		}
 
 		config.AttachStdin = false
@@ -134,13 +139,9 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 		config.StdinOnce = false
 	}
 
-	ctx, cancelFun := context.WithCancel(ctx)
-	defer cancelFun()
-
 	containerID, err := createContainer(ctx, dockerCli, containerCfg, &runOpts.createOptions)
 	if err != nil {
-		reportError(stderr, "run", err.Error(), true)
-		return runStartContainerErr(err)
+		return toStatusError(err)
 	}
 	if runOpts.sigProxy {
 		sigc := notifyAllSignals()
@@ -153,11 +154,15 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 		defer signal.StopCatch(sigc)
 	}
 
+	ctx, cancelFun := context.WithCancel(context.WithoutCancel(ctx))
+	defer cancelFun()
+
 	var (
 		waitDisplayID chan struct{}
 		errCh         chan error
 	)
-	if !config.AttachStdout && !config.AttachStderr {
+	attach := config.AttachStdin || config.AttachStdout || config.AttachStderr
+	if !attach {
 		// Make this asynchronous to allow the client to write to stdin before having to read the ID
 		waitDisplayID = make(chan struct{})
 		go func() {
@@ -165,7 +170,6 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 			_, _ = fmt.Fprintln(stdout, containerID)
 		}()
 	}
-	attach := config.AttachStdin || config.AttachStdout || config.AttachStderr
 	if attach {
 		detachKeys := dockerCli.ConfigFile().DetachKeys
 		if runOpts.detachKeys != "" {
@@ -204,22 +208,29 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 			<-errCh
 		}
 
-		reportError(stderr, "run", err.Error(), false)
 		if copts.autoRemove {
 			// wait container to be removed
 			<-statusChan
 		}
-		return runStartContainerErr(err)
+		return toStatusError(err)
 	}
 
-	if (config.AttachStdin || config.AttachStdout || config.AttachStderr) && config.Tty && dockerCli.Out().IsTerminal() {
+	// Detached mode: wait for the id to be displayed and return.
+	if !attach {
+		// Detached mode
+		<-waitDisplayID
+		return nil
+	}
+
+	if config.Tty && dockerCli.Out().IsTerminal() {
 		if err := MonitorTtySize(ctx, dockerCli, containerID, false); err != nil {
 			_, _ = fmt.Fprintln(stderr, "Error monitoring TTY size:", err)
 		}
 	}
 
-	if errCh != nil {
-		if err := <-errCh; err != nil {
+	select {
+	case err := <-errCh:
+		if err != nil {
 			if _, ok := err.(term.EscapeError); ok {
 				// The user entered the detach escape sequence.
 				return nil
@@ -228,19 +239,20 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 			logrus.Debugf("Error hijack: %s", err)
 			return err
 		}
+		status := <-statusChan
+		if status != 0 {
+			return cli.StatusError{StatusCode: status}
+		}
+	case status := <-statusChan:
+		// notify hijackedIOStreamer that we're exiting and wait
+		// so that the terminal can be restored.
+		cancelFun()
+		<-errCh
+		if status != 0 {
+			return cli.StatusError{StatusCode: status}
+		}
 	}
 
-	// Detached mode: wait for the id to be displayed and return.
-	if !config.AttachStdout && !config.AttachStderr {
-		// Detached mode
-		<-waitDisplayID
-		return nil
-	}
-
-	status := <-statusChan
-	if status != 0 {
-		return cli.StatusError{StatusCode: status}
-	}
 	return nil
 }
 
@@ -292,30 +304,43 @@ func attachContainer(ctx context.Context, dockerCli command.Cli, containerID str
 	return resp.Close, nil
 }
 
-// reportError is a utility method that prints a user-friendly message
-// containing the error that occurred during parsing and a suggestion to get help
-func reportError(stderr io.Writer, name string, str string, withHelp bool) {
-	str = strings.TrimSuffix(str, ".") + "."
-	if withHelp {
-		str += "\nSee 'docker " + name + " --help'."
-	}
-	_, _ = fmt.Fprintln(stderr, "docker:", str)
+// withHelp decorates the error with a suggestion to use "--help".
+func withHelp(err error, commandName string) error {
+	return fmt.Errorf("docker: %w\n\nRun 'docker %s --help' for more information", err, commandName)
 }
 
-// if container start fails with 'not found'/'no such' error, return 127
-// if container start fails with 'permission denied' error, return 126
-// return 125 for generic docker daemon failures
-func runStartContainerErr(err error) error {
-	trimmedErr := strings.TrimPrefix(err.Error(), "Error response from daemon: ")
-	statusError := cli.StatusError{StatusCode: 125}
-	if strings.Contains(trimmedErr, "executable file not found") ||
-		strings.Contains(trimmedErr, "no such file or directory") ||
-		strings.Contains(trimmedErr, "system cannot find the file specified") {
-		statusError = cli.StatusError{StatusCode: 127}
-	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) ||
-		strings.Contains(trimmedErr, syscall.EISDIR.Error()) {
-		statusError = cli.StatusError{StatusCode: 126}
+// toStatusError attempts to detect specific error-conditions to assign
+// an appropriate exit-code for situations where the problem originates
+// from the container. It returns [cli.StatusError] with the original
+// error message and the Status field set as follows:
+//
+// - 125: for generic failures sent back from the daemon
+// - 126: if container start fails with 'permission denied' error
+// - 127: if container start fails with 'not found'/'no such' error
+func toStatusError(err error) error {
+	// TODO(thaJeztah): some of these errors originate from the container: should we actually suggest "--help" for those?
+
+	errMsg := err.Error()
+
+	if strings.Contains(errMsg, "executable file not found") || strings.Contains(errMsg, "no such file or directory") || strings.Contains(errMsg, "system cannot find the file specified") {
+		return cli.StatusError{
+			Cause:      err,
+			Status:     withHelp(err, "run").Error(),
+			StatusCode: 127,
+		}
 	}
 
-	return statusError
+	if strings.Contains(errMsg, syscall.EACCES.Error()) || strings.Contains(errMsg, syscall.EISDIR.Error()) {
+		return cli.StatusError{
+			Cause:      err,
+			Status:     withHelp(err, "run").Error(),
+			StatusCode: 126,
+		}
+	}
+
+	return cli.StatusError{
+		Cause:      err,
+		Status:     withHelp(err, "run").Error(),
+		StatusCode: 125,
+	}
 }

cli/command/container/run_test.go

@@ -2,7 +2,9 @@ package container
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"syscall"
@@ -16,13 +18,43 @@ import (
 	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/pkg/jsonmessage"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
+func TestRunValidateFlags(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		args        []string
+		expectedErr string
+	}{
+		{
+			name:        "with conflicting --attach, --detach",
+			args:        []string{"--attach", "stdin", "--detach", "myimage"},
+			expectedErr: "conflicting options: cannot specify both --attach and --detach",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := NewRunCommand(test.NewFakeCli(&fakeClient{}))
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs(tc.args)
+
+			err := cmd.Execute()
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorContains(err, tc.expectedErr))
+			} else {
+				assert.Check(t, is.Nil(err))
+			}
+		})
+	}
+}
+
 func TestRunLabel(t *testing.T) {
 	fakeCLI := test.NewFakeCli(&fakeClient{
 		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *specs.Platform, _ string) (container.CreateResponse, error) {
@@ -189,6 +221,84 @@ func TestRunAttachTermination(t *testing.T) {
 	}
 }
 
+func TestRunPullTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	attachCh := make(chan struct{})
+	fakeCLI := test.NewFakeCli(&fakeClient{
+		createContainerFunc: func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig,
+			platform *specs.Platform, containerName string,
+		) (container.CreateResponse, error) {
+			return container.CreateResponse{}, errors.New("shouldn't try to create a container")
+		},
+		containerAttachFunc: func(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error) {
+			return types.HijackedResponse{}, errors.New("shouldn't try to attach to a container")
+		},
+		imageCreateFunc: func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
+			server, client := net.Pipe()
+			t.Cleanup(func() {
+				_ = server.Close()
+			})
+			go func() {
+				enc := json.NewEncoder(server)
+				for i := 0; i < 100; i++ {
+					select {
+					case <-ctx.Done():
+						assert.NilError(t, server.Close(), "failed to close imageCreateFunc server")
+						return
+					default:
+						assert.NilError(t, enc.Encode(jsonmessage.JSONMessage{
+							Status:   "Downloading",
+							ID:       fmt.Sprintf("id-%d", i),
+							TimeNano: time.Now().UnixNano(),
+							Time:     time.Now().Unix(),
+							Progress: &jsonmessage.JSONProgress{
+								Current: int64(i),
+								Total:   100,
+								Start:   0,
+							},
+						}))
+						time.Sleep(100 * time.Millisecond)
+					}
+				}
+			}()
+			attachCh <- struct{}{}
+			return client, nil
+		},
+		Version: "1.30",
+	})
+
+	cmd := NewRunCommand(fakeCLI)
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	cmd.SetArgs([]string{"--pull", "always", "foobar:latest"})
+
+	cmdErrC := make(chan error, 1)
+	go func() {
+		cmdErrC <- cmd.ExecuteContext(ctx)
+	}()
+
+	select {
+	case <-time.After(5 * time.Second):
+		t.Fatal("imageCreateFunc was not called before the timeout")
+	case <-attachCh:
+	}
+
+	cancel()
+
+	select {
+	case cmdErr := <-cmdErrC:
+		assert.Equal(t, cmdErr, cli.StatusError{
+			Cause:      context.Canceled,
+			StatusCode: 125,
+			Status:     "docker: context canceled\n\nRun 'docker run --help' for more information",
+		})
+	case <-time.After(10 * time.Second):
+		t.Fatal("cmd did not return before the timeout")
+	}
+}
+
 func TestRunCommandWithContentTrustErrors(t *testing.T) {
 	testCases := []struct {
 		name          string
@@ -216,7 +326,6 @@ func TestRunCommandWithContentTrustErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			fakeCLI := test.NewFakeCli(&fakeClient{
 				createContainerFunc: func(config *container.Config,
@@ -234,8 +343,10 @@ func TestRunCommandWithContentTrustErrors(t *testing.T) {
 			cmd.SetOut(io.Discard)
 			cmd.SetErr(io.Discard)
 			err := cmd.Execute()
-			assert.Assert(t, err != nil)
-			assert.Assert(t, is.Contains(fakeCLI.ErrBuffer().String(), tc.expectedError))
+			statusErr := cli.StatusError{}
+			assert.Check(t, errors.As(err, &statusErr))
+			assert.Check(t, is.Equal(statusErr.StatusCode, 125))
+			assert.Check(t, is.ErrorContains(err, tc.expectedError))
 		})
 	}
 }
@@ -255,7 +366,6 @@ func TestRunContainerImagePullPolicyInvalid(t *testing.T) {
 		},
 	}
 	for _, tc := range cases {
-		tc := tc
 		t.Run(tc.PullPolicy, func(t *testing.T) {
 			dockerCli := test.NewFakeCli(&fakeClient{})
 			err := runRun(
@@ -268,8 +378,8 @@ func TestRunContainerImagePullPolicyInvalid(t *testing.T) {
 
 			statusErr := cli.StatusError{}
 			assert.Check(t, errors.As(err, &statusErr))
-			assert.Equal(t, statusErr.StatusCode, 125)
-			assert.Check(t, is.Contains(dockerCli.ErrBuffer().String(), tc.ExpectedErrMsg))
+			assert.Check(t, is.Equal(statusErr.StatusCode, 125))
+			assert.Check(t, is.ErrorContains(err, tc.ExpectedErrMsg))
 		})
 	}
 }

cli/command/container/start.go

@@ -9,7 +9,6 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/moby/sys/signal"
 	"github.com/moby/term"
@@ -43,8 +42,8 @@ func NewStartCommand(dockerCli command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container start, docker start",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, true, func(container types.Container) bool {
-			return container.State == "exited" || container.State == "created"
+		ValidArgsFunction: completion.ContainerNames(dockerCli, true, func(ctr container.Summary) bool {
+			return ctr.State == "exited" || ctr.State == "created"
 		}),
 	}
 

cli/command/container/stats.go

@@ -1,7 +1,9 @@
 package container
 
 import (
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -16,7 +18,6 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -237,16 +238,16 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		// make sure each container get at least one valid stat data
 		waitFirst.Wait()
 
-		var errs []string
+		var errs []error
 		cStats.mu.RLock()
 		for _, c := range cStats.cs {
 			if err := c.GetError(); err != nil {
-				errs = append(errs, err.Error())
+				errs = append(errs, err)
 			}
 		}
 		cStats.mu.RUnlock()
-		if len(errs) > 0 {
-			return errors.New(strings.Join(errs, "\n"))
+		if err := errors.Join(errs...); err != nil {
+			return err
 		}
 	}
 
@@ -264,31 +265,50 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		// so we unlikely hit this code in practice.
 		daemonOSType = dockerCLI.ServerInfo().OSType
 	}
+
+	// Buffer to store formatted stats text.
+	// Once formatted, it will be printed in one write to avoid screen flickering.
+	var statsTextBuffer bytes.Buffer
+
 	statsCtx := formatter.Context{
-		Output: dockerCLI.Out(),
+		Output: &statsTextBuffer,
 		Format: NewStatsFormat(format, daemonOSType),
 	}
-	cleanScreen := func() {
-		if !options.NoStream {
-			_, _ = fmt.Fprint(dockerCLI.Out(), "\033[2J")
-			_, _ = fmt.Fprint(dockerCLI.Out(), "\033[H")
-		}
-	}
 
 	var err error
 	ticker := time.NewTicker(500 * time.Millisecond)
 	defer ticker.Stop()
 	for range ticker.C {
-		cleanScreen()
 		var ccStats []StatsEntry
 		cStats.mu.RLock()
 		for _, c := range cStats.cs {
 			ccStats = append(ccStats, c.GetStatistics())
 		}
 		cStats.mu.RUnlock()
+
+		if !options.NoStream {
+			// Start by moving the cursor to the top-left
+			_, _ = fmt.Fprint(&statsTextBuffer, "\033[H")
+		}
+
 		if err = statsFormatWrite(statsCtx, ccStats, daemonOSType, !options.NoTrunc); err != nil {
 			break
 		}
+
+		if !options.NoStream {
+			for _, line := range strings.Split(statsTextBuffer.String(), "\n") {
+				// In case the new text is shorter than the one we are writing over,
+				// we'll append the "erase line" escape sequence to clear the remaining text.
+				_, _ = fmt.Fprintln(&statsTextBuffer, line, "\033[K")
+			}
+
+			// We might have fewer containers than before, so let's clear the remaining text
+			_, _ = fmt.Fprint(&statsTextBuffer, "\033[J")
+		}
+
+		_, _ = fmt.Fprint(dockerCLI.Out(), statsTextBuffer.String())
+		statsTextBuffer.Reset()
+
 		if len(cStats.cs) == 0 && !showAll {
 			break
 		}

cli/command/container/stop.go

@@ -2,14 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -30,8 +29,11 @@ func NewStopCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Stop one or more running containers",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if cmd.Flags().Changed("time") && cmd.Flags().Changed("timeout") {
+				return errors.New("conflicting options: cannot specify both --timeout and --time")
+			}
 			opts.containers = args
-			opts.timeoutChanged = cmd.Flags().Changed("time")
+			opts.timeoutChanged = cmd.Flags().Changed("timeout") || cmd.Flags().Changed("time")
 			return runStop(cmd.Context(), dockerCli, &opts)
 		},
 		Annotations: map[string]string{
@@ -42,35 +44,37 @@ func NewStopCommand(dockerCli command.Cli) *cobra.Command {
 
 	flags := cmd.Flags()
 	flags.StringVarP(&opts.signal, "signal", "s", "", "Signal to send to the container")
-	flags.IntVarP(&opts.timeout, "time", "t", 0, "Seconds to wait before killing the container")
+	flags.IntVarP(&opts.timeout, "timeout", "t", 0, "Seconds to wait before killing the container")
+
+	// The --time option is deprecated, but kept for backward compatibility.
+	flags.IntVar(&opts.timeout, "time", 0, "Seconds to wait before killing the container (deprecated: use --timeout)")
+	_ = flags.MarkDeprecated("time", "use --timeout instead")
 
 	_ = cmd.RegisterFlagCompletionFunc("signal", completeSignals)
 
 	return cmd
 }
 
-func runStop(ctx context.Context, dockerCli command.Cli, opts *stopOptions) error {
+func runStop(ctx context.Context, dockerCLI command.Cli, opts *stopOptions) error {
 	var timeout *int
 	if opts.timeoutChanged {
 		timeout = &opts.timeout
 	}
 
+	apiClient := dockerCLI.Client()
 	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, id string) error {
-		return dockerCli.Client().ContainerStop(ctx, id, container.StopOptions{
+		return apiClient.ContainerStop(ctx, id, container.StopOptions{
 			Signal:  opts.signal,
 			Timeout: timeout,
 		})
 	})
-	var errs []string
+	var errs []error
 	for _, ctr := range opts.containers {
 		if err := <-errChan; err != nil {
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 			continue
 		}
-		_, _ = fmt.Fprintln(dockerCli.Out(), ctr)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), ctr)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/stop_test.go

@@ -0,0 +1,96 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"io"
+	"sort"
+	"sync"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/errdefs"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestStop(t *testing.T) {
+	for _, tc := range []struct {
+		name         string
+		args         []string
+		stopped      []string
+		expectedOpts container.StopOptions
+		expectedErr  string
+	}{
+		{
+			name:    "without options",
+			args:    []string{"container-1", "container-2"},
+			stopped: []string{"container-1", "container-2"},
+		},
+		{
+			name:        "with unknown container",
+			args:        []string{"container-1", "nosuchcontainer", "container-2"},
+			expectedErr: "no such container",
+			stopped:     []string{"container-1", "container-2"},
+		},
+		{
+			name:         "with -t",
+			args:         []string{"-t", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			stopped:      []string{"container-1"},
+		},
+		{
+			name:         "with --timeout",
+			args:         []string{"--timeout", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			stopped:      []string{"container-1"},
+		},
+		{
+			name:         "with --time",
+			args:         []string{"--time", "2", "container-1"},
+			expectedOpts: container.StopOptions{Timeout: func(to int) *int { return &to }(2)},
+			stopped:      []string{"container-1"},
+		},
+		{
+			name:        "conflicting options",
+			args:        []string{"--timeout", "2", "--time", "2", "container-1"},
+			expectedErr: "conflicting options: cannot specify both --timeout and --time",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			var stopped []string
+			mutex := new(sync.Mutex)
+
+			cli := test.NewFakeCli(&fakeClient{
+				containerStopFunc: func(ctx context.Context, containerID string, options container.StopOptions) error {
+					assert.Check(t, is.DeepEqual(options, tc.expectedOpts))
+					if containerID == "nosuchcontainer" {
+						return errdefs.NotFound(errors.New("Error: no such container: " + containerID))
+					}
+
+					// containerStopFunc is called in parallel for each container
+					// so append must be synchronized.
+					mutex.Lock()
+					stopped = append(stopped, containerID)
+					mutex.Unlock()
+					return nil
+				},
+				Version: "1.36",
+			})
+			cmd := NewStopCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs(tc.args)
+
+			err := cmd.Execute()
+			if tc.expectedErr != "" {
+				assert.Check(t, is.ErrorContains(err, tc.expectedErr))
+			} else {
+				assert.Check(t, is.Nil(err))
+			}
+			sort.Strings(stopped)
+			assert.Check(t, is.DeepEqual(stopped, tc.stopped))
+		})
+	}
+}

cli/command/container/tty_test.go

@@ -2,13 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"testing"
 	"time"
 
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -16,7 +16,7 @@ import (
 func TestInitTtySizeErrors(t *testing.T) {
 	expectedError := "failed to resize tty, using default size\n"
 	fakeContainerExecResizeFunc := func(id string, options container.ResizeOptions) error {
-		return errors.Errorf("Error response from daemon: no such exec")
+		return errors.New("Error response from daemon: no such exec")
 	}
 	fakeResizeTtyFunc := func(ctx context.Context, cli command.Cli, id string, isExec bool) error {
 		height, width := uint(1024), uint(768)

cli/command/container/unpause.go

@@ -2,14 +2,13 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
-	"github.com/pkg/errors"
+	"github.com/docker/docker/api/types/container"
 	"github.com/spf13/cobra"
 )
 
@@ -32,25 +31,23 @@ func NewUnpauseCommand(dockerCli command.Cli) *cobra.Command {
 		Annotations: map[string]string{
 			"aliases": "docker container unpause, docker unpause",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(container types.Container) bool {
-			return container.State == "paused"
+		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
+			return ctr.State == "paused"
 		}),
 	}
 	return cmd
 }
 
-func runUnpause(ctx context.Context, dockerCli command.Cli, opts *unpauseOptions) error {
-	var errs []string
-	errChan := parallelOperation(ctx, opts.containers, dockerCli.Client().ContainerUnpause)
-	for _, container := range opts.containers {
+func runUnpause(ctx context.Context, dockerCLI command.Cli, opts *unpauseOptions) error {
+	apiClient := dockerCLI.Client()
+	errChan := parallelOperation(ctx, opts.containers, apiClient.ContainerUnpause)
+	var errs []error
+	for _, ctr := range opts.containers {
 		if err := <-errChan; err != nil {
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 			continue
 		}
-		fmt.Fprintln(dockerCli.Out(), container)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), ctr)
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/container/update.go

@@ -132,17 +132,17 @@ func runUpdate(ctx context.Context, dockerCli command.Cli, options *updateOption
 		warns []string
 		errs  []string
 	)
-	for _, container := range options.containers {
-		r, err := dockerCli.Client().ContainerUpdate(ctx, container, updateConfig)
+	for _, ctr := range options.containers {
+		r, err := dockerCli.Client().ContainerUpdate(ctx, ctr, updateConfig)
 		if err != nil {
 			errs = append(errs, err.Error())
 		} else {
-			fmt.Fprintln(dockerCli.Out(), container)
+			_, _ = fmt.Fprintln(dockerCli.Out(), ctr)
 		}
 		warns = append(warns, r.Warnings...)
 	}
 	if len(warns) > 0 {
-		fmt.Fprintln(dockerCli.Out(), strings.Join(warns, "\n"))
+		_, _ = fmt.Fprintln(dockerCli.Out(), strings.Join(warns, "\n"))
 	}
 	if len(errs) > 0 {
 		return errors.New(strings.Join(errs, "\n"))

cli/command/container/utils_test.go

@@ -38,7 +38,7 @@ func waitFn(cid string) (<-chan container.WaitResponse, <-chan error) {
 }
 
 func TestWaitExitOrRemoved(t *testing.T) {
-	testcases := []struct {
+	tests := []struct {
 		cid      string
 		exitCode int
 	}{
@@ -61,9 +61,11 @@ func TestWaitExitOrRemoved(t *testing.T) {
 	}
 
 	client := &fakeClient{waitFunc: waitFn, Version: api.DefaultVersion}
-	for _, testcase := range testcases {
-		statusC := waitExitOrRemoved(context.Background(), client, testcase.cid, true)
-		exitCode := <-statusC
-		assert.Check(t, is.Equal(testcase.exitCode, exitCode))
+	for _, tc := range tests {
+		t.Run(tc.cid, func(t *testing.T) {
+			statusC := waitExitOrRemoved(context.Background(), client, tc.cid, true)
+			exitCode := <-statusC
+			assert.Check(t, is.Equal(tc.exitCode, exitCode))
+		})
 	}
 }

cli/command/container/wait.go

@@ -2,13 +2,12 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -37,20 +36,19 @@ func NewWaitCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runWait(ctx context.Context, dockerCli command.Cli, opts *waitOptions) error {
-	var errs []string
-	for _, container := range opts.containers {
-		resultC, errC := dockerCli.Client().ContainerWait(ctx, container, "")
+func runWait(ctx context.Context, dockerCLI command.Cli, opts *waitOptions) error {
+	apiClient := dockerCLI.Client()
+
+	var errs []error
+	for _, ctr := range opts.containers {
+		resultC, errC := apiClient.ContainerWait(ctx, ctr, "")
 
 		select {
 		case result := <-resultC:
-			fmt.Fprintf(dockerCli.Out(), "%d\n", result.StatusCode)
+			_, _ = fmt.Fprintf(dockerCLI.Out(), "%d\n", result.StatusCode)
 		case err := <-errC:
-			errs = append(errs, err.Error())
+			errs = append(errs, err)
 		}
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }

cli/command/context.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package command
 

cli/command/context/create.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package context
 
@@ -34,11 +34,11 @@ func longCreateDescription() string {
 	buf := bytes.NewBuffer(nil)
 	buf.WriteString("Create a context\n\nDocker endpoint config:\n\n")
 	tw := tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
-	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	_, _ = fmt.Fprintln(tw, "NAME\tDESCRIPTION")
 	for _, d := range dockerConfigKeysDescriptions {
-		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+		_, _ = fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
 	}
-	tw.Flush()
+	_ = tw.Flush()
 	buf.WriteString("\nExample:\n\n$ docker context create my-context --description \"some description\" --docker \"host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file\"\n")
 	return buf.String()
 }
@@ -79,8 +79,8 @@ func RunCreate(dockerCLI command.Cli, o *CreateOptions) error {
 		err = createNewContext(s, o)
 	}
 	if err == nil {
-		fmt.Fprintln(dockerCLI.Out(), o.Name)
-		fmt.Fprintf(dockerCLI.Err(), "Successfully created context %q\n", o.Name)
+		_, _ = fmt.Fprintln(dockerCLI.Out(), o.Name)
+		_, _ = fmt.Fprintf(dockerCLI.Err(), "Successfully created context %q\n", o.Name)
 	}
 	return err
 }

cli/command/context/create_test.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package context
 
@@ -94,7 +94,6 @@ func TestCreate(t *testing.T) {
 		},
 	}
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.options.Name, func(t *testing.T) {
 			err := RunCreate(cli, &tc.options)
 			if tc.expecterErr == "" {
@@ -164,25 +163,24 @@ func TestCreateFromContext(t *testing.T) {
 
 	cli.SetCurrentContext("dummy")
 
-	for _, c := range cases {
-		c := c
-		t.Run(c.name, func(t *testing.T) {
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
 			cli.ResetOutputBuffers()
 			err := RunCreate(cli, &CreateOptions{
 				From:        "original",
-				Name:        c.name,
-				Description: c.description,
-				Docker:      c.docker,
+				Name:        tc.name,
+				Description: tc.description,
+				Docker:      tc.docker,
 			})
 			assert.NilError(t, err)
-			assertContextCreateLogging(t, cli, c.name)
-			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assertContextCreateLogging(t, cli, tc.name)
+			newContext, err := cli.ContextStore().GetMetadata(tc.name)
 			assert.NilError(t, err)
 			newContextTyped, err := command.GetDockerContext(newContext)
 			assert.NilError(t, err)
 			dockerEndpoint, err := docker.EndpointFromContext(newContext)
 			assert.NilError(t, err)
-			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.Description, tc.expectedDescription)
 			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
 		})
 	}
@@ -219,23 +217,22 @@ func TestCreateFromCurrent(t *testing.T) {
 
 	cli.SetCurrentContext("original")
 
-	for _, c := range cases {
-		c := c
-		t.Run(c.name, func(t *testing.T) {
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
 			cli.ResetOutputBuffers()
 			err := RunCreate(cli, &CreateOptions{
-				Name:        c.name,
-				Description: c.description,
+				Name:        tc.name,
+				Description: tc.description,
 			})
 			assert.NilError(t, err)
-			assertContextCreateLogging(t, cli, c.name)
-			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assertContextCreateLogging(t, cli, tc.name)
+			newContext, err := cli.ContextStore().GetMetadata(tc.name)
 			assert.NilError(t, err)
 			newContextTyped, err := command.GetDockerContext(newContext)
 			assert.NilError(t, err)
 			dockerEndpoint, err := docker.EndpointFromContext(newContext)
 			assert.NilError(t, err)
-			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.Description, tc.expectedDescription)
 			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
 		})
 	}

cli/command/context/import.go

@@ -45,7 +45,7 @@ func RunImport(dockerCli command.Cli, name string, source string) error {
 		return err
 	}
 
-	fmt.Fprintln(dockerCli.Out(), name)
-	fmt.Fprintf(dockerCli.Err(), "Successfully imported context %q\n", name)
+	_, _ = fmt.Fprintln(dockerCli.Out(), name)
+	_, _ = fmt.Fprintf(dockerCli.Err(), "Successfully imported context %q\n", name)
 	return nil
 }

cli/command/context/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package context
 

cli/command/context/list.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package context
 

cli/command/context/options.go

@@ -1,14 +1,14 @@
 package context
 
 import (
+	"errors"
+	"fmt"
 	"strconv"
-	"strings"
 
 	"github.com/docker/cli/cli/context"
 	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/docker/client"
-	"github.com/pkg/errors"
 )
 
 const (
@@ -68,20 +68,17 @@ func parseBool(config map[string]string, name string) (bool, error) {
 		return false, nil
 	}
 	res, err := strconv.ParseBool(strVal)
-	return res, errors.Wrap(err, name)
+	return res, fmt.Errorf("name: %w", err)
 }
 
 func validateConfig(config map[string]string, allowedKeys map[string]struct{}) error {
-	var errs []string
+	var errs []error
 	for k := range config {
 		if _, ok := allowedKeys[k]; !ok {
-			errs = append(errs, "unrecognized config key: "+k)
+			errs = append(errs, errors.New("unrecognized config key: "+k))
 		}
 	}
-	if len(errs) == 0 {
-		return nil
-	}
-	return errors.New(strings.Join(errs, "\n"))
+	return errors.Join(errs...)
 }
 
 func getDockerEndpoint(contextStore store.Reader, config map[string]string) (docker.Endpoint, error) {
@@ -96,7 +93,7 @@ func getDockerEndpoint(contextStore store.Reader, config map[string]string) (doc
 		if ep, ok := metadata.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta); ok {
 			return docker.Endpoint{EndpointMeta: ep}, nil
 		}
-		return docker.Endpoint{}, errors.Errorf("unable to get endpoint from context %q", contextName)
+		return docker.Endpoint{}, fmt.Errorf("unable to get endpoint from context %q", contextName)
 	}
 	tlsData, err := context.TLSDataFromFiles(config[keyCA], config[keyCert], config[keyKey])
 	if err != nil {
@@ -116,10 +113,11 @@ func getDockerEndpoint(contextStore store.Reader, config map[string]string) (doc
 	// try to resolve a docker client, validating the configuration
 	opts, err := ep.ClientOpts()
 	if err != nil {
-		return docker.Endpoint{}, errors.Wrap(err, "invalid docker endpoint options")
+		return docker.Endpoint{}, fmt.Errorf("invalid docker endpoint options: %w", err)
 	}
+	// FIXME(thaJeztah): this creates a new client (but discards it) only to validate the options; are the validation steps above not enough?
 	if _, err := client.NewClientWithOpts(opts...); err != nil {
-		return docker.Endpoint{}, errors.Wrap(err, "unable to apply docker endpoint options")
+		return docker.Endpoint{}, fmt.Errorf("unable to apply docker endpoint options: %w", err)
 	}
 	return ep, nil
 }

cli/command/context/remove.go

@@ -1,14 +1,13 @@
 package context
 
 import (
+	"errors"
 	"fmt"
 	"os"
-	"strings"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -33,28 +32,25 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunRemove removes one or more contexts
-func RunRemove(dockerCli command.Cli, opts RemoveOptions, names []string) error {
-	var errs []string
-	currentCtx := dockerCli.CurrentContext()
+func RunRemove(dockerCLI command.Cli, opts RemoveOptions, names []string) error {
+	var errs []error
+	currentCtx := dockerCLI.CurrentContext()
 	for _, name := range names {
 		if name == "default" {
-			errs = append(errs, `default: context "default" cannot be removed`)
-		} else if err := doRemove(dockerCli, name, name == currentCtx, opts.Force); err != nil {
-			errs = append(errs, err.Error())
+			errs = append(errs, errors.New(`context "default" cannot be removed`))
+		} else if err := doRemove(dockerCLI, name, name == currentCtx, opts.Force); err != nil {
+			errs = append(errs, err)
 		} else {
-			fmt.Fprintln(dockerCli.Out(), name)
+			_, _ = fmt.Fprintln(dockerCLI.Out(), name)
 		}
 	}
-	if len(errs) > 0 {
-		return errors.New(strings.Join(errs, "\n"))
-	}
-	return nil
+	return errors.Join(errs...)
 }
 
 func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
 	if isCurrent {
 		if !force {
-			return errors.Errorf("context %q is in use, set -f flag to force remove", name)
+			return fmt.Errorf("context %q is in use, set -f flag to force remove", name)
 		}
 		// fallback to DOCKER_HOST
 		cfg := dockerCli.ConfigFile()
@@ -65,6 +61,7 @@ func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
 	}
 
 	if !force {
+		// TODO(thaJeztah): instead of checking before removing, can we make ContextStore().Remove() return a proper errdef and ignore "not found" errors?
 		if err := checkContextExists(dockerCli, name); err != nil {
 			return err
 		}
@@ -77,7 +74,7 @@ func checkContextExists(dockerCli command.Cli, name string) error {
 	contextDir := dockerCli.ContextStore().GetStorageInfo(name).MetadataPath
 	_, err := os.Stat(contextDir)
 	if os.IsNotExist(err) {
-		return errdefs.NotFound(errors.Errorf("context %q does not exist", name))
+		return errdefs.NotFound(fmt.Errorf("context %q does not exist", name))
 	}
 	// Ignore other errors; if relevant, they will produce an error when
 	// performing the actual delete.

cli/command/context/remove_test.go

@@ -60,5 +60,5 @@ func TestRemoveDefault(t *testing.T) {
 	createTestContext(t, cli, "other", nil)
 	cli.SetCurrentContext("current")
 	err := RunRemove(cli, RemoveOptions{}, []string{"default"})
-	assert.ErrorContains(t, err, `default: context "default" cannot be removed`)
+	assert.ErrorContains(t, err, `context "default" cannot be removed`)
 }

cli/command/context/update.go

@@ -24,11 +24,11 @@ func longUpdateDescription() string {
 	buf := bytes.NewBuffer(nil)
 	buf.WriteString("Update a context\n\nDocker endpoint config:\n\n")
 	tw := tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
-	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	_, _ = fmt.Fprintln(tw, "NAME\tDESCRIPTION")
 	for _, d := range dockerConfigKeysDescriptions {
-		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+		_, _ = fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
 	}
-	tw.Flush()
+	_ = tw.Flush()
 	buf.WriteString("\nExample:\n\n$ docker context update my-context --description \"some description\" --docker \"host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file\"\n")
 	return buf.String()
 }
@@ -93,8 +93,8 @@ func RunUpdate(dockerCLI command.Cli, o *UpdateOptions) error {
 		}
 	}
 
-	fmt.Fprintln(dockerCLI.Out(), o.Name)
-	fmt.Fprintf(dockerCLI.Err(), "Successfully updated context %q\n", o.Name)
+	_, _ = fmt.Fprintln(dockerCLI.Out(), o.Name)
+	_, _ = fmt.Fprintf(dockerCLI.Err(), "Successfully updated context %q\n", o.Name)
 	return nil
 }
 

cli/command/context/use.go

@@ -24,19 +24,19 @@ func newUseCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunUse set the current Docker context
-func RunUse(dockerCli command.Cli, name string) error {
+func RunUse(dockerCLI command.Cli, name string) error {
 	// configValue uses an empty string for "default"
 	var configValue string
 	if name != command.DefaultContextName {
 		if err := store.ValidateContextName(name); err != nil {
 			return err
 		}
-		if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil {
+		if _, err := dockerCLI.ContextStore().GetMetadata(name); err != nil {
 			return err
 		}
 		configValue = name
 	}
-	dockerConfig := dockerCli.ConfigFile()
+	dockerConfig := dockerCLI.ConfigFile()
 	// Avoid updating the config-file if nothing changed. This also prevents
 	// creating the file and config-directory if the default is used and
 	// no config-file existed yet.
@@ -46,10 +46,10 @@ func RunUse(dockerCli command.Cli, name string) error {
 			return err
 		}
 	}
-	fmt.Fprintln(dockerCli.Out(), name)
-	fmt.Fprintf(dockerCli.Err(), "Current context is now %q\n", name)
+	_, _ = fmt.Fprintln(dockerCLI.Out(), name)
+	_, _ = fmt.Fprintf(dockerCLI.Err(), "Current context is now %q\n", name)
 	if name != command.DefaultContextName && os.Getenv(client.EnvOverrideHost) != "" {
-		fmt.Fprintf(dockerCli.Err(), "Warning: %[1]s environment variable overrides the active context. "+
+		_, _ = fmt.Fprintf(dockerCLI.Err(), "Warning: %[1]s environment variable overrides the active context. "+
 			"To use %[2]q, either set the global --context flag, or unset %[1]s environment variable.\n", client.EnvOverrideHost, name)
 	}
 	return nil

cli/command/context_test.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package command
 

cli/command/defaultcontextstore.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package command
 

cli/command/defaultcontextstore_test.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.21
+//go:build go1.22
 
 package command