Merge pull request #6148 from thaJeztah/vendor_rc2

vendor: github.com/docker/docker v28.3.0-rc.2

.dockerignore

@@ -1,6 +1,6 @@
 /build/
-/cli/winresources/versioninfo.json
-/cli/winresources/*.syso
+/cmd/docker/winresources/versioninfo.json
+/cmd/docker/winresources/*.syso
 /man/man*/
 /man/vendor/
 /man/go.sum

.github/workflows/build.yml

@@ -121,7 +121,6 @@ jobs:
             type=semver,pattern={{version}}
             type=ref,event=branch
             type=ref,event=pr
-            type=sha
       -
         name: Build and push image
         uses: docker/bake-action@v6

.github/workflows/codeql.yml

@@ -63,7 +63,7 @@ jobs:
         name: Update Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.4"
       -
         name: Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/e2e.yml

@@ -25,24 +25,22 @@ on:
   pull_request:
 
 jobs:
-  e2e:
+  tests:
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         target:
-          - non-experimental
-          - experimental
+          - local
           - connhelper-ssh
         base:
           - alpine
           - debian
         engine-version:
-          - 27.0  # latest
-          - 26.1  # latest - 1
-          - 23.0  # mirantis lts
-          # TODO(krissetto) 19.03 needs a look, doesn't work ubuntu 22.04 (cgroup errors). 
-          # we could have a separate job that tests it against ubuntu 20.04
+          - 28  # latest
+          - 27  # latest - 1
+          - 26  # github actions default
+          - 23  # mirantis lts
     steps:
       -
         name: Checkout

.github/workflows/test.yml

@@ -66,7 +66,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.6"
+          go-version: "1.24.4"
       -
         name: Test
         run: |

.github/workflows/validate-pr.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   check-area-label:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     steps:
       - name: Missing `area/` label
@@ -27,7 +27,7 @@ jobs:
         run: exit 0
 
   check-changelog:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     env:
       HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
@@ -65,7 +65,7 @@ jobs:
           echo "$desc"
 
   check-pr-branch:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     env:
       PR_TITLE: ${{ github.event.pull_request.title }}

.gitignore

@@ -8,8 +8,8 @@
 Thumbs.db
 .editorconfig
 /build/
-/cli/winresources/versioninfo.json
-/cli/winresources/*.syso
+/cmd/docker/winresources/versioninfo.json
+/cmd/docker/winresources/*.syso
 profile.out
 
 # top-level go.mod is not meant to be checked in

.golangci.yml

@@ -1,203 +1,226 @@
-linters:
-  enable:
-    - bodyclose
-    - copyloopvar   # Detects places where loop variables are copied.
-    - depguard
-    - dogsled
-    - dupword       # Detects duplicate words.
-    - durationcheck
-    - errchkjson
-    - gocritic      # Metalinter; detects bugs, performance, and styling issues.
-    - gocyclo
-    - gofumpt       # Detects whether code was gofumpt-ed.
-    - goimports
-    - gosec         # Detects security problems.
-    - gosimple
-    - govet
-    - ineffassign
-    - misspell      # Detects commonly misspelled English words in comments.
-    - nakedret      # Detects uses of naked returns.
-    - nilerr        # Detects code that returns nil even if it checks that the error is not nil.
-    - nolintlint    # Detects ill-formed or insufficient nolint directives.
-    - perfsprint    # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
-    - prealloc      # Detects slice declarations that could potentially be pre-allocated.
-    - predeclared   # Detects code that shadows one of Go's predeclared identifiers
-    - reassign
-    - revive        # Metalinter; drop-in replacement for golint.
-    - staticcheck
-    - stylecheck    # Replacement for golint
-    - thelper       # Detects test helpers without t.Helper().
-    - tparallel     # Detects inappropriate usage of t.Parallel().
-    - typecheck
-    - unconvert     # Detects unnecessary type conversions.
-    - unparam
-    - unused
-    - usestdlibvars
-    - usetesting    # Reports uses of functions with replacement inside the testing package.
-    - wastedassign
-
-  disable:
-    - errcheck
+version: "2"
 
 run:
   # prevent golangci-lint from deducting the go version to lint for through go.mod,
   # which causes it to fallback to go1.17 semantics.
   #
   # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
-  go: "1.23.6"
+  go: "1.24.4"
+
   timeout: 5m
 
-linters-settings:
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: "github.com/containerd/containerd/errdefs"
-            desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
-          - pkg: "github.com/containerd/containerd/log"
-            desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
-          - pkg: "github.com/containerd/containerd/pkg/userns"
-            desc: Use github.com/moby/sys/userns instead.
-          - pkg: "github.com/containerd/containerd/platforms"
-            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
-          - pkg: "github.com/docker/docker/pkg/system"
-            desc: This package should not be used unless strictly necessary.
-          - pkg: "io/ioutil"
-            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
-  gocyclo:
-    min-complexity: 16
-  gosec:
-    excludes:
-      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
-      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
-      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-  govet:
-    enable:
-      - shadow
-    settings:
-      shadow:
-        strict: true
-  lll:
-    line-length: 200
-  nakedret:
-    # Disallow naked returns if func has more lines of code than this setting.
-    # Default: 30
-    max-func-lines: 0
-
-  revive:
-    rules:
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
-      - name: empty-block
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-lines
-      - name: empty-lines
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
-      - name: import-shadowing
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
-      - name: line-length-limit
-        severity: warning
-        disabled: false
-        arguments: [200]
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
-      - name: unused-receiver
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any
-      - name: use-any
-        severity: warning
-        disabled: false
-
-  usetesting:
-    # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    os-chdir: false
-    # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    context-background: false
-    # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    context-todo: false
-
 issues:
-  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
-  exclude-use-default: false
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
 
-  # This option has been defined when Go modules was not existed and when the
-  # golangci-lint core was different, this is not something we still recommend.
-  exclude-dirs-use-default: false
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
 
-  exclude:
-    - parameter .* always receives
+formatters:
+  enable:
+    - gofumpt       # Detects whether code was gofumpt-ed.
+    - goimports
 
-  exclude-files:
-    - cli/compose/schema/bindata.go
-    - .*generated.*
+  exclusions:
+    generated: strict
 
-  exclude-rules:
-    # We prefer to use an "exclude-list" so that new "default" exclusions are not
+linters:
+  enable:
+    - asasalint                 # Detects "[]any" used as argument for variadic "func(...any)".
+    - bodyclose
+    - copyloopvar               # Detects places where loop variables are copied.
+    - depguard
+    - dogsled                   # Detects assignments with too many blank identifiers.
+    - dupword                   # Detects duplicate words.
+    - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
+    - errcheck
+    - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
+    - exhaustive                # Detects missing options in enum switch statements.
+    - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
+    - fatcontext                # Detects nested contexts in loops and function literals.
+    - forbidigo
+    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - gocritic                  # Metalinter; detects bugs, performance, and styling issues.
+    - gocyclo
+    - gosec                     # Detects security problems.
+    - govet
+    - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
+    - importas                  # Enforces consistent import aliases.
+    - ineffassign
+    - makezero                  # Finds slice declarations with non-zero initial length.
+    - mirror                    # Detects wrong mirror patterns of bytes/strings usage.
+    - misspell                  # Detects commonly misspelled English words in comments.
+    - nakedret                  # Detects uses of naked returns.
+    - nilnesserr                # Detects returning nil errors. It combines the features of nilness and nilerr,
+    - nosprintfhostport         # Detects misuse of Sprintf to construct a host with port in a URL.
+    - nolintlint                # Detects ill-formed or insufficient nolint directives.
+    - perfsprint                # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
+    - prealloc                  # Detects slice declarations that could potentially be pre-allocated.
+    - predeclared               # Detects code that shadows one of Go's predeclared identifiers
+    - reassign                  # Detects reassigning a top-level variable in another package.
+    - revive                    # Metalinter; drop-in replacement for golint.
+    - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
+    - staticcheck
+    - thelper                   # Detects test helpers without t.Helper().
+    - tparallel                 # Detects inappropriate usage of t.Parallel().
+    - unconvert                 # Detects unnecessary type conversions.
+    - unparam
+    - unused
+    - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
+    - usetesting                # Reports uses of functions with replacement inside the testing package.
+    - wastedassign              # Detects wasted assignment statements.
+
+  disable:
+    - errcheck
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/containerd/containerd/errdefs"
+              desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+            - pkg: "github.com/containerd/containerd/log"
+              desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+            - pkg: "github.com/containerd/containerd/pkg/userns"
+              desc: Use github.com/moby/sys/userns instead.
+            - pkg: "github.com/containerd/containerd/platforms"
+              desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
+            - pkg: "github.com/docker/docker/pkg/system"
+              desc: This package should not be used unless strictly necessary.
+            - pkg: "github.com/docker/distribution/uuid"
+              desc: Use github.com/google/uuid instead.
+            - pkg: "io/ioutil"
+              desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
+
+    forbidigo:
+      forbid:
+        - pkg: ^regexp$
+          pattern: ^regexp\.MustCompile
+          msg: Use internal/lazyregexp.New instead.
+
+    gocyclo:
+      min-complexity: 16
+
+    gosec:
+      excludes:
+        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
+        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
+        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
+        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+
+    govet:
+      enable:
+        - shadow
+      settings:
+        shadow:
+          strict: true
+
+    lll:
+      line-length: 200
+
+    importas:
+      # Do not allow unaliased imports of aliased packages.
+      no-unaliased: true
+
+      alias:
+        # Enforce alias to prevent it accidentally being used instead of our
+        # own errdefs package (or vice-versa).
+        - pkg: github.com/containerd/errdefs
+          alias: cerrdefs
+        - pkg: github.com/opencontainers/image-spec/specs-go/v1
+          alias: ocispec
+          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
+        - pkg: gotest.tools/v3/assert/cmp
+          alias: is
+
+    nakedret:
+      # Disallow naked returns if func has more lines of code than this setting.
+      # Default: 30
+      max-func-lines: 0
+
+    staticcheck:
+      checks:
+        - all
+        - -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
+
+    revive:
+      rules:
+        - name: empty-block       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
+        - name: empty-lines       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-lines
+        - name: import-shadowing  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
+        - name: line-length-limit # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
+          arguments: [200]
+        - name: unused-receiver   # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
+        - name: use-any           # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any
+
+    usetesting:
+      os-chdir: false           # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+      context-background: false # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+      context-todo: false       # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+
+  exclusions:
+    # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
     # automatically inherited. We can decide whether or not to follow upstream
     # defaults when updating golang-ci-lint versions.
     # Unfortunately, this means we have to copy the whole exclusion pattern, as
     # (unlike the "include" option), the "exclude" option does not take exclusion
     # ID's.
     #
-    # These exclusion patterns are copied from the default excluses at:
-    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+    # These exclusion patterns are copied from the default excludes at:
+    # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
     #
     # The default list of exclusions can be found at:
     # https://golangci-lint.run/usage/false-positives/#default-exclusions
+    generated: strict
 
-    # EXC0001
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
-      linters:
-        - errcheck
-    # EXC0003
-    - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
-      linters:
-        - revive
-    # EXC0006
-    - text: "Use of unsafe calls should be audited"
-      linters:
-        - gosec
-    # EXC0007
-    - text: "Subprocess launch(ed with variable|ing should be audited)"
-      linters:
-        - gosec
-    # EXC0009
-    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
-      linters:
-        - gosec
-    # EXC0010
-    - text: "Potential file inclusion via variable"
-      linters:
-        - gosec
+    rules:
+        # EXC0003
+      - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
+        linters:
+          - revive
 
-    # TODO: make sure all packages have a description. Currently, there's 67 packages without.
-    - text: "package-comments: should have a package comment"
-      linters:
-        - revive
+        # EXC0007
+      - text: "Subprocess launch(ed with variable|ing should be audited)"
+        linters:
+          - gosec
 
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - errcheck
-        - gosec
-    - text: "ST1000: at least one file in a package should have a package comment"
-      linters:
-        - stylecheck
+        # EXC0009
+      - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+        linters:
+          - gosec
 
-    # Allow "err" and "ok" vars to shadow existing declarations, otherwise we get too many false positives.
-    - text: '^shadow: declaration of "(err|ok)" shadows declaration'
-      linters:
-        - govet
+        # EXC0010
+      - text: "Potential file inclusion via variable"
+        linters:
+          - gosec
 
+        # TODO: make sure all packages have a description. Currently, there's 67 packages without.
+      - text: "package-comments: should have a package comment"
+        linters:
+          - revive
 
-  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-issues-per-linter: 0
+        # Exclude some linters from running on tests files.
+      - path: _test\.go
+        linters:
+          - errcheck
+          - gosec
 
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+      - text: "ST1000: at least one file in a package should have a package comment"
+        linters:
+          - staticcheck
+
+        # Allow "err" and "ok" vars to shadow existing declarations, otherwise we get too many false positives.
+      - text: '^shadow: declaration of "(err|ok)" shadows declaration'
+        linters:
+          - govet
+
+      # Ignore for cli/command/formatter/tabwriter, which is forked from go stdlib, so we want to align with it.
+      - text: '^(ST1020|ST1022): comment on exported'
+        path: "cli/command/formatter/tabwriter"
+        linters:
+          - staticcheck
+
+    # Log a warning if an exclusion rule is unused.
+    # Default: false
+    warn-unused: true

.mailmap

@@ -43,6 +43,7 @@ Alexis Couvreur <alexiscouvreur.pro@gmail.com>
 Alicia Lauerman <alicia@eta.im> <allydevour@me.com>
 Allen Sun <allensun.shl@alibaba-inc.com> <allen.sun@daocloud.io>
 Allen Sun <allensun.shl@alibaba-inc.com> <shlallen1990@gmail.com>
+Allie Sadler <allie.sadler@docker.com>
 Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@microsoft.com>
 Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@outlook.com>
 André Martins  <aanm90@gmail.com> <martins@noironetworks.com>
@@ -65,6 +66,9 @@ Arnaud Porterie <icecrime@gmail.com>
 Arnaud Porterie <icecrime@gmail.com> <arnaud.porterie@docker.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Arthur Peka <arthur.peka@outlook.com> <arthrp@users.noreply.github.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <55906459+austinvazquez@users.noreply.github.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com> <macedonv@amazon.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -195,6 +199,8 @@ Gaetan de Villele <gdevillele@gmail.com>
 Gang Qiao <qiaohai8866@gmail.com> <1373319223@qq.com>
 George Kontridze <george@bugsnag.com>
 Gerwim Feiken <g.feiken@tfe.nl> <gerwim@gmail.com>
+Giau. Tran Minh <hello@giautm.dev>
+Giau. Tran Minh <hello@giautm.dev> <12751435+giautm@users.noreply.github.com>
 Giampaolo Mancini <giampaolo@trampolineup.com>
 Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gou Rao <gou@portworx.com> <gourao@users.noreply.github.com>
@@ -214,6 +220,7 @@ Günther Jungbluth <gunther@gameslabs.net>
 Hakan Özler <hakan.ozler@kodcu.com>
 Hao Shu Wei <haosw@cn.ibm.com>
 Hao Shu Wei <haosw@cn.ibm.com> <haoshuwei1989@163.com>
+Harald Albers <github@albersweb.de>
 Harald Albers <github@albersweb.de> <albers@users.noreply.github.com>
 Harold Cooper <hrldcpr@gmail.com>
 Harry Zhang <harryz@hyper.sh> <harryzhang@zju.edu.cn>
@@ -330,6 +337,8 @@ Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
 Lei Jitang <leijitang@huawei.com>
 Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
 Li Fu Bang <lifubang@acmcoder.com>
+Li Yi <denverdino@gmail.com>
+Li Yi <denverdino@gmail.com> <weiyuan.yl@alibaba-inc.com>
 Liang Mingqiang <mqliang.zju@gmail.com>
 Liang-Chi Hsieh <viirya@gmail.com>
 Liao Qingwei <liaoqingwei@huawei.com>
@@ -339,6 +348,7 @@ Lokesh Mandvekar <lsm5@fedoraproject.org> <lsm5@redhat.com>
 Lorenzo Fontana <lo@linux.com> <fontanalorenzo@me.com>
 Louis Opter <kalessin@kalessin.fr>
 Louis Opter <kalessin@kalessin.fr> <louis@dotcloud.com>
+Lovekesh Kumar <lovekesh.kumar@rtcamp.com>
 Luca Favatella <luca.favatella@erlang-solutions.com> <lucafavatella@users.noreply.github.com>
 Luke Marsden <me@lukemarsden.net> <luke@digital-crocus.com>
 Lyn <energylyn@zju.edu.cn>
@@ -396,6 +406,7 @@ Mike Dalton <mikedalton@github.com> <19153140+mikedalton@users.noreply.github.co
 Mike Goelzer <mike.goelzer@docker.com> <mgoelzer@docker.com>
 Milind Chawre <milindchawre@gmail.com>
 Misty Stanley-Jones <misty@docker.com> <misty@apache.org>
+Mohammad Hossein <mhm98035@gmail.com>
 Mohit Soni <mosoni@ebay.com> <mohitsoni1989@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
 Morten Hekkvang <morten.hekkvang@sbab.se>
@@ -419,6 +430,7 @@ O.S. Tezer <ostezer@gmail.com> <ostezer@users.noreply.github.com>
 Oh Jinkyun <tintypemolly@gmail.com> <tintypemolly@Ohui-MacBook-Pro.local>
 Oliver Pomeroy <oppomeroy@gmail.com>
 Ouyang Liduo <oyld0210@163.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
 Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
@@ -498,6 +510,7 @@ Stephen Day <stevvooe@gmail.com> <stephen.day@docker.com>
 Stephen Day <stevvooe@gmail.com> <stevvooe@users.noreply.github.com>
 Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
 Steve Richards <steve.richards@docker.com> stevejr <>
+Stuart Williams <pid@pidster.com>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>

AUTHORS

@@ -48,6 +48,7 @@ Alfred Landrum <alfred.landrum@docker.com>
 Ali Rostami <rostami.ali@gmail.com>
 Alicia Lauerman <alicia@eta.im>
 Allen Sun <allensun.shl@alibaba-inc.com>
+Allie Sadler <allie.sadler@docker.com>
 Alvin Deng <alvin.q.deng@utexas.edu>
 Amen Belayneh <amenbelayneh@gmail.com>
 Amey Shrivastava <72866602+AmeyShrivastava@users.noreply.github.com>
@@ -81,6 +82,7 @@ Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
 Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
+Archimedes Trajano <developer@trajano.net>
 Arko Dasgupta <arko@tetrate.io>
 Arnaud Porterie <icecrime@gmail.com>
 Arnaud Rebillout <elboulangero@gmail.com>
@@ -88,6 +90,7 @@ Arthur Peka <arthur.peka@outlook.com>
 Ashly Mathew <ashly.mathew@sap.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
 Aslam Ahemad <aslamahemad@gmail.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
 Barnaby Gray <barnaby@pickle.me.uk>
@@ -132,6 +135,7 @@ Cao Weiwei <cao.weiwei30@zte.com.cn>
 Carlo Mion <mion00@gmail.com>
 Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
+Carston Schilds <Carston.Schilds@visier.com>
 Casey Korver <casey@korver.dev>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
@@ -189,6 +193,7 @@ Daisuke Ito <itodaisuke00@gmail.com>
 dalanlan <dalanlan925@gmail.com>
 Damien Nadé <github@livna.org>
 Dan Cotora <dan@bluevision.ro>
+Dan Wallis <dan@wallis.nz>
 Danial Gharib <danial.mail.gh@gmail.com>
 Daniel Artine <daniel.artine@ufrj.br>
 Daniel Cassidy <mail@danielcassidy.me.uk>
@@ -237,6 +242,7 @@ Deshi Xiao <dxiao@redhat.com>
 Dharmit Shah <shahdharmit@gmail.com>
 Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
 Dieter Reuter <dieter.reuter@me.com>
+Dilep Dev <34891655+DilepDev@users.noreply.github.com>
 Dima Stopel <dima@twistlock.com>
 Dimitry Andric <d.andric@activevideo.com>
 Ding Fei <dingfei@stars.org.cn>
@@ -308,6 +314,8 @@ George MacRorie <gmacr31@gmail.com>
 George Margaritis <gmargaritis@protonmail.com>
 George Xie <georgexsh@gmail.com>
 Gianluca Borello <g.borello@gmail.com>
+Giau. Tran Minh <hello@giautm.dev>
+Giedrius Jonikas <giedriusj1@gmail.com>
 Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
 Gio d'Amelio <giodamelio@gmail.com>
 Gleb Stsenov <gleb.stsenov@gmail.com>
@@ -344,6 +352,7 @@ Hugo Gabriel Eyherabide <hugogabriel.eyherabide@gmail.com>
 huqun <huqun@zju.edu.cn>
 Huu Nguyen <huu@prismskylabs.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Iain MacDonald <IJMacD@gmail.com>
 Iain Samuel McLean Elder <iain@isme.es>
 Ian Campbell <ian.campbell@docker.com>
 Ian Philpot <ian.philpot@microsoft.com>
@@ -393,6 +402,7 @@ Jesse Adametz <jesseadametz@gmail.com>
 Jessica Frazelle <jess@oxide.computer>
 Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+Jianyong Wu <wujianyong@hygon.cn>
 Jie Luo <luo612@zju.edu.cn>
 Jilles Oldenbeuving <ojilles@gmail.com>
 Jim Chen <njucjc@gmail.com>
@@ -446,6 +456,7 @@ Julian <gitea+julian@ic.thejulian.uk>
 Julien Barbier <write0@gmail.com>
 Julien Kassar <github@kassisol.com>
 Julien Maitrehenry <julien.maitrehenry@me.com>
+Julio Cesar Garcia <juliogarciamelgarejo@gmail.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
 Justin Chadwell <me@jedevc.com>
 Justin Cormack <justin.cormack@docker.com>
@@ -490,19 +501,22 @@ Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Kyle Mitofsky <Kylemit@gmail.com>
 Lachlan Cooper <lachlancooper@gmail.com>
 Lai Jiangshan <jiangshanlai@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Laurent Goderre <laurent.goderre@docker.com>
 Lee Gaines <eightlimbed@gmail.com>
 Lei Jitang <leijitang@huawei.com>
 Lennie <github@consolejunkie.net>
+lentil32 <lentil32@icloud.com>
 Leo Gallucci <elgalu3@gmail.com>
 Leonid Skorospelov <leosko94@gmail.com>
 Lewis Daly <lewisdaly@me.com>
 Li Fu Bang <lifubang@acmcoder.com>
 Li Yi <denverdino@gmail.com>
-Li Yi <weiyuan.yl@alibaba-inc.com>
+Li Zeghong <zeghong@hotmail.com>
 Liang-Chi Hsieh <viirya@gmail.com>
 Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
@@ -515,6 +529,7 @@ lixiaobing10051267 <li.xiaobing1@zte.com.cn>
 Lloyd Dewolf <foolswisdom@gmail.com>
 Lorenzo Fontana <lo@linux.com>
 Louis Opter <kalessin@kalessin.fr>
+Lovekesh Kumar <lovekesh.kumar@rtcamp.com>
 Luca Favatella <luca.favatella@erlang-solutions.com>
 Luca Marturana <lucamarturana@gmail.com>
 Lucas Chan <lucas-github@lucaschan.com>
@@ -559,6 +574,7 @@ Matt Robenolt <matt@ydekproductions.com>
 Matteo Orefice <matteo.orefice@bites4bits.software>
 Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
 Max-Julian Pogner <max-julian@pogner.at>
@@ -566,6 +582,7 @@ Maxime Petazzoni <max@signalfuse.com>
 Maximillian Fan Xavier <maximillianfx@gmail.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
 Melroy van den Berg <melroy@melroy.org>
+Mert Şişmanoğlu <mert190737fb@gmail.com>
 Metal <2466052+tedhexaflow@users.noreply.github.com>
 Micah Zoltu <micah@newrelic.com>
 Michael A. Smith <michael@smith-li.com>
@@ -598,7 +615,9 @@ Mindaugas Rukas <momomg@gmail.com>
 Miroslav Gula <miroslav.gula@naytrolabs.com>
 Misty Stanley-Jones <misty@docker.com>
 Mohammad Banikazemi <mb@us.ibm.com>
+Mohammad Hossein <mhm98035@gmail.com>
 Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohammed Aminu Futa <mohammedfuta2000@gmail.com>
 Mohini Anne Dsouza <mohini3917@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com>
 Morgan Bauer <mbauer@us.ibm.com>
@@ -633,9 +652,11 @@ Nicolas De Loof <nicolas.deloof@gmail.com>
 Nikhil Chawla <chawlanikhil24@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Milovanov <nmil@itransformers.net>
+NinaLua <iturf@sina.cn>
 Nir Soffer <nsoffer@redhat.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+Noah Silas <noah@hustle.com>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
 Oded Arbel <oded@geek.co.il>
@@ -653,10 +674,12 @@ Patrick Böänziger <patrick.baenziger@bsi-software.com>
 Patrick Daigle <114765035+pdaig@users.noreply.github.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick Lang <plang@microsoft.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Paul <paul9869@gmail.com>
 Paul Kehrer <paul.l.kehrer@gmail.com>
 Paul Lietar <paul@lietar.net>
 Paul Mulders <justinkb@gmail.com>
+Paul Rogalski <mail@paul-rogalski.de>
 Paul Seyfert <pseyfert.mathphys@gmail.com>
 Paul Weaver <pauweave@cisco.com>
 Pavel Pospisil <pospispa@gmail.com>
@@ -678,7 +701,6 @@ Philip Alexander Etling <paetling@gmail.com>
 Philipp Gillé <philipp.gille@gmail.com>
 Philipp Schmied <pschmied@schutzwerk.com>
 Phong Tran <tran.pho@northeastern.edu>
-pidster <pid@pidster.com>
 Pieter E Smit <diepes@github.com>
 pixelistik <pixelistik@users.noreply.github.com>
 Pratik Karki <prertik@outlook.com>
@@ -738,6 +760,7 @@ Samuel Cochran <sj26@sj26.com>
 Samuel Karp <skarp@amazon.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com>
 Santhosh Manohar <santhosh@docker.com>
+Sarah Sanders <sarah.sanders@docker.com>
 Sargun Dhillon <sargun@netflix.com>
 Saswat Bhattacharya <sas.saswat@gmail.com>
 Saurabh Kumar <saurabhkumar0184@gmail.com>
@@ -770,6 +793,7 @@ Spencer Brown <spencer@spencerbrown.org>
 Spring Lee <xi.shuai@outlook.com>
 squeegels <lmscrewy@gmail.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
+Stavros Panakakis <stavrospanakakis@gmail.com>
 Stefan S. <tronicum@user.github.com>
 Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
@@ -780,6 +804,7 @@ Steve Durrheimer <s.durrheimer@gmail.com>
 Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Stoica-Marcu Floris-Andrei <floris.sm@gmail.com>
+Stuart Williams <pid@pidster.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sune Keller <absukl@almbrand.dk>
@@ -867,6 +892,7 @@ Wang Yumu <37442693@qq.com>
 Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
 Wayne Song <wsong@docker.com>
 Wen Cheng Ma <wenchma@cn.ibm.com>
+Wenlong Zhang <zhangwenlong@loongson.cn>
 Wenzhi Liang <wenzhi.liang@gmail.com>
 Wes Morgan <cap10morgan@gmail.com>
 Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
@@ -908,3 +934,4 @@ Zhuo Zhi <h.dwwwwww@gmail.com>
 Átila Camurça Alves <camurca.home@gmail.com>
 Александр Менщиков <__Singleton__@hackerdom.ru>
 徐俊杰 <paco.xu@daocloud.io>
+林博仁 Buo-ren Lin <Buo.Ren.Lin@gmail.com>

Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine
 ARG ALPINE_VERSION=3.21
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.24.4
 ARG XX_VERSION=1.6.1
 ARG GOVERSIONINFO_VERSION=v1.4.1
 ARG GOTESTSUM_VERSION=v1.12.0
@@ -12,8 +12,8 @@ ARG GOTESTSUM_VERSION=v1.12.0
 # BUILDX_VERSION sets the version of buildx to use for the e2e tests.
 # It must be a tag in the docker.io/docker/buildx-bin image repository
 # on Docker Hub.
-ARG BUILDX_VERSION=0.20.1
-ARG COMPOSE_VERSION=v2.32.4
+ARG BUILDX_VERSION=0.24.0
+ARG COMPOSE_VERSION=v2.36.2
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
@@ -67,7 +67,7 @@ ARG PACKAGER_NAME
 COPY --link --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
 RUN --mount=type=bind,target=.,ro \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=tmpfs,target=cli/winresources \
+    --mount=type=tmpfs,target=cmd/docker/winresources \
     # override the default behavior of go with xx-go
     xx-go --wrap && \
     # export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \
@@ -117,7 +117,7 @@ COPY --link --from=compose /docker-compose /usr/libexec/docker/cli-plugins/docke
 COPY --link . .
 ENV DOCKER_BUILDKIT=1
 ENV PATH=/go/src/github.com/docker/cli/build:$PATH
-CMD ./scripts/test/e2e/entry
+CMD ["./scripts/test/e2e/entry"]
 
 FROM build-base-${BASE_VARIANT} AS dev
 COPY --link . .

Makefile

@@ -67,20 +67,20 @@ dynbinary: ## build dynamically linked binary
 
 .PHONY: plugins
 plugins: ## build example CLI plugins
-	./scripts/build/plugins
+	scripts/build/plugins
 
 .PHONY: vendor
 vendor: ## update vendor with go modules
 	rm -rf vendor
-	./scripts/vendor update
+	scripts/with-go-mod.sh scripts/vendor update
 
 .PHONY: validate-vendor
 validate-vendor: ## validate vendor
-	./scripts/vendor validate
+	scripts/with-go-mod.sh scripts/vendor validate
 
 .PHONY: mod-outdated
 mod-outdated: ## check outdated dependencies
-	./scripts/vendor outdated
+	scripts/with-go-mod.sh scripts/vendor outdated
 
 .PHONY: authors
 authors: ## generate AUTHORS file from git history
@@ -115,15 +115,15 @@ shell-completion: ## generate shell-completion scripts
 
 .PHONY: manpages
 manpages: ## generate man pages from go source and markdown
-	scripts/docs/generate-man.sh
+	scripts/with-go-mod.sh scripts/docs/generate-man.sh
 
 .PHONY: mddocs
 mddocs: ## generate markdown files from go source
-	scripts/docs/generate-md.sh
+	scripts/with-go-mod.sh scripts/docs/generate-md.sh
 
 .PHONY: yamldocs
 yamldocs: ## generate documentation YAML files consumed by docs repo
-	scripts/docs/generate-yaml.sh
+	scripts/with-go-mod.sh scripts/docs/generate-yaml.sh
 
 .PHONY: help
 help: ## print this help

VERSION

@@ -1 +1 @@
-28.0.0-dev
+28.3.0-dev

cli-plugins/examples/helloworld/main.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
@@ -97,7 +97,7 @@ func main() {
 		cmd.AddCommand(goodbye, apiversion, exitStatus2)
 		return cmd
 	},
-		manager.Metadata{
+		metadata.Metadata{
 			SchemaVersion: "0.1.0",
 			Vendor:        "Docker Inc.",
 			Version:       "testing",

cli-plugins/manager/annotations.go

@@ -0,0 +1,30 @@
+package manager
+
+import "github.com/docker/cli/cli-plugins/metadata"
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = metadata.CommandAnnotationPlugin
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = metadata.CommandAnnotationPluginVendor
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = metadata.CommandAnnotationPluginVersion
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = metadata.CommandAnnotationPluginInvalid
+
+	// CommandAnnotationPluginCommandPath is added to overwrite the
+	// command path for a plugin invocation.
+	CommandAnnotationPluginCommandPath = metadata.CommandAnnotationPluginCommandPath
+)

cli-plugins/manager/candidate.go

@@ -1,6 +1,10 @@
 package manager
 
-import "os/exec"
+import (
+	"os/exec"
+
+	"github.com/docker/cli/cli-plugins/metadata"
+)
 
 // Candidate represents a possible plugin candidate, for mocking purposes
 type Candidate interface {
@@ -17,5 +21,5 @@ func (c *candidate) Path() string {
 }
 
 func (c *candidate) Metadata() ([]byte, error) {
-	return exec.Command(c.path, MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+	return exec.Command(c.path, metadata.MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 }

cli-plugins/manager/candidate_test.go

@@ -6,9 +6,10 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
-	"gotest.tools/v3/assert/cmp"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 type fakeCandidate struct {
@@ -30,10 +31,10 @@ func (c *fakeCandidate) Metadata() ([]byte, error) {
 
 func TestValidateCandidate(t *testing.T) {
 	const (
-		goodPluginName = NamePrefix + "goodplugin"
+		goodPluginName = metadata.NamePrefix + "goodplugin"
 
-		builtinName  = NamePrefix + "builtin"
-		builtinAlias = NamePrefix + "alias"
+		builtinName  = metadata.NamePrefix + "builtin"
+		builtinAlias = metadata.NamePrefix + "alias"
 
 		badPrefixPath    = "/usr/local/libexec/cli-plugins/wobble"
 		badNamePath      = "/usr/local/libexec/cli-plugins/docker-123456"
@@ -43,9 +44,9 @@ func TestValidateCandidate(t *testing.T) {
 
 	fakeroot := &cobra.Command{Use: "docker"}
 	fakeroot.AddCommand(&cobra.Command{
-		Use: strings.TrimPrefix(builtinName, NamePrefix),
+		Use: strings.TrimPrefix(builtinName, metadata.NamePrefix),
 		Aliases: []string{
-			strings.TrimPrefix(builtinAlias, NamePrefix),
+			strings.TrimPrefix(builtinAlias, metadata.NamePrefix),
 		},
 	})
 
@@ -59,7 +60,7 @@ func TestValidateCandidate(t *testing.T) {
 	}{
 		/* Each failing one of the tests */
 		{name: "empty path", c: &fakeCandidate{path: ""}, err: "plugin candidate path cannot be empty"},
-		{name: "bad prefix", c: &fakeCandidate{path: badPrefixPath}, err: fmt.Sprintf("does not have %q prefix", NamePrefix)},
+		{name: "bad prefix", c: &fakeCandidate{path: badPrefixPath}, err: fmt.Sprintf("does not have %q prefix", metadata.NamePrefix)},
 		{name: "bad path", c: &fakeCandidate{path: badNamePath}, invalid: "did not match"},
 		{name: "builtin command", c: &fakeCandidate{path: builtinName}, invalid: `plugin "builtin" duplicates builtin command`},
 		{name: "builtin alias", c: &fakeCandidate{path: builtinAlias}, invalid: `plugin "alias" duplicates an alias of builtin command "builtin"`},
@@ -80,11 +81,11 @@ func TestValidateCandidate(t *testing.T) {
 				assert.ErrorContains(t, err, tc.err)
 			case tc.invalid != "":
 				assert.NilError(t, err)
-				assert.Assert(t, cmp.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
+				assert.Assert(t, is.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
 				assert.ErrorContains(t, p.Err, tc.invalid)
 			default:
 				assert.NilError(t, err)
-				assert.Equal(t, NamePrefix+p.Name, goodPluginName)
+				assert.Equal(t, metadata.NamePrefix+p.Name, goodPluginName)
 				assert.Equal(t, p.SchemaVersion, "0.1.0")
 				assert.Equal(t, p.Vendor, "e2e-testing")
 			}

cli-plugins/manager/cobra.go

@@ -2,41 +2,12 @@ package manager
 
 import (
 	"fmt"
-	"net/url"
 	"os"
-	"strings"
 	"sync"
 
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli-plugins/metadata"
+	"github.com/docker/cli/cli/config"
 	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/attribute"
-)
-
-const (
-	// CommandAnnotationPlugin is added to every stub command added by
-	// AddPluginCommandStubs with the value "true" and so can be
-	// used to distinguish plugin stubs from regular commands.
-	CommandAnnotationPlugin = "com.docker.cli.plugin"
-
-	// CommandAnnotationPluginVendor is added to every stub command
-	// added by AddPluginCommandStubs and contains the vendor of
-	// that plugin.
-	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
-
-	// CommandAnnotationPluginVersion is added to every stub command
-	// added by AddPluginCommandStubs and contains the version of
-	// that plugin.
-	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
-
-	// CommandAnnotationPluginInvalid is added to any stub command
-	// added by AddPluginCommandStubs for an invalid command (that
-	// is, one which failed it's candidate test) and contains the
-	// reason for the failure.
-	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
-
-	// CommandAnnotationPluginCommandPath is added to overwrite the
-	// command path for a plugin invocation.
-	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
 )
 
 var pluginCommandStubsOnce sync.Once
@@ -44,10 +15,10 @@ var pluginCommandStubsOnce sync.Once
 // AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
 // plugin. The command stubs will have several annotations added, see
 // `CommandAnnotationPlugin*`.
-func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err error) {
+func AddPluginCommandStubs(dockerCLI config.Provider, rootCmd *cobra.Command) (err error) {
 	pluginCommandStubsOnce.Do(func() {
 		var plugins []Plugin
-		plugins, err = ListPlugins(dockerCli, rootCmd)
+		plugins, err = ListPlugins(dockerCLI, rootCmd)
 		if err != nil {
 			return
 		}
@@ -57,12 +28,12 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 				vendor = "unknown"
 			}
 			annotations := map[string]string{
-				CommandAnnotationPlugin:        "true",
-				CommandAnnotationPluginVendor:  vendor,
-				CommandAnnotationPluginVersion: p.Version,
+				metadata.CommandAnnotationPlugin:        "true",
+				metadata.CommandAnnotationPluginVendor:  vendor,
+				metadata.CommandAnnotationPluginVersion: p.Version,
 			}
 			if p.Err != nil {
-				annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+				annotations[metadata.CommandAnnotationPluginInvalid] = p.Err.Error()
 			}
 			rootCmd.AddCommand(&cobra.Command{
 				Use:                p.Name,
@@ -89,7 +60,7 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 					cargs = append(cargs, args...)
 					cargs = append(cargs, toComplete)
 					os.Args = cargs
-					runCommand, runErr := PluginRunCommand(dockerCli, p.Name, cmd)
+					runCommand, runErr := PluginRunCommand(dockerCLI, p.Name, cmd)
 					if runErr != nil {
 						return nil, cobra.ShellCompDirectiveError
 					}
@@ -104,44 +75,3 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 	})
 	return err
 }
-
-const (
-	dockerCliAttributePrefix = attribute.Key("docker.cli")
-
-	cobraCommandPath = attribute.Key("cobra.command_path")
-)
-
-func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
-	commandPath := cmd.Annotations[CommandAnnotationPluginCommandPath]
-	if commandPath == "" {
-		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
-	}
-
-	attrSet := attribute.NewSet(
-		cobraCommandPath.String(commandPath),
-	)
-
-	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
-	for iter := attrSet.Iter(); iter.Next(); {
-		attr := iter.Attribute()
-		kvs = append(kvs, attribute.KeyValue{
-			Key:   dockerCliAttributePrefix + "." + attr.Key,
-			Value: attr.Value,
-		})
-	}
-	return attribute.NewSet(kvs...)
-}
-
-func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
-	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
-		// values in environment variables need to be in baggage format
-		// otel/baggage package can be used after update to v1.22, currently it encodes incorrectly
-		attrsSlice := make([]string, attrs.Len())
-		for iter := attrs.Iter(); iter.Next(); {
-			i, v := iter.IndexedAttribute()
-			attrsSlice[i] = string(v.Key) + "=" + url.PathEscape(v.Value.AsString())
-		}
-		env = append(env, ResourceAttributesEnvvar+"="+strings.Join(attrsSlice, ","))
-	}
-	return env
-}

cli-plugins/manager/cobra_test.go

@@ -0,0 +1,26 @@
+package manager
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+)
+
+func TestPluginResourceAttributesEnvvar(t *testing.T) {
+	cmd := &cobra.Command{
+		Annotations: map[string]string{
+			cobra.CommandDisplayNameAnnotation: "docker",
+		},
+	}
+
+	// Ensure basic usage is fine.
+	env := appendPluginResourceAttributesEnvvar(nil, cmd, Plugin{Name: "compose"})
+	assert.DeepEqual(t, []string{"OTEL_RESOURCE_ATTRIBUTES=docker.cli.cobra.command_path=docker%20compose"}, env)
+
+	// Add a user-based environment variable to OTEL_RESOURCE_ATTRIBUTES.
+	t.Setenv("OTEL_RESOURCE_ATTRIBUTES", "a.b.c=foo")
+
+	env = appendPluginResourceAttributesEnvvar(nil, cmd, Plugin{Name: "compose"})
+	assert.DeepEqual(t, []string{"OTEL_RESOURCE_ATTRIBUTES=a.b.c=foo,docker.cli.cobra.command_path=docker%20compose"}, env)
+}

cli-plugins/manager/error.go

@@ -1,10 +1,10 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package manager
 
 import (
-	"github.com/pkg/errors"
+	"fmt"
 )
 
 // pluginError is set as Plugin.Err by NewPlugin if the plugin
@@ -39,16 +39,16 @@ func (e *pluginError) MarshalText() (text []byte, err error) {
 }
 
 // wrapAsPluginError wraps an error in a pluginError with an
-// additional message, analogous to errors.Wrapf.
+// additional message.
 func wrapAsPluginError(err error, msg string) error {
 	if err == nil {
 		return nil
 	}
-	return &pluginError{cause: errors.Wrap(err, msg)}
+	return &pluginError{cause: fmt.Errorf("%s: %w", msg, err)}
 }
 
 // NewPluginError creates a new pluginError, analogous to
 // errors.Errorf.
 func NewPluginError(msg string, args ...any) error {
-	return &pluginError{cause: errors.Errorf(msg, args...)}
+	return &pluginError{cause: fmt.Errorf(msg, args...)}
 }

cli-plugins/manager/hooks.go

@@ -6,7 +6,8 @@ import (
 	"strings"
 
 	"github.com/docker/cli/cli-plugins/hooks"
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -29,29 +30,28 @@ type HookPluginData struct {
 // a main CLI command was executed. It calls the hook subcommand for all
 // present CLI plugins that declare support for hooks in their metadata and
 // parses/prints their responses.
-func RunCLICommandHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
+func RunCLICommandHooks(ctx context.Context, dockerCLI config.Provider, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
 	commandName := strings.TrimPrefix(subCommand.CommandPath(), rootCmd.Name()+" ")
 	flags := getCommandFlags(subCommand)
 
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, cmdErrorMessage)
+	runHooks(ctx, dockerCLI.ConfigFile(), rootCmd, subCommand, commandName, flags, cmdErrorMessage)
 }
 
 // RunPluginHooks is the entrypoint for the hooks execution flow
 // after a plugin command was just executed by the CLI.
-func RunPluginHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, args []string) {
+func RunPluginHooks(ctx context.Context, dockerCLI config.Provider, rootCmd, subCommand *cobra.Command, args []string) {
 	commandName := strings.Join(args, " ")
 	flags := getNaiveFlags(args)
 
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, "")
+	runHooks(ctx, dockerCLI.ConfigFile(), rootCmd, subCommand, commandName, flags, "")
 }
 
-func runHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
-	nextSteps := invokeAndCollectHooks(ctx, dockerCli, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
-
-	hooks.PrintNextSteps(dockerCli.Err(), nextSteps)
+func runHooks(ctx context.Context, cfg *configfile.ConfigFile, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
+	nextSteps := invokeAndCollectHooks(ctx, cfg, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
+	hooks.PrintNextSteps(subCommand.ErrOrStderr(), nextSteps)
 }
 
-func invokeAndCollectHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
+func invokeAndCollectHooks(ctx context.Context, cfg *configfile.ConfigFile, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
 	// check if the context was cancelled before invoking hooks
 	select {
 	case <-ctx.Done():
@@ -59,19 +59,20 @@ func invokeAndCollectHooks(ctx context.Context, dockerCli command.Cli, rootCmd,
 	default:
 	}
 
-	pluginsCfg := dockerCli.ConfigFile().Plugins
+	pluginsCfg := cfg.Plugins
 	if pluginsCfg == nil {
 		return nil
 	}
 
+	pluginDirs := getPluginDirs(cfg)
 	nextSteps := make([]string, 0, len(pluginsCfg))
-	for pluginName, cfg := range pluginsCfg {
-		match, ok := pluginMatch(cfg, subCmdStr)
+	for pluginName, pluginCfg := range pluginsCfg {
+		match, ok := pluginMatch(pluginCfg, subCmdStr)
 		if !ok {
 			continue
 		}
 
-		p, err := GetPlugin(pluginName, dockerCli, rootCmd)
+		p, err := getPlugin(pluginName, pluginDirs, rootCmd)
 		if err != nil {
 			continue
 		}

cli-plugins/manager/manager.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/fvbommel/sortorder"
@@ -22,10 +22,12 @@ const (
 	// used to originally invoke the docker CLI when executing a
 	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
 	// the plugin to re-execute the original CLI.
-	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+	ReexecEnvvar = metadata.ReexecEnvvar
 
 	// ResourceAttributesEnvvar is the name of the envvar that includes additional
 	// resource attributes for OTEL.
+	//
+	// Deprecated: The "OTEL_RESOURCE_ATTRIBUTES" env-var is part of the OpenTelemetry specification; users should define their own const for this. This const will be removed in the next release.
 	ResourceAttributesEnvvar = "OTEL_RESOURCE_ATTRIBUTES"
 )
 
@@ -59,20 +61,16 @@ func IsNotFound(err error) bool {
 // 3. Platform-specific defaultSystemPluginDirs.
 //
 // [ConfigFile.CLIPluginsExtraDirs]: https://pkg.go.dev/github.com/docker/cli@v26.1.4+incompatible/cli/config/configfile#ConfigFile.CLIPluginsExtraDirs
-func getPluginDirs(cfg *configfile.ConfigFile) ([]string, error) {
+func getPluginDirs(cfg *configfile.ConfigFile) []string {
 	var pluginDirs []string
 
 	if cfg != nil {
 		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
 	}
-	pluginDir, err := config.Path("cli-plugins")
-	if err != nil {
-		return nil, err
-	}
-
+	pluginDir := filepath.Join(config.Dir(), "cli-plugins")
 	pluginDirs = append(pluginDirs, pluginDir)
 	pluginDirs = append(pluginDirs, defaultSystemPluginDirs...)
-	return pluginDirs, nil
+	return pluginDirs
 }
 
 func addPluginCandidatesFromDir(res map[string][]string, d string) {
@@ -83,7 +81,7 @@ func addPluginCandidatesFromDir(res map[string][]string, d string) {
 		return
 	}
 	for _, dentry := range dentries {
-		switch dentry.Type() & os.ModeType {
+		switch dentry.Type() & os.ModeType { //nolint:exhaustive,nolintlint // no need to include all possible file-modes in this list
 		case 0, os.ModeSymlink:
 			// Regular file or symlink, keep going
 		default:
@@ -91,10 +89,10 @@ func addPluginCandidatesFromDir(res map[string][]string, d string) {
 			continue
 		}
 		name := dentry.Name()
-		if !strings.HasPrefix(name, NamePrefix) {
+		if !strings.HasPrefix(name, metadata.NamePrefix) {
 			continue
 		}
-		name = strings.TrimPrefix(name, NamePrefix)
+		name = strings.TrimPrefix(name, metadata.NamePrefix)
 		var err error
 		if name, err = trimExeSuffix(name); err != nil {
 			continue
@@ -113,12 +111,12 @@ func listPluginCandidates(dirs []string) map[string][]string {
 }
 
 // GetPlugin returns a plugin on the system by its name
-func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
+func GetPlugin(name string, dockerCLI config.Provider, rootcmd *cobra.Command) (*Plugin, error) {
+	pluginDirs := getPluginDirs(dockerCLI.ConfigFile())
+	return getPlugin(name, pluginDirs, rootcmd)
+}
 
+func getPlugin(name string, pluginDirs []string, rootcmd *cobra.Command) (*Plugin, error) {
 	candidates := listPluginCandidates(pluginDirs)
 	if paths, ok := candidates[name]; ok {
 		if len(paths) == 0 {
@@ -139,17 +137,21 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 }
 
 // ListPlugins produces a list of the plugins available on the system
-func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
-
+func ListPlugins(dockerCli config.Provider, rootcmd *cobra.Command) ([]Plugin, error) {
+	pluginDirs := getPluginDirs(dockerCli.ConfigFile())
 	candidates := listPluginCandidates(pluginDirs)
+	if len(candidates) == 0 {
+		return nil, nil
+	}
 
 	var plugins []Plugin
 	var mu sync.Mutex
-	eg, _ := errgroup.WithContext(context.TODO())
+	ctx := rootcmd.Context()
+	if ctx == nil {
+		// Fallback, mostly for tests that pass a bare cobra.command
+		ctx = context.Background()
+	}
+	eg, _ := errgroup.WithContext(ctx)
 	cmds := rootcmd.Commands()
 	for _, paths := range candidates {
 		func(paths []string) {
@@ -186,7 +188,7 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 // PluginRunCommand returns an "os/exec".Cmd which when .Run() will execute the named plugin.
 // The rootcmd argument is referenced to determine the set of builtin commands in order to detect conficts.
 // The error returned satisfies the IsNotFound() predicate if no plugin was found or if the first candidate plugin was invalid somehow.
-func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
+func PluginRunCommand(dockerCli config.Provider, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
 	// This uses the full original args, not the args which may
 	// have been provided by cobra to our caller. This is because
 	// they lack e.g. global options which we must propagate here.
@@ -196,11 +198,8 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		// fallback to their "invalid" command path.
 		return nil, errPluginNotFound(name)
 	}
-	exename := addExeSuffix(NamePrefix + name)
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
+	exename := addExeSuffix(metadata.NamePrefix + name)
+	pluginDirs := getPluginDirs(dockerCli.ConfigFile())
 
 	for _, d := range pluginDirs {
 		path := filepath.Join(d, exename)
@@ -233,7 +232,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 
-		cmd.Env = append(cmd.Environ(), ReexecEnvvar+"="+os.Args[0])
+		cmd.Env = append(cmd.Environ(), metadata.ReexecEnvvar+"="+os.Args[0])
 		cmd.Env = appendPluginResourceAttributesEnvvar(cmd.Env, rootcmd, plugin)
 
 		return cmd, nil
@@ -243,5 +242,5 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 
 // IsPluginCommand checks if the given cmd is a plugin-stub.
 func IsPluginCommand(cmd *cobra.Command) bool {
-	return cmd.Annotations[CommandAnnotationPlugin] == "true"
+	return cmd.Annotations[metadata.CommandAnnotationPlugin] == "true"
 }

cli-plugins/manager/manager_test.go

@@ -1,6 +1,7 @@
 package manager
 
 import (
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -81,6 +82,12 @@ func TestListPluginCandidates(t *testing.T) {
 	assert.DeepEqual(t, candidates, exp)
 }
 
+func TestListPluginCandidatesEmpty(t *testing.T) {
+	tmpDir := t.TempDir()
+	candidates := listPluginCandidates([]string{tmpDir, filepath.Join(tmpDir, "no-such-dir")})
+	assert.Assert(t, len(candidates) == 0)
+}
+
 // Regression test for https://github.com/docker/cli/issues/5643.
 // Check that inaccessible directories that come before accessible ones are ignored
 // and do not prevent the latter from being processed.
@@ -166,14 +173,11 @@ func TestErrPluginNotFound(t *testing.T) {
 func TestGetPluginDirs(t *testing.T) {
 	cli := test.NewFakeCli(nil)
 
-	pluginDir, err := config.Path("cli-plugins")
-	assert.NilError(t, err)
+	pluginDir := filepath.Join(config.Dir(), "cli-plugins")
 	expected := append([]string{pluginDir}, defaultSystemPluginDirs...)
 
-	var pluginDirs []string
-	pluginDirs, err = getPluginDirs(cli.ConfigFile())
+	pluginDirs := getPluginDirs(cli.ConfigFile())
 	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
-	assert.NilError(t, err)
 
 	extras := []string{
 		"foo", "bar", "baz",
@@ -182,7 +186,6 @@ func TestGetPluginDirs(t *testing.T) {
 	cli.SetConfigFile(&configfile.ConfigFile{
 		CLIPluginsExtraDirs: extras,
 	})
-	pluginDirs, err = getPluginDirs(cli.ConfigFile())
+	pluginDirs = getPluginDirs(cli.ConfigFile())
 	assert.DeepEqual(t, expected, pluginDirs)
-	assert.NilError(t, err)
 }

cli-plugins/manager/metadata.go

@@ -1,30 +1,23 @@
 package manager
 
+import (
+	"github.com/docker/cli/cli-plugins/metadata"
+)
+
 const (
 	// NamePrefix is the prefix required on all plugin binary names
-	NamePrefix = "docker-"
+	NamePrefix = metadata.NamePrefix
 
 	// MetadataSubcommandName is the name of the plugin subcommand
 	// which must be supported by every plugin and returns the
 	// plugin metadata.
-	MetadataSubcommandName = "docker-cli-plugin-metadata"
+	MetadataSubcommandName = metadata.MetadataSubcommandName
 
 	// HookSubcommandName is the name of the plugin subcommand
 	// which must be implemented by plugins declaring support
 	// for hooks in their metadata.
-	HookSubcommandName = "docker-cli-plugin-hooks"
+	HookSubcommandName = metadata.HookSubcommandName
 )
 
 // Metadata provided by the plugin.
-type Metadata struct {
-	// SchemaVersion describes the version of this struct. Mandatory, must be "0.1.0"
-	SchemaVersion string `json:",omitempty"`
-	// Vendor is the name of the plugin vendor. Mandatory
-	Vendor string `json:",omitempty"`
-	// Version is the optional version of this plugin.
-	Version string `json:",omitempty"`
-	// ShortDescription should be suitable for a single line help message.
-	ShortDescription string `json:",omitempty"`
-	// URL is a pointer to the plugin's homepage.
-	URL string `json:",omitempty"`
-}
+type Metadata = metadata.Metadata

cli-plugins/manager/plugin.go

@@ -3,21 +3,23 @@ package manager
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"regexp"
 	"strings"
 
-	"github.com/pkg/errors"
+	"github.com/docker/cli/cli-plugins/metadata"
+	"github.com/docker/cli/internal/lazyregexp"
 	"github.com/spf13/cobra"
 )
 
-var pluginNameRe = regexp.MustCompile("^[a-z][a-z0-9]*$")
+var pluginNameRe = lazyregexp.New("^[a-z][a-z0-9]*$")
 
 // Plugin represents a potential plugin with all it's metadata.
 type Plugin struct {
-	Metadata
+	metadata.Metadata
 
 	Name string `json:",omitempty"`
 	Path string `json:",omitempty"`
@@ -44,18 +46,18 @@ func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 	// which would fail here, so there are all real errors.
 	fullname := filepath.Base(path)
 	if fullname == "." {
-		return Plugin{}, errors.Errorf("unable to determine basename of plugin candidate %q", path)
+		return Plugin{}, fmt.Errorf("unable to determine basename of plugin candidate %q", path)
 	}
 	var err error
 	if fullname, err = trimExeSuffix(fullname); err != nil {
-		return Plugin{}, errors.Wrapf(err, "plugin candidate %q", path)
+		return Plugin{}, fmt.Errorf("plugin candidate %q: %w", path, err)
 	}
-	if !strings.HasPrefix(fullname, NamePrefix) {
-		return Plugin{}, errors.Errorf("plugin candidate %q: does not have %q prefix", path, NamePrefix)
+	if !strings.HasPrefix(fullname, metadata.NamePrefix) {
+		return Plugin{}, fmt.Errorf("plugin candidate %q: does not have %q prefix", path, metadata.NamePrefix)
 	}
 
 	p := Plugin{
-		Name: strings.TrimPrefix(fullname, NamePrefix),
+		Name: strings.TrimPrefix(fullname, metadata.NamePrefix),
 		Path: path,
 	}
 
@@ -112,9 +114,9 @@ func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte,
 		return nil, wrapAsPluginError(err, "failed to marshall hook data")
 	}
 
-	pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+	pCmd := exec.CommandContext(ctx, p.Path, p.Name, metadata.HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 	pCmd.Env = os.Environ()
-	pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
+	pCmd.Env = append(pCmd.Env, metadata.ReexecEnvvar+"="+os.Args[0])
 	hookCmdOutput, err := pCmd.Output()
 	if err != nil {
 		return nil, wrapAsPluginError(err, "failed to execute plugin hook subcommand")

cli-plugins/manager/suffix_windows.go

@@ -1,22 +1,16 @@
 package manager
 
 import (
+	"fmt"
 	"path/filepath"
 	"strings"
-
-	"github.com/pkg/errors"
 )
 
-// This is made slightly more complex due to needing to be case insensitive.
+// This is made slightly more complex due to needing to be case-insensitive.
 func trimExeSuffix(s string) (string, error) {
 	ext := filepath.Ext(s)
-	if ext == "" {
-		return "", errors.Errorf("path %q lacks required file extension", s)
-	}
-
-	exe := ".exe"
-	if !strings.EqualFold(ext, exe) {
-		return "", errors.Errorf("path %q lacks required %q suffix", s, exe)
+	if ext == "" || !strings.EqualFold(ext, ".exe") {
+		return "", fmt.Errorf("path %q lacks required file extension (.exe)", s)
 	}
 	return strings.TrimSuffix(s, ext), nil
 }

cli-plugins/manager/telemetry.go

@@ -0,0 +1,85 @@
+package manager
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli-plugins/metadata"
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/baggage"
+)
+
+const (
+	// resourceAttributesEnvVar is the name of the envvar that includes additional
+	// resource attributes for OTEL as defined in the [OpenTelemetry specification].
+	//
+	// [OpenTelemetry specification]: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/#general-sdk-configuration
+	resourceAttributesEnvVar = "OTEL_RESOURCE_ATTRIBUTES"
+
+	// dockerCLIAttributePrefix is the prefix for any docker cli OTEL attributes.
+	//
+	// It is a copy of the const defined in [command.dockerCLIAttributePrefix].
+	dockerCLIAttributePrefix = "docker.cli."
+	cobraCommandPath         = attribute.Key("cobra.command_path")
+)
+
+func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
+	commandPath := cmd.Annotations[metadata.CommandAnnotationPluginCommandPath]
+	if commandPath == "" {
+		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
+	}
+
+	attrSet := attribute.NewSet(
+		cobraCommandPath.String(commandPath),
+	)
+
+	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
+	for iter := attrSet.Iter(); iter.Next(); {
+		attr := iter.Attribute()
+		kvs = append(kvs, attribute.KeyValue{
+			Key:   dockerCLIAttributePrefix + attr.Key,
+			Value: attr.Value,
+		})
+	}
+	return attribute.NewSet(kvs...)
+}
+
+func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
+	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
+		// Construct baggage members for each of the attributes.
+		// Ignore any failures as these aren't significant and
+		// represent an internal issue.
+		members := make([]baggage.Member, 0, attrs.Len())
+		for iter := attrs.Iter(); iter.Next(); {
+			attr := iter.Attribute()
+			m, err := baggage.NewMemberRaw(string(attr.Key), attr.Value.AsString())
+			if err != nil {
+				otel.Handle(err)
+				continue
+			}
+			members = append(members, m)
+		}
+
+		// Combine plugin added resource attributes with ones found in the environment
+		// variable. Our own attributes should be namespaced so there shouldn't be a
+		// conflict. We do not parse the environment variable because we do not want
+		// to handle errors in user configuration.
+		attrsSlice := make([]string, 0, 2)
+		if v := strings.TrimSpace(os.Getenv(resourceAttributesEnvVar)); v != "" {
+			attrsSlice = append(attrsSlice, v)
+		}
+		if b, err := baggage.New(members...); err != nil {
+			otel.Handle(err)
+		} else if b.Len() > 0 {
+			attrsSlice = append(attrsSlice, b.String())
+		}
+
+		if len(attrsSlice) > 0 {
+			env = append(env, resourceAttributesEnvVar+"="+strings.Join(attrsSlice, ","))
+		}
+	}
+	return env
+}

cli-plugins/metadata/annotations.go

@@ -0,0 +1,28 @@
+package metadata
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = "com.docker.cli.plugin"
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+
+	// CommandAnnotationPluginCommandPath is added to overwrite the
+	// command path for a plugin invocation.
+	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
+)

cli-plugins/metadata/metadata.go

@@ -0,0 +1,36 @@
+package metadata
+
+const (
+	// NamePrefix is the prefix required on all plugin binary names
+	NamePrefix = "docker-"
+
+	// MetadataSubcommandName is the name of the plugin subcommand
+	// which must be supported by every plugin and returns the
+	// plugin metadata.
+	MetadataSubcommandName = "docker-cli-plugin-metadata"
+
+	// HookSubcommandName is the name of the plugin subcommand
+	// which must be implemented by plugins declaring support
+	// for hooks in their metadata.
+	HookSubcommandName = "docker-cli-plugin-hooks"
+
+	// ReexecEnvvar is the name of an ennvar which is set to the command
+	// used to originally invoke the docker CLI when executing a
+	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+	// the plugin to re-execute the original CLI.
+	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+)
+
+// Metadata provided by the plugin.
+type Metadata struct {
+	// SchemaVersion describes the version of this struct. Mandatory, must be "0.1.0"
+	SchemaVersion string `json:",omitempty"`
+	// Vendor is the name of the plugin vendor. Mandatory
+	Vendor string `json:",omitempty"`
+	// Version is the optional version of this plugin.
+	Version string `json:",omitempty"`
+	// ShortDescription should be suitable for a single line help message.
+	ShortDescription string `json:",omitempty"`
+	// URL is a pointer to the plugin's homepage.
+	URL string `json:",omitempty"`
+}

cli-plugins/plugin/plugin.go

@@ -9,7 +9,7 @@ import (
 	"sync"
 
 	"github.com/docker/cli/cli"
-	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli-plugins/socket"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/connhelper"
@@ -30,7 +30,7 @@ import (
 var PersistentPreRunE func(*cobra.Command, []string) error
 
 // RunPlugin executes the specified plugin command
-func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) error {
+func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta metadata.Metadata) error {
 	tcmd := newPluginCommand(dockerCli, plugin, meta)
 
 	var persistentPreRunOnce sync.Once
@@ -81,7 +81,7 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 }
 
 // Run is the top-level entry point to the CLI plugin framework. It should be called from your plugin's `main()` function.
-func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
+func Run(makeCmd func(command.Cli) *cobra.Command, meta metadata.Metadata) {
 	otel.SetErrorHandler(debug.OTELErrorHandler)
 
 	dockerCli, err := command.NewDockerCli()
@@ -109,9 +109,9 @@ func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
 }
 
 func withPluginClientConn(name string) command.CLIOption {
-	return command.WithInitializeClient(func(dockerCli *command.DockerCli) (client.APIClient, error) {
+	return func(cli *command.DockerCli) error {
 		cmd := "docker"
-		if x := os.Getenv(manager.ReexecEnvvar); x != "" {
+		if x := os.Getenv(metadata.ReexecEnvvar); x != "" {
 			cmd = x
 		}
 		var flags []string
@@ -133,16 +133,19 @@ func withPluginClientConn(name string) command.CLIOption {
 
 		helper, err := connhelper.GetCommandConnectionHelper(cmd, flags...)
 		if err != nil {
-			return nil, err
+			return err
 		}
-
-		return client.NewClientWithOpts(client.WithDialContext(helper.Dialer))
-	})
+		apiClient, err := client.NewClientWithOpts(client.WithDialContext(helper.Dialer))
+		if err != nil {
+			return err
+		}
+		return command.WithAPIClient(apiClient)(cli)
+	}
 }
 
-func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) *cli.TopLevelCommand {
+func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta metadata.Metadata) *cli.TopLevelCommand {
 	name := plugin.Name()
-	fullname := manager.NamePrefix + name
+	fullname := metadata.NamePrefix + name
 
 	cmd := &cobra.Command{
 		Use:           fmt.Sprintf("docker [OPTIONS] %s [ARG...]", name),
@@ -177,12 +180,12 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 	return cli.NewTopLevelCommand(cmd, dockerCli, opts, cmd.Flags())
 }
 
-func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.Command {
+func newMetadataSubcommand(plugin *cobra.Command, meta metadata.Metadata) *cobra.Command {
 	if meta.ShortDescription == "" {
 		meta.ShortDescription = plugin.Short
 	}
 	cmd := &cobra.Command{
-		Use:    manager.MetadataSubcommandName,
+		Use:    metadata.MetadataSubcommandName,
 		Hidden: true,
 		// Suppress the global/parent PersistentPreRunE, which
 		// needlessly initializes the client and tries to
@@ -200,8 +203,8 @@ func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.
 
 // RunningStandalone tells a CLI plugin it is run standalone by direct execution
 func RunningStandalone() bool {
-	if os.Getenv(manager.ReexecEnvvar) != "" {
+	if os.Getenv(metadata.ReexecEnvvar) != "" {
 		return false
 	}
-	return len(os.Args) < 2 || os.Args[1] != manager.MetadataSubcommandName
+	return len(os.Args) < 2 || os.Args[1] != metadata.MetadataSubcommandName
 }

cli-plugins/socket/socket_test.go

@@ -178,24 +178,39 @@ func TestConnectAndWait(t *testing.T) {
 	// TODO: this test cannot be executed with `t.Parallel()`, due to
 	// relying on goroutine numbers to ensure correct behaviour
 	t.Run("connect goroutine exits after EOF", func(t *testing.T) {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
 		srv, err := NewPluginServer(nil)
 		assert.NilError(t, err, "failed to setup server")
 
 		defer srv.Close()
 
 		t.Setenv(EnvKey, srv.Addr().String())
+
+		runtime.Gosched()
 		numGoroutines := runtime.NumGoroutine()
 
 		ConnectAndWait(func() {})
-		assert.Equal(t, runtime.NumGoroutine(), numGoroutines+1)
+
+		runtime.Gosched()
+		poll.WaitOn(t, func(t poll.LogT) poll.Result {
+			// +1 goroutine for the poll.WaitOn
+			// +1 goroutine for the connect goroutine
+			if runtime.NumGoroutine() < numGoroutines+1+1 {
+				return poll.Continue("waiting for connect goroutine to spawn")
+			}
+			return poll.Success()
+		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(500*time.Millisecond))
 
 		srv.Close()
 
+		runtime.Gosched()
 		poll.WaitOn(t, func(t poll.LogT) poll.Result {
+			// +1 goroutine for the poll.WaitOn
 			if runtime.NumGoroutine() > numGoroutines+1 {
 				return poll.Continue("waiting for connect goroutine to exit")
 			}
 			return poll.Success()
-		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
+		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(500*time.Millisecond))
 	})
 }

cli/cobra.go

@@ -3,15 +3,12 @@ package cli
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 	"sort"
 	"strings"
 
-	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli/command"
 	cliflags "github.com/docker/cli/cli/flags"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/registry"
 	"github.com/fvbommel/sortorder"
 	"github.com/moby/term"
 	"github.com/morikuni/aec"
@@ -62,13 +59,6 @@ func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *c
 		"docs.code-delimiter": `"`, // https://github.com/docker/cli-docs-tool/blob/77abede22166eaea4af7335096bdcedd043f5b19/annotation/annotation.go#L20-L22
 	}
 
-	// Configure registry.CertsDir() when running in rootless-mode
-	if os.Getenv("ROOTLESSKIT_STATE_DIR") != "" {
-		if configHome, err := homedir.GetConfigHome(); err == nil {
-			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
-		}
-	}
-
 	return opts, helpCommand
 }
 
@@ -252,7 +242,7 @@ func hasAdditionalHelp(cmd *cobra.Command) bool {
 }
 
 func isPlugin(cmd *cobra.Command) bool {
-	return pluginmanager.IsPluginCommand(cmd)
+	return cmd.Annotations[metadata.CommandAnnotationPlugin] == "true"
 }
 
 func hasAliases(cmd *cobra.Command) bool {
@@ -356,9 +346,9 @@ func decoratedName(cmd *cobra.Command) string {
 }
 
 func vendorAndVersion(cmd *cobra.Command) string {
-	if vendor, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
+	if vendor, ok := cmd.Annotations[metadata.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
 		version := ""
-		if v, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVersion]; ok && v != "" {
+		if v, ok := cmd.Annotations[metadata.CommandAnnotationPluginVersion]; ok && v != "" {
 			version = ", " + v
 		}
 		return fmt.Sprintf("(%s%s)", vendor, version)
@@ -417,7 +407,7 @@ func invalidPlugins(cmd *cobra.Command) []*cobra.Command {
 }
 
 func invalidPluginReason(cmd *cobra.Command) string {
-	return cmd.Annotations[pluginmanager.CommandAnnotationPluginInvalid]
+	return cmd.Annotations[metadata.CommandAnnotationPluginInvalid]
 }
 
 const usageTemplate = `Usage:

cli/cobra_test.go

@@ -3,7 +3,7 @@ package cli
 import (
 	"testing"
 
-	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
@@ -49,9 +49,9 @@ func TestVendorAndVersion(t *testing.T) {
 			cmd := &cobra.Command{
 				Use: "test",
 				Annotations: map[string]string{
-					pluginmanager.CommandAnnotationPlugin:        "true",
-					pluginmanager.CommandAnnotationPluginVendor:  tc.vendor,
-					pluginmanager.CommandAnnotationPluginVersion: tc.version,
+					metadata.CommandAnnotationPlugin:        "true",
+					metadata.CommandAnnotationPluginVendor:  tc.vendor,
+					metadata.CommandAnnotationPluginVersion: tc.version,
 				},
 			}
 			assert.Equal(t, vendorAndVersion(cmd), tc.expected)
@@ -69,8 +69,8 @@ func TestInvalidPlugin(t *testing.T) {
 	assert.Assert(t, is.Len(invalidPlugins(root), 0))
 
 	sub1.Annotations = map[string]string{
-		pluginmanager.CommandAnnotationPlugin:        "true",
-		pluginmanager.CommandAnnotationPluginInvalid: "foo",
+		metadata.CommandAnnotationPlugin:        "true",
+		metadata.CommandAnnotationPluginInvalid: "foo",
 	}
 	root.AddCommand(sub1, sub2)
 	sub1.AddCommand(sub1sub1, sub1sub2)
@@ -100,6 +100,6 @@ func TestDecoratedName(t *testing.T) {
 	topLevelCommand := &cobra.Command{Use: "pluginTopLevelCommand"}
 	root.AddCommand(topLevelCommand)
 	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand ")
-	topLevelCommand.Annotations = map[string]string{pluginmanager.CommandAnnotationPlugin: "true"}
+	topLevelCommand.Annotations = map[string]string{metadata.CommandAnnotationPlugin: "true"}
 	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand*")
 }

cli/command/builder/client_test.go

@@ -3,16 +3,16 @@ package builder
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/client"
 )
 
 type fakeClient struct {
 	client.Client
-	builderPruneFunc func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
+	builderPruneFunc func(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error)
 }
 
-func (c *fakeClient) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+func (c *fakeClient) BuildCachePrune(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
 	if c.builderPruneFunc != nil {
 		return c.builderPruneFunc(ctx, opts)
 	}

cli/command/builder/cmd.go

@@ -23,3 +23,22 @@ func NewBuilderCommand(dockerCli command.Cli) *cobra.Command {
 	)
 	return cmd
 }
+
+// NewBakeStubCommand returns a cobra command "stub" for the "bake" subcommand.
+// This command is a placeholder / stub that is dynamically replaced by an
+// alias for "docker buildx bake" if BuildKit is enabled (and the buildx plugin
+// installed).
+func NewBakeStubCommand(dockerCLI command.Streams) *cobra.Command {
+	return &cobra.Command{
+		Use:   "bake [OPTIONS] [TARGET...]",
+		Short: "Build from a file",
+		RunE:  command.ShowHelp(dockerCLI.Err()),
+		Annotations: map[string]string{
+			// We want to show this command in the "top" category in --help
+			// output, and not to be grouped under "management commands".
+			"category-top": "5",
+			"aliases":      "docker buildx bake",
+			"version":      "1.31",
+		},
+	}
+}

cli/command/builder/prune.go

@@ -9,10 +9,10 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/internal/prompt"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/errdefs"
-	units "github.com/docker/go-units"
+	"github.com/docker/docker/api/types/build"
+	"github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )
 
@@ -69,18 +69,18 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 		warning = allCacheWarning
 	}
 	if !options.force {
-		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		r, err := prompt.Confirm(ctx, dockerCli.In(), dockerCli.Out(), warning)
 		if err != nil {
 			return 0, "", err
 		}
 		if !r {
-			return 0, "", errdefs.Cancelled(errors.New("builder prune has been cancelled"))
+			return 0, "", cancelledErr{errors.New("builder prune has been cancelled")}
 		}
 	}
 
-	report, err := dockerCli.Client().BuildCachePrune(ctx, types.BuildCachePruneOptions{
+	report, err := dockerCli.Client().BuildCachePrune(ctx, build.CachePruneOptions{
 		All:         options.all,
-		KeepStorage: options.keepStorage.Value(),
+		KeepStorage: options.keepStorage.Value(), // FIXME(thaJeztah): rewrite to use new options; see https://github.com/moby/moby/pull/48720
 		Filters:     pruneFilters,
 	})
 	if err != nil {
@@ -100,6 +100,10 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	return report.SpaceReclaimed, output, nil
 }
 
+type cancelledErr struct{ error }
+
+func (cancelledErr) Cancelled() {}
+
 // CachePrune executes a prune command for build cache
 func CachePrune(ctx context.Context, dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
 	return runPrune(ctx, dockerCli, pruneOptions{force: true, all: all, filter: filter})

cli/command/builder/prune_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 )
 
 func TestBuilderPromptTermination(t *testing.T) {
@@ -15,7 +15,7 @@ func TestBuilderPromptTermination(t *testing.T) {
 	t.Cleanup(cancel)
 
 	cli := test.NewFakeCli(&fakeClient{
-		builderPruneFunc: func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+		builderPruneFunc: func(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
 			return nil, errors.New("fakeClient builderPruneFunc should not be called")
 		},
 	})

cli/command/cli.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"strconv"
 	"sync"
@@ -21,21 +20,15 @@ import (
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
-	manifeststore "github.com/docker/cli/cli/manifest/store"
-	registryclient "github.com/docker/cli/cli/registry/client"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/cli/version"
 	dopts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
-	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	notaryclient "github.com/theupdateframework/notary/client"
 )
 
 const defaultInitTimeout = 2 * time.Second
@@ -53,13 +46,10 @@ type Cli interface {
 	Streams
 	SetIn(in *streams.In)
 	Apply(ops ...CLIOption) error
-	ConfigFile() *configfile.ConfigFile
+	config.Provider
 	ServerInfo() ServerInfo
-	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
 	DefaultVersion() string
 	CurrentVersion() string
-	ManifestStore() manifeststore.Store
-	RegistryClient(bool) registryclient.RegistryClient
 	ContentTrustEnabled() bool
 	BuildKitEnabled() (bool, error)
 	ContextStore() store.Store
@@ -69,7 +59,9 @@ type Cli interface {
 }
 
 // DockerCli is an instance the docker command line client.
-// Instances of the client can be returned from NewDockerCli.
+// Instances of the client should be created using the [NewDockerCli]
+// constructor to make sure they are properly initialized with defaults
+// set.
 type DockerCli struct {
 	configFile         *configfile.ConfigFile
 	options            *cliflags.ClientOptions
@@ -84,7 +76,7 @@ type DockerCli struct {
 	init               sync.Once
 	initErr            error
 	dockerEndpoint     docker.Endpoint
-	contextStoreConfig store.Config
+	contextStoreConfig *store.Config
 	initTimeout        time.Duration
 	res                telemetryResource
 
@@ -96,7 +88,7 @@ type DockerCli struct {
 	enableGlobalMeter, enableGlobalTracer bool
 }
 
-// DefaultVersion returns api.defaultVersion.
+// DefaultVersion returns [api.DefaultVersion].
 func (*DockerCli) DefaultVersion() string {
 	return api.DefaultVersion
 }
@@ -188,7 +180,7 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 	}
 
 	si := cli.ServerInfo()
-	if si.BuildkitVersion == types.BuilderBuildKit {
+	if si.BuildkitVersion == build.BuilderBuildKit {
 		// The daemon advertised BuildKit as the preferred builder; this may
 		// be either a Linux daemon or a Windows daemon with experimental
 		// BuildKit support enabled.
@@ -202,16 +194,16 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 
 // HooksEnabled returns whether plugin hooks are enabled.
 func (cli *DockerCli) HooksEnabled() bool {
-	// legacy support DOCKER_CLI_HINTS env var
-	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+	// use DOCKER_CLI_HOOKS env var value if set and not empty
+	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
 		}
 		return enabled
 	}
-	// use DOCKER_CLI_HOOKS env var value if set and not empty
-	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
+	// legacy support DOCKER_CLI_HINTS env var
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
@@ -230,30 +222,6 @@ func (cli *DockerCli) HooksEnabled() bool {
 	return false
 }
 
-// ManifestStore returns a store for local manifests
-func (*DockerCli) ManifestStore() manifeststore.Store {
-	// TODO: support override default location from config file
-	return manifeststore.NewStore(filepath.Join(config.Dir(), "manifests"))
-}
-
-// RegistryClient returns a client for communicating with a Docker distribution
-// registry
-func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.RegistryClient {
-	resolver := func(ctx context.Context, index *registry.IndexInfo) registry.AuthConfig {
-		return ResolveAuthConfig(cli.ConfigFile(), index)
-	}
-	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
-}
-
-// WithInitializeClient is passed to DockerCli.Initialize by callers who wish to set a particular API Client for use by the CLI.
-func WithInitializeClient(makeClient func(dockerCli *DockerCli) (client.APIClient, error)) CLIOption {
-	return func(dockerCli *DockerCli) error {
-		var err error
-		dockerCli.client, err = makeClient(dockerCli)
-		return err
-	}
-}
-
 // Initialize the dockerCli runs initialization that must happen after command
 // line flags are parsed.
 func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption) error {
@@ -275,13 +243,33 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 		return errors.New("conflicting options: cannot specify both --host and --context")
 	}
 
+	if cli.contextStoreConfig == nil {
+		// This path can be hit when calling Initialize on a DockerCli that's
+		// not constructed through [NewDockerCli]. Using the default context
+		// store without a config set will result in Endpoints from contexts
+		// not being type-mapped correctly, and used as a generic "map[string]any",
+		// instead of a [docker.EndpointMeta].
+		//
+		// When looking up the API endpoint (using [EndpointFromContext]), no
+		// endpoint will be found, and a default, empty endpoint will be used
+		// instead which in its turn, causes newAPIClientFromEndpoint to
+		// be initialized with the default config instead of settings for
+		// the current context (which may mean; connecting with the wrong
+		// endpoint and/or TLS Config to be missing).
+		//
+		// [EndpointFromContext]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/context/docker/load.go#L139-L149
+		if err := WithDefaultContextStoreConfig()(cli); err != nil {
+			return err
+		}
+	}
+
 	cli.options = opts
 	cli.configFile = config.LoadDefaultConfigFile(cli.err)
 	cli.currentContext = resolveContextName(cli.options, cli.configFile)
 	cli.contextStore = &ContextStoreWithDefault{
-		Store: store.New(config.ContextStoreDir(), cli.contextStoreConfig),
+		Store: store.New(config.ContextStoreDir(), *cli.contextStoreConfig),
 		Resolver: func() (*DefaultContext, error) {
-			return ResolveDefaultContext(cli.options, cli.contextStoreConfig)
+			return ResolveDefaultContext(cli.options, *cli.contextStoreConfig)
 		},
 	}
 
@@ -292,6 +280,7 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 	if cli.enableGlobalTracer {
 		cli.createGlobalTracerProvider(cli.baseCtx)
 	}
+	filterResourceAttributesEnvvar()
 
 	return nil
 }
@@ -345,7 +334,10 @@ func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint,
 
 // Resolve the Docker endpoint for the default context (based on config, env vars and CLI flags)
 func resolveDefaultDockerEndpoint(opts *cliflags.ClientOptions) (docker.Endpoint, error) {
-	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	// defaultToTLS determines whether we should use a TLS host as default
+	// if nothing was configured by the user.
+	defaultToTLS := opts.TLSOptions != nil
+	host, err := getServerHost(opts.Hosts, defaultToTLS)
 	if err != nil {
 		return docker.Endpoint{}, err
 	}
@@ -403,11 +395,6 @@ func (cli *DockerCli) initializeFromClient() {
 	cli.client.NegotiateAPIVersionPing(ping)
 }
 
-// NotaryClient provides a Notary Repository to interact with signed metadata for an image
-func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
-	return trust.GetNotaryRepository(cli.In(), cli.Out(), UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
-}
-
 // ContextStore returns the ContextStore
 func (cli *DockerCli) ContextStore() store.Store {
 	return cli.contextStore
@@ -523,7 +510,7 @@ func (cli *DockerCli) Apply(ops ...CLIOption) error {
 type ServerInfo struct {
 	HasExperimental bool
 	OSType          string
-	BuildkitVersion types.BuilderVersion
+	BuildkitVersion build.BuilderVersion
 
 	// SwarmStatus provides information about the current swarm status of the
 	// engine, obtained from the "Swarm" header in the API response.
@@ -553,18 +540,15 @@ func NewDockerCli(ops ...CLIOption) (*DockerCli, error) {
 	return cli, nil
 }
 
-func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
-	var host string
+func getServerHost(hosts []string, defaultToTLS bool) (string, error) {
 	switch len(hosts) {
 	case 0:
-		host = os.Getenv(client.EnvOverrideHost)
+		return dopts.ParseHost(defaultToTLS, os.Getenv(client.EnvOverrideHost))
 	case 1:
-		host = hosts[0]
+		return dopts.ParseHost(defaultToTLS, hosts[0])
 	default:
 		return "", errors.New("Specify only one -H")
 	}
-
-	return dopts.ParseHost(tlsOptions != nil, host)
 }
 
 // UserAgent returns the user agent string used for making API requests

cli/command/cli_options.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/client"
-	"github.com/docker/docker/errdefs"
 	"github.com/moby/term"
 	"github.com/pkg/errors"
 )
@@ -101,7 +100,8 @@ func WithContentTrust(enabled bool) CLIOption {
 // WithDefaultContextStoreConfig configures the cli to use the default context store configuration.
 func WithDefaultContextStoreConfig() CLIOption {
 	return func(cli *DockerCli) error {
-		cli.contextStoreConfig = DefaultContextStoreConfig()
+		cfg := DefaultContextStoreConfig()
+		cli.contextStoreConfig = &cfg
 		return nil
 	}
 }
@@ -114,6 +114,18 @@ func WithAPIClient(c client.APIClient) CLIOption {
 	}
 }
 
+// WithInitializeClient is passed to [DockerCli.Initialize] to initialize
+// an API Client for use by the CLI.
+func WithInitializeClient(makeClient func(*DockerCli) (client.APIClient, error)) CLIOption {
+	return func(cli *DockerCli) error {
+		c, err := makeClient(cli)
+		if err != nil {
+			return err
+		}
+		return WithAPIClient(c)(cli)
+	}
+}
+
 // envOverrideHTTPHeaders is the name of the environment-variable that can be
 // used to set custom HTTP headers to be sent by the client. This environment
 // variable is the equivalent to the HttpHeaders field in the configuration
@@ -177,7 +189,7 @@ func withCustomHeadersFromEnv() client.Opt {
 		csvReader := csv.NewReader(strings.NewReader(value))
 		fields, err := csvReader.Read()
 		if err != nil {
-			return errdefs.InvalidParameter(errors.Errorf(
+			return invalidParameter(errors.Errorf(
 				"failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs",
 				envOverrideHTTPHeaders,
 			))
@@ -194,7 +206,7 @@ func withCustomHeadersFromEnv() client.Opt {
 			k = strings.TrimSpace(k)
 
 			if k == "" {
-				return errdefs.InvalidParameter(errors.Errorf(
+				return invalidParameter(errors.Errorf(
 					`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`,
 					envOverrideHTTPHeaders, kv,
 				))
@@ -205,7 +217,7 @@ func withCustomHeadersFromEnv() client.Opt {
 			// from an environment variable with the same name). In the meantime,
 			// produce an error to prevent users from depending on this.
 			if !hasValue {
-				return errdefs.InvalidParameter(errors.Errorf(
+				return invalidParameter(errors.Errorf(
 					`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`,
 					envOverrideHTTPHeaders, kv,
 				))

cli/command/cli_test.go

@@ -19,12 +19,10 @@ import (
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/flags"
-	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"gotest.tools/v3/assert"
-	"gotest.tools/v3/fs"
 )
 
 func TestNewAPIClientFromFlags(t *testing.T) {
@@ -207,8 +205,8 @@ func TestInitializeFromClient(t *testing.T) {
 // Makes sure we don't hang forever on the initial connection.
 // https://github.com/docker/cli/issues/3652
 func TestInitializeFromClientHangs(t *testing.T) {
-	dir := t.TempDir()
-	socket := filepath.Join(dir, "my.sock")
+	tmpDir := t.TempDir()
+	socket := filepath.Join(tmpDir, "my.sock")
 	l, err := net.Listen("unix", socket)
 	assert.NilError(t, err)
 
@@ -256,79 +254,40 @@ func TestInitializeFromClientHangs(t *testing.T) {
 	}
 }
 
-// The CLI no longer disables/hides experimental CLI features, however, we need
-// to verify that existing configuration files do not break
-func TestExperimentalCLI(t *testing.T) {
-	defaultVersion := "v1.55"
-
-	testcases := []struct {
-		doc        string
-		configfile string
-	}{
-		{
-			doc:        "default",
-			configfile: `{}`,
-		},
-		{
-			doc: "experimental",
-			configfile: `{
-	"experimental": "enabled"
-}`,
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.doc, func(t *testing.T) {
-			dir := fs.NewDir(t, tc.doc, fs.WithFile("config.json", tc.configfile))
-			defer dir.Remove()
-			apiclient := &fakeClient{
-				version: defaultVersion,
-				pingFunc: func() (types.Ping, error) {
-					return types.Ping{Experimental: true, OSType: "linux", APIVersion: defaultVersion}, nil
-				},
-			}
-
-			cli := &DockerCli{client: apiclient, err: streams.NewOut(os.Stderr)}
-			config.SetDir(dir.Path())
-			err := cli.Initialize(flags.NewClientOptions())
-			assert.NilError(t, err)
-		})
-	}
-}
-
 func TestNewDockerCliAndOperators(t *testing.T) {
 	// Test default operations and also overriding default ones
-	cli, err := NewDockerCli(
-		WithContentTrust(true),
-	)
+	cli, err := NewDockerCli(WithInputStream(io.NopCloser(strings.NewReader("some input"))))
 	assert.NilError(t, err)
 	// Check streams are initialized
 	assert.Check(t, cli.In() != nil)
 	assert.Check(t, cli.Out() != nil)
 	assert.Check(t, cli.Err() != nil)
-	assert.Equal(t, cli.ContentTrustEnabled(), true)
+	inputStream, err := io.ReadAll(cli.In())
+	assert.NilError(t, err)
+	assert.Equal(t, string(inputStream), "some input")
 
 	// Apply can modify a dockerCli after construction
-	inbuf := bytes.NewBuffer([]byte("input"))
 	outbuf := bytes.NewBuffer(nil)
 	errbuf := bytes.NewBuffer(nil)
 	err = cli.Apply(
-		WithInputStream(io.NopCloser(inbuf)),
+		WithInputStream(io.NopCloser(strings.NewReader("input"))),
 		WithOutputStream(outbuf),
 		WithErrorStream(errbuf),
 	)
 	assert.NilError(t, err)
 	// Check input stream
-	inputStream, err := io.ReadAll(cli.In())
+	inputStream, err = io.ReadAll(cli.In())
 	assert.NilError(t, err)
 	assert.Equal(t, string(inputStream), "input")
 	// Check output stream
-	fmt.Fprintf(cli.Out(), "output")
+	_, err = fmt.Fprint(cli.Out(), "output")
+	assert.NilError(t, err)
 	outputStream, err := io.ReadAll(outbuf)
 	assert.NilError(t, err)
 	assert.Equal(t, string(outputStream), "output")
 	// Check error stream
-	fmt.Fprintf(cli.Err(), "error")
+	_, err = fmt.Fprint(cli.Err(), "error")
+	assert.NilError(t, err)
 	errStream, err := io.ReadAll(errbuf)
 	assert.NilError(t, err)
 	assert.Equal(t, string(errStream), "error")
@@ -345,6 +304,8 @@ func TestInitializeShouldAlwaysCreateTheContextStore(t *testing.T) {
 
 func TestHooksEnabled(t *testing.T) {
 	t.Run("disabled by default", func(t *testing.T) {
+		// Make sure we don't depend on any existing ~/.docker/config.json
+		config.SetDir(t.TempDir())
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
 
@@ -356,12 +317,11 @@ func TestHooksEnabled(t *testing.T) {
     "features": {
       "hooks": "true"
     }}`
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, cli.HooksEnabled())
 	})
 
@@ -371,12 +331,11 @@ func TestHooksEnabled(t *testing.T) {
       "hooks": "true"
     }}`
 		t.Setenv("DOCKER_CLI_HOOKS", "false")
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, !cli.HooksEnabled())
 	})
 
@@ -386,12 +345,11 @@ func TestHooksEnabled(t *testing.T) {
       "hooks": "true"
     }}`
 		t.Setenv("DOCKER_CLI_HINTS", "false")
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, !cli.HooksEnabled())
 	})
 }

cli/command/commands/commands.go

@@ -43,6 +43,7 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		system.NewInfoCommand(dockerCli),
 
 		// management commands
+		builder.NewBakeStubCommand(dockerCli),
 		builder.NewBuilderCommand(dockerCli),
 		checkpoint.NewCheckpointCommand(dockerCli),
 		container.NewContainerCommand(dockerCli),

cli/command/completion/functions.go

@@ -13,8 +13,10 @@ import (
 	"github.com/spf13/cobra"
 )
 
-// ValidArgsFn a function to be used by cobra command as `ValidArgsFunction` to offer command line completion
-type ValidArgsFn func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective)
+// ValidArgsFn a function to be used by cobra command as `ValidArgsFunction` to offer command line completion.
+//
+// Deprecated: use [cobra.CompletionFunc].
+type ValidArgsFn = cobra.CompletionFunc
 
 // APIClientProvider provides a method to get an [client.APIClient], initializing
 // it if needed.
@@ -27,7 +29,7 @@ type APIClientProvider interface {
 }
 
 // ImageNames offers completion for images present within the local store
-func ImageNames(dockerCLI APIClientProvider, limit int) ValidArgsFn {
+func ImageNames(dockerCLI APIClientProvider, limit int) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if limit > 0 && len(args) >= limit {
 			return nil, cobra.ShellCompDirectiveNoFileComp
@@ -47,7 +49,7 @@ func ImageNames(dockerCLI APIClientProvider, limit int) ValidArgsFn {
 // ContainerNames offers completion for container names and IDs
 // By default, only names are returned.
 // Set DOCKER_COMPLETION_SHOW_CONTAINER_IDS=yes to also complete IDs.
-func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(container.Summary) bool) ValidArgsFn {
+func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(container.Summary) bool) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		list, err := dockerCLI.Client().ContainerList(cmd.Context(), container.ListOptions{
 			All: all,
@@ -80,7 +82,7 @@ func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(conta
 }
 
 // VolumeNames offers completion for volumes
-func VolumeNames(dockerCLI APIClientProvider) ValidArgsFn {
+func VolumeNames(dockerCLI APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		list, err := dockerCLI.Client().VolumeList(cmd.Context(), volume.ListOptions{})
 		if err != nil {
@@ -95,7 +97,7 @@ func VolumeNames(dockerCLI APIClientProvider) ValidArgsFn {
 }
 
 // NetworkNames offers completion for networks
-func NetworkNames(dockerCLI APIClientProvider) ValidArgsFn {
+func NetworkNames(dockerCLI APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		list, err := dockerCLI.Client().NetworkList(cmd.Context(), network.ListOptions{})
 		if err != nil {
@@ -133,7 +135,7 @@ func EnvVarNames(_ *cobra.Command, _ []string, _ string) (names []string, _ cobr
 }
 
 // FromList offers completion for the given list of options.
-func FromList(options ...string) ValidArgsFn {
+func FromList(options ...string) cobra.CompletionFunc {
 	return cobra.FixedCompletions(options, cobra.ShellCompDirectiveNoFileComp)
 }
 
@@ -150,7 +152,6 @@ func NoComplete(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCo
 }
 
 var commonPlatforms = []string{
-	"linux",
 	"linux/386",
 	"linux/amd64",
 	"linux/arm",
@@ -167,10 +168,8 @@ var commonPlatforms = []string{
 	// Not yet supported
 	"linux/riscv64",
 
-	"windows",
 	"windows/amd64",
 
-	"wasip1",
 	"wasip1/wasm",
 }
 

cli/command/completion/functions_test.go

@@ -82,9 +82,9 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "all containers",
 			showAll: true,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-c", "container-c/link-b", "container-b", "container-a"},
 			expOpts:      container.ListOptions{All: true},
@@ -95,9 +95,9 @@ func TestCompleteContainerNames(t *testing.T) {
 			showAll: true,
 			showIDs: true,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"id-c", "container-c", "container-c/link-b", "id-b", "container-b", "id-a", "container-a"},
 			expOpts:      container.ListOptions{All: true},
@@ -107,7 +107,7 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "only running containers",
 			showAll: false,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
 			},
 			expOut:       []string{"container-c", "container-c/link-b"},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
@@ -116,12 +116,12 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "with filter",
 			showAll: true,
 			filters: []func(container.Summary) bool{
-				func(container container.Summary) bool { return container.State == "created" },
+				func(ctr container.Summary) bool { return ctr.State == container.StateCreated },
 			},
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-b"},
 			expOpts:      container.ListOptions{All: true},
@@ -131,13 +131,13 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "multiple filters",
 			showAll: true,
 			filters: []func(container.Summary) bool{
-				func(container container.Summary) bool { return container.ID == "id-a" },
-				func(container container.Summary) bool { return container.State == "created" },
+				func(ctr container.Summary) bool { return ctr.ID == "id-a" },
+				func(ctr container.Summary) bool { return ctr.State == container.StateCreated },
 			},
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "created", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateCreated, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-a"},
 			expOpts:      container.ListOptions{All: true},

cli/command/config/client_test.go

@@ -3,24 +3,23 @@ package config
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 )
 
 type fakeClient struct {
 	client.Client
-	configCreateFunc  func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+	configCreateFunc  func(context.Context, swarm.ConfigSpec) (swarm.ConfigCreateResponse, error)
 	configInspectFunc func(context.Context, string) (swarm.Config, []byte, error)
-	configListFunc    func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
+	configListFunc    func(context.Context, swarm.ConfigListOptions) ([]swarm.Config, error)
 	configRemoveFunc  func(string) error
 }
 
-func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
 	if c.configCreateFunc != nil {
 		return c.configCreateFunc(ctx, spec)
 	}
-	return types.ConfigCreateResponse{}, nil
+	return swarm.ConfigCreateResponse{}, nil
 }
 
 func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
@@ -30,7 +29,7 @@ func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm
 	return swarm.Config{}, nil, nil
 }
 
-func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (c *fakeClient) ConfigList(ctx context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 	if c.configListFunc != nil {
 		return c.configListFunc(ctx, options)
 	}

cli/command/config/cmd.go

@@ -4,7 +4,7 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 	"github.com/spf13/cobra"
 )
 
@@ -30,9 +30,9 @@ func NewConfigCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // completeNames offers completion for swarm configs
-func completeNames(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeNames(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCLI.Client().ConfigList(cmd.Context(), types.ConfigListOptions{})
+		list, err := dockerCLI.Client().ConfigList(cmd.Context(), swarm.ConfigListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}

cli/command/config/create.go

@@ -51,17 +51,7 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 func RunConfigCreate(ctx context.Context, dockerCLI command.Cli, options CreateOptions) error {
 	apiClient := dockerCLI.Client()
 
-	var in io.Reader = dockerCLI.In()
-	if options.File != "-" {
-		file, err := sequential.Open(options.File)
-		if err != nil {
-			return err
-		}
-		in = file
-		defer file.Close()
-	}
-
-	configData, err := io.ReadAll(in)
+	configData, err := readConfigData(dockerCLI.In(), options.File)
 	if err != nil {
 		return errors.Errorf("Error reading content from %q: %v", options.File, err)
 	}
@@ -69,7 +59,7 @@ func RunConfigCreate(ctx context.Context, dockerCLI command.Cli, options CreateO
 	spec := swarm.ConfigSpec{
 		Annotations: swarm.Annotations{
 			Name:   options.Name,
-			Labels: opts.ConvertKVStringsToMap(options.Labels.GetAll()),
+			Labels: opts.ConvertKVStringsToMap(options.Labels.GetSlice()),
 		},
 		Data: configData,
 	}
@@ -83,6 +73,54 @@ func RunConfigCreate(ctx context.Context, dockerCLI command.Cli, options CreateO
 		return err
 	}
 
-	fmt.Fprintln(dockerCLI.Out(), r.ID)
+	_, _ = fmt.Fprintln(dockerCLI.Out(), r.ID)
 	return nil
 }
+
+// maxConfigSize is the maximum byte length of the [swarm.ConfigSpec.Data] field,
+// as defined by [MaxConfigSize] in SwarmKit.
+//
+// [MaxConfigSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize
+const maxConfigSize = 1000 * 1024 // 1000KB
+
+// readConfigData reads the config from either stdin or the given fileName.
+//
+// It reads up to twice the maximum size of the config ([maxConfigSize]),
+// just in case swarm's limit changes; this is only a safeguard to prevent
+// reading arbitrary files into memory.
+func readConfigData(in io.Reader, fileName string) ([]byte, error) {
+	switch fileName {
+	case "-":
+		data, err := io.ReadAll(io.LimitReader(in, 2*maxConfigSize))
+		if err != nil {
+			return nil, fmt.Errorf("error reading from STDIN: %w", err)
+		}
+		if len(data) == 0 {
+			return nil, errors.New("error reading from STDIN: data is empty")
+		}
+		return data, nil
+	case "":
+		return nil, errors.New("config file is required")
+	default:
+		// Open file with [FILE_FLAG_SEQUENTIAL_SCAN] on Windows, which
+		// prevents Windows from aggressively caching it. We expect this
+		// file to be only read once. Given that this is expected to be
+		// a small file, this may not be a significant optimization, so
+		// we could choose to omit this, and use a regular [os.Open].
+		//
+		// [FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
+		f, err := sequential.Open(fileName)
+		if err != nil {
+			return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
+		}
+		defer f.Close()
+		data, err := io.ReadAll(io.LimitReader(f, 2*maxConfigSize))
+		if err != nil {
+			return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
+		}
+		if len(data) == 0 {
+			return nil, fmt.Errorf("error reading from %s: data is empty", fileName)
+		}
+		return data, nil
+	}
+}

cli/command/config/create_test.go

@@ -12,7 +12,6 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -24,7 +23,7 @@ const configDataFile = "config-create-with-name.golden"
 func TestConfigCreateErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		configCreateFunc func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+		configCreateFunc func(context.Context, swarm.ConfigSpec) (swarm.ConfigCreateResponse, error)
 		expectedError    string
 	}{
 		{
@@ -37,8 +36,8 @@ func TestConfigCreateErrors(t *testing.T) {
 		},
 		{
 			args: []string{"name", filepath.Join("testdata", configDataFile)},
-			configCreateFunc: func(_ context.Context, configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-				return types.ConfigCreateResponse{}, errors.New("error creating config")
+			configCreateFunc: func(_ context.Context, configSpec swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
+				return swarm.ConfigCreateResponse{}, errors.New("error creating config")
 			},
 			expectedError: "error creating config",
 		},
@@ -59,17 +58,17 @@ func TestConfigCreateErrors(t *testing.T) {
 }
 
 func TestConfigCreateWithName(t *testing.T) {
-	name := "foo"
+	const name = "config-with-name"
 	var actual []byte
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
 			if spec.Name != name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
+				return swarm.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
 			}
 
 			actual = spec.Data
 
-			return types.ConfigCreateResponse{
+			return swarm.ConfigCreateResponse{
 				ID: "ID-" + spec.Name,
 			}, nil
 		},
@@ -87,7 +86,7 @@ func TestConfigCreateWithLabels(t *testing.T) {
 		"lbl1": "Label-foo",
 		"lbl2": "Label-bar",
 	}
-	name := "foo"
+	const name = "config-with-labels"
 
 	data, err := os.ReadFile(filepath.Join("testdata", configDataFile))
 	assert.NilError(t, err)
@@ -101,12 +100,12 @@ func TestConfigCreateWithLabels(t *testing.T) {
 	}
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
 			if !reflect.DeepEqual(spec, expected) {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected %+v, got %+v", expected, spec)
+				return swarm.ConfigCreateResponse{}, fmt.Errorf("expected %+v, got %+v", expected, spec)
 			}
 
-			return types.ConfigCreateResponse{
+			return swarm.ConfigCreateResponse{
 				ID: "ID-" + spec.Name,
 			}, nil
 		},
@@ -124,19 +123,19 @@ func TestConfigCreateWithTemplatingDriver(t *testing.T) {
 	expectedDriver := &swarm.Driver{
 		Name: "template-driver",
 	}
-	name := "foo"
+	const name = "config-with-template-driver"
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
 			if spec.Name != name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
+				return swarm.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
 			}
 
 			if spec.Templating.Name != expectedDriver.Name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+				return swarm.ConfigCreateResponse{}, fmt.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
 			}
 
-			return types.ConfigCreateResponse{
+			return swarm.ConfigCreateResponse{
 				ID: "ID-" + spec.Name,
 			}, nil
 		},

cli/command/config/formatter.go

@@ -5,7 +5,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/inspect"
 	"github.com/docker/docker/api/types/swarm"
@@ -157,11 +156,11 @@ func (ctx *configInspectContext) Labels() map[string]string {
 }
 
 func (ctx *configInspectContext) CreatedAt() string {
-	return command.PrettyPrint(ctx.Config.CreatedAt)
+	return formatter.PrettyPrint(ctx.Config.CreatedAt)
 }
 
 func (ctx *configInspectContext) UpdatedAt() string {
-	return command.PrettyPrint(ctx.Config.UpdatedAt)
+	return formatter.PrettyPrint(ctx.Config.UpdatedAt)
 }
 
 func (ctx *configInspectContext) Data() string {

cli/command/config/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package config
 

cli/command/config/ls.go

@@ -10,7 +10,7 @@ import (
 	"github.com/docker/cli/cli/command/formatter"
 	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
 )
@@ -48,7 +48,7 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
 func RunConfigList(ctx context.Context, dockerCLI command.Cli, options ListOptions) error {
 	apiClient := dockerCLI.Client()
 
-	configs, err := apiClient.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
+	configs, err := apiClient.ConfigList(ctx, swarm.ConfigListOptions{Filters: options.Filter.Value()})
 	if err != nil {
 		return err
 	}

cli/command/config/ls_test.go

@@ -10,7 +10,6 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -20,7 +19,7 @@ import (
 func TestConfigListErrors(t *testing.T) {
 	testCases := []struct {
 		args           []string
-		configListFunc func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
+		configListFunc func(context.Context, swarm.ConfigListOptions) ([]swarm.Config, error)
 		expectedError  string
 	}{
 		{
@@ -28,7 +27,7 @@ func TestConfigListErrors(t *testing.T) {
 			expectedError: "accepts no argument",
 		},
 		{
-			configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+			configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 				return []swarm.Config{}, errors.New("error listing configs")
 			},
 			expectedError: "error listing configs",
@@ -49,7 +48,7 @@ func TestConfigListErrors(t *testing.T) {
 
 func TestConfigList(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*builders.Config(builders.ConfigID("ID-1-foo"),
 					builders.ConfigName("1-foo"),
@@ -79,7 +78,7 @@ func TestConfigList(t *testing.T) {
 
 func TestConfigListWithQuietOption(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
 				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
@@ -96,7 +95,7 @@ func TestConfigListWithQuietOption(t *testing.T) {
 
 func TestConfigListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
 				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
@@ -115,7 +114,7 @@ func TestConfigListWithConfigFormat(t *testing.T) {
 
 func TestConfigListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
 				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
@@ -132,7 +131,7 @@ func TestConfigListWithFormat(t *testing.T) {
 
 func TestConfigListWithFilter(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]))
 			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
 			return []swarm.Config{

cli/command/container/attach.go

@@ -56,7 +56,7 @@ func NewAttachCommand(dockerCLI command.Cli) *cobra.Command {
 			"aliases": "docker container attach, docker attach",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr container.Summary) bool {
-			return ctr.State != "paused"
+			return ctr.State != container.StatePaused
 		}),
 	}
 

cli/command/container/auth_config_utils.go

@@ -0,0 +1,46 @@
+package container
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
+)
+
+// readCredentials resolves auth-config from the current environment to be
+// applied to the container if the `--use-api-socket` flag is set.
+//
+//   - If a valid "DOCKER_AUTH_CONFIG" env-var is found, and it contains
+//     credentials, it's value is used.
+//   - If no "DOCKER_AUTH_CONFIG" env-var is found, or it does not contain
+//     credentials, it attempts to read from the CLI's credentials store.
+//
+// It returns an error if either the "DOCKER_AUTH_CONFIG" is incorrectly
+// formatted, or when failing to read from the credentials store.
+//
+// A nil value is returned if neither option contained any credentials.
+func readCredentials(dockerCLI config.Provider) (creds map[string]types.AuthConfig, _ error) {
+	if v, ok := os.LookupEnv("DOCKER_AUTH_CONFIG"); ok && v != "" {
+		// The results are expected to have been unmarshaled the same as
+		// when reading from a config-file, which includes decoding the
+		// base64-encoded "username:password" into the "UserName" and
+		// "Password" fields.
+		ac := &configfile.ConfigFile{}
+		if err := ac.LoadFromReader(strings.NewReader(v)); err != nil {
+			return nil, fmt.Errorf("failed to read credentials from DOCKER_AUTH_CONFIG: %w", err)
+		}
+		if len(ac.AuthConfigs) > 0 {
+			return ac.AuthConfigs, nil
+		}
+	}
+
+	// Resolve this here for later, ensuring we error our before we create the container.
+	creds, err := dockerCLI.ConfigFile().GetAllCredentials()
+	if err != nil {
+		return nil, fmt.Errorf("resolving credentials failed: %w", err)
+	}
+	return creds, nil
+}

cli/command/container/client_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/client"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 type fakeClient struct {
@@ -22,7 +22,7 @@ type fakeClient struct {
 	createContainerFunc func(config *container.Config,
 		hostConfig *container.HostConfig,
 		networkingConfig *network.NetworkingConfig,
-		platform *specs.Platform,
+		platform *ocispec.Platform,
 		containerName string) (container.CreateResponse, error)
 	containerStartFunc      func(containerID string, options container.StartOptions) error
 	imageCreateFunc         func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
@@ -84,7 +84,7 @@ func (f *fakeClient) ContainerCreate(
 	config *container.Config,
 	hostConfig *container.HostConfig,
 	networkingConfig *network.NetworkingConfig,
-	platform *specs.Platform,
+	platform *ocispec.Platform,
 	containerName string,
 ) (container.CreateResponse, error) {
 	if f.createContainerFunc != nil {

cli/command/container/cmd.go

@@ -28,7 +28,7 @@ func NewContainerCommand(dockerCli command.Cli) *cobra.Command {
 		NewPortCommand(dockerCli),
 		NewRenameCommand(dockerCli),
 		NewRestartCommand(dockerCli),
-		NewRmCommand(dockerCli),
+		newRemoveCommand(dockerCli),
 		NewRunCommand(dockerCli),
 		NewStartCommand(dockerCli),
 		NewStatsCommand(dockerCli),

cli/command/container/commit.go

@@ -61,7 +61,7 @@ func runCommit(ctx context.Context, dockerCli command.Cli, options *commitOption
 		Reference: options.reference,
 		Comment:   options.comment,
 		Author:    options.author,
-		Changes:   options.changes.GetAll(),
+		Changes:   options.changes.GetSlice(),
 		Pause:     options.pause,
 	})
 	if err != nil {

cli/command/container/completion.go

@@ -1,6 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
-// +build go1.22
+//go:build go1.23
 
 package container
 
@@ -57,7 +56,7 @@ var logDriverOptions = map[string][]string{
 	"fluentd": {
 		"max-buffer-size", "mode", "env", "env-regex", "labels", "fluentd-address", "fluentd-async",
 		"fluentd-buffer-limit", "fluentd-request-ack", "fluentd-retry-wait", "fluentd-max-retries",
-		"fluentd-sub-second-precision", "tag",
+		"fluentd-sub-second-precision", "fluentd-write-timeout", "tag",
 	},
 	"gcplogs": {
 		"max-buffer-size", "mode", "env", "env-regex", "labels", "gcp-log-cmd", "gcp-meta-id", "gcp-meta-name",
@@ -145,7 +144,7 @@ func addCompletions(cmd *cobra.Command, dockerCLI completion.APIClientProvider)
 }
 
 // completeCgroupns implements shell completion for the `--cgroupns` option of `run` and `create`.
-func completeCgroupns() completion.ValidArgsFn {
+func completeCgroupns() cobra.CompletionFunc {
 	return completion.FromList(string(container.CgroupnsModeHost), string(container.CgroupnsModePrivate))
 }
 
@@ -156,7 +155,7 @@ func completeDetachKeys(_ *cobra.Command, _ []string, _ string) ([]string, cobra
 
 // completeIpc implements shell completion for the `--ipc` option of `run` and `create`.
 // The completion is partly composite.
-func completeIpc(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completeIpc(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
 			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
@@ -176,7 +175,7 @@ func completeIpc(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command
 }
 
 // completeLink implements shell completion for the `--link` option  of `run` and `create`.
-func completeLink(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completeLink(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return postfixWith(":", containerNames(dockerCLI, cmd, args, toComplete)), cobra.ShellCompDirectiveNoSpace
 	}
@@ -185,7 +184,7 @@ func completeLink(dockerCLI completion.APIClientProvider) func(cmd *cobra.Comman
 // completeLogDriver implements shell completion for the `--log-driver` option  of `run` and `create`.
 // The log drivers are collected from a call to the Info endpoint with a fallback to a hard-coded list
 // of the build-in log drivers.
-func completeLogDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeLogDriver(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		info, err := dockerCLI.Client().Info(cmd.Context())
 		if err != nil {
@@ -207,7 +206,7 @@ func completeLogOpt(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.S
 }
 
 // completePid implements shell completion for the `--pid` option  of `run` and `create`.
-func completePid(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completePid(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
 			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
@@ -278,7 +277,7 @@ func completeUlimit(_ *cobra.Command, _ []string, _ string) ([]string, cobra.She
 }
 
 // completeVolumeDriver contacts the API to get the built-in and installed volume drivers.
-func completeVolumeDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeVolumeDriver(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
 		info, err := dockerCLI.Client().Info(cmd.Context())
 		if err != nil {

cli/command/container/cp.go

@@ -16,8 +16,8 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/archive"
 	units "github.com/docker/go-units"
+	"github.com/moby/go-archive"
 	"github.com/morikuni/aec"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"

cli/command/container/cp_test.go

@@ -10,7 +10,8 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
@@ -74,7 +75,7 @@ func TestRunCopyFromContainerToFilesystem(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
 		containerCopyFromFunc: func(ctr, srcPath string) (io.ReadCloser, container.PathStat, error) {
 			assert.Check(t, is.Equal("container", ctr))
-			readCloser, err := archive.Tar(srcDir.Path(), archive.Uncompressed)
+			readCloser, err := archive.Tar(srcDir.Path(), compression.None)
 			return readCloser, container.PathStat{}, err
 		},
 	})

cli/command/container/create.go

@@ -1,26 +1,35 @@
 package container
 
 import (
+	"archive/tar"
+	"bytes"
 	"context"
 	"fmt"
 	"io"
+	"net/netip"
 	"os"
-	"regexp"
+	"path"
+	"strings"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/image"
-	"github.com/docker/cli/cli/internal/jsonstream"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/cli/streams"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/internal/jsonstream"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/container"
 	imagetypes "github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/docker/docker/client"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -34,11 +43,12 @@ const (
 )
 
 type createOptions struct {
-	name      string
-	platform  string
-	untrusted bool
-	pull      string // always, missing, never
-	quiet     bool
+	name         string
+	platform     string
+	untrusted    bool
+	pull         string // always, missing, never
+	quiet        bool
+	useAPISocket bool
 }
 
 // NewCreateCommand creates a new cobra.Command for `docker create`
@@ -69,6 +79,8 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.name, "name", "", "Assign a name to the container")
 	flags.StringVar(&options.pull, "pull", PullImageMissing, `Pull image before creating ("`+PullImageAlways+`", "|`+PullImageMissing+`", "`+PullImageNever+`")`)
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the pull output")
+	flags.BoolVarP(&options.useAPISocket, "use-api-socket", "", false, "Bind mount Docker API socket and required auth")
+	flags.SetAnnotation("use-api-socket", "experimentalCLI", nil) // Marks flag as experimental for now.
 
 	// Add an explicit help that doesn't have a `-h` to prevent the conflict
 	// with hostname
@@ -97,7 +109,7 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 			StatusCode: 125,
 		}
 	}
-	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetSlice()))
 	newEnv := []string{}
 	for k, v := range proxyConfig {
 		if v == nil {
@@ -114,12 +126,6 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 			StatusCode: 125,
 		}
 	}
-	if err = validateAPIVersion(containerCfg, dockerCli.Client().ClientVersion()); err != nil {
-		return cli.StatusError{
-			Status:     withHelp(err, "create").Error(),
-			StatusCode: 125,
-		}
-	}
 	id, err := createContainer(ctx, dockerCli, containerCfg, options)
 	if err != nil {
 		return err
@@ -184,20 +190,20 @@ func (cid *cidFile) Write(id string) error {
 	return nil
 }
 
-func newCIDFile(path string) (*cidFile, error) {
-	if path == "" {
+func newCIDFile(cidPath string) (*cidFile, error) {
+	if cidPath == "" {
 		return &cidFile{}, nil
 	}
-	if _, err := os.Stat(path); err == nil {
-		return nil, errors.Errorf("container ID file found, make sure the other container isn't running or delete %s", path)
+	if _, err := os.Stat(cidPath); err == nil {
+		return nil, errors.Errorf("container ID file found, make sure the other container isn't running or delete %s", cidPath)
 	}
 
-	f, err := os.Create(path)
+	f, err := os.Create(cidPath)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create the container ID file")
 	}
 
-	return &cidFile{path: path, file: f}, nil
+	return &cidFile{path: cidPath, file: f}, nil
 }
 
 //nolint:gocyclo
@@ -206,9 +212,6 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	hostConfig := containerCfg.HostConfig
 	networkingConfig := containerCfg.NetworkingConfig
 
-	warnOnOomKillDisable(*hostConfig, dockerCli.Err())
-	warnOnLocalhostDNS(*hostConfig, dockerCli.Err())
-
 	var (
 		trustedRef reference.Canonical
 		namedRef   reference.Named
@@ -237,17 +240,75 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		}
 	}
 
-	pullAndTagImage := func() error {
-		if err := pullImage(ctx, dockerCli, config.Image, options); err != nil {
-			return err
+	const dockerConfigPathInContainer = "/run/secrets/docker/config.json"
+	var apiSocketCreds map[string]types.AuthConfig
+
+	if options.useAPISocket {
+		// We'll create two new mounts to handle this flag:
+		// 1. Mount the actual docker socket.
+		// 2. A synthezised ~/.docker/config.json with resolved tokens.
+
+		socket := dockerCli.DockerEndpoint().Host
+		if !strings.HasPrefix(socket, "unix://") {
+			return "", fmt.Errorf("flag --use-api-socket can only be used with unix sockets: docker endpoint %s incompatible", socket)
 		}
-		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
-			return image.TagTrusted(ctx, dockerCli, trustedRef, taggedRef)
+		socket = strings.TrimPrefix(socket, "unix://") // should we confirm absolute path?
+
+		containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+			Type:        mount.TypeBind,
+			Source:      socket,
+			Target:      "/var/run/docker.sock",
+			BindOptions: &mount.BindOptions{},
+		})
+
+		/*
+
+		   Ideally, we'd like to copy the config into a tmpfs but unfortunately,
+		   the mounts won't be in place until we start the container. This can
+		   leave around the config if the container doesn't get deleted.
+
+		   We are using the most compose-secret-compatible approach,
+		   which is implemented at
+		   https://github.com/docker/compose/blob/main/pkg/compose/convergence.go#L737
+
+		   // Prepare a tmpfs mount for our credentials so they go away after the
+		   // container exits. We'll copy into this mount after the container is
+		   // created.
+		   containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+		       Type:   mount.TypeTmpfs,
+		       Target: "/docker/",
+		       TmpfsOptions: &mount.TmpfsOptions{
+		           SizeBytes: 1 << 20, // only need a small partition
+		           Mode:      0o600,
+		       },
+		   })
+		*/
+
+		var envvarPresent bool
+		for _, envvar := range containerCfg.Config.Env {
+			if strings.HasPrefix(envvar, "DOCKER_CONFIG=") {
+				envvarPresent = true
+			}
+		}
+
+		// If the DOCKER_CONFIG env var is already present, we assume the client knows
+		// what they're doing and don't inject the creds.
+		if !envvarPresent {
+			// Resolve this here for later, ensuring we error our before we create the container.
+			creds, err := readCredentials(dockerCli)
+			if err != nil {
+				return "", fmt.Errorf("resolving credentials failed: %w", err)
+			}
+			if len(creds) > 0 {
+				// Set our special little location for the config file.
+				containerCfg.Config.Env = append(containerCfg.Config.Env, "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
+
+				apiSocketCreds = creds // inject these after container creation.
+			}
 		}
-		return nil
 	}
 
-	var platform *specs.Platform
+	var platform *ocispec.Platform
 	// Engine API version 1.41 first introduced the option to specify platform on
 	// create. It will produce an error if you try to set a platform on older API
 	// versions, so check the API version here to maintain backwards
@@ -255,11 +316,21 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	if options.platform != "" && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.41") {
 		p, err := platforms.Parse(options.platform)
 		if err != nil {
-			return "", errors.Wrap(errdefs.InvalidParameter(err), "error parsing specified platform")
+			return "", errors.Wrap(invalidParameter(err), "error parsing specified platform")
 		}
 		platform = &p
 	}
 
+	pullAndTagImage := func() error {
+		if err := pullImage(ctx, dockerCli, config.Image, options); err != nil {
+			return err
+		}
+		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
+			return trust.TagTrusted(ctx, dockerCli.Client(), dockerCli.Err(), trustedRef, taggedRef)
+		}
+		return nil
+	}
+
 	if options.pull == PullImageAlways {
 		if err := pullAndTagImage(); err != nil {
 			return "", err
@@ -271,7 +342,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	response, err := dockerCli.Client().ContainerCreate(ctx, config, hostConfig, networkingConfig, platform, options.name)
 	if err != nil {
 		// Pull image if it does not exist locally and we have the PullImageMissing option. Default behavior.
-		if errdefs.IsNotFound(err) && namedRef != nil && options.pull == PullImageMissing {
+		if cerrdefs.IsNotFound(err) && namedRef != nil && options.pull == PullImageMissing {
 			if !options.quiet {
 				// we don't want to write to stdout anything apart from container.ID
 				_, _ = fmt.Fprintf(dockerCli.Err(), "Unable to find image '%s' locally\n", reference.FamiliarString(namedRef))
@@ -291,40 +362,41 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		}
 	}
 
+	if warn := localhostDNSWarning(*hostConfig); warn != "" {
+		response.Warnings = append(response.Warnings, warn)
+	}
+
+	containerID = response.ID
 	for _, w := range response.Warnings {
 		_, _ = fmt.Fprintln(dockerCli.Err(), "WARNING:", w)
 	}
-	err = containerIDFile.Write(response.ID)
-	return response.ID, err
-}
+	err = containerIDFile.Write(containerID)
 
-func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
-	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
-		_, _ = fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
+	if options.useAPISocket && len(apiSocketCreds) > 0 {
+		// Create a new config file with just the auth.
+		newConfig := &configfile.ConfigFile{
+			AuthConfigs: apiSocketCreds,
+		}
+
+		if err := copyDockerConfigIntoContainer(ctx, dockerCli.Client(), containerID, dockerConfigPathInContainer, newConfig); err != nil {
+			return "", fmt.Errorf("injecting docker config.json into container failed: %w", err)
+		}
 	}
+
+	return containerID, err
 }
 
 // check the DNS settings passed via --dns against localhost regexp to warn if
-// they are trying to set a DNS to a localhost address
-func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
+// they are trying to set a DNS to a localhost address.
+//
+// TODO(thaJeztah): move this to the daemon, which can make a better call if it will work or not (depending on networking mode).
+func localhostDNSWarning(hostConfig container.HostConfig) string {
 	for _, dnsIP := range hostConfig.DNS {
-		if isLocalhost(dnsIP) {
-			_, _ = fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
-			return
+		if addr, err := netip.ParseAddr(dnsIP); err == nil && addr.IsLoopback() {
+			return fmt.Sprintf("Localhost DNS (%s) may fail in containers.", addr)
 		}
 	}
-}
-
-// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
-const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
-
-var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
-
-// IsLocalhost returns true if ip matches the localhost IP regular expression.
-// Used for determining if nameserver settings are being passed which are
-// localhost addresses
-func isLocalhost(ip string) bool {
-	return localhostIPRegexp.MatchString(ip)
+	return ""
 }
 
 func validatePullOpt(val string) error {
@@ -342,3 +414,39 @@ func validatePullOpt(val string) error {
 		)
 	}
 }
+
+// copyDockerConfigIntoContainer takes the client configuration and copies it
+// into the container.
+//
+// The path should be an absolute path in the container, commonly
+// /root/.docker/config.json.
+func copyDockerConfigIntoContainer(ctx context.Context, dockerAPI client.APIClient, containerID string, configPath string, config *configfile.ConfigFile) error {
+	var configBuf bytes.Buffer
+	if err := config.SaveToWriter(&configBuf); err != nil {
+		return fmt.Errorf("saving creds: %w", err)
+	}
+
+	// We don't need to get super fancy with the tar creation.
+	var tarBuf bytes.Buffer
+	tarWriter := tar.NewWriter(&tarBuf)
+	tarWriter.WriteHeader(&tar.Header{
+		Name: configPath,
+		Size: int64(configBuf.Len()),
+		Mode: 0o600,
+	})
+
+	if _, err := io.Copy(tarWriter, &configBuf); err != nil {
+		return fmt.Errorf("writing config to tar file for config copy: %w", err)
+	}
+
+	if err := tarWriter.Close(); err != nil {
+		return fmt.Errorf("closing tar for config copy failed: %w", err)
+	}
+
+	if err := dockerAPI.CopyToContainer(ctx, containerID, "/",
+		&tarBuf, container.CopyToContainerOptions{}); err != nil {
+		return fmt.Errorf("copying config.json into container failed: %w", err)
+	}
+
+	return nil
+}

cli/command/container/create_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/google/go-cmp/cmp"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -121,7 +121,7 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 					config *container.Config,
 					hostConfig *container.HostConfig,
 					networkingConfig *network.NetworkingConfig,
-					platform *specs.Platform,
+					platform *ocispec.Platform,
 					containerName string,
 				) (container.CreateResponse, error) {
 					defer func() { tc.ResponseCounter++ }()
@@ -248,53 +248,48 @@ func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		fakeCLI := test.NewFakeCli(&fakeClient{
-			createContainerFunc: func(config *container.Config,
-				hostConfig *container.HostConfig,
-				networkingConfig *network.NetworkingConfig,
-				platform *specs.Platform,
-				containerName string,
-			) (container.CreateResponse, error) {
-				return container.CreateResponse{}, errors.New("shouldn't try to pull image")
-			},
-		}, test.EnableContentTrust)
-		fakeCLI.SetNotaryClient(tc.notaryFunc)
-		cmd := NewCreateCommand(fakeCLI)
-		cmd.SetOut(io.Discard)
-		cmd.SetErr(io.Discard)
-		cmd.SetArgs(tc.args)
-		err := cmd.Execute()
-		assert.ErrorContains(t, err, tc.expectedError)
+		t.Run(tc.name, func(t *testing.T) {
+			fakeCLI := test.NewFakeCli(&fakeClient{
+				createContainerFunc: func(config *container.Config,
+					hostConfig *container.HostConfig,
+					networkingConfig *network.NetworkingConfig,
+					platform *ocispec.Platform,
+					containerName string,
+				) (container.CreateResponse, error) {
+					return container.CreateResponse{}, errors.New("shouldn't try to pull image")
+				},
+			}, test.EnableContentTrust)
+			fakeCLI.SetNotaryClient(tc.notaryFunc)
+			cmd := NewCreateCommand(fakeCLI)
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.ErrorContains(t, err, tc.expectedError)
+		})
 	}
 }
 
 func TestNewCreateCommandWithWarnings(t *testing.T) {
 	testCases := []struct {
-		name    string
-		args    []string
-		warning bool
+		name     string
+		args     []string
+		warnings []string
+		warning  bool
 	}{
 		{
-			name: "container-create-without-oom-kill-disable",
+			name: "container-create-no-warnings",
 			args: []string{"image:tag"},
 		},
 		{
-			name: "container-create-oom-kill-disable-false",
-			args: []string{"--oom-kill-disable=false", "image:tag"},
+			name:     "container-create-daemon-single-warning",
+			args:     []string{"image:tag"},
+			warnings: []string{"warning from daemon"},
 		},
 		{
-			name:    "container-create-oom-kill-without-memory-limit",
-			args:    []string{"--oom-kill-disable", "image:tag"},
-			warning: true,
-		},
-		{
-			name:    "container-create-oom-kill-true-without-memory-limit",
-			args:    []string{"--oom-kill-disable=true", "image:tag"},
-			warning: true,
-		},
-		{
-			name: "container-create-oom-kill-true-with-memory-limit",
-			args: []string{"--oom-kill-disable=true", "--memory=100M", "image:tag"},
+			name:     "container-create-daemon-multiple-warnings",
+			args:     []string{"image:tag"},
+			warnings: []string{"warning from daemon", "another warning from daemon"},
 		},
 		{
 			name:    "container-create-localhost-dns",
@@ -313,10 +308,10 @@ func TestNewCreateCommandWithWarnings(t *testing.T) {
 				createContainerFunc: func(config *container.Config,
 					hostConfig *container.HostConfig,
 					networkingConfig *network.NetworkingConfig,
-					platform *specs.Platform,
+					platform *ocispec.Platform,
 					containerName string,
 				) (container.CreateResponse, error) {
-					return container.CreateResponse{}, nil
+					return container.CreateResponse{Warnings: tc.warnings}, nil
 				},
 			})
 			cmd := NewCreateCommand(fakeCLI)
@@ -324,7 +319,7 @@ func TestNewCreateCommandWithWarnings(t *testing.T) {
 			cmd.SetArgs(tc.args)
 			err := cmd.Execute()
 			assert.NilError(t, err)
-			if tc.warning {
+			if tc.warning || len(tc.warnings) > 0 {
 				golden.Assert(t, fakeCLI.ErrBuffer().String(), tc.name+".golden")
 			} else {
 				assert.Equal(t, fakeCLI.ErrBuffer().String(), "")
@@ -352,7 +347,7 @@ func TestCreateContainerWithProxyConfig(t *testing.T) {
 		createContainerFunc: func(config *container.Config,
 			hostConfig *container.HostConfig,
 			networkingConfig *network.NetworkingConfig,
-			platform *specs.Platform,
+			platform *ocispec.Platform,
 			containerName string,
 		) (container.CreateResponse, error) {
 			sort.Strings(config.Env)

cli/command/container/errors.go

@@ -0,0 +1,31 @@
+package container
+
+import cerrdefs "github.com/containerd/errdefs"
+
+func invalidParameter(err error) error {
+	if err == nil || cerrdefs.IsInvalidArgument(err) {
+		return err
+	}
+	return invalidParameterErr{err}
+}
+
+type invalidParameterErr struct{ error }
+
+func (invalidParameterErr) InvalidParameter() {}
+func (e invalidParameterErr) Unwrap() error {
+	return e.error
+}
+
+func notFound(err error) error {
+	if err == nil || cerrdefs.IsNotFound(err) {
+		return err
+	}
+	return notFoundErr{err}
+}
+
+type notFoundErr struct{ error }
+
+func (notFoundErr) NotFound() {}
+func (e notFoundErr) Unwrap() error {
+	return e.error
+}

cli/command/container/exec.go

@@ -53,7 +53,7 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 			return RunExec(cmd.Context(), dockerCli, containerIDorName, options)
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
-			return ctr.State != "paused"
+			return ctr.State != container.StatePaused
 		}),
 		Annotations: map[string]string{
 			"category-top": "2",
@@ -99,7 +99,7 @@ func RunExec(ctx context.Context, dockerCLI command.Cli, containerIDorName strin
 	if _, err := apiClient.ContainerInspect(ctx, containerIDorName); err != nil {
 		return err
 	}
-	if !execOptions.Detach {
+	if !options.Detach {
 		if err := dockerCLI.In().CheckTty(execOptions.AttachStdin, execOptions.Tty); err != nil {
 			return err
 		}
@@ -117,9 +117,9 @@ func RunExec(ctx context.Context, dockerCLI command.Cli, containerIDorName strin
 		return errors.New("exec ID empty")
 	}
 
-	if execOptions.Detach {
+	if options.Detach {
 		return apiClient.ContainerExecStart(ctx, execID, container.ExecStartOptions{
-			Detach:      execOptions.Detach,
+			Detach:      options.Detach,
 			Tty:         execOptions.Tty,
 			ConsoleSize: execOptions.ConsoleSize,
 		})
@@ -223,13 +223,12 @@ func parseExec(execOpts ExecOptions, configFile *configfile.ConfigFile) (*contai
 		Privileged: execOpts.Privileged,
 		Tty:        execOpts.TTY,
 		Cmd:        execOpts.Command,
-		Detach:     execOpts.Detach,
 		WorkingDir: execOpts.Workdir,
 	}
 
 	// collect all the environment variables for the container
 	var err error
-	if execOptions.Env, err = opts.ReadKVEnvStrings(execOpts.EnvFile.GetAll(), execOpts.Env.GetAll()); err != nil {
+	if execOptions.Env, err = opts.ReadKVEnvStrings(execOpts.EnvFile.GetSlice(), execOpts.Env.GetSlice()); err != nil {
 		return nil, err
 	}
 

cli/command/container/exec_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"os"
+	"strconv"
 	"testing"
 
 	"github.com/docker/cli/cli"
@@ -75,8 +76,7 @@ TWO=2
 		{
 			options: withDefaultOpts(ExecOptions{Detach: true}),
 			expected: container.ExecOptions{
-				Detach: true,
-				Cmd:    []string{"command"},
+				Cmd: []string{"command"},
 			},
 		},
 		{
@@ -86,9 +86,8 @@ TWO=2
 				Detach:      true,
 			}),
 			expected: container.ExecOptions{
-				Detach: true,
-				Tty:    true,
-				Cmd:    []string{"command"},
+				Tty: true,
+				Cmd: []string{"command"},
 			},
 		},
 		{
@@ -97,7 +96,6 @@ TWO=2
 			expected: container.ExecOptions{
 				Cmd:        []string{"command"},
 				DetachKeys: "de",
-				Detach:     true,
 			},
 		},
 		{
@@ -109,7 +107,6 @@ TWO=2
 			expected: container.ExecOptions{
 				Cmd:        []string{"command"},
 				DetachKeys: "ab",
-				Detach:     true,
 			},
 		},
 		{
@@ -141,10 +138,12 @@ TWO=2
 		},
 	}
 
-	for _, testcase := range testcases {
-		execConfig, err := parseExec(testcase.options, &testcase.configFile)
-		assert.NilError(t, err)
-		assert.Check(t, is.DeepEqual(testcase.expected, *execConfig))
+	for i, testcase := range testcases {
+		t.Run("test "+strconv.Itoa(i+1), func(t *testing.T) {
+			execConfig, err := parseExec(testcase.options, &testcase.configFile)
+			assert.NilError(t, err)
+			assert.Check(t, is.DeepEqual(testcase.expected, *execConfig))
+		})
 	}
 }
 

cli/command/container/export.go

@@ -7,6 +7,7 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/moby/sys/atomicwriter"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
@@ -41,27 +42,28 @@ func NewExportCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runExport(ctx context.Context, dockerCli command.Cli, opts exportOptions) error {
-	if opts.output == "" && dockerCli.Out().IsTerminal() {
-		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+func runExport(ctx context.Context, dockerCLI command.Cli, opts exportOptions) error {
+	var output io.Writer
+	if opts.output == "" {
+		if dockerCLI.Out().IsTerminal() {
+			return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+		}
+		output = dockerCLI.Out()
+	} else {
+		writer, err := atomicwriter.New(opts.output, 0o600)
+		if err != nil {
+			return errors.Wrap(err, "failed to export container")
+		}
+		defer writer.Close()
+		output = writer
 	}
 
-	if err := command.ValidateOutputPath(opts.output); err != nil {
-		return errors.Wrap(err, "failed to export container")
-	}
-
-	clnt := dockerCli.Client()
-
-	responseBody, err := clnt.ContainerExport(ctx, opts.container)
+	responseBody, err := dockerCLI.Client().ContainerExport(ctx, opts.container)
 	if err != nil {
 		return err
 	}
 	defer responseBody.Close()
 
-	if opts.output == "" {
-		_, err := io.Copy(dockerCli.Out(), responseBody)
-		return err
-	}
-
-	return command.CopyToFile(opts.output, responseBody)
+	_, err = io.Copy(output, responseBody)
+	return err
 }

cli/command/container/export_test.go

@@ -42,8 +42,6 @@ func TestContainerExportOutputToIrregularFile(t *testing.T) {
 	cmd.SetErr(io.Discard)
 	cmd.SetArgs([]string{"-o", "/dev/random", "container"})
 
-	err := cmd.Execute()
-	assert.Assert(t, err != nil)
-	expected := `"/dev/random" must be a directory or a regular file`
-	assert.ErrorContains(t, err, expected)
+	const expected = `failed to export container: cannot write to a character device file`
+	assert.Error(t, cmd.Execute(), expected)
 }

cli/command/container/formatter_stats_test.go

@@ -148,7 +148,7 @@ container2  --  --
 `,
 		},
 	}
-	stats := []StatsEntry{
+	entries := []StatsEntry{
 		{
 			Container:        "container1",
 			CPUPercentage:    20,
@@ -181,7 +181,7 @@ container2  --  --
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			var out bytes.Buffer
 			tc.context.Output = &out
-			err := statsFormatWrite(tc.context, stats, "windows", false)
+			err := statsFormatWrite(tc.context, entries, "windows", false)
 			if err != nil {
 				assert.Error(t, err, tc.expected)
 			} else {
@@ -273,45 +273,46 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 }
 
 func TestContainerStatsContextWriteTrunc(t *testing.T) {
-	var out bytes.Buffer
-
-	contexts := []struct {
+	tests := []struct {
+		doc      string
 		context  formatter.Context
 		trunc    bool
 		expected string
 	}{
 		{
-			formatter.Context{
+			doc: "non-truncated",
+			context: formatter.Context{
 				Format: "{{.ID}}",
-				Output: &out,
 			},
-			false,
-			"b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
+			expected: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
 		},
 		{
-			formatter.Context{
+			doc: "truncated",
+			context: formatter.Context{
 				Format: "{{.ID}}",
-				Output: &out,
 			},
-			true,
-			"b95a83497c91\n",
+			trunc:    true,
+			expected: "b95a83497c91\n",
 		},
 	}
 
-	for _, context := range contexts {
-		statsFormatWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
-		assert.Check(t, is.Equal(context.expected, out.String()))
-		// Clean buffer
-		out.Reset()
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			var out bytes.Buffer
+			tc.context.Output = &out
+			err := statsFormatWrite(tc.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", tc.trunc)
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(tc.expected, out.String()))
+		})
 	}
 }
 
 func BenchmarkStatsFormat(b *testing.B) {
 	b.ReportAllocs()
-	stats := genStats()
+	entries := genStats()
 
 	for i := 0; i < b.N; i++ {
-		for _, s := range stats {
+		for _, s := range entries {
 			_ = s.CPUPerc()
 			_ = s.MemUsage()
 			_ = s.MemPerc()
@@ -334,9 +335,9 @@ func genStats() []statsContext {
 		NetworkTx:        987.654321,
 		PidsCurrent:      123456789,
 	}}
-	stats := make([]statsContext, 100)
-	for i := 0; i < 100; i++ {
-		stats = append(stats, entry)
+	entries := make([]statsContext, 0, 100)
+	for range 100 {
+		entries = append(entries, entry)
 	}
-	return stats
+	return entries
 }

cli/command/container/hijack.go

@@ -84,12 +84,9 @@ func (h *hijackedIOStreamer) setupInput() (restore func(), err error) {
 
 	// Use sync.Once so we may call restore multiple times but ensure we
 	// only restore the terminal once.
-	var restoreOnce sync.Once
-	restore = func() {
-		restoreOnce.Do(func() {
-			_ = restoreTerminal(h.streams, h.inputStream)
-		})
-	}
+	restore = sync.OnceFunc(func() {
+		_ = restoreTerminal(h.streams, h.inputStream)
+	})
 
 	// Wrap the input to detect detach escape sequence.
 	// Use default escape keys if an invalid sequence is given.

cli/command/container/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package container
 

cli/command/container/opts.go

@@ -8,19 +8,17 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/internal/lazyregexp"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/container"
 	mounttypes "github.com/docker/docker/api/types/mount"
 	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
-	"github.com/docker/docker/errdefs"
 	"github.com/docker/go-connections/nat"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
@@ -41,7 +39,7 @@ const (
 	seccompProfileUnconfined = "unconfined"
 )
 
-var deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
+var deviceCgroupRuleRegexp = lazyregexp.New(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
 
 // containerOptions is a data object with all the options for creating a container
 type containerOptions struct {
@@ -377,7 +375,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 
 			if parsed.Type == string(mounttypes.TypeBind) {
 				if hostPart, targetPath, ok := strings.Cut(bind, ":"); ok {
-					if strings.HasPrefix(hostPart, "."+string(filepath.Separator)) || hostPart == "." {
+					if !filepath.IsAbs(hostPart) && strings.HasPrefix(hostPart, ".") {
 						if absHostPart, err := filepath.Abs(hostPart); err == nil {
 							hostPart = absHostPart
 						}
@@ -397,7 +395,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 
 	// Can't evaluate options passed into --tmpfs until we actually mount
 	tmpfs := make(map[string]string)
-	for _, t := range copts.tmpfs.GetAll() {
+	for _, t := range copts.tmpfs.GetSlice() {
 		k, v, _ := strings.Cut(t, ":")
 		tmpfs[k] = v
 	}
@@ -418,7 +416,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		entrypoint = []string{""}
 	}
 
-	publishOpts := copts.publish.GetAll()
+	publishOpts := copts.publish.GetSlice()
 	var (
 		ports         map[nat.Port]struct{}
 		portBindings  map[nat.Port][]nat.PortBinding
@@ -436,7 +434,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	}
 
 	// Merge in exposed ports to the map of published ports
-	for _, e := range copts.expose.GetAll() {
+	for _, e := range copts.expose.GetSlice() {
 		if strings.Contains(e, ":") {
 			return nil, errors.Errorf("invalid port format for --expose: %s", e)
 		}
@@ -466,7 +464,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	// what operating system it is.
 	deviceMappings := []container.DeviceMapping{}
 	var cdiDeviceNames []string
-	for _, device := range copts.devices.GetAll() {
+	for _, device := range copts.devices.GetSlice() {
 		var (
 			validated     string
 			deviceMapping container.DeviceMapping
@@ -488,13 +486,13 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	}
 
 	// collect all the environment variables for the container
-	envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetAll(), copts.env.GetAll())
+	envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetSlice(), copts.env.GetSlice())
 	if err != nil {
 		return nil, err
 	}
 
 	// collect all the labels for the container
-	labels, err := opts.ReadKVStrings(copts.labelsFile.GetAll(), copts.labels.GetAll())
+	labels, err := opts.ReadKVStrings(copts.labelsFile.GetSlice(), copts.labels.GetSlice())
 	if err != nil {
 		return nil, err
 	}
@@ -524,19 +522,19 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		return nil, err
 	}
 
-	loggingOpts, err := parseLoggingOpts(copts.loggingDriver, copts.loggingOpts.GetAll())
+	loggingOpts, err := parseLoggingOpts(copts.loggingDriver, copts.loggingOpts.GetSlice())
 	if err != nil {
 		return nil, err
 	}
 
-	securityOpts, err := parseSecurityOpts(copts.securityOpt.GetAll())
+	securityOpts, err := parseSecurityOpts(copts.securityOpt.GetSlice())
 	if err != nil {
 		return nil, err
 	}
 
 	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)
 
-	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
+	storageOpts, err := parseStorageOpts(copts.storageOpt.GetSlice())
 	if err != nil {
 		return nil, err
 	}
@@ -622,7 +620,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		IOMaximumIOps:        copts.ioMaxIOps,
 		IOMaximumBandwidth:   uint64(copts.ioMaxBandwidth),
 		Ulimits:              copts.ulimits.GetList(),
-		DeviceCgroupRules:    copts.deviceCgroupRules.GetAll(),
+		DeviceCgroupRules:    copts.deviceCgroupRules.GetSlice(),
 		Devices:              deviceMappings,
 		DeviceRequests:       deviceRequests,
 	}
@@ -659,7 +657,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		AutoRemove:      copts.autoRemove,
 		Privileged:      copts.privileged,
 		PortBindings:    portBindings,
-		Links:           copts.links.GetAll(),
+		Links:           copts.links.GetSlice(),
 		PublishAllPorts: copts.publishAll,
 		// Make sure the dns fields are never nil.
 		// New containers don't ever have those fields nil,
@@ -669,17 +667,17 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		DNS:            copts.dns.GetAllOrEmpty(),
 		DNSSearch:      copts.dnsSearch.GetAllOrEmpty(),
 		DNSOptions:     copts.dnsOptions.GetAllOrEmpty(),
-		ExtraHosts:     copts.extraHosts.GetAll(),
-		VolumesFrom:    copts.volumesFrom.GetAll(),
+		ExtraHosts:     copts.extraHosts.GetSlice(),
+		VolumesFrom:    copts.volumesFrom.GetSlice(),
 		IpcMode:        container.IpcMode(copts.ipcMode),
 		NetworkMode:    container.NetworkMode(copts.netMode.NetworkMode()),
 		PidMode:        pidMode,
 		UTSMode:        utsMode,
 		UsernsMode:     usernsMode,
 		CgroupnsMode:   cgroupnsMode,
-		CapAdd:         strslice.StrSlice(copts.capAdd.GetAll()),
-		CapDrop:        strslice.StrSlice(copts.capDrop.GetAll()),
-		GroupAdd:       copts.groupAdd.GetAll(),
+		CapAdd:         strslice.StrSlice(copts.capAdd.GetSlice()),
+		CapDrop:        strslice.StrSlice(copts.capDrop.GetSlice()),
+		GroupAdd:       copts.groupAdd.GetSlice(),
 		RestartPolicy:  restartPolicy,
 		SecurityOpt:    securityOpts,
 		StorageOpt:     storageOpts,
@@ -782,7 +780,7 @@ func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.Endpoin
 			return nil, err
 		}
 		if _, ok := endpoints[n.Target]; ok {
-			return nil, errdefs.InvalidParameter(errors.Errorf("network %q is specified multiple times", n.Target))
+			return nil, invalidParameter(errors.Errorf("network %q is specified multiple times", n.Target))
 		}
 
 		// For backward compatibility: if no custom options are provided for the network,
@@ -796,7 +794,7 @@ func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.Endpoin
 		endpoints[n.Target] = ep
 	}
 	if hasUserDefined && hasNonUserDefined {
-		return nil, errdefs.InvalidParameter(errors.New("conflicting options: cannot attach both user-defined and non-user-defined network-modes"))
+		return nil, invalidParameter(errors.New("conflicting options: cannot attach both user-defined and non-user-defined network-modes"))
 	}
 	return endpoints, nil
 }
@@ -804,32 +802,32 @@ func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.Endpoin
 func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOptions) error { //nolint:gocyclo
 	// TODO should we error if _any_ advanced option is used? (i.e. forbid to combine advanced notation with the "old" flags (`--network-alias`, `--link`, `--ip`, `--ip6`)?
 	if len(n.Aliases) > 0 && copts.aliases.Len() > 0 {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --network-alias and per-network alias"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --network-alias and per-network alias"))
 	}
 	if len(n.Links) > 0 && copts.links.Len() > 0 {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --link and per-network links"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --link and per-network links"))
 	}
 	if n.IPv4Address != "" && copts.ipv4Address != "" {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --ip and per-network IPv4 address"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --ip and per-network IPv4 address"))
 	}
 	if n.IPv6Address != "" && copts.ipv6Address != "" {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --ip6 and per-network IPv6 address"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --ip6 and per-network IPv6 address"))
 	}
 	if n.MacAddress != "" && copts.macAddress != "" {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --mac-address and per-network MAC address"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --mac-address and per-network MAC address"))
 	}
 	if len(n.LinkLocalIPs) > 0 && copts.linkLocalIPs.Len() > 0 {
-		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --link-local-ip and per-network link-local IP addresses"))
+		return invalidParameter(errors.New("conflicting options: cannot specify both --link-local-ip and per-network link-local IP addresses"))
 	}
 	if copts.aliases.Len() > 0 {
 		n.Aliases = make([]string, copts.aliases.Len())
-		copy(n.Aliases, copts.aliases.GetAll())
+		copy(n.Aliases, copts.aliases.GetSlice())
 	}
 	// For a user-defined network, "--link" is an endpoint option, it creates an alias. But,
 	// for the default bridge it defines a legacy-link.
 	if container.NetworkMode(n.Target).IsUserDefined() && copts.links.Len() > 0 {
 		n.Links = make([]string, copts.links.Len())
-		copy(n.Links, copts.links.GetAll())
+		copy(n.Links, copts.links.GetSlice())
 	}
 	if copts.ipv4Address != "" {
 		n.IPv4Address = copts.ipv4Address
@@ -842,7 +840,7 @@ func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOption
 	}
 	if copts.linkLocalIPs.Len() > 0 {
 		n.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
-		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetAll())
+		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetSlice())
 	}
 	return nil
 }
@@ -1135,12 +1133,3 @@ func validateAttach(val string) (string, error) {
 	}
 	return val, errors.Errorf("valid streams are STDIN, STDOUT and STDERR")
 }
-
-func validateAPIVersion(c *containerConfig, serverAPIVersion string) error {
-	for _, m := range c.HostConfig.Mounts {
-		if err := command.ValidateMountWithAPIVersion(m, serverAPIVersion); err != nil {
-			return err
-		}
-	}
-	return nil
-}

cli/command/container/pause.go

@@ -32,7 +32,7 @@ func NewPauseCommand(dockerCli command.Cli) *cobra.Command {
 			"aliases": "docker container pause, docker pause",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
-			return ctr.State != "paused"
+			return ctr.State != container.StatePaused
 		}),
 	}
 }

cli/command/container/port.go

@@ -68,7 +68,7 @@ func runPort(ctx context.Context, dockerCli command.Cli, opts *portOptions) erro
 			return errors.Wrapf(err, "Error: invalid port (%s)", port)
 		}
 		frontends, exists := c.NetworkSettings.Ports[nat.Port(port+"/"+proto)]
-		if !exists || frontends == nil {
+		if !exists || len(frontends) == 0 {
 			return errors.Errorf("Error: No public port '%s' published for %s", opts.port, opts.container)
 		}
 		for _, frontend := range frontends {

cli/command/container/port_test.go

@@ -65,7 +65,7 @@ func TestNewPortCommandOutput(t *testing.T) {
 					}
 					return ci, nil
 				},
-			}, test.EnableContentTrust)
+			})
 			cmd := NewPortCommand(cli)
 			cmd.SetErr(io.Discard)
 			cmd.SetArgs([]string{"some_container", tc.port})

cli/command/container/prune.go

@@ -7,8 +7,8 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/internal/prompt"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -56,12 +56,12 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
 
 	if !options.force {
-		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		r, err := prompt.Confirm(ctx, dockerCli.In(), dockerCli.Out(), warning)
 		if err != nil {
 			return 0, "", err
 		}
 		if !r {
-			return 0, "", errdefs.Cancelled(errors.New("container prune has been cancelled"))
+			return 0, "", cancelledErr{errors.New("container prune has been cancelled")}
 		}
 	}
 
@@ -81,6 +81,10 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	return spaceReclaimed, output, nil
 }
 
+type cancelledErr struct{ error }
+
+func (cancelledErr) Cancelled() {}
+
 // RunPrune calls the Container Prune API
 // This returns the amount of space reclaimed and a detailed output string
 func RunPrune(ctx context.Context, dockerCli command.Cli, _ bool, filter opts.FilterOpt) (uint64, string, error) {

cli/command/container/restart_test.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -66,7 +65,7 @@ func TestRestart(t *testing.T) {
 				containerRestartFunc: func(ctx context.Context, containerID string, options container.StopOptions) error {
 					assert.Check(t, is.DeepEqual(options, tc.expectedOpts))
 					if containerID == "nosuchcontainer" {
-						return errdefs.NotFound(errors.New("Error: no such container: " + containerID))
+						return notFound(errors.New("Error: no such container: " + containerID))
 					}
 
 					// TODO(thaJeztah): consider using parallelOperation for restart, similar to "stop" and "remove"

cli/command/container/rm.go

@@ -6,11 +6,11 @@ import (
 	"fmt"
 	"strings"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
 	"github.com/spf13/cobra"
 )
 
@@ -27,10 +27,9 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 	var opts rmOptions
 
 	cmd := &cobra.Command{
-		Use:     "rm [OPTIONS] CONTAINER [CONTAINER...]",
-		Aliases: []string{"remove"},
-		Short:   "Remove one or more containers",
-		Args:    cli.RequiresMinArgs(1),
+		Use:   "rm [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Remove one or more containers",
+		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.containers = args
 			return runRm(cmd.Context(), dockerCli, &opts)
@@ -39,7 +38,7 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 			"aliases": "docker container rm, docker container remove, docker rm",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCli, true, func(ctr container.Summary) bool {
-			return opts.force || ctr.State == "exited" || ctr.State == "created"
+			return opts.force || ctr.State == container.StateExited || ctr.State == container.StateCreated
 		}),
 	}
 
@@ -50,6 +49,15 @@ func NewRmCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
+// newRemoveCommand adds subcommands for "docker container"; unlike the
+// top-level "docker rm", it also adds a "remove" alias to support
+// "docker container remove" in addition to "docker container rm".
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := *NewRmCommand(dockerCli)
+	cmd.Aliases = []string{"rm", "remove"}
+	return &cmd
+}
+
 func runRm(ctx context.Context, dockerCLI command.Cli, opts *rmOptions) error {
 	apiClient := dockerCLI.Client()
 	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, ctrID string) error {
@@ -67,7 +75,7 @@ func runRm(ctx context.Context, dockerCLI command.Cli, opts *rmOptions) error {
 	var errs []error
 	for _, name := range opts.containers {
 		if err := <-errChan; err != nil {
-			if opts.force && errdefs.IsNotFound(err) {
+			if opts.force && cerrdefs.IsNotFound(err) {
 				_, _ = fmt.Fprintln(dockerCLI.Err(), err)
 				continue
 			}

cli/command/container/rm_test.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
 	"gotest.tools/v3/assert"
 )
 
@@ -36,7 +35,7 @@ func TestRemoveForce(t *testing.T) {
 					mutex.Unlock()
 
 					if container == "nosuchcontainer" {
-						return errdefs.NotFound(errors.New("Error: no such container: " + container))
+						return notFound(errors.New("Error: no such container: " + container))
 					}
 					return nil
 				},

cli/command/container/run.go

@@ -60,6 +60,7 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.detachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
 	flags.StringVar(&options.pull, "pull", PullImageMissing, `Pull image before running ("`+PullImageAlways+`", "`+PullImageMissing+`", "`+PullImageNever+`")`)
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the pull output")
+	flags.BoolVarP(&options.createOptions.useAPISocket, "use-api-socket", "", false, "Bind mount Docker API socket and required auth")
 
 	// Add an explicit help that doesn't have a `-h` to prevent the conflict
 	// with hostname
@@ -89,7 +90,7 @@ func runRun(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, ro
 			StatusCode: 125,
 		}
 	}
-	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetSlice()))
 	newEnv := []string{}
 	for k, v := range proxyConfig {
 		if v == nil {
@@ -107,12 +108,6 @@ func runRun(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, ro
 			StatusCode: 125,
 		}
 	}
-	if err = validateAPIVersion(containerCfg, dockerCli.CurrentVersion()); err != nil {
-		return cli.StatusError{
-			Status:     withHelp(err, "run").Error(),
-			StatusCode: 125,
-		}
-	}
 	return runContainer(ctx, dockerCli, ropts, copts, containerCfg)
 }
 
@@ -244,10 +239,16 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 			return cli.StatusError{StatusCode: status}
 		}
 	case status := <-statusChan:
-		// notify hijackedIOStreamer that we're exiting and wait
-		// so that the terminal can be restored.
-		cancelFun()
-		<-errCh
+		// If container exits, output stream processing may not be finished yet,
+		// we need to keep the streamer running until all output is read.
+		// However, if stdout or stderr is not attached, we can just exit.
+		if !config.AttachStdout && !config.AttachStderr {
+			// Notify hijackedIOStreamer that we're exiting and wait
+			// so that the terminal can be restored.
+			cancelFun()
+		}
+		<-errCh // Drain channel but don't care about result
+
 		if status != 0 {
 			return cli.StatusError{StatusCode: status}
 		}

cli/command/container/run_test.go

@@ -21,7 +21,7 @@ import (
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/pkg/jsonmessage"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -57,7 +57,7 @@ func TestRunValidateFlags(t *testing.T) {
 
 func TestRunLabel(t *testing.T) {
 	fakeCLI := test.NewFakeCli(&fakeClient{
-		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *specs.Platform, _ string) (container.CreateResponse, error) {
+		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *ocispec.Platform, _ string) (container.CreateResponse, error) {
 			return container.CreateResponse{
 				ID: "id",
 			}, nil
@@ -80,7 +80,7 @@ func TestRunAttach(t *testing.T) {
 	var conn net.Conn
 	attachCh := make(chan struct{})
 	fakeCLI := test.NewFakeCli(&fakeClient{
-		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *specs.Platform, _ string) (container.CreateResponse, error) {
+		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *ocispec.Platform, _ string) (container.CreateResponse, error) {
 			return container.CreateResponse{
 				ID: "id",
 			}, nil
@@ -151,13 +151,15 @@ func TestRunAttachTermination(t *testing.T) {
 	killCh := make(chan struct{})
 	attachCh := make(chan struct{})
 	fakeCLI := test.NewFakeCli(&fakeClient{
-		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *specs.Platform, _ string) (container.CreateResponse, error) {
+		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ *ocispec.Platform, _ string) (container.CreateResponse, error) {
 			return container.CreateResponse{
 				ID: "id",
 			}, nil
 		},
-		containerKillFunc: func(ctx context.Context, containerID, signal string) error {
-			killCh <- struct{}{}
+		containerKillFunc: func(ctx context.Context, containerID, sig string) error {
+			if sig == "TERM" {
+				close(killCh)
+			}
 			return nil
 		},
 		containerAttachFunc: func(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error) {
@@ -172,7 +174,7 @@ func TestRunAttachTermination(t *testing.T) {
 		waitFunc: func(_ string) (<-chan container.WaitResponse, <-chan error) {
 			responseChan := make(chan container.WaitResponse, 1)
 			errChan := make(chan error)
-
+			<-killCh
 			responseChan <- container.WaitResponse{
 				StatusCode: 130,
 			}
@@ -201,8 +203,7 @@ func TestRunAttachTermination(t *testing.T) {
 	case <-attachCh:
 	}
 
-	assert.NilError(t, syscall.Kill(syscall.Getpid(), syscall.SIGINT))
-	// end stream from "container" so that we'll detach
+	assert.NilError(t, syscall.Kill(syscall.Getpid(), syscall.SIGTERM))
 	conn.Close()
 
 	select {
@@ -228,7 +229,7 @@ func TestRunPullTermination(t *testing.T) {
 	attachCh := make(chan struct{})
 	fakeCLI := test.NewFakeCli(&fakeClient{
 		createContainerFunc: func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig,
-			platform *specs.Platform, containerName string,
+			platform *ocispec.Platform, containerName string,
 		) (container.CreateResponse, error) {
 			return container.CreateResponse{}, errors.New("shouldn't try to create a container")
 		},
@@ -331,7 +332,7 @@ func TestRunCommandWithContentTrustErrors(t *testing.T) {
 				createContainerFunc: func(config *container.Config,
 					hostConfig *container.HostConfig,
 					networkingConfig *network.NetworkingConfig,
-					platform *specs.Platform,
+					platform *ocispec.Platform,
 					containerName string,
 				) (container.CreateResponse, error) {
 					return container.CreateResponse{}, errors.New("shouldn't try to pull image")

cli/command/container/start.go

@@ -43,7 +43,7 @@ func NewStartCommand(dockerCli command.Cli) *cobra.Command {
 			"aliases": "docker container start, docker start",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCli, true, func(ctr container.Summary) bool {
-			return ctr.State == "exited" || ctr.State == "created"
+			return ctr.State == container.StateExited || ctr.State == container.StateCreated
 		}),
 	}
 

cli/command/container/stop_test.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -66,7 +65,7 @@ func TestStop(t *testing.T) {
 				containerStopFunc: func(ctx context.Context, containerID string, options container.StopOptions) error {
 					assert.Check(t, is.DeepEqual(options, tc.expectedOpts))
 					if containerID == "nosuchcontainer" {
-						return errdefs.NotFound(errors.New("Error: no such container: " + containerID))
+						return notFound(errors.New("Error: no such container: " + containerID))
 					}
 
 					// containerStopFunc is called in parallel for each container

cli/command/container/testdata/container-create-daemon-multiple-warnings.golden

@@ -0,0 +1,2 @@
+WARNING: warning from daemon
+WARNING: another warning from daemon

cli/command/container/testdata/container-create-daemon-single-warning.golden

@@ -0,0 +1 @@
+WARNING: warning from daemon

cli/command/container/testdata/container-create-localhost-dns-ipv6.golden

@@ -1 +1 @@
-WARNING: Localhost DNS setting (--dns=::1) may fail in containers.
+WARNING: Localhost DNS (::1) may fail in containers.

cli/command/container/testdata/container-create-localhost-dns.golden

@@ -1 +1 @@
-WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.
+WARNING: Localhost DNS (127.0.0.11) may fail in containers.

cli/command/container/testdata/container-create-oom-kill-true-without-memory-limit.golden

@@ -1 +0,0 @@
-WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.

cli/command/container/testdata/container-create-oom-kill-without-memory-limit.golden

@@ -1 +0,0 @@
-WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.

cli/command/container/unpause.go

@@ -32,7 +32,7 @@ func NewUnpauseCommand(dockerCli command.Cli) *cobra.Command {
 			"aliases": "docker container unpause, docker unpause",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
-			return ctr.State == "paused"
+			return ctr.State == container.StatePaused
 		}),
 	}
 	return cmd

cli/command/container/utils.go

@@ -75,8 +75,8 @@ func legacyWaitExitOrRemoved(ctx context.Context, apiClient client.APIClient, co
 
 	eventProcessor := func(e events.Message) bool {
 		stopProcessing := false
-		switch e.Status {
-		case "die":
+		switch e.Action { //nolint:exhaustive // TODO(thaJeztah): make exhaustive
+		case events.ActionDie:
 			if v, ok := e.Actor.Attributes["exitCode"]; ok {
 				code, cerr := strconv.Atoi(v)
 				if cerr != nil {
@@ -98,10 +98,10 @@ func legacyWaitExitOrRemoved(ctx context.Context, apiClient client.APIClient, co
 					}
 				}()
 			}
-		case "detach":
+		case events.ActionDetach:
 			exitCode = 0
 			stopProcessing = true
-		case "destroy":
+		case events.ActionDestroy:
 			stopProcessing = true
 		}
 		return stopProcessing

cli/command/context.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 

cli/command/context/completion.go

@@ -0,0 +1,46 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package context
+
+import (
+	"slices"
+
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+)
+
+type contextProvider interface {
+	ContextStore() store.Store
+	CurrentContext() string
+}
+
+// completeContextNames implements shell completion for context-names.
+//
+// FIXME(thaJeztah): export, and remove duplicate of this function in cmd/docker.
+func completeContextNames(dockerCLI contextProvider, limit int, withFileComp bool) func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+	return func(_ *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		if limit > 0 && len(args) >= limit {
+			if withFileComp {
+				// Provide file/path completion after context name (for "docker context export")
+				return nil, cobra.ShellCompDirectiveDefault
+			}
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		}
+
+		// TODO(thaJeztah): implement function similar to [store.Names] to (also) include descriptions.
+		names, _ := store.Names(dockerCLI.ContextStore())
+		out := make([]string, 0, len(names))
+		for _, name := range names {
+			if slices.Contains(args, name) {
+				// Already completed
+				continue
+			}
+			if name == dockerCLI.CurrentContext() {
+				name += "\tcurrent"
+			}
+			out = append(out, name)
+		}
+		return out, cobra.ShellCompDirectiveNoFileComp
+	}
+}

cli/command/context/completion_test.go

@@ -0,0 +1,80 @@
+package context
+
+import (
+	"testing"
+
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+type fakeContextProvider struct {
+	contextStore store.Store
+}
+
+func (c *fakeContextProvider) ContextStore() store.Store {
+	return c.contextStore
+}
+
+func (*fakeContextProvider) CurrentContext() string {
+	return "default"
+}
+
+type fakeContextStore struct {
+	store.Store
+	names []string
+}
+
+func (f fakeContextStore) List() (c []store.Metadata, _ error) {
+	for _, name := range f.names {
+		c = append(c, store.Metadata{Name: name})
+	}
+	return c, nil
+}
+
+func TestCompleteContextNames(t *testing.T) {
+	allNames := []string{"context-b", "context-c", "context-a"}
+	cli := &fakeContextProvider{
+		contextStore: fakeContextStore{
+			names: allNames,
+		},
+	}
+
+	t.Run("with limit", func(t *testing.T) {
+		compFunc := completeContextNames(cli, 1, false)
+		values, directives := compFunc(nil, nil, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+		assert.Check(t, is.DeepEqual(values, allNames))
+
+		values, directives = compFunc(nil, []string{"context-c"}, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+		assert.Check(t, is.Len(values, 0))
+	})
+
+	t.Run("with limit and file completion", func(t *testing.T) {
+		compFunc := completeContextNames(cli, 1, true)
+		values, directives := compFunc(nil, nil, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+		assert.Check(t, is.DeepEqual(values, allNames))
+
+		values, directives = compFunc(nil, []string{"context-c"}, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveDefault), "should provide filenames completion after limit")
+		assert.Check(t, is.Len(values, 0))
+	})
+
+	t.Run("without limits", func(t *testing.T) {
+		compFunc := completeContextNames(cli, -1, false)
+		values, directives := compFunc(nil, []string{"context-c"}, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+		assert.Check(t, is.DeepEqual(values, []string{"context-b", "context-a"}), "should not contain already completed")
+
+		values, directives = compFunc(nil, []string{"context-c", "context-a"}, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
+		assert.Check(t, is.DeepEqual(values, []string{"context-b"}), "should not contain already completed")
+
+		values, directives = compFunc(nil, []string{"context-c", "context-a", "context-b"}, "")
+		assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp), "should provide filenames completion after limit")
+		assert.Check(t, is.Len(values, 0))
+	})
+}

cli/command/context/create.go

@@ -1,20 +1,20 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package context
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/formatter/tabwriter"
 	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
-	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -91,7 +91,7 @@ func createNewContext(contextStore store.ReaderWriter, o *CreateOptions) error {
 	}
 	dockerEP, dockerTLS, err := getDockerEndpointMetadataAndTLS(contextStore, o.Docker)
 	if err != nil {
-		return errors.Wrap(err, "unable to create docker endpoint config")
+		return fmt.Errorf("unable to create docker endpoint config: %w", err)
 	}
 	contextMetadata := store.Metadata{
 		Endpoints: map[string]any{
@@ -122,11 +122,11 @@ func checkContextNameForCreation(s store.Reader, name string) error {
 	if err := store.ValidateContextName(name); err != nil {
 		return err
 	}
-	if _, err := s.GetMetadata(name); !errdefs.IsNotFound(err) {
+	if _, err := s.GetMetadata(name); !cerrdefs.IsNotFound(err) {
 		if err != nil {
-			return errors.Wrap(err, "error while getting existing contexts")
+			return fmt.Errorf("error while getting existing contexts: %w", err)
 		}
-		return errors.Errorf("context %q already exists", name)
+		return fmt.Errorf("context %q already exists", name)
 	}
 	return nil
 }

cli/command/context/create_test.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package context
 
@@ -59,42 +59,87 @@ func TestCreate(t *testing.T) {
 	cli := makeFakeCli(t)
 	assert.NilError(t, cli.ContextStore().CreateOrUpdate(store.Metadata{Name: "existing-context"}))
 	tests := []struct {
+		doc         string
 		options     CreateOptions
 		expecterErr string
 	}{
 		{
+			doc:         "empty name",
 			expecterErr: `context name cannot be empty`,
 		},
 		{
+			doc: "reserved name",
 			options: CreateOptions{
 				Name: "default",
 			},
 			expecterErr: `"default" is a reserved context name`,
 		},
 		{
+			doc: "whitespace-only name",
 			options: CreateOptions{
 				Name: " ",
 			},
 			expecterErr: `context name " " is invalid`,
 		},
 		{
+			doc: "existing context",
 			options: CreateOptions{
 				Name: "existing-context",
 			},
 			expecterErr: `context "existing-context" already exists`,
 		},
 		{
+			doc: "invalid docker host",
 			options: CreateOptions{
 				Name: "invalid-docker-host",
 				Docker: map[string]string{
-					keyHost: "some///invalid/host",
+					"host": "some///invalid/host",
 				},
 			},
 			expecterErr: `unable to parse docker host`,
 		},
+		{
+			doc: "ssh host with skip-tls-verify=false",
+			options: CreateOptions{
+				Name: "skip-tls-verify-false",
+				Docker: map[string]string{
+					"host": "ssh://example.com,skip-tls-verify=false",
+				},
+			},
+		},
+		{
+			doc: "ssh host with skip-tls-verify=true",
+			options: CreateOptions{
+				Name: "skip-tls-verify-true",
+				Docker: map[string]string{
+					"host": "ssh://example.com,skip-tls-verify=true",
+				},
+			},
+		},
+		{
+			doc: "ssh host with skip-tls-verify=INVALID",
+			options: CreateOptions{
+				Name: "skip-tls-verify-invalid",
+				Docker: map[string]string{
+					"host":            "ssh://example.com",
+					"skip-tls-verify": "INVALID",
+				},
+			},
+			expecterErr: `unable to create docker endpoint config: skip-tls-verify: parsing "INVALID": invalid syntax`,
+		},
+		{
+			doc: "unknown option",
+			options: CreateOptions{
+				Name: "unknown-option",
+				Docker: map[string]string{
+					"UNKNOWN": "value",
+				},
+			},
+			expecterErr: `unable to create docker endpoint config: unrecognized config key: UNKNOWN`,
+		},
 	}
 	for _, tc := range tests {
-		t.Run(tc.options.Name, func(t *testing.T) {
+		t.Run(tc.doc, func(t *testing.T) {
 			err := RunCreate(cli, &tc.options)
 			if tc.expecterErr == "" {
 				assert.NilError(t, err)

cli/command/context/export.go

@@ -18,7 +18,7 @@ type ExportOptions struct {
 	Dest        string
 }
 
-func newExportCommand(dockerCli command.Cli) *cobra.Command {
+func newExportCommand(dockerCLI command.Cli) *cobra.Command {
 	return &cobra.Command{
 		Use:   "export [OPTIONS] CONTEXT [FILE|-]",
 		Short: "Export a context to a tar archive FILE or a tar stream on STDOUT.",
@@ -32,8 +32,9 @@ func newExportCommand(dockerCli command.Cli) *cobra.Command {
 			} else {
 				opts.Dest = opts.ContextName + ".dockercontext"
 			}
-			return RunExport(dockerCli, opts)
+			return RunExport(dockerCLI, opts)
 		},
+		ValidArgsFunction: completeContextNames(dockerCLI, 1, true),
 	}
 }
 

cli/command/context/import.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/spf13/cobra"
 )
@@ -19,6 +20,8 @@ func newImportCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return RunImport(dockerCli, args[0], args[1])
 		},
+		// TODO(thaJeztah): this should also include "-"
+		ValidArgsFunction: completion.FileNames,
 	}
 	return cmd
 }

cli/command/context/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package context
 
@@ -19,7 +19,7 @@ type inspectOptions struct {
 }
 
 // newInspectCommand creates a new cobra.Command for `docker context inspect`
-func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+func newInspectCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts inspectOptions
 
 	cmd := &cobra.Command{
@@ -28,13 +28,14 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.refs = args
 			if len(opts.refs) == 0 {
-				if dockerCli.CurrentContext() == "" {
+				if dockerCLI.CurrentContext() == "" {
 					return errors.New("no context specified")
 				}
-				opts.refs = []string{dockerCli.CurrentContext()}
+				opts.refs = []string{dockerCLI.CurrentContext()}
 			}
-			return runInspect(dockerCli, opts)
+			return runInspect(dockerCLI, opts)
 		},
+		ValidArgsFunction: completeContextNames(dockerCLI, -1, false),
 	}
 
 	flags := cmd.Flags()

cli/command/context/list.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package context
 
@@ -69,8 +69,6 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 				Name:    rawMeta.Name,
 				Current: isCurrent,
 				Error:   err.Error(),
-
-				ContextType: getContextType(nil, opts.format),
 			})
 			continue
 		}
@@ -85,8 +83,6 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 			Description:    meta.Description,
 			DockerEndpoint: dockerEndpoint.Host,
 			Error:          errMsg,
-
-			ContextType: getContextType(meta.AdditionalFields, opts.format),
 		}
 		contexts = append(contexts, &desc)
 	}
@@ -103,8 +99,6 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 			Name:    curContext,
 			Current: true,
 			Error:   errMsg,
-
-			ContextType: getContextType(nil, opts.format),
 		})
 	}
 	sort.Slice(contexts, func(i, j int) bool {
@@ -120,30 +114,6 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 	return nil
 }
 
-// getContextType sets the LegacyContextType field for compatibility with
-// Visual Studio, which depends on this field from the "cloud integration"
-// wrapper.
-//
-// https://github.com/docker/compose-cli/blob/c156ce6da4c2b317174d42daf1b019efa87e9f92/api/context/store/contextmetadata.go#L28-L34
-// https://github.com/docker/compose-cli/blob/c156ce6da4c2b317174d42daf1b019efa87e9f92/api/context/store/store.go#L34-L51
-//
-// TODO(thaJeztah): remove this and [ClientContext.ContextType] once Visual Studio is updated to no longer depend on this.
-func getContextType(meta map[string]any, format string) string {
-	if format != formatter.JSONFormat && format != formatter.JSONFormatKey {
-		// We only need the ContextType field when formatting as JSON,
-		// which is the format-string used by Visual Studio to detect the
-		// context-type.
-		return ""
-	}
-	if ct, ok := meta["Type"]; ok {
-		// If the context on-disk has a context-type (ecs, aci), return it.
-		return ct.(string)
-	}
-
-	// Use the default context-type.
-	return "moby"
-}
-
 func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {
 	contextCtx := formatter.Context{
 		Output: dockerCli.Out(),

cli/command/context/options.go

@@ -68,7 +68,14 @@ func parseBool(config map[string]string, name string) (bool, error) {
 		return false, nil
 	}
 	res, err := strconv.ParseBool(strVal)
-	return res, fmt.Errorf("name: %w", err)
+	if err != nil {
+		var nErr *strconv.NumError
+		if errors.As(err, &nErr) {
+			return res, fmt.Errorf("%s: parsing %q: %w", name, nErr.Num, nErr.Err)
+		}
+		return res, fmt.Errorf("%s: %w", name, err)
+	}
+	return res, nil
 }
 
 func validateConfig(config map[string]string, allowedKeys map[string]struct{}) error {

cli/command/context/remove.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/docker/errdefs"
 	"github.com/spf13/cobra"
 )
 
@@ -16,7 +15,7 @@ type RemoveOptions struct {
 	Force bool
 }
 
-func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+func newRemoveCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts RemoveOptions
 	cmd := &cobra.Command{
 		Use:     "rm CONTEXT [CONTEXT...]",
@@ -24,8 +23,9 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "Remove one or more contexts",
 		Args:    cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return RunRemove(dockerCli, opts, args)
+			return RunRemove(dockerCLI, opts, args)
 		},
+		ValidArgsFunction: completeContextNames(dockerCLI, -1, false),
 	}
 	cmd.Flags().BoolVarP(&opts.Force, "force", "f", false, "Force the removal of a context in use")
 	return cmd
@@ -74,9 +74,13 @@ func checkContextExists(dockerCli command.Cli, name string) error {
 	contextDir := dockerCli.ContextStore().GetStorageInfo(name).MetadataPath
 	_, err := os.Stat(contextDir)
 	if os.IsNotExist(err) {
-		return errdefs.NotFound(fmt.Errorf("context %q does not exist", name))
+		return notFoundErr{fmt.Errorf("context %q does not exist", name)}
 	}
 	// Ignore other errors; if relevant, they will produce an error when
 	// performing the actual delete.
 	return nil
 }
+
+type notFoundErr struct{ error }
+
+func (notFoundErr) NotFound() {}