Merge pull request #6667 from thaJeztah/use_format

image ls: allow custom format in cli config

.dockerignore

@@ -1,6 +1,6 @@
 /build/
-/cli/winresources/versioninfo.json
-/cli/winresources/*.syso
+/cmd/docker/winresources/versioninfo.json
+/cmd/docker/winresources/*.syso
 /man/man*/
 /man/vendor/
 /man/go.sum

.github/workflows/build.yml

@@ -35,7 +35,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Create matrix
         id: platforms
@@ -88,7 +88,7 @@ jobs:
           fi
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ env.ARTIFACT_NAME }}
           path: /tmp/out/*
@@ -121,7 +121,8 @@ jobs:
             type=semver,pattern={{version}}
             type=ref,event=branch
             type=ref,event=pr
-            type=sha
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
       -
         name: Build and push image
         uses: docker/bake-action@v6
@@ -142,7 +143,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Create matrix
         id: platforms

.github/workflows/codeql.yml

@@ -46,7 +46,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 2
       # CodeQL 2.16.4's auto-build added support for multi-module repositories,
@@ -61,19 +61,19 @@ jobs:
           ln -s vendor.sum go.sum
       -
         name: Update Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: "1.23.6"
+          go-version: "1.25.4"
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: go
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:go"

.github/workflows/e2e.yml

@@ -25,28 +25,26 @@ on:
   pull_request:
 
 jobs:
-  e2e:
+  tests:
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         target:
-          - non-experimental
-          - experimental
+          - local
           - connhelper-ssh
         base:
           - alpine
           - debian
         engine-version:
-          - 27.0  # latest
-          - 26.1  # latest - 1
-          - 23.0  # mirantis lts
-          # TODO(krissetto) 19.03 needs a look, doesn't work ubuntu 22.04 (cgroup errors). 
-          # we could have a separate job that tests it against ubuntu 20.04
+          - 29-rc  # latest rc
+          - 28  # latest
+          - 27  # latest - 1
+          - 25  # mirantis lts
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Update daemon.json
         run: |

.github/workflows/test.yml

@@ -53,24 +53,25 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - macos-13  # macOS 13 on Intel
-          - macos-14  # macOS 14 on arm64 (Apple Silicon M1)
+          - macos-14        # macOS 14 on arm64 (Apple Silicon M1)
+          - macos-15-intel  # macOS 15 on Intel
+          - macos-15        # macOS 15 on arm64 (Apple Silicon M1)
 #          - windows-2022 # FIXME: some tests are failing on the Windows runner, as well as on Appveyor since June 24, 2018: https://ci.appveyor.com/project/docker/cli/history
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: ${{ env.GOPATH }}/src/github.com/docker/cli
       -
         name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: "1.23.6"
+          go-version: "1.25.4"
       -
         name: Test
         run: |
-          go test -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/')
+          go test -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/|/cmd/docker-trust')
           go tool cover -func=/tmp/coverage.txt
         working-directory: ${{ env.GOPATH }}/src/github.com/docker/cli
         shell: bash

.github/workflows/validate-pr.yml

@@ -11,23 +11,28 @@ permissions:
 
 on:
   pull_request:
-    types: [opened, edited, labeled, unlabeled]
+    types: [opened, edited, labeled, unlabeled, synchronize]
 
 jobs:
-  check-area-label:
-    runs-on: ubuntu-20.04
+  check-labels:
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     steps:
       - name: Missing `area/` label
-        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
         run: |
           echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
           exit 1
+      - name: Missing `kind/` label
+        if: always() && contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'kind/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have a 'kind/*' label"
+          exit 1
       - name: OK
         run: exit 0
 
   check-changelog:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     env:
       HAS_IMPACT_LABEL: ${{ contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') }}
@@ -65,7 +70,7 @@ jobs:
           echo "$desc"
 
   check-pr-branch:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 120 # guardrails timeout for the whole job
     env:
       PR_TITLE: ${{ github.event.pull_request.title }}

.github/workflows/validate.yml

@@ -48,7 +48,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Generate
         shell: 'script --return --quiet --command "bash {0}"'
@@ -74,7 +74,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Run
         shell: 'script --return --quiet --command "bash {0}"'

.gitignore

@@ -8,8 +8,8 @@
 Thumbs.db
 .editorconfig
 /build/
-/cli/winresources/versioninfo.json
-/cli/winresources/*.syso
+/cmd/docker/winresources/versioninfo.json
+/cmd/docker/winresources/*.syso
 profile.out
 
 # top-level go.mod is not meant to be checked in

.golangci.yml

@@ -1,203 +1,236 @@
-linters:
-  enable:
-    - bodyclose
-    - copyloopvar   # Detects places where loop variables are copied.
-    - depguard
-    - dogsled
-    - dupword       # Detects duplicate words.
-    - durationcheck
-    - errchkjson
-    - gocritic      # Metalinter; detects bugs, performance, and styling issues.
-    - gocyclo
-    - gofumpt       # Detects whether code was gofumpt-ed.
-    - goimports
-    - gosec         # Detects security problems.
-    - gosimple
-    - govet
-    - ineffassign
-    - misspell      # Detects commonly misspelled English words in comments.
-    - nakedret      # Detects uses of naked returns.
-    - nilerr        # Detects code that returns nil even if it checks that the error is not nil.
-    - nolintlint    # Detects ill-formed or insufficient nolint directives.
-    - perfsprint    # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
-    - prealloc      # Detects slice declarations that could potentially be pre-allocated.
-    - predeclared   # Detects code that shadows one of Go's predeclared identifiers
-    - reassign
-    - revive        # Metalinter; drop-in replacement for golint.
-    - staticcheck
-    - stylecheck    # Replacement for golint
-    - thelper       # Detects test helpers without t.Helper().
-    - tparallel     # Detects inappropriate usage of t.Parallel().
-    - typecheck
-    - unconvert     # Detects unnecessary type conversions.
-    - unparam
-    - unused
-    - usestdlibvars
-    - usetesting    # Reports uses of functions with replacement inside the testing package.
-    - wastedassign
-
-  disable:
-    - errcheck
+version: "2"
 
 run:
   # prevent golangci-lint from deducting the go version to lint for through go.mod,
   # which causes it to fallback to go1.17 semantics.
   #
   # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
-  go: "1.23.6"
+  go: "1.25.4"
+
   timeout: 5m
 
-linters-settings:
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: "github.com/containerd/containerd/errdefs"
-            desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
-          - pkg: "github.com/containerd/containerd/log"
-            desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
-          - pkg: "github.com/containerd/containerd/pkg/userns"
-            desc: Use github.com/moby/sys/userns instead.
-          - pkg: "github.com/containerd/containerd/platforms"
-            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
-          - pkg: "github.com/docker/docker/pkg/system"
-            desc: This package should not be used unless strictly necessary.
-          - pkg: "io/ioutil"
-            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
-  gocyclo:
-    min-complexity: 16
-  gosec:
-    excludes:
-      - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-      - G113 # G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772); (only affects go < 1.16.14. and go < 1.17.7)
-      - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
-      - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
-      - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
-  govet:
-    enable:
-      - shadow
-    settings:
-      shadow:
-        strict: true
-  lll:
-    line-length: 200
-  nakedret:
-    # Disallow naked returns if func has more lines of code than this setting.
-    # Default: 30
-    max-func-lines: 0
-
-  revive:
-    rules:
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
-      - name: empty-block
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-lines
-      - name: empty-lines
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
-      - name: import-shadowing
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
-      - name: line-length-limit
-        severity: warning
-        disabled: false
-        arguments: [200]
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
-      - name: unused-receiver
-        severity: warning
-        disabled: false
-      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any
-      - name: use-any
-        severity: warning
-        disabled: false
-
-  usetesting:
-    # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    os-chdir: false
-    # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    context-background: false
-    # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
-    context-todo: false
-
 issues:
-  # The default exclusion rules are a bit too permissive, so copying the relevant ones below
-  exclude-use-default: false
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
 
-  # This option has been defined when Go modules was not existed and when the
-  # golangci-lint core was different, this is not something we still recommend.
-  exclude-dirs-use-default: false
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
 
-  exclude:
-    - parameter .* always receives
+formatters:
+  enable:
+    - gofumpt       # Detects whether code was gofumpt-ed.
+    - goimports
 
-  exclude-files:
-    - cli/compose/schema/bindata.go
-    - .*generated.*
+  exclusions:
+    generated: strict
 
-  exclude-rules:
-    # We prefer to use an "exclude-list" so that new "default" exclusions are not
+linters:
+  enable:
+    - asasalint                 # Detects "[]any" used as argument for variadic "func(...any)".
+    - bodyclose
+    - copyloopvar               # Detects places where loop variables are copied.
+    - depguard
+    - dogsled                   # Detects assignments with too many blank identifiers.
+    - dupword                   # Detects duplicate words.
+    - durationcheck             # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
+    - errcheck
+    - errchkjson                # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
+    - exhaustive                # Detects missing options in enum switch statements.
+    - exptostd                  # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
+    - fatcontext                # Detects nested contexts in loops and function literals.
+    - forbidigo
+    - gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
+    - gocritic                  # Metalinter; detects bugs, performance, and styling issues.
+    - gocyclo
+    - gosec                     # Detects security problems.
+    - govet
+    - iface                     # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
+    - importas                  # Enforces consistent import aliases.
+    - ineffassign
+    - makezero                  # Finds slice declarations with non-zero initial length.
+    - mirror                    # Detects wrong mirror patterns of bytes/strings usage.
+    - misspell                  # Detects commonly misspelled English words in comments.
+    - nakedret                  # Detects uses of naked returns.
+    - nilnesserr                # Detects returning nil errors. It combines the features of nilness and nilerr,
+    - nosprintfhostport         # Detects misuse of Sprintf to construct a host with port in a URL.
+    - nolintlint                # Detects ill-formed or insufficient nolint directives.
+    - perfsprint                # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
+    - prealloc                  # Detects slice declarations that could potentially be pre-allocated.
+    - predeclared               # Detects code that shadows one of Go's predeclared identifiers
+    - reassign                  # Detects reassigning a top-level variable in another package.
+    - revive                    # Metalinter; drop-in replacement for golint.
+    - spancheck                 # Detects mistakes with OpenTelemetry/Census spans.
+    - staticcheck
+    - thelper                   # Detects test helpers without t.Helper().
+    - tparallel                 # Detects inappropriate usage of t.Parallel().
+    - unconvert                 # Detects unnecessary type conversions.
+    - unparam
+    - unused
+    - usestdlibvars             # Detects the possibility to use variables/constants from the Go standard library.
+    - usetesting                # Reports uses of functions with replacement inside the testing package.
+    - wastedassign              # Detects wasted assignment statements.
+
+  disable:
+    - errcheck
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/containerd/containerd/errdefs"
+              desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+            - pkg: "github.com/containerd/containerd/log"
+              desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+            - pkg: "github.com/containerd/containerd/pkg/userns"
+              desc: Use github.com/moby/sys/userns instead.
+            - pkg: "github.com/containerd/containerd/platforms"
+              desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
+            - pkg: "github.com/docker/docker/errdefs"
+              desc: Use github.com/containerd/errdefs instead.
+            - pkg: "github.com/docker/docker/pkg/system"
+              desc: This package should not be used unless strictly necessary.
+            - pkg: "github.com/docker/distribution/uuid"
+              desc: Use github.com/google/uuid instead.
+            - pkg: "io/ioutil"
+              desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
+
+    forbidigo:
+      forbid:
+        - pkg: ^regexp$
+          pattern: ^regexp\.MustCompile
+          msg: Use internal/lazyregexp.New instead.
+
+    gocyclo:
+      min-complexity: 16
+
+    gosec:
+      excludes:
+        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
+        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
+        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
+        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+
+    govet:
+      enable:
+        - shadow
+      settings:
+        shadow:
+          strict: true
+
+    lll:
+      line-length: 200
+
+    importas:
+      # Do not allow unaliased imports of aliased packages.
+      no-unaliased: true
+
+      alias:
+          # Should no longer be aliased, because we no longer allow moby/docker errdefs.
+        - pkg: "github.com/docker/docker/errdefs"
+          alias: ""
+        - pkg: github.com/opencontainers/image-spec/specs-go/v1
+          alias: ocispec
+          # Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
+        - pkg: gotest.tools/v3/assert/cmp
+          alias: is
+
+    nakedret:
+      # Disallow naked returns if func has more lines of code than this setting.
+      # Default: 30
+      max-func-lines: 0
+
+    staticcheck:
+      checks:
+        - all
+        - -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
+
+    revive:
+      rules:
+        - name: empty-block       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
+        - name: empty-lines       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-lines
+        - name: import-shadowing  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
+        - name: line-length-limit # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
+          arguments: [200]
+        - name: unused-receiver   # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
+        - name: use-any           # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any
+        - name: use-errors-new    # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md#use-errors-new
+
+    usetesting:
+      os-chdir: false           # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+      context-background: false # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+      context-todo: false       # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
+
+  exclusions:
+    # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
     # automatically inherited. We can decide whether or not to follow upstream
     # defaults when updating golang-ci-lint versions.
     # Unfortunately, this means we have to copy the whole exclusion pattern, as
     # (unlike the "include" option), the "exclude" option does not take exclusion
     # ID's.
     #
-    # These exclusion patterns are copied from the default excluses at:
-    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+    # These exclusion patterns are copied from the default excludes at:
+    # https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
     #
     # The default list of exclusions can be found at:
     # https://golangci-lint.run/usage/false-positives/#default-exclusions
+    generated: strict
 
-    # EXC0001
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
-      linters:
-        - errcheck
-    # EXC0003
-    - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
-      linters:
-        - revive
-    # EXC0006
-    - text: "Use of unsafe calls should be audited"
-      linters:
-        - gosec
-    # EXC0007
-    - text: "Subprocess launch(ed with variable|ing should be audited)"
-      linters:
-        - gosec
-    # EXC0009
-    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
-      linters:
-        - gosec
-    # EXC0010
-    - text: "Potential file inclusion via variable"
-      linters:
-        - gosec
+    rules:
+        # EXC0003
+      - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
+        linters:
+          - revive
 
-    # TODO: make sure all packages have a description. Currently, there's 67 packages without.
-    - text: "package-comments: should have a package comment"
-      linters:
-        - revive
+        # EXC0007
+      - text: "Subprocess launch(ed with variable|ing should be audited)"
+        linters:
+          - gosec
 
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - errcheck
-        - gosec
-    - text: "ST1000: at least one file in a package should have a package comment"
-      linters:
-        - stylecheck
+        # EXC0009
+      - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+        linters:
+          - gosec
 
-    # Allow "err" and "ok" vars to shadow existing declarations, otherwise we get too many false positives.
-    - text: '^shadow: declaration of "(err|ok)" shadows declaration'
-      linters:
-        - govet
+        # EXC0010
+      - text: "Potential file inclusion via variable"
+        linters:
+          - gosec
 
+        # TODO: make sure all packages have a description. Currently, there's 67 packages without.
+      - text: "package-comments: should have a package comment"
+        linters:
+          - revive
 
-  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-issues-per-linter: 0
+        # Exclude some linters from running on tests files.
+      - path: _test\.go
+        linters:
+          - errcheck
+          - gosec
 
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+      - text: "ST1000: at least one file in a package should have a package comment"
+        linters:
+          - staticcheck
+
+        # Allow "err" and "ok" vars to shadow existing declarations, otherwise we get too many false positives.
+      - text: '^shadow: declaration of "(err|ok)" shadows declaration'
+        linters:
+          - govet
+
+      # Ignore for cli/command/formatter/tabwriter, which is forked from go stdlib, so we want to align with it.
+      - text: '^(ST1020|ST1022): comment on exported'
+        path: "cli/command/formatter/tabwriter"
+        linters:
+          - staticcheck
+
+      # Ignore deprecation linting for cli/command/stack/*.
+      #
+      # FIXME(thaJeztah): remove exception once these functions are un-exported or internal; see https://github.com/docker/cli/pull/6389
+      - text: '^(SA1019): '
+        path: "cli/command/stack"
+        linters:
+          - staticcheck
+
+    # Log a warning if an exclusion rule is unused.
+    # Default: false
+    warn-unused: true

.mailmap

@@ -43,6 +43,7 @@ Alexis Couvreur <alexiscouvreur.pro@gmail.com>
 Alicia Lauerman <alicia@eta.im> <allydevour@me.com>
 Allen Sun <allensun.shl@alibaba-inc.com> <allen.sun@daocloud.io>
 Allen Sun <allensun.shl@alibaba-inc.com> <shlallen1990@gmail.com>
+Allie Sadler <allie.sadler@docker.com>
 Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@microsoft.com>
 Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@outlook.com>
 André Martins  <aanm90@gmail.com> <martins@noironetworks.com>
@@ -63,8 +64,14 @@ Arko Dasgupta <arko@tetrate.io> <arko.dasgupta@docker.com>
 Arko Dasgupta <arko@tetrate.io> <arkodg@users.noreply.github.com>
 Arnaud Porterie <icecrime@gmail.com>
 Arnaud Porterie <icecrime@gmail.com> <arnaud.porterie@docker.com>
+Arthur Flageul <arthur.flageul@gmail.com>
+Arthur Flageul <arthur.flageul@gmail.com> <arthur.flageul@docker.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
 Arthur Peka <arthur.peka@outlook.com> <arthrp@users.noreply.github.com>
+Austin Vazquez <austin.vazquez@docker.com>
+Austin Vazquez <austin.vazquez@docker.com> <55906459+austinvazquez@users.noreply.github.com>
+Austin Vazquez <austin.vazquez@docker.com> <austin.vazquez.dev@gmail.com>
+Austin Vazquez <austin.vazquez@docker.com> <macedonv@amazon.com>
 Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
 Ben Bonnefoy <frenchben@docker.com>
 Ben Golub <ben.golub@dotcloud.com>
@@ -146,6 +153,8 @@ Dave Henderson <dhenderson@gmail.com> <Dave.Henderson@ca.ibm.com>
 Dave Tucker <dt@docker.com> <dave@dtucker.co.uk>
 David Alvarez <david.alvarez@flyeralarm.com>
 David Alvarez <david.alvarez@flyeralarm.com> <busilezas@gmail.com>
+David Dooling <david.dooling@docker.com>
+David Dooling <david.dooling@docker.com> <dooling@gmail.com>
 David Karlsson <david.karlsson@docker.com>
 David Karlsson <david.karlsson@docker.com> <35727626+dvdksn@users.noreply.github.com>
 David M. Karr <davidmichaelkarr@gmail.com>
@@ -195,6 +204,8 @@ Gaetan de Villele <gdevillele@gmail.com>
 Gang Qiao <qiaohai8866@gmail.com> <1373319223@qq.com>
 George Kontridze <george@bugsnag.com>
 Gerwim Feiken <g.feiken@tfe.nl> <gerwim@gmail.com>
+Giau. Tran Minh <hello@giautm.dev>
+Giau. Tran Minh <hello@giautm.dev> <12751435+giautm@users.noreply.github.com>
 Giampaolo Mancini <giampaolo@trampolineup.com>
 Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
 Gou Rao <gou@portworx.com> <gourao@users.noreply.github.com>
@@ -214,6 +225,7 @@ Günther Jungbluth <gunther@gameslabs.net>
 Hakan Özler <hakan.ozler@kodcu.com>
 Hao Shu Wei <haosw@cn.ibm.com>
 Hao Shu Wei <haosw@cn.ibm.com> <haoshuwei1989@163.com>
+Harald Albers <github@albersweb.de>
 Harald Albers <github@albersweb.de> <albers@users.noreply.github.com>
 Harold Cooper <hrldcpr@gmail.com>
 Harry Zhang <harryz@hyper.sh> <harryzhang@zju.edu.cn>
@@ -330,6 +342,8 @@ Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
 Lei Jitang <leijitang@huawei.com>
 Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
 Li Fu Bang <lifubang@acmcoder.com>
+Li Yi <denverdino@gmail.com>
+Li Yi <denverdino@gmail.com> <weiyuan.yl@alibaba-inc.com>
 Liang Mingqiang <mqliang.zju@gmail.com>
 Liang-Chi Hsieh <viirya@gmail.com>
 Liao Qingwei <liaoqingwei@huawei.com>
@@ -339,6 +353,7 @@ Lokesh Mandvekar <lsm5@fedoraproject.org> <lsm5@redhat.com>
 Lorenzo Fontana <lo@linux.com> <fontanalorenzo@me.com>
 Louis Opter <kalessin@kalessin.fr>
 Louis Opter <kalessin@kalessin.fr> <louis@dotcloud.com>
+Lovekesh Kumar <lovekesh.kumar@rtcamp.com>
 Luca Favatella <luca.favatella@erlang-solutions.com> <lucafavatella@users.noreply.github.com>
 Luke Marsden <me@lukemarsden.net> <luke@digital-crocus.com>
 Lyn <energylyn@zju.edu.cn>
@@ -396,6 +411,7 @@ Mike Dalton <mikedalton@github.com> <19153140+mikedalton@users.noreply.github.co
 Mike Goelzer <mike.goelzer@docker.com> <mgoelzer@docker.com>
 Milind Chawre <milindchawre@gmail.com>
 Misty Stanley-Jones <misty@docker.com> <misty@apache.org>
+Mohammad Hossein <mhm98035@gmail.com>
 Mohit Soni <mosoni@ebay.com> <mohitsoni1989@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
 Morten Hekkvang <morten.hekkvang@sbab.se>
@@ -419,6 +435,7 @@ O.S. Tezer <ostezer@gmail.com> <ostezer@users.noreply.github.com>
 Oh Jinkyun <tintypemolly@gmail.com> <tintypemolly@Ohui-MacBook-Pro.local>
 Oliver Pomeroy <oppomeroy@gmail.com>
 Ouyang Liduo <oyld0210@163.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
 Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
@@ -498,6 +515,7 @@ Stephen Day <stevvooe@gmail.com> <stephen.day@docker.com>
 Stephen Day <stevvooe@gmail.com> <stevvooe@users.noreply.github.com>
 Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
 Steve Richards <steve.richards@docker.com> stevejr <>
+Stuart Williams <pid@pidster.com>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>

AUTHORS

@@ -48,6 +48,7 @@ Alfred Landrum <alfred.landrum@docker.com>
 Ali Rostami <rostami.ali@gmail.com>
 Alicia Lauerman <alicia@eta.im>
 Allen Sun <allensun.shl@alibaba-inc.com>
+Allie Sadler <allie.sadler@docker.com>
 Alvin Deng <alvin.q.deng@utexas.edu>
 Amen Belayneh <amenbelayneh@gmail.com>
 Amey Shrivastava <72866602+AmeyShrivastava@users.noreply.github.com>
@@ -62,6 +63,7 @@ Andreas Köhler <andi5.py@gmx.net>
 Andres G. Aragoneses <knocte@gmail.com>
 Andres Leon Rangel <aleon1220@gmail.com>
 Andrew France <andrew@avito.co.uk>
+Andrew He <he.andrew.mail@gmail.com>
 Andrew Hsu <andrewhsu@docker.com>
 Andrew Macpherson <hopscotch23@gmail.com>
 Andrew McDonnell <bugs@andrewmcdonnell.net>
@@ -81,13 +83,16 @@ Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
 Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
+Archimedes Trajano <developer@trajano.net>
 Arko Dasgupta <arko@tetrate.io>
 Arnaud Porterie <icecrime@gmail.com>
 Arnaud Rebillout <elboulangero@gmail.com>
+Arthur Flageul <arthur.flageul@gmail.com>
 Arthur Peka <arthur.peka@outlook.com>
 Ashly Mathew <ashly.mathew@sap.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
 Aslam Ahemad <aslamahemad@gmail.com>
+Austin Vazquez <austin.vazquez@docker.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
 Barnaby Gray <barnaby@pickle.me.uk>
@@ -132,9 +137,12 @@ Cao Weiwei <cao.weiwei30@zte.com.cn>
 Carlo Mion <mion00@gmail.com>
 Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
+carsontham <carsontham@outlook.com>
+Carston Schilds <Carston.Schilds@visier.com>
 Casey Korver <casey@korver.dev>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
+Cesar Talledo <cesar.talledo@docker.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
 Chad Faragher <wyckster@hotmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
@@ -189,6 +197,7 @@ Daisuke Ito <itodaisuke00@gmail.com>
 dalanlan <dalanlan925@gmail.com>
 Damien Nadé <github@livna.org>
 Dan Cotora <dan@bluevision.ro>
+Dan Wallis <dan@wallis.nz>
 Danial Gharib <danial.mail.gh@gmail.com>
 Daniel Artine <daniel.artine@ufrj.br>
 Daniel Cassidy <mail@danielcassidy.me.uk>
@@ -215,7 +224,7 @@ David Alvarez <david.alvarez@flyeralarm.com>
 David Beitey <david@davidjb.com>
 David Calavera <david.calavera@gmail.com>
 David Cramer <davcrame@cisco.com>
-David Dooling <dooling@gmail.com>
+David Dooling <david.dooling@docker.com>
 David Gageot <david@gageot.net>
 David Karlsson <david.karlsson@docker.com>
 David le Blanc <systemmonkey42@users.noreply.github.com>
@@ -237,6 +246,7 @@ Deshi Xiao <dxiao@redhat.com>
 Dharmit Shah <shahdharmit@gmail.com>
 Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
 Dieter Reuter <dieter.reuter@me.com>
+Dilep Dev <34891655+DilepDev@users.noreply.github.com>
 Dima Stopel <dima@twistlock.com>
 Dimitry Andric <d.andric@activevideo.com>
 Ding Fei <dingfei@stars.org.cn>
@@ -259,6 +269,7 @@ Eli Uriegas <eli.uriegas@docker.com>
 Eli Uriegas <seemethere101@gmail.com>
 Elias Faxö <elias.faxo@tre.se>
 Elliot Luo <956941328@qq.com>
+Eng Zer Jun <engzerjun@gmail.com>
 Eric Bode <eric.bode@foundries.io>
 Eric Curtin <ericcurtin17@gmail.com>
 Eric Engestrom <eric@engestrom.ch>
@@ -308,6 +319,8 @@ George MacRorie <gmacr31@gmail.com>
 George Margaritis <gmargaritis@protonmail.com>
 George Xie <georgexsh@gmail.com>
 Gianluca Borello <g.borello@gmail.com>
+Giau. Tran Minh <hello@giautm.dev>
+Giedrius Jonikas <giedriusj1@gmail.com>
 Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
 Gio d'Amelio <giodamelio@gmail.com>
 Gleb Stsenov <gleb.stsenov@gmail.com>
@@ -337,6 +350,7 @@ Henning Sprang <henning.sprang@gmail.com>
 Henry N <henrynmail-github@yahoo.de>
 Hernan Garcia <hernandanielg@gmail.com>
 Hongbin Lu <hongbin034@gmail.com>
+Hossein Abbasi <16090309+hsnabszhdn@users.noreply.github.com>
 Hu Keping <hukeping@huawei.com>
 Huayi Zhang <irachex@gmail.com>
 Hugo Chastel <Hugo-C@users.noreply.github.com>
@@ -344,6 +358,7 @@ Hugo Gabriel Eyherabide <hugogabriel.eyherabide@gmail.com>
 huqun <huqun@zju.edu.cn>
 Huu Nguyen <huu@prismskylabs.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Iain MacDonald <IJMacD@gmail.com>
 Iain Samuel McLean Elder <iain@isme.es>
 Ian Campbell <ian.campbell@docker.com>
 Ian Philpot <ian.philpot@microsoft.com>
@@ -393,6 +408,7 @@ Jesse Adametz <jesseadametz@gmail.com>
 Jessica Frazelle <jess@oxide.computer>
 Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+Jianyong Wu <wujianyong@hygon.cn>
 Jie Luo <luo612@zju.edu.cn>
 Jilles Oldenbeuving <ojilles@gmail.com>
 Jim Chen <njucjc@gmail.com>
@@ -446,6 +462,7 @@ Julian <gitea+julian@ic.thejulian.uk>
 Julien Barbier <write0@gmail.com>
 Julien Kassar <github@kassisol.com>
 Julien Maitrehenry <julien.maitrehenry@me.com>
+Julio Cesar Garcia <juliogarciamelgarejo@gmail.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
 Justin Chadwell <me@jedevc.com>
 Justin Cormack <justin.cormack@docker.com>
@@ -490,19 +507,22 @@ Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Kyle Mitofsky <Kylemit@gmail.com>
 Lachlan Cooper <lachlancooper@gmail.com>
 Lai Jiangshan <jiangshanlai@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Laurent Goderre <laurent.goderre@docker.com>
 Lee Gaines <eightlimbed@gmail.com>
 Lei Jitang <leijitang@huawei.com>
 Lennie <github@consolejunkie.net>
+lentil32 <lentil32@icloud.com>
 Leo Gallucci <elgalu3@gmail.com>
 Leonid Skorospelov <leosko94@gmail.com>
 Lewis Daly <lewisdaly@me.com>
 Li Fu Bang <lifubang@acmcoder.com>
 Li Yi <denverdino@gmail.com>
-Li Yi <weiyuan.yl@alibaba-inc.com>
+Li Zeghong <zeghong@hotmail.com>
 Liang-Chi Hsieh <viirya@gmail.com>
 Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
@@ -515,6 +535,7 @@ lixiaobing10051267 <li.xiaobing1@zte.com.cn>
 Lloyd Dewolf <foolswisdom@gmail.com>
 Lorenzo Fontana <lo@linux.com>
 Louis Opter <kalessin@kalessin.fr>
+Lovekesh Kumar <lovekesh.kumar@rtcamp.com>
 Luca Favatella <luca.favatella@erlang-solutions.com>
 Luca Marturana <lucamarturana@gmail.com>
 Lucas Chan <lucas-github@lucaschan.com>
@@ -559,6 +580,7 @@ Matt Robenolt <matt@ydekproductions.com>
 Matteo Orefice <matteo.orefice@bites4bits.software>
 Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
 Max-Julian Pogner <max-julian@pogner.at>
@@ -566,6 +588,7 @@ Maxime Petazzoni <max@signalfuse.com>
 Maximillian Fan Xavier <maximillianfx@gmail.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
 Melroy van den Berg <melroy@melroy.org>
+Mert Şişmanoğlu <mert190737fb@gmail.com>
 Metal <2466052+tedhexaflow@users.noreply.github.com>
 Micah Zoltu <micah@newrelic.com>
 Michael A. Smith <michael@smith-li.com>
@@ -578,6 +601,7 @@ Michael Prokop <github@michael-prokop.at>
 Michael Scharf <github@scharf.gr>
 Michael Spetsiotis <michael_spets@hotmail.com>
 Michael Steinert <mike.steinert@gmail.com>
+Michael Tews <michael@tews.dev>
 Michael West <mwest@mdsol.com>
 Michal Minář <miminar@redhat.com>
 Michał Czeraszkiewicz <czerasz@gmail.com>
@@ -598,7 +622,9 @@ Mindaugas Rukas <momomg@gmail.com>
 Miroslav Gula <miroslav.gula@naytrolabs.com>
 Misty Stanley-Jones <misty@docker.com>
 Mohammad Banikazemi <mb@us.ibm.com>
+Mohammad Hossein <mhm98035@gmail.com>
 Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohammed Aminu Futa <mohammedfuta2000@gmail.com>
 Mohini Anne Dsouza <mohini3917@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com>
 Morgan Bauer <mbauer@us.ibm.com>
@@ -633,9 +659,11 @@ Nicolas De Loof <nicolas.deloof@gmail.com>
 Nikhil Chawla <chawlanikhil24@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Milovanov <nmil@itransformers.net>
+NinaLua <iturf@sina.cn>
 Nir Soffer <nsoffer@redhat.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+Noah Silas <noah@hustle.com>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
 Oded Arbel <oded@geek.co.il>
@@ -653,10 +681,12 @@ Patrick Böänziger <patrick.baenziger@bsi-software.com>
 Patrick Daigle <114765035+pdaig@users.noreply.github.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick Lang <plang@microsoft.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Paul <paul9869@gmail.com>
 Paul Kehrer <paul.l.kehrer@gmail.com>
 Paul Lietar <paul@lietar.net>
 Paul Mulders <justinkb@gmail.com>
+Paul Rogalski <mail@paul-rogalski.de>
 Paul Seyfert <pseyfert.mathphys@gmail.com>
 Paul Weaver <pauweave@cisco.com>
 Pavel Pospisil <pospispa@gmail.com>
@@ -678,7 +708,6 @@ Philip Alexander Etling <paetling@gmail.com>
 Philipp Gillé <philipp.gille@gmail.com>
 Philipp Schmied <pschmied@schutzwerk.com>
 Phong Tran <tran.pho@northeastern.edu>
-pidster <pid@pidster.com>
 Pieter E Smit <diepes@github.com>
 pixelistik <pixelistik@users.noreply.github.com>
 Pratik Karki <prertik@outlook.com>
@@ -738,6 +767,7 @@ Samuel Cochran <sj26@sj26.com>
 Samuel Karp <skarp@amazon.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com>
 Santhosh Manohar <santhosh@docker.com>
+Sarah Sanders <sarah.sanders@docker.com>
 Sargun Dhillon <sargun@netflix.com>
 Saswat Bhattacharya <sas.saswat@gmail.com>
 Saurabh Kumar <saurabhkumar0184@gmail.com>
@@ -770,6 +800,7 @@ Spencer Brown <spencer@spencerbrown.org>
 Spring Lee <xi.shuai@outlook.com>
 squeegels <lmscrewy@gmail.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
+Stavros Panakakis <stavrospanakakis@gmail.com>
 Stefan S. <tronicum@user.github.com>
 Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
@@ -780,6 +811,7 @@ Steve Durrheimer <s.durrheimer@gmail.com>
 Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Stoica-Marcu Floris-Andrei <floris.sm@gmail.com>
+Stuart Williams <pid@pidster.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sune Keller <absukl@almbrand.dk>
@@ -867,9 +899,11 @@ Wang Yumu <37442693@qq.com>
 Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
 Wayne Song <wsong@docker.com>
 Wen Cheng Ma <wenchma@cn.ibm.com>
+Wenlong Zhang <zhangwenlong@loongson.cn>
 Wenzhi Liang <wenzhi.liang@gmail.com>
 Wes Morgan <cap10morgan@gmail.com>
 Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
+Will Wang <willww64@gmail.com>
 William Henry <whenry@redhat.com>
 Xianglin Gao <xlgao@zju.edu.cn>
 Xiaodong Liu <liuxiaodong@loongson.cn>
@@ -908,3 +942,4 @@ Zhuo Zhi <h.dwwwwww@gmail.com>
 Átila Camurça Alves <camurca.home@gmail.com>
 Александр Менщиков <__Singleton__@hackerdom.ru>
 徐俊杰 <paco.xu@daocloud.io>
+林博仁 Buo-ren Lin <Buo.Ren.Lin@gmail.com>

Dockerfile

@@ -1,26 +1,43 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG ALPINE_VERSION=3.21
+
+# ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image.
+# It must be a supported tag in the docker.io/library/alpine image repository
+# that's also available as alpine image variant for the Golang version used.
+ARG ALPINE_VERSION=3.22
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.23.6
-ARG XX_VERSION=1.6.1
-ARG GOVERSIONINFO_VERSION=v1.4.1
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GO_VERSION=1.25.4
+
+# XX_VERSION specifies the version of the xx utility to use.
+# It must be a valid tag in the docker.io/tonistiigi/xx image repository.
+ARG XX_VERSION=1.7.0
+
+# GOVERSIONINFO_VERSION is the version of GoVersionInfo to install.
+# It must be a valid tag from https://github.com/josephspurrier/goversioninfo
+ARG GOVERSIONINFO_VERSION=v1.5.0
+
+# GOTESTSUM_VERSION sets the version of gotestsum to install in the dev container.
+# It must be a valid tag in the https://github.com/gotestyourself/gotestsum repository.
+ARG GOTESTSUM_VERSION=v1.13.0
 
 # BUILDX_VERSION sets the version of buildx to use for the e2e tests.
 # It must be a tag in the docker.io/docker/buildx-bin image repository
 # on Docker Hub.
-ARG BUILDX_VERSION=0.20.1
-ARG COMPOSE_VERSION=v2.32.4
+ARG BUILDX_VERSION=0.29.1
+
+# COMPOSE_VERSION is the version of compose to install in the dev container.
+# It must be a tag in the docker.io/docker/compose-bin image repository
+# on Docker Hub.
+ARG COMPOSE_VERSION=v2.40.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
 ENV GOTOOLCHAIN=local
 COPY --link --from=xx / /
-RUN apk add --no-cache bash clang lld llvm file git
+RUN apk add --no-cache bash clang lld llvm file git git-daemon
 WORKDIR /go/src/github.com/docker/cli
 
 FROM build-base-alpine AS build-alpine
@@ -67,7 +84,7 @@ ARG PACKAGER_NAME
 COPY --link --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
 RUN --mount=type=bind,target=.,ro \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=tmpfs,target=cli/winresources \
+    --mount=type=tmpfs,target=cmd/docker/winresources \
     # override the default behavior of go with xx-go
     xx-go --wrap && \
     # export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \
@@ -80,7 +97,7 @@ ENV GO111MODULE=auto
 RUN --mount=type=bind,target=.,rw \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod \
-    gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/')
+    gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/|/cmd/docker-trust')
 
 FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage.txt /coverage.txt
@@ -105,10 +122,6 @@ FROM docker/buildx-bin:${BUILDX_VERSION}   AS buildx
 FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
 
 FROM e2e-base-${BASE_VARIANT} AS e2e
-ARG NOTARY_VERSION=v0.6.1
-ADD --chmod=0755 https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 /usr/local/bin/notary
-COPY --link e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
-RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
 COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
 COPY --link --from=build /out ./build/
 COPY --link --from=build-plugins /out ./build/
@@ -117,7 +130,7 @@ COPY --link --from=compose /docker-compose /usr/libexec/docker/cli-plugins/docke
 COPY --link . .
 ENV DOCKER_BUILDKIT=1
 ENV PATH=/go/src/github.com/docker/cli/build:$PATH
-CMD ./scripts/test/e2e/entry
+CMD ["./scripts/test/e2e/entry"]
 
 FROM build-base-${BASE_VARIANT} AS dev
 COPY --link . .

Makefile

@@ -34,12 +34,12 @@ test: test-unit ## run tests
 
 .PHONY: test-unit
 test-unit: ## run unit tests, to change the output format use: GOTESTSUM_FORMAT=(dots|short|standard-quiet|short-verbose|standard-verbose) make test-unit
-	gotestsum -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/')} $(TESTFLAGS)
+	gotestsum -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/|/cmd/docker-trust')} $(TESTFLAGS)
 
 .PHONY: test-coverage
 test-coverage: ## run test coverage
 	mkdir -p $(CURDIR)/build/coverage
-	gotestsum -- $(shell go list ./... | grep -vE '/vendor/|/e2e/') -coverprofile=$(CURDIR)/build/coverage/coverage.txt
+	gotestsum -- $(shell go list ./... | grep -vE '/vendor/|/e2e/|/cmd/docker-trust') -coverprofile=$(CURDIR)/build/coverage/coverage.txt
 
 .PHONY: lint
 lint: ## run all the lint tools
@@ -52,7 +52,7 @@ shellcheck: ## run shellcheck validation
 .PHONY: fmt
 fmt: ## run gofumpt (if present) or gofmt
 	@if command -v gofumpt > /dev/null; then \
-		gofumpt -w -d -lang=1.23 . ; \
+		gofumpt -w -d -lang=1.24 . ; \
 	else \
 		go list -f {{.Dir}} ./... | xargs gofmt -w -s -d ; \
 	fi
@@ -67,20 +67,29 @@ dynbinary: ## build dynamically linked binary
 
 .PHONY: plugins
 plugins: ## build example CLI plugins
-	./scripts/build/plugins
+	scripts/build/plugins
+
+.PHONY: trust-plugin
+trust-plugin: ## build docker-trust CLI plugins
+	scripts/build/trust-plugin
+
+.PHONY: install-trust-plugin
+install-trust-plugin: trust-plugin
+install-trust-plugin: ## install docker-trust CLI plugins
+	install -D -m 0755 "$$(readlink -f build/docker-trust)" /usr/libexec/docker/cli-plugins/docker-trust
 
 .PHONY: vendor
 vendor: ## update vendor with go modules
 	rm -rf vendor
-	./scripts/vendor update
+	scripts/with-go-mod.sh scripts/vendor update
 
 .PHONY: validate-vendor
 validate-vendor: ## validate vendor
-	./scripts/vendor validate
+	scripts/with-go-mod.sh scripts/vendor validate
 
 .PHONY: mod-outdated
 mod-outdated: ## check outdated dependencies
-	./scripts/vendor outdated
+	scripts/with-go-mod.sh scripts/vendor outdated
 
 .PHONY: authors
 authors: ## generate AUTHORS file from git history
@@ -115,15 +124,15 @@ shell-completion: ## generate shell-completion scripts
 
 .PHONY: manpages
 manpages: ## generate man pages from go source and markdown
-	scripts/docs/generate-man.sh
+	scripts/with-go-mod.sh scripts/docs/generate-man.sh
 
 .PHONY: mddocs
 mddocs: ## generate markdown files from go source
-	scripts/docs/generate-md.sh
+	scripts/with-go-mod.sh scripts/docs/generate-md.sh
 
 .PHONY: yamldocs
 yamldocs: ## generate documentation YAML files consumed by docs repo
-	scripts/docs/generate-yaml.sh
+	scripts/with-go-mod.sh scripts/docs/generate-yaml.sh
 
 .PHONY: help
 help: ## print this help

VERSION

@@ -1 +1 @@
-28.0.0-dev
+29.0.0-dev

cli-plugins/examples/helloworld/main.go

@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -25,7 +26,7 @@ func main() {
 			Short: "Print the API version of the server",
 			RunE: func(_ *cobra.Command, _ []string) error {
 				apiClient := dockerCLI.Client()
-				ping, err := apiClient.Ping(context.Background())
+				ping, err := apiClient.Ping(context.Background(), client.PingOptions{})
 				if err != nil {
 					return err
 				}
@@ -97,7 +98,7 @@ func main() {
 		cmd.AddCommand(goodbye, apiversion, exitStatus2)
 		return cmd
 	},
-		manager.Metadata{
+		metadata.Metadata{
 			SchemaVersion: "0.1.0",
 			Vendor:        "Docker Inc.",
 			Version:       "testing",

cli-plugins/manager/candidate.go

@@ -1,12 +1,10 @@
 package manager
 
-import "os/exec"
+import (
+	"os/exec"
 
-// Candidate represents a possible plugin candidate, for mocking purposes
-type Candidate interface {
-	Path() string
-	Metadata() ([]byte, error)
-}
+	"github.com/docker/cli/cli-plugins/metadata"
+)
 
 type candidate struct {
 	path string
@@ -17,5 +15,5 @@ func (c *candidate) Path() string {
 }
 
 func (c *candidate) Metadata() ([]byte, error) {
-	return exec.Command(c.path, MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+	return exec.Command(c.path, metadata.MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 }

cli-plugins/manager/candidate_test.go

@@ -6,9 +6,10 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
-	"gotest.tools/v3/assert/cmp"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 type fakeCandidate struct {
@@ -30,62 +31,132 @@ func (c *fakeCandidate) Metadata() ([]byte, error) {
 
 func TestValidateCandidate(t *testing.T) {
 	const (
-		goodPluginName = NamePrefix + "goodplugin"
+		goodPluginName = metadata.NamePrefix + "goodplugin"
+		builtinName    = metadata.NamePrefix + "builtin"
+		builtinAlias   = metadata.NamePrefix + "alias"
 
-		builtinName  = NamePrefix + "builtin"
-		builtinAlias = NamePrefix + "alias"
-
-		badPrefixPath    = "/usr/local/libexec/cli-plugins/wobble"
-		badNamePath      = "/usr/local/libexec/cli-plugins/docker-123456"
-		goodPluginPath   = "/usr/local/libexec/cli-plugins/" + goodPluginName
-		metaExperimental = `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing", "Experimental": true}`
+		badPrefixPath  = "/usr/local/libexec/cli-plugins/wobble"
+		badNamePath    = "/usr/local/libexec/cli-plugins/docker-123456"
+		goodPluginPath = "/usr/local/libexec/cli-plugins/" + goodPluginName
 	)
 
 	fakeroot := &cobra.Command{Use: "docker"}
 	fakeroot.AddCommand(&cobra.Command{
-		Use: strings.TrimPrefix(builtinName, NamePrefix),
+		Use: strings.TrimPrefix(builtinName, metadata.NamePrefix),
 		Aliases: []string{
-			strings.TrimPrefix(builtinAlias, NamePrefix),
+			strings.TrimPrefix(builtinAlias, metadata.NamePrefix),
 		},
 	})
 
 	for _, tc := range []struct {
-		name string
-		c    *fakeCandidate
+		name   string
+		plugin *fakeCandidate
 
 		// Either err or invalid may be non-empty, but not both (both can be empty for a good plugin).
 		err     string
 		invalid string
+		expVer  string
 	}{
-		/* Each failing one of the tests */
-		{name: "empty path", c: &fakeCandidate{path: ""}, err: "plugin candidate path cannot be empty"},
-		{name: "bad prefix", c: &fakeCandidate{path: badPrefixPath}, err: fmt.Sprintf("does not have %q prefix", NamePrefix)},
-		{name: "bad path", c: &fakeCandidate{path: badNamePath}, invalid: "did not match"},
-		{name: "builtin command", c: &fakeCandidate{path: builtinName}, invalid: `plugin "builtin" duplicates builtin command`},
-		{name: "builtin alias", c: &fakeCandidate{path: builtinAlias}, invalid: `plugin "alias" duplicates an alias of builtin command "builtin"`},
-		{name: "fetch failure", c: &fakeCandidate{path: goodPluginPath, exec: false}, invalid: fmt.Sprintf("failed to fetch metadata: faked a failure to exec %q", goodPluginPath)},
-		{name: "metadata not json", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `xyzzy`}, invalid: "invalid character"},
-		{name: "empty schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{}`}, invalid: `plugin SchemaVersion "" is not valid`},
-		{name: "invalid schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "xyzzy"}`}, invalid: `plugin SchemaVersion "xyzzy" is not valid`},
-		{name: "no vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0"}`}, invalid: "plugin metadata does not define a vendor"},
-		{name: "empty vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": ""}`}, invalid: "plugin metadata does not define a vendor"},
-		// This one should work
-		{name: "valid", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`}},
-		{name: "experimental + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental}},
+		// Invalid cases.
+		{
+			name:   "empty path",
+			plugin: &fakeCandidate{path: ""},
+			err:    "plugin candidate path cannot be empty",
+		},
+		{
+			name:   "bad prefix",
+			plugin: &fakeCandidate{path: badPrefixPath},
+			err:    fmt.Sprintf("does not have %q prefix", metadata.NamePrefix),
+		},
+		{
+			name:    "bad path",
+			plugin:  &fakeCandidate{path: badNamePath},
+			invalid: "did not match",
+		},
+		{
+			name:    "builtin command",
+			plugin:  &fakeCandidate{path: builtinName},
+			invalid: `plugin "builtin" duplicates builtin command`,
+		},
+		{
+			name:    "builtin alias",
+			plugin:  &fakeCandidate{path: builtinAlias},
+			invalid: `plugin "alias" duplicates an alias of builtin command "builtin"`,
+		},
+		{
+			name:    "fetch failure",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: false},
+			invalid: fmt.Sprintf("failed to fetch metadata: faked a failure to exec %q", goodPluginPath),
+		},
+		{
+			name:    "metadata not json",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `xyzzy`},
+			invalid: "invalid character",
+		},
+		{
+			name:    "empty schemaversion",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `{}`},
+			invalid: `plugin SchemaVersion version cannot be empty`,
+		},
+		{
+			name:    "invalid schemaversion",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "xyzzy"}`},
+			invalid: `plugin SchemaVersion "xyzzy" has wrong format: must be <major>.<minor>.<patch>`,
+		},
+		{
+			name:    "invalid schemaversion major",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "2.0.0"}`},
+			invalid: `plugin SchemaVersion "2.0.0" is not supported: must be lower than 2.0.0`,
+		},
+		{
+			name:    "no vendor",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0"}`},
+			invalid: "plugin metadata does not define a vendor",
+		},
+		{
+			name:    "empty vendor",
+			plugin:  &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": ""}`},
+			invalid: "plugin metadata does not define a vendor",
+		},
+
+		// Valid cases.
+		{
+			name:   "valid",
+			plugin: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`},
+			expVer: "0.1.0",
+		},
+		{
+			// Including the deprecated "experimental" field should not break processing.
+			name:   "with legacy experimental",
+			plugin: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing", "Experimental": true}`},
+			expVer: "0.1.0",
+		},
+		{
+			// note that this may not be supported by older CLIs
+			name:   "new minor schema version",
+			plugin: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.2.0", "Vendor": "e2e-testing"}`},
+			expVer: "0.2.0",
+		},
+		{
+			// note that this may not be supported by older CLIs
+			name:   "new major schema version",
+			plugin: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "1.0.0", "Vendor": "e2e-testing"}`},
+			expVer: "1.0.0",
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			p, err := newPlugin(tc.c, fakeroot.Commands())
+			p, err := newPlugin(tc.plugin, fakeroot.Commands())
 			switch {
 			case tc.err != "":
 				assert.ErrorContains(t, err, tc.err)
 			case tc.invalid != "":
 				assert.NilError(t, err)
-				assert.Assert(t, cmp.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
+				assert.Assert(t, is.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
 				assert.ErrorContains(t, p.Err, tc.invalid)
 			default:
 				assert.NilError(t, err)
-				assert.Equal(t, NamePrefix+p.Name, goodPluginName)
-				assert.Equal(t, p.SchemaVersion, "0.1.0")
+				assert.Equal(t, metadata.NamePrefix+p.Name, goodPluginName)
+				assert.Equal(t, p.SchemaVersion, tc.expVer)
 				assert.Equal(t, p.Vendor, "e2e-testing")
 			}
 		})

cli-plugins/manager/cobra.go

@@ -2,41 +2,12 @@ package manager
 
 import (
 	"fmt"
-	"net/url"
 	"os"
-	"strings"
 	"sync"
 
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli-plugins/metadata"
+	"github.com/docker/cli/cli/config"
 	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/attribute"
-)
-
-const (
-	// CommandAnnotationPlugin is added to every stub command added by
-	// AddPluginCommandStubs with the value "true" and so can be
-	// used to distinguish plugin stubs from regular commands.
-	CommandAnnotationPlugin = "com.docker.cli.plugin"
-
-	// CommandAnnotationPluginVendor is added to every stub command
-	// added by AddPluginCommandStubs and contains the vendor of
-	// that plugin.
-	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
-
-	// CommandAnnotationPluginVersion is added to every stub command
-	// added by AddPluginCommandStubs and contains the version of
-	// that plugin.
-	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
-
-	// CommandAnnotationPluginInvalid is added to any stub command
-	// added by AddPluginCommandStubs for an invalid command (that
-	// is, one which failed it's candidate test) and contains the
-	// reason for the failure.
-	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
-
-	// CommandAnnotationPluginCommandPath is added to overwrite the
-	// command path for a plugin invocation.
-	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
 )
 
 var pluginCommandStubsOnce sync.Once
@@ -44,10 +15,10 @@ var pluginCommandStubsOnce sync.Once
 // AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
 // plugin. The command stubs will have several annotations added, see
 // `CommandAnnotationPlugin*`.
-func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err error) {
+func AddPluginCommandStubs(dockerCLI config.Provider, rootCmd *cobra.Command) (err error) {
 	pluginCommandStubsOnce.Do(func() {
 		var plugins []Plugin
-		plugins, err = ListPlugins(dockerCli, rootCmd)
+		plugins, err = ListPlugins(dockerCLI, rootCmd)
 		if err != nil {
 			return
 		}
@@ -57,16 +28,17 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 				vendor = "unknown"
 			}
 			annotations := map[string]string{
-				CommandAnnotationPlugin:        "true",
-				CommandAnnotationPluginVendor:  vendor,
-				CommandAnnotationPluginVersion: p.Version,
+				metadata.CommandAnnotationPlugin:        "true",
+				metadata.CommandAnnotationPluginVendor:  vendor,
+				metadata.CommandAnnotationPluginVersion: p.Version,
 			}
 			if p.Err != nil {
-				annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+				annotations[metadata.CommandAnnotationPluginInvalid] = p.Err.Error()
 			}
 			rootCmd.AddCommand(&cobra.Command{
 				Use:                p.Name,
 				Short:              p.ShortDescription,
+				Hidden:             p.Hidden,
 				Run:                func(_ *cobra.Command, _ []string) {},
 				Annotations:        annotations,
 				DisableFlagParsing: true,
@@ -89,7 +61,7 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 					cargs = append(cargs, args...)
 					cargs = append(cargs, toComplete)
 					os.Args = cargs
-					runCommand, runErr := PluginRunCommand(dockerCli, p.Name, cmd)
+					runCommand, runErr := PluginRunCommand(dockerCLI, p.Name, cmd)
 					if runErr != nil {
 						return nil, cobra.ShellCompDirectiveError
 					}
@@ -104,44 +76,3 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 	})
 	return err
 }
-
-const (
-	dockerCliAttributePrefix = attribute.Key("docker.cli")
-
-	cobraCommandPath = attribute.Key("cobra.command_path")
-)
-
-func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
-	commandPath := cmd.Annotations[CommandAnnotationPluginCommandPath]
-	if commandPath == "" {
-		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
-	}
-
-	attrSet := attribute.NewSet(
-		cobraCommandPath.String(commandPath),
-	)
-
-	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
-	for iter := attrSet.Iter(); iter.Next(); {
-		attr := iter.Attribute()
-		kvs = append(kvs, attribute.KeyValue{
-			Key:   dockerCliAttributePrefix + "." + attr.Key,
-			Value: attr.Value,
-		})
-	}
-	return attribute.NewSet(kvs...)
-}
-
-func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
-	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
-		// values in environment variables need to be in baggage format
-		// otel/baggage package can be used after update to v1.22, currently it encodes incorrectly
-		attrsSlice := make([]string, attrs.Len())
-		for iter := attrs.Iter(); iter.Next(); {
-			i, v := iter.IndexedAttribute()
-			attrsSlice[i] = string(v.Key) + "=" + url.PathEscape(v.Value.AsString())
-		}
-		env = append(env, ResourceAttributesEnvvar+"="+strings.Join(attrsSlice, ","))
-	}
-	return env
-}

cli-plugins/manager/cobra_test.go

@@ -0,0 +1,26 @@
+package manager
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+)
+
+func TestPluginResourceAttributesEnvvar(t *testing.T) {
+	cmd := &cobra.Command{
+		Annotations: map[string]string{
+			cobra.CommandDisplayNameAnnotation: "docker",
+		},
+	}
+
+	// Ensure basic usage is fine.
+	env := appendPluginResourceAttributesEnvvar(nil, cmd, Plugin{Name: "compose"})
+	assert.DeepEqual(t, []string{"OTEL_RESOURCE_ATTRIBUTES=docker.cli.cobra.command_path=docker%20compose"}, env)
+
+	// Add a user-based environment variable to OTEL_RESOURCE_ATTRIBUTES.
+	t.Setenv("OTEL_RESOURCE_ATTRIBUTES", "a.b.c=foo")
+
+	env = appendPluginResourceAttributesEnvvar(nil, cmd, Plugin{Name: "compose"})
+	assert.DeepEqual(t, []string{"OTEL_RESOURCE_ATTRIBUTES=a.b.c=foo,docker.cli.cobra.command_path=docker%20compose"}, env)
+}

cli-plugins/manager/error.go

@@ -1,10 +1,10 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.24
 
 package manager
 
 import (
-	"github.com/pkg/errors"
+	"fmt"
 )
 
 // pluginError is set as Plugin.Err by NewPlugin if the plugin
@@ -23,11 +23,6 @@ func (e *pluginError) Error() string {
 	return e.cause.Error()
 }
 
-// Cause satisfies the errors.causer interface for pluginError.
-func (e *pluginError) Cause() error {
-	return e.cause
-}
-
 // Unwrap provides compatibility for Go 1.13 error chains.
 func (e *pluginError) Unwrap() error {
 	return e.cause
@@ -39,16 +34,13 @@ func (e *pluginError) MarshalText() (text []byte, err error) {
 }
 
 // wrapAsPluginError wraps an error in a pluginError with an
-// additional message, analogous to errors.Wrapf.
+// additional message.
 func wrapAsPluginError(err error, msg string) error {
-	if err == nil {
-		return nil
-	}
-	return &pluginError{cause: errors.Wrap(err, msg)}
+	return &pluginError{cause: fmt.Errorf("%s: %w", msg, err)}
 }
 
-// NewPluginError creates a new pluginError, analogous to
+// newPluginError creates a new pluginError, analogous to
 // errors.Errorf.
-func NewPluginError(msg string, args ...any) error {
-	return &pluginError{cause: errors.Errorf(msg, args...)}
+func newPluginError(msg string, args ...any) error {
+	return &pluginError{cause: fmt.Errorf(msg, args...)}
 }

cli-plugins/manager/error_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 func TestPluginError(t *testing.T) {
-	err := NewPluginError("new error")
+	err := newPluginError("new error")
 	assert.Check(t, is.Error(err, "new error"))
 
 	inner := errors.New("testing")
@@ -21,4 +21,7 @@ func TestPluginError(t *testing.T) {
 	actual, err := json.Marshal(err)
 	assert.Check(t, err)
 	assert.Check(t, is.Equal(`"wrapping: testing"`, string(actual)))
+
+	err = wrapAsPluginError(nil, "wrapping")
+	assert.Check(t, is.Error(err, "wrapping: %!w(<nil>)"))
 }

cli-plugins/manager/hooks.go

@@ -6,7 +6,8 @@ import (
 	"strings"
 
 	"github.com/docker/cli/cli-plugins/hooks"
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -29,29 +30,28 @@ type HookPluginData struct {
 // a main CLI command was executed. It calls the hook subcommand for all
 // present CLI plugins that declare support for hooks in their metadata and
 // parses/prints their responses.
-func RunCLICommandHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
+func RunCLICommandHooks(ctx context.Context, dockerCLI config.Provider, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
 	commandName := strings.TrimPrefix(subCommand.CommandPath(), rootCmd.Name()+" ")
 	flags := getCommandFlags(subCommand)
 
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, cmdErrorMessage)
+	runHooks(ctx, dockerCLI.ConfigFile(), rootCmd, subCommand, commandName, flags, cmdErrorMessage)
 }
 
 // RunPluginHooks is the entrypoint for the hooks execution flow
 // after a plugin command was just executed by the CLI.
-func RunPluginHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, args []string) {
+func RunPluginHooks(ctx context.Context, dockerCLI config.Provider, rootCmd, subCommand *cobra.Command, args []string) {
 	commandName := strings.Join(args, " ")
 	flags := getNaiveFlags(args)
 
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, "")
+	runHooks(ctx, dockerCLI.ConfigFile(), rootCmd, subCommand, commandName, flags, "")
 }
 
-func runHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
-	nextSteps := invokeAndCollectHooks(ctx, dockerCli, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
-
-	hooks.PrintNextSteps(dockerCli.Err(), nextSteps)
+func runHooks(ctx context.Context, cfg *configfile.ConfigFile, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
+	nextSteps := invokeAndCollectHooks(ctx, cfg, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
+	hooks.PrintNextSteps(subCommand.ErrOrStderr(), nextSteps)
 }
 
-func invokeAndCollectHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
+func invokeAndCollectHooks(ctx context.Context, cfg *configfile.ConfigFile, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
 	// check if the context was cancelled before invoking hooks
 	select {
 	case <-ctx.Done():
@@ -59,19 +59,20 @@ func invokeAndCollectHooks(ctx context.Context, dockerCli command.Cli, rootCmd,
 	default:
 	}
 
-	pluginsCfg := dockerCli.ConfigFile().Plugins
+	pluginsCfg := cfg.Plugins
 	if pluginsCfg == nil {
 		return nil
 	}
 
+	pluginDirs := getPluginDirs(cfg)
 	nextSteps := make([]string, 0, len(pluginsCfg))
-	for pluginName, cfg := range pluginsCfg {
-		match, ok := pluginMatch(cfg, subCmdStr)
+	for pluginName, pluginCfg := range pluginsCfg {
+		match, ok := pluginMatch(pluginCfg, subCmdStr)
 		if !ok {
 			continue
 		}
 
-		p, err := GetPlugin(pluginName, dockerCli, rootCmd)
+		p, err := getPlugin(pluginName, pluginDirs, rootCmd)
 		if err != nil {
 			continue
 		}

cli-plugins/manager/manager.go

@@ -2,6 +2,7 @@ package manager
 
 import (
 	"context"
+	"errors"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -9,26 +10,16 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/docker/cli/cli/command"
+	"github.com/containerd/errdefs"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/debug"
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 )
 
-const (
-	// ReexecEnvvar is the name of an ennvar which is set to the command
-	// used to originally invoke the docker CLI when executing a
-	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
-	// the plugin to re-execute the original CLI.
-	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
-
-	// ResourceAttributesEnvvar is the name of the envvar that includes additional
-	// resource attributes for OTEL.
-	ResourceAttributesEnvvar = "OTEL_RESOURCE_ATTRIBUTES"
-)
-
 // errPluginNotFound is the error returned when a plugin could not be found.
 type errPluginNotFound string
 
@@ -38,17 +29,6 @@ func (e errPluginNotFound) Error() string {
 	return "Error: No such CLI plugin: " + string(e)
 }
 
-type notFound interface{ NotFound() }
-
-// IsNotFound is true if the given error is due to a plugin not being found.
-func IsNotFound(err error) bool {
-	if e, ok := err.(*pluginError); ok {
-		err = e.Cause()
-	}
-	_, ok := err.(notFound)
-	return ok
-}
-
 // getPluginDirs returns the platform-specific locations to search for plugins
 // in order of preference.
 //
@@ -59,20 +39,16 @@ func IsNotFound(err error) bool {
 // 3. Platform-specific defaultSystemPluginDirs.
 //
 // [ConfigFile.CLIPluginsExtraDirs]: https://pkg.go.dev/github.com/docker/cli@v26.1.4+incompatible/cli/config/configfile#ConfigFile.CLIPluginsExtraDirs
-func getPluginDirs(cfg *configfile.ConfigFile) ([]string, error) {
+func getPluginDirs(cfg *configfile.ConfigFile) []string {
 	var pluginDirs []string
 
 	if cfg != nil {
 		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
 	}
-	pluginDir, err := config.Path("cli-plugins")
-	if err != nil {
-		return nil, err
-	}
-
+	pluginDir := filepath.Join(config.Dir(), "cli-plugins")
 	pluginDirs = append(pluginDirs, pluginDir)
 	pluginDirs = append(pluginDirs, defaultSystemPluginDirs...)
-	return pluginDirs, nil
+	return pluginDirs
 }
 
 func addPluginCandidatesFromDir(res map[string][]string, d string) {
@@ -83,18 +59,26 @@ func addPluginCandidatesFromDir(res map[string][]string, d string) {
 		return
 	}
 	for _, dentry := range dentries {
-		switch dentry.Type() & os.ModeType {
-		case 0, os.ModeSymlink:
-			// Regular file or symlink, keep going
+		switch mode := dentry.Type() & os.ModeType; mode { //nolint:exhaustive,nolintlint // no need to include all possible file-modes in this list
+		case os.ModeSymlink:
+			if !debug.IsEnabled() {
+				// Skip broken symlinks unless debug is enabled. With debug
+				// enabled, this will print a warning in "docker info".
+				if _, err := os.Stat(filepath.Join(d, dentry.Name())); errors.Is(err, os.ErrNotExist) {
+					continue
+				}
+			}
+		case 0:
+			// Regular file, keep going
 		default:
 			// Something else, ignore.
 			continue
 		}
 		name := dentry.Name()
-		if !strings.HasPrefix(name, NamePrefix) {
+		if !strings.HasPrefix(name, metadata.NamePrefix) {
 			continue
 		}
-		name = strings.TrimPrefix(name, NamePrefix)
+		name = strings.TrimPrefix(name, metadata.NamePrefix)
 		var err error
 		if name, err = trimExeSuffix(name); err != nil {
 			continue
@@ -113,12 +97,12 @@ func listPluginCandidates(dirs []string) map[string][]string {
 }
 
 // GetPlugin returns a plugin on the system by its name
-func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
+func GetPlugin(name string, dockerCLI config.Provider, rootcmd *cobra.Command) (*Plugin, error) {
+	pluginDirs := getPluginDirs(dockerCLI.ConfigFile())
+	return getPlugin(name, pluginDirs, rootcmd)
+}
 
+func getPlugin(name string, pluginDirs []string, rootcmd *cobra.Command) (*Plugin, error) {
 	candidates := listPluginCandidates(pluginDirs)
 	if paths, ok := candidates[name]; ok {
 		if len(paths) == 0 {
@@ -129,7 +113,7 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 		if err != nil {
 			return nil, err
 		}
-		if !IsNotFound(p.Err) {
+		if !errdefs.IsNotFound(p.Err) {
 			p.ShadowedPaths = paths[1:]
 		}
 		return &p, nil
@@ -139,17 +123,21 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 }
 
 // ListPlugins produces a list of the plugins available on the system
-func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
-
+func ListPlugins(dockerCli config.Provider, rootcmd *cobra.Command) ([]Plugin, error) {
+	pluginDirs := getPluginDirs(dockerCli.ConfigFile())
 	candidates := listPluginCandidates(pluginDirs)
+	if len(candidates) == 0 {
+		return nil, nil
+	}
 
 	var plugins []Plugin
 	var mu sync.Mutex
-	eg, _ := errgroup.WithContext(context.TODO())
+	ctx := rootcmd.Context()
+	if ctx == nil {
+		// Fallback, mostly for tests that pass a bare cobra.command
+		ctx = context.Background()
+	}
+	eg, _ := errgroup.WithContext(ctx)
 	cmds := rootcmd.Commands()
 	for _, paths := range candidates {
 		func(paths []string) {
@@ -162,7 +150,7 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 				if err != nil {
 					return err
 				}
-				if !IsNotFound(p.Err) {
+				if !errdefs.IsNotFound(p.Err) {
 					p.ShadowedPaths = paths[1:]
 					mu.Lock()
 					defer mu.Unlock()
@@ -183,24 +171,21 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 	return plugins, nil
 }
 
-// PluginRunCommand returns an "os/exec".Cmd which when .Run() will execute the named plugin.
+// PluginRunCommand returns an [os/exec.Cmd] which when [os/exec.Cmd.Run] will execute the named plugin.
 // The rootcmd argument is referenced to determine the set of builtin commands in order to detect conficts.
-// The error returned satisfies the IsNotFound() predicate if no plugin was found or if the first candidate plugin was invalid somehow.
-func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
+// The error returned satisfies the [errdefs.IsNotFound] predicate if no plugin was found or if the first candidate plugin was invalid somehow.
+func PluginRunCommand(dockerCli config.Provider, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
 	// This uses the full original args, not the args which may
 	// have been provided by cobra to our caller. This is because
 	// they lack e.g. global options which we must propagate here.
 	args := os.Args[1:]
-	if !pluginNameRe.MatchString(name) {
+	if !isValidPluginName(name) {
 		// We treat this as "not found" so that callers will
 		// fallback to their "invalid" command path.
 		return nil, errPluginNotFound(name)
 	}
-	exename := addExeSuffix(NamePrefix + name)
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
+	exename := addExeSuffix(metadata.NamePrefix + name)
+	pluginDirs := getPluginDirs(dockerCli.ConfigFile())
 
 	for _, d := range pluginDirs {
 		path := filepath.Join(d, exename)
@@ -233,7 +218,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 
-		cmd.Env = append(cmd.Environ(), ReexecEnvvar+"="+os.Args[0])
+		cmd.Env = append(cmd.Environ(), metadata.ReexecEnvvar+"="+os.Args[0])
 		cmd.Env = appendPluginResourceAttributesEnvvar(cmd.Env, rootcmd, plugin)
 
 		return cmd, nil
@@ -243,5 +228,5 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 
 // IsPluginCommand checks if the given cmd is a plugin-stub.
 func IsPluginCommand(cmd *cobra.Command) bool {
-	return cmd.Annotations[CommandAnnotationPlugin] == "true"
+	return cmd.Annotations[metadata.CommandAnnotationPlugin] == "true"
 }

cli-plugins/manager/manager_test.go

@@ -1,9 +1,11 @@
 package manager
 
 import (
+	"path/filepath"
 	"strings"
 	"testing"
 
+	"github.com/containerd/errdefs"
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
@@ -36,7 +38,7 @@ func TestListPluginCandidates(t *testing.T) {
 			"plugins3-target", // Will be referenced as a symlink from below
 			fs.WithFile("docker-plugin1", ""),
 			fs.WithDir("ignored3"),
-			fs.WithSymlink("docker-brokensymlink", "broken"),           // A broken symlink is still a candidate (but would fail tests later)
+			fs.WithSymlink("docker-brokensymlink", "broken"),           // A broken symlink is ignored
 			fs.WithFile("non-plugin-symlinked", ""),                    // This shouldn't appear, but ...
 			fs.WithSymlink("docker-symlinked", "non-plugin-symlinked"), // ... this link to it should.
 		),
@@ -70,9 +72,6 @@ func TestListPluginCandidates(t *testing.T) {
 		"hardlink2": {
 			dir.Join("plugins2", "docker-hardlink2"),
 		},
-		"brokensymlink": {
-			dir.Join("plugins3", "docker-brokensymlink"),
-		},
 		"symlinked": {
 			dir.Join("plugins3", "docker-symlinked"),
 		},
@@ -81,6 +80,12 @@ func TestListPluginCandidates(t *testing.T) {
 	assert.DeepEqual(t, candidates, exp)
 }
 
+func TestListPluginCandidatesEmpty(t *testing.T) {
+	tmpDir := t.TempDir()
+	candidates := listPluginCandidates([]string{tmpDir, filepath.Join(tmpDir, "no-such-dir")})
+	assert.Assert(t, len(candidates) == 0)
+}
+
 // Regression test for https://github.com/docker/cli/issues/5643.
 // Check that inaccessible directories that come before accessible ones are ignored
 // and do not prevent the latter from being processed.
@@ -124,7 +129,7 @@ echo '{"SchemaVersion":"0.1.0"}'`, fs.WithMode(0o777)),
 
 	_, err = GetPlugin("ccc", cli, &cobra.Command{})
 	assert.Error(t, err, "Error: No such CLI plugin: ccc")
-	assert.Assert(t, IsNotFound(err))
+	assert.Assert(t, errdefs.IsNotFound(err))
 }
 
 func TestListPluginsIsSorted(t *testing.T) {
@@ -159,21 +164,18 @@ func TestErrPluginNotFound(t *testing.T) {
 	var err error = errPluginNotFound("test")
 	err.(errPluginNotFound).NotFound()
 	assert.Error(t, err, "Error: No such CLI plugin: test")
-	assert.Assert(t, IsNotFound(err))
-	assert.Assert(t, !IsNotFound(nil))
+	assert.Assert(t, errdefs.IsNotFound(err))
+	assert.Assert(t, !errdefs.IsNotFound(nil))
 }
 
 func TestGetPluginDirs(t *testing.T) {
 	cli := test.NewFakeCli(nil)
 
-	pluginDir, err := config.Path("cli-plugins")
-	assert.NilError(t, err)
+	pluginDir := filepath.Join(config.Dir(), "cli-plugins")
 	expected := append([]string{pluginDir}, defaultSystemPluginDirs...)
 
-	var pluginDirs []string
-	pluginDirs, err = getPluginDirs(cli.ConfigFile())
+	pluginDirs := getPluginDirs(cli.ConfigFile())
 	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
-	assert.NilError(t, err)
 
 	extras := []string{
 		"foo", "bar", "baz",
@@ -182,7 +184,6 @@ func TestGetPluginDirs(t *testing.T) {
 	cli.SetConfigFile(&configfile.ConfigFile{
 		CLIPluginsExtraDirs: extras,
 	})
-	pluginDirs, err = getPluginDirs(cli.ConfigFile())
+	pluginDirs = getPluginDirs(cli.ConfigFile())
 	assert.DeepEqual(t, expected, pluginDirs)
-	assert.NilError(t, err)
 }

cli-plugins/manager/plugin.go

@@ -2,22 +2,23 @@ package manager
 
 import (
 	"context"
+	"encoding"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"regexp"
+	"strconv"
 	"strings"
 
-	"github.com/pkg/errors"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/spf13/cobra"
 )
 
-var pluginNameRe = regexp.MustCompile("^[a-z][a-z0-9]*$")
-
 // Plugin represents a potential plugin with all it's metadata.
 type Plugin struct {
-	Metadata
+	metadata.Metadata
 
 	Name string `json:",omitempty"`
 	Path string `json:",omitempty"`
@@ -29,12 +30,34 @@ type Plugin struct {
 	ShadowedPaths []string `json:",omitempty"`
 }
 
+// MarshalJSON implements [json.Marshaler] to handle marshaling the
+// [Plugin.Err] field (Go doesn't marshal errors by default).
+func (p *Plugin) MarshalJSON() ([]byte, error) {
+	type Alias Plugin // avoid recursion
+
+	cp := *p // shallow copy to avoid mutating original
+
+	if cp.Err != nil {
+		if _, ok := cp.Err.(encoding.TextMarshaler); !ok {
+			cp.Err = &pluginError{cp.Err}
+		}
+	}
+
+	return json.Marshal((*Alias)(&cp))
+}
+
+// pluginCandidate represents a possible plugin candidate, for mocking purposes.
+type pluginCandidate interface {
+	Path() string
+	Metadata() ([]byte, error)
+}
+
 // newPlugin determines if the given candidate is valid and returns a
 // Plugin.  If the candidate fails one of the tests then `Plugin.Err`
 // is set, and is always a `pluginError`, but the `Plugin` is still
 // returned with no error. An error is only returned due to a
 // non-recoverable error.
-func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
+func newPlugin(c pluginCandidate, cmds []*cobra.Command) (Plugin, error) {
 	path := c.Path()
 	if path == "" {
 		return Plugin{}, errors.New("plugin candidate path cannot be empty")
@@ -44,24 +67,24 @@ func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 	// which would fail here, so there are all real errors.
 	fullname := filepath.Base(path)
 	if fullname == "." {
-		return Plugin{}, errors.Errorf("unable to determine basename of plugin candidate %q", path)
+		return Plugin{}, fmt.Errorf("unable to determine basename of plugin candidate %q", path)
 	}
 	var err error
 	if fullname, err = trimExeSuffix(fullname); err != nil {
-		return Plugin{}, errors.Wrapf(err, "plugin candidate %q", path)
+		return Plugin{}, fmt.Errorf("plugin candidate %q: %w", path, err)
 	}
-	if !strings.HasPrefix(fullname, NamePrefix) {
-		return Plugin{}, errors.Errorf("plugin candidate %q: does not have %q prefix", path, NamePrefix)
+	if !strings.HasPrefix(fullname, metadata.NamePrefix) {
+		return Plugin{}, fmt.Errorf("plugin candidate %q: does not have %q prefix", path, metadata.NamePrefix)
 	}
 
 	p := Plugin{
-		Name: strings.TrimPrefix(fullname, NamePrefix),
+		Name: strings.TrimPrefix(fullname, metadata.NamePrefix),
 		Path: path,
 	}
 
 	// Now apply the candidate tests, so these update p.Err.
-	if !pluginNameRe.MatchString(p.Name) {
-		p.Err = NewPluginError("plugin candidate %q did not match %q", p.Name, pluginNameRe.String())
+	if !isValidPluginName(p.Name) {
+		p.Err = newPluginError("plugin candidate %q did not match %q", p.Name, pluginNameFormat)
 		return p, nil
 	}
 
@@ -73,11 +96,11 @@ func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 			continue
 		}
 		if cmd.Name() == p.Name {
-			p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
+			p.Err = newPluginError("plugin %q duplicates builtin command", p.Name)
 			return p, nil
 		}
 		if cmd.HasAlias(p.Name) {
-			p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
+			p.Err = newPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
 			return p, nil
 		}
 	}
@@ -93,17 +116,42 @@ func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 		p.Err = wrapAsPluginError(err, "invalid metadata")
 		return p, nil
 	}
-	if p.Metadata.SchemaVersion != "0.1.0" {
-		p.Err = NewPluginError("plugin SchemaVersion %q is not valid, must be 0.1.0", p.Metadata.SchemaVersion)
+	if err := validateSchemaVersion(p.Metadata.SchemaVersion); err != nil {
+		p.Err = &pluginError{cause: err}
 		return p, nil
 	}
 	if p.Metadata.Vendor == "" {
-		p.Err = NewPluginError("plugin metadata does not define a vendor")
+		p.Err = newPluginError("plugin metadata does not define a vendor")
 		return p, nil
 	}
 	return p, nil
 }
 
+// validateSchemaVersion validates if the plugin's schemaVersion is supported.
+//
+// The current schema-version is "0.1.0", but we don't want to break compatibility
+// until v2.0.0 of the schema version. Check for the major version to be < 2.0.0.
+//
+// Note that CLI versions before 28.4.1 may not support these versions as they were
+// hard-coded to only accept "0.1.0".
+func validateSchemaVersion(version string) error {
+	if version == "0.1.0" {
+		return nil
+	}
+	if version == "" {
+		return errors.New("plugin SchemaVersion version cannot be empty")
+	}
+	major, _, ok := strings.Cut(version, ".")
+	majorVersion, err := strconv.Atoi(major)
+	if !ok || err != nil {
+		return fmt.Errorf("plugin SchemaVersion %q has wrong format: must be <major>.<minor>.<patch>", version)
+	}
+	if majorVersion > 1 {
+		return fmt.Errorf("plugin SchemaVersion %q is not supported: must be lower than 2.0.0", version)
+	}
+	return nil
+}
+
 // RunHook executes the plugin's hooks command
 // and returns its unprocessed output.
 func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte, error) {
@@ -112,9 +160,9 @@ func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte,
 		return nil, wrapAsPluginError(err, "failed to marshall hook data")
 	}
 
-	pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+	pCmd := exec.CommandContext(ctx, p.Path, p.Name, metadata.HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 	pCmd.Env = os.Environ()
-	pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
+	pCmd.Env = append(pCmd.Env, metadata.ReexecEnvvar+"="+os.Args[0])
 	hookCmdOutput, err := pCmd.Output()
 	if err != nil {
 		return nil, wrapAsPluginError(err, "failed to execute plugin hook subcommand")
@@ -122,3 +170,26 @@ func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte,
 
 	return hookCmdOutput, nil
 }
+
+// pluginNameFormat is used as part of errors for invalid plugin-names.
+// We should consider making this less technical ("must start with "a-z",
+// and only consist of lowercase alphanumeric characters").
+const pluginNameFormat = `^[a-z][a-z0-9]*$`
+
+func isValidPluginName(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	// first character must be a-z
+	if c := s[0]; c < 'a' || c > 'z' {
+		return false
+	}
+	// followed by a-z or 0-9
+	for i := 1; i < len(s); i++ {
+		c := s[i]
+		if (c < 'a' || c > 'z') && (c < '0' || c > '9') {
+			return false
+		}
+	}
+	return true
+}

cli-plugins/manager/plugin_test.go

@@ -0,0 +1,43 @@
+package manager
+
+import (
+	"encoding/json"
+	"errors"
+	"testing"
+
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestPluginMarshal(t *testing.T) {
+	const jsonWithError = `{"Name":"some-plugin","Err":"something went wrong"}`
+	const jsonNoError = `{"Name":"some-plugin"}`
+
+	tests := []struct {
+		doc      string
+		error    error
+		expected string
+	}{
+		{
+			doc:      "no error",
+			expected: jsonNoError,
+		},
+		{
+			doc:      "regular error",
+			error:    errors.New("something went wrong"),
+			expected: jsonWithError,
+		},
+		{
+			doc:      "custom error",
+			error:    newPluginError("something went wrong"),
+			expected: jsonWithError,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			actual, err := json.Marshal(&Plugin{Name: "some-plugin", Err: tc.error})
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(string(actual), tc.expected))
+		})
+	}
+}

cli-plugins/manager/suffix_windows.go

@@ -1,22 +1,16 @@
 package manager
 
 import (
+	"fmt"
 	"path/filepath"
 	"strings"
-
-	"github.com/pkg/errors"
 )
 
-// This is made slightly more complex due to needing to be case insensitive.
+// This is made slightly more complex due to needing to be case-insensitive.
 func trimExeSuffix(s string) (string, error) {
 	ext := filepath.Ext(s)
-	if ext == "" {
-		return "", errors.Errorf("path %q lacks required file extension", s)
-	}
-
-	exe := ".exe"
-	if !strings.EqualFold(ext, exe) {
-		return "", errors.Errorf("path %q lacks required %q suffix", s, exe)
+	if ext == "" || !strings.EqualFold(ext, ".exe") {
+		return "", fmt.Errorf("path %q lacks required file extension (.exe)", s)
 	}
 	return strings.TrimSuffix(s, ext), nil
 }

cli-plugins/manager/telemetry.go

@@ -0,0 +1,85 @@
+package manager
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli-plugins/metadata"
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/baggage"
+)
+
+const (
+	// resourceAttributesEnvVar is the name of the envvar that includes additional
+	// resource attributes for OTEL as defined in the [OpenTelemetry specification].
+	//
+	// [OpenTelemetry specification]: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/#general-sdk-configuration
+	resourceAttributesEnvVar = "OTEL_RESOURCE_ATTRIBUTES"
+
+	// dockerCLIAttributePrefix is the prefix for any docker cli OTEL attributes.
+	//
+	// It is a copy of the const defined in [command.dockerCLIAttributePrefix].
+	dockerCLIAttributePrefix = "docker.cli."
+	cobraCommandPath         = attribute.Key("cobra.command_path")
+)
+
+func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
+	commandPath := cmd.Annotations[metadata.CommandAnnotationPluginCommandPath]
+	if commandPath == "" {
+		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
+	}
+
+	attrSet := attribute.NewSet(
+		cobraCommandPath.String(commandPath),
+	)
+
+	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
+	for iter := attrSet.Iter(); iter.Next(); {
+		attr := iter.Attribute()
+		kvs = append(kvs, attribute.KeyValue{
+			Key:   dockerCLIAttributePrefix + attr.Key,
+			Value: attr.Value,
+		})
+	}
+	return attribute.NewSet(kvs...)
+}
+
+func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
+	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
+		// Construct baggage members for each of the attributes.
+		// Ignore any failures as these aren't significant and
+		// represent an internal issue.
+		members := make([]baggage.Member, 0, attrs.Len())
+		for iter := attrs.Iter(); iter.Next(); {
+			attr := iter.Attribute()
+			m, err := baggage.NewMemberRaw(string(attr.Key), attr.Value.AsString())
+			if err != nil {
+				otel.Handle(err)
+				continue
+			}
+			members = append(members, m)
+		}
+
+		// Combine plugin added resource attributes with ones found in the environment
+		// variable. Our own attributes should be namespaced so there shouldn't be a
+		// conflict. We do not parse the environment variable because we do not want
+		// to handle errors in user configuration.
+		attrsSlice := make([]string, 0, 2)
+		if v := strings.TrimSpace(os.Getenv(resourceAttributesEnvVar)); v != "" {
+			attrsSlice = append(attrsSlice, v)
+		}
+		if b, err := baggage.New(members...); err != nil {
+			otel.Handle(err)
+		} else if b.Len() > 0 {
+			attrsSlice = append(attrsSlice, b.String())
+		}
+
+		if len(attrsSlice) > 0 {
+			env = append(env, resourceAttributesEnvVar+"="+strings.Join(attrsSlice, ","))
+		}
+	}
+	return env
+}

cli-plugins/metadata/annotations.go

@@ -0,0 +1,28 @@
+package metadata
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = "com.docker.cli.plugin"
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+
+	// CommandAnnotationPluginCommandPath is added to overwrite the
+	// command path for a plugin invocation.
+	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
+)

cli-plugins/metadata/metadata.go

@@ -1,4 +1,4 @@
-package manager
+package metadata
 
 const (
 	// NamePrefix is the prefix required on all plugin binary names
@@ -13,6 +13,12 @@ const (
 	// which must be implemented by plugins declaring support
 	// for hooks in their metadata.
 	HookSubcommandName = "docker-cli-plugin-hooks"
+
+	// ReexecEnvvar is the name of an ennvar which is set to the command
+	// used to originally invoke the docker CLI when executing a
+	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+	// the plugin to re-execute the original CLI.
+	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
 )
 
 // Metadata provided by the plugin.
@@ -27,4 +33,6 @@ type Metadata struct {
 	ShortDescription string `json:",omitempty"`
 	// URL is a pointer to the plugin's homepage.
 	URL string `json:",omitempty"`
+	// Hidden hides the plugin in completion and help message output.
+	Hidden bool `json:",omitempty"`
 }

cli-plugins/plugin/plugin.go

@@ -9,12 +9,12 @@ import (
 	"sync"
 
 	"github.com/docker/cli/cli"
-	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli-plugins/socket"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/cli/cli/debug"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 	"go.opentelemetry.io/otel"
 )
@@ -30,7 +30,7 @@ import (
 var PersistentPreRunE func(*cobra.Command, []string) error
 
 // RunPlugin executes the specified plugin command
-func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) error {
+func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta metadata.Metadata) error {
 	tcmd := newPluginCommand(dockerCli, plugin, meta)
 
 	var persistentPreRunOnce sync.Once
@@ -80,19 +80,23 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 	return cmd.Execute()
 }
 
-// Run is the top-level entry point to the CLI plugin framework. It should be called from your plugin's `main()` function.
-func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
+// Run is the top-level entry point to the CLI plugin framework. It should
+// be called from the plugin's "main()" function. It initializes a new
+// [command.DockerCli] instance with the given options before calling
+// makeCmd to construct the plugin command, then invokes the plugin command
+// using [RunPlugin].
+func Run(makeCmd func(command.Cli) *cobra.Command, meta metadata.Metadata, ops ...command.CLIOption) {
 	otel.SetErrorHandler(debug.OTELErrorHandler)
 
-	dockerCli, err := command.NewDockerCli()
+	dockerCLI, err := command.NewDockerCli(ops...)
 	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
+		_, _ = fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
 
-	plugin := makeCmd(dockerCli)
+	plugin := makeCmd(dockerCLI)
 
-	if err := RunPlugin(dockerCli, plugin, meta); err != nil {
+	if err := RunPlugin(dockerCLI, plugin, meta); err != nil {
 		var stErr cli.StatusError
 		if errors.As(err, &stErr) {
 			// StatusError should only be used for errors, and all errors should
@@ -100,18 +104,18 @@ func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
 			if stErr.StatusCode == 0 { // FIXME(thaJeztah): this should never be used with a zero status-code. Check if we do this anywhere.
 				stErr.StatusCode = 1
 			}
-			_, _ = fmt.Fprintln(dockerCli.Err(), stErr)
+			_, _ = fmt.Fprintln(dockerCLI.Err(), stErr)
 			os.Exit(stErr.StatusCode)
 		}
-		_, _ = fmt.Fprintln(dockerCli.Err(), err)
+		_, _ = fmt.Fprintln(dockerCLI.Err(), err)
 		os.Exit(1)
 	}
 }
 
 func withPluginClientConn(name string) command.CLIOption {
-	return command.WithInitializeClient(func(dockerCli *command.DockerCli) (client.APIClient, error) {
+	return func(cli *command.DockerCli) error {
 		cmd := "docker"
-		if x := os.Getenv(manager.ReexecEnvvar); x != "" {
+		if x := os.Getenv(metadata.ReexecEnvvar); x != "" {
 			cmd = x
 		}
 		var flags []string
@@ -133,16 +137,19 @@ func withPluginClientConn(name string) command.CLIOption {
 
 		helper, err := connhelper.GetCommandConnectionHelper(cmd, flags...)
 		if err != nil {
-			return nil, err
+			return err
 		}
-
-		return client.NewClientWithOpts(client.WithDialContext(helper.Dialer))
-	})
+		apiClient, err := client.New(client.WithDialContext(helper.Dialer))
+		if err != nil {
+			return err
+		}
+		return command.WithAPIClient(apiClient)(cli)
+	}
 }
 
-func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) *cli.TopLevelCommand {
+func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta metadata.Metadata) *cli.TopLevelCommand {
 	name := plugin.Name()
-	fullname := manager.NamePrefix + name
+	fullname := metadata.NamePrefix + name
 
 	cmd := &cobra.Command{
 		Use:           fmt.Sprintf("docker [OPTIONS] %s [ARG...]", name),
@@ -161,6 +168,11 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 			DisableDescriptions: os.Getenv("DOCKER_CLI_DISABLE_COMPLETION_DESCRIPTION") != "",
 		},
 	}
+
+	// Disable file-completion by default. Most commands and flags should not
+	// complete with filenames.
+	cmd.CompletionOptions.SetDefaultShellCompDirective(cobra.ShellCompDirectiveNoFileComp)
+
 	opts, _ := cli.SetupPluginRootCommand(cmd)
 
 	cmd.SetIn(dockerCli.In())
@@ -172,17 +184,30 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 		newMetadataSubcommand(plugin, meta),
 	)
 
-	cli.DisableFlagsInUseLine(cmd)
+	visitAll(cmd,
+		// prevent adding "[flags]" to the end of the usage line.
+		func(c *cobra.Command) { c.DisableFlagsInUseLine = true },
+	)
 
 	return cli.NewTopLevelCommand(cmd, dockerCli, opts, cmd.Flags())
 }
 
-func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.Command {
+// visitAll traverses all commands from the root.
+func visitAll(root *cobra.Command, fns ...func(*cobra.Command)) {
+	for _, cmd := range root.Commands() {
+		visitAll(cmd, fns...)
+	}
+	for _, fn := range fns {
+		fn(root)
+	}
+}
+
+func newMetadataSubcommand(plugin *cobra.Command, meta metadata.Metadata) *cobra.Command {
 	if meta.ShortDescription == "" {
 		meta.ShortDescription = plugin.Short
 	}
 	cmd := &cobra.Command{
-		Use:    manager.MetadataSubcommandName,
+		Use:    metadata.MetadataSubcommandName,
 		Hidden: true,
 		// Suppress the global/parent PersistentPreRunE, which
 		// needlessly initializes the client and tries to
@@ -200,8 +225,8 @@ func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.
 
 // RunningStandalone tells a CLI plugin it is run standalone by direct execution
 func RunningStandalone() bool {
-	if os.Getenv(manager.ReexecEnvvar) != "" {
+	if os.Getenv(metadata.ReexecEnvvar) != "" {
 		return false
 	}
-	return len(os.Args) < 2 || os.Args[1] != manager.MetadataSubcommandName
+	return len(os.Args) < 2 || os.Args[1] != metadata.MetadataSubcommandName
 }

cli-plugins/plugin/plugin_test.go

@@ -0,0 +1,28 @@
+package plugin
+
+import (
+	"slices"
+	"testing"
+
+	"github.com/spf13/cobra"
+)
+
+func TestVisitAll(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{Use: "sub1"}
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{Use: "sub2"}
+
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	var visited []string
+	visitAll(root, func(ccmd *cobra.Command) {
+		visited = append(visited, ccmd.Name())
+	})
+	expected := []string{"sub1sub1", "sub1sub2", "sub1", "sub2", "root"}
+	if !slices.Equal(expected, visited) {
+		t.Errorf("expected %#v, got %#v", expected, visited)
+	}
+}

cli-plugins/socket/socket_test.go

@@ -178,24 +178,39 @@ func TestConnectAndWait(t *testing.T) {
 	// TODO: this test cannot be executed with `t.Parallel()`, due to
 	// relying on goroutine numbers to ensure correct behaviour
 	t.Run("connect goroutine exits after EOF", func(t *testing.T) {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
 		srv, err := NewPluginServer(nil)
 		assert.NilError(t, err, "failed to setup server")
 
 		defer srv.Close()
 
 		t.Setenv(EnvKey, srv.Addr().String())
+
+		runtime.Gosched()
 		numGoroutines := runtime.NumGoroutine()
 
 		ConnectAndWait(func() {})
-		assert.Equal(t, runtime.NumGoroutine(), numGoroutines+1)
+
+		runtime.Gosched()
+		poll.WaitOn(t, func(t poll.LogT) poll.Result {
+			// +1 goroutine for the poll.WaitOn
+			// +1 goroutine for the connect goroutine
+			if runtime.NumGoroutine() < numGoroutines+1+1 {
+				return poll.Continue("waiting for connect goroutine to spawn")
+			}
+			return poll.Success()
+		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(500*time.Millisecond))
 
 		srv.Close()
 
+		runtime.Gosched()
 		poll.WaitOn(t, func(t poll.LogT) poll.Result {
+			// +1 goroutine for the poll.WaitOn
 			if runtime.NumGoroutine() > numGoroutines+1 {
 				return poll.Continue("waiting for connect goroutine to exit")
 			}
 			return poll.Success()
-		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
+		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(500*time.Millisecond))
 	})
 }

cli/cobra.go

@@ -3,19 +3,15 @@ package cli
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 	"sort"
 	"strings"
 
-	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli/command"
 	cliflags "github.com/docker/cli/cli/flags"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/registry"
 	"github.com/fvbommel/sortorder"
 	"github.com/moby/term"
 	"github.com/morikuni/aec"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -62,13 +58,6 @@ func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *c
 		"docs.code-delimiter": `"`, // https://github.com/docker/cli-docs-tool/blob/77abede22166eaea4af7335096bdcedd043f5b19/annotation/annotation.go#L20-L22
 	}
 
-	// Configure registry.CertsDir() when running in rootless-mode
-	if os.Getenv("ROOTLESSKIT_STATE_DIR") != "" {
-		if configHome, err := homedir.GetConfigHome(); err == nil {
-			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
-		}
-	}
-
 	return opts, helpCommand
 }
 
@@ -177,35 +166,6 @@ func (tcmd *TopLevelCommand) Initialize(ops ...command.CLIOption) error {
 	return tcmd.dockerCli.Initialize(tcmd.opts, ops...)
 }
 
-// VisitAll will traverse all commands from the root.
-// This is different from the VisitAll of cobra.Command where only parents
-// are checked.
-func VisitAll(root *cobra.Command, fn func(*cobra.Command)) {
-	for _, cmd := range root.Commands() {
-		VisitAll(cmd, fn)
-	}
-	fn(root)
-}
-
-// DisableFlagsInUseLine sets the DisableFlagsInUseLine flag on all
-// commands within the tree rooted at cmd.
-func DisableFlagsInUseLine(cmd *cobra.Command) {
-	VisitAll(cmd, func(ccmd *cobra.Command) {
-		// do not add a `[flags]` to the end of the usage line.
-		ccmd.DisableFlagsInUseLine = true
-	})
-}
-
-// HasCompletionArg returns true if a cobra completion arg request is found.
-func HasCompletionArg(args []string) bool {
-	for _, arg := range args {
-		if arg == cobra.ShellCompRequestCmd || arg == cobra.ShellCompNoDescRequestCmd {
-			return true
-		}
-	}
-	return false
-}
-
 var helpCommand = &cobra.Command{
 	Use:               "help [command]",
 	Short:             "Help about the command",
@@ -214,7 +174,7 @@ var helpCommand = &cobra.Command{
 	RunE: func(c *cobra.Command, args []string) error {
 		cmd, args, e := c.Root().Find(args)
 		if cmd == nil || e != nil || len(args) > 0 {
-			return errors.Errorf("unknown help topic: %v", strings.Join(args, " "))
+			return fmt.Errorf("unknown help topic: %v", strings.Join(args, " "))
 		}
 		helpFunc := cmd.HelpFunc()
 		helpFunc(cmd, args)
@@ -252,7 +212,7 @@ func hasAdditionalHelp(cmd *cobra.Command) bool {
 }
 
 func isPlugin(cmd *cobra.Command) bool {
-	return pluginmanager.IsPluginCommand(cmd)
+	return cmd.Annotations[metadata.CommandAnnotationPlugin] == "true"
 }
 
 func hasAliases(cmd *cobra.Command) bool {
@@ -290,11 +250,12 @@ func commandAliases(cmd *cobra.Command) string {
 	if cmd.HasParent() {
 		parentPath = cmd.Parent().CommandPath() + " "
 	}
-	aliases := cmd.CommandPath()
+	var aliases strings.Builder
+	aliases.WriteString(cmd.CommandPath())
 	for _, alias := range cmd.Aliases {
-		aliases += ", " + parentPath + alias
+		aliases.WriteString(", " + parentPath + alias)
 	}
-	return aliases
+	return aliases.String()
 }
 
 func topCommands(cmd *cobra.Command) []*cobra.Command {
@@ -356,9 +317,9 @@ func decoratedName(cmd *cobra.Command) string {
 }
 
 func vendorAndVersion(cmd *cobra.Command) string {
-	if vendor, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
+	if vendor, ok := cmd.Annotations[metadata.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
 		version := ""
-		if v, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVersion]; ok && v != "" {
+		if v, ok := cmd.Annotations[metadata.CommandAnnotationPluginVersion]; ok && v != "" {
 			version = ", " + v
 		}
 		return fmt.Sprintf("(%s%s)", vendor, version)
@@ -390,13 +351,10 @@ func orchestratorSubCommands(cmd *cobra.Command) []*cobra.Command {
 func allManagementSubCommands(cmd *cobra.Command) []*cobra.Command {
 	cmds := []*cobra.Command{}
 	for _, sub := range cmd.Commands() {
-		if isPlugin(sub) {
-			if invalidPluginReason(sub) == "" {
-				cmds = append(cmds, sub)
-			}
+		if invalidPluginReason(sub) != "" {
 			continue
 		}
-		if sub.IsAvailableCommand() && sub.HasSubCommands() {
+		if sub.IsAvailableCommand() && (isPlugin(sub) || sub.HasSubCommands()) {
 			cmds = append(cmds, sub)
 		}
 	}
@@ -417,7 +375,7 @@ func invalidPlugins(cmd *cobra.Command) []*cobra.Command {
 }
 
 func invalidPluginReason(cmd *cobra.Command) string {
-	return cmd.Annotations[pluginmanager.CommandAnnotationPluginInvalid]
+	return cmd.Annotations[metadata.CommandAnnotationPluginInvalid]
 }
 
 const usageTemplate = `Usage:

cli/cobra_test.go

@@ -3,35 +3,13 @@ package cli
 import (
 	"testing"
 
-	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
-func TestVisitAll(t *testing.T) {
-	root := &cobra.Command{Use: "root"}
-	sub1 := &cobra.Command{Use: "sub1"}
-	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
-	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
-	sub2 := &cobra.Command{Use: "sub2"}
-
-	root.AddCommand(sub1, sub2)
-	sub1.AddCommand(sub1sub1, sub1sub2)
-
-	// Take the opportunity to test DisableFlagsInUseLine too
-	DisableFlagsInUseLine(root)
-
-	var visited []string
-	VisitAll(root, func(ccmd *cobra.Command) {
-		visited = append(visited, ccmd.Name())
-		assert.Assert(t, ccmd.DisableFlagsInUseLine, "DisableFlagsInUseLine not set on %q", ccmd.Name())
-	})
-	expected := []string{"sub1sub1", "sub1sub2", "sub1", "sub2", "root"}
-	assert.DeepEqual(t, expected, visited)
-}
-
 func TestVendorAndVersion(t *testing.T) {
 	// Non plugin.
 	assert.Equal(t, vendorAndVersion(&cobra.Command{Use: "test"}), "")
@@ -49,9 +27,9 @@ func TestVendorAndVersion(t *testing.T) {
 			cmd := &cobra.Command{
 				Use: "test",
 				Annotations: map[string]string{
-					pluginmanager.CommandAnnotationPlugin:        "true",
-					pluginmanager.CommandAnnotationPluginVendor:  tc.vendor,
-					pluginmanager.CommandAnnotationPluginVersion: tc.version,
+					metadata.CommandAnnotationPlugin:        "true",
+					metadata.CommandAnnotationPluginVendor:  tc.vendor,
+					metadata.CommandAnnotationPluginVersion: tc.version,
 				},
 			}
 			assert.Equal(t, vendorAndVersion(cmd), tc.expected)
@@ -69,8 +47,8 @@ func TestInvalidPlugin(t *testing.T) {
 	assert.Assert(t, is.Len(invalidPlugins(root), 0))
 
 	sub1.Annotations = map[string]string{
-		pluginmanager.CommandAnnotationPlugin:        "true",
-		pluginmanager.CommandAnnotationPluginInvalid: "foo",
+		metadata.CommandAnnotationPlugin:        "true",
+		metadata.CommandAnnotationPluginInvalid: "foo",
 	}
 	root.AddCommand(sub1, sub2)
 	sub1.AddCommand(sub1sub1, sub1sub2)
@@ -78,6 +56,33 @@ func TestInvalidPlugin(t *testing.T) {
 	assert.DeepEqual(t, invalidPlugins(root), []*cobra.Command{sub1}, cmpopts.IgnoreUnexported(cobra.Command{}))
 }
 
+func TestHiddenPlugin(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{
+		Use:    "sub1",
+		Hidden: true,
+		Annotations: map[string]string{
+			metadata.CommandAnnotationPlugin: "true",
+		},
+		Run: func(cmd *cobra.Command, args []string) {},
+	}
+
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{
+		Use: "sub2",
+		Annotations: map[string]string{
+			metadata.CommandAnnotationPlugin: "true",
+		},
+		Run: func(cmd *cobra.Command, args []string) {},
+	}
+
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	assert.DeepEqual(t, allManagementSubCommands(root), []*cobra.Command{sub2}, cmpopts.IgnoreFields(cobra.Command{}, "Run"), cmpopts.IgnoreUnexported(cobra.Command{}))
+}
+
 func TestCommandAliases(t *testing.T) {
 	root := &cobra.Command{Use: "root"}
 	sub := &cobra.Command{Use: "subcommand", Aliases: []string{"alias1", "alias2"}}
@@ -100,6 +105,6 @@ func TestDecoratedName(t *testing.T) {
 	topLevelCommand := &cobra.Command{Use: "pluginTopLevelCommand"}
 	root.AddCommand(topLevelCommand)
 	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand ")
-	topLevelCommand.Annotations = map[string]string{pluginmanager.CommandAnnotationPlugin: "true"}
+	topLevelCommand.Annotations = map[string]string{metadata.CommandAnnotationPlugin: "true"}
 	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand*")
 }

cli/command/builder/client_test.go

@@ -3,18 +3,17 @@ package builder
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
 )
 
 type fakeClient struct {
 	client.Client
-	builderPruneFunc func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
+	builderPruneFunc func(ctx context.Context, opts client.BuildCachePruneOptions) (client.BuildCachePruneResult, error)
 }
 
-func (c *fakeClient) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+func (c *fakeClient) BuildCachePrune(ctx context.Context, opts client.BuildCachePruneOptions) (client.BuildCachePruneResult, error) {
 	if c.builderPruneFunc != nil {
 		return c.builderPruneFunc(ctx, opts)
 	}
-	return nil, nil
+	return client.BuildCachePruneResult{}, nil
 }

cli/command/builder/cmd.go

@@ -6,20 +6,52 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/internal/commands"
 )
 
-// NewBuilderCommand returns a cobra command for `builder` subcommands
-func NewBuilderCommand(dockerCli command.Cli) *cobra.Command {
+func init() {
+	commands.Register(newBuilderCommand)
+	commands.Register(func(c command.Cli) *cobra.Command {
+		return newBakeStubCommand(c)
+	})
+}
+
+// newBuilderCommand returns a cobra command for `builder` subcommands
+func newBuilderCommand(dockerCLI command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:         "builder",
 		Short:       "Manage builds",
 		Args:        cli.NoArgs,
-		RunE:        command.ShowHelp(dockerCli.Err()),
+		RunE:        command.ShowHelp(dockerCLI.Err()),
 		Annotations: map[string]string{"version": "1.31"},
+
+		DisableFlagsInUseLine: true,
 	}
 	cmd.AddCommand(
-		NewPruneCommand(dockerCli),
-		image.NewBuildCommand(dockerCli),
+		newPruneCommand(dockerCLI),
+		// we should have a mechanism for registering sub-commands in the cli/internal/commands.Register function.
+		//nolint:staticcheck // TODO: Remove when migration to cli/internal/commands.Register is complete. (see #6283)
+		image.NewBuildCommand(dockerCLI),
 	)
 	return cmd
 }
+
+// newBakeStubCommand returns a cobra command "stub" for the "bake" subcommand.
+// This command is a placeholder / stub that is dynamically replaced by an
+// alias for "docker buildx bake" if BuildKit is enabled (and the buildx plugin
+// installed).
+func newBakeStubCommand(dockerCLI command.Streams) *cobra.Command {
+	return &cobra.Command{
+		Use:   "bake [OPTIONS] [TARGET...]",
+		Short: "Build from a file",
+		RunE:  command.ShowHelp(dockerCLI.Err()),
+		Annotations: map[string]string{
+			// We want to show this command in the "top" category in --help
+			// output, and not to be grouped under "management commands".
+			"category-top": "5",
+			"aliases":      "docker buildx bake",
+			"version":      "1.31",
+		},
+		DisableFlagsInUseLine: true,
+	}
+}

cli/command/builder/prune.go

@@ -8,23 +8,30 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/system/pruner"
+	"github.com/docker/cli/internal/prompt"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/errdefs"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-type pruneOptions struct {
-	force       bool
-	all         bool
-	filter      opts.FilterOpt
-	keepStorage opts.MemBytes
+func init() {
+	// Register the prune command to run as part of "docker system prune"
+	if err := pruner.Register(pruner.TypeBuildCache, pruneFn); err != nil {
+		panic(err)
+	}
 }
 
-// NewPruneCommand returns a new cobra prune command for images
-func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+type pruneOptions struct {
+	force         bool
+	all           bool
+	filter        opts.FilterOpt
+	reservedSpace opts.MemBytes
+}
+
+// newPruneCommand returns a new cobra prune command for images
+func newPruneCommand(dockerCLI command.Cli) *cobra.Command {
 	options := pruneOptions{filter: opts.NewFilterOpt()}
 
 	cmd := &cobra.Command{
@@ -32,25 +39,26 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Remove build cache",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			spaceReclaimed, output, err := runPrune(cmd.Context(), dockerCli, options)
+			spaceReclaimed, output, err := runPrune(cmd.Context(), dockerCLI, options)
 			if err != nil {
 				return err
 			}
 			if output != "" {
-				fmt.Fprintln(dockerCli.Out(), output)
+				_, _ = fmt.Fprintln(dockerCLI.Out(), output)
 			}
-			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
+			_, _ = fmt.Fprintln(dockerCLI.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
 			return nil
 		},
-		Annotations:       map[string]string{"version": "1.39"},
-		ValidArgsFunction: completion.NoComplete,
+		Annotations:           map[string]string{"version": "1.39"},
+		ValidArgsFunction:     cobra.NoFileCompletions,
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused build cache, not just dangling ones")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g. "until=24h")`)
-	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
+	flags.Var(&options.reservedSpace, "keep-storage", "Amount of disk space to keep for cache")
 
 	return cmd
 }
@@ -61,32 +69,31 @@ const (
 )
 
 func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
-	pruneFilters := options.filter.Value()
-	pruneFilters = command.PruneFilters(dockerCli, pruneFilters)
+	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
 
 	warning := normalWarning
 	if options.all {
 		warning = allCacheWarning
 	}
 	if !options.force {
-		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		r, err := prompt.Confirm(ctx, dockerCli.In(), dockerCli.Out(), warning)
 		if err != nil {
 			return 0, "", err
 		}
 		if !r {
-			return 0, "", errdefs.Cancelled(errors.New("builder prune has been cancelled"))
+			return 0, "", cancelledErr{errors.New("builder prune has been cancelled")}
 		}
 	}
 
-	report, err := dockerCli.Client().BuildCachePrune(ctx, types.BuildCachePruneOptions{
-		All:         options.all,
-		KeepStorage: options.keepStorage.Value(),
-		Filters:     pruneFilters,
+	resp, err := dockerCli.Client().BuildCachePrune(ctx, client.BuildCachePruneOptions{
+		All:           options.all,
+		ReservedSpace: options.reservedSpace.Value(),
+		Filters:       pruneFilters,
 	})
 	if err != nil {
 		return 0, "", err
 	}
-
+	report := resp.Report
 	if len(report.CachesDeleted) > 0 {
 		var sb strings.Builder
 		sb.WriteString("Deleted build cache objects:\n")
@@ -100,7 +107,26 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	return report.SpaceReclaimed, output, nil
 }
 
-// CachePrune executes a prune command for build cache
-func CachePrune(ctx context.Context, dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
-	return runPrune(ctx, dockerCli, pruneOptions{force: true, all: all, filter: filter})
+type cancelledErr struct{ error }
+
+func (cancelledErr) Cancelled() {}
+
+// pruneFn prunes the build cache for use in "docker system prune" and
+// returns the amount of space reclaimed and a detailed output string.
+func pruneFn(ctx context.Context, dockerCLI command.Cli, options pruner.PruneOptions) (uint64, string, error) {
+	if !options.Confirmed {
+		// Dry-run: perform validation and produce confirmation before pruning.
+		var confirmMsg string
+		if options.All {
+			confirmMsg = "all build cache"
+		} else {
+			confirmMsg = "unused build cache"
+		}
+		return 0, confirmMsg, cancelledErr{errors.New("builder prune has been cancelled")}
+	}
+	return runPrune(ctx, dockerCLI, pruneOptions{
+		force:  true,
+		all:    options.All,
+		filter: options.Filter,
+	})
 }

cli/command/builder/prune_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
+	"github.com/moby/moby/client"
 )
 
 func TestBuilderPromptTermination(t *testing.T) {
@@ -15,11 +15,11 @@ func TestBuilderPromptTermination(t *testing.T) {
 	t.Cleanup(cancel)
 
 	cli := test.NewFakeCli(&fakeClient{
-		builderPruneFunc: func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
-			return nil, errors.New("fakeClient builderPruneFunc should not be called")
+		builderPruneFunc: func(ctx context.Context, opts client.BuildCachePruneOptions) (client.BuildCachePruneResult, error) {
+			return client.BuildCachePruneResult{}, errors.New("fakeClient builderPruneFunc should not be called")
 		},
 	})
-	cmd := NewPruneCommand(cli)
+	cmd := newPruneCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 	test.TerminatePrompt(ctx, t, cmd, cli)

cli/command/checkpoint/client_test.go

@@ -3,34 +3,33 @@ package checkpoint
 import (
 	"context"
 
-	"github.com/docker/docker/api/types/checkpoint"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
 )
 
 type fakeClient struct {
 	client.Client
-	checkpointCreateFunc func(container string, options checkpoint.CreateOptions) error
-	checkpointDeleteFunc func(container string, options checkpoint.DeleteOptions) error
-	checkpointListFunc   func(container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error)
+	checkpointCreateFunc func(container string, options client.CheckpointCreateOptions) (client.CheckpointCreateResult, error)
+	checkpointDeleteFunc func(container string, options client.CheckpointRemoveOptions) (client.CheckpointRemoveResult, error)
+	checkpointListFunc   func(container string, options client.CheckpointListOptions) (client.CheckpointListResult, error)
 }
 
-func (cli *fakeClient) CheckpointCreate(_ context.Context, container string, options checkpoint.CreateOptions) error {
+func (cli *fakeClient) CheckpointCreate(_ context.Context, container string, options client.CheckpointCreateOptions) (client.CheckpointCreateResult, error) {
 	if cli.checkpointCreateFunc != nil {
 		return cli.checkpointCreateFunc(container, options)
 	}
-	return nil
+	return client.CheckpointCreateResult{}, nil
 }
 
-func (cli *fakeClient) CheckpointDelete(_ context.Context, container string, options checkpoint.DeleteOptions) error {
+func (cli *fakeClient) CheckpointRemove(_ context.Context, container string, options client.CheckpointRemoveOptions) (client.CheckpointRemoveResult, error) {
 	if cli.checkpointDeleteFunc != nil {
 		return cli.checkpointDeleteFunc(container, options)
 	}
-	return nil
+	return client.CheckpointRemoveResult{}, nil
 }
 
-func (cli *fakeClient) CheckpointList(_ context.Context, container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error) {
+func (cli *fakeClient) CheckpointList(_ context.Context, container string, options client.CheckpointListOptions) (client.CheckpointListResult, error) {
 	if cli.checkpointListFunc != nil {
 		return cli.checkpointListFunc(container, options)
 	}
-	return []checkpoint.Summary{}, nil
+	return client.CheckpointListResult{}, nil
 }

cli/command/checkpoint/cmd.go

@@ -3,26 +3,32 @@ package checkpoint
 import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/commands"
 	"github.com/spf13/cobra"
 )
 
-// NewCheckpointCommand returns the `checkpoint` subcommand (only in experimental)
-func NewCheckpointCommand(dockerCli command.Cli) *cobra.Command {
+func init() {
+	commands.Register(newCheckpointCommand)
+}
+
+// newCheckpointCommand returns the `checkpoint` subcommand (only in experimental)
+func newCheckpointCommand(dockerCLI command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "checkpoint",
 		Short: "Manage checkpoints",
 		Args:  cli.NoArgs,
-		RunE:  command.ShowHelp(dockerCli.Err()),
+		RunE:  command.ShowHelp(dockerCLI.Err()),
 		Annotations: map[string]string{
 			"experimental": "",
 			"ostype":       "linux",
 			"version":      "1.25",
 		},
+		DisableFlagsInUseLine: true,
 	}
 	cmd.AddCommand(
-		newCreateCommand(dockerCli),
-		newListCommand(dockerCli),
-		newRemoveCommand(dockerCli),
+		newCreateCommand(dockerCLI),
+		newListCommand(dockerCLI),
+		newRemoveCommand(dockerCLI),
 	)
 	return cmd
 }

cli/command/checkpoint/create.go

@@ -6,8 +6,7 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -18,7 +17,7 @@ type createOptions struct {
 	leaveRunning  bool
 }
 
-func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+func newCreateCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts createOptions
 
 	cmd := &cobra.Command{
@@ -28,9 +27,10 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.container = args[0]
 			opts.checkpoint = args[1]
-			return runCreate(cmd.Context(), dockerCli, opts)
+			return runCreate(cmd.Context(), dockerCLI, opts)
 		},
-		ValidArgsFunction: completion.NoComplete,
+		ValidArgsFunction:     cobra.NoFileCompletions,
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -41,7 +41,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 func runCreate(ctx context.Context, dockerCLI command.Cli, opts createOptions) error {
-	err := dockerCLI.Client().CheckpointCreate(ctx, opts.container, checkpoint.CreateOptions{
+	_, err := dockerCLI.Client().CheckpointCreate(ctx, opts.container, client.CheckpointCreateOptions{
 		CheckpointID:  opts.checkpoint,
 		CheckpointDir: opts.checkpointDir,
 		Exit:          !opts.leaveRunning,

cli/command/checkpoint/create_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -16,7 +16,7 @@ import (
 func TestCheckpointCreateErrors(t *testing.T) {
 	testCases := []struct {
 		args                 []string
-		checkpointCreateFunc func(container string, options checkpoint.CreateOptions) error
+		checkpointCreateFunc func(container string, options client.CheckpointCreateOptions) (client.CheckpointCreateResult, error)
 		expectedError        string
 	}{
 		{
@@ -29,8 +29,8 @@ func TestCheckpointCreateErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo", "bar"},
-			checkpointCreateFunc: func(container string, options checkpoint.CreateOptions) error {
-				return errors.New("error creating checkpoint for container foo")
+			checkpointCreateFunc: func(container string, options client.CheckpointCreateOptions) (client.CheckpointCreateResult, error) {
+				return client.CheckpointCreateResult{}, errors.New("error creating checkpoint for container foo")
 			},
 			expectedError: "error creating checkpoint for container foo",
 		},
@@ -59,12 +59,12 @@ func TestCheckpointCreateWithOptions(t *testing.T) {
 		leaveRunning := strconv.FormatBool(tc)
 		t.Run("leave-running="+leaveRunning, func(t *testing.T) {
 			var actualContainerName string
-			var actualOptions checkpoint.CreateOptions
+			var actualOptions client.CheckpointCreateOptions
 			cli := test.NewFakeCli(&fakeClient{
-				checkpointCreateFunc: func(container string, options checkpoint.CreateOptions) error {
+				checkpointCreateFunc: func(container string, options client.CheckpointCreateOptions) (client.CheckpointCreateResult, error) {
 					actualContainerName = container
 					actualOptions = options
-					return nil
+					return client.CheckpointCreateResult{}, nil
 				},
 			})
 			cmd := newCreateCommand(cli)
@@ -75,7 +75,7 @@ func TestCheckpointCreateWithOptions(t *testing.T) {
 			assert.Check(t, cmd.Flags().Set("checkpoint-dir", checkpointDir))
 			assert.NilError(t, cmd.Execute())
 			assert.Check(t, is.Equal(actualContainerName, containerName))
-			expected := checkpoint.CreateOptions{
+			expected := client.CheckpointCreateOptions{
 				CheckpointID:  checkpointName,
 				CheckpointDir: checkpointDir,
 				Exit:          !tc,

cli/command/checkpoint/formatter.go

@@ -2,7 +2,7 @@ package checkpoint
 
 import (
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/api/types/checkpoint"
 )
 
 const (
@@ -10,25 +10,31 @@ const (
 	checkpointNameHeader    = "CHECKPOINT NAME"
 )
 
-// NewFormat returns a format for use with a checkpoint Context
-func NewFormat(source string) formatter.Format {
+// newFormat returns a format for use with a checkpointContext.
+func newFormat(source string) formatter.Format {
 	if source == formatter.TableFormatKey {
 		return defaultCheckpointFormat
 	}
 	return formatter.Format(source)
 }
 
-// FormatWrite writes formatted checkpoints using the Context
-func FormatWrite(ctx formatter.Context, checkpoints []checkpoint.Summary) error {
-	render := func(format func(subContext formatter.SubContext) error) error {
+// formatWrite writes formatted checkpoints using the Context
+func formatWrite(fmtCtx formatter.Context, checkpoints []checkpoint.Summary) error {
+	cpContext := &checkpointContext{
+		HeaderContext: formatter.HeaderContext{
+			Header: formatter.SubHeaderContext{
+				"Name": checkpointNameHeader,
+			},
+		},
+	}
+	return fmtCtx.Write(cpContext, func(format func(subContext formatter.SubContext) error) error {
 		for _, cp := range checkpoints {
 			if err := format(&checkpointContext{c: cp}); err != nil {
 				return err
 			}
 		}
 		return nil
-	}
-	return ctx.Write(newCheckpointContext(), render)
+	})
 }
 
 type checkpointContext struct {
@@ -36,14 +42,6 @@ type checkpointContext struct {
 	c checkpoint.Summary
 }
 
-func newCheckpointContext() *checkpointContext {
-	cpCtx := checkpointContext{}
-	cpCtx.Header = formatter.SubHeaderContext{
-		"Name": checkpointNameHeader,
-	}
-	return &cpCtx
-}
-
 func (c *checkpointContext) MarshalJSON() ([]byte, error) {
 	return formatter.MarshalJSON(c)
 }

cli/command/checkpoint/formatter_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/api/types/checkpoint"
 	"gotest.tools/v3/assert"
 )
 
@@ -15,7 +15,7 @@ func TestCheckpointContextFormatWrite(t *testing.T) {
 		expected string
 	}{
 		{
-			formatter.Context{Format: NewFormat(defaultCheckpointFormat)},
+			formatter.Context{Format: newFormat(defaultCheckpointFormat)},
 			`CHECKPOINT NAME
 checkpoint-1
 checkpoint-2
@@ -23,14 +23,14 @@ checkpoint-3
 `,
 		},
 		{
-			formatter.Context{Format: NewFormat("{{.Name}}")},
+			formatter.Context{Format: newFormat("{{.Name}}")},
 			`checkpoint-1
 checkpoint-2
 checkpoint-3
 `,
 		},
 		{
-			formatter.Context{Format: NewFormat("{{.Name}}:")},
+			formatter.Context{Format: newFormat("{{.Name}}:")},
 			`checkpoint-1:
 checkpoint-2:
 checkpoint-3:
@@ -41,7 +41,7 @@ checkpoint-3:
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		err := FormatWrite(testcase.context, []checkpoint.Summary{
+		err := formatWrite(testcase.context, []checkpoint.Summary{
 			{Name: "checkpoint-1"},
 			{Name: "checkpoint-2"},
 			{Name: "checkpoint-3"},

cli/command/checkpoint/list.go

@@ -7,7 +7,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -15,7 +15,7 @@ type listOptions struct {
 	checkpointDir string
 }
 
-func newListCommand(dockerCli command.Cli) *cobra.Command {
+func newListCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts listOptions
 
 	cmd := &cobra.Command{
@@ -24,9 +24,10 @@ func newListCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "List checkpoints for a container",
 		Args:    cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runList(cmd.Context(), dockerCli, args[0], opts)
+			return runList(cmd.Context(), dockerCLI, args[0], opts)
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, false),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -35,8 +36,8 @@ func newListCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runList(ctx context.Context, dockerCli command.Cli, container string, opts listOptions) error {
-	checkpoints, err := dockerCli.Client().CheckpointList(ctx, container, checkpoint.ListOptions{
+func runList(ctx context.Context, dockerCLI command.Cli, container string, opts listOptions) error {
+	checkpoints, err := dockerCLI.Client().CheckpointList(ctx, container, client.CheckpointListOptions{
 		CheckpointDir: opts.checkpointDir,
 	})
 	if err != nil {
@@ -44,8 +45,8 @@ func runList(ctx context.Context, dockerCli command.Cli, container string, opts
 	}
 
 	cpCtx := formatter.Context{
-		Output: dockerCli.Out(),
-		Format: NewFormat(formatter.TableFormatKey),
+		Output: dockerCLI.Out(),
+		Format: newFormat(formatter.TableFormatKey),
 	}
-	return FormatWrite(cpCtx, checkpoints)
+	return formatWrite(cpCtx, checkpoints.Items)
 }

cli/command/checkpoint/list_test.go

@@ -6,7 +6,8 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -15,7 +16,7 @@ import (
 func TestCheckpointListErrors(t *testing.T) {
 	testCases := []struct {
 		args               []string
-		checkpointListFunc func(container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error)
+		checkpointListFunc func(container string, options client.CheckpointListOptions) (client.CheckpointListResult, error)
 		expectedError      string
 	}{
 		{
@@ -28,8 +29,8 @@ func TestCheckpointListErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			checkpointListFunc: func(container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error) {
-				return []checkpoint.Summary{}, errors.New("error getting checkpoints for container foo")
+			checkpointListFunc: func(container string, options client.CheckpointListOptions) (client.CheckpointListResult, error) {
+				return client.CheckpointListResult{}, errors.New("error getting checkpoints for container foo")
 			},
 			expectedError: "error getting checkpoints for container foo",
 		},
@@ -50,17 +51,19 @@ func TestCheckpointListErrors(t *testing.T) {
 func TestCheckpointListWithOptions(t *testing.T) {
 	var containerID, checkpointDir string
 	cli := test.NewFakeCli(&fakeClient{
-		checkpointListFunc: func(container string, options checkpoint.ListOptions) ([]checkpoint.Summary, error) {
+		checkpointListFunc: func(container string, options client.CheckpointListOptions) (client.CheckpointListResult, error) {
 			containerID = container
 			checkpointDir = options.CheckpointDir
-			return []checkpoint.Summary{
-				{Name: "checkpoint-foo"},
+			return client.CheckpointListResult{
+				Items: []checkpoint.Summary{
+					{Name: "checkpoint-foo"},
+				},
 			}, nil
 		},
 	})
 	cmd := newListCommand(cli)
 	cmd.SetArgs([]string{"container-foo"})
-	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
+	assert.Check(t, cmd.Flags().Set("checkpoint-dir", "/dir/foo"))
 	assert.NilError(t, cmd.Execute())
 	assert.Check(t, is.Equal("container-foo", containerID))
 	assert.Check(t, is.Equal("/dir/foo", checkpointDir))

cli/command/checkpoint/remove.go

@@ -1,11 +1,9 @@
 package checkpoint
 
 import (
-	"context"
-
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -13,7 +11,7 @@ type removeOptions struct {
 	checkpointDir string
 }
 
-func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+func newRemoveCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts removeOptions
 
 	cmd := &cobra.Command{
@@ -22,8 +20,14 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "Remove a checkpoint",
 		Args:    cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runRemove(cmd.Context(), dockerCli, args[0], args[1], opts)
+			containerID, checkpointID := args[0], args[1]
+			_, err := dockerCLI.Client().CheckpointRemove(cmd.Context(), containerID, client.CheckpointRemoveOptions{
+				CheckpointID:  checkpointID,
+				CheckpointDir: opts.checkpointDir,
+			})
+			return err
 		},
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -31,10 +35,3 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 
 	return cmd
 }
-
-func runRemove(ctx context.Context, dockerCli command.Cli, container string, checkpointID string, opts removeOptions) error {
-	return dockerCli.Client().CheckpointDelete(ctx, container, checkpoint.DeleteOptions{
-		CheckpointID:  checkpointID,
-		CheckpointDir: opts.checkpointDir,
-	})
-}

cli/command/checkpoint/remove_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/checkpoint"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -14,7 +14,7 @@ import (
 func TestCheckpointRemoveErrors(t *testing.T) {
 	testCases := []struct {
 		args                 []string
-		checkpointDeleteFunc func(container string, options checkpoint.DeleteOptions) error
+		checkpointDeleteFunc func(container string, options client.CheckpointRemoveOptions) (client.CheckpointRemoveResult, error)
 		expectedError        string
 	}{
 		{
@@ -27,8 +27,8 @@ func TestCheckpointRemoveErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo", "bar"},
-			checkpointDeleteFunc: func(container string, options checkpoint.DeleteOptions) error {
-				return errors.New("error deleting checkpoint")
+			checkpointDeleteFunc: func(container string, options client.CheckpointRemoveOptions) (client.CheckpointRemoveResult, error) {
+				return client.CheckpointRemoveResult{}, errors.New("error deleting checkpoint")
 			},
 			expectedError: "error deleting checkpoint",
 		},
@@ -49,16 +49,16 @@ func TestCheckpointRemoveErrors(t *testing.T) {
 func TestCheckpointRemoveWithOptions(t *testing.T) {
 	var containerID, checkpointID, checkpointDir string
 	cli := test.NewFakeCli(&fakeClient{
-		checkpointDeleteFunc: func(container string, options checkpoint.DeleteOptions) error {
+		checkpointDeleteFunc: func(container string, options client.CheckpointRemoveOptions) (client.CheckpointRemoveResult, error) {
 			containerID = container
 			checkpointID = options.CheckpointID
 			checkpointDir = options.CheckpointDir
-			return nil
+			return client.CheckpointRemoveResult{}, nil
 		},
 	})
 	cmd := newRemoveCommand(cli)
 	cmd.SetArgs([]string{"container-foo", "checkpoint-bar"})
-	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
+	assert.Check(t, cmd.Flags().Set("checkpoint-dir", "/dir/foo"))
 	assert.NilError(t, cmd.Execute())
 	assert.Check(t, is.Equal("container-foo", containerID))
 	assert.Check(t, is.Equal("checkpoint-bar", checkpointID))

cli/command/cli.go

@@ -1,14 +1,14 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.24
 
 package command
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"strconv"
 	"sync"
@@ -21,21 +21,12 @@ import (
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
-	manifeststore "github.com/docker/cli/cli/manifest/store"
-	registryclient "github.com/docker/cli/cli/registry/client"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/cli/version"
 	dopts "github.com/docker/cli/opts"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/api/types/swarm"
-	"github.com/docker/docker/client"
-	"github.com/docker/go-connections/tlsconfig"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/api/types/build"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
-	notaryclient "github.com/theupdateframework/notary/client"
 )
 
 const defaultInitTimeout = 2 * time.Second
@@ -52,15 +43,9 @@ type Cli interface {
 	Client() client.APIClient
 	Streams
 	SetIn(in *streams.In)
-	Apply(ops ...CLIOption) error
-	ConfigFile() *configfile.ConfigFile
+	config.Provider
 	ServerInfo() ServerInfo
-	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
-	DefaultVersion() string
 	CurrentVersion() string
-	ManifestStore() manifeststore.Store
-	RegistryClient(bool) registryclient.RegistryClient
-	ContentTrustEnabled() bool
 	BuildKitEnabled() (bool, error)
 	ContextStore() store.Store
 	CurrentContext() string
@@ -69,7 +54,9 @@ type Cli interface {
 }
 
 // DockerCli is an instance the docker command line client.
-// Instances of the client can be returned from NewDockerCli.
+// Instances of the client should be created using the [NewDockerCli]
+// constructor to make sure they are properly initialized with defaults
+// set.
 type DockerCli struct {
 	configFile         *configfile.ConfigFile
 	options            *cliflags.ClientOptions
@@ -78,14 +65,14 @@ type DockerCli struct {
 	err                *streams.Out
 	client             client.APIClient
 	serverInfo         ServerInfo
-	contentTrust       bool
 	contextStore       store.Store
 	currentContext     string
 	init               sync.Once
 	initErr            error
 	dockerEndpoint     docker.Endpoint
-	contextStoreConfig store.Config
+	contextStoreConfig *store.Config
 	initTimeout        time.Duration
+	userAgent          string
 	res                telemetryResource
 
 	// baseCtx is the base context used for internal operations. In the future
@@ -96,17 +83,12 @@ type DockerCli struct {
 	enableGlobalMeter, enableGlobalTracer bool
 }
 
-// DefaultVersion returns api.defaultVersion.
-func (*DockerCli) DefaultVersion() string {
-	return api.DefaultVersion
-}
-
 // CurrentVersion returns the API version currently negotiated, or the default
 // version otherwise.
 func (cli *DockerCli) CurrentVersion() string {
 	_ = cli.initialize()
 	if cli.client == nil {
-		return api.DefaultVersion
+		return client.MaxAPIVersion
 	}
 	return cli.client.ClientVersion()
 }
@@ -165,19 +147,13 @@ func (cli *DockerCli) ServerInfo() ServerInfo {
 	return cli.serverInfo
 }
 
-// ContentTrustEnabled returns whether content trust has been enabled by an
-// environment variable.
-func (cli *DockerCli) ContentTrustEnabled() bool {
-	return cli.contentTrust
-}
-
 // BuildKitEnabled returns buildkit is enabled or not.
 func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 	// use DOCKER_BUILDKIT env var value if set and not empty
 	if v := os.Getenv("DOCKER_BUILDKIT"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
-			return false, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
+			return false, fmt.Errorf("DOCKER_BUILDKIT environment variable expects boolean value: %w", err)
 		}
 		return enabled, nil
 	}
@@ -188,7 +164,7 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 	}
 
 	si := cli.ServerInfo()
-	if si.BuildkitVersion == types.BuilderBuildKit {
+	if si.BuildkitVersion == build.BuilderBuildKit {
 		// The daemon advertised BuildKit as the preferred builder; this may
 		// be either a Linux daemon or a Windows daemon with experimental
 		// BuildKit support enabled.
@@ -202,16 +178,16 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 
 // HooksEnabled returns whether plugin hooks are enabled.
 func (cli *DockerCli) HooksEnabled() bool {
-	// legacy support DOCKER_CLI_HINTS env var
-	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+	// use DOCKER_CLI_HOOKS env var value if set and not empty
+	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
 		}
 		return enabled
 	}
-	// use DOCKER_CLI_HOOKS env var value if set and not empty
-	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
+	// legacy support DOCKER_CLI_HINTS env var
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
@@ -230,30 +206,6 @@ func (cli *DockerCli) HooksEnabled() bool {
 	return false
 }
 
-// ManifestStore returns a store for local manifests
-func (*DockerCli) ManifestStore() manifeststore.Store {
-	// TODO: support override default location from config file
-	return manifeststore.NewStore(filepath.Join(config.Dir(), "manifests"))
-}
-
-// RegistryClient returns a client for communicating with a Docker distribution
-// registry
-func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.RegistryClient {
-	resolver := func(ctx context.Context, index *registry.IndexInfo) registry.AuthConfig {
-		return ResolveAuthConfig(cli.ConfigFile(), index)
-	}
-	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
-}
-
-// WithInitializeClient is passed to DockerCli.Initialize by callers who wish to set a particular API Client for use by the CLI.
-func WithInitializeClient(makeClient func(dockerCli *DockerCli) (client.APIClient, error)) CLIOption {
-	return func(dockerCli *DockerCli) error {
-		var err error
-		dockerCli.client, err = makeClient(dockerCli)
-		return err
-	}
-}
-
 // Initialize the dockerCli runs initialization that must happen after command
 // line flags are parsed.
 func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption) error {
@@ -275,13 +227,33 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 		return errors.New("conflicting options: cannot specify both --host and --context")
 	}
 
+	if cli.contextStoreConfig == nil {
+		// This path can be hit when calling Initialize on a DockerCli that's
+		// not constructed through [NewDockerCli]. Using the default context
+		// store without a config set will result in Endpoints from contexts
+		// not being type-mapped correctly, and used as a generic "map[string]any",
+		// instead of a [docker.EndpointMeta].
+		//
+		// When looking up the API endpoint (using [EndpointFromContext]), no
+		// endpoint will be found, and a default, empty endpoint will be used
+		// instead which in its turn, causes newAPIClientFromEndpoint to
+		// be initialized with the default config instead of settings for
+		// the current context (which may mean; connecting with the wrong
+		// endpoint and/or TLS Config to be missing).
+		//
+		// [EndpointFromContext]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/context/docker/load.go#L139-L149
+		if err := WithDefaultContextStoreConfig()(cli); err != nil {
+			return err
+		}
+	}
+
 	cli.options = opts
 	cli.configFile = config.LoadDefaultConfigFile(cli.err)
 	cli.currentContext = resolveContextName(cli.options, cli.configFile)
 	cli.contextStore = &ContextStoreWithDefault{
-		Store: store.New(config.ContextStoreDir(), cli.contextStoreConfig),
+		Store: store.New(config.ContextStoreDir(), *cli.contextStoreConfig),
 		Resolver: func() (*DefaultContext, error) {
-			return ResolveDefaultContext(cli.options, cli.contextStoreConfig)
+			return resolveDefaultContext(cli.options, *cli.contextStoreConfig)
 		},
 	}
 
@@ -292,6 +264,18 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 	if cli.enableGlobalTracer {
 		cli.createGlobalTracerProvider(cli.baseCtx)
 	}
+	filterResourceAttributesEnvvar()
+
+	// early return if GODEBUG is already set or the docker context is
+	// the default context, i.e. is a virtual context where we won't override
+	// any GODEBUG values.
+	if v := os.Getenv("GODEBUG"); cli.currentContext == DefaultContextName || v != "" {
+		return nil
+	}
+	meta, err := cli.contextStore.GetMetadata(cli.currentContext)
+	if err == nil {
+		setGoDebug(meta)
+	}
 
 	return nil
 }
@@ -306,17 +290,17 @@ func NewAPIClientFromFlags(opts *cliflags.ClientOptions, configFile *configfile.
 	contextStore := &ContextStoreWithDefault{
 		Store: store.New(config.ContextStoreDir(), storeConfig),
 		Resolver: func() (*DefaultContext, error) {
-			return ResolveDefaultContext(opts, storeConfig)
+			return resolveDefaultContext(opts, storeConfig)
 		},
 	}
 	endpoint, err := resolveDockerEndpoint(contextStore, resolveContextName(opts, configFile))
 	if err != nil {
-		return nil, errors.Wrap(err, "unable to resolve docker endpoint")
+		return nil, fmt.Errorf("unable to resolve docker endpoint: %w", err)
 	}
-	return newAPIClientFromEndpoint(endpoint, configFile)
+	return newAPIClientFromEndpoint(endpoint, configFile, client.WithUserAgent(UserAgent()))
 }
 
-func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigFile) (client.APIClient, error) {
+func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigFile, extraOpts ...client.Opt) (client.APIClient, error) {
 	opts, err := ep.ClientOpts()
 	if err != nil {
 		return nil, err
@@ -324,8 +308,15 @@ func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigF
 	if len(configFile.HTTPHeaders) > 0 {
 		opts = append(opts, client.WithHTTPHeaders(configFile.HTTPHeaders))
 	}
-	opts = append(opts, withCustomHeadersFromEnv(), client.WithUserAgent(UserAgent()))
-	return client.NewClientWithOpts(opts...)
+	withCustomHeaders, err := withCustomHeadersFromEnv()
+	if err != nil {
+		return nil, err
+	}
+	if withCustomHeaders != nil {
+		opts = append(opts, withCustomHeaders)
+	}
+	opts = append(opts, extraOpts...)
+	return client.New(opts...)
 }
 
 func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
@@ -345,7 +336,10 @@ func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint,
 
 // Resolve the Docker endpoint for the default context (based on config, env vars and CLI flags)
 func resolveDefaultDockerEndpoint(opts *cliflags.ClientOptions) (docker.Endpoint, error) {
-	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	// defaultToTLS determines whether we should use a TLS host as default
+	// if nothing was configured by the user.
+	defaultToTLS := opts.TLSOptions != nil
+	host, err := getServerHost(opts.Hosts, defaultToTLS)
 	if err != nil {
 		return docker.Endpoint{}, err
 	}
@@ -383,29 +377,21 @@ func (cli *DockerCli) initializeFromClient() {
 	ctx, cancel := context.WithTimeout(cli.baseCtx, cli.getInitTimeout())
 	defer cancel()
 
-	ping, err := cli.client.Ping(ctx)
+	ping, err := cli.client.Ping(ctx, client.PingOptions{
+		NegotiateAPIVersion: true,
+		ForceNegotiate:      true,
+	})
 	if err != nil {
 		// Default to true if we fail to connect to daemon
 		cli.serverInfo = ServerInfo{HasExperimental: true}
-
-		if ping.APIVersion != "" {
-			cli.client.NegotiateAPIVersionPing(ping)
-		}
 		return
 	}
-
 	cli.serverInfo = ServerInfo{
 		HasExperimental: ping.Experimental,
 		OSType:          ping.OSType,
 		BuildkitVersion: ping.BuilderVersion,
 		SwarmStatus:     ping.SwarmStatus,
 	}
-	cli.client.NegotiateAPIVersionPing(ping)
-}
-
-// NotaryClient provides a Notary Repository to interact with signed metadata for an image
-func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
-	return trust.GetNotaryRepository(cli.In(), cli.Out(), UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
 }
 
 // ContextStore returns the ContextStore
@@ -488,15 +474,67 @@ func (cli *DockerCli) getDockerEndPoint() (ep docker.Endpoint, err error) {
 	return resolveDockerEndpoint(cli.contextStore, cn)
 }
 
+// setGoDebug is an escape hatch that sets the GODEBUG environment
+// variable value using docker context metadata.
+//
+//	{
+//	  "Name": "my-context",
+//	  "Metadata": { "GODEBUG": "x509negativeserial=1" }
+//	}
+//
+// WARNING: Setting x509negativeserial=1 allows Go's x509 library to accept
+// X.509 certificates with negative serial numbers.
+// This behavior is deprecated and non-compliant with current security
+// standards (RFC 5280). Accepting negative serial numbers can introduce
+// serious security vulnerabilities, including the risk of certificate
+// collision or bypass attacks.
+// This option should only be used for legacy compatibility and never in
+// production environments.
+// Use at your own risk.
+func setGoDebug(meta store.Metadata) {
+	fieldName := "GODEBUG"
+	godebugEnv := os.Getenv(fieldName)
+	// early return if GODEBUG is already set. We don't want to override what
+	// the user already sets.
+	if godebugEnv != "" {
+		return
+	}
+
+	var cfg any
+	var ok bool
+	switch m := meta.Metadata.(type) {
+	case DockerContext:
+		cfg, ok = m.AdditionalFields[fieldName]
+		if !ok {
+			return
+		}
+	case map[string]any:
+		cfg, ok = m[fieldName]
+		if !ok {
+			return
+		}
+	default:
+		return
+	}
+
+	v, ok := cfg.(string)
+	if !ok {
+		return
+	}
+	// set the GODEBUG environment variable with whatever was in the context
+	_ = os.Setenv(fieldName, v)
+}
+
 func (cli *DockerCli) initialize() error {
 	cli.init.Do(func() {
 		cli.dockerEndpoint, cli.initErr = cli.getDockerEndPoint()
 		if cli.initErr != nil {
-			cli.initErr = errors.Wrap(cli.initErr, "unable to resolve docker endpoint")
+			cli.initErr = fmt.Errorf("unable to resolve docker endpoint: %w", cli.initErr)
 			return
 		}
 		if cli.client == nil {
-			if cli.client, cli.initErr = newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile); cli.initErr != nil {
+			ops := []client.Opt{client.WithUserAgent(cli.userAgent)}
+			if cli.client, cli.initErr = newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile, ops...); cli.initErr != nil {
 				return
 			}
 		}
@@ -508,22 +546,12 @@ func (cli *DockerCli) initialize() error {
 	return cli.initErr
 }
 
-// Apply all the operation on the cli
-func (cli *DockerCli) Apply(ops ...CLIOption) error {
-	for _, op := range ops {
-		if err := op(cli); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // ServerInfo stores details about the supported features and platform of the
 // server
 type ServerInfo struct {
 	HasExperimental bool
 	OSType          string
-	BuildkitVersion types.BuilderVersion
+	BuildkitVersion build.BuilderVersion
 
 	// SwarmStatus provides information about the current swarm status of the
 	// engine, obtained from the "Swarm" header in the API response.
@@ -532,7 +560,7 @@ type ServerInfo struct {
 	// in the ping response, or if an error occurred, in which case the client
 	// should use other ways to get the current swarm status, such as the /swarm
 	// endpoint.
-	SwarmStatus *swarm.Status
+	SwarmStatus *client.SwarmStatus
 }
 
 // NewDockerCli returns a DockerCli instance with all operators applied on it.
@@ -540,34 +568,33 @@ type ServerInfo struct {
 // environment.
 func NewDockerCli(ops ...CLIOption) (*DockerCli, error) {
 	defaultOps := []CLIOption{
-		WithContentTrustFromEnv(),
 		WithDefaultContextStoreConfig(),
 		WithStandardStreams(),
+		WithUserAgent(UserAgent()),
 	}
 	ops = append(defaultOps, ops...)
 
 	cli := &DockerCli{baseCtx: context.Background()}
-	if err := cli.Apply(ops...); err != nil {
-		return nil, err
+	for _, op := range ops {
+		if err := op(cli); err != nil {
+			return nil, err
+		}
 	}
 	return cli, nil
 }
 
-func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
-	var host string
+func getServerHost(hosts []string, defaultToTLS bool) (string, error) {
 	switch len(hosts) {
 	case 0:
-		host = os.Getenv(client.EnvOverrideHost)
+		return dopts.ParseHost(defaultToTLS, os.Getenv(client.EnvOverrideHost))
 	case 1:
-		host = hosts[0]
+		return dopts.ParseHost(defaultToTLS, hosts[0])
 	default:
-		return "", errors.New("Specify only one -H")
+		return "", errors.New("specify only one -H")
 	}
-
-	return dopts.ParseHost(tlsOptions != nil, host)
 }
 
-// UserAgent returns the user agent string used for making API requests
+// UserAgent returns the default user agent string used for making API requests.
 func UserAgent() string {
 	return "Docker-Client/" + version.Version + " (" + runtime.GOOS + ")"
 }

cli/command/cli_options.go

@@ -3,17 +3,16 @@ package command
 import (
 	"context"
 	"encoding/csv"
+	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"os"
-	"strconv"
 	"strings"
 
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/docker/client"
-	"github.com/docker/docker/errdefs"
+	"github.com/moby/moby/client"
 	"github.com/moby/term"
-	"github.com/pkg/errors"
 )
 
 // CLIOption is a functional argument to apply options to a [DockerCli]. These
@@ -76,32 +75,11 @@ func WithErrorStream(err io.Writer) CLIOption {
 	}
 }
 
-// WithContentTrustFromEnv enables content trust on a cli from environment variable DOCKER_CONTENT_TRUST value.
-func WithContentTrustFromEnv() CLIOption {
-	return func(cli *DockerCli) error {
-		cli.contentTrust = false
-		if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
-			if t, err := strconv.ParseBool(e); t || err != nil {
-				// treat any other value as true
-				cli.contentTrust = true
-			}
-		}
-		return nil
-	}
-}
-
-// WithContentTrust enables content trust on a cli.
-func WithContentTrust(enabled bool) CLIOption {
-	return func(cli *DockerCli) error {
-		cli.contentTrust = enabled
-		return nil
-	}
-}
-
 // WithDefaultContextStoreConfig configures the cli to use the default context store configuration.
 func WithDefaultContextStoreConfig() CLIOption {
 	return func(cli *DockerCli) error {
-		cli.contextStoreConfig = DefaultContextStoreConfig()
+		cfg := DefaultContextStoreConfig()
+		cli.contextStoreConfig = &cfg
 		return nil
 	}
 }
@@ -114,6 +92,18 @@ func WithAPIClient(c client.APIClient) CLIOption {
 	}
 }
 
+// WithInitializeClient is passed to [DockerCli.Initialize] to initialize
+// an API Client for use by the CLI.
+func WithInitializeClient(makeClient func(*DockerCli) (client.APIClient, error)) CLIOption {
+	return func(cli *DockerCli) error {
+		c, err := makeClient(cli)
+		if err != nil {
+			return err
+		}
+		return WithAPIClient(c)(cli)
+	}
+}
+
 // envOverrideHTTPHeaders is the name of the environment-variable that can be
 // used to set custom HTTP headers to be sent by the client. This environment
 // variable is the equivalent to the HttpHeaders field in the configuration
@@ -168,61 +158,70 @@ const envOverrideHTTPHeaders = "DOCKER_CUSTOM_HEADERS"
 // override headers with the same name).
 //
 // TODO(thaJeztah): this is a client Option, and should be moved to the client. It is non-exported for that reason.
-func withCustomHeadersFromEnv() client.Opt {
-	return func(apiClient *client.Client) error {
-		value := os.Getenv(envOverrideHTTPHeaders)
-		if value == "" {
-			return nil
-		}
-		csvReader := csv.NewReader(strings.NewReader(value))
-		fields, err := csvReader.Read()
-		if err != nil {
-			return errdefs.InvalidParameter(errors.Errorf(
-				"failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs",
-				envOverrideHTTPHeaders,
+func withCustomHeadersFromEnv() (client.Opt, error) {
+	value := os.Getenv(envOverrideHTTPHeaders)
+	if value == "" {
+		return nil, nil
+	}
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, invalidParameter(fmt.Errorf(
+			"failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs",
+			envOverrideHTTPHeaders,
+		))
+	}
+	if len(fields) == 0 {
+		return nil, nil
+	}
+
+	env := map[string]string{}
+	for _, kv := range fields {
+		k, v, hasValue := strings.Cut(kv, "=")
+
+		// Only strip whitespace in keys; preserve whitespace in values.
+		k = strings.TrimSpace(k)
+
+		if k == "" {
+			return nil, invalidParameter(fmt.Errorf(
+				`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`,
+				envOverrideHTTPHeaders, kv,
 			))
 		}
-		if len(fields) == 0 {
-			return nil
+
+		// We don't currently allow empty key=value pairs, and produce an error.
+		// This is something we could allow in future (e.g. to read value
+		// from an environment variable with the same name). In the meantime,
+		// produce an error to prevent users from depending on this.
+		if !hasValue {
+			return nil, invalidParameter(fmt.Errorf(
+				`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`,
+				envOverrideHTTPHeaders, kv,
+			))
 		}
 
-		env := map[string]string{}
-		for _, kv := range fields {
-			k, v, hasValue := strings.Cut(kv, "=")
+		env[http.CanonicalHeaderKey(k)] = v
+	}
 
-			// Only strip whitespace in keys; preserve whitespace in values.
-			k = strings.TrimSpace(k)
+	if len(env) == 0 {
+		// We should probably not hit this case, as we don't skip values
+		// (only return errors), but we don't want to discard existing
+		// headers with an empty set.
+		return nil, nil
+	}
 
-			if k == "" {
-				return errdefs.InvalidParameter(errors.Errorf(
-					`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`,
-					envOverrideHTTPHeaders, kv,
-				))
-			}
+	// TODO(thaJeztah): add a client.WithExtraHTTPHeaders() function to allow these headers to be _added_ to existing ones, instead of _replacing_
+	//  see https://github.com/docker/cli/pull/5098#issuecomment-2147403871  (when updating, also update the WARNING in the function and env-var GoDoc)
+	return client.WithHTTPHeaders(env), nil
+}
 
-			// We don't currently allow empty key=value pairs, and produce an error.
-			// This is something we could allow in future (e.g. to read value
-			// from an environment variable with the same name). In the meantime,
-			// produce an error to prevent users from depending on this.
-			if !hasValue {
-				return errdefs.InvalidParameter(errors.Errorf(
-					`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`,
-					envOverrideHTTPHeaders, kv,
-				))
-			}
-
-			env[http.CanonicalHeaderKey(k)] = v
+// WithUserAgent configures the User-Agent string for cli HTTP requests.
+func WithUserAgent(userAgent string) CLIOption {
+	return func(cli *DockerCli) error {
+		if userAgent == "" {
+			return errors.New("user agent cannot be blank")
 		}
-
-		if len(env) == 0 {
-			// We should probably not hit this case, as we don't skip values
-			// (only return errors), but we don't want to discard existing
-			// headers with an empty set.
-			return nil
-		}
-
-		// TODO(thaJeztah): add a client.WithExtraHTTPHeaders() function to allow these headers to be _added_ to existing ones, instead of _replacing_
-		//  see https://github.com/docker/cli/pull/5098#issuecomment-2147403871  (when updating, also update the WARNING in the function and env-var GoDoc)
-		return client.WithHTTPHeaders(env)(apiClient)
+		cli.userAgent = userAgent
+		return nil
 	}
 }

cli/command/cli_options_test.go

@@ -1,28 +0,0 @@
-package command
-
-import (
-	"os"
-	"testing"
-
-	"gotest.tools/v3/assert"
-)
-
-func contentTrustEnabled(t *testing.T) bool {
-	t.Helper()
-	var cli DockerCli
-	assert.NilError(t, WithContentTrustFromEnv()(&cli))
-	return cli.contentTrust
-}
-
-// NB: Do not t.Parallel() this test -- it messes with the process environment.
-func TestWithContentTrustFromEnv(t *testing.T) {
-	const envvar = "DOCKER_CONTENT_TRUST"
-	t.Setenv(envvar, "true")
-	assert.Check(t, contentTrustEnabled(t))
-	t.Setenv(envvar, "false")
-	assert.Check(t, !contentTrustEnabled(t))
-	t.Setenv(envvar, "invalid")
-	assert.Check(t, contentTrustEnabled(t))
-	os.Unsetenv(envvar)
-	assert.Check(t, !contentTrustEnabled(t))
-}

cli/command/cli_test.go

@@ -18,13 +18,10 @@ import (
 
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/cli/cli/flags"
-	"github.com/docker/cli/cli/streams"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
-	"gotest.tools/v3/fs"
 )
 
 func TestNewAPIClientFromFlags(t *testing.T) {
@@ -36,7 +33,7 @@ func TestNewAPIClientFromFlags(t *testing.T) {
 	apiClient, err := NewAPIClientFromFlags(opts, &configfile.ConfigFile{})
 	assert.NilError(t, err)
 	assert.Equal(t, apiClient.DaemonHost(), host)
-	assert.Equal(t, apiClient.ClientVersion(), api.DefaultVersion)
+	assert.Equal(t, apiClient.ClientVersion(), client.MaxAPIVersion)
 }
 
 func TestNewAPIClientFromFlagsForDefaultSchema(t *testing.T) {
@@ -49,7 +46,7 @@ func TestNewAPIClientFromFlagsForDefaultSchema(t *testing.T) {
 	apiClient, err := NewAPIClientFromFlags(opts, &configfile.ConfigFile{})
 	assert.NilError(t, err)
 	assert.Equal(t, apiClient.DaemonHost(), slug+host)
-	assert.Equal(t, apiClient.ClientVersion(), api.DefaultVersion)
+	assert.Equal(t, apiClient.ClientVersion(), client.MaxAPIVersion)
 }
 
 func TestNewAPIClientFromFlagsWithCustomHeaders(t *testing.T) {
@@ -73,7 +70,7 @@ func TestNewAPIClientFromFlagsWithCustomHeaders(t *testing.T) {
 	apiClient, err := NewAPIClientFromFlags(opts, configFile)
 	assert.NilError(t, err)
 	assert.Equal(t, apiClient.DaemonHost(), host)
-	assert.Equal(t, apiClient.ClientVersion(), api.DefaultVersion)
+	assert.Equal(t, apiClient.ClientVersion(), client.MaxAPIVersion)
 
 	// verify User-Agent is not appended to the configfile. see https://github.com/docker/cli/pull/2756
 	assert.DeepEqual(t, configFile.HTTPHeaders, map[string]string{"My-Header": "Custom-Value"})
@@ -82,7 +79,7 @@ func TestNewAPIClientFromFlagsWithCustomHeaders(t *testing.T) {
 		"My-Header":  "Custom-Value",
 		"User-Agent": UserAgent(),
 	}
-	_, err = apiClient.Ping(context.Background())
+	_, err = apiClient.Ping(context.TODO(), client.PingOptions{})
 	assert.NilError(t, err)
 	assert.DeepEqual(t, received, expectedHeaders)
 }
@@ -108,7 +105,7 @@ func TestNewAPIClientFromFlagsWithCustomHeadersFromEnv(t *testing.T) {
 	apiClient, err := NewAPIClientFromFlags(opts, configFile)
 	assert.NilError(t, err)
 	assert.Equal(t, apiClient.DaemonHost(), host)
-	assert.Equal(t, apiClient.ClientVersion(), api.DefaultVersion)
+	assert.Equal(t, apiClient.ClientVersion(), client.MaxAPIVersion)
 
 	expectedHeaders := http.Header{
 		"One":        []string{"one-value"},
@@ -117,7 +114,7 @@ func TestNewAPIClientFromFlagsWithCustomHeadersFromEnv(t *testing.T) {
 		"Four":       []string{"four-value-override"},
 		"User-Agent": []string{UserAgent()},
 	}
-	_, err = apiClient.Ping(context.Background())
+	_, err = apiClient.Ping(context.TODO(), client.PingOptions{})
 	assert.NilError(t, err)
 	assert.DeepEqual(t, received, expectedHeaders)
 }
@@ -137,51 +134,55 @@ func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 
 type fakeClient struct {
 	client.Client
-	pingFunc   func() (types.Ping, error)
+	pingFunc   func() (client.PingResult, error)
 	version    string
 	negotiated bool
 }
 
-func (c *fakeClient) Ping(_ context.Context) (types.Ping, error) {
-	return c.pingFunc()
+func (c *fakeClient) Ping(_ context.Context, options client.PingOptions) (client.PingResult, error) {
+	res, err := c.pingFunc()
+	if options.NegotiateAPIVersion {
+		if res.APIVersion != "" {
+			if c.negotiated || options.ForceNegotiate {
+				c.negotiated = true
+			}
+		}
+	}
+	return res, err
 }
 
 func (c *fakeClient) ClientVersion() string {
 	return c.version
 }
 
-func (c *fakeClient) NegotiateAPIVersionPing(types.Ping) {
-	c.negotiated = true
-}
-
 func TestInitializeFromClient(t *testing.T) {
 	const defaultVersion = "v1.55"
 
 	testcases := []struct {
 		doc            string
-		pingFunc       func() (types.Ping, error)
+		pingFunc       func() (client.PingResult, error)
 		expectedServer ServerInfo
 		negotiated     bool
 	}{
 		{
 			doc: "successful ping",
-			pingFunc: func() (types.Ping, error) {
-				return types.Ping{Experimental: true, OSType: "linux", APIVersion: "v1.30"}, nil
+			pingFunc: func() (client.PingResult, error) {
+				return client.PingResult{Experimental: true, OSType: "linux", APIVersion: "v1.44"}, nil
 			},
 			expectedServer: ServerInfo{HasExperimental: true, OSType: "linux"},
 			negotiated:     true,
 		},
 		{
 			doc: "failed ping, no API version",
-			pingFunc: func() (types.Ping, error) {
-				return types.Ping{}, errors.New("failed")
+			pingFunc: func() (client.PingResult, error) {
+				return client.PingResult{}, errors.New("failed")
 			},
 			expectedServer: ServerInfo{HasExperimental: true},
 		},
 		{
 			doc: "failed ping, with API version",
-			pingFunc: func() (types.Ping, error) {
-				return types.Ping{APIVersion: "v1.33"}, errors.New("failed")
+			pingFunc: func() (client.PingResult, error) {
+				return client.PingResult{APIVersion: "v1.44"}, errors.New("failed")
 			},
 			expectedServer: ServerInfo{HasExperimental: true},
 			negotiated:     true,
@@ -190,16 +191,16 @@ func TestInitializeFromClient(t *testing.T) {
 
 	for _, tc := range testcases {
 		t.Run(tc.doc, func(t *testing.T) {
-			apiclient := &fakeClient{
+			apiClient := &fakeClient{
 				pingFunc: tc.pingFunc,
 				version:  defaultVersion,
 			}
 
-			cli := &DockerCli{client: apiclient}
+			cli := &DockerCli{client: apiClient}
 			err := cli.Initialize(flags.NewClientOptions())
 			assert.NilError(t, err)
 			assert.DeepEqual(t, cli.ServerInfo(), tc.expectedServer)
-			assert.Equal(t, apiclient.negotiated, tc.negotiated)
+			assert.Equal(t, apiClient.negotiated, tc.negotiated)
 		})
 	}
 }
@@ -207,13 +208,13 @@ func TestInitializeFromClient(t *testing.T) {
 // Makes sure we don't hang forever on the initial connection.
 // https://github.com/docker/cli/issues/3652
 func TestInitializeFromClientHangs(t *testing.T) {
-	dir := t.TempDir()
-	socket := filepath.Join(dir, "my.sock")
+	tmpDir := t.TempDir()
+	socket := filepath.Join(tmpDir, "my.sock")
 	l, err := net.Listen("unix", socket)
 	assert.NilError(t, err)
 
 	receiveReqCh := make(chan bool)
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), time.Second)
+	timeoutCtx, cancel := context.WithTimeout(context.TODO(), time.Second)
 	defer cancel()
 
 	// Simulate a server that hangs on connections.
@@ -256,79 +257,33 @@ func TestInitializeFromClientHangs(t *testing.T) {
 	}
 }
 
-// The CLI no longer disables/hides experimental CLI features, however, we need
-// to verify that existing configuration files do not break
-func TestExperimentalCLI(t *testing.T) {
-	defaultVersion := "v1.55"
-
-	testcases := []struct {
-		doc        string
-		configfile string
-	}{
-		{
-			doc:        "default",
-			configfile: `{}`,
-		},
-		{
-			doc: "experimental",
-			configfile: `{
-	"experimental": "enabled"
-}`,
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.doc, func(t *testing.T) {
-			dir := fs.NewDir(t, tc.doc, fs.WithFile("config.json", tc.configfile))
-			defer dir.Remove()
-			apiclient := &fakeClient{
-				version: defaultVersion,
-				pingFunc: func() (types.Ping, error) {
-					return types.Ping{Experimental: true, OSType: "linux", APIVersion: defaultVersion}, nil
-				},
-			}
-
-			cli := &DockerCli{client: apiclient, err: streams.NewOut(os.Stderr)}
-			config.SetDir(dir.Path())
-			err := cli.Initialize(flags.NewClientOptions())
-			assert.NilError(t, err)
-		})
-	}
-}
-
 func TestNewDockerCliAndOperators(t *testing.T) {
-	// Test default operations and also overriding default ones
+	outbuf := bytes.NewBuffer(nil)
+	errbuf := bytes.NewBuffer(nil)
+
 	cli, err := NewDockerCli(
-		WithContentTrust(true),
+		WithInputStream(io.NopCloser(strings.NewReader("some input"))),
+		WithOutputStream(outbuf),
+		WithErrorStream(errbuf),
 	)
 	assert.NilError(t, err)
 	// Check streams are initialized
 	assert.Check(t, cli.In() != nil)
 	assert.Check(t, cli.Out() != nil)
 	assert.Check(t, cli.Err() != nil)
-	assert.Equal(t, cli.ContentTrustEnabled(), true)
-
-	// Apply can modify a dockerCli after construction
-	inbuf := bytes.NewBuffer([]byte("input"))
-	outbuf := bytes.NewBuffer(nil)
-	errbuf := bytes.NewBuffer(nil)
-	err = cli.Apply(
-		WithInputStream(io.NopCloser(inbuf)),
-		WithOutputStream(outbuf),
-		WithErrorStream(errbuf),
-	)
-	assert.NilError(t, err)
-	// Check input stream
 	inputStream, err := io.ReadAll(cli.In())
 	assert.NilError(t, err)
-	assert.Equal(t, string(inputStream), "input")
+	assert.Equal(t, string(inputStream), "some input")
+
 	// Check output stream
-	fmt.Fprintf(cli.Out(), "output")
+	_, err = fmt.Fprint(cli.Out(), "output")
+	assert.NilError(t, err)
 	outputStream, err := io.ReadAll(outbuf)
 	assert.NilError(t, err)
 	assert.Equal(t, string(outputStream), "output")
 	// Check error stream
-	fmt.Fprintf(cli.Err(), "error")
+	_, err = fmt.Fprint(cli.Err(), "error")
+	assert.NilError(t, err)
 	errStream, err := io.ReadAll(errbuf)
 	assert.NilError(t, err)
 	assert.Equal(t, string(errStream), "error")
@@ -337,14 +292,16 @@ func TestNewDockerCliAndOperators(t *testing.T) {
 func TestInitializeShouldAlwaysCreateTheContextStore(t *testing.T) {
 	cli, err := NewDockerCli()
 	assert.NilError(t, err)
-	assert.NilError(t, cli.Initialize(flags.NewClientOptions(), WithInitializeClient(func(cli *DockerCli) (client.APIClient, error) {
-		return client.NewClientWithOpts()
-	})))
+	apiClient, err := client.New()
+	assert.NilError(t, err)
+	assert.NilError(t, cli.Initialize(flags.NewClientOptions(), WithAPIClient(apiClient)))
 	assert.Check(t, cli.ContextStore() != nil)
 }
 
 func TestHooksEnabled(t *testing.T) {
 	t.Run("disabled by default", func(t *testing.T) {
+		// Make sure we don't depend on any existing ~/.docker/config.json
+		config.SetDir(t.TempDir())
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
 
@@ -356,12 +313,11 @@ func TestHooksEnabled(t *testing.T) {
     "features": {
       "hooks": "true"
     }}`
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, cli.HooksEnabled())
 	})
 
@@ -371,12 +327,11 @@ func TestHooksEnabled(t *testing.T) {
       "hooks": "true"
     }}`
 		t.Setenv("DOCKER_CLI_HOOKS", "false")
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, !cli.HooksEnabled())
 	})
 
@@ -386,12 +341,54 @@ func TestHooksEnabled(t *testing.T) {
       "hooks": "true"
     }}`
 		t.Setenv("DOCKER_CLI_HINTS", "false")
-		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
-		defer dir.Remove()
+		config.SetDir(t.TempDir())
+		err := os.WriteFile(filepath.Join(config.Dir(), "config.json"), []byte(configFile), 0o600)
+		assert.NilError(t, err)
 		cli, err := NewDockerCli()
 		assert.NilError(t, err)
-		config.SetDir(dir.Path())
-
 		assert.Check(t, !cli.HooksEnabled())
 	})
 }
+
+func TestSetGoDebug(t *testing.T) {
+	t.Run("GODEBUG already set", func(t *testing.T) {
+		t.Setenv("GODEBUG", "val1,val2")
+		meta := store.Metadata{}
+		setGoDebug(meta)
+		assert.Equal(t, "val1,val2", os.Getenv("GODEBUG"))
+	})
+	t.Run("GODEBUG in context metadata can set env", func(t *testing.T) {
+		meta := store.Metadata{
+			Metadata: DockerContext{
+				AdditionalFields: map[string]any{
+					"GODEBUG": "val1,val2=1",
+				},
+			},
+		}
+		setGoDebug(meta)
+		assert.Equal(t, "val1,val2=1", os.Getenv("GODEBUG"))
+	})
+}
+
+func TestNewDockerCliWithCustomUserAgent(t *testing.T) {
+	var received string
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		received = r.UserAgent()
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer ts.Close()
+	host := strings.Replace(ts.URL, "http://", "tcp://", 1)
+	opts := &flags.ClientOptions{Hosts: []string{host}}
+
+	cli, err := NewDockerCli(
+		WithUserAgent("fake-agent/0.0.1"),
+	)
+	assert.NilError(t, err)
+	cli.currentContext = DefaultContextName
+	cli.options = opts
+	cli.configFile = &configfile.ConfigFile{}
+
+	_, err = cli.Client().Ping(context.TODO(), client.PingOptions{})
+	assert.NilError(t, err)
+	assert.DeepEqual(t, received, "fake-agent/0.0.1")
+}

cli/command/commands/commands.go

@@ -1,109 +1,30 @@
 package commands
 
 import (
-	"os"
-
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/builder"
-	"github.com/docker/cli/cli/command/checkpoint"
-	"github.com/docker/cli/cli/command/config"
-	"github.com/docker/cli/cli/command/container"
-	"github.com/docker/cli/cli/command/context"
-	"github.com/docker/cli/cli/command/image"
-	"github.com/docker/cli/cli/command/manifest"
-	"github.com/docker/cli/cli/command/network"
-	"github.com/docker/cli/cli/command/node"
-	"github.com/docker/cli/cli/command/plugin"
-	"github.com/docker/cli/cli/command/registry"
-	"github.com/docker/cli/cli/command/secret"
-	"github.com/docker/cli/cli/command/service"
-	"github.com/docker/cli/cli/command/stack"
-	"github.com/docker/cli/cli/command/swarm"
-	"github.com/docker/cli/cli/command/system"
-	"github.com/docker/cli/cli/command/trust"
-	"github.com/docker/cli/cli/command/volume"
+	_ "github.com/docker/cli/cli/command/builder"
+	_ "github.com/docker/cli/cli/command/checkpoint"
+	_ "github.com/docker/cli/cli/command/config"
+	_ "github.com/docker/cli/cli/command/container"
+	_ "github.com/docker/cli/cli/command/context"
+	_ "github.com/docker/cli/cli/command/image"
+	_ "github.com/docker/cli/cli/command/manifest"
+	_ "github.com/docker/cli/cli/command/network"
+	_ "github.com/docker/cli/cli/command/node"
+	_ "github.com/docker/cli/cli/command/plugin"
+	_ "github.com/docker/cli/cli/command/registry"
+	_ "github.com/docker/cli/cli/command/secret"
+	_ "github.com/docker/cli/cli/command/service"
+	_ "github.com/docker/cli/cli/command/stack"
+	_ "github.com/docker/cli/cli/command/swarm"
+	_ "github.com/docker/cli/cli/command/system"
+	_ "github.com/docker/cli/cli/command/volume"
+	"github.com/docker/cli/internal/commands"
 	"github.com/spf13/cobra"
 )
 
-// AddCommands adds all the commands from cli/command to the root command
-func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
-	cmd.AddCommand(
-		// commonly used shorthands
-		container.NewRunCommand(dockerCli),
-		container.NewExecCommand(dockerCli),
-		container.NewPsCommand(dockerCli),
-		image.NewBuildCommand(dockerCli),
-		image.NewPullCommand(dockerCli),
-		image.NewPushCommand(dockerCli),
-		image.NewImagesCommand(dockerCli),
-		registry.NewLoginCommand(dockerCli),
-		registry.NewLogoutCommand(dockerCli),
-		registry.NewSearchCommand(dockerCli),
-		system.NewVersionCommand(dockerCli),
-		system.NewInfoCommand(dockerCli),
-
-		// management commands
-		builder.NewBuilderCommand(dockerCli),
-		checkpoint.NewCheckpointCommand(dockerCli),
-		container.NewContainerCommand(dockerCli),
-		context.NewContextCommand(dockerCli),
-		image.NewImageCommand(dockerCli),
-		manifest.NewManifestCommand(dockerCli),
-		network.NewNetworkCommand(dockerCli),
-		plugin.NewPluginCommand(dockerCli),
-		system.NewSystemCommand(dockerCli),
-		trust.NewTrustCommand(dockerCli),
-		volume.NewVolumeCommand(dockerCli),
-
-		// orchestration (swarm) commands
-		config.NewConfigCommand(dockerCli),
-		node.NewNodeCommand(dockerCli),
-		secret.NewSecretCommand(dockerCli),
-		service.NewServiceCommand(dockerCli),
-		stack.NewStackCommand(dockerCli),
-		swarm.NewSwarmCommand(dockerCli),
-
-		// legacy commands may be hidden
-		hide(container.NewAttachCommand(dockerCli)),
-		hide(container.NewCommitCommand(dockerCli)),
-		hide(container.NewCopyCommand(dockerCli)),
-		hide(container.NewCreateCommand(dockerCli)),
-		hide(container.NewDiffCommand(dockerCli)),
-		hide(container.NewExportCommand(dockerCli)),
-		hide(container.NewKillCommand(dockerCli)),
-		hide(container.NewLogsCommand(dockerCli)),
-		hide(container.NewPauseCommand(dockerCli)),
-		hide(container.NewPortCommand(dockerCli)),
-		hide(container.NewRenameCommand(dockerCli)),
-		hide(container.NewRestartCommand(dockerCli)),
-		hide(container.NewRmCommand(dockerCli)),
-		hide(container.NewStartCommand(dockerCli)),
-		hide(container.NewStatsCommand(dockerCli)),
-		hide(container.NewStopCommand(dockerCli)),
-		hide(container.NewTopCommand(dockerCli)),
-		hide(container.NewUnpauseCommand(dockerCli)),
-		hide(container.NewUpdateCommand(dockerCli)),
-		hide(container.NewWaitCommand(dockerCli)),
-		hide(image.NewHistoryCommand(dockerCli)),
-		hide(image.NewImportCommand(dockerCli)),
-		hide(image.NewLoadCommand(dockerCli)),
-		hide(image.NewRemoveCommand(dockerCli)),
-		hide(image.NewSaveCommand(dockerCli)),
-		hide(image.NewTagCommand(dockerCli)),
-		hide(system.NewEventsCommand(dockerCli)),
-		hide(system.NewInspectCommand(dockerCli)),
-	)
-}
-
-func hide(cmd *cobra.Command) *cobra.Command {
-	// If the environment variable with name "DOCKER_HIDE_LEGACY_COMMANDS" is not empty,
-	// these legacy commands (such as `docker ps`, `docker exec`, etc)
-	// will not be shown in output console.
-	if os.Getenv("DOCKER_HIDE_LEGACY_COMMANDS") == "" {
-		return cmd
+func AddCommands(cmd *cobra.Command, dockerCLI command.Cli) {
+	for _, c := range commands.Commands() {
+		cmd.AddCommand(c(dockerCLI))
 	}
-	cmdCopy := *cmd
-	cmdCopy.Hidden = true
-	cmdCopy.Aliases = []string{}
-	return &cmdCopy
 }

cli/command/completion/functions.go

@@ -4,19 +4,14 @@ import (
 	"os"
 	"strings"
 
+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/volume"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-// ValidArgsFn a function to be used by cobra command as `ValidArgsFunction` to offer command line completion
-type ValidArgsFn func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective)
-
-// APIClientProvider provides a method to get an [client.APIClient], initializing
+// APIClientProvider provides a method to get a [client.APIClient], initializing
 // it if needed.
 //
 // It's a smaller interface than [command.Cli], and used in situations where an
@@ -27,29 +22,62 @@ type APIClientProvider interface {
 }
 
 // ImageNames offers completion for images present within the local store
-func ImageNames(dockerCLI APIClientProvider, limit int) ValidArgsFn {
+func ImageNames(dockerCLI APIClientProvider, limit int) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if limit > 0 && len(args) >= limit {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		}
-		list, err := dockerCLI.Client().ImageList(cmd.Context(), image.ListOptions{})
+		res, err := dockerCLI.Client().ImageList(cmd.Context(), client.ImageListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}
 		var names []string
-		for _, img := range list {
+		for _, img := range res.Items {
 			names = append(names, img.RepoTags...)
 		}
 		return names, cobra.ShellCompDirectiveNoFileComp
 	}
 }
 
+// ImageNamesWithBase offers completion for images present within the local store,
+// including both full image names with tags and base image names (repository names only)
+// when multiple tags exist for the same base name
+func ImageNamesWithBase(dockerCLI APIClientProvider, limit int) cobra.CompletionFunc {
+	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		if limit > 0 && len(args) >= limit {
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		}
+		res, err := dockerCLI.Client().ImageList(cmd.Context(), client.ImageListOptions{})
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+		var names []string
+		baseNameCounts := make(map[string]int)
+		for _, img := range res.Items {
+			names = append(names, img.RepoTags...)
+			for _, tag := range img.RepoTags {
+				ref, err := reference.ParseNormalizedNamed(tag)
+				if err != nil {
+					continue
+				}
+				baseNameCounts[reference.FamiliarName(ref)]++
+			}
+		}
+		for baseName, count := range baseNameCounts {
+			if count > 1 {
+				names = append(names, baseName)
+			}
+		}
+		return names, cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
 // ContainerNames offers completion for container names and IDs
 // By default, only names are returned.
 // Set DOCKER_COMPLETION_SHOW_CONTAINER_IDS=yes to also complete IDs.
-func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(container.Summary) bool) ValidArgsFn {
+func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(container.Summary) bool) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCLI.Client().ContainerList(cmd.Context(), container.ListOptions{
+		res, err := dockerCLI.Client().ContainerList(cmd.Context(), client.ContainerListOptions{
 			All: all,
 		})
 		if err != nil {
@@ -59,7 +87,7 @@ func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(conta
 		showContainerIDs := os.Getenv("DOCKER_COMPLETION_SHOW_CONTAINER_IDS") == "yes"
 
 		var names []string
-		for _, ctr := range list {
+		for _, ctr := range res.Items {
 			skip := false
 			for _, fn := range filters {
 				if fn != nil && !fn(ctr) {
@@ -80,14 +108,14 @@ func ContainerNames(dockerCLI APIClientProvider, all bool, filters ...func(conta
 }
 
 // VolumeNames offers completion for volumes
-func VolumeNames(dockerCLI APIClientProvider) ValidArgsFn {
+func VolumeNames(dockerCLI APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCLI.Client().VolumeList(cmd.Context(), volume.ListOptions{})
+		res, err := dockerCLI.Client().VolumeList(cmd.Context(), client.VolumeListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}
 		var names []string
-		for _, vol := range list.Volumes {
+		for _, vol := range res.Items {
 			names = append(names, vol.Name)
 		}
 		return names, cobra.ShellCompDirectiveNoFileComp
@@ -95,14 +123,14 @@ func VolumeNames(dockerCLI APIClientProvider) ValidArgsFn {
 }
 
 // NetworkNames offers completion for networks
-func NetworkNames(dockerCLI APIClientProvider) ValidArgsFn {
+func NetworkNames(dockerCLI APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCLI.Client().NetworkList(cmd.Context(), network.ListOptions{})
+		res, err := dockerCLI.Client().NetworkList(cmd.Context(), client.NetworkListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}
 		var names []string
-		for _, nw := range list {
+		for _, nw := range res.Items {
 			names = append(names, nw.Name)
 		}
 		return names, cobra.ShellCompDirectiveNoFileComp
@@ -122,35 +150,33 @@ func NetworkNames(dockerCLI APIClientProvider) ValidArgsFn {
 //	export MY_VAR=hello
 //	docker run --rm --env MY_VAR alpine printenv MY_VAR
 //	hello
-func EnvVarNames(_ *cobra.Command, _ []string, _ string) (names []string, _ cobra.ShellCompDirective) {
-	envs := os.Environ()
-	names = make([]string, 0, len(envs))
-	for _, env := range envs {
-		name, _, _ := strings.Cut(env, "=")
-		names = append(names, name)
+func EnvVarNames() cobra.CompletionFunc {
+	return func(_ *cobra.Command, _ []string, _ string) (names []string, _ cobra.ShellCompDirective) {
+		envs := os.Environ()
+		names = make([]string, 0, len(envs))
+		for _, env := range envs {
+			name, _, _ := strings.Cut(env, "=")
+			names = append(names, name)
+		}
+		return names, cobra.ShellCompDirectiveNoFileComp
 	}
-	return names, cobra.ShellCompDirectiveNoFileComp
 }
 
 // FromList offers completion for the given list of options.
-func FromList(options ...string) ValidArgsFn {
+func FromList(options ...string) cobra.CompletionFunc {
 	return cobra.FixedCompletions(options, cobra.ShellCompDirectiveNoFileComp)
 }
 
 // FileNames is a convenience function to use [cobra.ShellCompDirectiveDefault],
 // which indicates to let the shell perform its default behavior after
 // completions have been provided.
-func FileNames(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
-	return nil, cobra.ShellCompDirectiveDefault
-}
-
-// NoComplete is used for commands where there's no relevant completion
-func NoComplete(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
-	return nil, cobra.ShellCompDirectiveNoFileComp
+func FileNames() cobra.CompletionFunc {
+	return func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+		return nil, cobra.ShellCompDirectiveDefault
+	}
 }
 
 var commonPlatforms = []string{
-	"linux",
 	"linux/386",
 	"linux/amd64",
 	"linux/arm",
@@ -167,10 +193,8 @@ var commonPlatforms = []string{
 	// Not yet supported
 	"linux/riscv64",
 
-	"windows",
 	"windows/amd64",
 
-	"wasip1",
 	"wasip1/wasm",
 }
 
@@ -189,6 +213,8 @@ var commonPlatforms = []string{
 //   - we currently exclude architectures that may have unofficial builds,
 //     but don't have wide adoption (and no support), such as loong64, mipsXXX,
 //     ppc64 (non-le) to prevent confusion.
-func Platforms(_ *cobra.Command, _ []string, _ string) (platforms []string, _ cobra.ShellCompDirective) {
-	return commonPlatforms, cobra.ShellCompDirectiveNoFileComp
+func Platforms() cobra.CompletionFunc {
+	return func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+		return commonPlatforms, cobra.ShellCompDirectiveNoFileComp
+	}
 }

cli/command/completion/functions_test.go

@@ -6,13 +6,11 @@ import (
 	"sort"
 	"testing"
 
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/volume"
-	"github.com/docker/docker/client"
-	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/image"
+	"github.com/moby/moby/api/types/network"
+	"github.com/moby/moby/api/types/volume"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -30,38 +28,38 @@ func (c fakeCLI) Client() client.APIClient {
 
 type fakeClient struct {
 	client.Client
-	containerListFunc func(options container.ListOptions) ([]container.Summary, error)
-	imageListFunc     func(options image.ListOptions) ([]image.Summary, error)
-	networkListFunc   func(ctx context.Context, options network.ListOptions) ([]network.Summary, error)
-	volumeListFunc    func(filter filters.Args) (volume.ListResponse, error)
+	containerListFunc func(context.Context, client.ContainerListOptions) (client.ContainerListResult, error)
+	imageListFunc     func(context.Context, client.ImageListOptions) (client.ImageListResult, error)
+	networkListFunc   func(context.Context, client.NetworkListOptions) (client.NetworkListResult, error)
+	volumeListFunc    func(context.Context, client.VolumeListOptions) (client.VolumeListResult, error)
 }
 
-func (c *fakeClient) ContainerList(_ context.Context, options container.ListOptions) ([]container.Summary, error) {
+func (c *fakeClient) ContainerList(ctx context.Context, options client.ContainerListOptions) (client.ContainerListResult, error) {
 	if c.containerListFunc != nil {
-		return c.containerListFunc(options)
+		return c.containerListFunc(ctx, options)
 	}
-	return []container.Summary{}, nil
+	return client.ContainerListResult{}, nil
 }
 
-func (c *fakeClient) ImageList(_ context.Context, options image.ListOptions) ([]image.Summary, error) {
+func (c *fakeClient) ImageList(ctx context.Context, options client.ImageListOptions) (client.ImageListResult, error) {
 	if c.imageListFunc != nil {
-		return c.imageListFunc(options)
+		return c.imageListFunc(ctx, options)
 	}
-	return []image.Summary{}, nil
+	return client.ImageListResult{}, nil
 }
 
-func (c *fakeClient) NetworkList(ctx context.Context, options network.ListOptions) ([]network.Summary, error) {
+func (c *fakeClient) NetworkList(ctx context.Context, options client.NetworkListOptions) (client.NetworkListResult, error) {
 	if c.networkListFunc != nil {
 		return c.networkListFunc(ctx, options)
 	}
-	return []network.Inspect{}, nil
+	return client.NetworkListResult{}, nil
 }
 
-func (c *fakeClient) VolumeList(_ context.Context, options volume.ListOptions) (volume.ListResponse, error) {
+func (c *fakeClient) VolumeList(ctx context.Context, options client.VolumeListOptions) (client.VolumeListResult, error) {
 	if c.volumeListFunc != nil {
-		return c.volumeListFunc(options.Filters)
+		return c.volumeListFunc(ctx, options)
 	}
-	return volume.ListResponse{}, nil
+	return client.VolumeListResult{}, nil
 }
 
 func TestCompleteContainerNames(t *testing.T) {
@@ -71,7 +69,7 @@ func TestCompleteContainerNames(t *testing.T) {
 		filters          []func(container.Summary) bool
 		containers       []container.Summary
 		expOut           []string
-		expOpts          container.ListOptions
+		expOpts          client.ContainerListOptions
 		expDirective     cobra.ShellCompDirective
 	}{
 		{
@@ -82,12 +80,12 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "all containers",
 			showAll: true,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-c", "container-c/link-b", "container-b", "container-a"},
-			expOpts:      container.ListOptions{All: true},
+			expOpts:      client.ContainerListOptions{All: true},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
 		},
 		{
@@ -95,19 +93,19 @@ func TestCompleteContainerNames(t *testing.T) {
 			showAll: true,
 			showIDs: true,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"id-c", "container-c", "container-c/link-b", "id-b", "container-b", "id-a", "container-a"},
-			expOpts:      container.ListOptions{All: true},
+			expOpts:      client.ContainerListOptions{All: true},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
 		},
 		{
 			doc:     "only running containers",
 			showAll: false,
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
 			},
 			expOut:       []string{"container-c", "container-c/link-b"},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
@@ -116,31 +114,31 @@ func TestCompleteContainerNames(t *testing.T) {
 			doc:     "with filter",
 			showAll: true,
 			filters: []func(container.Summary) bool{
-				func(container container.Summary) bool { return container.State == "created" },
+				func(ctr container.Summary) bool { return ctr.State == container.StateCreated },
 			},
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "exited", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateExited, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-b"},
-			expOpts:      container.ListOptions{All: true},
+			expOpts:      client.ContainerListOptions{All: true},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
 		},
 		{
 			doc:     "multiple filters",
 			showAll: true,
 			filters: []func(container.Summary) bool{
-				func(container container.Summary) bool { return container.ID == "id-a" },
-				func(container container.Summary) bool { return container.State == "created" },
+				func(ctr container.Summary) bool { return ctr.ID == "id-a" },
+				func(ctr container.Summary) bool { return ctr.State == container.StateCreated },
 			},
 			containers: []container.Summary{
-				{ID: "id-c", State: "running", Names: []string{"/container-c", "/container-c/link-b"}},
-				{ID: "id-b", State: "created", Names: []string{"/container-b"}},
-				{ID: "id-a", State: "created", Names: []string{"/container-a"}},
+				{ID: "id-c", State: container.StateRunning, Names: []string{"/container-c", "/container-c/link-b"}},
+				{ID: "id-b", State: container.StateCreated, Names: []string{"/container-b"}},
+				{ID: "id-a", State: container.StateCreated, Names: []string{"/container-a"}},
 			},
 			expOut:       []string{"container-a"},
-			expOpts:      container.ListOptions{All: true},
+			expOpts:      client.ContainerListOptions{All: true},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
 		},
 		{
@@ -155,12 +153,12 @@ func TestCompleteContainerNames(t *testing.T) {
 				t.Setenv("DOCKER_COMPLETION_SHOW_CONTAINER_IDS", "yes")
 			}
 			comp := ContainerNames(fakeCLI{&fakeClient{
-				containerListFunc: func(opts container.ListOptions) ([]container.Summary, error) {
-					assert.Check(t, is.DeepEqual(opts, tc.expOpts, cmpopts.IgnoreUnexported(container.ListOptions{}, filters.Args{})))
+				containerListFunc: func(_ context.Context, opts client.ContainerListOptions) (client.ContainerListResult, error) {
+					assert.Check(t, is.DeepEqual(opts, tc.expOpts))
 					if tc.expDirective == cobra.ShellCompDirectiveError {
-						return nil, errors.New("some error occurred")
+						return client.ContainerListResult{}, errors.New("some error occurred")
 					}
-					return tc.containers, nil
+					return client.ContainerListResult{Items: tc.containers}, nil
 				},
 			}}, tc.showAll, tc.filters...)
 
@@ -176,7 +174,7 @@ func TestCompleteEnvVarNames(t *testing.T) {
 		"ENV_A": "hello-a",
 		"ENV_B": "hello-b",
 	})
-	values, directives := EnvVarNames(nil, nil, "")
+	values, directives := EnvVarNames()(nil, nil, "")
 	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
 
 	sort.Strings(values)
@@ -185,7 +183,7 @@ func TestCompleteEnvVarNames(t *testing.T) {
 }
 
 func TestCompleteFileNames(t *testing.T) {
-	values, directives := FileNames(nil, nil, "")
+	values, directives := FileNames()(nil, nil, "")
 	assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveDefault))
 	assert.Check(t, is.Len(values, 0))
 }
@@ -228,11 +226,11 @@ func TestCompleteImageNames(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.doc, func(t *testing.T) {
 			comp := ImageNames(fakeCLI{&fakeClient{
-				imageListFunc: func(options image.ListOptions) ([]image.Summary, error) {
+				imageListFunc: func(context.Context, client.ImageListOptions) (client.ImageListResult, error) {
 					if tc.expDirective == cobra.ShellCompDirectiveError {
-						return nil, errors.New("some error occurred")
+						return client.ImageListResult{}, errors.New("some error occurred")
 					}
-					return tc.images, nil
+					return client.ImageListResult{Items: tc.images}, nil
 				},
 			}}, -1)
 
@@ -257,9 +255,24 @@ func TestCompleteNetworkNames(t *testing.T) {
 		{
 			doc: "with results",
 			networks: []network.Summary{
-				{ID: "nw-c", Name: "network-c"},
-				{ID: "nw-b", Name: "network-b"},
-				{ID: "nw-a", Name: "network-a"},
+				{
+					Network: network.Network{
+						ID:   "nw-c",
+						Name: "network-c",
+					},
+				},
+				{
+					Network: network.Network{
+						ID:   "nw-b",
+						Name: "network-b",
+					},
+				},
+				{
+					Network: network.Network{
+						ID:   "nw-a",
+						Name: "network-a",
+					},
+				},
 			},
 			expOut:       []string{"network-c", "network-b", "network-a"},
 			expDirective: cobra.ShellCompDirectiveNoFileComp,
@@ -273,11 +286,11 @@ func TestCompleteNetworkNames(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.doc, func(t *testing.T) {
 			comp := NetworkNames(fakeCLI{&fakeClient{
-				networkListFunc: func(ctx context.Context, options network.ListOptions) ([]network.Summary, error) {
+				networkListFunc: func(context.Context, client.NetworkListOptions) (client.NetworkListResult, error) {
 					if tc.expDirective == cobra.ShellCompDirectiveError {
-						return nil, errors.New("some error occurred")
+						return client.NetworkListResult{}, errors.New("some error occurred")
 					}
-					return tc.networks, nil
+					return client.NetworkListResult{Items: tc.networks}, nil
 				},
 			}})
 
@@ -288,14 +301,8 @@ func TestCompleteNetworkNames(t *testing.T) {
 	}
 }
 
-func TestCompleteNoComplete(t *testing.T) {
-	values, directives := NoComplete(nil, nil, "")
-	assert.Check(t, is.Equal(directives, cobra.ShellCompDirectiveNoFileComp))
-	assert.Check(t, is.Len(values, 0))
-}
-
 func TestCompletePlatforms(t *testing.T) {
-	values, directives := Platforms(nil, nil, "")
+	values, directives := Platforms()(nil, nil, "")
 	assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
 	assert.Check(t, is.DeepEqual(values, commonPlatforms))
 }
@@ -303,7 +310,7 @@ func TestCompletePlatforms(t *testing.T) {
 func TestCompleteVolumeNames(t *testing.T) {
 	tests := []struct {
 		doc          string
-		volumes      []*volume.Volume
+		volumes      []volume.Volume
 		expOut       []string
 		expDirective cobra.ShellCompDirective
 	}{
@@ -313,7 +320,7 @@ func TestCompleteVolumeNames(t *testing.T) {
 		},
 		{
 			doc: "with results",
-			volumes: []*volume.Volume{
+			volumes: []volume.Volume{
 				{Name: "volume-c"},
 				{Name: "volume-b"},
 				{Name: "volume-a"},
@@ -330,11 +337,11 @@ func TestCompleteVolumeNames(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.doc, func(t *testing.T) {
 			comp := VolumeNames(fakeCLI{&fakeClient{
-				volumeListFunc: func(filter filters.Args) (volume.ListResponse, error) {
+				volumeListFunc: func(context.Context, client.VolumeListOptions) (client.VolumeListResult, error) {
 					if tc.expDirective == cobra.ShellCompDirectiveError {
-						return volume.ListResponse{}, errors.New("some error occurred")
+						return client.VolumeListResult{}, errors.New("some error occurred")
 					}
-					return volume.ListResponse{Volumes: tc.volumes}, nil
+					return client.VolumeListResult{Items: tc.volumes}, nil
 				},
 			}})
 

cli/command/config/client_test.go

@@ -3,43 +3,41 @@ package config
 import (
 	"context"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/swarm"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
 )
 
 type fakeClient struct {
 	client.Client
-	configCreateFunc  func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
-	configInspectFunc func(context.Context, string) (swarm.Config, []byte, error)
-	configListFunc    func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
-	configRemoveFunc  func(string) error
+	configCreateFunc  func(context.Context, client.ConfigCreateOptions) (client.ConfigCreateResult, error)
+	configInspectFunc func(context.Context, string, client.ConfigInspectOptions) (client.ConfigInspectResult, error)
+	configListFunc    func(context.Context, client.ConfigListOptions) (client.ConfigListResult, error)
+	configRemoveFunc  func(context.Context, string, client.ConfigRemoveOptions) (client.ConfigRemoveResult, error)
 }
 
-func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+func (c *fakeClient) ConfigCreate(ctx context.Context, options client.ConfigCreateOptions) (client.ConfigCreateResult, error) {
 	if c.configCreateFunc != nil {
-		return c.configCreateFunc(ctx, spec)
+		return c.configCreateFunc(ctx, options)
 	}
-	return types.ConfigCreateResponse{}, nil
+	return client.ConfigCreateResult{}, nil
 }
 
-func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
+func (c *fakeClient) ConfigInspect(ctx context.Context, id string, options client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
 	if c.configInspectFunc != nil {
-		return c.configInspectFunc(ctx, id)
+		return c.configInspectFunc(ctx, id, options)
 	}
-	return swarm.Config{}, nil, nil
+	return client.ConfigInspectResult{}, nil
 }
 
-func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (c *fakeClient) ConfigList(ctx context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
 	if c.configListFunc != nil {
 		return c.configListFunc(ctx, options)
 	}
-	return []swarm.Config{}, nil
+	return client.ConfigListResult{}, nil
 }
 
-func (c *fakeClient) ConfigRemove(_ context.Context, name string) error {
+func (c *fakeClient) ConfigRemove(ctx context.Context, name string, options client.ConfigRemoveOptions) (client.ConfigRemoveResult, error) {
 	if c.configRemoveFunc != nil {
-		return c.configRemoveFunc(name)
+		return c.configRemoveFunc(ctx, name, options)
 	}
-	return nil
+	return client.ConfigRemoveResult{}, nil
 }

cli/command/config/cmd.go

@@ -4,40 +4,46 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/cli/internal/commands"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-// NewConfigCommand returns a cobra command for `config` subcommands
-func NewConfigCommand(dockerCli command.Cli) *cobra.Command {
+func init() {
+	commands.Register(newConfigCommand)
+}
+
+// newConfigCommand returns a cobra command for `config` subcommands
+func newConfigCommand(dockerCLI command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "config",
 		Short: "Manage Swarm configs",
 		Args:  cli.NoArgs,
-		RunE:  command.ShowHelp(dockerCli.Err()),
+		RunE:  command.ShowHelp(dockerCLI.Err()),
 		Annotations: map[string]string{
 			"version": "1.30",
 			"swarm":   "manager",
 		},
+		DisableFlagsInUseLine: true,
 	}
 	cmd.AddCommand(
-		newConfigListCommand(dockerCli),
-		newConfigCreateCommand(dockerCli),
-		newConfigInspectCommand(dockerCli),
-		newConfigRemoveCommand(dockerCli),
+		newConfigListCommand(dockerCLI),
+		newConfigCreateCommand(dockerCLI),
+		newConfigInspectCommand(dockerCLI),
+		newConfigRemoveCommand(dockerCLI),
 	)
 	return cmd
 }
 
 // completeNames offers completion for swarm configs
-func completeNames(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeNames(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCLI.Client().ConfigList(cmd.Context(), types.ConfigListOptions{})
+		res, err := dockerCLI.Client().ConfigList(cmd.Context(), client.ConfigListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}
 		var names []string
-		for _, config := range list {
+		for _, config := range res.Items {
 			names = append(names, config.ID)
 		}
 		return names, cobra.ShellCompDirectiveNoFileComp

cli/command/config/create.go

@@ -2,30 +2,30 @@ package config
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/swarm"
+	"github.com/moby/moby/api/types/swarm"
+	"github.com/moby/moby/client"
 	"github.com/moby/sys/sequential"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
-// CreateOptions specifies some options that are used when creating a config.
-type CreateOptions struct {
-	Name           string
-	TemplateDriver string
-	File           string
-	Labels         opts.ListOpts
+// createOptions specifies some options that are used when creating a config.
+type createOptions struct {
+	name           string
+	templateDriver string
+	file           string
+	labels         opts.ListOpts
 }
 
-func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
-	createOpts := CreateOptions{
-		Labels: opts.NewListOpts(opts.ValidateLabel),
+func newConfigCreateCommand(dockerCLI command.Cli) *cobra.Command {
+	createOpts := createOptions{
+		labels: opts.NewListOpts(opts.ValidateLabel),
 	}
 
 	cmd := &cobra.Command{
@@ -33,56 +33,113 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Create a config from a file or STDIN",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			createOpts.Name = args[0]
-			createOpts.File = args[1]
-			return RunConfigCreate(cmd.Context(), dockerCli, createOpts)
+			createOpts.name = args[0]
+			createOpts.file = args[1]
+			return runCreate(cmd.Context(), dockerCLI, createOpts)
 		},
-		ValidArgsFunction: completion.NoComplete,
+		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+			switch len(args) {
+			case 0:
+				// No completion for the first argument, which is the name for
+				// the new config, but if a non-empty name is given, we return
+				// it as completion to allow "tab"-ing to the next completion.
+				return []string{toComplete}, cobra.ShellCompDirectiveNoFileComp
+			case 1:
+				// Second argument is either "-" or a file to load.
+				//
+				// TODO(thaJeztah): provide completion for "-".
+				return nil, cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveDefault
+			default:
+				// Command only accepts two arguments.
+				return nil, cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveNoFileComp
+			}
+		},
+		DisableFlagsInUseLine: true,
 	}
 	flags := cmd.Flags()
-	flags.VarP(&createOpts.Labels, "label", "l", "Config labels")
-	flags.StringVar(&createOpts.TemplateDriver, "template-driver", "", "Template driver")
-	flags.SetAnnotation("template-driver", "version", []string{"1.37"})
+	flags.VarP(&createOpts.labels, "label", "l", "Config labels")
+	flags.StringVar(&createOpts.templateDriver, "template-driver", "", "Template driver")
+	_ = flags.SetAnnotation("template-driver", "version", []string{"1.37"})
 
 	return cmd
 }
 
-// RunConfigCreate creates a config with the given options.
-func RunConfigCreate(ctx context.Context, dockerCLI command.Cli, options CreateOptions) error {
+// runCreate creates a config with the given options.
+func runCreate(ctx context.Context, dockerCLI command.Cli, options createOptions) error {
 	apiClient := dockerCLI.Client()
 
-	var in io.Reader = dockerCLI.In()
-	if options.File != "-" {
-		file, err := sequential.Open(options.File)
-		if err != nil {
-			return err
-		}
-		in = file
-		defer file.Close()
-	}
-
-	configData, err := io.ReadAll(in)
+	configData, err := readConfigData(dockerCLI.In(), options.file)
 	if err != nil {
-		return errors.Errorf("Error reading content from %q: %v", options.File, err)
+		return fmt.Errorf("error reading content from %q: %v", options.file, err)
 	}
 
 	spec := swarm.ConfigSpec{
 		Annotations: swarm.Annotations{
-			Name:   options.Name,
-			Labels: opts.ConvertKVStringsToMap(options.Labels.GetAll()),
+			Name:   options.name,
+			Labels: opts.ConvertKVStringsToMap(options.labels.GetSlice()),
 		},
 		Data: configData,
 	}
-	if options.TemplateDriver != "" {
+	if options.templateDriver != "" {
 		spec.Templating = &swarm.Driver{
-			Name: options.TemplateDriver,
+			Name: options.templateDriver,
 		}
 	}
-	r, err := apiClient.ConfigCreate(ctx, spec)
+	r, err := apiClient.ConfigCreate(ctx, client.ConfigCreateOptions{
+		Spec: spec,
+	})
 	if err != nil {
 		return err
 	}
 
-	fmt.Fprintln(dockerCLI.Out(), r.ID)
+	_, _ = fmt.Fprintln(dockerCLI.Out(), r.ID)
 	return nil
 }
+
+// maxConfigSize is the maximum byte length of the [swarm.ConfigSpec.Data] field,
+// as defined by [MaxConfigSize] in SwarmKit.
+//
+// [MaxConfigSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize
+const maxConfigSize = 1000 * 1024 // 1000KB
+
+// readConfigData reads the config from either stdin or the given fileName.
+//
+// It reads up to twice the maximum size of the config ([maxConfigSize]),
+// just in case swarm's limit changes; this is only a safeguard to prevent
+// reading arbitrary files into memory.
+func readConfigData(in io.Reader, fileName string) ([]byte, error) {
+	switch fileName {
+	case "-":
+		data, err := io.ReadAll(io.LimitReader(in, 2*maxConfigSize))
+		if err != nil {
+			return nil, fmt.Errorf("error reading from STDIN: %w", err)
+		}
+		if len(data) == 0 {
+			return nil, errors.New("error reading from STDIN: data is empty")
+		}
+		return data, nil
+	case "":
+		return nil, errors.New("config file is required")
+	default:
+		// Open file with [FILE_FLAG_SEQUENTIAL_SCAN] on Windows, which
+		// prevents Windows from aggressively caching it. We expect this
+		// file to be only read once. Given that this is expected to be
+		// a small file, this may not be a significant optimization, so
+		// we could choose to omit this, and use a regular [os.Open].
+		//
+		// [FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
+		f, err := sequential.Open(fileName)
+		if err != nil {
+			return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
+		}
+		defer f.Close()
+		data, err := io.ReadAll(io.LimitReader(f, 2*maxConfigSize))
+		if err != nil {
+			return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
+		}
+		if len(data) == 0 {
+			return nil, fmt.Errorf("error reading from %s: data is empty", fileName)
+		}
+		return data, nil
+	}
+}

cli/command/config/create_test.go

@@ -12,8 +12,8 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/swarm"
+	"github.com/moby/moby/api/types/swarm"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -24,7 +24,7 @@ const configDataFile = "config-create-with-name.golden"
 func TestConfigCreateErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		configCreateFunc func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+		configCreateFunc func(context.Context, client.ConfigCreateOptions) (client.ConfigCreateResult, error)
 		expectedError    string
 	}{
 		{
@@ -37,8 +37,8 @@ func TestConfigCreateErrors(t *testing.T) {
 		},
 		{
 			args: []string{"name", filepath.Join("testdata", configDataFile)},
-			configCreateFunc: func(_ context.Context, configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-				return types.ConfigCreateResponse{}, errors.New("error creating config")
+			configCreateFunc: func(_ context.Context, options client.ConfigCreateOptions) (client.ConfigCreateResult, error) {
+				return client.ConfigCreateResult{}, errors.New("error creating config")
 			},
 			expectedError: "error creating config",
 		},
@@ -59,18 +59,18 @@ func TestConfigCreateErrors(t *testing.T) {
 }
 
 func TestConfigCreateWithName(t *testing.T) {
-	name := "foo"
+	const name = "config-with-name"
 	var actual []byte
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-			if spec.Name != name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
+		configCreateFunc: func(_ context.Context, options client.ConfigCreateOptions) (client.ConfigCreateResult, error) {
+			if options.Spec.Name != name {
+				return client.ConfigCreateResult{}, fmt.Errorf("expected name %q, got %q", name, options.Spec.Name)
 			}
 
-			actual = spec.Data
+			actual = options.Spec.Data
 
-			return types.ConfigCreateResponse{
-				ID: "ID-" + spec.Name,
+			return client.ConfigCreateResult{
+				ID: "ID-" + options.Spec.Name,
 			}, nil
 		},
 	})
@@ -87,7 +87,7 @@ func TestConfigCreateWithLabels(t *testing.T) {
 		"lbl1": "Label-foo",
 		"lbl2": "Label-bar",
 	}
-	name := "foo"
+	const name = "config-with-labels"
 
 	data, err := os.ReadFile(filepath.Join("testdata", configDataFile))
 	assert.NilError(t, err)
@@ -101,13 +101,13 @@ func TestConfigCreateWithLabels(t *testing.T) {
 	}
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-			if !reflect.DeepEqual(spec, expected) {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected %+v, got %+v", expected, spec)
+		configCreateFunc: func(_ context.Context, options client.ConfigCreateOptions) (client.ConfigCreateResult, error) {
+			if !reflect.DeepEqual(options.Spec, expected) {
+				return client.ConfigCreateResult{}, fmt.Errorf("expected %+v, got %+v", expected, options.Spec)
 			}
 
-			return types.ConfigCreateResponse{
-				ID: "ID-" + spec.Name,
+			return client.ConfigCreateResult{
+				ID: "ID-" + options.Spec.Name,
 			}, nil
 		},
 	})
@@ -124,20 +124,20 @@ func TestConfigCreateWithTemplatingDriver(t *testing.T) {
 	expectedDriver := &swarm.Driver{
 		Name: "template-driver",
 	}
-	name := "foo"
+	const name = "config-with-template-driver"
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-			if spec.Name != name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected name %q, got %q", name, spec.Name)
+		configCreateFunc: func(_ context.Context, options client.ConfigCreateOptions) (client.ConfigCreateResult, error) {
+			if options.Spec.Name != name {
+				return client.ConfigCreateResult{}, fmt.Errorf("expected name %q, got %q", name, options.Spec.Name)
 			}
 
-			if spec.Templating.Name != expectedDriver.Name {
-				return types.ConfigCreateResponse{}, fmt.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+			if options.Spec.Templating.Name != expectedDriver.Name {
+				return client.ConfigCreateResult{}, fmt.Errorf("expected driver %v, got %v", expectedDriver, options.Spec.Labels)
 			}
 
-			return types.ConfigCreateResponse{
-				ID: "ID-" + spec.Name,
+			return client.ConfigCreateResult{
+				ID: "ID-" + options.Spec.Name,
 			}, nil
 		},
 	})

cli/command/config/formatter.go

@@ -5,11 +5,11 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/inspect"
-	"github.com/docker/docker/api/types/swarm"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
+	"github.com/moby/moby/api/types/swarm"
+	"github.com/moby/moby/client"
 )
 
 const (
@@ -30,8 +30,8 @@ Data:
 {{.Data}}`
 )
 
-// NewFormat returns a Format for rendering using a config Context
-func NewFormat(source string, quiet bool) formatter.Format {
+// newFormat returns a Format for rendering using a configContext.
+func newFormat(source string, quiet bool) formatter.Format {
 	switch source {
 	case formatter.PrettyFormatKey:
 		return configInspectPrettyTemplate
@@ -44,31 +44,28 @@ func NewFormat(source string, quiet bool) formatter.Format {
 	return formatter.Format(source)
 }
 
-// FormatWrite writes the context
-func FormatWrite(ctx formatter.Context, configs []swarm.Config) error {
-	render := func(format func(subContext formatter.SubContext) error) error {
-		for _, config := range configs {
+// formatWrite writes the context
+func formatWrite(fmtCtx formatter.Context, configs client.ConfigListResult) error {
+	cCtx := &configContext{
+		HeaderContext: formatter.HeaderContext{
+			Header: formatter.SubHeaderContext{
+				"ID":        configIDHeader,
+				"Name":      formatter.NameHeader,
+				"CreatedAt": configCreatedHeader,
+				"UpdatedAt": configUpdatedHeader,
+				"Labels":    formatter.LabelsHeader,
+			},
+		},
+	}
+	return fmtCtx.Write(cCtx, func(format func(subContext formatter.SubContext) error) error {
+		for _, config := range configs.Items {
 			configCtx := &configContext{c: config}
 			if err := format(configCtx); err != nil {
 				return err
 			}
 		}
 		return nil
-	}
-	return ctx.Write(newConfigContext(), render)
-}
-
-func newConfigContext() *configContext {
-	cCtx := &configContext{}
-
-	cCtx.Header = formatter.SubHeaderContext{
-		"ID":        configIDHeader,
-		"Name":      formatter.NameHeader,
-		"CreatedAt": configCreatedHeader,
-		"UpdatedAt": configUpdatedHeader,
-		"Labels":    formatter.LabelsHeader,
-	}
-	return cCtx
+	})
 }
 
 type configContext struct {
@@ -115,12 +112,12 @@ func (c *configContext) Label(name string) string {
 	return c.c.Spec.Annotations.Labels[name]
 }
 
-// InspectFormatWrite renders the context for a list of configs
-func InspectFormatWrite(ctx formatter.Context, refs []string, getRef inspect.GetRefFunc) error {
-	if ctx.Format != configInspectPrettyTemplate {
-		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
+// inspectFormatWrite renders the context for a list of configs
+func inspectFormatWrite(fmtCtx formatter.Context, refs []string, getRef inspect.GetRefFunc) error {
+	if fmtCtx.Format != configInspectPrettyTemplate {
+		return inspect.Inspect(fmtCtx.Output, refs, string(fmtCtx.Format), getRef)
 	}
-	render := func(format func(subContext formatter.SubContext) error) error {
+	return fmtCtx.Write(&configInspectContext{}, func(format func(subContext formatter.SubContext) error) error {
 		for _, ref := range refs {
 			configI, _, err := getRef(ref)
 			if err != nil {
@@ -135,8 +132,7 @@ func InspectFormatWrite(ctx formatter.Context, refs []string, getRef inspect.Get
 			}
 		}
 		return nil
-	}
-	return ctx.Write(&configInspectContext{}, render)
+	})
 }
 
 type configInspectContext struct {
@@ -157,11 +153,11 @@ func (ctx *configInspectContext) Labels() map[string]string {
 }
 
 func (ctx *configInspectContext) CreatedAt() string {
-	return command.PrettyPrint(ctx.Config.CreatedAt)
+	return formatter.PrettyPrint(ctx.Config.CreatedAt)
 }
 
 func (ctx *configInspectContext) UpdatedAt() string {
-	return command.PrettyPrint(ctx.Config.UpdatedAt)
+	return formatter.PrettyPrint(ctx.Config.UpdatedAt)
 }
 
 func (ctx *configInspectContext) Data() string {

cli/command/config/formatter_test.go

@@ -6,7 +6,8 @@ import (
 	"time"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/swarm"
+	"github.com/moby/moby/api/types/swarm"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 )
 
@@ -27,44 +28,46 @@ func TestConfigContextFormatWrite(t *testing.T) {
 		},
 		// Table format
 		{
-			formatter.Context{Format: NewFormat("table", false)},
+			formatter.Context{Format: newFormat("table", false)},
 			`ID        NAME        CREATED                  UPDATED
 1         passwords   Less than a second ago   Less than a second ago
 2         id_rsa      Less than a second ago   Less than a second ago
 `,
 		},
 		{
-			formatter.Context{Format: NewFormat("table {{.Name}}", true)},
+			formatter.Context{Format: newFormat("table {{.Name}}", true)},
 			`NAME
 passwords
 id_rsa
 `,
 		},
 		{
-			formatter.Context{Format: NewFormat("{{.ID}}-{{.Name}}", false)},
+			formatter.Context{Format: newFormat("{{.ID}}-{{.Name}}", false)},
 			`1-passwords
 2-id_rsa
 `,
 		},
 	}
 
-	configs := []swarm.Config{
-		{
-			ID:   "1",
-			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
-			Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "passwords"}},
-		},
-		{
-			ID:   "2",
-			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
-			Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "id_rsa"}},
+	res := client.ConfigListResult{
+		Items: []swarm.Config{
+			{
+				ID:   "1",
+				Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+				Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "passwords"}},
+			},
+			{
+				ID:   "2",
+				Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+				Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "id_rsa"}},
+			},
 		},
 	}
 	for _, tc := range cases {
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			var out bytes.Buffer
 			tc.context.Output = &out
-			if err := FormatWrite(tc.context, configs); err != nil {
+			if err := formatWrite(tc.context, res); err != nil {
 				assert.ErrorContains(t, err, tc.expected)
 			} else {
 				assert.Equal(t, out.String(), tc.expected)

cli/command/config/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.24
 
 package config
 
@@ -12,61 +12,61 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
 	flagsHelper "github.com/docker/cli/cli/flags"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-// InspectOptions contains options for the docker config inspect command.
-type InspectOptions struct {
-	Names  []string
-	Format string
-	Pretty bool
+// inspectOptions contains options for the docker config inspect command.
+type inspectOptions struct {
+	names  []string
+	format string
+	pretty bool
 }
 
-func newConfigInspectCommand(dockerCli command.Cli) *cobra.Command {
-	opts := InspectOptions{}
+func newConfigInspectCommand(dockerCLI command.Cli) *cobra.Command {
+	opts := inspectOptions{}
 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] CONFIG [CONFIG...]",
 		Short: "Display detailed information on one or more configs",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.Names = args
-			return RunConfigInspect(cmd.Context(), dockerCli, opts)
-		},
-		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-			return completeNames(dockerCli)(cmd, args, toComplete)
+			opts.names = args
+			return runInspect(cmd.Context(), dockerCLI, opts)
 		},
+		ValidArgsFunction:     completeNames(dockerCLI),
+		DisableFlagsInUseLine: true,
 	}
 
-	cmd.Flags().StringVarP(&opts.Format, "format", "f", "", flagsHelper.InspectFormatHelp)
-	cmd.Flags().BoolVar(&opts.Pretty, "pretty", false, "Print the information in a human friendly format")
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", flagsHelper.InspectFormatHelp)
+	cmd.Flags().BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
 	return cmd
 }
 
-// RunConfigInspect inspects the given Swarm config.
-func RunConfigInspect(ctx context.Context, dockerCLI command.Cli, opts InspectOptions) error {
+// runInspect inspects the given Swarm config.
+func runInspect(ctx context.Context, dockerCLI command.Cli, opts inspectOptions) error {
 	apiClient := dockerCLI.Client()
 
-	if opts.Pretty {
-		opts.Format = "pretty"
+	if opts.pretty {
+		opts.format = "pretty"
 	}
 
 	getRef := func(id string) (any, []byte, error) {
-		return apiClient.ConfigInspectWithRaw(ctx, id)
+		res, err := apiClient.ConfigInspect(ctx, id, client.ConfigInspectOptions{})
+		return res.Config, res.Raw, err
 	}
-	f := opts.Format
 
 	// check if the user is trying to apply a template to the pretty format, which
 	// is not supported
-	if strings.HasPrefix(f, "pretty") && f != "pretty" {
+	if strings.HasPrefix(opts.format, "pretty") && opts.format != "pretty" {
 		return errors.New("cannot supply extra formatting options to the pretty template")
 	}
 
 	configCtx := formatter.Context{
 		Output: dockerCLI.Out(),
-		Format: NewFormat(f, false),
+		Format: newFormat(opts.format, false),
 	}
 
-	if err := InspectFormatWrite(configCtx, opts.Names, getRef); err != nil {
+	if err := inspectFormatWrite(configCtx, opts.names, getRef); err != nil {
 		return cli.StatusError{StatusCode: 1, Status: err.Error()}
 	}
 	return nil

cli/command/config/inspect_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
-	"github.com/docker/docker/api/types/swarm"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
 )
@@ -19,7 +19,7 @@ func TestConfigInspectErrors(t *testing.T) {
 	testCases := []struct {
 		args              []string
 		flags             map[string]string
-		configInspectFunc func(_ context.Context, configID string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, configID string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error)
 		expectedError     string
 	}{
 		{
@@ -27,8 +27,8 @@ func TestConfigInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			configInspectFunc: func(_ context.Context, configID string) (swarm.Config, []byte, error) {
-				return swarm.Config{}, nil, errors.New("error while inspecting the config")
+			configInspectFunc: func(context.Context, string, client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
+				return client.ConfigInspectResult{}, errors.New("error while inspecting the config")
 			},
 			expectedError: "error while inspecting the config",
 		},
@@ -41,11 +41,13 @@ func TestConfigInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo", "bar"},
-			configInspectFunc: func(_ context.Context, configID string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, configID string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
 				if configID == "foo" {
-					return *builders.Config(builders.ConfigName("foo")), nil, nil
+					return client.ConfigInspectResult{
+						Config: *builders.Config(builders.ConfigName("foo")),
+					}, nil
 				}
-				return swarm.Config{}, nil, errors.New("error while inspecting the config")
+				return client.ConfigInspectResult{}, errors.New("error while inspecting the config")
 			},
 			expectedError: "error while inspecting the config",
 		},
@@ -70,25 +72,34 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 	testCases := []struct {
 		name              string
 		args              []string
-		configInspectFunc func(_ context.Context, configID string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, configID string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error)
 	}{
 		{
 			name: "single-config",
 			args: []string{"foo"},
-			configInspectFunc: func(_ context.Context, name string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, name string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
 				if name != "foo" {
-					return swarm.Config{}, nil, fmt.Errorf("invalid name, expected %s, got %s", "foo", name)
+					return client.ConfigInspectResult{}, fmt.Errorf("invalid name, expected %s, got %s", "foo", name)
 				}
-				return *builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")), nil, nil
+				return client.ConfigInspectResult{
+					Config: *builders.Config(
+						builders.ConfigID("ID-foo"),
+						builders.ConfigName("foo"),
+					),
+				}, nil
 			},
 		},
 		{
 			name: "multiple-configs-with-labels",
 			args: []string{"foo", "bar"},
-			configInspectFunc: func(_ context.Context, name string) (swarm.Config, []byte, error) {
-				return *builders.Config(builders.ConfigID("ID-"+name), builders.ConfigName(name), builders.ConfigLabels(map[string]string{
-					"label1": "label-foo",
-				})), nil, nil
+			configInspectFunc: func(_ context.Context, name string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
+				return client.ConfigInspectResult{
+					Config: *builders.Config(
+						builders.ConfigID("ID-"+name),
+						builders.ConfigName(name),
+						builders.ConfigLabels(map[string]string{"label1": "label-foo"}),
+					),
+				}, nil
 			},
 		},
 	}
@@ -102,16 +113,19 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 }
 
 func TestConfigInspectWithFormat(t *testing.T) {
-	configInspectFunc := func(_ context.Context, name string) (swarm.Config, []byte, error) {
-		return *builders.Config(builders.ConfigName("foo"), builders.ConfigLabels(map[string]string{
-			"label1": "label-foo",
-		})), nil, nil
+	configInspectFunc := func(_ context.Context, name string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
+		return client.ConfigInspectResult{
+			Config: *builders.Config(
+				builders.ConfigName("foo"),
+				builders.ConfigLabels(map[string]string{"label1": "label-foo"}),
+			),
+		}, nil
 	}
 	testCases := []struct {
 		name              string
 		format            string
 		args              []string
-		configInspectFunc func(_ context.Context, name string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, name string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error)
 	}{
 		{
 			name:              "simple-template",
@@ -141,21 +155,23 @@ func TestConfigInspectWithFormat(t *testing.T) {
 func TestConfigInspectPretty(t *testing.T) {
 	testCases := []struct {
 		name              string
-		configInspectFunc func(context.Context, string) (swarm.Config, []byte, error)
+		configInspectFunc func(context.Context, string, client.ConfigInspectOptions) (client.ConfigInspectResult, error)
 	}{
 		{
 			name: "simple",
-			configInspectFunc: func(_ context.Context, id string) (swarm.Config, []byte, error) {
-				return *builders.Config(
-					builders.ConfigLabels(map[string]string{
-						"lbl1": "value1",
-					}),
-					builders.ConfigID("configID"),
-					builders.ConfigName("configName"),
-					builders.ConfigCreatedAt(time.Time{}),
-					builders.ConfigUpdatedAt(time.Time{}),
-					builders.ConfigData([]byte("payload here")),
-				), []byte{}, nil
+			configInspectFunc: func(_ context.Context, id string, _ client.ConfigInspectOptions) (client.ConfigInspectResult, error) {
+				return client.ConfigInspectResult{
+					Config: *builders.Config(
+						builders.ConfigLabels(map[string]string{
+							"lbl1": "value1",
+						}),
+						builders.ConfigID("configID"),
+						builders.ConfigName("configName"),
+						builders.ConfigCreatedAt(time.Time{}),
+						builders.ConfigUpdatedAt(time.Time{}),
+						builders.ConfigData([]byte("payload here")),
+					),
+				}, nil
 			},
 		},
 	}

cli/command/config/ls.go

@@ -6,24 +6,23 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/formatter"
 	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
 	"github.com/fvbommel/sortorder"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-// ListOptions contains options for the docker config ls command.
-type ListOptions struct {
-	Quiet  bool
-	Format string
-	Filter opts.FilterOpt
+// listOptions contains options for the docker config ls command.
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
 }
 
-func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
-	listOpts := ListOptions{Filter: opts.NewFilterOpt()}
+func newConfigListCommand(dockerCLI command.Cli) *cobra.Command {
+	listOpts := listOptions{filter: opts.NewFilterOpt()}
 
 	cmd := &cobra.Command{
 		Use:     "ls [OPTIONS]",
@@ -31,44 +30,45 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "List configs",
 		Args:    cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return RunConfigList(cmd.Context(), dockerCli, listOpts)
+			return runList(cmd.Context(), dockerCLI, listOpts)
 		},
-		ValidArgsFunction: completion.NoComplete,
+		ValidArgsFunction:     cobra.NoFileCompletions,
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
-	flags.BoolVarP(&listOpts.Quiet, "quiet", "q", false, "Only display IDs")
-	flags.StringVar(&listOpts.Format, "format", "", flagsHelper.FormatHelp)
-	flags.VarP(&listOpts.Filter, "filter", "f", "Filter output based on conditions provided")
+	flags.BoolVarP(&listOpts.quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVar(&listOpts.format, "format", "", flagsHelper.FormatHelp)
+	flags.VarP(&listOpts.filter, "filter", "f", "Filter output based on conditions provided")
 
 	return cmd
 }
 
-// RunConfigList lists Swarm configs.
-func RunConfigList(ctx context.Context, dockerCLI command.Cli, options ListOptions) error {
+// runList lists Swarm configs.
+func runList(ctx context.Context, dockerCLI command.Cli, options listOptions) error {
 	apiClient := dockerCLI.Client()
 
-	configs, err := apiClient.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
+	res, err := apiClient.ConfigList(ctx, client.ConfigListOptions{Filters: options.filter.Value()})
 	if err != nil {
 		return err
 	}
 
-	format := options.Format
+	format := options.format
 	if len(format) == 0 {
-		if len(dockerCLI.ConfigFile().ConfigFormat) > 0 && !options.Quiet {
+		if len(dockerCLI.ConfigFile().ConfigFormat) > 0 && !options.quiet {
 			format = dockerCLI.ConfigFile().ConfigFormat
 		} else {
 			format = formatter.TableFormatKey
 		}
 	}
 
-	sort.Slice(configs, func(i, j int) bool {
-		return sortorder.NaturalLess(configs[i].Spec.Name, configs[j].Spec.Name)
+	sort.Slice(res.Items, func(i, j int) bool {
+		return sortorder.NaturalLess(res.Items[i].Spec.Name, res.Items[j].Spec.Name)
 	})
 
 	configCtx := formatter.Context{
 		Output: dockerCLI.Out(),
-		Format: NewFormat(format, options.Quiet),
+		Format: newFormat(format, options.quiet),
 	}
-	return FormatWrite(configCtx, configs)
+	return formatWrite(configCtx, res)
 }

cli/command/config/ls_test.go

@@ -10,17 +10,16 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/swarm"
+	"github.com/moby/moby/api/types/swarm"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
 )
 
 func TestConfigListErrors(t *testing.T) {
 	testCases := []struct {
 		args           []string
-		configListFunc func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
+		configListFunc func(context.Context, client.ConfigListOptions) (client.ConfigListResult, error)
 		expectedError  string
 	}{
 		{
@@ -28,8 +27,8 @@ func TestConfigListErrors(t *testing.T) {
 			expectedError: "accepts no argument",
 		},
 		{
-			configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-				return []swarm.Config{}, errors.New("error listing configs")
+			configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+				return client.ConfigListResult{}, errors.New("error listing configs")
 			},
 			expectedError: "error listing configs",
 		},
@@ -49,26 +48,28 @@ func TestConfigListErrors(t *testing.T) {
 
 func TestConfigList(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-			return []swarm.Config{
-				*builders.Config(builders.ConfigID("ID-1-foo"),
-					builders.ConfigName("1-foo"),
-					builders.ConfigVersion(swarm.Version{Index: 10}),
-					builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
-					builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
-				),
-				*builders.Config(builders.ConfigID("ID-10-foo"),
-					builders.ConfigName("10-foo"),
-					builders.ConfigVersion(swarm.Version{Index: 11}),
-					builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
-					builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
-				),
-				*builders.Config(builders.ConfigID("ID-2-foo"),
-					builders.ConfigName("2-foo"),
-					builders.ConfigVersion(swarm.Version{Index: 11}),
-					builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
-					builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
-				),
+		configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+			return client.ConfigListResult{
+				Items: []swarm.Config{
+					*builders.Config(builders.ConfigID("ID-1-foo"),
+						builders.ConfigName("1-foo"),
+						builders.ConfigVersion(swarm.Version{Index: 10}),
+						builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+						builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+					),
+					*builders.Config(builders.ConfigID("ID-10-foo"),
+						builders.ConfigName("10-foo"),
+						builders.ConfigVersion(swarm.Version{Index: 11}),
+						builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+						builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+					),
+					*builders.Config(builders.ConfigID("ID-2-foo"),
+						builders.ConfigName("2-foo"),
+						builders.ConfigVersion(swarm.Version{Index: 11}),
+						builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+						builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+					),
+				},
 			}, nil
 		},
 	})
@@ -79,12 +80,14 @@ func TestConfigList(t *testing.T) {
 
 func TestConfigListWithQuietOption(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-			return []swarm.Config{
-				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
-				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
-					"label": "label-bar",
-				})),
+		configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+			return client.ConfigListResult{
+				Items: []swarm.Config{
+					*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
+					*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
+						"label": "label-bar",
+					})),
+				},
 			}, nil
 		},
 	})
@@ -96,12 +99,14 @@ func TestConfigListWithQuietOption(t *testing.T) {
 
 func TestConfigListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-			return []swarm.Config{
-				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
-				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
-					"label": "label-bar",
-				})),
+		configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+			return client.ConfigListResult{
+				Items: []swarm.Config{
+					*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
+					*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
+						"label": "label-bar",
+					})),
+				},
 			}, nil
 		},
 	})
@@ -115,12 +120,14 @@ func TestConfigListWithConfigFormat(t *testing.T) {
 
 func TestConfigListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-			return []swarm.Config{
-				*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
-				*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
-					"label": "label-bar",
-				})),
+		configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+			return client.ConfigListResult{
+				Items: []swarm.Config{
+					*builders.Config(builders.ConfigID("ID-foo"), builders.ConfigName("foo")),
+					*builders.Config(builders.ConfigID("ID-bar"), builders.ConfigName("bar"), builders.ConfigLabels(map[string]string{
+						"label": "label-bar",
+					})),
+				},
 			}, nil
 		},
 	})
@@ -132,22 +139,24 @@ func TestConfigListWithFormat(t *testing.T) {
 
 func TestConfigListWithFilter(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
-			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]))
-			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
-			return []swarm.Config{
-				*builders.Config(builders.ConfigID("ID-foo"),
-					builders.ConfigName("foo"),
-					builders.ConfigVersion(swarm.Version{Index: 10}),
-					builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
-					builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
-				),
-				*builders.Config(builders.ConfigID("ID-bar"),
-					builders.ConfigName("bar"),
-					builders.ConfigVersion(swarm.Version{Index: 11}),
-					builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
-					builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
-				),
+		configListFunc: func(_ context.Context, options client.ConfigListOptions) (client.ConfigListResult, error) {
+			assert.Check(t, options.Filters["name"]["foo"])
+			assert.Check(t, options.Filters["label"]["lbl1=Label-bar"])
+			return client.ConfigListResult{
+				Items: []swarm.Config{
+					*builders.Config(builders.ConfigID("ID-foo"),
+						builders.ConfigName("foo"),
+						builders.ConfigVersion(swarm.Version{Index: 10}),
+						builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+						builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+					),
+					*builders.Config(builders.ConfigID("ID-bar"),
+						builders.ConfigName("bar"),
+						builders.ConfigVersion(swarm.Version{Index: 11}),
+						builders.ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+						builders.ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+					),
+				},
 			}, nil
 		},
 	})

cli/command/config/remove.go

@@ -7,39 +7,31 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-// RemoveOptions contains options for the docker config rm command.
-type RemoveOptions struct {
-	Names []string
-}
-
-func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
+func newConfigRemoveCommand(dockerCLI command.Cli) *cobra.Command {
 	return &cobra.Command{
 		Use:     "rm CONFIG [CONFIG...]",
 		Aliases: []string{"remove"},
 		Short:   "Remove one or more configs",
 		Args:    cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts := RemoveOptions{
-				Names: args,
-			}
-			return RunConfigRemove(cmd.Context(), dockerCli, opts)
-		},
-		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-			return completeNames(dockerCli)(cmd, args, toComplete)
+			return runRemove(cmd.Context(), dockerCLI, args)
 		},
+		ValidArgsFunction:     completeNames(dockerCLI),
+		DisableFlagsInUseLine: true,
 	}
 }
 
-// RunConfigRemove removes the given Swarm configs.
-func RunConfigRemove(ctx context.Context, dockerCLI command.Cli, opts RemoveOptions) error {
+// runRemove removes the given Swarm configs.
+func runRemove(ctx context.Context, dockerCLI command.Cli, names []string) error {
 	apiClient := dockerCLI.Client()
 
 	var errs []error
-	for _, name := range opts.Names {
-		if err := apiClient.ConfigRemove(ctx, name); err != nil {
+	for _, name := range names {
+		if _, err := apiClient.ConfigRemove(ctx, name, client.ConfigRemoveOptions{}); err != nil {
 			errs = append(errs, err)
 			continue
 		}

cli/command/config/remove_test.go

@@ -1,12 +1,14 @@
 package config
 
 import (
+	"context"
 	"errors"
 	"io"
 	"strings"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -14,7 +16,7 @@ import (
 func TestConfigRemoveErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		configRemoveFunc func(string) error
+		configRemoveFunc func(context.Context, string, client.ConfigRemoveOptions) (client.ConfigRemoveResult, error)
 		expectedError    string
 	}{
 		{
@@ -23,8 +25,8 @@ func TestConfigRemoveErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			configRemoveFunc: func(name string) error {
-				return errors.New("error removing config")
+			configRemoveFunc: func(ctx context.Context, name string, options client.ConfigRemoveOptions) (client.ConfigRemoveResult, error) {
+				return client.ConfigRemoveResult{}, errors.New("error removing config")
 			},
 			expectedError: "error removing config",
 		},
@@ -46,9 +48,9 @@ func TestConfigRemoveWithName(t *testing.T) {
 	names := []string{"foo", "bar"}
 	var removedConfigs []string
 	cli := test.NewFakeCli(&fakeClient{
-		configRemoveFunc: func(name string) error {
+		configRemoveFunc: func(_ context.Context, name string, _ client.ConfigRemoveOptions) (client.ConfigRemoveResult, error) {
 			removedConfigs = append(removedConfigs, name)
-			return nil
+			return client.ConfigRemoveResult{}, nil
 		},
 	})
 	cmd := newConfigRemoveCommand(cli)
@@ -63,12 +65,12 @@ func TestConfigRemoveContinueAfterError(t *testing.T) {
 	var removedConfigs []string
 
 	cli := test.NewFakeCli(&fakeClient{
-		configRemoveFunc: func(name string) error {
+		configRemoveFunc: func(_ context.Context, name string, _ client.ConfigRemoveOptions) (client.ConfigRemoveResult, error) {
 			removedConfigs = append(removedConfigs, name)
 			if name == "foo" {
-				return errors.New("error removing config: " + name)
+				return client.ConfigRemoveResult{}, errors.New("error removing config: " + name)
 			}
-			return nil
+			return client.ConfigRemoveResult{}, nil
 		},
 	})
 

cli/command/container/attach.go

@@ -2,15 +2,15 @@ package container
 
 import (
 	"context"
+	"errors"
 	"io"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/moby/sys/signal"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -23,25 +23,25 @@ type AttachOptions struct {
 }
 
 func inspectContainerAndCheckState(ctx context.Context, apiClient client.APIClient, args string) (*container.InspectResponse, error) {
-	c, err := apiClient.ContainerInspect(ctx, args)
+	c, err := apiClient.ContainerInspect(ctx, args, client.ContainerInspectOptions{})
 	if err != nil {
 		return nil, err
 	}
-	if !c.State.Running {
-		return nil, errors.New("You cannot attach to a stopped container, start it first")
+	if !c.Container.State.Running {
+		return nil, errors.New("cannot attach to a stopped container, start it first")
 	}
-	if c.State.Paused {
-		return nil, errors.New("You cannot attach to a paused container, unpause it first")
+	if c.Container.State.Paused {
+		return nil, errors.New("cannot attach to a paused container, unpause it first")
 	}
-	if c.State.Restarting {
-		return nil, errors.New("You cannot attach to a restarting container, wait until it is running")
+	if c.Container.State.Restarting {
+		return nil, errors.New("cannot attach to a restarting container, wait until it is running")
 	}
 
-	return &c, nil
+	return &c.Container, nil
 }
 
-// NewAttachCommand creates a new cobra.Command for `docker attach`
-func NewAttachCommand(dockerCLI command.Cli) *cobra.Command {
+// newAttachCommand creates a new cobra.Command for `docker attach`
+func newAttachCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts AttachOptions
 
 	cmd := &cobra.Command{
@@ -56,8 +56,9 @@ func NewAttachCommand(dockerCLI command.Cli) *cobra.Command {
 			"aliases": "docker container attach, docker attach",
 		},
 		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr container.Summary) bool {
-			return ctr.State != "paused"
+			return ctr.State != container.StatePaused
 		}),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -73,7 +74,7 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, o
 
 	// request channel to wait for client
 	waitCtx := context.WithoutCancel(ctx)
-	resultC, errC := apiClient.ContainerWait(waitCtx, containerID, "")
+	waitRes := apiClient.ContainerWait(waitCtx, containerID, client.ContainerWaitOptions{})
 
 	c, err := inspectContainerAndCheckState(ctx, apiClient, containerID)
 	if err != nil {
@@ -89,7 +90,7 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, o
 		detachKeys = opts.DetachKeys
 	}
 
-	options := container.AttachOptions{
+	options := client.ContainerAttachOptions{
 		Stream:     true,
 		Stdin:      !opts.NoStdin && c.Config.OpenStdin,
 		Stdout:     true,
@@ -113,11 +114,11 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, o
 		defer signal.StopCatch(sigc)
 	}
 
-	resp, errAttach := apiClient.ContainerAttach(ctx, containerID, options)
-	if errAttach != nil {
-		return errAttach
+	res, err := apiClient.ContainerAttach(ctx, containerID, options)
+	if err != nil {
+		return err
 	}
-	defer resp.Close()
+	defer res.HijackedResponse.Close()
 
 	// If use docker attach command to attach to a stop container, it will return
 	// "You cannot attach to a stopped container" error, it's ok, but when
@@ -141,7 +142,7 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, o
 		inputStream:  in,
 		outputStream: dockerCLI.Out(),
 		errorStream:  dockerCLI.Err(),
-		resp:         resp,
+		resp:         res.HijackedResponse,
 		tty:          c.Config.Tty,
 		detachKeys:   options.DetachKeys,
 	}
@@ -151,19 +152,19 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, o
 		return err
 	}
 
-	return getExitStatus(errC, resultC)
+	return getExitStatus(waitRes)
 }
 
-func getExitStatus(errC <-chan error, resultC <-chan container.WaitResponse) error {
+func getExitStatus(waitRes client.ContainerWaitResult) error {
 	select {
-	case result := <-resultC:
+	case result := <-waitRes.Result:
 		if result.Error != nil {
 			return errors.New(result.Error.Message)
 		}
 		if result.StatusCode != 0 {
 			return cli.StatusError{StatusCode: int(result.StatusCode)}
 		}
-	case err := <-errC:
+	case err := <-waitRes.Error:
 		return err
 	}
 
@@ -176,7 +177,7 @@ func resizeTTY(ctx context.Context, dockerCli command.Cli, containerID string) {
 	// terminal, the only way to get the shell prompt to display for attaches 2+ is to artificially
 	// resize it, then go back to normal. Without this, every attach after the first will
 	// require the user to manually resize or hit enter.
-	resizeTtyTo(ctx, dockerCli.Client(), containerID, height+1, width+1, false)
+	resizeTTYTo(ctx, dockerCli.Client(), containerID, height+1, width+1, false)
 
 	// After the above resizing occurs, the call to MonitorTtySize below will handle resetting back
 	// to the actual size.

cli/command/container/attach_test.go

@@ -7,7 +7,8 @@ import (
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 )
 
@@ -16,23 +17,23 @@ func TestNewAttachCommandErrors(t *testing.T) {
 		name                 string
 		args                 []string
 		expectedError        string
-		containerInspectFunc func(img string) (container.InspectResponse, error)
+		containerInspectFunc func(img string) (client.ContainerInspectResult, error)
 	}{
 		{
 			name:          "client-error",
 			args:          []string{"5cb5bb5e4a3b"},
 			expectedError: "something went wrong",
-			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
-				return container.InspectResponse{}, errors.New("something went wrong")
+			containerInspectFunc: func(containerID string) (client.ContainerInspectResult, error) {
+				return client.ContainerInspectResult{}, errors.New("something went wrong")
 			},
 		},
 		{
 			name:          "client-stopped",
 			args:          []string{"5cb5bb5e4a3b"},
-			expectedError: "You cannot attach to a stopped container",
-			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
-				return container.InspectResponse{
-					ContainerJSONBase: &container.ContainerJSONBase{
+			expectedError: "cannot attach to a stopped container",
+			containerInspectFunc: func(containerID string) (client.ContainerInspectResult, error) {
+				return client.ContainerInspectResult{
+					Container: container.InspectResponse{
 						State: &container.State{
 							Running: false,
 						},
@@ -43,10 +44,10 @@ func TestNewAttachCommandErrors(t *testing.T) {
 		{
 			name:          "client-paused",
 			args:          []string{"5cb5bb5e4a3b"},
-			expectedError: "You cannot attach to a paused container",
-			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
-				return container.InspectResponse{
-					ContainerJSONBase: &container.ContainerJSONBase{
+			expectedError: "cannot attach to a paused container",
+			containerInspectFunc: func(containerID string) (client.ContainerInspectResult, error) {
+				return client.ContainerInspectResult{
+					Container: container.InspectResponse{
 						State: &container.State{
 							Running: true,
 							Paused:  true,
@@ -58,10 +59,10 @@ func TestNewAttachCommandErrors(t *testing.T) {
 		{
 			name:          "client-restarting",
 			args:          []string{"5cb5bb5e4a3b"},
-			expectedError: "You cannot attach to a restarting container",
-			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
-				return container.InspectResponse{
-					ContainerJSONBase: &container.ContainerJSONBase{
+			expectedError: "cannot attach to a restarting container",
+			containerInspectFunc: func(containerID string) (client.ContainerInspectResult, error) {
+				return client.ContainerInspectResult{
+					Container: container.InspectResponse{
 						State: &container.State{
 							Running:    true,
 							Paused:     false,
@@ -74,7 +75,7 @@ func TestNewAttachCommandErrors(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			cmd := NewAttachCommand(test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc}))
+			cmd := newAttachCommand(test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc}))
 			cmd.SetOut(io.Discard)
 			cmd.SetErr(io.Discard)
 			cmd.SetArgs(tc.args)
@@ -124,7 +125,10 @@ func TestGetExitStatus(t *testing.T) {
 			resultC <- *testcase.result
 		}
 
-		err := getExitStatus(errC, resultC)
+		err := getExitStatus(client.ContainerWaitResult{
+			Result: resultC,
+			Error:  errC,
+		})
 
 		if testcase.expectedError == nil {
 			assert.NilError(t, err)

cli/command/container/auth_config_utils.go

@@ -0,0 +1,46 @@
+package container
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
+)
+
+// readCredentials resolves auth-config from the current environment to be
+// applied to the container if the `--use-api-socket` flag is set.
+//
+//   - If a valid "DOCKER_AUTH_CONFIG" env-var is found, and it contains
+//     credentials, it's value is used.
+//   - If no "DOCKER_AUTH_CONFIG" env-var is found, or it does not contain
+//     credentials, it attempts to read from the CLI's credentials store.
+//
+// It returns an error if either the "DOCKER_AUTH_CONFIG" is incorrectly
+// formatted, or when failing to read from the credentials store.
+//
+// A nil value is returned if neither option contained any credentials.
+func readCredentials(dockerCLI config.Provider) (creds map[string]types.AuthConfig, _ error) {
+	if v, ok := os.LookupEnv("DOCKER_AUTH_CONFIG"); ok && v != "" {
+		// The results are expected to have been unmarshaled the same as
+		// when reading from a config-file, which includes decoding the
+		// base64-encoded "username:password" into the "UserName" and
+		// "Password" fields.
+		ac := &configfile.ConfigFile{}
+		if err := ac.LoadFromReader(strings.NewReader(v)); err != nil {
+			return nil, fmt.Errorf("failed to read credentials from DOCKER_AUTH_CONFIG: %w", err)
+		}
+		if len(ac.AuthConfigs) > 0 {
+			return ac.AuthConfigs, nil
+		}
+	}
+
+	// Resolve this here for later, ensuring we error our before we create the container.
+	creds, err := dockerCLI.ConfigFile().GetAllCredentials()
+	if err != nil {
+		return nil, fmt.Errorf("resolving credentials failed: %w", err)
+	}
+	return creds, nil
+}

cli/command/container/client_test.go

@@ -3,232 +3,232 @@ package container
 import (
 	"context"
 	"io"
+	"net/http"
+	"strings"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/system"
-	"github.com/docker/docker/client"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/moby/moby/client"
 )
 
+func mockContainerExportResult(content string) client.ContainerExportResult {
+	return io.NopCloser(strings.NewReader(content))
+}
+
+func mockContainerLogsResult(content string) client.ContainerLogsResult {
+	return io.NopCloser(strings.NewReader(content))
+}
+
+type fakeStreamResult struct {
+	io.ReadCloser
+	client.ImagePushResponse // same interface as [client.ImagePushResponse]
+}
+
+func (e fakeStreamResult) Read(p []byte) (int, error) { return e.ReadCloser.Read(p) }
+func (e fakeStreamResult) Close() error               { return e.ReadCloser.Close() }
+
 type fakeClient struct {
 	client.Client
-	inspectFunc         func(string) (container.InspectResponse, error)
-	execInspectFunc     func(execID string) (container.ExecInspect, error)
-	execCreateFunc      func(containerID string, options container.ExecOptions) (container.ExecCreateResponse, error)
-	createContainerFunc func(config *container.Config,
-		hostConfig *container.HostConfig,
-		networkingConfig *network.NetworkingConfig,
-		platform *specs.Platform,
-		containerName string) (container.CreateResponse, error)
-	containerStartFunc      func(containerID string, options container.StartOptions) error
-	imageCreateFunc         func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
-	infoFunc                func() (system.Info, error)
-	containerStatPathFunc   func(containerID, path string) (container.PathStat, error)
-	containerCopyFromFunc   func(containerID, srcPath string) (io.ReadCloser, container.PathStat, error)
-	logFunc                 func(string, container.LogsOptions) (io.ReadCloser, error)
-	waitFunc                func(string) (<-chan container.WaitResponse, <-chan error)
-	containerListFunc       func(container.ListOptions) ([]container.Summary, error)
-	containerExportFunc     func(string) (io.ReadCloser, error)
-	containerExecResizeFunc func(id string, options container.ResizeOptions) error
-	containerRemoveFunc     func(ctx context.Context, containerID string, options container.RemoveOptions) error
-	containerRestartFunc    func(ctx context.Context, containerID string, options container.StopOptions) error
-	containerStopFunc       func(ctx context.Context, containerID string, options container.StopOptions) error
-	containerKillFunc       func(ctx context.Context, containerID, signal string) error
-	containerPruneFunc      func(ctx context.Context, pruneFilters filters.Args) (container.PruneReport, error)
-	containerAttachFunc     func(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error)
-	containerDiffFunc       func(ctx context.Context, containerID string) ([]container.FilesystemChange, error)
+	inspectFunc             func(string) (client.ContainerInspectResult, error)
+	execInspectFunc         func(execID string) (client.ExecInspectResult, error)
+	execCreateFunc          func(containerID string, options client.ExecCreateOptions) (client.ExecCreateResult, error)
+	createContainerFunc     func(options client.ContainerCreateOptions) (client.ContainerCreateResult, error)
+	containerStartFunc      func(containerID string, options client.ContainerStartOptions) (client.ContainerStartResult, error)
+	imagePullFunc           func(ctx context.Context, parentReference string, options client.ImagePullOptions) (client.ImagePullResponse, error)
+	infoFunc                func() (client.SystemInfoResult, error)
+	containerStatPathFunc   func(containerID, path string) (client.ContainerStatPathResult, error)
+	containerCopyFromFunc   func(containerID, srcPath string) (client.CopyFromContainerResult, error)
+	logFunc                 func(string, client.ContainerLogsOptions) (client.ContainerLogsResult, error)
+	waitFunc                func(string) client.ContainerWaitResult
+	containerListFunc       func(client.ContainerListOptions) (client.ContainerListResult, error)
+	containerExportFunc     func(string) (client.ContainerExportResult, error)
+	containerExecResizeFunc func(id string, options client.ExecResizeOptions) (client.ExecResizeResult, error)
+	containerRemoveFunc     func(ctx context.Context, containerID string, options client.ContainerRemoveOptions) (client.ContainerRemoveResult, error)
+	containerRestartFunc    func(ctx context.Context, containerID string, options client.ContainerRestartOptions) (client.ContainerRestartResult, error)
+	containerStopFunc       func(ctx context.Context, containerID string, options client.ContainerStopOptions) (client.ContainerStopResult, error)
+	containerKillFunc       func(ctx context.Context, containerID string, options client.ContainerKillOptions) (client.ContainerKillResult, error)
+	containerPruneFunc      func(ctx context.Context, options client.ContainerPruneOptions) (client.ContainerPruneResult, error)
+	containerAttachFunc     func(ctx context.Context, containerID string, options client.ContainerAttachOptions) (client.ContainerAttachResult, error)
+	containerDiffFunc       func(ctx context.Context, containerID string) (client.ContainerDiffResult, error)
 	containerRenameFunc     func(ctx context.Context, oldName, newName string) error
-	containerCommitFunc     func(ctx context.Context, container string, options container.CommitOptions) (container.CommitResponse, error)
-	containerPauseFunc      func(ctx context.Context, container string) error
+	containerCommitFunc     func(ctx context.Context, container string, options client.ContainerCommitOptions) (client.ContainerCommitResult, error)
+	containerPauseFunc      func(ctx context.Context, container string, options client.ContainerPauseOptions) (client.ContainerPauseResult, error)
 	Version                 string
 }
 
-func (f *fakeClient) ContainerList(_ context.Context, options container.ListOptions) ([]container.Summary, error) {
+func (f *fakeClient) ContainerList(_ context.Context, options client.ContainerListOptions) (client.ContainerListResult, error) {
 	if f.containerListFunc != nil {
 		return f.containerListFunc(options)
 	}
-	return []container.Summary{}, nil
+	return client.ContainerListResult{}, nil
 }
 
-func (f *fakeClient) ContainerInspect(_ context.Context, containerID string) (container.InspectResponse, error) {
+func (f *fakeClient) ContainerInspect(_ context.Context, containerID string, _ client.ContainerInspectOptions) (client.ContainerInspectResult, error) {
 	if f.inspectFunc != nil {
 		return f.inspectFunc(containerID)
 	}
-	return container.InspectResponse{}, nil
+	return client.ContainerInspectResult{}, nil
 }
 
-func (f *fakeClient) ContainerExecCreate(_ context.Context, containerID string, config container.ExecOptions) (container.ExecCreateResponse, error) {
+func (f *fakeClient) ExecCreate(_ context.Context, containerID string, config client.ExecCreateOptions) (client.ExecCreateResult, error) {
 	if f.execCreateFunc != nil {
 		return f.execCreateFunc(containerID, config)
 	}
-	return container.ExecCreateResponse{}, nil
+	return client.ExecCreateResult{}, nil
 }
 
-func (f *fakeClient) ContainerExecInspect(_ context.Context, execID string) (container.ExecInspect, error) {
+func (f *fakeClient) ExecInspect(_ context.Context, execID string, _ client.ExecInspectOptions) (client.ExecInspectResult, error) {
 	if f.execInspectFunc != nil {
 		return f.execInspectFunc(execID)
 	}
-	return container.ExecInspect{}, nil
+	return client.ExecInspectResult{}, nil
 }
 
-func (*fakeClient) ContainerExecStart(context.Context, string, container.ExecStartOptions) error {
-	return nil
+func (*fakeClient) ExecStart(context.Context, string, client.ExecStartOptions) (client.ExecStartResult, error) {
+	return client.ExecStartResult{}, nil
 }
 
-func (f *fakeClient) ContainerCreate(
-	_ context.Context,
-	config *container.Config,
-	hostConfig *container.HostConfig,
-	networkingConfig *network.NetworkingConfig,
-	platform *specs.Platform,
-	containerName string,
-) (container.CreateResponse, error) {
+func (f *fakeClient) ContainerCreate(_ context.Context, options client.ContainerCreateOptions) (client.ContainerCreateResult, error) {
 	if f.createContainerFunc != nil {
-		return f.createContainerFunc(config, hostConfig, networkingConfig, platform, containerName)
+		return f.createContainerFunc(options)
 	}
-	return container.CreateResponse{}, nil
+	return client.ContainerCreateResult{}, nil
 }
 
-func (f *fakeClient) ContainerRemove(ctx context.Context, containerID string, options container.RemoveOptions) error {
+func (f *fakeClient) ContainerRemove(ctx context.Context, containerID string, options client.ContainerRemoveOptions) (client.ContainerRemoveResult, error) {
 	if f.containerRemoveFunc != nil {
 		return f.containerRemoveFunc(ctx, containerID, options)
 	}
-	return nil
+	return client.ContainerRemoveResult{}, nil
 }
 
-func (f *fakeClient) ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
-	if f.imageCreateFunc != nil {
-		return f.imageCreateFunc(ctx, parentReference, options)
+func (f *fakeClient) ImagePull(ctx context.Context, parentReference string, options client.ImagePullOptions) (client.ImagePullResponse, error) {
+	if f.imagePullFunc != nil {
+		return f.imagePullFunc(ctx, parentReference, options)
 	}
-	return nil, nil
+	return fakeStreamResult{}, nil
 }
 
-func (f *fakeClient) Info(_ context.Context) (system.Info, error) {
+func (f *fakeClient) Info(context.Context, client.InfoOptions) (client.SystemInfoResult, error) {
 	if f.infoFunc != nil {
 		return f.infoFunc()
 	}
-	return system.Info{}, nil
+	return client.SystemInfoResult{}, nil
 }
 
-func (f *fakeClient) ContainerStatPath(_ context.Context, containerID, path string) (container.PathStat, error) {
+func (f *fakeClient) ContainerStatPath(_ context.Context, containerID string, options client.ContainerStatPathOptions) (client.ContainerStatPathResult, error) {
 	if f.containerStatPathFunc != nil {
-		return f.containerStatPathFunc(containerID, path)
+		return f.containerStatPathFunc(containerID, options.Path)
 	}
-	return container.PathStat{}, nil
+	return client.ContainerStatPathResult{}, nil
 }
 
-func (f *fakeClient) CopyFromContainer(_ context.Context, containerID, srcPath string) (io.ReadCloser, container.PathStat, error) {
+func (f *fakeClient) CopyFromContainer(_ context.Context, containerID string, options client.CopyFromContainerOptions) (client.CopyFromContainerResult, error) {
 	if f.containerCopyFromFunc != nil {
-		return f.containerCopyFromFunc(containerID, srcPath)
+		return f.containerCopyFromFunc(containerID, options.SourcePath)
 	}
-	return nil, container.PathStat{}, nil
+	return client.CopyFromContainerResult{}, nil
 }
 
-func (f *fakeClient) ContainerLogs(_ context.Context, containerID string, options container.LogsOptions) (io.ReadCloser, error) {
+func (f *fakeClient) ContainerLogs(_ context.Context, containerID string, options client.ContainerLogsOptions) (client.ContainerLogsResult, error) {
 	if f.logFunc != nil {
 		return f.logFunc(containerID, options)
 	}
-	return nil, nil
+	return http.NoBody, nil
 }
 
 func (f *fakeClient) ClientVersion() string {
 	return f.Version
 }
 
-func (f *fakeClient) ContainerWait(_ context.Context, containerID string, _ container.WaitCondition) (<-chan container.WaitResponse, <-chan error) {
+func (f *fakeClient) ContainerWait(_ context.Context, containerID string, _ client.ContainerWaitOptions) client.ContainerWaitResult {
 	if f.waitFunc != nil {
 		return f.waitFunc(containerID)
 	}
-	return nil, nil
+	return client.ContainerWaitResult{}
 }
 
-func (f *fakeClient) ContainerStart(_ context.Context, containerID string, options container.StartOptions) error {
+func (f *fakeClient) ContainerStart(_ context.Context, containerID string, options client.ContainerStartOptions) (client.ContainerStartResult, error) {
 	if f.containerStartFunc != nil {
 		return f.containerStartFunc(containerID, options)
 	}
-	return nil
+	return client.ContainerStartResult{}, nil
 }
 
-func (f *fakeClient) ContainerExport(_ context.Context, containerID string) (io.ReadCloser, error) {
+func (f *fakeClient) ContainerExport(_ context.Context, containerID string, _ client.ContainerExportOptions) (client.ContainerExportResult, error) {
 	if f.containerExportFunc != nil {
 		return f.containerExportFunc(containerID)
 	}
-	return nil, nil
+	return http.NoBody, nil
 }
 
-func (f *fakeClient) ContainerExecResize(_ context.Context, id string, options container.ResizeOptions) error {
+func (f *fakeClient) ExecResize(_ context.Context, id string, options client.ExecResizeOptions) (client.ExecResizeResult, error) {
 	if f.containerExecResizeFunc != nil {
 		return f.containerExecResizeFunc(id, options)
 	}
-	return nil
+	return client.ExecResizeResult{}, nil
 }
 
-func (f *fakeClient) ContainerKill(ctx context.Context, containerID, signal string) error {
+func (f *fakeClient) ContainerKill(ctx context.Context, containerID string, options client.ContainerKillOptions) (client.ContainerKillResult, error) {
 	if f.containerKillFunc != nil {
-		return f.containerKillFunc(ctx, containerID, signal)
+		return f.containerKillFunc(ctx, containerID, options)
 	}
-	return nil
+	return client.ContainerKillResult{}, nil
 }
 
-func (f *fakeClient) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (container.PruneReport, error) {
+func (f *fakeClient) ContainerPrune(ctx context.Context, options client.ContainerPruneOptions) (client.ContainerPruneResult, error) {
 	if f.containerPruneFunc != nil {
-		return f.containerPruneFunc(ctx, pruneFilters)
+		return f.containerPruneFunc(ctx, options)
 	}
-	return container.PruneReport{}, nil
+	return client.ContainerPruneResult{}, nil
 }
 
-func (f *fakeClient) ContainerRestart(ctx context.Context, containerID string, options container.StopOptions) error {
+func (f *fakeClient) ContainerRestart(ctx context.Context, containerID string, options client.ContainerRestartOptions) (client.ContainerRestartResult, error) {
 	if f.containerRestartFunc != nil {
 		return f.containerRestartFunc(ctx, containerID, options)
 	}
-	return nil
+	return client.ContainerRestartResult{}, nil
 }
 
-func (f *fakeClient) ContainerStop(ctx context.Context, containerID string, options container.StopOptions) error {
+func (f *fakeClient) ContainerStop(ctx context.Context, containerID string, options client.ContainerStopOptions) (client.ContainerStopResult, error) {
 	if f.containerStopFunc != nil {
 		return f.containerStopFunc(ctx, containerID, options)
 	}
-	return nil
+	return client.ContainerStopResult{}, nil
 }
 
-func (f *fakeClient) ContainerAttach(ctx context.Context, containerID string, options container.AttachOptions) (types.HijackedResponse, error) {
+func (f *fakeClient) ContainerAttach(ctx context.Context, containerID string, options client.ContainerAttachOptions) (client.ContainerAttachResult, error) {
 	if f.containerAttachFunc != nil {
 		return f.containerAttachFunc(ctx, containerID, options)
 	}
-	return types.HijackedResponse{}, nil
+	return client.ContainerAttachResult{}, nil
 }
 
-func (f *fakeClient) ContainerDiff(ctx context.Context, containerID string) ([]container.FilesystemChange, error) {
+func (f *fakeClient) ContainerDiff(ctx context.Context, containerID string, _ client.ContainerDiffOptions) (client.ContainerDiffResult, error) {
 	if f.containerDiffFunc != nil {
 		return f.containerDiffFunc(ctx, containerID)
 	}
 
-	return []container.FilesystemChange{}, nil
+	return client.ContainerDiffResult{}, nil
 }
 
-func (f *fakeClient) ContainerRename(ctx context.Context, oldName, newName string) error {
+func (f *fakeClient) ContainerRename(ctx context.Context, oldName string, options client.ContainerRenameOptions) (client.ContainerRenameResult, error) {
 	if f.containerRenameFunc != nil {
-		return f.containerRenameFunc(ctx, oldName, newName)
+		return client.ContainerRenameResult{}, f.containerRenameFunc(ctx, oldName, options.NewName)
 	}
 
-	return nil
+	return client.ContainerRenameResult{}, nil
 }
 
-func (f *fakeClient) ContainerCommit(ctx context.Context, containerID string, options container.CommitOptions) (container.CommitResponse, error) {
+func (f *fakeClient) ContainerCommit(ctx context.Context, containerID string, options client.ContainerCommitOptions) (client.ContainerCommitResult, error) {
 	if f.containerCommitFunc != nil {
 		return f.containerCommitFunc(ctx, containerID, options)
 	}
-	return container.CommitResponse{}, nil
+	return client.ContainerCommitResult{}, nil
 }
 
-func (f *fakeClient) ContainerPause(ctx context.Context, containerID string) error {
+func (f *fakeClient) ContainerPause(ctx context.Context, containerID string, options client.ContainerPauseOptions) (client.ContainerPauseResult, error) {
 	if f.containerPauseFunc != nil {
-		return f.containerPauseFunc(ctx, containerID)
+		return f.containerPauseFunc(ctx, containerID, options)
 	}
 
-	return nil
+	return client.ContainerPauseResult{}, nil
 }

cli/command/container/cmd.go

@@ -3,43 +3,73 @@ package container
 import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/commands"
 	"github.com/spf13/cobra"
 )
 
-// NewContainerCommand returns a cobra command for `container` subcommands
-func NewContainerCommand(dockerCli command.Cli) *cobra.Command {
+func init() {
+	commands.Register(newRunCommand)
+	commands.Register(newExecCommand)
+	commands.Register(newPsCommand)
+	commands.Register(newContainerCommand)
+	commands.RegisterLegacy(newAttachCommand)
+	commands.RegisterLegacy(newCommitCommand)
+	commands.RegisterLegacy(newCopyCommand)
+	commands.RegisterLegacy(newCreateCommand)
+	commands.RegisterLegacy(newDiffCommand)
+	commands.RegisterLegacy(newExportCommand)
+	commands.RegisterLegacy(newKillCommand)
+	commands.RegisterLegacy(newLogsCommand)
+	commands.RegisterLegacy(newPauseCommand)
+	commands.RegisterLegacy(newPortCommand)
+	commands.RegisterLegacy(newRenameCommand)
+	commands.RegisterLegacy(newRestartCommand)
+	commands.RegisterLegacy(newRmCommand)
+	commands.RegisterLegacy(newStartCommand)
+	commands.RegisterLegacy(newStatsCommand)
+	commands.RegisterLegacy(newStopCommand)
+	commands.RegisterLegacy(newTopCommand)
+	commands.RegisterLegacy(newUnpauseCommand)
+	commands.RegisterLegacy(newUpdateCommand)
+	commands.RegisterLegacy(newWaitCommand)
+}
+
+// newContainerCommand returns a cobra command for `container` subcommands
+func newContainerCommand(dockerCLI command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "container",
 		Short: "Manage containers",
 		Args:  cli.NoArgs,
-		RunE:  command.ShowHelp(dockerCli.Err()),
+		RunE:  command.ShowHelp(dockerCLI.Err()),
+
+		DisableFlagsInUseLine: true,
 	}
 	cmd.AddCommand(
-		NewAttachCommand(dockerCli),
-		NewCommitCommand(dockerCli),
-		NewCopyCommand(dockerCli),
-		NewCreateCommand(dockerCli),
-		NewDiffCommand(dockerCli),
-		NewExecCommand(dockerCli),
-		NewExportCommand(dockerCli),
-		NewKillCommand(dockerCli),
-		NewLogsCommand(dockerCli),
-		NewPauseCommand(dockerCli),
-		NewPortCommand(dockerCli),
-		NewRenameCommand(dockerCli),
-		NewRestartCommand(dockerCli),
-		NewRmCommand(dockerCli),
-		NewRunCommand(dockerCli),
-		NewStartCommand(dockerCli),
-		NewStatsCommand(dockerCli),
-		NewStopCommand(dockerCli),
-		NewTopCommand(dockerCli),
-		NewUnpauseCommand(dockerCli),
-		NewUpdateCommand(dockerCli),
-		NewWaitCommand(dockerCli),
-		newListCommand(dockerCli),
-		newInspectCommand(dockerCli),
-		NewPruneCommand(dockerCli),
+		newAttachCommand(dockerCLI),
+		newCommitCommand(dockerCLI),
+		newCopyCommand(dockerCLI),
+		newCreateCommand(dockerCLI),
+		newDiffCommand(dockerCLI),
+		newExecCommand(dockerCLI),
+		newExportCommand(dockerCLI),
+		newKillCommand(dockerCLI),
+		newLogsCommand(dockerCLI),
+		newPauseCommand(dockerCLI),
+		newPortCommand(dockerCLI),
+		newRenameCommand(dockerCLI),
+		newRestartCommand(dockerCLI),
+		newRemoveCommand(dockerCLI),
+		newRunCommand(dockerCLI),
+		newStartCommand(dockerCLI),
+		newStatsCommand(dockerCLI),
+		newStopCommand(dockerCLI),
+		newTopCommand(dockerCLI),
+		newUnpauseCommand(dockerCLI),
+		newUpdateCommand(dockerCLI),
+		newWaitCommand(dockerCLI),
+		newListCommand(dockerCLI),
+		newInspectCommand(dockerCLI),
+		newPruneCommand(dockerCLI),
 	)
 	return cmd
 }

cli/command/container/commit.go

@@ -2,13 +2,14 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -17,13 +18,14 @@ type commitOptions struct {
 	reference string
 
 	pause   bool
+	noPause bool
 	comment string
 	author  string
 	changes opts.ListOpts
 }
 
-// NewCommitCommand creates a new cobra.Command for `docker commit`
-func NewCommitCommand(dockerCli command.Cli) *cobra.Command {
+// newCommitCommand creates a new cobra.Command for `docker commit`
+func newCommitCommand(dockerCLI command.Cli) *cobra.Command {
 	var options commitOptions
 
 	cmd := &cobra.Command{
@@ -35,18 +37,29 @@ func NewCommitCommand(dockerCli command.Cli) *cobra.Command {
 			if len(args) > 1 {
 				options.reference = args[1]
 			}
-			return runCommit(cmd.Context(), dockerCli, &options)
+			if cmd.Flag("pause").Changed {
+				if cmd.Flag("no-pause").Changed {
+					return errors.New("conflicting options: --no-pause and --pause cannot be used together")
+				}
+				options.noPause = !options.pause
+			}
+			return runCommit(cmd.Context(), dockerCLI, &options)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container commit, docker commit",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, false),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
 	flags.SetInterspersed(false)
 
-	flags.BoolVarP(&options.pause, "pause", "p", true, "Pause container during commit")
+	// TODO(thaJeztah): Deprecated: the --pause flag was deprecated in v29 and can be removed in v30.
+	flags.BoolVarP(&options.pause, "pause", "p", true, "Pause container during commit (deprecated: use --no-pause instead)")
+	_ = flags.MarkDeprecated("pause", "and enabled by default. Use --no-pause to disable pausing during commit.")
+
+	flags.BoolVar(&options.noPause, "no-pause", false, "Disable pausing container during commit")
 	flags.StringVarP(&options.comment, "message", "m", "", "Commit message")
 	flags.StringVarP(&options.author, "author", "a", "", `Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")`)
 
@@ -57,17 +70,17 @@ func NewCommitCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 func runCommit(ctx context.Context, dockerCli command.Cli, options *commitOptions) error {
-	response, err := dockerCli.Client().ContainerCommit(ctx, options.container, container.CommitOptions{
+	response, err := dockerCli.Client().ContainerCommit(ctx, options.container, client.ContainerCommitOptions{
 		Reference: options.reference,
 		Comment:   options.comment,
 		Author:    options.author,
-		Changes:   options.changes.GetAll(),
-		Pause:     options.pause,
+		Changes:   options.changes.GetSlice(),
+		NoPause:   options.noPause,
 	})
 	if err != nil {
 		return err
 	}
 
-	fmt.Fprintln(dockerCli.Out(), response.ID)
+	_, _ = fmt.Fprintln(dockerCli.Out(), response.ID)
 	return nil
 }

cli/command/container/commit_test.go

@@ -7,36 +7,32 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestRunCommit(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerCommitFunc: func(
-			ctx context.Context,
-			ctr string,
-			options container.CommitOptions,
-		) (container.CommitResponse, error) {
+		containerCommitFunc: func(ctx context.Context, ctr string, options client.ContainerCommitOptions) (client.ContainerCommitResult, error) {
 			assert.Check(t, is.Equal(options.Author, "Author Name <author@name.com>"))
 			assert.Check(t, is.DeepEqual(options.Changes, []string{"EXPOSE 80"}))
 			assert.Check(t, is.Equal(options.Comment, "commit message"))
-			assert.Check(t, is.Equal(options.Pause, false))
+			assert.Check(t, is.Equal(options.NoPause, true))
 			assert.Check(t, is.Equal(ctr, "container-id"))
 
-			return container.CommitResponse{ID: "image-id"}, nil
+			return client.ContainerCommitResult{ID: "image-id"}, nil
 		},
 	})
 
-	cmd := NewCommitCommand(cli)
+	cmd := newCommitCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetArgs(
 		[]string{
 			"--author", "Author Name <author@name.com>",
 			"--change", "EXPOSE 80",
 			"--message", "commit message",
-			"--pause=false",
+			"--no-pause",
 			"container-id",
 		},
 	)
@@ -51,16 +47,12 @@ func TestRunCommitClientError(t *testing.T) {
 	clientError := errors.New("client error")
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerCommitFunc: func(
-			ctx context.Context,
-			ctr string,
-			options container.CommitOptions,
-		) (container.CommitResponse, error) {
-			return container.CommitResponse{}, clientError
+		containerCommitFunc: func(ctx context.Context, ctr string, options client.ContainerCommitOptions) (client.ContainerCommitResult, error) {
+			return client.ContainerCommitResult{}, clientError
 		},
 	})
 
-	cmd := NewCommitCommand(cli)
+	cmd := newCommitCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 	cmd.SetArgs([]string{"container-id"})

cli/command/container/completion.go

@@ -1,6 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
-// +build go1.22
+//go:build go1.24
 
 package container
 
@@ -9,7 +8,8 @@ import (
 	"sync"
 
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/moby/sys/capability"
 	"github.com/moby/sys/signal"
 	"github.com/spf13/cobra"
@@ -57,7 +57,7 @@ var logDriverOptions = map[string][]string{
 	"fluentd": {
 		"max-buffer-size", "mode", "env", "env-regex", "labels", "fluentd-address", "fluentd-async",
 		"fluentd-buffer-limit", "fluentd-request-ack", "fluentd-retry-wait", "fluentd-max-retries",
-		"fluentd-sub-second-precision", "tag",
+		"fluentd-sub-second-precision", "fluentd-write-timeout", "tag",
 	},
 	"gcplogs": {
 		"max-buffer-size", "mode", "env", "env-regex", "labels", "gcp-log-cmd", "gcp-meta-id", "gcp-meta-name",
@@ -123,15 +123,15 @@ func addCompletions(cmd *cobra.Command, dockerCLI completion.APIClientProvider)
 	_ = cmd.RegisterFlagCompletionFunc("cap-add", completeLinuxCapabilityNames)
 	_ = cmd.RegisterFlagCompletionFunc("cap-drop", completeLinuxCapabilityNames)
 	_ = cmd.RegisterFlagCompletionFunc("cgroupns", completeCgroupns())
-	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames)
-	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames)
+	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames())
+	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames())
 	_ = cmd.RegisterFlagCompletionFunc("ipc", completeIpc(dockerCLI))
 	_ = cmd.RegisterFlagCompletionFunc("link", completeLink(dockerCLI))
 	_ = cmd.RegisterFlagCompletionFunc("log-driver", completeLogDriver(dockerCLI))
 	_ = cmd.RegisterFlagCompletionFunc("log-opt", completeLogOpt)
 	_ = cmd.RegisterFlagCompletionFunc("network", completion.NetworkNames(dockerCLI))
 	_ = cmd.RegisterFlagCompletionFunc("pid", completePid(dockerCLI))
-	_ = cmd.RegisterFlagCompletionFunc("platform", completion.Platforms)
+	_ = cmd.RegisterFlagCompletionFunc("platform", completion.Platforms())
 	_ = cmd.RegisterFlagCompletionFunc("pull", completion.FromList(PullImageAlways, PullImageMissing, PullImageNever))
 	_ = cmd.RegisterFlagCompletionFunc("restart", completeRestartPolicies)
 	_ = cmd.RegisterFlagCompletionFunc("security-opt", completeSecurityOpt)
@@ -145,7 +145,7 @@ func addCompletions(cmd *cobra.Command, dockerCLI completion.APIClientProvider)
 }
 
 // completeCgroupns implements shell completion for the `--cgroupns` option of `run` and `create`.
-func completeCgroupns() completion.ValidArgsFn {
+func completeCgroupns() cobra.CompletionFunc {
 	return completion.FromList(string(container.CgroupnsModeHost), string(container.CgroupnsModePrivate))
 }
 
@@ -156,7 +156,7 @@ func completeDetachKeys(_ *cobra.Command, _ []string, _ string) ([]string, cobra
 
 // completeIpc implements shell completion for the `--ipc` option of `run` and `create`.
 // The completion is partly composite.
-func completeIpc(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completeIpc(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
 			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
@@ -176,7 +176,7 @@ func completeIpc(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command
 }
 
 // completeLink implements shell completion for the `--link` option  of `run` and `create`.
-func completeLink(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completeLink(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return postfixWith(":", containerNames(dockerCLI, cmd, args, toComplete)), cobra.ShellCompDirectiveNoSpace
 	}
@@ -185,13 +185,13 @@ func completeLink(dockerCLI completion.APIClientProvider) func(cmd *cobra.Comman
 // completeLogDriver implements shell completion for the `--log-driver` option  of `run` and `create`.
 // The log drivers are collected from a call to the Info endpoint with a fallback to a hard-coded list
 // of the build-in log drivers.
-func completeLogDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeLogDriver(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		info, err := dockerCLI.Client().Info(cmd.Context())
+		res, err := dockerCLI.Client().Info(cmd.Context(), client.InfoOptions{})
 		if err != nil {
 			return builtInLogDrivers(), cobra.ShellCompDirectiveNoFileComp
 		}
-		drivers := info.Plugins.Log
+		drivers := res.Info.Plugins.Log
 		return drivers, cobra.ShellCompDirectiveNoFileComp
 	}
 }
@@ -207,7 +207,7 @@ func completeLogOpt(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.S
 }
 
 // completePid implements shell completion for the `--pid` option  of `run` and `create`.
-func completePid(dockerCLI completion.APIClientProvider) func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func completePid(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		if len(toComplete) > 0 && strings.HasPrefix("container", toComplete) { //nolint:gocritic // not swapped, matches partly typed "container"
 			return []string{"container:"}, cobra.ShellCompDirectiveNoSpace
@@ -278,14 +278,14 @@ func completeUlimit(_ *cobra.Command, _ []string, _ string) ([]string, cobra.She
 }
 
 // completeVolumeDriver contacts the API to get the built-in and installed volume drivers.
-func completeVolumeDriver(dockerCLI completion.APIClientProvider) completion.ValidArgsFn {
+func completeVolumeDriver(dockerCLI completion.APIClientProvider) cobra.CompletionFunc {
 	return func(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
-		info, err := dockerCLI.Client().Info(cmd.Context())
+		res, err := dockerCLI.Client().Info(cmd.Context(), client.InfoOptions{})
 		if err != nil {
 			// fallback: the built-in drivers
 			return []string{"local"}, cobra.ShellCompDirectiveNoFileComp
 		}
-		drivers := info.Plugins.Volume
+		drivers := res.Info.Plugins.Volume
 		return drivers, cobra.ShellCompDirectiveNoFileComp
 	}
 }

cli/command/container/completion_test.go

@@ -6,7 +6,8 @@ import (
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/moby/sys/signal"
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
@@ -26,7 +27,7 @@ func TestCompleteLinuxCapabilityNames(t *testing.T) {
 
 func TestCompletePid(t *testing.T) {
 	tests := []struct {
-		containerListFunc   func(container.ListOptions) ([]container.Summary, error)
+		containerListFunc   func(client.ContainerListOptions) (client.ContainerListResult, error)
 		toComplete          string
 		expectedCompletions []string
 		expectedDirective   cobra.ShellCompDirective
@@ -42,10 +43,12 @@ func TestCompletePid(t *testing.T) {
 			expectedDirective:   cobra.ShellCompDirectiveNoSpace,
 		},
 		{
-			containerListFunc: func(container.ListOptions) ([]container.Summary, error) {
-				return []container.Summary{
-					*builders.Container("c1"),
-					*builders.Container("c2"),
+			containerListFunc: func(client.ContainerListOptions) (client.ContainerListResult, error) {
+				return client.ContainerListResult{
+					Items: []container.Summary{
+						*builders.Container("c1"),
+						*builders.Container("c2"),
+					},
 				}, nil
 			},
 			toComplete:          "container:",
@@ -59,7 +62,7 @@ func TestCompletePid(t *testing.T) {
 			cli := test.NewFakeCli(&fakeClient{
 				containerListFunc: tc.containerListFunc,
 			})
-			completions, directive := completePid(cli)(NewRunCommand(cli), nil, tc.toComplete)
+			completions, directive := completePid(cli)(newRunCommand(cli), nil, tc.toComplete)
 			assert.Check(t, is.DeepEqual(completions, tc.expectedCompletions))
 			assert.Check(t, is.Equal(directive, tc.expectedDirective))
 		})

cli/command/container/cp.go

@@ -3,6 +3,7 @@ package container
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -15,11 +16,10 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/archive"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
+	"github.com/moby/go-archive"
+	"github.com/moby/moby/client"
 	"github.com/morikuni/aec"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -121,8 +121,8 @@ func copyProgress(ctx context.Context, dst io.Writer, header string, total *int6
 	return restore, done
 }
 
-// NewCopyCommand creates a new `docker cp` command
-func NewCopyCommand(dockerCli command.Cli) *cobra.Command {
+// newCopyCommand creates a new `docker cp` command
+func newCopyCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts copyOptions
 
 	cmd := &cobra.Command{
@@ -147,13 +147,14 @@ container source to stdout.`,
 			opts.destination = args[1]
 			if !cmd.Flag("quiet").Changed {
 				// User did not specify "quiet" flag; suppress output if no terminal is attached
-				opts.quiet = !dockerCli.Out().IsTerminal()
+				opts.quiet = !dockerCLI.Out().IsTerminal()
 			}
-			return runCopy(cmd.Context(), dockerCli, opts)
+			return runCopy(cmd.Context(), dockerCLI, opts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container cp, docker cp",
 		},
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -229,11 +230,13 @@ func copyFromContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cp
 	// if client requests to follow symbol link, then must decide target file to be copied
 	var rebaseName string
 	if copyConfig.followLink {
-		srcStat, err := apiClient.ContainerStatPath(ctx, copyConfig.container, srcPath)
+		src, err := apiClient.ContainerStatPath(ctx, copyConfig.container, client.ContainerStatPathOptions{
+			Path: srcPath,
+		})
 
 		// If the destination is a symbolic link, we should follow it.
-		if err == nil && srcStat.Mode&os.ModeSymlink != 0 {
-			linkTarget := srcStat.LinkTarget
+		if err == nil && src.Stat.Mode&os.ModeSymlink != 0 {
+			linkTarget := src.Stat.LinkTarget
 			if !isAbs(linkTarget) {
 				// Join with the parent directory.
 				srcParent, _ := archive.SplitPathDirEntry(srcPath)
@@ -248,11 +251,14 @@ func copyFromContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cp
 	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
 	defer cancel()
 
-	content, stat, err := apiClient.CopyFromContainer(ctx, copyConfig.container, srcPath)
+	cpRes, err := apiClient.CopyFromContainer(ctx, copyConfig.container, client.CopyFromContainerOptions{
+		SourcePath: srcPath,
+	})
 	if err != nil {
 		return err
 	}
-	defer content.Close()
+	content := cpRes.Content
+	defer func() { _ = content.Close() }()
 
 	if dstPath == "-" {
 		_, err = io.Copy(dockerCLI.Out(), content)
@@ -262,7 +268,7 @@ func copyFromContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cp
 	srcInfo := archive.CopyInfo{
 		Path:       srcPath,
 		Exists:     true,
-		IsDir:      stat.Mode.IsDir(),
+		IsDir:      cpRes.Stat.Mode.IsDir(),
 		RebaseName: rebaseName,
 	}
 
@@ -298,50 +304,50 @@ func copyFromContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cp
 // about both the source and destination. The API is a simple tar
 // archive/extract API but we can use the stat info header about the
 // destination to be more informed about exactly what the destination is.
-func copyToContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpConfig) (err error) {
+func copyToContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpConfig) error {
 	srcPath := copyConfig.sourcePath
 	dstPath := copyConfig.destPath
 
 	if srcPath != "-" {
 		// Get an absolute source path.
-		srcPath, err = resolveLocalPath(srcPath)
+		p, err := resolveLocalPath(srcPath)
 		if err != nil {
 			return err
 		}
+		srcPath = p
 	}
 
 	apiClient := dockerCLI.Client()
 	// Prepare destination copy info by stat-ing the container path.
 	dstInfo := archive.CopyInfo{Path: dstPath}
-	dstStat, err := apiClient.ContainerStatPath(ctx, copyConfig.container, dstPath)
+	if dst, err := apiClient.ContainerStatPath(ctx, copyConfig.container, client.ContainerStatPathOptions{Path: dstPath}); err == nil {
+		// If the destination is a symbolic link, we should evaluate it.
+		if dst.Stat.Mode&os.ModeSymlink != 0 {
+			linkTarget := dst.Stat.LinkTarget
+			if !isAbs(linkTarget) {
+				// Join with the parent directory.
+				dstParent, _ := archive.SplitPathDirEntry(dstPath)
+				linkTarget = filepath.Join(dstParent, linkTarget)
+			}
 
-	// If the destination is a symbolic link, we should evaluate it.
-	if err == nil && dstStat.Mode&os.ModeSymlink != 0 {
-		linkTarget := dstStat.LinkTarget
-		if !isAbs(linkTarget) {
-			// Join with the parent directory.
-			dstParent, _ := archive.SplitPathDirEntry(dstPath)
-			linkTarget = filepath.Join(dstParent, linkTarget)
+			dstInfo.Path = linkTarget
+			dst, err = apiClient.ContainerStatPath(ctx, copyConfig.container, client.ContainerStatPathOptions{Path: linkTarget})
+		}
+		// Validate the destination path
+		if err == nil {
+			if err := command.ValidateOutputPathFileMode(dst.Stat.Mode); err != nil {
+				return fmt.Errorf(`destination "%s:%s" must be a directory or a regular file: %w`, copyConfig.container, dstPath, err)
+			}
+			dstInfo.Exists, dstInfo.IsDir = true, dst.Stat.Mode.IsDir()
 		}
 
-		dstInfo.Path = linkTarget
-		dstStat, err = apiClient.ContainerStatPath(ctx, copyConfig.container, linkTarget)
-		// FIXME(thaJeztah): unhandled error (should this return?)
-	}
-
-	// Validate the destination path
-	if err := command.ValidateOutputPathFileMode(dstStat.Mode); err != nil {
-		return errors.Wrapf(err, `destination "%s:%s" must be a directory or a regular file`, copyConfig.container, dstPath)
-	}
-
-	// Ignore any error and assume that the parent directory of the destination
-	// path exists, in which case the copy may still succeed. If there is any
-	// type of conflict (e.g., non-directory overwriting an existing directory
-	// or vice versa) the extraction will fail. If the destination simply did
-	// not exist, but the parent directory does, the extraction will still
-	// succeed.
-	if err == nil {
-		dstInfo.Exists, dstInfo.IsDir = true, dstStat.Mode.IsDir()
+		// Ignore any error and assume that the parent directory of the destination
+		// path exists, in which case the copy may still succeed. If there is any
+		// type of conflict (e.g., non-directory overwriting an existing directory
+		// or vice versa) the extraction will fail. If the destination simply did
+		// not exist, but the parent directory does, the extraction will still
+		// succeed.
+		_ = err // Intentionally ignore stat errors (see above)
 	}
 
 	var (
@@ -354,7 +360,7 @@ func copyToContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpCo
 		content = os.Stdin
 		resolvedDstPath = dstInfo.Path
 		if !dstInfo.IsDir {
-			return errors.Errorf("destination \"%s:%s\" must be a directory", copyConfig.container, dstPath)
+			return fmt.Errorf(`destination "%s:%s" must be a directory`, copyConfig.container, dstPath)
 		}
 	} else {
 		// Prepare source copy info.
@@ -397,24 +403,27 @@ func copyToContainer(ctx context.Context, dockerCLI command.Cli, copyConfig cpCo
 		}
 	}
 
-	options := container.CopyToContainerOptions{
-		AllowOverwriteDirWithFile: false,
-		CopyUIDGID:                copyConfig.copyUIDGID,
+	options := client.CopyToContainerOptions{
+		DestinationPath: resolvedDstPath,
+		Content:         content,
+		CopyUIDGID:      copyConfig.copyUIDGID,
 	}
 
 	if copyConfig.quiet {
-		return apiClient.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
+		_, err := apiClient.CopyToContainer(ctx, copyConfig.container, options)
+		return err
 	}
 
 	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
 	restore, done := copyProgress(ctx, dockerCLI.Err(), copyToContainerHeader, &copiedSize)
-	res := apiClient.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
+	// TODO(thaJeztah): error-handling looks odd here; should it be handled differently?
+	_, err := apiClient.CopyToContainer(ctx, copyConfig.container, options)
 	cancel()
 	<-done
 	restore()
-	fmt.Fprintln(dockerCLI.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
+	_, _ = fmt.Fprintln(dockerCLI.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
 
-	return res
+	return err
 }
 
 // We use `:` as a delimiter between CONTAINER and PATH, but `:` could also be

cli/command/container/cp_test.go

@@ -9,8 +9,9 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
@@ -51,9 +52,11 @@ func TestRunCopyFromContainerToStdout(t *testing.T) {
 	tarContent := "the tar content"
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerCopyFromFunc: func(ctr, srcPath string) (io.ReadCloser, container.PathStat, error) {
+		containerCopyFromFunc: func(ctr, srcPath string) (client.CopyFromContainerResult, error) {
 			assert.Check(t, is.Equal("container", ctr))
-			return io.NopCloser(strings.NewReader(tarContent)), container.PathStat{}, nil
+			return client.CopyFromContainerResult{
+				Content: io.NopCloser(strings.NewReader(tarContent)),
+			}, nil
 		},
 	})
 	err := runCopy(context.TODO(), cli, copyOptions{
@@ -72,10 +75,12 @@ func TestRunCopyFromContainerToFilesystem(t *testing.T) {
 	destDir := fs.NewDir(t, "cp-test")
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerCopyFromFunc: func(ctr, srcPath string) (io.ReadCloser, container.PathStat, error) {
+		containerCopyFromFunc: func(ctr, srcPath string) (client.CopyFromContainerResult, error) {
 			assert.Check(t, is.Equal("container", ctr))
-			readCloser, err := archive.Tar(srcDir.Path(), archive.Uncompressed)
-			return readCloser, container.PathStat{}, err
+			readCloser, err := archive.Tar(srcDir.Path(), compression.None)
+			return client.CopyFromContainerResult{
+				Content: readCloser,
+			}, err
 		},
 	})
 	err := runCopy(context.TODO(), cli, copyOptions{
@@ -98,10 +103,12 @@ func TestRunCopyFromContainerToFilesystemMissingDestinationDirectory(t *testing.
 	defer destDir.Remove()
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerCopyFromFunc: func(ctr, srcPath string) (io.ReadCloser, container.PathStat, error) {
+		containerCopyFromFunc: func(ctr, srcPath string) (client.CopyFromContainerResult, error) {
 			assert.Check(t, is.Equal("container", ctr))
 			readCloser, err := archive.TarWithOptions(destDir.Path(), &archive.TarOptions{})
-			return readCloser, container.PathStat{}, err
+			return client.CopyFromContainerResult{
+				Content: readCloser,
+			}, err
 		},
 	})
 	err := runCopy(context.TODO(), cli, copyOptions{

cli/command/container/create.go

@@ -1,27 +1,30 @@
 package container
 
 import (
+	"archive/tar"
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
-	"regexp"
+	"path"
+	"strings"
 
+	"github.com/containerd/errdefs"
 	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/cli/cli/command/image"
-	"github.com/docker/cli/cli/internal/jsonstream"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/cli/streams"
+	"github.com/docker/cli/internal/jsonstream"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/container"
-	imagetypes "github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/api/types/mount"
+	"github.com/moby/moby/client"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -34,15 +37,15 @@ const (
 )
 
 type createOptions struct {
-	name      string
-	platform  string
-	untrusted bool
-	pull      string // always, missing, never
-	quiet     bool
+	name         string
+	platform     string
+	pull         string // always, missing, never
+	quiet        bool
+	useAPISocket bool
 }
 
-// NewCreateCommand creates a new cobra.Command for `docker create`
-func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
+// newCreateCommand creates a new cobra.Command for `docker create`
+func newCreateCommand(dockerCLI command.Cli) *cobra.Command {
 	var options createOptions
 	var copts *containerOptions
 
@@ -55,12 +58,13 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 			if len(args) > 1 {
 				copts.Args = args[1:]
 			}
-			return runCreate(cmd.Context(), dockerCli, cmd.Flags(), &options, copts)
+			return runCreate(cmd.Context(), dockerCLI, cmd.Flags(), &options, copts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container create, docker create",
 		},
-		ValidArgsFunction: completion.ImageNames(dockerCli, -1),
+		ValidArgsFunction:     completion.ImageNames(dockerCLI, -1),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -69,23 +73,24 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.name, "name", "", "Assign a name to the container")
 	flags.StringVar(&options.pull, "pull", PullImageMissing, `Pull image before creating ("`+PullImageAlways+`", "|`+PullImageMissing+`", "`+PullImageNever+`")`)
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the pull output")
+	flags.BoolVarP(&options.useAPISocket, "use-api-socket", "", false, "Bind mount Docker API socket and required auth")
+	_ = flags.SetAnnotation("use-api-socket", "experimentalCLI", nil) // Mark flag as experimental for now.
 
 	// Add an explicit help that doesn't have a `-h` to prevent the conflict
 	// with hostname
 	flags.Bool("help", false, "Print usage")
 
-	command.AddPlatformFlag(flags, &options.platform)
-	command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
+	// TODO(thaJeztah): consider adding platform as "image create option" on containerOptions
+	flags.StringVar(&options.platform, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Set platform if server is multi-platform capable")
+	_ = flags.SetAnnotation("platform", "version", []string{"1.32"})
+	_ = cmd.RegisterFlagCompletionFunc("platform", completion.Platforms())
+
+	// TODO(thaJeztah): DEPRECATED: remove in v29.1 or v30
+	flags.Bool("disable-content-trust", true, "Skip image verification (deprecated)")
+	_ = flags.MarkDeprecated("disable-content-trust", "support for docker content trust was removed")
 	copts = addFlags(flags)
 
-	addCompletions(cmd, dockerCli)
-
-	flags.VisitAll(func(flag *pflag.Flag) {
-		// Set a default completion function if none was set. We don't look
-		// up if it does already have one set, because Cobra does this for
-		// us, and returns an error (which we ignore for this reason).
-		_ = cmd.RegisterFlagCompletionFunc(flag.Name, completion.NoComplete)
-	})
+	addCompletions(cmd, dockerCLI)
 
 	return cmd
 }
@@ -97,8 +102,8 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 			StatusCode: 125,
 		}
 	}
-	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
-	newEnv := []string{}
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetSlice()))
+	newEnv := make([]string, 0, len(proxyConfig))
 	for k, v := range proxyConfig {
 		if v == nil {
 			newEnv = append(newEnv, k)
@@ -114,12 +119,6 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 			StatusCode: 125,
 		}
 	}
-	if err = validateAPIVersion(containerCfg, dockerCli.Client().ClientVersion()); err != nil {
-		return cli.StatusError{
-			Status:     withHelp(err, "create").Error(),
-			StatusCode: 125,
-		}
-	}
 	id, err := createContainer(ctx, dockerCli, containerCfg, options)
 	if err != nil {
 		return err
@@ -135,20 +134,27 @@ func pullImage(ctx context.Context, dockerCli command.Cli, img string, options *
 		return err
 	}
 
-	responseBody, err := dockerCli.Client().ImageCreate(ctx, img, imagetypes.CreateOptions{
+	var ociPlatforms []ocispec.Platform
+	if options.platform != "" {
+		// Already validated.
+		ociPlatforms = append(ociPlatforms, platforms.MustParse(options.platform))
+	}
+	resp, err := dockerCli.Client().ImagePull(ctx, img, client.ImagePullOptions{
 		RegistryAuth: encodedAuth,
-		Platform:     options.platform,
+		Platforms:    ociPlatforms,
 	})
 	if err != nil {
 		return err
 	}
-	defer responseBody.Close()
+	defer func() {
+		_ = resp.Close()
+	}()
 
 	out := dockerCli.Err()
 	if options.quiet {
 		out = streams.NewOut(io.Discard)
 	}
-	return jsonstream.Display(ctx, responseBody, out)
+	return jsonstream.Display(ctx, resp, out)
 }
 
 type cidFile struct {
@@ -161,13 +167,13 @@ func (cid *cidFile) Close() error {
 	if cid.file == nil {
 		return nil
 	}
-	cid.file.Close()
+	_ = cid.file.Close()
 
 	if cid.written {
 		return nil
 	}
 	if err := os.Remove(cid.path); err != nil {
-		return errors.Wrapf(err, "failed to remove the CID file '%s'", cid.path)
+		return fmt.Errorf("failed to remove the CID file '%s': %w", cid.path, err)
 	}
 
 	return nil
@@ -178,26 +184,26 @@ func (cid *cidFile) Write(id string) error {
 		return nil
 	}
 	if _, err := cid.file.Write([]byte(id)); err != nil {
-		return errors.Wrap(err, "failed to write the container ID to the file")
+		return fmt.Errorf("failed to write the container ID to the file: %w", err)
 	}
 	cid.written = true
 	return nil
 }
 
-func newCIDFile(path string) (*cidFile, error) {
-	if path == "" {
+func newCIDFile(cidPath string) (*cidFile, error) {
+	if cidPath == "" {
 		return &cidFile{}, nil
 	}
-	if _, err := os.Stat(path); err == nil {
-		return nil, errors.Errorf("container ID file found, make sure the other container isn't running or delete %s", path)
+	if _, err := os.Stat(cidPath); err == nil {
+		return nil, errors.New("container ID file found, make sure the other container isn't running or delete " + cidPath)
 	}
 
-	f, err := os.Create(path)
+	f, err := os.Create(cidPath)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to create the container ID file")
+		return nil, fmt.Errorf("failed to create the container ID file: %w", err)
 	}
 
-	return &cidFile{path: path, file: f}, nil
+	return &cidFile{path: cidPath, file: f}, nil
 }
 
 //nolint:gocyclo
@@ -206,19 +212,23 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	hostConfig := containerCfg.HostConfig
 	networkingConfig := containerCfg.NetworkingConfig
 
-	warnOnOomKillDisable(*hostConfig, dockerCli.Err())
-	warnOnLocalhostDNS(*hostConfig, dockerCli.Err())
+	var namedRef reference.Named
 
-	var (
-		trustedRef reference.Canonical
-		namedRef   reference.Named
-	)
+	// TODO(thaJeztah): add a platform option-type / flag-type.
+	if options.platform != "" {
+		_, err = platforms.Parse(options.platform)
+		if err != nil {
+			return "", err
+		}
+	}
 
 	containerIDFile, err := newCIDFile(hostConfig.ContainerIDFile)
 	if err != nil {
 		return "", err
 	}
-	defer containerIDFile.Close()
+	defer func() {
+		_ = containerIDFile.Close()
+	}()
 
 	ref, err := reference.ParseAnyReference(config.Image)
 	if err != nil {
@@ -226,40 +236,91 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	}
 	if named, ok := ref.(reference.Named); ok {
 		namedRef = reference.TagNameOnly(named)
+	}
 
-		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && !options.untrusted {
-			var err error
-			trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef)
-			if err != nil {
-				return "", err
-			}
-			config.Image = reference.FamiliarString(trustedRef)
+	const dockerConfigPathInContainer = "/run/secrets/docker/config.json"
+	var apiSocketCreds map[string]types.AuthConfig
+
+	if options.useAPISocket {
+		// We'll create two new mounts to handle this flag:
+		// 1. Mount the actual docker socket.
+		// 2. A synthezised ~/.docker/config.json with resolved tokens.
+
+		if dockerCli.ServerInfo().OSType == "windows" {
+			return "", errors.New("flag --use-api-socket can't be used with a Windows Docker Engine")
 		}
+
+		// hard-code engine socket path until https://github.com/moby/moby/pull/43459 gives us a discovery mechanism
+		containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+			Type:        mount.TypeBind,
+			Source:      "/var/run/docker.sock",
+			Target:      "/var/run/docker.sock",
+			BindOptions: &mount.BindOptions{},
+		})
+
+		/*
+
+		   Ideally, we'd like to copy the config into a tmpfs but unfortunately,
+		   the mounts won't be in place until we start the container. This can
+		   leave around the config if the container doesn't get deleted.
+
+		   We are using the most compose-secret-compatible approach,
+		   which is implemented at
+		   https://github.com/docker/compose/blob/main/pkg/compose/convergence.go#L737
+
+		   // Prepare a tmpfs mount for our credentials so they go away after the
+		   // container exits. We'll copy into this mount after the container is
+		   // created.
+		   containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+		       Type:   mount.TypeTmpfs,
+		       Target: "/docker/",
+		       TmpfsOptions: &mount.TmpfsOptions{
+		           SizeBytes: 1 << 20, // only need a small partition
+		           Mode:      0o600,
+		       },
+		   })
+		*/
+
+		var envvarPresent bool
+		for _, envvar := range containerCfg.Config.Env {
+			if strings.HasPrefix(envvar, "DOCKER_CONFIG=") {
+				envvarPresent = true
+			}
+		}
+
+		// If the DOCKER_CONFIG env var is already present, we assume the client knows
+		// what they're doing and don't inject the creds.
+		if !envvarPresent {
+			// Resolve this here for later, ensuring we error our before we create the container.
+			creds, err := readCredentials(dockerCli)
+			if err != nil {
+				return "", fmt.Errorf("resolving credentials failed: %w", err)
+			}
+			if len(creds) > 0 {
+				// Set our special little location for the config file.
+				containerCfg.Config.Env = append(containerCfg.Config.Env, "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
+
+				apiSocketCreds = creds // inject these after container creation.
+			}
+		}
+	}
+
+	var platform *ocispec.Platform
+	if options.platform != "" {
+		p, err := platforms.Parse(options.platform)
+		if err != nil {
+			return "", invalidParameter(fmt.Errorf("error parsing specified platform: %w", err))
+		}
+		platform = &p
 	}
 
 	pullAndTagImage := func() error {
 		if err := pullImage(ctx, dockerCli, config.Image, options); err != nil {
 			return err
 		}
-		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
-			return image.TagTrusted(ctx, dockerCli, trustedRef, taggedRef)
-		}
 		return nil
 	}
 
-	var platform *specs.Platform
-	// Engine API version 1.41 first introduced the option to specify platform on
-	// create. It will produce an error if you try to set a platform on older API
-	// versions, so check the API version here to maintain backwards
-	// compatibility for CLI users.
-	if options.platform != "" && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.41") {
-		p, err := platforms.Parse(options.platform)
-		if err != nil {
-			return "", errors.Wrap(errdefs.InvalidParameter(err), "error parsing specified platform")
-		}
-		platform = &p
-	}
-
 	if options.pull == PullImageAlways {
 		if err := pullAndTagImage(); err != nil {
 			return "", err
@@ -268,7 +329,14 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 
 	hostConfig.ConsoleSize[0], hostConfig.ConsoleSize[1] = dockerCli.Out().GetTtySize()
 
-	response, err := dockerCli.Client().ContainerCreate(ctx, config, hostConfig, networkingConfig, platform, options.name)
+	response, err := dockerCli.Client().ContainerCreate(ctx, client.ContainerCreateOptions{
+		Name: options.name,
+		// Image:            config.Image, // TODO(thaJeztah): pass image-ref separate
+		Platform:         platform,
+		Config:           config,
+		HostConfig:       hostConfig,
+		NetworkingConfig: networkingConfig,
+	})
 	if err != nil {
 		// Pull image if it does not exist locally and we have the PullImageMissing option. Default behavior.
 		if errdefs.IsNotFound(err) && namedRef != nil && options.pull == PullImageMissing {
@@ -282,7 +350,14 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 			}
 
 			var retryErr error
-			response, retryErr = dockerCli.Client().ContainerCreate(ctx, config, hostConfig, networkingConfig, platform, options.name)
+			response, retryErr = dockerCli.Client().ContainerCreate(ctx, client.ContainerCreateOptions{
+				Name: options.name,
+				// Image:            config.Image, // TODO(thaJeztah): pass image-ref separate
+				Platform:         platform,
+				Config:           config,
+				HostConfig:       hostConfig,
+				NetworkingConfig: networkingConfig,
+			})
 			if retryErr != nil {
 				return "", retryErr
 			}
@@ -291,40 +366,24 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		}
 	}
 
+	containerID = response.ID
 	for _, w := range response.Warnings {
 		_, _ = fmt.Fprintln(dockerCli.Err(), "WARNING:", w)
 	}
-	err = containerIDFile.Write(response.ID)
-	return response.ID, err
-}
+	err = containerIDFile.Write(containerID)
 
-func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
-	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
-		_, _ = fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
-	}
-}
+	if options.useAPISocket && len(apiSocketCreds) > 0 {
+		// Create a new config file with just the auth.
+		newConfig := &configfile.ConfigFile{
+			AuthConfigs: apiSocketCreds,
+		}
 
-// check the DNS settings passed via --dns against localhost regexp to warn if
-// they are trying to set a DNS to a localhost address
-func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
-	for _, dnsIP := range hostConfig.DNS {
-		if isLocalhost(dnsIP) {
-			_, _ = fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
-			return
+		if err := copyDockerConfigIntoContainer(ctx, dockerCli.Client(), containerID, dockerConfigPathInContainer, newConfig); err != nil {
+			return "", fmt.Errorf("injecting docker config.json into container failed: %w", err)
 		}
 	}
-}
 
-// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
-const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
-
-var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
-
-// IsLocalhost returns true if ip matches the localhost IP regular expression.
-// Used for determining if nameserver settings are being passed which are
-// localhost addresses
-func isLocalhost(ip string) bool {
-	return localhostIPRegexp.MatchString(ip)
+	return containerID, err
 }
 
 func validatePullOpt(val string) error {
@@ -342,3 +401,42 @@ func validatePullOpt(val string) error {
 		)
 	}
 }
+
+// copyDockerConfigIntoContainer takes the client configuration and copies it
+// into the container.
+//
+// The path should be an absolute path in the container, commonly
+// /root/.docker/config.json.
+func copyDockerConfigIntoContainer(ctx context.Context, apiClient client.APIClient, containerID string, configPath string, config *configfile.ConfigFile) error {
+	var configBuf bytes.Buffer
+	if err := config.SaveToWriter(&configBuf); err != nil {
+		return fmt.Errorf("saving creds: %w", err)
+	}
+
+	// We don't need to get super fancy with the tar creation.
+	var tarBuf bytes.Buffer
+	tarWriter := tar.NewWriter(&tarBuf)
+	_ = tarWriter.WriteHeader(&tar.Header{
+		Name: configPath,
+		Size: int64(configBuf.Len()),
+		Mode: 0o600,
+	})
+
+	if _, err := io.Copy(tarWriter, &configBuf); err != nil {
+		return fmt.Errorf("writing config to tar file for config copy: %w", err)
+	}
+
+	if err := tarWriter.Close(); err != nil {
+		return fmt.Errorf("closing tar for config copy failed: %w", err)
+	}
+
+	_, err := apiClient.CopyToContainer(ctx, containerID, client.CopyToContainerOptions{
+		DestinationPath: "/",
+		Content:         &tarBuf,
+	})
+	if err != nil {
+		return fmt.Errorf("copying config.json into container failed: %w", err)
+	}
+
+	return nil
+}

cli/command/container/create_test.go

@@ -13,13 +13,10 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/cli/internal/test/notary"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/system"
 	"github.com/google/go-cmp/cmp"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/system"
+	"github.com/moby/moby/client"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -116,36 +113,31 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 		t.Run(tc.PullPolicy, func(t *testing.T) {
 			pullCounter := 0
 
-			client := &fakeClient{
-				createContainerFunc: func(
-					config *container.Config,
-					hostConfig *container.HostConfig,
-					networkingConfig *network.NetworkingConfig,
-					platform *specs.Platform,
-					containerName string,
-				) (container.CreateResponse, error) {
+			apiClient := &fakeClient{
+				createContainerFunc: func(options client.ContainerCreateOptions) (client.ContainerCreateResult, error) {
 					defer func() { tc.ResponseCounter++ }()
 					switch tc.ResponseCounter {
 					case 0:
-						return container.CreateResponse{}, fakeNotFound{}
+						return client.ContainerCreateResult{}, fakeNotFound{}
 					default:
-						return container.CreateResponse{ID: containerID}, nil
+						return client.ContainerCreateResult{ID: containerID}, nil
 					}
 				},
-				imageCreateFunc: func(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
+				imagePullFunc: func(ctx context.Context, parentReference string, options client.ImagePullOptions) (client.ImagePullResponse, error) {
 					defer func() { pullCounter++ }()
-					return io.NopCloser(strings.NewReader("")), nil
+					return fakeStreamResult{ReadCloser: io.NopCloser(strings.NewReader(""))}, nil
 				},
-				infoFunc: func() (system.Info, error) {
-					return system.Info{IndexServerAddress: "https://indexserver.example.com"}, nil
+				infoFunc: func() (client.SystemInfoResult, error) {
+					return client.SystemInfoResult{
+						Info: system.Info{IndexServerAddress: "https://indexserver.example.com"},
+					}, nil
 				},
 			}
-			fakeCLI := test.NewFakeCli(client)
+			fakeCLI := test.NewFakeCli(apiClient)
 			id, err := createContainer(context.Background(), fakeCLI, config, &createOptions{
-				name:      "name",
-				platform:  runtime.GOOS,
-				untrusted: true,
-				pull:      tc.PullPolicy,
+				name:     "name",
+				platform: runtime.GOOS,
+				pull:     tc.PullPolicy,
 			})
 
 			if tc.ExpectedErrMsg != "" {
@@ -206,7 +198,7 @@ func TestCreateContainerValidateFlags(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			cmd := NewCreateCommand(test.NewFakeCli(&fakeClient{}))
+			cmd := newCreateCommand(test.NewFakeCli(&fakeClient{}))
 			cmd.SetOut(io.Discard)
 			cmd.SetErr(io.Discard)
 			cmd.SetArgs(tc.args)
@@ -221,110 +213,41 @@ func TestCreateContainerValidateFlags(t *testing.T) {
 	}
 }
 
-func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
-	testCases := []struct {
-		name          string
-		args          []string
-		expectedError string
-		notaryFunc    test.NotaryClientFuncType
-	}{
-		{
-			name:          "offline-notary-server",
-			notaryFunc:    notary.GetOfflineNotaryRepository,
-			expectedError: "client is offline",
-			args:          []string{"image:tag"},
-		},
-		{
-			name:          "uninitialized-notary-server",
-			notaryFunc:    notary.GetUninitializedNotaryRepository,
-			expectedError: "remote trust data does not exist",
-			args:          []string{"image:tag"},
-		},
-		{
-			name:          "empty-notary-server",
-			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
-			expectedError: "No valid trust data for tag",
-			args:          []string{"image:tag"},
-		},
-	}
-	for _, tc := range testCases {
-		fakeCLI := test.NewFakeCli(&fakeClient{
-			createContainerFunc: func(config *container.Config,
-				hostConfig *container.HostConfig,
-				networkingConfig *network.NetworkingConfig,
-				platform *specs.Platform,
-				containerName string,
-			) (container.CreateResponse, error) {
-				return container.CreateResponse{}, errors.New("shouldn't try to pull image")
-			},
-		}, test.EnableContentTrust)
-		fakeCLI.SetNotaryClient(tc.notaryFunc)
-		cmd := NewCreateCommand(fakeCLI)
-		cmd.SetOut(io.Discard)
-		cmd.SetErr(io.Discard)
-		cmd.SetArgs(tc.args)
-		err := cmd.Execute()
-		assert.ErrorContains(t, err, tc.expectedError)
-	}
-}
-
 func TestNewCreateCommandWithWarnings(t *testing.T) {
 	testCases := []struct {
-		name    string
-		args    []string
-		warning bool
+		name     string
+		args     []string
+		warnings []string
+		warning  bool
 	}{
 		{
-			name: "container-create-without-oom-kill-disable",
+			name: "container-create-no-warnings",
 			args: []string{"image:tag"},
 		},
 		{
-			name: "container-create-oom-kill-disable-false",
-			args: []string{"--oom-kill-disable=false", "image:tag"},
+			name:     "container-create-daemon-single-warning",
+			args:     []string{"image:tag"},
+			warnings: []string{"warning from daemon"},
 		},
 		{
-			name:    "container-create-oom-kill-without-memory-limit",
-			args:    []string{"--oom-kill-disable", "image:tag"},
-			warning: true,
-		},
-		{
-			name:    "container-create-oom-kill-true-without-memory-limit",
-			args:    []string{"--oom-kill-disable=true", "image:tag"},
-			warning: true,
-		},
-		{
-			name: "container-create-oom-kill-true-with-memory-limit",
-			args: []string{"--oom-kill-disable=true", "--memory=100M", "image:tag"},
-		},
-		{
-			name:    "container-create-localhost-dns",
-			args:    []string{"--dns=127.0.0.11", "image:tag"},
-			warning: true,
-		},
-		{
-			name:    "container-create-localhost-dns-ipv6",
-			args:    []string{"--dns=::1", "image:tag"},
-			warning: true,
+			name:     "container-create-daemon-multiple-warnings",
+			args:     []string{"image:tag"},
+			warnings: []string{"warning from daemon", "another warning from daemon"},
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			fakeCLI := test.NewFakeCli(&fakeClient{
-				createContainerFunc: func(config *container.Config,
-					hostConfig *container.HostConfig,
-					networkingConfig *network.NetworkingConfig,
-					platform *specs.Platform,
-					containerName string,
-				) (container.CreateResponse, error) {
-					return container.CreateResponse{}, nil
+				createContainerFunc: func(options client.ContainerCreateOptions) (client.ContainerCreateResult, error) {
+					return client.ContainerCreateResult{Warnings: tc.warnings}, nil
 				},
 			})
-			cmd := NewCreateCommand(fakeCLI)
+			cmd := newCreateCommand(fakeCLI)
 			cmd.SetOut(io.Discard)
 			cmd.SetArgs(tc.args)
 			err := cmd.Execute()
 			assert.NilError(t, err)
-			if tc.warning {
+			if tc.warning || len(tc.warnings) > 0 {
 				golden.Assert(t, fakeCLI.ErrBuffer().String(), tc.name+".golden")
 			} else {
 				assert.Equal(t, fakeCLI.ErrBuffer().String(), "")
@@ -349,15 +272,10 @@ func TestCreateContainerWithProxyConfig(t *testing.T) {
 	sort.Strings(expected)
 
 	fakeCLI := test.NewFakeCli(&fakeClient{
-		createContainerFunc: func(config *container.Config,
-			hostConfig *container.HostConfig,
-			networkingConfig *network.NetworkingConfig,
-			platform *specs.Platform,
-			containerName string,
-		) (container.CreateResponse, error) {
-			sort.Strings(config.Env)
-			assert.DeepEqual(t, config.Env, expected)
-			return container.CreateResponse{}, nil
+		createContainerFunc: func(options client.ContainerCreateOptions) (client.ContainerCreateResult, error) {
+			sort.Strings(options.Config.Env)
+			assert.DeepEqual(t, options.Config.Env, expected)
+			return client.ContainerCreateResult{}, nil
 		},
 	})
 	fakeCLI.SetConfigFile(&configfile.ConfigFile{
@@ -371,7 +289,7 @@ func TestCreateContainerWithProxyConfig(t *testing.T) {
 			},
 		},
 	})
-	cmd := NewCreateCommand(fakeCLI)
+	cmd := newCreateCommand(fakeCLI)
 	cmd.SetOut(io.Discard)
 	cmd.SetArgs([]string{"image:tag"})
 	err := cmd.Execute()

cli/command/container/diff.go

@@ -7,44 +7,35 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
-type diffOptions struct {
-	container string
-}
-
-// NewDiffCommand creates a new cobra.Command for `docker diff`
-func NewDiffCommand(dockerCli command.Cli) *cobra.Command {
-	var opts diffOptions
-
+// newDiffCommand creates a new cobra.Command for `docker diff`
+func newDiffCommand(dockerCLI command.Cli) *cobra.Command {
 	return &cobra.Command{
 		Use:   "diff CONTAINER",
 		Short: "Inspect changes to files or directories on a container's filesystem",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.container = args[0]
-			return runDiff(cmd.Context(), dockerCli, &opts)
+			return runDiff(cmd.Context(), dockerCLI, args[0])
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container diff, docker diff",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, false),
+		DisableFlagsInUseLine: true,
 	}
 }
 
-func runDiff(ctx context.Context, dockerCli command.Cli, opts *diffOptions) error {
-	if opts.container == "" {
-		return errors.New("Container name cannot be empty")
-	}
-	changes, err := dockerCli.Client().ContainerDiff(ctx, opts.container)
+func runDiff(ctx context.Context, dockerCLI command.Cli, containerID string) error {
+	res, err := dockerCLI.Client().ContainerDiff(ctx, containerID, client.ContainerDiffOptions{})
 	if err != nil {
 		return err
 	}
 	diffCtx := formatter.Context{
-		Output: dockerCli.Out(),
-		Format: NewDiffFormat("{{.Type}} {{.Path}}"),
+		Output: dockerCLI.Out(),
+		Format: newDiffFormat("{{.Type}} {{.Path}}"),
 	}
-	return DiffFormatWrite(diffCtx, changes)
+	return diffFormatWrite(diffCtx, res)
 }

cli/command/container/diff_test.go

@@ -8,35 +8,35 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestRunDiff(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerDiffFunc: func(
-			ctx context.Context,
-			containerID string,
-		) ([]container.FilesystemChange, error) {
-			return []container.FilesystemChange{
-				{
-					Kind: container.ChangeModify,
-					Path: "/path/to/file0",
-				},
-				{
-					Kind: container.ChangeAdd,
-					Path: "/path/to/file1",
-				},
-				{
-					Kind: container.ChangeDelete,
-					Path: "/path/to/file2",
+		containerDiffFunc: func(ctx context.Context, containerID string) (client.ContainerDiffResult, error) {
+			return client.ContainerDiffResult{
+				Changes: []container.FilesystemChange{
+					{
+						Kind: container.ChangeModify,
+						Path: "/path/to/file0",
+					},
+					{
+						Kind: container.ChangeAdd,
+						Path: "/path/to/file1",
+					},
+					{
+						Kind: container.ChangeDelete,
+						Path: "/path/to/file2",
+					},
 				},
 			}, nil
 		},
 	})
 
-	cmd := NewDiffCommand(cli)
+	cmd := newDiffCommand(cli)
 	cmd.SetOut(io.Discard)
 
 	cmd.SetArgs([]string{"container-id"})
@@ -60,15 +60,12 @@ func TestRunDiffClientError(t *testing.T) {
 	clientError := errors.New("client error")
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerDiffFunc: func(
-			ctx context.Context,
-			containerID string,
-		) ([]container.FilesystemChange, error) {
-			return nil, clientError
+		containerDiffFunc: func(ctx context.Context, containerID string) (client.ContainerDiffResult, error) {
+			return client.ContainerDiffResult{}, clientError
 		},
 	})
 
-	cmd := NewDiffCommand(cli)
+	cmd := newDiffCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 
@@ -77,17 +74,3 @@ func TestRunDiffClientError(t *testing.T) {
 	err := cmd.Execute()
 	assert.ErrorIs(t, err, clientError)
 }
-
-func TestRunDiffEmptyContainerError(t *testing.T) {
-	cli := test.NewFakeCli(&fakeClient{})
-
-	cmd := NewDiffCommand(cli)
-	cmd.SetOut(io.Discard)
-	cmd.SetErr(io.Discard)
-
-	containerID := ""
-	cmd.SetArgs([]string{containerID})
-
-	err := cmd.Execute()
-	assert.Error(t, err, "Container name cannot be empty")
-}

cli/command/container/errors.go

@@ -0,0 +1,31 @@
+package container
+
+import "github.com/containerd/errdefs"
+
+func invalidParameter(err error) error {
+	if err == nil || errdefs.IsInvalidArgument(err) {
+		return err
+	}
+	return invalidParameterErr{err}
+}
+
+type invalidParameterErr struct{ error }
+
+func (invalidParameterErr) InvalidParameter() {}
+func (e invalidParameterErr) Unwrap() error {
+	return e.error
+}
+
+func notFound(err error) error {
+	if err == nil || errdefs.IsNotFound(err) {
+		return err
+	}
+	return notFoundErr{err}
+}
+
+type notFoundErr struct{ error }
+
+func (notFoundErr) NotFound() {}
+func (e notFoundErr) Unwrap() error {
+	return e.error
+}

cli/command/container/exec.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 
@@ -10,9 +11,8 @@ import (
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -39,8 +39,8 @@ func NewExecOptions() ExecOptions {
 	}
 }
 
-// NewExecCommand creates a new cobra.Command for `docker exec`
-func NewExecCommand(dockerCli command.Cli) *cobra.Command {
+// newExecCommand creates a new cobra.Command for "docker exec".
+func newExecCommand(dockerCLI command.Cli) *cobra.Command {
 	options := NewExecOptions()
 
 	cmd := &cobra.Command{
@@ -50,15 +50,16 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			containerIDorName := args[0]
 			options.Command = args[1:]
-			return RunExec(cmd.Context(), dockerCli, containerIDorName, options)
+			return RunExec(cmd.Context(), dockerCLI, containerIDorName, options)
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr container.Summary) bool {
-			return ctr.State != "paused"
+		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr container.Summary) bool {
+			return ctr.State != container.StatePaused
 		}),
 		Annotations: map[string]string{
 			"category-top": "2",
 			"aliases":      "docker container exec, docker exec",
 		},
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -71,14 +72,14 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVarP(&options.User, "user", "u", "", `Username or UID (format: "<name|uid>[:<group|gid>]")`)
 	flags.BoolVar(&options.Privileged, "privileged", false, "Give extended privileges to the command")
 	flags.VarP(&options.Env, "env", "e", "Set environment variables")
-	flags.SetAnnotation("env", "version", []string{"1.25"})
+	_ = flags.SetAnnotation("env", "version", []string{"1.25"})
 	flags.Var(&options.EnvFile, "env-file", "Read in a file of environment variables")
-	flags.SetAnnotation("env-file", "version", []string{"1.25"})
+	_ = flags.SetAnnotation("env-file", "version", []string{"1.25"})
 	flags.StringVarP(&options.Workdir, "workdir", "w", "", "Working directory inside the container")
-	flags.SetAnnotation("workdir", "version", []string{"1.35"})
+	_ = flags.SetAnnotation("workdir", "version", []string{"1.35"})
 
-	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames)
-	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames)
+	_ = cmd.RegisterFlagCompletionFunc("env", completion.EnvVarNames())
+	_ = cmd.RegisterFlagCompletionFunc("env-file", completion.FileNames())
 
 	return cmd
 }
@@ -96,18 +97,18 @@ func RunExec(ctx context.Context, dockerCLI command.Cli, containerIDorName strin
 	// otherwise if we error out we will leak execIDs on the server (and
 	// there's no easy way to clean those up). But also in order to make "not
 	// exist" errors take precedence we do a dummy inspect first.
-	if _, err := apiClient.ContainerInspect(ctx, containerIDorName); err != nil {
+	if _, err := apiClient.ContainerInspect(ctx, containerIDorName, client.ContainerInspectOptions{}); err != nil {
 		return err
 	}
-	if !execOptions.Detach {
-		if err := dockerCLI.In().CheckTty(execOptions.AttachStdin, execOptions.Tty); err != nil {
+	if !options.Detach {
+		if err := dockerCLI.In().CheckTty(execOptions.AttachStdin, execOptions.TTY); err != nil {
 			return err
 		}
 	}
 
 	fillConsoleSize(execOptions, dockerCLI)
 
-	response, err := apiClient.ContainerExecCreate(ctx, containerIDorName, *execOptions)
+	response, err := apiClient.ExecCreate(ctx, containerIDorName, *execOptions)
 	if err != nil {
 		return err
 	}
@@ -117,24 +118,25 @@ func RunExec(ctx context.Context, dockerCLI command.Cli, containerIDorName strin
 		return errors.New("exec ID empty")
 	}
 
-	if execOptions.Detach {
-		return apiClient.ContainerExecStart(ctx, execID, container.ExecStartOptions{
-			Detach:      execOptions.Detach,
-			Tty:         execOptions.Tty,
-			ConsoleSize: execOptions.ConsoleSize,
+	if options.Detach {
+		_, err := apiClient.ExecStart(ctx, execID, client.ExecStartOptions{
+			Detach:      options.Detach,
+			TTY:         execOptions.TTY,
+			ConsoleSize: client.ConsoleSize{Height: execOptions.ConsoleSize.Height, Width: execOptions.ConsoleSize.Width},
 		})
+		return err
 	}
 	return interactiveExec(ctx, dockerCLI, execOptions, execID)
 }
 
-func fillConsoleSize(execOptions *container.ExecOptions, dockerCli command.Cli) {
-	if execOptions.Tty {
+func fillConsoleSize(execOptions *client.ExecCreateOptions, dockerCli command.Cli) {
+	if execOptions.TTY {
 		height, width := dockerCli.Out().GetTtySize()
-		execOptions.ConsoleSize = &[2]uint{height, width}
+		execOptions.ConsoleSize = client.ConsoleSize{Height: height, Width: width}
 	}
 }
 
-func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *container.ExecOptions, execID string) error {
+func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *client.ExecCreateOptions, execID string) error {
 	// Interactive exec requested.
 	var (
 		out, stderr io.Writer
@@ -148,7 +150,7 @@ func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *co
 		out = dockerCli.Out()
 	}
 	if execOptions.AttachStderr {
-		if execOptions.Tty {
+		if execOptions.TTY {
 			stderr = dockerCli.Out()
 		} else {
 			stderr = dockerCli.Err()
@@ -157,9 +159,9 @@ func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *co
 	fillConsoleSize(execOptions, dockerCli)
 
 	apiClient := dockerCli.Client()
-	resp, err := apiClient.ContainerExecAttach(ctx, execID, container.ExecAttachOptions{
-		Tty:         execOptions.Tty,
-		ConsoleSize: execOptions.ConsoleSize,
+	resp, err := apiClient.ExecAttach(ctx, execID, client.ExecAttachOptions{
+		TTY:         execOptions.TTY,
+		ConsoleSize: client.ConsoleSize{Height: execOptions.ConsoleSize.Height, Width: execOptions.ConsoleSize.Width},
 	})
 	if err != nil {
 		return err
@@ -176,8 +178,8 @@ func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *co
 				inputStream:  in,
 				outputStream: out,
 				errorStream:  stderr,
-				resp:         resp,
-				tty:          execOptions.Tty,
+				resp:         resp.HijackedResponse,
+				tty:          execOptions.TTY,
 				detachKeys:   execOptions.DetachKeys,
 			}
 
@@ -185,7 +187,7 @@ func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *co
 		}()
 	}()
 
-	if execOptions.Tty && dockerCli.In().IsTerminal() {
+	if execOptions.TTY && dockerCli.In().IsTerminal() {
 		if err := MonitorTtySize(ctx, dockerCli, execID, true); err != nil {
 			_, _ = fmt.Fprintln(dockerCli.Err(), "Error monitoring TTY size:", err)
 		}
@@ -199,8 +201,8 @@ func interactiveExec(ctx context.Context, dockerCli command.Cli, execOptions *co
 	return getExecExitStatus(ctx, apiClient, execID)
 }
 
-func getExecExitStatus(ctx context.Context, apiClient client.ContainerAPIClient, execID string) error {
-	resp, err := apiClient.ContainerExecInspect(ctx, execID)
+func getExecExitStatus(ctx context.Context, apiClient client.ExecAPIClient, execID string) error {
+	resp, err := apiClient.ExecInspect(ctx, execID, client.ExecInspectOptions{})
 	if err != nil {
 		// If we can't connect, then the daemon probably died.
 		if !client.IsErrConnectionFailed(err) {
@@ -217,19 +219,18 @@ func getExecExitStatus(ctx context.Context, apiClient client.ContainerAPIClient,
 
 // parseExec parses the specified args for the specified command and generates
 // an ExecConfig from it.
-func parseExec(execOpts ExecOptions, configFile *configfile.ConfigFile) (*container.ExecOptions, error) {
-	execOptions := &container.ExecOptions{
+func parseExec(execOpts ExecOptions, configFile *configfile.ConfigFile) (*client.ExecCreateOptions, error) {
+	execOptions := &client.ExecCreateOptions{
 		User:       execOpts.User,
 		Privileged: execOpts.Privileged,
-		Tty:        execOpts.TTY,
+		TTY:        execOpts.TTY,
 		Cmd:        execOpts.Command,
-		Detach:     execOpts.Detach,
 		WorkingDir: execOpts.Workdir,
 	}
 
 	// collect all the environment variables for the container
 	var err error
-	if execOptions.Env, err = opts.ReadKVEnvStrings(execOpts.EnvFile.GetAll(), execOpts.Env.GetAll()); err != nil {
+	if execOptions.Env, err = opts.ReadKVEnvStrings(execOpts.EnvFile.GetSlice(), execOpts.Env.GetSlice()); err != nil {
 		return nil, err
 	}
 

cli/command/container/exec_test.go

@@ -5,13 +5,14 @@ import (
 	"errors"
 	"io"
 	"os"
+	"strconv"
 	"testing"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/fs"
@@ -37,10 +38,10 @@ TWO=2
 	testcases := []struct {
 		options    ExecOptions
 		configFile configfile.ConfigFile
-		expected   container.ExecOptions
+		expected   client.ExecCreateOptions
 	}{
 		{
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:          []string{"command"},
 				AttachStdout: true,
 				AttachStderr: true,
@@ -48,7 +49,7 @@ TWO=2
 			options: withDefaultOpts(ExecOptions{}),
 		},
 		{
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:          []string{"command1", "command2"},
 				AttachStdout: true,
 				AttachStderr: true,
@@ -63,20 +64,19 @@ TWO=2
 				TTY:         true,
 				User:        "uid",
 			}),
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				User:         "uid",
 				AttachStdin:  true,
 				AttachStdout: true,
 				AttachStderr: true,
-				Tty:          true,
+				TTY:          true,
 				Cmd:          []string{"command"},
 			},
 		},
 		{
 			options: withDefaultOpts(ExecOptions{Detach: true}),
-			expected: container.ExecOptions{
-				Detach: true,
-				Cmd:    []string{"command"},
+			expected: client.ExecCreateOptions{
+				Cmd: []string{"command"},
 			},
 		},
 		{
@@ -85,19 +85,17 @@ TWO=2
 				Interactive: true,
 				Detach:      true,
 			}),
-			expected: container.ExecOptions{
-				Detach: true,
-				Tty:    true,
-				Cmd:    []string{"command"},
+			expected: client.ExecCreateOptions{
+				TTY: true,
+				Cmd: []string{"command"},
 			},
 		},
 		{
 			options:    withDefaultOpts(ExecOptions{Detach: true}),
 			configFile: configfile.ConfigFile{DetachKeys: "de"},
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:        []string{"command"},
 				DetachKeys: "de",
-				Detach:     true,
 			},
 		},
 		{
@@ -106,14 +104,13 @@ TWO=2
 				DetachKeys: "ab",
 			}),
 			configFile: configfile.ConfigFile{DetachKeys: "de"},
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:        []string{"command"},
 				DetachKeys: "ab",
-				Detach:     true,
 			},
 		},
 		{
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:          []string{"command"},
 				AttachStdout: true,
 				AttachStderr: true,
@@ -121,12 +118,12 @@ TWO=2
 			},
 			options: func() ExecOptions {
 				o := withDefaultOpts(ExecOptions{})
-				o.EnvFile.Set(tmpFile.Path())
+				_ = o.EnvFile.Set(tmpFile.Path())
 				return o
 			}(),
 		},
 		{
-			expected: container.ExecOptions{
+			expected: client.ExecCreateOptions{
 				Cmd:          []string{"command"},
 				AttachStdout: true,
 				AttachStderr: true,
@@ -134,23 +131,25 @@ TWO=2
 			},
 			options: func() ExecOptions {
 				o := withDefaultOpts(ExecOptions{})
-				o.EnvFile.Set(tmpFile.Path())
-				o.Env.Set("ONE=override")
+				_ = o.EnvFile.Set(tmpFile.Path())
+				_ = o.Env.Set("ONE=override")
 				return o
 			}(),
 		},
 	}
 
-	for _, testcase := range testcases {
-		execConfig, err := parseExec(testcase.options, &testcase.configFile)
-		assert.NilError(t, err)
-		assert.Check(t, is.DeepEqual(testcase.expected, *execConfig))
+	for i, testcase := range testcases {
+		t.Run("test "+strconv.Itoa(i+1), func(t *testing.T) {
+			execConfig, err := parseExec(testcase.options, &testcase.configFile)
+			assert.NilError(t, err)
+			assert.Check(t, is.DeepEqual(testcase.expected, *execConfig))
+		})
 	}
 }
 
 func TestParseExecNoSuchFile(t *testing.T) {
 	execOpts := withDefaultOpts(ExecOptions{})
-	execOpts.EnvFile.Set("no-such-env-file")
+	assert.Check(t, execOpts.EnvFile.Set("no-such-env-file"))
 	execConfig, err := parseExec(execOpts, &configfile.ConfigFile{})
 	assert.ErrorContains(t, err, "no-such-env-file")
 	assert.Check(t, os.IsNotExist(err))
@@ -177,8 +176,8 @@ func TestRunExec(t *testing.T) {
 			doc:     "inspect error",
 			options: NewExecOptions(),
 			client: &fakeClient{
-				inspectFunc: func(string) (container.InspectResponse, error) {
-					return container.InspectResponse{}, errors.New("failed inspect")
+				inspectFunc: func(string) (client.ContainerInspectResult, error) {
+					return client.ContainerInspectResult{}, errors.New("failed inspect")
 				},
 			},
 			expectedError: "failed inspect",
@@ -195,7 +194,7 @@ func TestRunExec(t *testing.T) {
 		t.Run(testcase.doc, func(t *testing.T) {
 			fakeCLI := test.NewFakeCli(testcase.client)
 
-			err := RunExec(context.TODO(), fakeCLI, "thecontainer", testcase.options)
+			err := RunExec(context.TODO(), fakeCLI, "the-container", testcase.options)
 			if testcase.expectedError != "" {
 				assert.ErrorContains(t, err, testcase.expectedError)
 			} else if !assert.Check(t, err) {
@@ -207,8 +206,8 @@ func TestRunExec(t *testing.T) {
 	}
 }
 
-func execCreateWithID(_ string, _ container.ExecOptions) (container.ExecCreateResponse, error) {
-	return container.ExecCreateResponse{ID: "execid"}, nil
+func execCreateWithID(_ string, _ client.ExecCreateOptions) (client.ExecCreateResult, error) {
+	return client.ExecCreateResult{ID: "exec-id"}, nil
 }
 
 func TestGetExecExitStatus(t *testing.T) {
@@ -235,13 +234,13 @@ func TestGetExecExitStatus(t *testing.T) {
 	}
 
 	for _, testcase := range testcases {
-		client := &fakeClient{
-			execInspectFunc: func(id string) (container.ExecInspect, error) {
+		apiClient := &fakeClient{
+			execInspectFunc: func(id string) (client.ExecInspectResult, error) {
 				assert.Check(t, is.Equal(execID, id))
-				return container.ExecInspect{ExitCode: testcase.exitCode}, testcase.inspectError
+				return client.ExecInspectResult{ExitCode: testcase.exitCode}, testcase.inspectError
 			},
 		}
-		err := getExecExitStatus(context.Background(), client, execID)
+		err := getExecExitStatus(context.Background(), apiClient, execID)
 		assert.Check(t, is.Equal(testcase.expectedError, err))
 	}
 }
@@ -251,20 +250,20 @@ func TestNewExecCommandErrors(t *testing.T) {
 		name                 string
 		args                 []string
 		expectedError        string
-		containerInspectFunc func(img string) (container.InspectResponse, error)
+		containerInspectFunc func(img string) (client.ContainerInspectResult, error)
 	}{
 		{
 			name:          "client-error",
 			args:          []string{"5cb5bb5e4a3b", "-t", "-i", "bash"},
 			expectedError: "something went wrong",
-			containerInspectFunc: func(containerID string) (container.InspectResponse, error) {
-				return container.InspectResponse{}, errors.New("something went wrong")
+			containerInspectFunc: func(containerID string) (client.ContainerInspectResult, error) {
+				return client.ContainerInspectResult{}, errors.New("something went wrong")
 			},
 		},
 	}
 	for _, tc := range testCases {
 		fakeCLI := test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc})
-		cmd := NewExecCommand(fakeCLI)
+		cmd := newExecCommand(fakeCLI)
 		cmd.SetOut(io.Discard)
 		cmd.SetArgs(tc.args)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)

cli/command/container/export.go

@@ -2,12 +2,15 @@ package container
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/client"
+	"github.com/moby/sys/atomicwriter"
 	"github.com/spf13/cobra"
 )
 
@@ -16,8 +19,8 @@ type exportOptions struct {
 	output    string
 }
 
-// NewExportCommand creates a new `docker export` command
-func NewExportCommand(dockerCli command.Cli) *cobra.Command {
+// newExportCommand creates a new "docker container export" command.
+func newExportCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts exportOptions
 
 	cmd := &cobra.Command{
@@ -26,12 +29,13 @@ func NewExportCommand(dockerCli command.Cli) *cobra.Command {
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.container = args[0]
-			return runExport(cmd.Context(), dockerCli, opts)
+			return runExport(cmd.Context(), dockerCLI, opts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container export, docker export",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, true),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, true),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -41,27 +45,28 @@ func NewExportCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runExport(ctx context.Context, dockerCli command.Cli, opts exportOptions) error {
-	if opts.output == "" && dockerCli.Out().IsTerminal() {
-		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+func runExport(ctx context.Context, dockerCLI command.Cli, opts exportOptions) error {
+	var output io.Writer
+	if opts.output == "" {
+		if dockerCLI.Out().IsTerminal() {
+			return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+		}
+		output = dockerCLI.Out()
+	} else {
+		writer, err := atomicwriter.New(opts.output, 0o600)
+		if err != nil {
+			return fmt.Errorf("failed to export container: %w", err)
+		}
+		defer writer.Close()
+		output = writer
 	}
 
-	if err := command.ValidateOutputPath(opts.output); err != nil {
-		return errors.Wrap(err, "failed to export container")
-	}
-
-	clnt := dockerCli.Client()
-
-	responseBody, err := clnt.ContainerExport(ctx, opts.container)
+	responseBody, err := dockerCLI.Client().ContainerExport(ctx, opts.container, client.ContainerExportOptions{})
 	if err != nil {
 		return err
 	}
 	defer responseBody.Close()
 
-	if opts.output == "" {
-		_, err := io.Copy(dockerCli.Out(), responseBody)
-		return err
-	}
-
-	return command.CopyToFile(opts.output, responseBody)
+	_, err = io.Copy(output, responseBody)
+	return err
 }

cli/command/container/export_test.go

@@ -2,10 +2,10 @@ package container
 
 import (
 	"io"
-	"strings"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/fs"
 )
@@ -15,11 +15,12 @@ func TestContainerExportOutputToFile(t *testing.T) {
 	defer dir.Remove()
 
 	cli := test.NewFakeCli(&fakeClient{
-		containerExportFunc: func(container string) (io.ReadCloser, error) {
-			return io.NopCloser(strings.NewReader("bar")), nil
+		containerExportFunc: func(container string) (client.ContainerExportResult, error) {
+			// FIXME(thaJeztah): how to mock this?
+			return mockContainerExportResult("bar"), nil
 		},
 	})
-	cmd := NewExportCommand(cli)
+	cmd := newExportCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetArgs([]string{"-o", dir.Join("foo"), "container"})
 	assert.NilError(t, cmd.Execute())
@@ -33,17 +34,16 @@ func TestContainerExportOutputToFile(t *testing.T) {
 
 func TestContainerExportOutputToIrregularFile(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerExportFunc: func(container string) (io.ReadCloser, error) {
-			return io.NopCloser(strings.NewReader("foo")), nil
+		containerExportFunc: func(container string) (client.ContainerExportResult, error) {
+			// FIXME(thaJeztah): how to mock this?
+			return mockContainerExportResult("foo"), nil
 		},
 	})
-	cmd := NewExportCommand(cli)
+	cmd := newExportCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 	cmd.SetArgs([]string{"-o", "/dev/random", "container"})
 
-	err := cmd.Execute()
-	assert.Assert(t, err != nil)
-	expected := `"/dev/random" must be a directory or a regular file`
-	assert.ErrorContains(t, err, expected)
+	const expected = `failed to export container: cannot write to a character device file`
+	assert.Error(t, cmd.Execute(), expected)
 }

cli/command/container/formatter_diff.go

@@ -2,7 +2,8 @@ package container
 
 import (
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 )
 
 const (
@@ -12,25 +13,24 @@ const (
 	pathHeader       = "PATH"
 )
 
-// NewDiffFormat returns a format for use with a diff Context
-func NewDiffFormat(source string) formatter.Format {
+// newDiffFormat returns a format for use with a diff [formatter.Context].
+func newDiffFormat(source string) formatter.Format {
 	if source == formatter.TableFormatKey {
 		return defaultDiffTableFormat
 	}
 	return formatter.Format(source)
 }
 
-// DiffFormatWrite writes formatted diff using the Context
-func DiffFormatWrite(ctx formatter.Context, changes []container.FilesystemChange) error {
-	render := func(format func(subContext formatter.SubContext) error) error {
-		for _, change := range changes {
+// diffFormatWrite writes formatted diff using the [formatter.Context].
+func diffFormatWrite(fmtCtx formatter.Context, changes client.ContainerDiffResult) error {
+	return fmtCtx.Write(newDiffContext(), func(format func(subContext formatter.SubContext) error) error {
+		for _, change := range changes.Changes {
 			if err := format(&diffContext{c: change}); err != nil {
 				return err
 			}
 		}
 		return nil
-	}
-	return ctx.Write(newDiffContext(), render)
+	})
 }
 
 type diffContext struct {
@@ -39,12 +39,14 @@ type diffContext struct {
 }
 
 func newDiffContext() *diffContext {
-	diffCtx := diffContext{}
-	diffCtx.Header = formatter.SubHeaderContext{
-		"Type": changeTypeHeader,
-		"Path": pathHeader,
+	return &diffContext{
+		HeaderContext: formatter.HeaderContext{
+			Header: formatter.SubHeaderContext{
+				"Type": changeTypeHeader,
+				"Path": pathHeader,
+			},
+		},
 	}
-	return &diffCtx
 }
 
 func (d *diffContext) MarshalJSON() ([]byte, error) {

cli/command/container/formatter_diff_test.go

@@ -5,7 +5,8 @@ import (
 	"testing"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 )
 
@@ -16,7 +17,7 @@ func TestDiffContextFormatWrite(t *testing.T) {
 		expected string
 	}{
 		{
-			formatter.Context{Format: NewDiffFormat("table")},
+			formatter.Context{Format: newDiffFormat("table")},
 			`CHANGE TYPE   PATH
 C             /var/log/app.log
 A             /usr/app/app.js
@@ -24,7 +25,7 @@ D             /usr/app/old_app.js
 `,
 		},
 		{
-			formatter.Context{Format: NewDiffFormat("table {{.Path}}")},
+			formatter.Context{Format: newDiffFormat("table {{.Path}}")},
 			`PATH
 /var/log/app.log
 /usr/app/app.js
@@ -32,7 +33,7 @@ D             /usr/app/old_app.js
 `,
 		},
 		{
-			formatter.Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
+			formatter.Context{Format: newDiffFormat("{{.Type}}: {{.Path}}")},
 			`C: /var/log/app.log
 A: /usr/app/app.js
 D: /usr/app/old_app.js
@@ -40,17 +41,19 @@ D: /usr/app/old_app.js
 		},
 	}
 
-	diffs := []container.FilesystemChange{
-		{Kind: container.ChangeModify, Path: "/var/log/app.log"},
-		{Kind: container.ChangeAdd, Path: "/usr/app/app.js"},
-		{Kind: container.ChangeDelete, Path: "/usr/app/old_app.js"},
+	diffs := client.ContainerDiffResult{
+		Changes: []container.FilesystemChange{
+			{Kind: container.ChangeModify, Path: "/var/log/app.log"},
+			{Kind: container.ChangeAdd, Path: "/usr/app/app.js"},
+			{Kind: container.ChangeDelete, Path: "/usr/app/old_app.js"},
+		},
 	}
 
 	for _, tc := range cases {
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			out := bytes.NewBufferString("")
 			tc.context.Output = out
-			err := DiffFormatWrite(tc.context, diffs)
+			err := diffFormatWrite(tc.context, diffs)
 			if err != nil {
 				assert.Error(t, err, tc.expected)
 			} else {

cli/command/container/formatter_stats.go

@@ -5,8 +5,7 @@ import (
 	"sync"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/pkg/stringid"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )
 
 const (
@@ -168,6 +167,7 @@ func (c *statsContext) Container() string {
 }
 
 func (c *statsContext) Name() string {
+	// TODO(thaJeztah): make this explicitly trim the "/" prefix, not just any char.
 	if len(c.s.Name) > 1 {
 		return c.s.Name[1:]
 	}
@@ -176,7 +176,7 @@ func (c *statsContext) Name() string {
 
 func (c *statsContext) ID() string {
 	if c.trunc {
-		return stringid.TruncateID(c.s.ID)
+		return formatter.TruncateID(c.s.ID)
 	}
 	return c.s.ID
 }

cli/command/container/formatter_stats_test.go

@@ -5,45 +5,181 @@ import (
 	"testing"
 
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/docker/pkg/stringid"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestContainerStatsContext(t *testing.T) {
-	containerID := stringid.GenerateRandomID()
+	const actorID = "c74518277ddc15a6afeaaeb06ee5f7433dcb27188224777c1efa7df1e8766d65"
 
 	var ctx statsContext
-	tt := []struct {
+	tests := []struct {
+		name      string
 		stats     StatsEntry
 		osType    string
 		expValue  string
 		expHeader string
 		call      func() string
 	}{
-		{StatsEntry{Container: containerID}, "", containerID, containerHeader, ctx.Container},
-		{StatsEntry{CPUPercentage: 5.5}, "", "5.50%", cpuPercHeader, ctx.CPUPerc},
-		{StatsEntry{CPUPercentage: 5.5, IsInvalid: true}, "", "--", cpuPercHeader, ctx.CPUPerc},
-		{StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3}, "", "0.31B / 12.3B", netIOHeader, ctx.NetIO},
-		{StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3, IsInvalid: true}, "", "--", netIOHeader, ctx.NetIO},
-		{StatsEntry{BlockRead: 0.1, BlockWrite: 2.3}, "", "0.1B / 2.3B", blockIOHeader, ctx.BlockIO},
-		{StatsEntry{BlockRead: 0.1, BlockWrite: 2.3, IsInvalid: true}, "", "--", blockIOHeader, ctx.BlockIO},
-		{StatsEntry{MemoryPercentage: 10.2}, "", "10.20%", memPercHeader, ctx.MemPerc},
-		{StatsEntry{MemoryPercentage: 10.2, IsInvalid: true}, "", "--", memPercHeader, ctx.MemPerc},
-		{StatsEntry{MemoryPercentage: 10.2}, "windows", "--", memPercHeader, ctx.MemPerc},
-		{StatsEntry{Memory: 24, MemoryLimit: 30}, "", "24B / 30B", memUseHeader, ctx.MemUsage},
-		{StatsEntry{Memory: 24, MemoryLimit: 30, IsInvalid: true}, "", "-- / --", memUseHeader, ctx.MemUsage},
-		{StatsEntry{Memory: 24, MemoryLimit: 30}, "windows", "24B", winMemUseHeader, ctx.MemUsage},
-		{StatsEntry{PidsCurrent: 10}, "", "10", pidsHeader, ctx.PIDs},
-		{StatsEntry{PidsCurrent: 10, IsInvalid: true}, "", "--", pidsHeader, ctx.PIDs},
-		{StatsEntry{PidsCurrent: 10}, "windows", "--", pidsHeader, ctx.PIDs},
+		{
+			name:      "Container id",
+			stats:     StatsEntry{ID: actorID, Container: actorID},
+			expValue:  actorID,
+			expHeader: containerHeader,
+			call:      ctx.Container,
+		},
+		{
+			name:      "Container name",
+			stats:     StatsEntry{ID: actorID, Container: "a-long-container-name"},
+			expValue:  "a-long-container-name",
+			expHeader: containerHeader,
+			call:      ctx.Container,
+		},
+		{
+			name:      "ID",
+			stats:     StatsEntry{ID: actorID},
+			expValue:  actorID,
+			expHeader: formatter.ContainerIDHeader,
+			call:      ctx.ID,
+		},
+		{
+			name:      "Name",
+			stats:     StatsEntry{Name: "/container-name"},
+			expValue:  "container-name",
+			expHeader: formatter.ContainerIDHeader,
+			call:      ctx.Name,
+		},
+		{
+			name:      "Name empty",
+			stats:     StatsEntry{Name: ""},
+			expValue:  "--",
+			expHeader: formatter.ContainerIDHeader,
+			call:      ctx.Name,
+		},
+		{
+			name:      "Name prefix only",
+			stats:     StatsEntry{Name: "/"},
+			expValue:  "--",
+			expHeader: formatter.ContainerIDHeader,
+			call:      ctx.Name,
+		},
+		{
+			name:      "CPUPerc",
+			stats:     StatsEntry{CPUPercentage: 5.5},
+			expValue:  "5.50%",
+			expHeader: cpuPercHeader,
+			call:      ctx.CPUPerc,
+		},
+		{
+			name:      "CPUPerc invalid",
+			stats:     StatsEntry{CPUPercentage: 5.5, IsInvalid: true},
+			expValue:  "--",
+			expHeader: cpuPercHeader,
+			call:      ctx.CPUPerc,
+		},
+		{
+			name:      "NetIO",
+			stats:     StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3},
+			expValue:  "0.31B / 12.3B",
+			expHeader: netIOHeader,
+			call:      ctx.NetIO,
+		},
+		{
+			name:      "NetIO invalid",
+			stats:     StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3, IsInvalid: true},
+			expValue:  "--",
+			expHeader: netIOHeader,
+			call:      ctx.NetIO,
+		},
+		{
+			name:      "BlockIO",
+			stats:     StatsEntry{BlockRead: 0.1, BlockWrite: 2.3},
+			expValue:  "0.1B / 2.3B",
+			expHeader: blockIOHeader,
+			call:      ctx.BlockIO,
+		},
+		{
+			name:      "BlockIO invalid",
+			stats:     StatsEntry{BlockRead: 0.1, BlockWrite: 2.3, IsInvalid: true},
+			expValue:  "--",
+			expHeader: blockIOHeader,
+			call:      ctx.BlockIO,
+		},
+		{
+			name:      "MemPerc",
+			stats:     StatsEntry{MemoryPercentage: 10.2},
+			expValue:  "10.20%",
+			expHeader: memPercHeader,
+			call:      ctx.MemPerc,
+		},
+		{
+			name:      "MemPerc invalid",
+			stats:     StatsEntry{MemoryPercentage: 10.2, IsInvalid: true},
+			expValue:  "--",
+			expHeader: memPercHeader,
+			call:      ctx.MemPerc,
+		},
+		{
+			name:      "MemPerc windows",
+			stats:     StatsEntry{MemoryPercentage: 10.2},
+			osType:    "windows",
+			expValue:  "--",
+			expHeader: memPercHeader,
+			call:      ctx.MemPerc,
+		},
+		{
+			name:      "MemUsage",
+			stats:     StatsEntry{Memory: 24, MemoryLimit: 30},
+			expValue:  "24B / 30B",
+			expHeader: memUseHeader,
+			call:      ctx.MemUsage,
+		},
+		{
+			name:      "MemUsage invalid",
+			stats:     StatsEntry{Memory: 24, MemoryLimit: 30, IsInvalid: true},
+			expValue:  "-- / --",
+			expHeader: memUseHeader,
+			call:      ctx.MemUsage,
+		},
+		{
+			name:      "MemUsage windows",
+			stats:     StatsEntry{Memory: 24, MemoryLimit: 30},
+			osType:    "windows",
+			expValue:  "24B",
+			expHeader: winMemUseHeader,
+			call:      ctx.MemUsage,
+		},
+		{
+			name:      "PIDs",
+			stats:     StatsEntry{PidsCurrent: 10},
+			expValue:  "10",
+			expHeader: pidsHeader,
+			call:      ctx.PIDs,
+		},
+		{
+			name:      "PIDs invalid",
+			stats:     StatsEntry{PidsCurrent: 10, IsInvalid: true},
+			expValue:  "--",
+			expHeader: pidsHeader,
+			call:      ctx.PIDs,
+		},
+		{
+			name:      "PIDs windows",
+			stats:     StatsEntry{PidsCurrent: 10},
+			osType:    "windows",
+			expValue:  "--",
+			expHeader: pidsHeader,
+			call:      ctx.PIDs,
+		},
 	}
 
-	for _, te := range tt {
-		ctx = statsContext{s: te.stats, os: te.osType}
-		if v := te.call(); v != te.expValue {
-			t.Fatalf("Expected %q, got %q", te.expValue, v)
-		}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx = statsContext{s: tc.stats, os: tc.osType}
+			if v := tc.call(); v != tc.expValue {
+				t.Fatalf("Expected %q, got %q", tc.expValue, v)
+			}
+		})
 	}
 }
 
@@ -148,7 +284,7 @@ container2  --  --
 `,
 		},
 	}
-	stats := []StatsEntry{
+	entries := []StatsEntry{
 		{
 			Container:        "container1",
 			CPUPercentage:    20,
@@ -181,7 +317,7 @@ container2  --  --
 		t.Run(string(tc.context.Format), func(t *testing.T) {
 			var out bytes.Buffer
 			tc.context.Output = &out
-			err := statsFormatWrite(tc.context, stats, "windows", false)
+			err := statsFormatWrite(tc.context, entries, "windows", false)
 			if err != nil {
 				assert.Error(t, err, tc.expected)
 			} else {
@@ -273,45 +409,46 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 }
 
 func TestContainerStatsContextWriteTrunc(t *testing.T) {
-	var out bytes.Buffer
-
-	contexts := []struct {
+	tests := []struct {
+		doc      string
 		context  formatter.Context
 		trunc    bool
 		expected string
 	}{
 		{
-			formatter.Context{
+			doc: "non-truncated",
+			context: formatter.Context{
 				Format: "{{.ID}}",
-				Output: &out,
 			},
-			false,
-			"b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
+			expected: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
 		},
 		{
-			formatter.Context{
+			doc: "truncated",
+			context: formatter.Context{
 				Format: "{{.ID}}",
-				Output: &out,
 			},
-			true,
-			"b95a83497c91\n",
+			trunc:    true,
+			expected: "b95a83497c91\n",
 		},
 	}
 
-	for _, context := range contexts {
-		statsFormatWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
-		assert.Check(t, is.Equal(context.expected, out.String()))
-		// Clean buffer
-		out.Reset()
+	for _, tc := range tests {
+		t.Run(tc.doc, func(t *testing.T) {
+			var out bytes.Buffer
+			tc.context.Output = &out
+			err := statsFormatWrite(tc.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", tc.trunc)
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(tc.expected, out.String()))
+		})
 	}
 }
 
 func BenchmarkStatsFormat(b *testing.B) {
 	b.ReportAllocs()
-	stats := genStats()
+	entries := genStats()
 
 	for i := 0; i < b.N; i++ {
-		for _, s := range stats {
+		for _, s := range entries {
 			_ = s.CPUPerc()
 			_ = s.MemUsage()
 			_ = s.MemPerc()
@@ -334,9 +471,9 @@ func genStats() []statsContext {
 		NetworkTx:        987.654321,
 		PidsCurrent:      123456789,
 	}}
-	stats := make([]statsContext, 100)
-	for i := 0; i < 100; i++ {
-		stats = append(stats, entry)
+	entries := make([]statsContext, 0, 100)
+	for range 100 {
+		entries = append(entries, entry)
 	}
-	return stats
+	return entries
 }

cli/command/container/hijack.go

@@ -8,9 +8,8 @@ import (
 	"sync"
 
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/client"
 	"github.com/moby/term"
 	"github.com/sirupsen/logrus"
 )
@@ -19,6 +18,18 @@ import (
 // TODO: This could be moved to `pkg/term`.
 var defaultEscapeKeys = []byte{16, 17}
 
+// readCloserWrapper wraps an io.Reader, and implements an io.ReadCloser
+// It calls the given callback function when closed.
+type readCloserWrapper struct {
+	io.Reader
+	closer func() error
+}
+
+// Close calls back the passed closer function
+func (r *readCloserWrapper) Close() error {
+	return r.closer()
+}
+
 // A hijackedIOStreamer handles copying input to and output from streams to the
 // connection.
 type hijackedIOStreamer struct {
@@ -27,7 +38,7 @@ type hijackedIOStreamer struct {
 	outputStream io.Writer
 	errorStream  io.Writer
 
-	resp types.HijackedResponse
+	resp client.HijackedResponse
 
 	tty        bool
 	detachKeys string
@@ -84,12 +95,9 @@ func (h *hijackedIOStreamer) setupInput() (restore func(), err error) {
 
 	// Use sync.Once so we may call restore multiple times but ensure we
 	// only restore the terminal once.
-	var restoreOnce sync.Once
-	restore = func() {
-		restoreOnce.Do(func() {
-			_ = restoreTerminal(h.streams, h.inputStream)
-		})
-	}
+	restore = sync.OnceFunc(func() {
+		_ = restoreTerminal(h.streams, h.inputStream)
+	})
 
 	// Wrap the input to detect detach escape sequence.
 	// Use default escape keys if an invalid sequence is given.
@@ -103,7 +111,10 @@ func (h *hijackedIOStreamer) setupInput() (restore func(), err error) {
 		}
 	}
 
-	h.inputStream = ioutils.NewReadCloserWrapper(term.NewEscapeProxy(h.inputStream, escapeKeys), h.inputStream.Close)
+	h.inputStream = &readCloserWrapper{
+		Reader: term.NewEscapeProxy(h.inputStream, escapeKeys),
+		closer: h.inputStream.Close,
+	}
 
 	return restore, nil
 }

cli/command/container/inspect.go

@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.24
 
 package container
 
@@ -11,6 +11,7 @@ import (
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/inspect"
 	flagsHelper "github.com/docker/cli/cli/flags"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -21,7 +22,7 @@ type inspectOptions struct {
 }
 
 // newInspectCommand creates a new cobra.Command for `docker container inspect`
-func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+func newInspectCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts inspectOptions
 
 	cmd := &cobra.Command{
@@ -30,9 +31,10 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.refs = args
-			return runInspect(cmd.Context(), dockerCli, opts)
+			return runInspect(cmd.Context(), dockerCLI, opts)
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, true),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, true),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -45,6 +47,10 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {
 func runInspect(ctx context.Context, dockerCLI command.Cli, opts inspectOptions) error {
 	apiClient := dockerCLI.Client()
 	return inspect.Inspect(dockerCLI.Out(), opts.refs, opts.format, func(ref string) (any, []byte, error) {
-		return apiClient.ContainerInspectWithRaw(ctx, ref, opts.size)
+		res, err := apiClient.ContainerInspect(ctx, ref, client.ContainerInspectOptions{Size: opts.size})
+		if err != nil {
+			return nil, nil, err
+		}
+		return &res.Container, res.Raw, nil
 	})
 }

cli/command/container/kill.go

@@ -8,6 +8,7 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -17,8 +18,8 @@ type killOptions struct {
 	containers []string
 }
 
-// NewKillCommand creates a new cobra.Command for `docker kill`
-func NewKillCommand(dockerCli command.Cli) *cobra.Command {
+// newKillCommand creates a new cobra.Command for "docker container kill"
+func newKillCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts killOptions
 
 	cmd := &cobra.Command{
@@ -27,12 +28,13 @@ func NewKillCommand(dockerCli command.Cli) *cobra.Command {
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.containers = args
-			return runKill(cmd.Context(), dockerCli, &opts)
+			return runKill(cmd.Context(), dockerCLI, &opts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container kill, docker kill",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, false),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -46,7 +48,10 @@ func NewKillCommand(dockerCli command.Cli) *cobra.Command {
 func runKill(ctx context.Context, dockerCLI command.Cli, opts *killOptions) error {
 	apiClient := dockerCLI.Client()
 	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, container string) error {
-		return apiClient.ContainerKill(ctx, container, opts.signal)
+		_, err := apiClient.ContainerKill(ctx, container, client.ContainerKillOptions{
+			Signal: opts.signal,
+		})
+		return err
 	})
 
 	var errs []error

cli/command/container/kill_test.go

@@ -8,23 +8,20 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestRunKill(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerKillFunc: func(
-			ctx context.Context,
-			container string,
-			signal string,
-		) error {
-			assert.Assert(t, is.Equal(signal, "STOP"))
-			return nil
+		containerKillFunc: func(ctx context.Context, container string, options client.ContainerKillOptions) (client.ContainerKillResult, error) {
+			assert.Assert(t, is.Equal(options.Signal, "STOP"))
+			return client.ContainerKillResult{}, nil
 		},
 	})
 
-	cmd := NewKillCommand(cli)
+	cmd := newKillCommand(cli)
 	cmd.SetOut(io.Discard)
 
 	cmd.SetArgs([]string{
@@ -47,16 +44,12 @@ func TestRunKill(t *testing.T) {
 
 func TestRunKillClientError(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerKillFunc: func(
-			ctx context.Context,
-			container string,
-			signal string,
-		) error {
-			return fmt.Errorf("client error for container %s", container)
+		containerKillFunc: func(ctx context.Context, container string, options client.ContainerKillOptions) (client.ContainerKillResult, error) {
+			return client.ContainerKillResult{}, fmt.Errorf("client error for container %s", container)
 		},
 	})
 
-	cmd := NewKillCommand(cli)
+	cmd := newKillCommand(cli)
 	cmd.SetOut(io.Discard)
 	cmd.SetErr(io.Discard)
 

cli/command/container/list.go

@@ -2,17 +2,16 @@ package container
 
 import (
 	"context"
+	"fmt"
 	"io"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/formatter"
 	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/opts"
 	"github.com/docker/cli/templates"
-	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -28,8 +27,8 @@ type psOptions struct {
 	filter      opts.FilterOpt
 }
 
-// NewPsCommand creates a new cobra.Command for `docker ps`
-func NewPsCommand(dockerCLI command.Cli) *cobra.Command {
+// newPsCommand creates a new cobra.Command for "docker container ps"
+func newPsCommand(dockerCLI command.Cli) *cobra.Command {
 	options := psOptions{filter: opts.NewFilterOpt()}
 
 	cmd := &cobra.Command{
@@ -44,7 +43,8 @@ func NewPsCommand(dockerCLI command.Cli) *cobra.Command {
 			"category-top": "3",
 			"aliases":      "docker container ls, docker container list, docker container ps, docker ps",
 		},
-		ValidArgsFunction: completion.NoComplete,
+		ValidArgsFunction:     cobra.NoFileCompletions,
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -62,14 +62,14 @@ func NewPsCommand(dockerCLI command.Cli) *cobra.Command {
 }
 
 func newListCommand(dockerCLI command.Cli) *cobra.Command {
-	cmd := *NewPsCommand(dockerCLI)
+	cmd := *newPsCommand(dockerCLI)
 	cmd.Aliases = []string{"ps", "list"}
 	cmd.Use = "ls [OPTIONS]"
 	return &cmd
 }
 
-func buildContainerListOptions(options *psOptions) (*container.ListOptions, error) {
-	listOptions := &container.ListOptions{
+func buildContainerListOptions(options *psOptions) (client.ContainerListOptions, error) {
+	listOptions := client.ContainerListOptions{
 		All:     options.all,
 		Limit:   options.last,
 		Size:    options.size,
@@ -82,9 +82,9 @@ func buildContainerListOptions(options *psOptions) (*container.ListOptions, erro
 
 	// always validate template when `--format` is used, for consistency
 	if len(options.format) > 0 {
-		tmpl, err := templates.NewParse("", options.format)
+		tmpl, err := templates.Parse(options.format)
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to parse template")
+			return client.ContainerListOptions{}, fmt.Errorf("failed to parse template: %w", err)
 		}
 
 		optionsProcessor := formatter.NewContainerContext()
@@ -92,7 +92,7 @@ func buildContainerListOptions(options *psOptions) (*container.ListOptions, erro
 		// This shouldn't error out but swallowing the error makes it harder
 		// to track down if preProcessor issues come up.
 		if err := tmpl.Execute(io.Discard, optionsProcessor); err != nil {
-			return nil, errors.Wrap(err, "failed to execute template")
+			return client.ContainerListOptions{}, fmt.Errorf("failed to execute template: %w", err)
 		}
 
 		// if `size` was not explicitly set to false (with `--size=false`)
@@ -127,7 +127,7 @@ func runPs(ctx context.Context, dockerCLI command.Cli, options *psOptions) error
 		return err
 	}
 
-	containers, err := dockerCLI.Client().ContainerList(ctx, *listOptions)
+	res, err := dockerCLI.Client().ContainerList(ctx, listOptions)
 	if err != nil {
 		return err
 	}
@@ -137,5 +137,5 @@ func runPs(ctx context.Context, dockerCLI command.Cli, options *psOptions) error
 		Format: formatter.NewContainerFormat(options.format, options.quiet, listOptions.Size),
 		Trunc:  !options.noTrunc,
 	}
-	return formatter.ContainerWrite(containerCtx, containers)
+	return formatter.ContainerWrite(containerCtx, res.Items)
 }

cli/command/container/list_test.go

@@ -9,7 +9,8 @@ import (
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/builders"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types/container"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@@ -25,7 +26,7 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 		expectedAll     bool
 		expectedSize    bool
 		expectedLimit   int
-		expectedFilters map[string]string
+		expectedFilters client.Filters
 	}{
 		{
 			psOpts: &psOptions{
@@ -34,13 +35,10 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 				last:   5,
 				filter: filters,
 			},
-			expectedAll:   true,
-			expectedSize:  true,
-			expectedLimit: 5,
-			expectedFilters: map[string]string{
-				"foo": "bar",
-				"baz": "foo",
-			},
+			expectedAll:     true,
+			expectedSize:    true,
+			expectedLimit:   5,
+			expectedFilters: make(client.Filters).Add("foo", "bar").Add("baz", "foo"),
 		},
 		{
 			psOpts: &psOptions{
@@ -49,10 +47,9 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 				last:    -1,
 				nLatest: true,
 			},
-			expectedAll:     true,
-			expectedSize:    true,
-			expectedLimit:   1,
-			expectedFilters: make(map[string]string),
+			expectedAll:   true,
+			expectedSize:  true,
+			expectedLimit: 1,
 		},
 		{
 			psOpts: &psOptions{
@@ -63,13 +60,10 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 				// With .Size, size should be true
 				format: "{{.Size}}",
 			},
-			expectedAll:   true,
-			expectedSize:  true,
-			expectedLimit: 5,
-			expectedFilters: map[string]string{
-				"foo": "bar",
-				"baz": "foo",
-			},
+			expectedAll:     true,
+			expectedSize:    true,
+			expectedLimit:   5,
+			expectedFilters: make(client.Filters).Add("foo", "bar").Add("baz", "foo"),
 		},
 		{
 			psOpts: &psOptions{
@@ -80,13 +74,10 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 				// With .Size, size should be true
 				format: "{{.Size}} {{.CreatedAt}} {{upper .Networks}}",
 			},
-			expectedAll:   true,
-			expectedSize:  true,
-			expectedLimit: 5,
-			expectedFilters: map[string]string{
-				"foo": "bar",
-				"baz": "foo",
-			},
+			expectedAll:     true,
+			expectedSize:    true,
+			expectedLimit:   5,
+			expectedFilters: make(client.Filters).Add("foo", "bar").Add("baz", "foo"),
 		},
 		{
 			psOpts: &psOptions{
@@ -97,13 +88,10 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 				// Without .Size, size should be false
 				format: "{{.CreatedAt}} {{.Networks}}",
 			},
-			expectedAll:   true,
-			expectedSize:  false,
-			expectedLimit: 5,
-			expectedFilters: map[string]string{
-				"foo": "bar",
-				"baz": "foo",
-			},
+			expectedAll:     true,
+			expectedSize:    false,
+			expectedLimit:   5,
+			expectedFilters: make(client.Filters).Add("foo", "bar").Add("baz", "foo"),
 		},
 	}
 
@@ -114,21 +102,14 @@ func TestContainerListBuildContainerListOptions(t *testing.T) {
 		assert.Check(t, is.Equal(c.expectedAll, options.All))
 		assert.Check(t, is.Equal(c.expectedSize, options.Size))
 		assert.Check(t, is.Equal(c.expectedLimit, options.Limit))
-		assert.Check(t, is.Equal(len(c.expectedFilters), options.Filters.Len()))
-
-		for k, v := range c.expectedFilters {
-			f := options.Filters
-			if !f.ExactMatch(k, v) {
-				t.Fatalf("Expected filter with key %s to be %s but got %s", k, v, f.Get(k))
-			}
-		}
+		assert.Check(t, is.DeepEqual(c.expectedFilters, options.Filters))
 	}
 }
 
 func TestContainerListErrors(t *testing.T) {
 	testCases := []struct {
 		flags             map[string]string
-		containerListFunc func(container.ListOptions) ([]container.Summary, error)
+		containerListFunc func(client.ContainerListOptions) (client.ContainerListResult, error)
 		expectedError     string
 	}{
 		{
@@ -144,8 +125,8 @@ func TestContainerListErrors(t *testing.T) {
 			expectedError: `wrong number of args for join`,
 		},
 		{
-			containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-				return nil, errors.New("error listing containers")
+			containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+				return client.ContainerListResult{}, errors.New("error listing containers")
 			},
 			expectedError: "error listing containers",
 		},
@@ -168,13 +149,15 @@ func TestContainerListErrors(t *testing.T) {
 
 func TestContainerListWithoutFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1"),
-				*builders.Container("c2", builders.WithName("foo")),
-				*builders.Container("c3", builders.WithPort(80, 80, builders.TCP), builders.WithPort(81, 81, builders.TCP), builders.WithPort(82, 82, builders.TCP)),
-				*builders.Container("c4", builders.WithPort(81, 81, builders.UDP)),
-				*builders.Container("c5", builders.WithPort(82, 82, builders.IP("8.8.8.8"), builders.TCP)),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1"),
+					*builders.Container("c2", builders.WithName("foo")),
+					*builders.Container("c3", builders.WithPort(80, 80, builders.TCP), builders.WithPort(81, 81, builders.TCP), builders.WithPort(82, 82, builders.TCP)),
+					*builders.Container("c4", builders.WithPort(81, 81, builders.UDP)),
+					*builders.Container("c5", builders.WithPort(82, 82, builders.IP("8.8.8.8"), builders.TCP)),
+				},
 			}, nil
 		},
 	})
@@ -188,10 +171,12 @@ func TestContainerListWithoutFormat(t *testing.T) {
 
 func TestContainerListNoTrunc(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1"),
-				*builders.Container("c2", builders.WithName("foo/bar")),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1"),
+					*builders.Container("c2", builders.WithName("foo/bar")),
+				},
 			}, nil
 		},
 	})
@@ -207,10 +192,12 @@ func TestContainerListNoTrunc(t *testing.T) {
 // Test for GitHub issue docker/docker#21772
 func TestContainerListNamesMultipleTime(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1"),
-				*builders.Container("c2", builders.WithName("foo/bar")),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1"),
+					*builders.Container("c2", builders.WithName("foo/bar")),
+				},
 			}, nil
 		},
 	})
@@ -226,10 +213,12 @@ func TestContainerListNamesMultipleTime(t *testing.T) {
 // Test for GitHub issue docker/docker#30291
 func TestContainerListFormatTemplateWithArg(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1", builders.WithLabel("some.label", "value")),
-				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1", builders.WithLabel("some.label", "value")),
+					*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
+				},
 			}, nil
 		},
 	})
@@ -279,9 +268,9 @@ func TestContainerListFormatSizeSetsOption(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.doc, func(t *testing.T) {
 			cli := test.NewFakeCli(&fakeClient{
-				containerListFunc: func(options container.ListOptions) ([]container.Summary, error) {
+				containerListFunc: func(options client.ContainerListOptions) (client.ContainerListResult, error) {
 					assert.Check(t, is.Equal(options.Size, tc.sizeExpected))
-					return []container.Summary{}, nil
+					return client.ContainerListResult{}, nil
 				},
 			})
 			cmd := newListCommand(cli)
@@ -299,10 +288,12 @@ func TestContainerListFormatSizeSetsOption(t *testing.T) {
 
 func TestContainerListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1", builders.WithLabel("some.label", "value"), builders.WithSize(10700000)),
-				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar"), builders.WithSize(3200000)),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1", builders.WithLabel("some.label", "value"), builders.WithSize(10700000)),
+					*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar"), builders.WithSize(3200000)),
+				},
 			}, nil
 		},
 	})
@@ -319,10 +310,12 @@ func TestContainerListWithConfigFormat(t *testing.T) {
 
 func TestContainerListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(_ container.ListOptions) ([]container.Summary, error) {
-			return []container.Summary{
-				*builders.Container("c1", builders.WithLabel("some.label", "value")),
-				*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
+		containerListFunc: func(_ client.ContainerListOptions) (client.ContainerListResult, error) {
+			return client.ContainerListResult{
+				Items: []container.Summary{
+					*builders.Container("c1", builders.WithLabel("some.label", "value")),
+					*builders.Container("c2", builders.WithName("foo/bar"), builders.WithLabel("foo", "bar")),
+				},
 			}, nil
 		},
 	})

cli/command/container/logs.go

@@ -7,8 +7,8 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/client"
 	"github.com/spf13/cobra"
 )
 
@@ -23,8 +23,8 @@ type logsOptions struct {
 	container string
 }
 
-// NewLogsCommand creates a new cobra.Command for `docker logs`
-func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
+// newLogsCommand creates a new cobra.Command for "docker container logs"
+func newLogsCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts logsOptions
 
 	cmd := &cobra.Command{
@@ -33,12 +33,13 @@ func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.container = args[0]
-			return runLogs(cmd.Context(), dockerCli, &opts)
+			return runLogs(cmd.Context(), dockerCLI, &opts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container logs, docker logs",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, true),
+		ValidArgsFunction:     completion.ContainerNames(dockerCLI, true),
+		DisableFlagsInUseLine: true,
 	}
 
 	flags := cmd.Flags()
@@ -53,12 +54,12 @@ func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 func runLogs(ctx context.Context, dockerCli command.Cli, opts *logsOptions) error {
-	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
+	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container, client.ContainerInspectOptions{})
 	if err != nil {
 		return err
 	}
 
-	responseBody, err := dockerCli.Client().ContainerLogs(ctx, c.ID, container.LogsOptions{
+	resp, err := dockerCli.Client().ContainerLogs(ctx, c.Container.ID, client.ContainerLogsOptions{
 		ShowStdout: true,
 		ShowStderr: true,
 		Since:      opts.since,
@@ -71,12 +72,12 @@ func runLogs(ctx context.Context, dockerCli command.Cli, opts *logsOptions) erro
 	if err != nil {
 		return err
 	}
-	defer responseBody.Close()
+	defer func() { _ = resp.Close() }()
 
-	if c.Config.Tty {
-		_, err = io.Copy(dockerCli.Out(), responseBody)
+	if c.Container.Config.Tty {
+		_, err = io.Copy(dockerCli.Out(), resp)
 	} else {
-		_, err = stdcopy.StdCopy(dockerCli.Out(), dockerCli.Err(), responseBody)
+		_, err = stdcopy.StdCopy(dockerCli.Out(), dockerCli.Err(), resp)
 	}
 	return err
 }