Merge pull request #4126 from thaJeztah/23.0_backport_align_go_ver

[23.0 backport] Dockerfile: align go version

.github/workflows/build.yml

@@ -9,7 +9,7 @@ on:
   push:
     branches:
       - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
     tags:
       - 'v*'
   pull_request:

.github/workflows/e2e.yml

@@ -9,7 +9,7 @@ on:
   push:
     branches:
       - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
     tags:
       - 'v*'
   pull_request:

.github/workflows/test.yml

@@ -9,7 +9,7 @@ on:
   push:
     branches:
       - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
     tags:
       - 'v*'
   pull_request:

.github/workflows/validate.yml

@@ -9,7 +9,7 @@ on:
   push:
     branches:
       - 'master'
-      - '[0-9]+.[0-9]{2}'
+      - '[0-9]+.[0-9]+'
     tags:
       - 'v*'
   pull_request:

Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.7
 ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.1
 ARG GOVERSIONINFO_VERSION=v1.3.0
 ARG GOTESTSUM_VERSION=v1.8.2
-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 

cli/command/container/list.go

@@ -17,14 +17,15 @@ import (
 )
 
 type psOptions struct {
-	quiet   bool
-	size    bool
-	all     bool
-	noTrunc bool
-	nLatest bool
-	last    int
-	format  string
-	filter  opts.FilterOpt
+	quiet       bool
+	size        bool
+	sizeChanged bool
+	all         bool
+	noTrunc     bool
+	nLatest     bool
+	last        int
+	format      string
+	filter      opts.FilterOpt
 }
 
 // NewPsCommand creates a new cobra.Command for `docker ps`
@@ -36,6 +37,7 @@ func NewPsCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "List containers",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.sizeChanged = cmd.Flags().Changed("size")
 			return runPs(dockerCli, &options)
 		},
 		Annotations: map[string]string{
@@ -78,13 +80,8 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 		options.Limit = 1
 	}
 
-	if !opts.quiet && !options.Size && len(opts.format) > 0 {
-		// The --size option isn't set, but .Size may be used in the template.
-		// Parse and execute the given template to detect if the .Size field is
-		// used. If it is, then automatically enable the --size option. See #24696
-		//
-		// Only requesting container size information when needed is an optimization,
-		// because calculating the size is a costly operation.
+	// always validate template when `--format` is used, for consistency
+	if len(opts.format) > 0 {
 		tmpl, err := templates.NewParse("", opts.format)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to parse template")
@@ -98,8 +95,19 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 			return nil, errors.Wrap(err, "failed to execute template")
 		}
 
-		if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
-			options.Size = true
+		// if `size` was not explicitly set to false (with `--size=false`)
+		// and `--quiet` is not set, request size if the template requires it
+		if !opts.quiet && !options.Size && !opts.sizeChanged {
+			// The --size option isn't set, but .Size may be used in the template.
+			// Parse and execute the given template to detect if the .Size field is
+			// used. If it is, then automatically enable the --size option. See #24696
+			//
+			// Only requesting container size information when needed is an optimization,
+			// because calculating the size is a costly operation.
+
+			if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
+				options.Size = true
+			}
 		}
 	}
 

cli/command/container/list_test.go

@@ -231,15 +231,56 @@ func TestContainerListFormatTemplateWithArg(t *testing.T) {
 }
 
 func TestContainerListFormatSizeSetsOption(t *testing.T) {
-	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
-			assert.Check(t, options.Size)
-			return []types.Container{}, nil
+	tests := []struct {
+		doc, format, sizeFlag string
+		sizeExpected          bool
+	}{
+		{
+			doc:          "detect with all fields",
+			format:       `{{json .}}`,
+			sizeExpected: true,
 		},
-	})
-	cmd := newListCommand(cli)
-	cmd.Flags().Set("format", `{{.Size}}`)
-	assert.NilError(t, cmd.Execute())
+		{
+			doc:          "detect with explicit field",
+			format:       `{{.Size}}`,
+			sizeExpected: true,
+		},
+		{
+			doc:          "detect no size",
+			format:       `{{.Names}}`,
+			sizeExpected: false,
+		},
+		{
+			doc:          "override enable",
+			format:       `{{.Names}}`,
+			sizeFlag:     "true",
+			sizeExpected: true,
+		},
+		{
+			doc:          "override disable",
+			format:       `{{.Size}}`,
+			sizeFlag:     "false",
+			sizeExpected: false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
+					assert.Check(t, is.Equal(options.Size, tc.sizeExpected))
+					return []types.Container{}, nil
+				},
+			})
+			cmd := newListCommand(cli)
+			cmd.Flags().Set("format", tc.format)
+			if tc.sizeFlag != "" {
+				cmd.Flags().Set("size", tc.sizeFlag)
+			}
+			assert.NilError(t, cmd.Execute())
+		})
+	}
 }
 
 func TestContainerListWithConfigFormat(t *testing.T) {

cli/command/container/run.go

@@ -308,7 +308,8 @@ func runStartContainerErr(err error) error {
 		strings.Contains(trimmedErr, "no such file or directory") ||
 		strings.Contains(trimmedErr, "system cannot find the file specified") {
 		statusError = cli.StatusError{StatusCode: 127}
-	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) {
+	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) ||
+		strings.Contains(trimmedErr, syscall.EISDIR.Error()) {
 		statusError = cli.StatusError{StatusCode: 126}
 	}
 

cli/command/formatter/image.go

@@ -27,6 +27,9 @@ type ImageContext struct {
 }
 
 func isDangling(image types.ImageSummary) bool {
+	if len(image.RepoTags) == 0 && len(image.RepoDigests) == 0 {
+		return true
+	}
 	return len(image.RepoTags) == 1 && image.RepoTags[0] == "<none>:<none>" && len(image.RepoDigests) == 1 && image.RepoDigests[0] == "<none>@<none>"
 }
 

cli/command/image/client_test.go

@@ -91,7 +91,7 @@ func (cli *fakeClient) ImageList(ctx context.Context, options types.ImageListOpt
 	if cli.imageListFunc != nil {
 		return cli.imageListFunc(options)
 	}
-	return []types.ImageSummary{{}}, nil
+	return []types.ImageSummary{}, nil
 }
 
 func (cli *fakeClient) ImageInspectWithRaw(_ context.Context, image string) (types.ImageInspect, []byte, error) {

cli/command/image/list_test.go

@@ -30,7 +30,7 @@ func TestNewImagesCommandErrors(t *testing.T) {
 			name:          "failed-list",
 			expectedError: "something went wrong",
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
-				return []types.ImageSummary{{}}, errors.Errorf("something went wrong")
+				return []types.ImageSummary{}, errors.Errorf("something went wrong")
 			},
 		},
 	}
@@ -66,7 +66,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"image"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("image", options.Filters.Get("reference")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 		{
@@ -74,7 +74,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"--filter", "name=value"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("value", options.Filters.Get("name")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 	}

cli/command/registry.go

@@ -21,8 +21,9 @@ import (
 	"github.com/pkg/errors"
 )
 
-// ElectAuthServer returns the default registry to use
-// Deprecated: use registry.IndexServer instead
+// ElectAuthServer returns the default registry to use.
+//
+// Deprecated: use [registry.IndexServer] instead.
 func ElectAuthServer(_ context.Context, _ Cli) string {
 	return registry.IndexServer
 }

cli/command/registry_test.go

@@ -6,16 +6,13 @@ import (
 	"fmt"
 	"testing"
 
-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-
-	// Prevents a circular import with "github.com/docker/cli/internal/test"
-
-	. "github.com/docker/cli/cli/command"
+	. "github.com/docker/cli/cli/command" // Prevents a circular import with "github.com/docker/cli/internal/test"
 	configtypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 type fakeClient struct {

cli/command/stack/loader/loader.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
 	"strings"
 
@@ -104,9 +105,22 @@ func GetConfigDetails(composefiles []string, stdin io.Reader) (composetypes.Conf
 func buildEnvironment(env []string) (map[string]string, error) {
 	result := make(map[string]string, len(env))
 	for _, s := range env {
+		if runtime.GOOS == "windows" && len(s) > 0 {
+			// cmd.exe can have special environment variables which names start with "=".
+			// They are only there for MS-DOS compatibility and we should ignore them.
+			// See TestBuildEnvironment for examples.
+			//
+			// https://ss64.com/nt/syntax-variables.html
+			// https://devblogs.microsoft.com/oldnewthing/20100506-00/?p=14133
+			// https://github.com/docker/cli/issues/4078
+			if s[0] == '=' {
+				continue
+			}
+		}
+
 		k, v, ok := strings.Cut(s, "=")
 		if !ok || k == "" {
-			return result, errors.Errorf("unexpected environment %q", s)
+			return result, errors.Errorf("unexpected environment variable '%s'", s)
 		}
 		// value may be set, but empty if "s" is like "K=", not "K".
 		result[k] = v

cli/command/stack/loader/loader_test.go

@@ -3,6 +3,7 @@ package loader
 import (
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -45,3 +46,34 @@ services:
 	assert.Check(t, is.Equal("3.0", details.ConfigFiles[0].Config["version"]))
 	assert.Check(t, is.Len(details.Environment, len(os.Environ())))
 }
+
+func TestBuildEnvironment(t *testing.T) {
+	inputEnv := []string{
+		"LEGIT_VAR=LEGIT_VALUE",
+		"EMPTY_VARIABLE=",
+	}
+
+	if runtime.GOOS == "windows" {
+		inputEnv = []string{
+			"LEGIT_VAR=LEGIT_VALUE",
+
+			// cmd.exe has some special environment variables which start with "=".
+			// These should be ignored as they're only there for MS-DOS compatibility.
+			"=ExitCode=00000041",
+			"=ExitCodeAscii=A",
+			`=C:=C:\some\dir`,
+			`=D:=D:\some\different\dir`,
+			`=X:=X:\`,
+			`=::=::\`,
+
+			"EMPTY_VARIABLE=",
+		}
+	}
+
+	env, err := buildEnvironment(inputEnv)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Len(env, 2))
+	assert.Check(t, is.Equal("LEGIT_VALUE", env["LEGIT_VAR"]))
+	assert.Check(t, is.Equal("", env["EMPTY_VARIABLE"]))
+}

cli/context/store/metadatastore.go

@@ -2,12 +2,14 @@ package store
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"reflect"
 	"sort"
 
 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/fvbommel/sortorder"
 	"github.com/pkg/errors"
 )
@@ -35,7 +37,7 @@ func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
+	return ioutils.AtomicWriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
 }
 
 func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
@@ -65,7 +67,8 @@ func (s *metadataStore) get(name string) (Metadata, error) {
 }
 
 func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
-	bytes, err := os.ReadFile(filepath.Join(s.contextDir(id), metaFile))
+	fileName := filepath.Join(s.contextDir(id), metaFile)
+	bytes, err := os.ReadFile(fileName)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return Metadata{}, errdefs.NotFound(errors.Wrap(err, "context not found"))
@@ -77,15 +80,15 @@ func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
 		Endpoints: make(map[string]interface{}),
 	}
 	if err := json.Unmarshal(bytes, &untyped); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	r.Name = untyped.Name
 	if r.Metadata, err = parseTypedOrMap(untyped.Metadata, s.config.contextType); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	for k, v := range untyped.Endpoints {
 		if r.Endpoints[k], err = parseTypedOrMap(v, s.config.endpointTypes[k]); err != nil {
-			return Metadata{}, err
+			return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 		}
 	}
 	return r, err

cli/context/store/store_test.go

@@ -7,9 +7,11 @@ import (
 	"bytes"
 	"crypto/rand"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/docker/docker/errdefs"
@@ -230,3 +232,28 @@ func TestImportZipInvalid(t *testing.T) {
 	err = Import("zipInvalid", s, r)
 	assert.ErrorContains(t, err, "unexpected context file")
 }
+
+func TestCorruptMetadata(t *testing.T) {
+	tempDir := t.TempDir()
+	s := New(tempDir, testCfg)
+	err := s.CreateOrUpdate(
+		Metadata{
+			Endpoints: map[string]interface{}{
+				"ep1": endpoint{Foo: "bar"},
+			},
+			Metadata: context{Bar: "baz"},
+			Name:     "source",
+		})
+	assert.NilError(t, err)
+
+	// Simulate the meta.json file getting corrupted
+	// by some external process.
+	contextDir := s.meta.contextDir(contextdirOf("source"))
+	contextFile := filepath.Join(contextDir, metaFile)
+	err = os.WriteFile(contextFile, nil, 0o600)
+	assert.NilError(t, err)
+
+	// Assert that the error message gives the user some clue where to look.
+	_, err = s.GetMetadata("source")
+	assert.ErrorContains(t, err, fmt.Sprintf("parsing %s: unexpected end of JSON input", contextFile))
+}

cli/context/store/tlsstore.go

@@ -5,6 +5,7 @@ import (
 	"path/filepath"
 
 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/pkg/errors"
 )
 
@@ -31,7 +32,7 @@ func (s *tlsStore) createOrUpdate(name, endpointName, filename string, data []by
 	if err := os.MkdirAll(endpointDir, 0o700); err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(endpointDir, filename), data, 0o600)
+	return ioutils.AtomicWriteFile(filepath.Join(endpointDir, filename), data, 0o600)
 }
 
 func (s *tlsStore) getData(name, endpointName, filename string) ([]byte, error) {

contrib/completion/bash/docker

@@ -1142,6 +1142,29 @@ __docker_complete_user_group() {
 	fi
 }
 
+DOCKER_PLUGINS_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+
+__docker_complete_plugin() {
+	local path=$1
+	local completionCommand="__completeNoDesc"
+	local resultArray=($path $completionCommand)
+	for value in "${words[@]:2}"; do
+		if [ -z "$value" ]; then
+			resultArray+=( "''" )
+		else
+			resultArray+=( "$value" )
+		fi
+	done
+	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
+
+	# if result empty, just use filename completion as fallback
+	if [ -z "$result" ]; then
+		_filedir
+	else
+		COMPREPLY=( $(compgen -W "${result}" -- "${current-}") )
+	fi
+}
+
 _docker_docker() {
 	# global options that may appear after the docker command
 	local boolean_options="
@@ -5395,23 +5418,6 @@ _docker_wait() {
 	_docker_container_wait
 }
 
-COMPOSE_PLUGIN_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{if eq .Name "compose"}}{{.Path}}{{end}}{{end}}')
-
-_docker_compose() {
-	local completionCommand="__completeNoDesc"
-	local resultArray=($COMPOSE_PLUGIN_PATH $completionCommand compose)
-	for value in "${words[@]:2}"; do
-		if [ -z "$value" ]; then
-			resultArray+=( "''" )
-		else
-			resultArray+=( "$value" )
-		fi
-	done
-	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
-
-	COMPREPLY=( $(compgen -W "${result}" -- "$current") )
-}
-
 _docker() {
 	local previous_extglob_setting=$(shopt -p extglob)
 	shopt -s extglob
@@ -5481,11 +5487,16 @@ _docker() {
 		wait
 	)
 
+	# Create completion functions for all registered plugins
 	local known_plugin_commands=()
-
-	if [ -f "$COMPOSE_PLUGIN_PATH" ] ; then
-		known_plugin_commands+=("compose")
-	fi
+	local plugin_name=""
+	for plugin_path in ${DOCKER_PLUGINS_PATH//:/ }; do
+		plugin_name=$(basename "$plugin_path" | sed 's/ *$//')
+		plugin_name=${plugin_name#docker-}
+		plugin_name=${plugin_name%%.*}
+		eval "_docker_${plugin_name}() { __docker_complete_plugin \"${plugin_path}\"; }"
+		known_plugin_commands+=(${plugin_name})
+	done
 
 	local experimental_server_commands=(
 		checkpoint

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.19.5"
+    default = "1.19.7"
 }
 variable "VERSION" {
     default = ""
@@ -52,7 +52,7 @@ target "binary" {
     platforms = ["local"]
     output = ["build"]
     args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
         VERSION = VERSION
         PACKAGER_NAME = PACKAGER_NAME
         GO_STRIP = STRIP_TARGET
@@ -72,7 +72,7 @@ target "plugins" {
     platforms = ["local"]
     output = ["build"]
     args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
         VERSION = VERSION
         GO_STRIP = STRIP_TARGET
     }
@@ -155,7 +155,13 @@ target "e2e-image" {
     output = ["type=docker"]
     tags = ["${IMAGE_NAME}"]
     args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
         VERSION = VERSION
     }
 }
+
+target "e2e-gencerts" {
+    inherits = ["_common"]
+    dockerfile = "./e2e/testdata/Dockerfile.gencerts"
+    output = ["./e2e/testdata"]
+}

dockerfiles/Dockerfile.dev

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.7
 ARG ALPINE_VERSION=3.16
 
-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang

dockerfiles/Dockerfile.lint

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.7
 ARG ALPINE_VERSION=3.16
 ARG GOLANGCI_LINT_VERSION=v1.49.0
 

dockerfiles/Dockerfile.vendor

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.4
+ARG GO_VERSION=1.19.7
 ARG ALPINE_VERSION=3.16
 ARG MODOUTDATED_VERSION=v0.8.0
 

docs/deprecated.md

@@ -50,6 +50,7 @@ The table below provides an overview of the current status of deprecated feature
 
 | Status     | Feature                                                                                                                            | Deprecated | Remove  |
 |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|---------|
+| Deprecated | [Buildkit build information](#buildkit-build-information)                                                                          | v23.0.0    | v23.1.0 |
 | Deprecated | [Legacy builder for Linux images](#legacy-builder-for-linux-images)                                                                | v23.0.0    | -       |
 | Deprecated | [Legacy builder fallback](#legacy-builder-fallback)                                                                                | v23.0.0    | -       |
 | Removed    | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | v23.0.0 |
@@ -104,6 +105,17 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13   |
 | Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12   |
 
+### Buildkit build information
+
+**Deprecated in Release: v23.0.0**
+
+[Build information](https://github.com/moby/buildkit/blob/v0.11/docs/buildinfo.md)
+structures have been introduced in [BuildKit v0.10.0](https://github.com/moby/buildkit/releases/tag/v0.10.0)
+and are generated with build metadata that allows you to see all the sources
+(images, git repositories) that were used by the build with their exact
+versions and also the configuration that was passed to the build. This
+information is also embedded into the image configuration if one is generated.
+
 ### Legacy builder for Linux images
 
 **Deprecated in Release: v23.0.0**

docs/reference/commandline/dockerd.md

@@ -295,57 +295,11 @@ $ docker -H tcp://127.0.0.1:2375 pull ubuntu
 On Linux, the Docker daemon has support for several different image layer storage
 drivers: `aufs`, `devicemapper`, `btrfs`, `zfs`, `overlay`, `overlay2`, and `fuse-overlayfs`.
 
-The `aufs` driver is the oldest, but is based on a Linux kernel patch-set that
-is unlikely to be merged into the main kernel. These are also known to cause
-some serious kernel crashes. However `aufs` allows containers to share
-executable and shared library memory, so is a useful choice when running
-thousands of containers with the same program or libraries.
+`overlay2` is the preferred storage driver for all currently supported Linux distributions,
+and is selected by default. Unless users have a strong reason to prefer another storage driver,
+`overlay2` should be used.
 
-The `devicemapper` driver uses thin provisioning and Copy on Write (CoW)
-snapshots. For each devicemapper graph location – typically
-`/var/lib/docker/devicemapper` – a thin pool is created based on two block
-devices, one for data and one for metadata. By default, these block devices
-are created automatically by using loopback mounts of automatically created
-sparse files. Refer to [Devicemapper options](#devicemapper-options) below
-for a way how to customize this setup.
-[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
-article explains how to tune your existing setup without the use of options.
-
-The `btrfs` driver is very fast for `docker build` - but like `devicemapper`
-does not share executable memory between devices. Use
-`dockerd --storage-driver btrfs --data-root /mnt/btrfs_partition`.
-
-The `zfs` driver is probably not as fast as `btrfs` but has a longer track record
-on stability. Thanks to `Single Copy ARC` shared blocks between clones will be
-cached only once. Use `dockerd -s zfs`. To select a different zfs filesystem
-set `zfs.fsname` option as described in [ZFS options](#zfs-options).
-
-The `overlay` is a very fast union filesystem. It is now merged in the main
-Linux kernel as of [3.18.0](https://lkml.org/lkml/2014/10/26/137). `overlay`
-also supports page cache sharing, this means multiple containers accessing
-the same file can share a single page cache entry (or entries), it makes
-`overlay` as efficient with memory as `aufs` driver. Call `dockerd -s overlay`
-to use it.
-
-The `overlay2` uses the same fast union filesystem but takes advantage of
-[additional features](https://lkml.org/lkml/2015/2/11/106) added in Linux
-kernel 4.0 to avoid excessive inode consumption. Call `dockerd -s overlay2`
-to use it.
-
-> **Note**
->
-> The `overlay` storage driver can cause excessive inode consumption (especially
-> as the number of images grows). We recommend using the `overlay2` storage
-> driver instead.
-
-
-> **Note**
->
-> Both `overlay` and `overlay2` are currently unsupported on `btrfs`
-> or any Copy on Write filesystem and should only be used over `ext4` partitions.
-
-The `fuse-overlayfs` driver is similar to `overlay2` but works in userspace.
-The `fuse-overlayfs` driver is expected to be used for [Rootless mode](https://docs.docker.com/engine/security/rootless/).
+You can find out more about storage drivers and how to select one in [Select a storage driver](https://docs.docker.com/storage/storagedriver/select-storage-driver/).
 
 On Windows, the Docker daemon only supports the `windowsfilter` storage driver.
 

docs/reference/commandline/stats.md

@@ -95,16 +95,16 @@ $ docker stats nginx --no-stream --format "{{ json . }}"
 Running `docker stats` with customized format on all (Running and Stopped) containers.
 
 ```console
-$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 drunk_visvesvaraya big_heisenberg
+$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 humble_visvesvaraya big_heisenberg
 
 CONTAINER                CPU %               MEM USAGE / LIMIT
 fervent_panini           0.00%               56KiB / 15.57GiB
 5acfcb1b4fd1             0.07%               32.86MiB / 15.57GiB
-drunk_visvesvaraya       0.00%               0B / 0B
+humble_visvesvaraya      0.00%               0B / 0B
 big_heisenberg           0.00%               0B / 0B
 ```
 
-`drunk_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
+`humble_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
 
 Running `docker stats` on all running containers against a Windows daemon.
 

e2e/testdata/Dockerfile.gencerts

@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.19.7
+
+FROM golang:${GO_VERSION}-alpine AS generated
+RUN go install github.com/dmcgowan/quicktls@master
+WORKDIR /tmp/gencerts/notary
+RUN --mount=type=bind,source=e2e/testdata/notary,target=/tmp/gencerts/notary,rw <<EOT
+  set -eu
+  mkdir -p ../notary-evil /out
+  quicktls -exp 87600h -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
+  cat ca.pem >> notary-server.cert
+  mv ca.pem root-ca.cert
+  cp notary-server.cert notary-server.key root-ca.cert ../notary-evil
+  cp -r /tmp/gencerts/notary* /out/
+EOT
+
+FROM scratch
+COPY --from=generated /out /

e2e/testdata/gen-certs.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-# This script is used to generate the test-certificates in the notary-server and
-# evil-notary-server directories. Run this script to update the certificates if
-# they expire.
-GO111MODULE=off go get -u github.com/dmcgowan/quicktls
-cd notary
-quicktls -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
-cat ca.pem >> notary-server.cert
-mv ca.pem root-ca.cert
-cp notary-server.cert notary-server.key root-ca.cert ../notary-evil/

e2e/testdata/notary-evil/notary-server.cert

@@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----

e2e/testdata/notary-evil/notary-server.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----

e2e/testdata/notary-evil/root-ca.cert

@@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----

e2e/testdata/notary/notary-server.cert

@@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----

e2e/testdata/notary/notary-server.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----

e2e/testdata/notary/root-ca.cert

@@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----

opts/throttledevice.go

@@ -31,7 +31,7 @@ func ValidateThrottleBpsDevice(val string) (*blkiodev.ThrottleDevice, error) {
 	}
 
 	return &blkiodev.ThrottleDevice{
-		Path: v,
+		Path: k,
 		Rate: uint64(rate),
 	}, nil
 }

vendor.mod

@@ -7,10 +7,10 @@ module github.com/docker/cli
 go 1.18
 
 require (
-	github.com/containerd/containerd v1.6.15
+	github.com/containerd/containerd v1.6.16
 	github.com/creack/pty v1.1.11
 	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.0-rc.3+incompatible
+	github.com/docker/docker v23.0.0+incompatible
 	github.com/docker/docker-credential-helpers v0.7.0
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-units v0.5.0

vendor.sum

@@ -84,8 +84,8 @@ github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.15 h1:4wWexxzLNHNE46aIETc6ge4TofO550v+BlLoANrbses=
-github.com/containerd/containerd v1.6.15/go.mod h1:U2NnBPIhzJDm59xF7xB2MMHnKtggpZ+phKg8o2TKj2c=
+github.com/containerd/containerd v1.6.16 h1:0H5xH6ABsN7XTrxIAKxFpBkFCBtrZ/OSORhCpUnHjrc=
+github.com/containerd/containerd v1.6.16/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -101,8 +101,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.0-rc.3+incompatible h1:97RCXK7nxN1YPlqb3z0+AoTE3rql4ck1CG5p9tlRD2o=
-github.com/docker/docker v23.0.0-rc.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.0+incompatible h1:L6c28tNyqZ4/ub9AZC9d5QUuunoHHfEH4/Ue+h/E5nE=
+github.com/docker/docker v23.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=

vendor/github.com/docker/docker/client/container_wait.go

@@ -1,14 +1,19 @@
 package client // import "github.com/docker/docker/client"
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
+	"io"
 	"net/url"
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/versions"
 )
 
+const containerWaitErrorMsgLimit = 2 * 1024 /* Max: 2KiB */
+
 // ContainerWait waits until the specified container is in a certain state
 // indicated by the given condition, either "not-running" (default),
 // "next-exit", or "removed".
@@ -46,9 +51,23 @@ func (cli *Client) ContainerWait(ctx context.Context, containerID string, condit
 
 	go func() {
 		defer ensureReaderClosed(resp)
+
+		body := resp.body
+		responseText := bytes.NewBuffer(nil)
+		stream := io.TeeReader(body, responseText)
+
 		var res container.WaitResponse
-		if err := json.NewDecoder(resp.body).Decode(&res); err != nil {
-			errC <- err
+		if err := json.NewDecoder(stream).Decode(&res); err != nil {
+			// NOTE(nicks): The /wait API does not work well with HTTP proxies.
+			// At any time, the proxy could cut off the response stream.
+			//
+			// But because the HTTP status has already been written, the proxy's
+			// only option is to write a plaintext error message.
+			//
+			// If there's a JSON parsing error, read the real error message
+			// off the body and send it to the client.
+			_, _ = io.ReadAll(io.LimitReader(stream, containerWaitErrorMsgLimit))
+			errC <- errors.New(responseText.String())
 			return
 		}
 

vendor/modules.txt

@@ -12,7 +12,7 @@ github.com/beorn7/perks/quantile
 # github.com/cespare/xxhash/v2 v2.1.2
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/containerd/containerd v1.6.15
+# github.com/containerd/containerd v1.6.16
 ## explicit; go 1.17
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
@@ -40,7 +40,7 @@ github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
 github.com/docker/distribution/uuid
-# github.com/docker/docker v23.0.0-rc.3+incompatible
+# github.com/docker/docker v23.0.0+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types