Merge pull request #4629 from thaJeztah/24.0_update_engine

[24.0] vendor: github.com/docker/docker v24.0.6

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Create matrix
         id: platforms
@@ -50,7 +50,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       -
@@ -93,7 +93,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Create matrix
         id: platforms
@@ -115,7 +115,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2

.github/workflows/codeql-analysis.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2
       -

.github/workflows/e2e.yml

@@ -36,7 +36,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Update daemon.json
         run: |

.github/workflows/test.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
@@ -56,14 +56,14 @@ jobs:
           git config --system core.eol lf
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: ${{ env.GOPATH }}/src/github.com/docker/cli
       -
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.20.4
+          go-version: 1.20.10
       -
         name: Test
         run: |

.github/workflows/validate.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Run
         uses: docker/bake-action@v3
@@ -41,7 +41,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Generate
         shell: 'script --return --quiet --command "bash {0}"'
@@ -67,7 +67,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       -
         name: Run
         shell: 'script --return --quiet --command "bash {0}"'

.golangci.yml

@@ -32,12 +32,11 @@ run:
 
 linters-settings:
   depguard:
-    list-type: blacklist
-    include-go-root: true
-    packages:
-      # The io/ioutil package has been deprecated.
-      # https://go.dev/doc/go1.16#ioutil
-      - io/ioutil
+    rules:
+      main:
+        deny:
+          - pkg: io/ioutil
+            desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil
   gocyclo:
     min-complexity: 16
   govet:
@@ -117,7 +116,10 @@ issues:
     - text: "package-comments: should have a package comment"
       linters:
         - revive
-
+    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
+    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
+      linters:
+        - staticcheck
     # Exclude some linters from running on tests files.
     - path: _test\.go
       linters:

CONTRIBUTING.md

@@ -192,7 +192,7 @@ For more details, see the [MAINTAINERS](MAINTAINERS) page.
 The sign-off is a simple line at the end of the explanation for the patch. Your
 signature certifies that you wrote the patch or otherwise have the right to pass
 it on as an open-source patch. The rules are pretty simple: if you can certify
-the below (from [developercertificate.org](http://developercertificate.org/)):
+the below (from [developercertificate.org](https://developercertificate.org):
 
 ```
 Developer Certificate of Origin
@@ -336,9 +336,8 @@ The rules:
 1. All code should be formatted with `gofumpt` (preferred) or `gofmt -s`.
 2. All code should pass the default levels of
    [`golint`](https://github.com/golang/lint).
-3. All code should follow the guidelines covered in [Effective
-   Go](http://golang.org/doc/effective_go.html) and [Go Code Review
-   Comments](https://github.com/golang/go/wiki/CodeReviewComments).
+3. All code should follow the guidelines covered in [Effective Go](https://go.dev/doc/effective_go)
+   and [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments).
 4. Comment the code. Tell us the why, the history and the context.
 5. Document _all_ declarations and methods, even private ones. Declare
    expectations, caveats and anything else that may be important. If a type
@@ -360,6 +359,6 @@ The rules:
     guidelines. Since you've read all the rules, you now know that.
 
 If you are having trouble getting into the mood of idiomatic Go, we recommend
-reading through [Effective Go](https://golang.org/doc/effective_go.html). The
-[Go Blog](https://blog.golang.org) is also a great resource. Drinking the
+reading through [Effective Go](https://go.dev/doc/effective_go). The
+[Go Blog](https://go.dev/blog/) is also a great resource. Drinking the
 kool-aid is a lot easier than going thirsty.

Dockerfile

@@ -1,17 +1,19 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.20.4
-ARG ALPINE_VERSION=3.16
-ARG XX_VERSION=1.1.1
+ARG GO_VERSION=1.20.10
+ARG ALPINE_VERSION=3.17
+ARG XX_VERSION=1.2.1
 ARG GOVERSIONINFO_VERSION=v1.3.0
-ARG GOTESTSUM_VERSION=v1.8.2
-ARG BUILDX_VERSION=0.10.4
+ARG GOTESTSUM_VERSION=v1.10.0
+ARG BUILDX_VERSION=0.11.2
+ARG COMPOSE_VERSION=v2.22.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
-COPY --from=xx / /
+ENV GOTOOLCHAIN=local
+COPY --link --from=xx / /
 RUN apk add --no-cache bash clang lld llvm file git
 WORKDIR /go/src/github.com/docker/cli
 
@@ -21,7 +23,8 @@ ARG TARGETPLATFORM
 RUN xx-apk add --no-cache musl-dev gcc
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bullseye AS build-base-bullseye
-COPY --from=xx / /
+ENV GOTOOLCHAIN=local
+COPY --link --from=xx / /
 RUN apt-get update && apt-get install --no-install-recommends -y bash clang lld llvm file
 WORKDIR /go/src/github.com/docker/cli
 
@@ -40,13 +43,13 @@ FROM build-base-${BASE_VARIANT} AS goversioninfo
 ARG GOVERSIONINFO_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOBIN=/out GO111MODULE=on go install "github.com/josephspurrier/goversioninfo/cmd/goversioninfo@${GOVERSIONINFO_VERSION}"
+    GOBIN=/out GO111MODULE=on CGO_ENABLED=0 go install "github.com/josephspurrier/goversioninfo/cmd/goversioninfo@${GOVERSIONINFO_VERSION}"
 
 FROM build-base-${BASE_VARIANT} AS gotestsum
 ARG GOTESTSUM_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOBIN=/out GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
+    GOBIN=/out GO111MODULE=on CGO_ENABLED=0 go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
     && /out/gotestsum --version
 
 FROM build-${BASE_VARIANT} AS build
@@ -62,7 +65,7 @@ ARG CGO_ENABLED
 ARG VERSION
 # PACKAGER_NAME sets the company that produced the windows binary
 ARG PACKAGER_NAME
-COPY --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
+COPY --link --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
 # in bullseye arm64 target does not link with lld so configure it to use ld instead
 RUN [ ! -f /etc/alpine-release ] && xx-info is-cross && [ "$(xx-info arch)" = "arm64" ] && XX_CC_PREFER_LINKER=ld xx-clang --setup-target-triple || true
 RUN --mount=type=bind,target=.,ro \
@@ -76,7 +79,7 @@ RUN --mount=type=bind,target=.,ro \
     xx-verify $([ "$GO_LINKMODE" = "static" ] && echo "--static") /out/docker
 
 FROM build-${BASE_VARIANT} AS test
-COPY --from=gotestsum /out/gotestsum /usr/bin/gotestsum
+COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
 ENV GO111MODULE=auto
 RUN --mount=type=bind,target=.,rw \
     --mount=type=cache,target=/root/.cache \
@@ -98,32 +101,31 @@ RUN --mount=ro --mount=type=cache,target=/root/.cache \
     TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*
 
 FROM build-base-alpine AS e2e-base-alpine
-RUN apk add --no-cache build-base curl docker-compose openssl openssh-client
+RUN apk add --no-cache build-base curl openssl openssh-client
 
 FROM build-base-bullseye AS e2e-base-bullseye
 RUN apt-get update && apt-get install -y build-essential curl openssl openssh-client
-ARG COMPOSE_VERSION=1.29.2
-RUN curl -fsSL https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose && \
-    chmod +x /usr/local/bin/docker-compose
 
-FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
+FROM docker/buildx-bin:${BUILDX_VERSION}   AS buildx
+FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
 
 FROM e2e-base-${BASE_VARIANT} AS e2e
 ARG NOTARY_VERSION=v0.6.1
 ADD --chmod=0755 https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 /usr/local/bin/notary
-COPY e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
+COPY --link e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
 RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
-COPY --from=gotestsum /out/gotestsum /usr/bin/gotestsum
-COPY --from=build /out ./build/
-COPY --from=build-plugins /out ./build/
-COPY --from=buildx /buildx /usr/libexec/docker/cli-plugins/docker-buildx
-COPY . .
+COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
+COPY --link --from=build /out ./build/
+COPY --link --from=build-plugins /out ./build/
+COPY --link --from=buildx  /buildx         /usr/libexec/docker/cli-plugins/docker-buildx
+COPY --link --from=compose /docker-compose /usr/libexec/docker/cli-plugins/docker-compose
+COPY --link . .
 ENV DOCKER_BUILDKIT=1
 ENV PATH=/go/src/github.com/docker/cli/build:$PATH
 CMD ./scripts/test/e2e/entry
 
 FROM build-base-${BASE_VARIANT} AS dev
-COPY . .
+COPY --link . .
 
 FROM scratch AS plugins
 COPY --from=build-plugins /out .

cli-plugins/manager/metadata.go

@@ -23,6 +23,7 @@ type Metadata struct {
 	// URL is a pointer to the plugin's homepage.
 	URL string `json:",omitempty"`
 	// Experimental specifies whether the plugin is experimental.
+	//
 	// Deprecated: experimental features are now always enabled in the CLI
 	Experimental bool `json:",omitempty"`
 }

cli/command/cli.go

@@ -8,7 +8,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -327,13 +326,8 @@ func (cli *DockerCli) getInitTimeout() time.Duration {
 
 func (cli *DockerCli) initializeFromClient() {
 	ctx := context.Background()
-	if !strings.HasPrefix(cli.dockerEndpoint.Host, "ssh://") {
-		// @FIXME context.WithTimeout doesn't work with connhelper / ssh connections
-		// time="2020-04-10T10:16:26Z" level=warning msg="commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
-		var cancel func()
-		ctx, cancel = context.WithTimeout(ctx, cli.getInitTimeout())
-		defer cancel()
-	}
+	ctx, cancel := context.WithTimeout(ctx, cli.getInitTimeout())
+	defer cancel()
 
 	ping, err := cli.client.Ping(ctx)
 	if err != nil {
@@ -381,7 +375,7 @@ func (cli *DockerCli) ContextStore() store.Store {
 // the "default" context is used if:
 //
 //   - The "--host" option is set
-//   - The "DOCKER_HOST" ([DefaultContextName]) environment variable is set
+//   - The "DOCKER_HOST" ([client.EnvOverrideHost]) environment variable is set
 //     to a non-empty value.
 //
 // In these cases, the default context is used, which uses the host as

cli/command/container/opts.go

@@ -354,7 +354,10 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	volumes := copts.volumes.GetMap()
 	// add any bind targets to the list of container volumes
 	for bind := range copts.volumes.GetMap() {
-		parsed, _ := loader.ParseVolume(bind)
+		parsed, err := loader.ParseVolume(bind)
+		if err != nil {
+			return nil, err
+		}
 
 		if parsed.Source != "" {
 			toBind := bind

cli/command/context/use_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/docker/cli/cli/command"
@@ -13,7 +14,6 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/flags"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/homedir"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -57,7 +57,11 @@ func TestUseDefaultWithoutConfigFile(t *testing.T) {
 	// the _default_ configuration file. If we specify a custom configuration
 	// file, the CLI produces an error if the file doesn't exist.
 	tmpHomeDir := t.TempDir()
-	t.Setenv(homedir.Key(), tmpHomeDir)
+	if runtime.GOOS == "windows" {
+		t.Setenv("USERPROFILE", tmpHomeDir)
+	} else {
+		t.Setenv("HOME", tmpHomeDir)
+	}
 	configDir := filepath.Join(tmpHomeDir, ".docker")
 	configFilePath := filepath.Join(configDir, "config.json")
 

cli/command/events_utils.go

@@ -3,28 +3,28 @@ package command
 import (
 	"sync"
 
-	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/events"
 	"github.com/sirupsen/logrus"
 )
 
 // EventHandler is abstract interface for user to customize
 // own handle functions of each type of events
 type EventHandler interface {
-	Handle(action string, h func(eventtypes.Message))
-	Watch(c <-chan eventtypes.Message)
+	Handle(action string, h func(events.Message))
+	Watch(c <-chan events.Message)
 }
 
 // InitEventHandler initializes and returns an EventHandler
 func InitEventHandler() EventHandler {
-	return &eventHandler{handlers: make(map[string]func(eventtypes.Message))}
+	return &eventHandler{handlers: make(map[string]func(events.Message))}
 }
 
 type eventHandler struct {
-	handlers map[string]func(eventtypes.Message)
+	handlers map[string]func(events.Message)
 	mu       sync.Mutex
 }
 
-func (w *eventHandler) Handle(action string, h func(eventtypes.Message)) {
+func (w *eventHandler) Handle(action string, h func(events.Message)) {
 	w.mu.Lock()
 	w.handlers[action] = h
 	w.mu.Unlock()
@@ -33,7 +33,7 @@ func (w *eventHandler) Handle(action string, h func(eventtypes.Message)) {
 // Watch ranges over the passed in event chan and processes the events based on the
 // handlers created for a given action.
 // To stop watching, close the event chan.
-func (w *eventHandler) Watch(c <-chan eventtypes.Message) {
+func (w *eventHandler) Watch(c <-chan events.Message) {
 	for e := range c {
 		w.mu.Lock()
 		h, exists := w.handlers[e.Action]

cli/command/image/build.go

@@ -128,7 +128,7 @@ func NewBuildCommand(dockerCli command.Cli) *cobra.Command {
 	flags.Int64Var(&options.cpuQuota, "cpu-quota", 0, "Limit the CPU CFS (Completely Fair Scheduler) quota")
 	flags.StringVar(&options.cpuSetCpus, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
 	flags.StringVar(&options.cpuSetMems, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
-	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", "Optional parent cgroup for the container")
+	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", `Set the parent cgroup for the "RUN" instructions during build`)
 	flags.StringVar(&options.isolation, "isolation", "", "Container isolation technology")
 	flags.Var(&options.labels, "label", "Set metadata for an image")
 	flags.BoolVar(&options.noCache, "no-cache", false, "Do not use cache when building the image")

cli/command/image/build/dockerignore.go

@@ -1,11 +1,12 @@
 package build
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 
-	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
 	"github.com/moby/patternmatcher"
+	"github.com/moby/patternmatcher/ignorefile"
 )
 
 // ReadDockerignore reads the .dockerignore file in the context directory and
@@ -22,7 +23,11 @@ func ReadDockerignore(contextDir string) ([]string, error) {
 	}
 	defer f.Close()
 
-	return dockerignore.ReadAll(f)
+	patterns, err := ignorefile.ReadAll(f)
+	if err != nil {
+		return nil, fmt.Errorf("error reading .dockerignore: %w", err)
+	}
+	return patterns, nil
 }
 
 // TrimBuildFilesFromExcludes removes the named Dockerfile and .dockerignore from

cli/command/image/history_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
-	"gotest.tools/v3/skip"
 )
 
 func TestNewHistoryCommandErrors(t *testing.T) {
@@ -43,13 +42,7 @@ func TestNewHistoryCommandErrors(t *testing.T) {
 	}
 }
 
-func notUTCTimezone() bool {
-	now := time.Now()
-	return now != now.UTC()
-}
-
 func TestNewHistoryCommandSuccess(t *testing.T) {
-	skip.If(t, notUTCTimezone, "expected output requires UTC timezone")
 	testCases := []struct {
 		name             string
 		args             []string
@@ -62,6 +55,7 @@ func TestNewHistoryCommandSuccess(t *testing.T) {
 				return []image.HistoryResponseItem{{
 					ID:      "1234567890123456789",
 					Created: time.Now().Unix(),
+					Comment: "none",
 				}}, nil
 			},
 		},
@@ -93,13 +87,19 @@ func TestNewHistoryCommandSuccess(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		cli := test.NewFakeCli(&fakeClient{imageHistoryFunc: tc.imageHistoryFunc})
-		cmd := NewHistoryCommand(cli)
-		cmd.SetOut(io.Discard)
-		cmd.SetArgs(tc.args)
-		err := cmd.Execute()
-		assert.NilError(t, err)
-		actual := cli.OutBuffer().String()
-		golden.Assert(t, actual, fmt.Sprintf("history-command-success.%s.golden", tc.name))
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Set to UTC timezone as timestamps in output are
+			// printed in the current timezone
+			t.Setenv("TZ", "UTC")
+			cli := test.NewFakeCli(&fakeClient{imageHistoryFunc: tc.imageHistoryFunc})
+			cmd := NewHistoryCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			actual := cli.OutBuffer().String()
+			golden.Assert(t, actual, fmt.Sprintf("history-command-success.%s.golden", tc.name))
+		})
 	}
 }

cli/command/image/testdata/history-command-success.non-human.golden

@@ -1,2 +1,2 @@
-IMAGE               CREATED AT             CREATED BY          SIZE                COMMENT
-abcdef              2017-01-01T12:00:03Z   rose                0                   new history item!
+IMAGE     CREATED AT             CREATED BY   SIZE      COMMENT
+abcdef    2017-01-01T12:00:03Z   rose         0         new history item!

cli/command/image/testdata/history-command-success.simple.golden

@@ -1,2 +1,2 @@
-IMAGE               CREATED                  CREATED BY          SIZE                COMMENT
-123456789012        Less than a second ago                       0B                  
+IMAGE          CREATED                  CREATED BY   SIZE      COMMENT
+123456789012   Less than a second ago                0B        none

cli/command/manifest/util.go

@@ -16,7 +16,7 @@ type osArch struct {
 
 // Remove any unsupported os/arch combo
 // list of valid os/arch values (see "Optional Environment Variables" section
-// of https://golang.org/doc/install/source
+// of https://go.dev/doc/install/source
 // Added linux/s390x as we know System z support already exists
 // Keep in sync with _docker_manifest_annotate in contrib/completion/bash/docker
 var validOSArches = map[osArch]bool{

cli/command/registry.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	configtypes "github.com/docker/cli/cli/config/types"
+	"github.com/docker/cli/cli/hints"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
@@ -19,6 +20,10 @@ import (
 	"github.com/pkg/errors"
 )
 
+const patSuggest = "You can log in with your password or a Personal Access " +
+	"Token (PAT). Using a limited-scope PAT grants better security and is required " +
+	"for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/"
+
 // EncodeAuthToBase64 serializes the auth configuration as JSON base64 payload.
 //
 // Deprecated: use [registrytypes.EncodeAuthConfig] instead.
@@ -113,7 +118,11 @@ func ConfigureAuth(cli Cli, flUser, flPassword string, authconfig *registrytypes
 	if flUser = strings.TrimSpace(flUser); flUser == "" {
 		if isDefaultRegistry {
 			// if this is a default registry (docker hub), then display the following message.
-			fmt.Fprintln(cli.Out(), "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
+			fmt.Fprintln(cli.Out(), "Log in with your Docker ID or email address to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com/ to create one.")
+			if hints.Enabled() {
+				fmt.Fprintln(cli.Out(), patSuggest)
+				fmt.Fprintln(cli.Out())
+			}
 		}
 		promptWithDefault(cli.Out(), "Username", authconfig.Username)
 		var err error

cli/command/service/opts.go

@@ -1001,7 +1001,7 @@ const (
 	flagTTY                     = "tty"
 	flagUpdateDelay             = "update-delay"
 	flagUpdateFailureAction     = "update-failure-action"
-	flagUpdateMaxFailureRatio   = "update-max-failure-ratio"
+	flagUpdateMaxFailureRatio   = "update-max-failure-ratio" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
 	flagUpdateMonitor           = "update-monitor"
 	flagUpdateOrder             = "update-order"
 	flagUpdateParallelism       = "update-parallelism"

cli/command/system/client_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/client"
 )
 
@@ -12,6 +13,7 @@ type fakeClient struct {
 
 	version       string
 	serverVersion func(ctx context.Context) (types.Version, error)
+	eventsFn      func(context.Context, types.EventsOptions) (<-chan events.Message, <-chan error)
 }
 
 func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
@@ -21,3 +23,7 @@ func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error)
 func (cli *fakeClient) ClientVersion() string {
 	return cli.version
 }
+
+func (cli *fakeClient) Events(ctx context.Context, opts types.EventsOptions) (<-chan events.Message, <-chan error) {
+	return cli.eventsFn(ctx, opts)
+}

cli/command/system/events.go

@@ -12,10 +12,12 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/formatter"
+	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/opts"
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
-	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/events"
 	"github.com/spf13/cobra"
 )
 
@@ -47,7 +49,7 @@ func NewEventsCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.since, "since", "", "Show all events created since timestamp")
 	flags.StringVar(&options.until, "until", "", "Stream events until this timestamp")
 	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
-	flags.StringVar(&options.format, "format", "", "Format the output using the given Go template")
+	flags.StringVar(&options.format, "format", "", flagsHelper.InspectFormatHelp) // using the same flag description as "inspect" commands for now.
 
 	return cmd
 }
@@ -60,21 +62,19 @@ func runEvents(dockerCli command.Cli, options *eventsOptions) error {
 			Status:     "Error parsing format: " + err.Error(),
 		}
 	}
-	eventOptions := types.EventsOptions{
+	ctx, cancel := context.WithCancel(context.Background())
+	evts, errs := dockerCli.Client().Events(ctx, types.EventsOptions{
 		Since:   options.since,
 		Until:   options.until,
 		Filters: options.filter.Value(),
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	events, errs := dockerCli.Client().Events(ctx, eventOptions)
+	})
 	defer cancel()
 
 	out := dockerCli.Out()
 
 	for {
 		select {
-		case event := <-events:
+		case event := <-evts:
 			if err := handleEvent(out, event, tmpl); err != nil {
 				return err
 			}
@@ -87,7 +87,7 @@ func runEvents(dockerCli command.Cli, options *eventsOptions) error {
 	}
 }
 
-func handleEvent(out io.Writer, event eventtypes.Message, tmpl *template.Template) error {
+func handleEvent(out io.Writer, event events.Message, tmpl *template.Template) error {
 	if tmpl == nil {
 		return prettyPrintEvent(out, event)
 	}
@@ -96,16 +96,19 @@ func handleEvent(out io.Writer, event eventtypes.Message, tmpl *template.Templat
 }
 
 func makeTemplate(format string) (*template.Template, error) {
-	if format == "" {
+	switch format {
+	case "":
 		return nil, nil
+	case formatter.JSONFormatKey:
+		format = formatter.JSONFormat
 	}
 	tmpl, err := templates.Parse(format)
 	if err != nil {
 		return tmpl, err
 	}
-	// we execute the template for an empty message, so as to validate
-	// a bad template like "{{.badFieldString}}"
-	return tmpl, tmpl.Execute(io.Discard, &eventtypes.Message{})
+	// execute the template on an empty message to validate a bad
+	// template like "{{.badFieldString}}"
+	return tmpl, tmpl.Execute(io.Discard, &events.Message{})
 }
 
 // rfc3339NanoFixed is similar to time.RFC3339Nano, except it pads nanoseconds
@@ -115,7 +118,7 @@ const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
 // prettyPrintEvent prints all types of event information.
 // Each output includes the event type, actor id, name and action.
 // Actor attributes are printed at the end if the actor has any.
-func prettyPrintEvent(out io.Writer, event eventtypes.Message) error {
+func prettyPrintEvent(out io.Writer, event events.Message) error {
 	if event.TimeNano != 0 {
 		fmt.Fprintf(out, "%s ", time.Unix(0, event.TimeNano).Format(rfc3339NanoFixed))
 	} else if event.Time != 0 {
@@ -141,7 +144,7 @@ func prettyPrintEvent(out io.Writer, event eventtypes.Message) error {
 	return nil
 }
 
-func formatEvent(out io.Writer, event eventtypes.Message, tmpl *template.Template) error {
+func formatEvent(out io.Writer, event events.Message, tmpl *template.Template) error {
 	defer out.Write([]byte{'\n'})
 	return tmpl.Execute(out, event)
 }

cli/command/system/events_test.go

@@ -0,0 +1,83 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/golden"
+)
+
+func TestEventsFormat(t *testing.T) {
+	var evts []events.Message
+	for i, action := range []string{"create", "start", "attach", "die"} {
+		evts = append(evts, events.Message{
+			Status: action,
+			ID:     "abc123",
+			From:   "ubuntu:latest",
+			Type:   events.ContainerEventType,
+			Action: action,
+			Actor: events.Actor{
+				ID:         "abc123",
+				Attributes: map[string]string{"image": "ubuntu:latest"},
+			},
+			Scope:    "local",
+			Time:     int64(time.Second) * int64(i+1),
+			TimeNano: int64(time.Second) * int64(i+1),
+		})
+	}
+	tests := []struct {
+		name, format string
+	}{
+		{
+			name: "default",
+		},
+		{
+			name:   "json",
+			format: "json",
+		},
+		{
+			name:   "json template",
+			format: "{{ json . }}",
+		},
+		{
+			name:   "json action",
+			format: "{{ json .Action }}",
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Set to UTC timezone as timestamps in output are
+			// printed in the current timezone
+			t.Setenv("TZ", "UTC")
+			cli := test.NewFakeCli(&fakeClient{eventsFn: func(context.Context, types.EventsOptions) (<-chan events.Message, <-chan error) {
+				messages := make(chan events.Message)
+				errs := make(chan error, 1)
+				go func() {
+					for _, msg := range evts {
+						messages <- msg
+					}
+					errs <- io.EOF
+				}()
+				return messages, errs
+			}})
+			cmd := NewEventsCommand(cli)
+			if tc.format != "" {
+				cmd.Flags().Set("format", tc.format)
+			}
+			assert.Check(t, cmd.Execute())
+			out := cli.OutBuffer().String()
+			assert.Check(t, golden.String(out, fmt.Sprintf("docker-events-%s.golden", strings.ReplaceAll(tc.name, " ", "-"))))
+			cli.OutBuffer().Reset()
+		})
+	}
+}

cli/command/system/info.go

@@ -313,7 +313,12 @@ func prettyPrintServerInfo(streams command.Streams, info *info) []error {
 	fprintln(output, " Docker Root Dir:", info.DockerRootDir)
 	fprintln(output, " Debug Mode:", info.Debug)
 
-	if info.Debug {
+	// The daemon collects this information regardless if "debug" is
+	// enabled. Print the debugging information if either the daemon,
+	// or the client has debug enabled. We should probably improve this
+	// logic and print any of these if set (but some special rules are
+	// needed for file-descriptors, which may use "-1".
+	if info.Debug || debug.IsEnabled() {
 		fprintln(output, "  File Descriptors:", info.NFd)
 		fprintln(output, "  Goroutines:", info.NGoroutines)
 		fprintln(output, "  System Time:", info.SystemTime)

cli/command/system/prune.go

@@ -48,7 +48,7 @@ func newPruneCommand(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images not just dangling ones")
-	flags.BoolVar(&options.pruneVolumes, "volumes", false, "Prune volumes")
+	flags.BoolVar(&options.pruneVolumes, "volumes", false, "Prune anonymous volumes")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g. "label=<key>=<value>")`)
 	// "filter" flag is available in 1.28 (docker 17.04) and up
 	flags.SetAnnotation("filter", "version", []string{"1.28"})
@@ -114,7 +114,7 @@ func confirmationMessage(dockerCli command.Cli, options pruneOptions) string {
 		"all networks not used by at least one container",
 	}
 	if options.pruneVolumes {
-		warnings = append(warnings, "all volumes not used by at least one container")
+		warnings = append(warnings, "all anonymous volumes not used by at least one container")
 	}
 	if options.all {
 		warnings = append(warnings, "all images without at least one container associated to them")

cli/command/system/testdata/docker-events-default.golden

@@ -0,0 +1,4 @@
+1970-01-01T00:00:01.000000000Z container create abc123 (image=ubuntu:latest)
+1970-01-01T00:00:02.000000000Z container start abc123 (image=ubuntu:latest)
+1970-01-01T00:00:03.000000000Z container attach abc123 (image=ubuntu:latest)
+1970-01-01T00:00:04.000000000Z container die abc123 (image=ubuntu:latest)

cli/command/system/testdata/docker-events-json-action.golden

@@ -0,0 +1,4 @@
+"create"
+"start"
+"attach"
+"die"

cli/command/system/testdata/docker-events-json-template.golden

@@ -0,0 +1,4 @@
+{"status":"create","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"create","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":1000000000,"timeNano":1000000000}
+{"status":"start","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"start","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":2000000000,"timeNano":2000000000}
+{"status":"attach","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"attach","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":3000000000,"timeNano":3000000000}
+{"status":"die","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"die","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":4000000000,"timeNano":4000000000}

cli/command/system/testdata/docker-events-json.golden

@@ -0,0 +1,4 @@
+{"status":"create","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"create","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":1000000000,"timeNano":1000000000}
+{"status":"start","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"start","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":2000000000,"timeNano":2000000000}
+{"status":"attach","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"attach","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":3000000000,"timeNano":3000000000}
+{"status":"die","id":"abc123","from":"ubuntu:latest","Type":"container","Action":"die","Actor":{"ID":"abc123","Attributes":{"image":"ubuntu:latest"}},"scope":"local","time":4000000000,"timeNano":4000000000}

cli/command/volume/prune.go

@@ -27,7 +27,7 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 
 	cmd := &cobra.Command{
 		Use:   "prune [OPTIONS]",
-		Short: "Remove all unused local volumes",
+		Short: "Remove unused local volumes",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			spaceReclaimed, output, err := runPrune(dockerCli, options)

cli/compose/loader/volume_test.go

@@ -223,3 +223,8 @@ func TestParseVolumeInvalidSections(t *testing.T) {
 	_, err := ParseVolume("/foo::rw")
 	assert.ErrorContains(t, err, "invalid spec")
 }
+
+func TestParseVolumeWithEmptySource(t *testing.T) {
+	_, err := ParseVolume(":/vol")
+	assert.ErrorContains(t, err, "empty section between colons")
+}

cli/config/configfile/file.go

@@ -94,6 +94,9 @@ func (configFile *ConfigFile) ContainsAuth() bool {
 
 // GetAuthConfigs returns the mapping of repo to auth configuration
 func (configFile *ConfigFile) GetAuthConfigs() map[string]types.AuthConfig {
+	if configFile.AuthConfigs == nil {
+		configFile.AuthConfigs = make(map[string]types.AuthConfig)
+	}
 	return configFile.AuthConfigs
 }
 

cli/config/credentials/file_store.go

@@ -52,7 +52,8 @@ func (c *fileStore) GetAll() (map[string]types.AuthConfig, error) {
 
 // Store saves the given credentials in the file store.
 func (c *fileStore) Store(authConfig types.AuthConfig) error {
-	c.file.GetAuthConfigs()[authConfig.ServerAddress] = authConfig
+	authConfigs := c.file.GetAuthConfigs()
+	authConfigs[authConfig.ServerAddress] = authConfig
 	return c.file.Save()
 }
 

cli/connhelper/commandconn/commandconn.go

@@ -23,6 +23,7 @@ import (
 	"runtime"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
@@ -64,81 +65,68 @@ func New(_ context.Context, cmd string, args ...string) (net.Conn, error) {
 
 // commandConn implements net.Conn
 type commandConn struct {
-	cmd           *exec.Cmd
-	cmdExited     bool
-	cmdWaitErr    error
-	cmdMutex      sync.Mutex
-	stdin         io.WriteCloser
-	stdout        io.ReadCloser
-	stderrMu      sync.Mutex
-	stderr        bytes.Buffer
-	stdioClosedMu sync.Mutex // for stdinClosed and stdoutClosed
-	stdinClosed   bool
-	stdoutClosed  bool
-	localAddr     net.Addr
-	remoteAddr    net.Addr
+	cmdMutex     sync.Mutex // for cmd, cmdWaitErr
+	cmd          *exec.Cmd
+	cmdWaitErr   error
+	cmdExited    atomic.Bool
+	stdin        io.WriteCloser
+	stdout       io.ReadCloser
+	stderrMu     sync.Mutex // for stderr
+	stderr       bytes.Buffer
+	stdinClosed  atomic.Bool
+	stdoutClosed atomic.Bool
+	closing      atomic.Bool
+	localAddr    net.Addr
+	remoteAddr   net.Addr
 }
 
-// killIfStdioClosed kills the cmd if both stdin and stdout are closed.
-func (c *commandConn) killIfStdioClosed() error {
-	c.stdioClosedMu.Lock()
-	stdioClosed := c.stdoutClosed && c.stdinClosed
-	c.stdioClosedMu.Unlock()
-	if !stdioClosed {
-		return nil
+// kill terminates the process. On Windows it kills the process directly,
+// whereas on other platforms, a SIGTERM is sent, before forcefully terminating
+// the process after 3 seconds.
+func (c *commandConn) kill() {
+	if c.cmdExited.Load() {
+		return
 	}
-	return c.kill()
-}
-
-// killAndWait tries sending SIGTERM to the process before sending SIGKILL.
-func killAndWait(cmd *exec.Cmd) error {
+	c.cmdMutex.Lock()
 	var werr error
 	if runtime.GOOS != "windows" {
 		werrCh := make(chan error)
-		go func() { werrCh <- cmd.Wait() }()
-		cmd.Process.Signal(syscall.SIGTERM)
+		go func() { werrCh <- c.cmd.Wait() }()
+		_ = c.cmd.Process.Signal(syscall.SIGTERM)
 		select {
 		case werr = <-werrCh:
 		case <-time.After(3 * time.Second):
-			cmd.Process.Kill()
+			_ = c.cmd.Process.Kill()
 			werr = <-werrCh
 		}
 	} else {
-		cmd.Process.Kill()
-		werr = cmd.Wait()
-	}
-	return werr
-}
-
-// kill returns nil if the command terminated, regardless to the exit status.
-func (c *commandConn) kill() error {
-	var werr error
-	c.cmdMutex.Lock()
-	if c.cmdExited {
-		werr = c.cmdWaitErr
-	} else {
-		werr = killAndWait(c.cmd)
-		c.cmdWaitErr = werr
-		c.cmdExited = true
+		_ = c.cmd.Process.Kill()
+		werr = c.cmd.Wait()
 	}
+	c.cmdWaitErr = werr
 	c.cmdMutex.Unlock()
-	if werr == nil {
-		return nil
-	}
-	wExitErr, ok := werr.(*exec.ExitError)
-	if ok {
-		if wExitErr.ProcessState.Exited() {
-			return nil
-		}
-	}
-	return errors.Wrapf(werr, "commandconn: failed to wait")
+	c.cmdExited.Store(true)
 }
 
-func (c *commandConn) onEOF(eof error) error {
-	// when we got EOF, the command is going to be terminated
-	var werr error
+// handleEOF handles io.EOF errors while reading or writing from the underlying
+// command pipes.
+//
+// When we've received an EOF we expect that the command will
+// be terminated soon. As such, we call Wait() on the command
+// and return EOF or the error depending on whether the command
+// exited with an error.
+//
+// If Wait() does not return within 10s, an error is returned
+func (c *commandConn) handleEOF(err error) error {
+	if err != io.EOF {
+		return err
+	}
+
 	c.cmdMutex.Lock()
-	if c.cmdExited {
+	defer c.cmdMutex.Unlock()
+
+	var werr error
+	if c.cmdExited.Load() {
 		werr = c.cmdWaitErr
 	} else {
 		werrCh := make(chan error)
@@ -146,18 +134,17 @@ func (c *commandConn) onEOF(eof error) error {
 		select {
 		case werr = <-werrCh:
 			c.cmdWaitErr = werr
-			c.cmdExited = true
+			c.cmdExited.Store(true)
 		case <-time.After(10 * time.Second):
-			c.cmdMutex.Unlock()
 			c.stderrMu.Lock()
 			stderr := c.stderr.String()
 			c.stderrMu.Unlock()
-			return errors.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, eof, stderr)
+			return errors.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, err, stderr)
 		}
 	}
-	c.cmdMutex.Unlock()
+
 	if werr == nil {
-		return eof
+		return err
 	}
 	c.stderrMu.Lock()
 	stderr := c.stderr.String()
@@ -166,71 +153,86 @@ func (c *commandConn) onEOF(eof error) error {
 }
 
 func ignorableCloseError(err error) bool {
-	errS := err.Error()
-	ss := []string{
-		os.ErrClosed.Error(),
-	}
-	for _, s := range ss {
-		if strings.Contains(errS, s) {
-			return true
-		}
-	}
-	return false
-}
-
-func (c *commandConn) CloseRead() error {
-	// NOTE: maybe already closed here
-	if err := c.stdout.Close(); err != nil && !ignorableCloseError(err) {
-		logrus.Warnf("commandConn.CloseRead: %v", err)
-	}
-	c.stdioClosedMu.Lock()
-	c.stdoutClosed = true
-	c.stdioClosedMu.Unlock()
-	if err := c.killIfStdioClosed(); err != nil {
-		logrus.Warnf("commandConn.CloseRead: %v", err)
-	}
-	return nil
+	return strings.Contains(err.Error(), os.ErrClosed.Error())
 }
 
 func (c *commandConn) Read(p []byte) (int, error) {
 	n, err := c.stdout.Read(p)
-	if err == io.EOF {
-		err = c.onEOF(err)
+	// check after the call to Read, since
+	// it is blocking, and while waiting on it
+	// Close might get called
+	if c.closing.Load() {
+		// If we're currently closing the connection
+		// we don't want to call onEOF
+		return n, err
 	}
-	return n, err
-}
 
-func (c *commandConn) CloseWrite() error {
-	// NOTE: maybe already closed here
-	if err := c.stdin.Close(); err != nil && !ignorableCloseError(err) {
-		logrus.Warnf("commandConn.CloseWrite: %v", err)
-	}
-	c.stdioClosedMu.Lock()
-	c.stdinClosed = true
-	c.stdioClosedMu.Unlock()
-	if err := c.killIfStdioClosed(); err != nil {
-		logrus.Warnf("commandConn.CloseWrite: %v", err)
-	}
-	return nil
+	return n, c.handleEOF(err)
 }
 
 func (c *commandConn) Write(p []byte) (int, error) {
 	n, err := c.stdin.Write(p)
-	if err == io.EOF {
-		err = c.onEOF(err)
+	// check after the call to Write, since
+	// it is blocking, and while waiting on it
+	// Close might get called
+	if c.closing.Load() {
+		// If we're currently closing the connection
+		// we don't want to call onEOF
+		return n, err
 	}
-	return n, err
+
+	return n, c.handleEOF(err)
 }
 
+// CloseRead allows commandConn to implement halfCloser
+func (c *commandConn) CloseRead() error {
+	// NOTE: maybe already closed here
+	if err := c.stdout.Close(); err != nil && !ignorableCloseError(err) {
+		return err
+	}
+	c.stdoutClosed.Store(true)
+
+	if c.stdinClosed.Load() {
+		c.kill()
+	}
+
+	return nil
+}
+
+// CloseWrite allows commandConn to implement halfCloser
+func (c *commandConn) CloseWrite() error {
+	// NOTE: maybe already closed here
+	if err := c.stdin.Close(); err != nil && !ignorableCloseError(err) {
+		return err
+	}
+	c.stdinClosed.Store(true)
+
+	if c.stdoutClosed.Load() {
+		c.kill()
+	}
+	return nil
+}
+
+// Close is the net.Conn func that gets called
+// by the transport when a dial is cancelled
+// due to it's context timing out. Any blocked
+// Read or Write calls will be unblocked and
+// return errors. It will block until the underlying
+// command has terminated.
 func (c *commandConn) Close() error {
-	var err error
-	if err = c.CloseRead(); err != nil {
+	c.closing.Store(true)
+	defer c.closing.Store(false)
+
+	if err := c.CloseRead(); err != nil {
 		logrus.Warnf("commandConn.Close: CloseRead: %v", err)
+		return err
 	}
-	if err = c.CloseWrite(); err != nil {
+	if err := c.CloseWrite(); err != nil {
 		logrus.Warnf("commandConn.Close: CloseWrite: %v", err)
+		return err
 	}
-	return err
+
+	return nil
 }
 
 func (c *commandConn) LocalAddr() net.Addr {

cli/connhelper/commandconn/commandconn_unix_test.go

@@ -6,8 +6,11 @@ package commandconn
 import (
 	"context"
 	"io"
+	"io/fs"
 	"testing"
+	"time"
 
+	"github.com/docker/docker/pkg/process"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -43,3 +46,170 @@ func TestEOFWithoutError(t *testing.T) {
 	assert.Check(t, is.Equal(0, n))
 	assert.Check(t, is.Equal(io.EOF, err))
 }
+
+func TestCloseRunningCommand(t *testing.T) {
+	cmd := "sh"
+	args := []string{"-c", "while true; sleep 1; done"}
+
+	done := make(chan struct{})
+	defer close(done)
+
+	go func() {
+		c, err := New(context.TODO(), cmd, args...)
+		assert.NilError(t, err)
+		cmdConn := c.(*commandConn)
+		assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+		n, err := c.Write([]byte("hello"))
+		assert.Check(t, is.Equal(len("hello"), n))
+		assert.NilError(t, err)
+		assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+		err = cmdConn.Close()
+		assert.NilError(t, err)
+		assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid))
+		done <- struct{}{}
+	}()
+
+	select {
+	case <-time.After(5 * time.Second):
+		t.Error("test did not finish in time")
+	case <-done:
+		break
+	}
+}
+
+func TestCloseTwice(t *testing.T) {
+	cmd := "sh"
+	args := []string{"-c", "echo hello; sleep 1; exit 0"}
+
+	done := make(chan struct{})
+	go func() {
+		c, err := New(context.TODO(), cmd, args...)
+		assert.NilError(t, err)
+		cmdConn := c.(*commandConn)
+		assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+		b := make([]byte, 32)
+		n, err := c.Read(b)
+		assert.Check(t, is.Equal(len("hello\n"), n))
+		assert.NilError(t, err)
+
+		err = cmdConn.Close()
+		assert.NilError(t, err)
+		assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid))
+
+		err = cmdConn.Close()
+		assert.NilError(t, err)
+		assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid))
+		done <- struct{}{}
+	}()
+
+	select {
+	case <-time.After(10 * time.Second):
+		t.Error("test did not finish in time")
+	case <-done:
+		break
+	}
+}
+
+func TestEOFTimeout(t *testing.T) {
+	cmd := "sh"
+	args := []string{"-c", "sleep 20"}
+
+	done := make(chan struct{})
+	go func() {
+		c, err := New(context.TODO(), cmd, args...)
+		assert.NilError(t, err)
+		cmdConn := c.(*commandConn)
+		assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+		cmdConn.stdout = mockStdoutEOF{}
+
+		b := make([]byte, 32)
+		n, err := c.Read(b)
+		assert.Check(t, is.Equal(0, n))
+		assert.ErrorContains(t, err, "did not exit after EOF")
+
+		done <- struct{}{}
+	}()
+
+	// after receiving an EOF, we try to kill the command
+	// if it doesn't exit after 10s, we throw an error
+	select {
+	case <-time.After(12 * time.Second):
+		t.Error("test did not finish in time")
+	case <-done:
+		break
+	}
+}
+
+type mockStdoutEOF struct{}
+
+func (mockStdoutEOF) Read(_ []byte) (int, error) {
+	return 0, io.EOF
+}
+
+func (mockStdoutEOF) Close() error {
+	return nil
+}
+
+func TestCloseWhileWriting(t *testing.T) {
+	cmd := "sh"
+	args := []string{"-c", "while true; sleep 1; done"}
+
+	c, err := New(context.TODO(), cmd, args...)
+	assert.NilError(t, err)
+	cmdConn := c.(*commandConn)
+	assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+	writeErrC := make(chan error)
+	go func() {
+		for {
+			n, err := c.Write([]byte("hello"))
+			if err != nil {
+				writeErrC <- err
+				return
+			}
+			assert.Equal(t, n, len("hello"))
+		}
+	}()
+
+	err = c.Close()
+	assert.NilError(t, err)
+	assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid))
+
+	writeErr := <-writeErrC
+	assert.ErrorContains(t, writeErr, "file already closed")
+	assert.Check(t, is.ErrorIs(writeErr, fs.ErrClosed))
+}
+
+func TestCloseWhileReading(t *testing.T) {
+	cmd := "sh"
+	args := []string{"-c", "while true; sleep 1; done"}
+
+	c, err := New(context.TODO(), cmd, args...)
+	assert.NilError(t, err)
+	cmdConn := c.(*commandConn)
+	assert.Check(t, process.Alive(cmdConn.cmd.Process.Pid))
+
+	readErrC := make(chan error)
+	go func() {
+		for {
+			b := make([]byte, 32)
+			n, err := c.Read(b)
+			if err != nil {
+				readErrC <- err
+				return
+			}
+			assert.Check(t, is.Equal(0, n))
+		}
+	}()
+
+	err = cmdConn.Close()
+	assert.NilError(t, err)
+	assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid))
+
+	readErr := <-readErrC
+	assert.Check(t, is.ErrorIs(readErr, fs.ErrClosed))
+}

cli/connhelper/connhelper.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"net"
 	"net/url"
+	"strings"
 
 	"github.com/docker/cli/cli/connhelper/commandconn"
 	"github.com/docker/cli/cli/connhelper/ssh"
@@ -51,6 +52,7 @@ func getConnectionHelper(daemonURL string, sshFlags []string) (*ConnectionHelper
 				if sp.Path != "" {
 					args = append(args, "--host", "unix://"+sp.Path)
 				}
+				sshFlags = addSSHTimeout(sshFlags)
 				args = append(args, "system", "dial-stdio")
 				return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args(args...)...)...)
 			},
@@ -71,3 +73,10 @@ func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper,
 		Host: "http://docker.example.com",
 	}, nil
 }
+
+func addSSHTimeout(sshFlags []string) []string {
+	if !strings.Contains(strings.Join(sshFlags, ""), "ConnectTimeout") {
+		sshFlags = append(sshFlags, "-o ConnectTimeout=30")
+	}
+	return sshFlags
+}

cli/connhelper/connhelper_test.go

@@ -0,0 +1,31 @@
+package connhelper
+
+import (
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestSSHFlags(t *testing.T) {
+	testCases := []struct {
+		in  []string
+		out []string
+	}{
+		{
+			in:  []string{},
+			out: []string{"-o ConnectTimeout=30"},
+		},
+		{
+			in:  []string{"option", "-o anotherOption"},
+			out: []string{"option", "-o anotherOption", "-o ConnectTimeout=30"},
+		},
+		{
+			in:  []string{"-o ConnectTimeout=5", "anotherOption"},
+			out: []string{"-o ConnectTimeout=5", "anotherOption"},
+		},
+	}
+
+	for _, tc := range testCases {
+		assert.DeepEqual(t, addSSHTimeout(tc.in), tc.out)
+	}
+}

cli/flags/options.go

@@ -83,7 +83,7 @@ func (o *ClientOptions) InstallFlags(flags *pflag.FlagSet) {
 
 	// opts.ValidateHost is not used here, so as to allow connection helpers
 	hostOpt := opts.NewNamedListOptsRef("hosts", &o.Hosts, nil)
-	flags.VarP(hostOpt, "host", "H", "Daemon socket(s) to connect to")
+	flags.VarP(hostOpt, "host", "H", "Daemon socket to connect to")
 	flags.StringVarP(&o.Context, "context", "c", "",
 		`Name of the context to use to connect to the daemon (overrides `+client.EnvOverrideHost+` env var and default context set with "docker context use")`)
 }

cli/hints/hints.go

@@ -0,0 +1,18 @@
+package hints
+
+import (
+	"os"
+	"strconv"
+)
+
+// Enabled returns whether cli hints are enabled or not
+func Enabled() bool {
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+		enabled, err := strconv.ParseBool(v)
+		if err != nil {
+			return true
+		}
+		return enabled
+	}
+	return true
+}

cli/registry/client/client.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/reference"
 	distributionclient "github.com/docker/distribution/registry/client"
@@ -77,6 +78,7 @@ func (c *client) MountBlob(ctx context.Context, sourceRef reference.Canonical, t
 	if err != nil {
 		return err
 	}
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, targetRef, repoEndpoint)
 	if err != nil {
 		return err
@@ -102,6 +104,7 @@ func (c *client) PutManifest(ctx context.Context, ref reference.Named, manifest
 		return digest.Digest(""), err
 	}
 
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, ref, repoEndpoint)
 	if err != nil {
 		return digest.Digest(""), err
@@ -151,7 +154,9 @@ func (c *client) getHTTPTransportForRepoEndpoint(ctx context.Context, repoEndpoi
 		c.authConfigResolver(ctx, repoEndpoint.info.Index),
 		repoEndpoint.endpoint,
 		repoEndpoint.Name(),
-		c.userAgent)
+		c.userAgent,
+		repoEndpoint.actions,
+	)
 	return httpTransport, errors.Wrap(err, "failed to configure transport")
 }
 

cli/registry/client/endpoint.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/client/auth"
 	"github.com/docker/distribution/registry/client/transport"
@@ -17,6 +18,7 @@ import (
 type repositoryEndpoint struct {
 	info     *registry.RepositoryInfo
 	endpoint registry.APIEndpoint
+	actions  []string
 }
 
 // Name returns the repository name
@@ -74,7 +76,7 @@ func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry
 }
 
 // getHTTPTransport builds a transport for use in communicating with a registry
-func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName string, userAgent string) (http.RoundTripper, error) {
+func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName, userAgent string, actions []string) (http.RoundTripper, error) {
 	// get the http transport, this will be used in a client to upload manifest
 	base := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
@@ -98,8 +100,11 @@ func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.API
 		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
 	} else {
+		if len(actions) == 0 {
+			actions = trust.ActionsPullOnly
+		}
 		creds := registry.NewStaticCredentialStore(&authConfig)
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "push", "pull")
+		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
 		basicHandler := auth.NewBasicHandler(creds)
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
 	}

cli/registry/client/fetcher.go

@@ -202,7 +202,8 @@ func pullManifestList(ctx context.Context, ref reference.Named, repo distributio
 		}
 
 		// Replace platform from config
-		imageManifest.Descriptor.Platform = types.OCIPlatform(&manifestDescriptor.Platform)
+		p := manifestDescriptor.Platform
+		imageManifest.Descriptor.Platform = types.OCIPlatform(&p)
 
 		infos = append(infos, imageManifest)
 	}
@@ -242,11 +243,6 @@ func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named,
 
 	confirmedTLSRegistries := make(map[string]bool)
 	for _, endpoint := range endpoints {
-		if endpoint.Version == registry.APIVersion1 {
-			logrus.Debugf("skipping v1 endpoint %s", endpoint.URL)
-			continue
-		}
-
 		if endpoint.URL.Scheme != "https" {
 			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
 				logrus.Debugf("skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)

cmd/docker/docker.go

@@ -402,14 +402,22 @@ func areFlagsSupported(cmd *cobra.Command, details versionDetails) error {
 	errs := []string{}
 
 	cmd.Flags().VisitAll(func(f *pflag.Flag) {
-		if !f.Changed {
+		if !f.Changed || len(f.Annotations) == 0 {
 			return
 		}
-		if !isVersionSupported(f, details.CurrentVersion()) {
+		// Important: in the code below, calls to "details.CurrentVersion()" and
+		// "details.ServerInfo()" are deliberately executed inline to make them
+		// be executed "lazily". This is to prevent making a connection with the
+		// daemon to perform a "ping" (even for flags that do not require a
+		// daemon connection).
+		//
+		// See commit b39739123b845f872549e91be184cc583f5b387c for details.
+
+		if _, ok := f.Annotations["version"]; ok && !isVersionSupported(f, details.CurrentVersion()) {
 			errs = append(errs, fmt.Sprintf(`"--%s" requires API version %s, but the Docker daemon API version is %s`, f.Name, getFlagAnnotation(f, "version"), details.CurrentVersion()))
 			return
 		}
-		if !isOSTypeSupported(f, details.ServerInfo().OSType) {
+		if _, ok := f.Annotations["ostype"]; ok && !isOSTypeSupported(f, details.ServerInfo().OSType) {
 			errs = append(errs, fmt.Sprintf(
 				`"--%s" is only supported on a Docker daemon running on %s, but the Docker daemon is running on %s`,
 				f.Name,

contrib/completion/bash/docker

@@ -1142,7 +1142,10 @@ __docker_complete_user_group() {
 	fi
 }
 
-DOCKER_PLUGINS_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+__docker_plugins_path() {
+	local docker_plugins_path=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+	echo "${docker_plugins_path//:/ }"
+}
 
 __docker_complete_plugin() {
 	local path=$1
@@ -2649,7 +2652,7 @@ _docker_daemon() {
 			return
 			;;
 		--storage-driver|-s)
-			COMPREPLY=( $( compgen -W "aufs btrfs overlay2 vfs zfs" -- "$(echo "$cur" | tr '[:upper:]' '[:lower:]')" ) )
+			COMPREPLY=( $( compgen -W "btrfs overlay2 vfs zfs" -- "$(echo "$cur" | tr '[:upper:]' '[:lower:]')" ) )
 			return
 			;;
 		--storage-opt)
@@ -5504,7 +5507,7 @@ _docker() {
 	# Create completion functions for all registered plugins
 	local known_plugin_commands=()
 	local plugin_name=""
-	for plugin_path in ${DOCKER_PLUGINS_PATH//:/ }; do
+	for plugin_path in $(__docker_plugins_path); do
 		plugin_name=$(basename "$plugin_path" | sed 's/ *$//')
 		plugin_name=${plugin_name#docker-}
 		plugin_name=${plugin_name%%.*}

contrib/completion/zsh/_docker

@@ -2777,7 +2777,7 @@ __docker_subcommand() {
                 "($help)--raw-logs[Full timestamps without ANSI coloring]" \
                 "($help)*--registry-mirror=[Preferred registry mirror]:registry mirror: " \
                 "($help)--seccomp-profile=[Path to seccomp profile]:path:_files -g \"*.json\"" \
-                "($help -s --storage-driver)"{-s=,--storage-driver=}"[Storage driver to use]:driver:(aufs btrfs devicemapper overlay overlay2 vfs zfs)" \
+                "($help -s --storage-driver)"{-s=,--storage-driver=}"[Storage driver to use]:driver:(btrfs devicemapper overlay2 vfs zfs)" \
                 "($help)--selinux-enabled[Enable selinux support]" \
                 "($help)--shutdown-timeout=[Set the shutdown timeout value in seconds]:time: " \
                 "($help)*--storage-opt=[Storage driver options]:storage driver options: " \

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.20.4"
+    default = "1.20.10"
 }
 variable "VERSION" {
     default = ""

dockerfiles/Dockerfile.authors

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 
 FROM alpine:${ALPINE_VERSION} AS gen
 RUN apk add --no-cache bash git

dockerfiles/Dockerfile.dev

@@ -1,13 +1,14 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20.4
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.20.10
+ARG ALPINE_VERSION=3.17
 
-ARG BUILDX_VERSION=0.10.4
+ARG BUILDX_VERSION=0.11.2
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
-ENV  CGO_ENABLED=0
+ENV GOTOOLCHAIN=local
+ENV CGO_ENABLED=0
 
 FROM golang AS gofumpt
 ARG GOFUMPT_VERSION=v0.4.0
@@ -18,7 +19,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     && gofumpt --version
 
 FROM golang AS gotestsum
-ARG GOTESTSUM_VERSION=v1.8.2
+ARG GOTESTSUM_VERSION=v1.10.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \
@@ -48,11 +49,11 @@ CMD bash
 ENV DISABLE_WARN_OUTSIDE_CONTAINER=1
 ENV PATH=$PATH:/go/src/github.com/docker/cli/build
 
-COPY --from=buildx          /buildx /usr/libexec/docker/cli-plugins/docker-buildx
-COPY --from=gofumpt         /go/bin/* /go/bin/
-COPY --from=gotestsum       /go/bin/* /go/bin/
-COPY --from=goversioninfo   /go/bin/* /go/bin/
+COPY --link --from=buildx          /buildx /usr/libexec/docker/cli-plugins/docker-buildx
+COPY --link --from=gofumpt         /go/bin/* /go/bin/
+COPY --link --from=gotestsum       /go/bin/* /go/bin/
+COPY --link --from=goversioninfo   /go/bin/* /go/bin/
 
 WORKDIR /go/src/github.com/docker/cli
 ENV GO111MODULE=auto
-COPY . .
+COPY --link . .

dockerfiles/Dockerfile.lint

@@ -1,17 +1,18 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20.4
-ARG ALPINE_VERSION=3.16
-ARG GOLANGCI_LINT_VERSION=v1.52.2
+ARG GO_VERSION=1.20.10
+ARG ALPINE_VERSION=3.17
+ARG GOLANGCI_LINT_VERSION=v1.54.2
 
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS lint
+ENV GOTOOLCHAIN=local
 ENV GO111MODULE=off
 ENV CGO_ENABLED=0
 ENV GOGC=75
 WORKDIR /go/src/github.com/docker/cli
-COPY --from=golangci-lint /usr/bin/golangci-lint /usr/bin/golangci-lint
+COPY --link --from=golangci-lint /usr/bin/golangci-lint /usr/bin/golangci-lint
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
         golangci-lint run

dockerfiles/Dockerfile.vendor

@@ -1,15 +1,16 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20.4
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.20.10
+ARG ALPINE_VERSION=3.17
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
+ENV GOTOOLCHAIN=local
 RUN apk add --no-cache bash git rsync
 WORKDIR /src
 
 FROM base AS vendored
-ENV GOPROXY=direct
+ENV GOPROXY=https://proxy.golang.org|direct
 RUN --mount=target=/context \
     --mount=target=.,type=tmpfs  \
     --mount=target=/go/pkg/mod,type=cache <<EOT

docs/deprecated.md

@@ -48,68 +48,68 @@ The table below provides an overview of the current status of deprecated feature
   alternatives. In such cases, a warning may be printed, and users should not rely
   on this feature.
 
-| Status     | Feature                                                                                                                            | Deprecated | Remove  |
-|------------|------------------------------------------------------------------------------------------------------------------------------------|------------|---------|
-| Deprecated | [OOM-score adjust for the daemon](#oom-score-adjust-for-the-daemon)                                                                | v24.0.0    | v25.0.0 |
-| Removed    | [Buildkit build information](#buildkit-build-information)                                                                          | v23.0.0    | v24.0.0 |
-| Deprecated | [Legacy builder for Linux images](#legacy-builder-for-linux-images)                                                                | v23.0.0    | -       |
-| Deprecated | [Legacy builder fallback](#legacy-builder-fallback)                                                                                | v23.0.0    | -       |
-| Removed    | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | v23.0.0 |
-| Removed    | [Support for encrypted TLS private keys](#support-for-encrypted-tls-private-keys)                                                  | v20.10     | v23.0.0 |
-| Removed    | [Kubernetes stack and context support](#kubernetes-stack-and-context-support)                                                      | v20.10     | v23.0.0 |
-| Deprecated | [Pulling images from non-compliant image registries](#pulling-images-from-non-compliant-image-registries)                          | v20.10     | -       |
-| Removed    | [Linux containers on Windows (LCOW)](#linux-containers-on-windows-lcow-experimental)                                               | v20.10     | v23.0.0 |
-| Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options-with-cgroups-v1)                                                      | v20.10     | -       |
-| Removed    | [Kernel memory limit](#kernel-memory-limit)                                                                                        | v20.10     | v23.0.0 |
-| Removed    | [Classic Swarm and overlay networks using external key/value stores](#classic-swarm-and-overlay-networks-using-cluster-store)      | v20.10     | v23.0.0 |
-| Removed    | [Support for the legacy `~/.dockercfg` configuration file for authentication](#support-for-legacy-dockercfg-configuration-files)   | v20.10     | v23.0.0 |
-| Deprecated | [CLI plugins support](#cli-plugins-support)                                                                                        | v20.10     | -       |
-| Deprecated | [Dockerfile legacy `ENV name value` syntax](#dockerfile-legacy-env-name-value-syntax)                                              | v20.10     | -       |
-| Removed    | [`docker build --stream` flag (experimental)](#docker-build---stream-flag-experimental)                                            | v20.10     | v20.10  |
-| Deprecated | [`fluentd-async-connect` log opt](#fluentd-async-connect-log-opt)                                                                  | v20.10     | -       |
-| Removed    | [Configuration options for experimental CLI features](#configuration-options-for-experimental-cli-features)                        | v19.03     | v23.0.0 |
-| Deprecated | [Pushing and pulling with image manifest v2 schema 1](#pushing-and-pulling-with-image-manifest-v2-schema-1)                        | v19.03     | v20.10  |
-| Removed    | [`docker engine` subcommands](#docker-engine-subcommands)                                                                          | v19.03     | v20.10  |
-| Removed    | [Top-level `docker deploy` subcommand (experimental)](#top-level-docker-deploy-subcommand-experimental)                            | v19.03     | v20.10  |
-| Removed    | [`docker stack deploy` using "dab" files (experimental)](#docker-stack-deploy-using-dab-files-experimental)                        | v19.03     | v20.10  |
-| Removed    | [Support for the `overlay2.override_kernel_check` storage option](#support-for-the-overlay2override_kernel_check-storage-option)   | v19.03     | v24.0.0 |
-| Removed    | [AuFS storage driver](#aufs-storage-driver)                                                                                        | v19.03     | v24.0.0 |
-| Removed    | [Legacy "overlay" storage driver](#legacy-overlay-storage-driver)                                                                  | v18.09     | v24.0.0 |
-| Disabled   | [Device mapper storage driver](#device-mapper-storage-driver)                                                                      | v18.09     | -       |
-| Removed    | [Use of reserved namespaces in engine labels](#use-of-reserved-namespaces-in-engine-labels)                                        | v18.06     | v20.10  |
-| Removed    | [`--disable-legacy-registry` override daemon option](#--disable-legacy-registry-override-daemon-option)                            | v17.12     | v19.03  |
-| Removed    | [Interacting with V1 registries](#interacting-with-v1-registries)                                                                  | v17.06     | v17.12  |
-| Removed    | [Asynchronous `service create` and `service update` as default](#asynchronous-service-create-and-service-update-as-default)        | v17.05     | v17.10  |
-| Removed    | [`-g` and `--graph` flags on `dockerd`](#-g-and---graph-flags-on-dockerd)                                                          | v17.05     | -       |
-| Deprecated | [Top-level network properties in NetworkSettings](#top-level-network-properties-in-networksettings)                                | v1.13      | v17.12  |
-| Removed    | [`filter` param for `/images/json` endpoint](#filter-param-for-imagesjson-endpoint)                                                | v1.13      | v20.10  |
-| Removed    | [`repository:shortid` image references](#repositoryshortid-image-references)                                                       | v1.13      | v17.12  |
-| Removed    | [`docker daemon` subcommand](#docker-daemon-subcommand)                                                                            | v1.13      | v17.12  |
-| Removed    | [Duplicate keys with conflicting values in engine labels](#duplicate-keys-with-conflicting-values-in-engine-labels)                | v1.13      | v17.12  |
-| Deprecated | [`MAINTAINER` in Dockerfile](#maintainer-in-dockerfile)                                                                            | v1.13      | -       |
-| Deprecated | [API calls without a version](#api-calls-without-a-version)                                                                        | v1.13      | v17.12  |
-| Removed    | [Backing filesystem without `d_type` support for overlay/overlay2](#backing-filesystem-without-d_type-support-for-overlayoverlay2) | v1.13      | v17.12  |
-| Removed    | [`--automated` and `--stars` flags on `docker search`](#--automated-and---stars-flags-on-docker-search)                            | v1.12      | v20.10  |
-| Deprecated | [`-h` shorthand for `--help`](#-h-shorthand-for---help)                                                                            | v1.12      | v17.09  |
-| Removed    | [`-e` and `--email` flags on `docker login`](#-e-and---email-flags-on-docker-login)                                                | v1.11      | v17.06  |
-| Deprecated | [Separator (`:`) of `--security-opt` flag on `docker run`](#separator--of---security-opt-flag-on-docker-run)                       | v1.11      | v17.06  |
-| Deprecated | [Ambiguous event fields in API](#ambiguous-event-fields-in-api)                                                                    | v1.10      | -       |
-| Removed    | [`-f` flag on `docker tag`](#-f-flag-on-docker-tag)                                                                                | v1.10      | v1.12   |
-| Removed    | [HostConfig at API container start](#hostconfig-at-api-container-start)                                                            | v1.10      | v1.12   |
-| Removed    | [`--before` and `--since` flags on `docker ps`](#--before-and---since-flags-on-docker-ps)                                          | v1.10      | v1.12   |
-| Removed    | [Driver-specific log tags](#driver-specific-log-tags)                                                                              | v1.9       | v1.12   |
-| Removed    | [Docker Content Trust `ENV` passphrase variables name change](#docker-content-trust-env-passphrase-variables-name-change)          | v1.9       | v1.12   |
-| Removed    | [`/containers/(id or name)/copy` endpoint](#containersid-or-namecopy-endpoint)                                                     | v1.8       | v1.12   |
-| Removed    | [LXC built-in exec driver](#lxc-built-in-exec-driver)                                                                              | v1.8       | v1.10   |
-| Removed    | [Old Command Line Options](#old-command-line-options)                                                                              | v1.8       | v1.10   |
-| Removed    | [`--api-enable-cors` flag on `dockerd`](#--api-enable-cors-flag-on-dockerd)                                                        | v1.6       | v17.09  |
-| Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13   |
-| Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12   |
+| Status     | Feature                                                                                                                            | Deprecated | Remove |
+|------------|------------------------------------------------------------------------------------------------------------------------------------|------------|--------|
+| Deprecated | [OOM-score adjust for the daemon](#oom-score-adjust-for-the-daemon)                                                                | v24.0      | v25.0  |
+| Removed    | [Buildkit build information](#buildkit-build-information)                                                                          | v23.0      | v24.0  |
+| Deprecated | [Legacy builder for Linux images](#legacy-builder-for-linux-images)                                                                | v23.0      | -      |
+| Deprecated | [Legacy builder fallback](#legacy-builder-fallback)                                                                                | v23.0      | -      |
+| Removed    | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | v23.0  |
+| Removed    | [Support for encrypted TLS private keys](#support-for-encrypted-tls-private-keys)                                                  | v20.10     | v23.0  |
+| Removed    | [Kubernetes stack and context support](#kubernetes-stack-and-context-support)                                                      | v20.10     | v23.0  |
+| Deprecated | [Pulling images from non-compliant image registries](#pulling-images-from-non-compliant-image-registries)                          | v20.10     | -      |
+| Removed    | [Linux containers on Windows (LCOW)](#linux-containers-on-windows-lcow-experimental)                                               | v20.10     | v23.0  |
+| Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options-with-cgroups-v1)                                                      | v20.10     | -      |
+| Removed    | [Kernel memory limit](#kernel-memory-limit)                                                                                        | v20.10     | v23.0  |
+| Removed    | [Classic Swarm and overlay networks using external key/value stores](#classic-swarm-and-overlay-networks-using-cluster-store)      | v20.10     | v23.0  |
+| Removed    | [Support for the legacy `~/.dockercfg` configuration file for authentication](#support-for-legacy-dockercfg-configuration-files)   | v20.10     | v23.0  |
+| Deprecated | [CLI plugins support](#cli-plugins-support)                                                                                        | v20.10     | -      |
+| Deprecated | [Dockerfile legacy `ENV name value` syntax](#dockerfile-legacy-env-name-value-syntax)                                              | v20.10     | -      |
+| Removed    | [`docker build --stream` flag (experimental)](#docker-build---stream-flag-experimental)                                            | v20.10     | v20.10 |
+| Deprecated | [`fluentd-async-connect` log opt](#fluentd-async-connect-log-opt)                                                                  | v20.10     | -      |
+| Removed    | [Configuration options for experimental CLI features](#configuration-options-for-experimental-cli-features)                        | v19.03     | v23.0  |
+| Deprecated | [Pushing and pulling with image manifest v2 schema 1](#pushing-and-pulling-with-image-manifest-v2-schema-1)                        | v19.03     | v20.10 |
+| Removed    | [`docker engine` subcommands](#docker-engine-subcommands)                                                                          | v19.03     | v20.10 |
+| Removed    | [Top-level `docker deploy` subcommand (experimental)](#top-level-docker-deploy-subcommand-experimental)                            | v19.03     | v20.10 |
+| Removed    | [`docker stack deploy` using "dab" files (experimental)](#docker-stack-deploy-using-dab-files-experimental)                        | v19.03     | v20.10 |
+| Removed    | [Support for the `overlay2.override_kernel_check` storage option](#support-for-the-overlay2override_kernel_check-storage-option)   | v19.03     | v24.0  |
+| Removed    | [AuFS storage driver](#aufs-storage-driver)                                                                                        | v19.03     | v24.0  |
+| Removed    | [Legacy "overlay" storage driver](#legacy-overlay-storage-driver)                                                                  | v18.09     | v24.0  |
+| Disabled   | [Device mapper storage driver](#device-mapper-storage-driver)                                                                      | v18.09     | -      |
+| Removed    | [Use of reserved namespaces in engine labels](#use-of-reserved-namespaces-in-engine-labels)                                        | v18.06     | v20.10 |
+| Removed    | [`--disable-legacy-registry` override daemon option](#--disable-legacy-registry-override-daemon-option)                            | v17.12     | v19.03 |
+| Removed    | [Interacting with V1 registries](#interacting-with-v1-registries)                                                                  | v17.06     | v17.12 |
+| Removed    | [Asynchronous `service create` and `service update` as default](#asynchronous-service-create-and-service-update-as-default)        | v17.05     | v17.10 |
+| Removed    | [`-g` and `--graph` flags on `dockerd`](#-g-and---graph-flags-on-dockerd)                                                          | v17.05     | -      |
+| Deprecated | [Top-level network properties in NetworkSettings](#top-level-network-properties-in-networksettings)                                | v1.13      | v17.12 |
+| Removed    | [`filter` param for `/images/json` endpoint](#filter-param-for-imagesjson-endpoint)                                                | v1.13      | v20.10 |
+| Removed    | [`repository:shortid` image references](#repositoryshortid-image-references)                                                       | v1.13      | v17.12 |
+| Removed    | [`docker daemon` subcommand](#docker-daemon-subcommand)                                                                            | v1.13      | v17.12 |
+| Removed    | [Duplicate keys with conflicting values in engine labels](#duplicate-keys-with-conflicting-values-in-engine-labels)                | v1.13      | v17.12 |
+| Deprecated | [`MAINTAINER` in Dockerfile](#maintainer-in-dockerfile)                                                                            | v1.13      | -      |
+| Deprecated | [API calls without a version](#api-calls-without-a-version)                                                                        | v1.13      | v17.12 |
+| Removed    | [Backing filesystem without `d_type` support for overlay/overlay2](#backing-filesystem-without-d_type-support-for-overlayoverlay2) | v1.13      | v17.12 |
+| Removed    | [`--automated` and `--stars` flags on `docker search`](#--automated-and---stars-flags-on-docker-search)                            | v1.12      | v20.10 |
+| Deprecated | [`-h` shorthand for `--help`](#-h-shorthand-for---help)                                                                            | v1.12      | v17.09 |
+| Removed    | [`-e` and `--email` flags on `docker login`](#-e-and---email-flags-on-docker-login)                                                | v1.11      | v17.06 |
+| Deprecated | [Separator (`:`) of `--security-opt` flag on `docker run`](#separator--of---security-opt-flag-on-docker-run)                       | v1.11      | v17.06 |
+| Deprecated | [Ambiguous event fields in API](#ambiguous-event-fields-in-api)                                                                    | v1.10      | -      |
+| Removed    | [`-f` flag on `docker tag`](#-f-flag-on-docker-tag)                                                                                | v1.10      | v1.12  |
+| Removed    | [HostConfig at API container start](#hostconfig-at-api-container-start)                                                            | v1.10      | v1.12  |
+| Removed    | [`--before` and `--since` flags on `docker ps`](#--before-and---since-flags-on-docker-ps)                                          | v1.10      | v1.12  |
+| Removed    | [Driver-specific log tags](#driver-specific-log-tags)                                                                              | v1.9       | v1.12  |
+| Removed    | [Docker Content Trust `ENV` passphrase variables name change](#docker-content-trust-env-passphrase-variables-name-change)          | v1.9       | v1.12  |
+| Removed    | [`/containers/(id or name)/copy` endpoint](#containersid-or-namecopy-endpoint)                                                     | v1.8       | v1.12  |
+| Removed    | [LXC built-in exec driver](#lxc-built-in-exec-driver)                                                                              | v1.8       | v1.10  |
+| Removed    | [Old Command Line Options](#old-command-line-options)                                                                              | v1.8       | v1.10  |
+| Removed    | [`--api-enable-cors` flag on `dockerd`](#--api-enable-cors-flag-on-dockerd)                                                        | v1.6       | v17.09 |
+| Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13  |
+| Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12  |
 
 ### OOM-score adjust for the daemon
 
-**Deprecated in Release: v24.0.0**
-**Target For Removal In Release: v25.0.0**
+**Deprecated in Release: v24.0**
+**Target For Removal In Release: v25.0**
 
 The `oom-score-adjust` option was added to prevent the daemon from being
 OOM-killed before other processes. This option was mostly added as a
@@ -128,8 +128,8 @@ the daemon.
 
 ### Buildkit build information
 
-**Deprecated in Release: v23.0.0**
-**Removed in Release: v24.0.0**
+**Deprecated in Release: v23.0**
+**Removed in Release: v24.0**
 
 [Build information](https://github.com/moby/buildkit/blob/v0.11/docs/buildinfo.md)
 structures have been introduced in [BuildKit v0.10.0](https://github.com/moby/buildkit/releases/tag/v0.10.0)
@@ -140,9 +140,9 @@ information is also embedded into the image configuration if one is generated.
 
 ### Legacy builder for Linux images
 
-**Deprecated in Release: v23.0.0**
+**Deprecated in Release: v23.0**
 
-Docker v23.0.0 now uses BuildKit by default to build Linux images, and uses the
+Docker v23.0 now uses BuildKit by default to build Linux images, and uses the
 [Buildx](https://docs.docker.com/buildx/working-with-buildx/) CLI component for
 `docker build`. With this change, `docker build` now exposes all advanced features
 that BuildKit provides and which were previously only available through the
@@ -171,14 +171,14 @@ you to report issues in the [BuildKit issue tracker on GitHub](https://github.co
 
 ### Legacy builder fallback 
 
-**Deprecated in Release: v23.0.0**
+**Deprecated in Release: v23.0**
 
-[Docker v23.0.0 now uses BuildKit by default to build Linux images](#legacy-builder-for-linux-images),
+[Docker v23.0 now uses BuildKit by default to build Linux images](#legacy-builder-for-linux-images),
 which requires the Buildx component to build images with BuildKit. There may be
 situations where the Buildx component is not available, and BuildKit cannot be
 used.
 
-To provide a smooth transition to BuildKit as the default builder, Docker v23.0.0
+To provide a smooth transition to BuildKit as the default builder, Docker v23.0
 has an automatic fallback for some situations, or produces an error to assist
 users to resolve the problem.
 
@@ -217,7 +217,7 @@ be possible in a future release.
 
 ### Btrfs storage driver on CentOS 7 and RHEL 7
 
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 The `btrfs` storage driver on CentOS and RHEL was provided as a technology preview
 by CentOS and RHEL, but has been deprecated since the [Red Hat Enterprise Linux 7.4 release](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-btrfs),
@@ -231,7 +231,7 @@ of Docker will no longer provide this driver.
 
 **Deprecated in Release: v20.10**
 
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 Use of encrypted TLS private keys has been deprecated, and has been removed.
 Golang has deprecated support for legacy PEM encryption (as specified in
@@ -246,7 +246,7 @@ to decrypt the private key, and store it un-encrypted to continue using it.
 ### Kubernetes stack and context support
 
 **Deprecated in Release: v20.10**
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 Following the deprecation of [Compose on Kubernetes](https://github.com/docker/compose-on-kubernetes),
 support for Kubernetes in the `stack` and `context` commands has been removed from
@@ -307,7 +307,7 @@ major release.
 ### Linux containers on Windows (LCOW) (experimental)
 
 **Deprecated in Release: v20.10**
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 The experimental feature to run Linux containers on Windows (LCOW) was introduced
 as a technical preview in Docker 17.09. While many enhancements were made after
@@ -330,7 +330,7 @@ When using cgroups v2, the `--blkio-weight` options are implemented using
 ### Kernel memory limit
 
 **Deprecated in Release: v20.10**
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 Specifying kernel memory limit (`docker run --kernel-memory`) is no longer supported
 because the [Linux kernel deprecated `kmem.limit_in_bytes` in v5.4](https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0b5adf44cae99b3ebcc7).
@@ -358,7 +358,7 @@ take no effect.
 ### Classic Swarm and overlay networks using cluster store
 
 **Deprecated in Release: v20.10**
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 Standalone ("classic") Swarm has been deprecated, and with that the use of overlay
 networks using an external key/value store. The corresponding`--cluster-advertise`,
@@ -367,7 +367,7 @@ networks using an external key/value store. The corresponding`--cluster-advertis
 ### Support for legacy `~/.dockercfg` configuration files
 
 **Deprecated in Release: v20.10**
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 The docker CLI up until v1.7.0 used the `~/.dockercfg` file to store credentials
 after authenticating to a registry (`docker login`). Docker v1.7.0 replaced this
@@ -387,13 +387,13 @@ notifying the user that the legacy file is present, but ignored.
 
 **Deprecated in Release: v19.03**
 
-**Removed in Release: v23.0.0**
+**Removed in Release: v23.0**
 
 The `DOCKER_CLI_EXPERIMENTAL` environment variable and the corresponding `experimental`
 field in the CLI configuration file are deprecated. Experimental features are
 enabled by default, and these configuration options are no longer functional.
 
-Starting with v23.0.0, the Docker CLI no longer prints `Experimental` for the client
+Starting with v23.0, the Docker CLI no longer prints `Experimental` for the client
 in the output of `docker version`, and the field has been removed from the JSON
 format.
 
@@ -515,7 +515,7 @@ using compose files.
 ### Support for the `overlay2.override_kernel_check` storage option
 
 **Deprecated in Release: v19.03**
-**Removed in Release: v24.0.0**
+**Removed in Release: v24.0**
 
 This daemon configuration option disabled the Linux kernel version check used
 to detect if the kernel supported OverlayFS with multiple lower dirs, which is
@@ -526,14 +526,14 @@ option was no longer used.
 ### AuFS storage driver
 
 **Deprecated in Release: v19.03**
-**Removed in Release: v24.0.0**
+**Removed in Release: v24.0**
 
-The `aufs` storage driver is deprecated in favor of `overlay2`, and will
-be removed in a future release. Users of the `aufs` storage driver are
-recommended to migrate to a different storage driver, such as `overlay2`, which
-is now the default storage driver.
+The `aufs` storage driver is deprecated in favor of `overlay2`, and has been
+removed in a Docker Engine v24.0. Users of the `aufs` storage driver must
+migrate to a different storage driver, such as `overlay2`, before upgrading
+to Docker Engine v24.0.
 
-The `aufs` storage driver facilitates running Docker on distros that have no
+The `aufs` storage driver facilitated running Docker on distros that have no
 support for OverlayFS, such as Ubuntu 14.04 LTS, which originally shipped with
 a 3.14 kernel.
 
@@ -542,62 +542,26 @@ is available to all supported distros (as they are either on kernel 4.x, or have
 support for multiple lowerdirs backported), there is no reason to continue
 maintenance of the `aufs` storage driver.
 
-#### Disabled by default in v23.0.0
-
-Docker already prevented deprecated storage drivers from being automatically
-selected on new installations, but continued to use these drivers when upgrading
-existing installations. Starting with the v23.0.0 release, the Docker Engine will
-fail to start if a deprecated storage driver is used (see [moby#43378](https://github.com/moby/moby/pull/43378):
-
-```console
-failed to start daemon: error initializing graphdriver: prior storage driver
-aufs is deprecated and will be removed in a future release; update the the daemon
-configuration and explicitly choose this storage driver to continue using it;
-visit https://docs.docker.com/go/storage-driver/ for more information.
-```
-
-To continue using the storage driver, update the daemon configuration to use
-explicitly use the given storage driver. Users are encouraged to migrate to 
-different storage driver.
-
 ### Legacy overlay storage driver
 
 **Deprecated in Release: v18.09**
-**Removed in Release: v24.0.0**
+**Removed in Release: v24.0**
 
 The `overlay` storage driver is deprecated in favor of the `overlay2` storage
 driver, which has all the benefits of `overlay`, without its limitations (excessive
-inode consumption). The legacy `overlay` storage driver will be removed in a future
-release. Users of the `overlay` storage driver should migrate to the `overlay2`
-storage driver.
+inode consumption). The legacy `overlay` storage driver has been removed in 
+Docker Engine v24.0. Users of the `overlay` storage driver should migrate to the
+`overlay2` storage driver before upgrading to Docker Engine v24.0.
 
 The legacy `overlay` storage driver allowed using overlayFS-backed filesystems
 on pre 4.x kernels. Now that all supported distributions are able to run `overlay2`
 (as they are either on kernel 4.x, or have support for multiple lowerdirs
 backported), there is no reason to keep maintaining the `overlay` storage driver.
 
-#### Disabled by default in v23.0.0
-
-Docker already prevented deprecated storage drivers from being automatically
-selected on new installations, but continued to use these drivers when upgrading
-existing installations. Starting with the v23.0.0 release, the Docker Engine will
-fail to start if a deprecated storage driver is used (see [moby#43378](https://github.com/moby/moby/pull/43378):
-
-```console
-failed to start daemon: error initializing graphdriver: prior storage driver
-overlay is deprecated and will be removed in a future release; update the the daemon
-configuration and explicitly choose this storage driver to continue using it;
-visit https://docs.docker.com/go/storage-driver/ for more information.
-```
-
-To continue using the storage driver, update the daemon configuration to use
-explicitly use the given storage driver. Users are encouraged to migrate to
-different storage driver.
-
 ### Device mapper storage driver
 
 **Deprecated in Release: v18.09**
-**Disabled by default in Release: v23.0.0**
+**Disabled by default in Release: v23.0**
 
 The `devicemapper` storage driver is deprecated in favor of `overlay2`, and will
 be removed in a future release. Users of the `devicemapper` storage driver are
@@ -605,17 +569,17 @@ recommended to migrate to a different storage driver, such as `overlay2`, which
 is now the default storage driver.
 
 The `devicemapper` storage driver facilitates running Docker on older (3.x) kernels
-that have no support for other storage drivers (such as overlay2, or AUFS).
+that have no support for other storage drivers (such as overlay2, or btrfs).
 
 Now that support for `overlay2` is added to all supported distros (as they are
 either on kernel 4.x, or have support for multiple lowerdirs backported), there
 is no reason to continue maintenance of the `devicemapper` storage driver.
 
-#### Disabled by default in v23.0.0
+#### Disabled by default in v23.0
 
 Docker already prevented deprecated storage drivers from being automatically
 selected on new installations, but continued to use these drivers when upgrading
-existing installations. Starting with the v23.0.0 release, the Docker Engine will
+existing installations. Starting with the v23.0 release, the Docker Engine will
 fail to start if a deprecated storage driver is used (see [moby#43378](https://github.com/moby/moby/pull/43378):
 
 ```console
@@ -691,12 +655,12 @@ and `docker service scale` in Docker 17.10.
 
 **Deprecated In Release: v17.05**
 
-**Removed In Release: v23.0.0**
+**Removed In Release: v23.0**
 
 The `-g` or `--graph` flag for the `dockerd` or `docker daemon` command was
 used to indicate the directory in which to store persistent data and resource
 configuration and has been replaced with the more descriptive `--data-root`
-flag. These flags were deprecated and hidden in v17.05, and removed in v23.0.0.
+flag. These flags were deprecated and hidden in v17.05, and removed in v23.0.
 
 ### Top-level network properties in NetworkSettings
 
@@ -774,7 +738,7 @@ The overlay and overlay2 storage driver does not work as expected if the backing
 filesystem does not support `d_type`. For example, XFS does not support `d_type`
 if it is formatted with the `ftype=0` option.
 
-Support for these setups has been removed, and Docker v23.0.0 and up now fails to
+Support for these setups has been removed, and Docker v23.0 and up now fails to
 start when attempting to use the `overlay2` or `overlay` storage driver on a
 backing filesystem without `d_type` support.
 

docs/extend/plugins_graphdriver.md

@@ -25,7 +25,7 @@ advisory: experimental
 
 Docker graph driver plugins enable admins to use an external/out-of-process
 graph driver for use with Docker engine. This is an alternative to using the
-built-in storage drivers, such as aufs/overlay/devicemapper/btrfs.
+built-in storage drivers, such as overlay2.
 
 You need to install and enable the plugin and then restart the Docker daemon
 before using the plugin. See the following example for the correct ordering

docs/reference/commandline/attach.md

@@ -9,11 +9,11 @@ Attach local standard input, output, and error streams to a running container
 
 ### Options
 
-| Name            | Type     | Default | Description                                         |
-|:----------------|:---------|:--------|:----------------------------------------------------|
-| `--detach-keys` | `string` |         | Override the key sequence for detaching a container |
-| `--no-stdin`    |          |         | Do not attach STDIN                                 |
-| `--sig-proxy`   |          |         | Proxy all received signals to the process           |
+| Name                            | Type     | Default | Description                                         |
+|:--------------------------------|:---------|:--------|:----------------------------------------------------|
+| [`--detach-keys`](#detach-keys) | `string` |         | Override the key sequence for detaching a container |
+| `--no-stdin`                    |          |         | Do not attach STDIN                                 |
+| `--sig-proxy`                   |          |         | Proxy all received signals to the process           |
 
 
 <!---MARKER_GEN_END-->
@@ -56,30 +56,6 @@ performance critical applications that generate a lot of output in the
 foreground over a slow client connection. Instead, users should use the
 `docker logs` command to get access to the logs.
 
-### Override the detach sequence
-
-If you want, you can configure an override the Docker key sequence for detach.
-This is useful if the Docker default sequence conflicts with key sequence you
-use for other applications. There are two ways to define your own detach key
-sequence, as a per-container override or as a configuration property on  your
-entire configuration.
-
-To override the sequence for an individual container, use the
-`--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
-the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
-the following:
-
-* `a-z` (a single lowercase alpha character )
-* `@` (at sign)
-* `[` (left bracket)
-* `\\` (two backward slashes)
-*  `_` (underscore)
-* `^` (caret)
-
-These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
-sequences. To configure a different configuration default key sequence for all
-containers, see [**Configuration file** section](cli.md#configuration-files).
-
 ## Examples
 
 ### Attach to and detach from a running container
@@ -168,3 +144,27 @@ $ docker ps -a --filter name=test
 CONTAINER ID   IMAGE     COMMAND     CREATED              STATUS                       PORTS     NAMES
 a2fe3fd886db   alpine    "/bin/sh"   About a minute ago   Exited (13) 40 seconds ago             test
 ```
+
+### <a name="detach-keys"></a> Override the detach sequence (--detach-keys)
+
+Use the `--detach-keys` option to override the Docker key sequence for detach.
+This is useful if the Docker default sequence conflicts with key sequence you
+use for other applications. There are two ways to define your own detach key
+sequence, as a per-container override or as a configuration property on  your
+entire configuration.
+
+To override the sequence for an individual container, use the
+`--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
+the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
+the following:
+
+* `a-z` (a single lowercase alpha character )
+* `@` (at sign)
+* `[` (left bracket)
+* `\\` (two backward slashes)
+*  `_` (underscore)
+* `^` (caret)
+
+These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
+sequences. To configure a different configuration default key sequence for all
+containers, see [**Configuration file** section](cli.md#configuration-files).

docs/reference/commandline/build.md

@@ -14,7 +14,7 @@ Build an image from a Dockerfile
 | [`--add-host`](#add-host)           | `list`        |           | Add a custom host-to-IP mapping (`host:ip`)                       |
 | [`--build-arg`](#build-arg)         | `list`        |           | Set build-time variables                                          |
 | [`--cache-from`](#cache-from)       | `stringSlice` |           | Images to consider as cache sources                               |
-| [`--cgroup-parent`](#cgroup-parent) | `string`      |           | Optional parent cgroup for the container                          |
+| [`--cgroup-parent`](#cgroup-parent) | `string`      |           | Set the parent cgroup for the `RUN` instructions during build     |
 | `--compress`                        |               |           | Compress the build context using gzip                             |
 | `--cpu-period`                      | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) period              |
 | `--cpu-quota`                       | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) quota               |
@@ -458,7 +458,17 @@ You can add other hosts into a container's `/etc/hosts` file by using one or
 more `--add-host` flags. This example adds a static address for a host named
 `docker`:
 
-    $ docker build --add-host=docker:10.180.0.1 .
+```console
+$ docker build --add-host docker:10.180.0.1 .
+```
+
+If you need your build to connect to services running on the host, you can use
+the special `host-gateway` value for `--add-host`. In the following example,
+build containers resolve `host.docker.internal` to the host's gateway IP.
+
+```console
+$ docker build --add-host host.docker.internal:host-gateway .
+```
 
 ### <a name="target"></a> Specifying target build stage (--target)
 

docs/reference/commandline/builder_build.md

@@ -14,7 +14,7 @@ Build an image from a Dockerfile
 | `--add-host`              | `list`        |           | Add a custom host-to-IP mapping (`host:ip`)                       |
 | `--build-arg`             | `list`        |           | Set build-time variables                                          |
 | `--cache-from`            | `stringSlice` |           | Images to consider as cache sources                               |
-| `--cgroup-parent`         | `string`      |           | Optional parent cgroup for the container                          |
+| `--cgroup-parent`         | `string`      |           | Set the parent cgroup for the `RUN` instructions during build     |
 | `--compress`              |               |           | Compress the build context using gzip                             |
 | `--cpu-period`            | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) period              |
 | `--cpu-quota`             | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) quota               |

docs/reference/commandline/cli.md

@@ -92,18 +92,18 @@ The base command for the Docker CLI.
 
 ### Options
 
-| Name                | Type     | Default                  | Description                                                                                                                           |
-|:--------------------|:---------|:-------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|
-| `--config`          | `string` | `/root/.docker`          | Location of client config files                                                                                                       |
-| `-c`, `--context`   | `string` |                          | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
-| `-D`, `--debug`     |          |                          | Enable debug mode                                                                                                                     |
-| `-H`, `--host`      | `list`   |                          | Daemon socket(s) to connect to                                                                                                        |
-| `-l`, `--log-level` | `string` | `info`                   | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`)                                                                     |
-| `--tls`             |          |                          | Use TLS; implied by --tlsverify                                                                                                       |
-| `--tlscacert`       | `string` | `/root/.docker/ca.pem`   | Trust certs signed only by this CA                                                                                                    |
-| `--tlscert`         | `string` | `/root/.docker/cert.pem` | Path to TLS certificate file                                                                                                          |
-| `--tlskey`          | `string` | `/root/.docker/key.pem`  | Path to TLS key file                                                                                                                  |
-| `--tlsverify`       |          |                          | Use TLS and verify the remote                                                                                                         |
+| Name                             | Type     | Default                  | Description                                                                                                                           |
+|:---------------------------------|:---------|:-------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|
+| `--config`                       | `string` | `/root/.docker`          | Location of client config files                                                                                                       |
+| `-c`, `--context`                | `string` |                          | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
+| `-D`, `--debug`                  |          |                          | Enable debug mode                                                                                                                     |
+| [`-H`](#host), [`--host`](#host) | `list`   |                          | Daemon socket to connect to                                                                                                           |
+| `-l`, `--log-level`              | `string` | `info`                   | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`)                                                                     |
+| `--tls`                          |          |                          | Use TLS; implied by --tlsverify                                                                                                       |
+| `--tlscacert`                    | `string` | `/root/.docker/ca.pem`   | Trust certs signed only by this CA                                                                                                    |
+| `--tlscert`                      | `string` | `/root/.docker/cert.pem` | Path to TLS certificate file                                                                                                          |
+| `--tlskey`                       | `string` | `/root/.docker/key.pem`  | Path to TLS key file                                                                                                                  |
+| `--tlsverify`                    |          |                          | Use TLS and verify the remote                                                                                                         |
 
 
 <!---MARKER_GEN_END-->
@@ -134,6 +134,7 @@ line:
 | `DOCKER_DEFAULT_PLATFORM`     | Default platform for commands that take the `--platform` flag.                                                                                                                                                                                               |
 | `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release. |
 | `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                                                                                                                                                 |
+| `DOCKER_TLS`                  | Enable TLS for connections made by the `docker` CLI (equivalent of the `--tls` command-line option). Set to a non-empty value to enable TLS. Note that TLS is enabled automatically if any of the other TLS options are set.                                 |
 | `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)                                                                                                                      |
 | `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`).                                                        |
 
@@ -240,7 +241,7 @@ credential store. When this property is set, `docker login` will attempt to
 store credentials in the binary specified by `docker-credential-<value>` which
 is visible on `$PATH`. If this property is not set, credentials will be stored
 in the `auths` property of the config. For more information, see the
-[**Credentials store** section in the `docker login` documentation](login.md#credentials-store)
+[**Credential stores** section in the `docker login` documentation](login.md#credential-stores)
 
 The property `credHelpers` specifies a set of credential helpers to use
 preferentially over `credsStore` or `auths` when storing and retrieving
@@ -378,6 +379,56 @@ list of root Certificate Authorities.
 
 ## Examples
 
+### <a name="host"></a> Specify daemon host (-H, --host)
+
+You can use the `-H`, `--host` flag to specify a socket to use when you invoke
+a `docker` command. You can use the following protocols:
+
+| Scheme                                 | Description               | Example                          |
+|----------------------------------------|---------------------------|----------------------------------|
+| `unix://[<path>]`                      | Unix socket (Linux only)  | `unix:///var/run/docker.sock`    |
+| `tcp://[<IP or host>[:port]]`          | TCP connection            | `tcp://174.17.0.1:2376`          |
+| `ssh://[username@]<IP or host>[:port]` | SSH connection            | `ssh://user@192.168.64.5`        |
+| `npipe://[<name>]`                     | Named pipe (Windows only) | `npipe:////./pipe/docker_engine` |
+
+If you don't specify the `-H` flag, and you're not using a custom
+[context](https://docs.docker.com/engine/context/working-with-contexts),
+commands use the following default sockets:
+
+- `unix:///var/run/docker.sock` on macOS and Linux
+- `npipe:////./pipe/docker_engine` on Windows
+
+To achieve a similar effect without having to specify the `-H` flag for every
+command, you could also [create a context](context_create.md),
+or alternatively, use the
+[`DOCKER_HOST` environment variable](#environment-variables).
+
+For more information about the `-H` flag, see
+[Daemon socket option](dockerd.md#daemon-socket-option).
+
+#### Using TCP sockets
+
+The following example shows how to invoke `docker ps` over TCP, to a remote
+daemon with IP address `174.17.0.1`, listening on port `2376`:
+
+```console
+$ docker -H tcp://174.17.0.1:2376 ps
+```
+
+> **Note**
+>
+> By convention, the Docker daemon uses port `2376` for secure TLS connections,
+> and port `2375` for insecure, non-TLS connections.
+
+#### Using SSH sockets
+
+When you use SSH invoke a command on a remote daemon, the request gets forwarded
+to the `/var/run/docker.sock` Unix socket on the SSH host.
+
+```console
+$ docker -H ssh://user@192.168.64.5 ps
+```
+
 ### Display help text
 
 To list the help on any command just execute the command, followed by the

docs/reference/commandline/config_inspect.md

@@ -20,7 +20,7 @@ Inspects the specified config.
 By default, this renders all results in a JSON array. If a format is specified,
 the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
+Go's [text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 For detailed information about using configs, refer to [store configuration data using Docker Configs](https://docs.docker.com/engine/swarm/configs/).

docs/reference/commandline/dockerd.md

@@ -323,7 +323,7 @@ $ docker -H tcp://127.0.0.1:2375 pull ubuntu
 ### Daemon storage-driver
 
 On Linux, the Docker daemon has support for several different image layer storage
-drivers: `aufs`, `devicemapper`, `btrfs`, `zfs`, `overlay`, `overlay2`, and `fuse-overlayfs`.
+drivers: `overlay2`, `fuse-overlayfs`, `btrfs`, `zfs`, and `devicemapper`.
 
 `overlay2` is the preferred storage driver for all currently supported Linux distributions,
 and is selected by default. Unless users have a strong reason to prefer another storage driver,
@@ -828,36 +828,197 @@ Defaults to 20G.
 C:\> dockerd --storage-opt size=40G
 ```
 
-### Docker runtime execution options
+### Runtime options
 
 The Docker daemon relies on a
 [OCI](https://github.com/opencontainers/runtime-spec) compliant runtime
 (invoked via the `containerd` daemon) as its interface to the Linux
 kernel `namespaces`, `cgroups`, and `SELinux`.
 
-By default, the Docker daemon automatically starts `containerd`. If you want to
-control `containerd` startup, manually start `containerd` and pass the path to
-the `containerd` socket using the `--containerd` flag. For example:
+#### Configure container runtimes
+
+By default, the Docker daemon uses runc as a container runtime.
+You can configure the daemon to add additional runtimes.
+
+containerd shims installed on `PATH` can be used directly, without the need
+to edit the daemon's configuration. For example, if you install the Kata
+Containers shim (`containerd-shim-kata-v2`) on `PATH`, then you can select that
+runtime with `docker run` without having to edit the daemon's configuration:
 
 ```console
-$ sudo dockerd --containerd /var/run/dev/docker-containerd.sock
+$ docker run --runtime io.containerd.kata.v2
 ```
 
-Runtimes can be registered with the daemon either via the
-configuration file or using the `--add-runtime` command line argument.
+Container runtimes that don't implement containerd shims, or containerd shims
+installed outside of `PATH`, must be registered with the daemon, either via the
+configuration file or using the `--add-runtime` command line flag.
 
-The following is an example adding 2 runtimes via the configuration:
+For examples on how to use other container runtimes, see
+[Alternative container runtimes](https://docs.docker.com/engine/alternative-runtimes/)
+
+##### Configure runtimes using `daemon.json`
+
+To register and configure container runtimes using the daemon's configuration
+file, add the runtimes as entries under `runtimes`:
 
 ```json
 {
-  "default-runtime": "runc",
   "runtimes": {
-    "custom": {
-      "path": "/usr/local/bin/my-runc-replacement",
-      "runtimeArgs": [
-        "--debug"
-      ]
+    "<runtime>": {}
+  }
+}
+```
+
+The key of the entry (`<runtime>` in the previous example) represents the name
+of the runtime. This is the name that you reference when you run a container,
+using `docker run --runtime <runtime>`.
+
+The runtime entry contains an object specifying the configuration for your
+runtime. The properties of the object depends on what kind of runtime you're
+looking to register:
+
+- If the runtime implements its own containerd shim, the object shall contain
+  a `runtimeType` field and an optional `options` field.
+
+  ```json
+  {
+    "runtimes": {
+      "<runtime>": {
+        "runtimeType": "<name-or-path>",
+        "options": {}
+      }
+    }
+  }
+  ```
+
+  See [Configure shims](#configure-containerd-shims).
+
+- If the runtime is designed to be a drop-in replacement for runc,
+  the object contains a `path` field, and an optional `runtimeArgs` field.
+
+  ```json
+  {
+    "runtimes": {
+      "<runtime>": {
+        "path": "/path/to/bin",
+        "runtimeArgs": ["...args"]
+      }
+    }
+  }
+  ```
+
+  See [Configure runc drop-in replacements](#configure-runc-drop-in-replacements).
+
+After changing the runtimes configuration in the configuration file,
+you must reload or restart the daemon for changes to take effect:
+
+```console
+$ sudo systemctl reload dockerd
+```
+
+##### Configure containerd shims
+
+If the runtime that you want to register implements a containerd shim,
+or if you want to register a runtime which uses the runc shim,
+use the following format for the runtime entry:
+
+```json
+{
+  "runtimes": {
+    "<runtime>": {
+      "runtimeType": "<name-or-path>",
+      "options": {}
+    }
+  }
+}
+```
+
+`runtimeType` refers to either:
+
+- A fully qualified name of a containerd shim.
+
+  The fully qualified name of a shim is the same as the `runtime_type` used to
+  register the runtime in containerd's CRI configuration.
+  For example, `io.containerd.runsc.v1`.
+
+- The path of a containerd shim binary.
+
+  This option is useful if you installed the containerd shim binary outside of
+  `PATH`.
+
+`options` is optional. It lets you specify the runtime configuration that you
+want to use for the shim. The configuration parameters that you can specify in
+`options` depends on the runtime you're registering. For most shims,
+the supported configuration options are `TypeUrl` and `ConfigPath`.
+For example:
+
+```json
+{
+  "runtimes": {
+    "gvisor": {
+      "runtimeType": "io.containerd.runsc.v1",
+      "options": {
+        "TypeUrl": "io.containerd.runsc.v1.options",
+        "ConfigPath": "/etc/containerd/runsc.toml",
+      }
+    }
+  }
+}
+```
+
+You can configure multiple runtimes using the same runtimeType. For example:
+
+```json
+{
+  "runtimes": {
+    "gvisor-foo": {
+      "runtimeType": "io.containerd.runsc.v1",
+      "options": {
+        "TypeUrl": "io.containerd.runsc.v1.options",
+        "ConfigPath": "/etc/containerd/runsc-foo.toml"
+      }
     },
+    "gvisor-bar": {
+      "runtimeType": "io.containerd.runsc.v1",
+      "options": {
+        "TypeUrl": "io.containerd.runsc.v1.options",
+        "ConfigPath": "/etc/containerd/runsc-bar.toml"
+      }
+    }
+  }
+}
+```
+
+The `options` field takes a special set of configuration parameters when used
+with `"runtimeType": "io.containerd.runc.v2"`. For more information about runc
+parameters, refer to the runc configuration section in
+[CRI Plugin Config Guide](https://github.com/containerd/containerd/blob/v1.7.2/docs/cri/config.md#full-configuration).
+
+##### Configure runc drop-in replacements
+
+If the runtime that you want to register can act as a drop-in replacement for
+runc, you can register the runtime either using the daemon configuration file, 
+or using the `--add-runtime` flag for the `dockerd` cli.
+
+When you use the configuration file, the entry uses the following format:
+
+```json
+{
+  "runtimes": {
+    "<runtime>": {
+      "path": "/path/to/binary",
+      "runtimeArgs": ["...args"]
+    }
+  }
+}
+```
+
+Where `path` is either the absolute path to the runtime executable, or the name
+of an executable installed on `PATH`:
+
+```json
+{
+  "runtimes": {
     "runc": {
       "path": "runc"
     }
@@ -865,24 +1026,58 @@ The following is an example adding 2 runtimes via the configuration:
 }
 ```
 
-This is the same example via the command line:
+And `runtimeArgs` lets you optionally pass additional arguments to the runtime.
+Entries with this format use the containerd runc shim to invoke a custom
+runtime binary.
+
+When you use the `--add-runtime` CLI flag, use the following format:
 
 ```console
-$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
+$ sudo dockerd --add-runtime <runtime>=<path>
 ```
 
-> **Note**
->
-> Defining runtime arguments via the command line is not supported.
+Defining runtime arguments via the command line is not supported.
 
-#### Options for the runtime
+For an example configuration for a runc drop-in replacment, see
+[Alternative container runtimes > youki](https://docs.docker.com/engine/alternative-runtimes/#youki)
 
-You can configure the runtime using options specified
-with the `--exec-opt` flag. All the flag's options have the `native` prefix. A
-single `native.cgroupdriver` option is available.
+##### Configure the default container runtime
 
-The `native.cgroupdriver` option specifies the management of the container's
-cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
+You can specify either the name of a fully qualified containerd runtime shim,
+or the name of a registered runtime. You can specify the default runtime either
+using the daemon configuration file, or using the `--default-runtime` flag for
+the `dockerd` cli.
+
+When you use the configuration file, the entry uses the following format:
+
+```json
+{
+  "default-runtime": "io.containerd.runsc.v1"
+}
+```
+
+When you use the `--default-runtime` CLI flag, use the following format:
+
+```console
+$ dockerd --default-runtime io.containerd.runsc.v1
+```
+
+#### Run containerd standalone
+
+By default, the Docker daemon automatically starts `containerd`. If you want to
+control `containerd` startup, manually start `containerd` and pass the path to
+the `containerd` socket using the `--containerd` flag. For example:
+
+```console
+$ sudo dockerd --containerd /run/containerd/containerd.sock
+```
+
+#### Configure cgroup driver
+
+You can configure how the runtime should manage container cgroups, using the
+`--exec-opt native.cgroupdriver` CLI flag.
+
+You can only specify `cgroupfs` or `systemd`. If you specify
 `systemd` and it is not available, the system errors out. If you omit the
 `native.cgroupdriver` option,` cgroupfs` is used on cgroup v1 hosts, `systemd`
 is used on cgroup v2 hosts with systemd available.
@@ -895,16 +1090,19 @@ $ sudo dockerd --exec-opt native.cgroupdriver=systemd
 
 Setting this option applies to all containers the daemon launches.
 
-Also Windows Container makes use of `--exec-opt` for special purpose. Docker user
-can specify default container isolation technology with this, for example:
+#### Configure container isolation technology (Windows)
+
+For Windows containers, you can specify the default container isolation
+technology to use, using the `--exec-opt isolation` flag. 
+
+The following example makes `hyperv` the default isolation technology:
 
 ```console
 > dockerd --exec-opt isolation=hyperv
 ```
 
-Will make `hyperv` the default isolation technology on Windows. If no isolation
-value is specified on daemon start, on Windows client, the default is
-`hyperv`, and on Windows server, the default is `process`.
+If no isolation value is specified on daemon start, on Windows client,
+the default is `hyperv`, and on Windows server, the default is `process`.
 
 ### Daemon DNS options
 
@@ -1067,6 +1265,25 @@ the host.
 For details about how to use this feature, as well as limitations, see
 [Isolate containers with a user namespace](https://docs.docker.com/engine/security/userns-remap/).
 
+### Configure host gateway IP
+
+The Docker daemon supports a special `host-gateway` value for the `--add-host`
+flag for the `docker run` and `docker build` commands. This value resolves to
+the host's gateway IP and lets containers connect to services running on the
+host.
+
+By default, `host-gateway` resolves to the IP address of the default bridge.
+You can configure this to resolve to a different IP using the `--host-gateway-ip`
+flag for the dockerd command line interface, or the `host-gateway-ip` key in
+the daemon configuration file.
+
+```console
+$ dockerd --host-gateway-ip 192.0.2.0
+$ docker run -it --add-host host.docker.internal:host-gateway \
+  busybox ping host.docker.internal 
+PING host.docker.internal (192.0.2.0): 56 data bytes
+```
+
 ### Miscellaneous options
 
 IP masquerading uses address translation to allow containers without a public
@@ -1252,9 +1469,11 @@ This is a full example of the allowed configuration options on Linux:
   "fixed-cidr-v6": "",
   "group": "",
   "hosts": [],
-  "http-proxy": "http://proxy.example.com:80",
-  "https-proxy": "https://proxy.example.com:443",
-  "no-proxy": "*.test.example.com,.example.org",
+  "proxies": {
+    "http-proxy": "http://proxy.example.com:80",
+    "https-proxy": "https://proxy.example.com:443",
+    "no-proxy": "*.test.example.com,.example.org",
+  },
   "icc": false,
   "init": false,
   "init-path": "/usr/libexec/docker-init",

docs/reference/commandline/events.md

@@ -9,12 +9,12 @@ Get real time events from the server
 
 ### Options
 
-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#filter), [`--filter`](#filter) | `filter` |         | Filter output based on conditions provided    |
-| [`--format`](#format)                  | `string` |         | Format the output using the given Go template |
-| [`--since`](#since)                    | `string` |         | Show all events created since timestamp       |
-| `--until`                              | `string` |         | Stream events until this timestamp            |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#filter), [`--filter`](#filter) | `filter` |         | Filter output based on conditions provided                                                                                                                                                                                                                         |
+| [`--format`](#format)                  | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
+| [`--since`](#since)                    | `string` |         | Show all events created since timestamp                                                                                                                                                                                                                            |
+| `--until`                              | `string` |         | Stream events until this timestamp                                                                                                                                                                                                                                 |
 
 
 <!---MARKER_GEN_END-->
@@ -194,7 +194,7 @@ The currently supported filters are:
 
 If a format (`--format`) is specified, the given template will be executed
 instead of the default
-format. Go's [text/template](https://golang.org/pkg/text/template/) package
+format. Go's [text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 If a format is set to `{{json .}}`, the events are streamed as valid JSON
@@ -401,8 +401,11 @@ Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299
 
 #### Format as JSON
 
+To list events in JSON format, use the `json` directive, which is the equivalent
+of `--format '{{ json . }}`.
+
 ```console
-$ docker events --format '{{json .}}'
+$ docker events --format json
 
 {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
 {"status":"attach","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
@@ -410,3 +413,5 @@ $ docker events --format '{{json .}}'
 {"status":"start","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f42..
 {"status":"resize","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
 ```
+
+.

docs/reference/commandline/image_build.md

@@ -14,7 +14,7 @@ Build an image from a Dockerfile
 | `--add-host`              | `list`        |           | Add a custom host-to-IP mapping (`host:ip`)                       |
 | `--build-arg`             | `list`        |           | Set build-time variables                                          |
 | `--cache-from`            | `stringSlice` |           | Images to consider as cache sources                               |
-| `--cgroup-parent`         | `string`      |           | Optional parent cgroup for the container                          |
+| `--cgroup-parent`         | `string`      |           | Set the parent cgroup for the `RUN` instructions during build     |
 | `--compress`              |               |           | Compress the build context using gzip                             |
 | `--cpu-period`            | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) period              |
 | `--cpu-quota`             | `int64`       | `0`       | Limit the CPU CFS (Completely Fair Scheduler) quota               |

docs/reference/commandline/index.md

@@ -101,7 +101,7 @@ read the [`dockerd`](dockerd.md) reference page.
 | [volume create](volume_create.md)   | Creates a new volume where containers can consume and store data |
 | [volume inspect](volume_inspect.md) | Display information about a volume                               |
 | [volume ls](volume_ls.md)           | Lists all the volumes Docker knows about                         |
-| [volume prune](volume_prune.md)     | Remove all unused local volumes                                  |
+| [volume prune](volume_prune.md)     | Remove unused local volumes                                      |
 | [volume rm](volume_rm.md)           | Remove one or more volumes                                       |
 
 ### Swarm node commands

docs/reference/commandline/info.md

@@ -24,7 +24,7 @@ The number of images shown is the number of unique images. The same image tagged
 under different names is counted only once.
 
 If a format is specified, the given template will be executed instead of the
-default format. Go's [text/template](https://golang.org/pkg/text/template/) package
+default format. Go's [text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 Depending on the storage driver in use, additional information can be shown, such

docs/reference/commandline/inspect.md

@@ -24,7 +24,7 @@ By default, `docker inspect` will render results in a JSON array.
 
 If a format is specified, the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package describes
+Go's [text/template](https://pkg.go.dev/text/template) package describes
 all the details of the format.
 
 ### <a name="type"></a> Specify target type (--type)

docs/reference/commandline/login.md

@@ -56,27 +56,28 @@ credentials.  When you log in, the command stores credentials in
 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on
 Windows, via the procedure described below.
 
-### Credentials store
+### Credential stores
 
-The Docker Engine can keep user credentials in an external credentials store,
+The Docker Engine can keep user credentials in an external credential store,
 such as the native keychain of the operating system. Using an external store
 is more secure than storing credentials in the Docker configuration file.
 
-To use a credentials store, you need an external helper program to interact
+To use a credential store, you need an external helper program to interact
 with a specific keychain or external store. Docker requires the helper
 program to be in the client's host `$PATH`.
 
-This is the list of currently available credentials helpers and where
-you can download them from:
+You can download the helpers from the `docker-credential-helpers`
+[releases page](https://github.com/docker/docker-credential-helpers/releases).
+Helpers are available for the following credential stores:
 
-- D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
-- Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
-- Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
-- [pass](https://www.passwordstore.org/): https://github.com/docker/docker-credential-helpers/releases
+- D-Bus Secret Service
+- Apple macOS keychain
+- Microsoft Windows Credential Manager
+- [pass](https://www.passwordstore.org/)
 
-#### Configure the credentials store
+#### Configure the credential store
 
-You need to specify the credentials store in `$HOME/.docker/config.json`
+You need to specify the credential store in `$HOME/.docker/config.json`
 to tell the docker engine to use it. The value of the config property should be
 the suffix of the program to use (i.e. everything after `docker-credential-`).
 For example, to use `docker-credential-osxkeychain`:

docs/reference/commandline/logs.md

@@ -34,7 +34,7 @@ the container's `STDOUT` and `STDERR`.
 Passing a negative number or a non-integer to `--tail` is invalid and the
 value is set to `all` in that case.
 
-The `docker logs --timestamps` command will add an [RFC3339Nano timestamp](https://golang.org/pkg/time/#pkg-constants)
+The `docker logs --timestamps` command will add an [RFC3339Nano timestamp](https://pkg.go.dev/time#RFC3339Nano)
 , for example `2014-09-16T06:17:46.000000000Z`, to each
 log entry. To ensure that the timestamps are aligned the
 nano-second part of the timestamp will be padded with zero when necessary.

docs/reference/commandline/network_inspect.md

@@ -41,7 +41,7 @@ node are shown.
 
 You can specify an alternate format to execute a given
 template for each result. Go's
-[text/template](https://golang.org/pkg/text/template/) package describes all the
+[text/template](https://pkg.go.dev/text/template) package describes all the
 details of the format.
 
 ```console

docs/reference/commandline/node_inspect.md

@@ -18,7 +18,7 @@ Display detailed information on one or more nodes
 Returns information about a node. By default, this command renders all results
 in a JSON array. You can specify an alternate format to execute a
 given template for each result. Go's
-[text/template](https://golang.org/pkg/text/template/) package describes all the
+[text/template](https://pkg.go.dev/text/template) package describes all the
 details of the format.
 
 > **Note**

docs/reference/commandline/ps.md

@@ -32,9 +32,9 @@ Running `docker ps --no-trunc` showing 2 linked containers.
 ```console
 $ docker ps --no-trunc
 
-CONTAINER ID        IMAGE                        COMMAND                CREATED              STATUS              PORTS               NAMES
-4c01db0b339c        ubuntu:22.04                 bash                   17 seconds ago       Up 16 seconds       3300-3310/tcp       webapp
-d7886598dbe2        crosbymichael/redis:latest   /redis-server --dir    33 minutes ago       Up 33 minutes       6379/tcp            redis,webapp/db
+CONTAINER ID                                                     IMAGE                        COMMAND                CREATED              STATUS              PORTS               NAMES
+ca5534a51dd04bbcebe9b23ba05f389466cf0c190f1f8f182d7eea92a9671d00 ubuntu:22.04                 bash                   17 seconds ago       Up 16 seconds       3300-3310/tcp       webapp
+9ca9747b233100676a48cc7806131586213fa5dab86dd1972d6a8732e3a84a4d crosbymichael/redis:latest   /redis-server --dir    33 minutes ago       Up 33 minutes       6379/tcp            redis,webapp/db
 ```
 
 ### <a name="all"></a> Show both running and stopped containers (-a, --all)
@@ -174,9 +174,19 @@ Any of these events result in a `137` status:
 
 #### status
 
-The `status` filter matches containers by status. You can filter using
-`created`, `restarting`, `running`, `removing`, `paused`, `exited` and `dead`. For example,
-to filter for `running` containers:
+The `status` filter matches containers by status. The possible values for the container status are:
+
+| Status       | Description                                                                                                                                                                                     |
+| :----------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `created`    | A container that has never been started.                                                                                                                                                        |
+| `running`    | A running container, started by either `docker start` or `docker run`.                                                                                                                          |
+| `paused`     | A paused container. See `docker pause`.                                                                                                                                                         |
+| `restarting` | A container which is starting due to the designated restart policy for that container.                                                                                                          |
+| `exited`     | A container which is no longer running. For example, the process inside the container completed or the container was stopped using the `docker stop` command.                                   |
+| `removing`   | A container which is in the process of being removed. See `docker rm`.                                                                                                                          |
+| `dead`       | A "defunct" container; for example, a container that was only partially removed because resources were kept busy by an external process. `dead` containers cannot be (re)started, only removed. |
+
+For example, to filter for `running` containers:
 
 ```console
 $ docker ps --filter status=running

docs/reference/commandline/run.md

@@ -32,7 +32,7 @@ Create and run a new container from an image
 | `--cpuset-cpus`                               | `string`      |           | CPUs in which to allow execution (0-3, 0,1)                                                                                                                                                                                                                                                                      |
 | `--cpuset-mems`                               | `string`      |           | MEMs in which to allow execution (0-3, 0,1)                                                                                                                                                                                                                                                                      |
 | `-d`, `--detach`                              |               |           | Run container in background and print container ID                                                                                                                                                                                                                                                               |
-| `--detach-keys`                               | `string`      |           | Override the key sequence for detaching a container                                                                                                                                                                                                                                                              |
+| [`--detach-keys`](#detach-keys)               | `string`      |           | Override the key sequence for detaching a container                                                                                                                                                                                                                                                              |
 | [`--device`](#device)                         | `list`        |           | Add a host device to the container                                                                                                                                                                                                                                                                               |
 | [`--device-cgroup-rule`](#device-cgroup-rule) | `list`        |           | Add a rule to the cgroup allowed devices list                                                                                                                                                                                                                                                                    |
 | `--device-read-bps`                           | `list`        |           | Limit read rate (bytes per second) from a device                                                                                                                                                                                                                                                                 |
@@ -485,10 +485,12 @@ $ docker run -itd --network=my-net busybox
 ```
 
 You can also choose the IP addresses for the container with `--ip` and `--ip6`
-flags when you start the container on a user-defined network.
+flags when you start the container on a user-defined network. To assign a
+static IP to containers, you must specify subnet block for the network.
 
 ```console
-$ docker run -itd --network=my-net --ip=10.10.9.75 busybox
+$ docker network create --subnet 192.0.2.0/24 my-net
+$ docker run -itd --network=my-net --ip=192.0.2.69 busybox
 ```
 
 If you want to add a running container to a network use the `docker network connect` subcommand.
@@ -569,6 +571,30 @@ retrieve the container's ID once the container has finished running.
 
 See also [the `docker cp` command](cp.md).
 
+### <a name="detach-keys"></a> Override the detach sequence (--detach-keys)
+
+Use the `--detach-keys` option to override the Docker key sequence for detach.
+This is useful if the Docker default sequence conflicts with key sequence you
+use for other applications. There are two ways to define your own detach key
+sequence, as a per-container override or as a configuration property on  your
+entire configuration.
+
+To override the sequence for an individual container, use the
+`--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
+the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
+the following:
+
+* `a-z` (a single lowercase alpha character )
+* `@` (at sign)
+* `[` (left bracket)
+* `\\` (two backward slashes)
+*  `_` (underscore)
+* `^` (caret)
+
+These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
+sequences. To configure a different configuration default key sequence for all
+containers, see [**Configuration file** section](cli.md#configuration-files).
+
 ### <a name="device"></a> Add host device to container (--device)
 
 ```console
@@ -733,24 +759,28 @@ PING docker (93.184.216.34): 56 data bytes
 round-trip min/avg/max = 92.209/92.495/93.052 ms
 ```
 
-Sometimes you need to connect to the Docker host from within your
-container. To enable this, pass the Docker host's IP address to
-the container using the `--add-host` flag. To find the host's address,
-use the `ip addr show` command.
+The `--add-host` flag supports a special `host-gateway` value that resolves to
+the internal IP address of the host. This is useful when you want containers to
+connect to services running on the host machine.
 
-The flags you pass to `ip addr show` depend on whether you are
-using IPv4 or IPv6 networking in your containers. Use the following
-flags for IPv4 address retrieval for a network device named `eth0`:
+It's conventional to use `host.docker.internal` as the hostname referring to
+`host-gateway`. Docker Desktop automatically resolves this hostname, see
+[Explore networking features](https://docs.docker.com/desktop/networking/#i-want-to-connect-from-a-container-to-a-service-on-the-host).
+
+The following example shows how the special `host-gateway` value works. The
+example runs an HTTP server that serves a file from host to container over the
+`host.docker.internal` hostname, which resolves to the host's internal IP.
 
 ```console
-$ HOSTIP=`ip -4 addr show scope global dev eth0 | grep inet | awk '{print $2}' | cut -d / -f 1 | sed -n 1p`
-$ docker run  --add-host=docker:${HOSTIP} --rm -it debian
+$ echo "hello from host!" > ./hello
+$ python3 -m http.server 8000
+Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
+$ docker run \
+  --add-host host.docker.internal:host-gateway \
+  curlimages/curl -s host.docker.internal:8000/hello
+hello from host!
 ```
 
-For IPv6 use the `-6` flag instead of the `-4` flag. For other network
-devices, replace `eth0` with the correct device name (for example `docker0`
-for the bridge device).
-
 ### <a name="ulimit"></a> Set ulimits in container (--ulimit)
 
 Since setting `ulimit` settings in a container requires extra privileges not
@@ -948,4 +978,4 @@ The `docker run` command is equivalent to the following API calls:
   - If that call returns a 404 (image not found), and depending on the `--pull` option ("always", "missing", "never") the call can trigger a `docker pull <image>`.
 - `/containers/create` again after pulling the image.
 - `/containers/(id)/start` to start the container.
-- `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.
+- `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.

docs/reference/commandline/secret_inspect.md

@@ -20,7 +20,7 @@ Inspects the specified secret.
 By default, this renders all results in a JSON array. If a format is specified,
 the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
+Go's [text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/).

docs/reference/commandline/service_create.md

@@ -916,7 +916,7 @@ $ docker service create \
 The swarm extends my-network to each node running the service.
 
 Containers on the same network can access each other using
-[service discovery](https://docs.docker.com/network/overlay/#container-discovery).
+[service discovery](https://docs.docker.com/network/drivers/overlay/#container-discovery).
 
 Long form syntax of `--network` allows to specify list of aliases and driver options:
 `--network name=my-network,alias=web1,driver-opt=field1=value1`
@@ -1013,7 +1013,7 @@ registry value must be located in:
 ### Create services using templates
 
 You can use templates for some flags of `service create`, using the syntax
-provided by the Go's [text/template](https://golang.org/pkg/text/template/) package.
+provided by the Go's [text/template](https://pkg.go.dev/text/template) package.
 
 The supported flags are the following :
 

docs/reference/commandline/service_inspect.md

@@ -20,7 +20,7 @@ Inspects the specified service.
 By default, this renders all results in a JSON array. If a format is specified,
 the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
+Go's [text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 > **Note**

docs/reference/commandline/service_logs.md

@@ -50,7 +50,7 @@ the service's `STDOUT` and `STDERR`.
 Passing a negative number or a non-integer to `--tail` is invalid and the
 value is set to `all` in that case.
 
-The `docker service logs --timestamps` command will add an [RFC3339Nano timestamp](https://golang.org/pkg/time/#pkg-constants)
+The `docker service logs --timestamps` command will add an [RFC3339Nano timestamp](https://pkg.go.dev/time#RFC3339Nano)
 , for example `2014-09-16T06:17:46.000000000Z`, to each
 log entry. To ensure that the timestamps are aligned the
 nano-second part of the timestamp will be padded with zero when necessary.

docs/reference/commandline/system.md

@@ -5,13 +5,12 @@ Manage Docker
 
 ### Subcommands
 
-| Name                                 | Description                                                                      |
-|:-------------------------------------|:---------------------------------------------------------------------------------|
-| [`df`](system_df.md)                 | Show docker disk usage                                                           |
-| [`dial-stdio`](system_dial-stdio.md) | Proxy the stdio stream to the daemon connection. Should not be invoked manually. |
-| [`events`](system_events.md)         | Get real time events from the server                                             |
-| [`info`](system_info.md)             | Display system-wide information                                                  |
-| [`prune`](system_prune.md)           | Remove unused data                                                               |
+| Name                         | Description                          |
+|:-----------------------------|:-------------------------------------|
+| [`df`](system_df.md)         | Show docker disk usage               |
+| [`events`](system_events.md) | Get real time events from the server |
+| [`info`](system_info.md)     | Display system-wide information      |
+| [`prune`](system_prune.md)   | Remove unused data                   |
 
 
 

docs/reference/commandline/system_events.md

@@ -9,12 +9,12 @@ Get real time events from the server
 
 ### Options
 
-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#filter), [`--filter`](#filter) | `filter` |         | Filter output based on conditions provided    |
-| [`--format`](#format)                  | `string` |         | Format the output using the given Go template |
-| `--since`                              | `string` |         | Show all events created since timestamp       |
-| `--until`                              | `string` |         | Stream events until this timestamp            |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#filter), [`--filter`](#filter) | `filter` |         | Filter output based on conditions provided                                                                                                                                                                                                                         |
+| [`--format`](#format)                  | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
+| `--since`                              | `string` |         | Show all events created since timestamp                                                                                                                                                                                                                            |
+| `--until`                              | `string` |         | Stream events until this timestamp                                                                                                                                                                                                                                 |
 
 
 <!---MARKER_GEN_END-->
@@ -308,7 +308,7 @@ $ docker system events --filter 'type=plugin'
 ### <a name="format"></a> Format the output (--format)
 
 If a format (`--format`) is specified, the given template will be executed
-instead of the default format. Go's [text/template](https://golang.org/pkg/text/template/)
+instead of the default format. Go's [text/template](https://pkg.go.dev/text/template)
 package describes all the details of the format.
 
 ```console

docs/reference/commandline/system_prune.md

@@ -10,7 +10,7 @@ Remove unused data
 | `-a`, `--all`         |          |         | Remove all unused images not just dangling ones    |
 | [`--filter`](#filter) | `filter` |         | Provide filter values (e.g. `label=<key>=<value>`) |
 | `-f`, `--force`       |          |         | Do not prompt for confirmation                     |
-| `--volumes`           |          |         | Prune volumes                                      |
+| `--volumes`           |          |         | Prune anonymous volumes                            |
 
 
 <!---MARKER_GEN_END-->
@@ -50,7 +50,7 @@ Total reclaimed space: 1.84kB
 
 By default, volumes are not removed to prevent important data from being
 deleted if there is currently no container using the volume. Use the `--volumes`
-flag when running the command to prune volumes as well:
+flag when running the command to prune anonymous volumes as well:
 
 ```console
 $ docker system prune -a --volumes
@@ -58,7 +58,7 @@ $ docker system prune -a --volumes
 WARNING! This will remove:
         - all stopped containers
         - all networks not used by at least one container
-        - all volumes not used by at least one container
+        - all anonymous volumes not used by at least one container
         - all images without at least one container associated to them
         - all build cache
 Are you sure you want to continue? [y/N] y

docs/reference/commandline/tag.md

@@ -12,27 +12,45 @@ Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
 
 ## Description
 
-An image name is made up of slash-separated name components, optionally prefixed
-by a registry hostname. The hostname must comply with standard DNS rules, but
-may not contain underscores. If a hostname is present, it may optionally be
-followed by a port number in the format `:8080`. If not present, the command
-uses Docker's public registry located at `registry-1.docker.io` by default. Name
-components may contain lowercase letters, digits and separators. A separator
-is defined as a period, one or two underscores, or one or more hyphens. A name
-component may not start or end with a separator.
+A full image name has the following format and components:
 
-A tag name must be valid ASCII and may contain lowercase and uppercase letters,
-digits, underscores, periods and hyphens. A tag name may not start with a
-period or a hyphen and may contain a maximum of 128 characters.
+`[HOST[:PORT_NUMBER]/]PATH`
 
-You can group your images together using names and tags, and then upload them
-to [*Share images on Docker Hub*](https://docs.docker.com/get-started/part3/).
+- `HOST`: The optional registry hostname specifies where the image is located.
+The hostname must comply with standard DNS rules, but may not contain
+underscores. If the hostname is not specified, the command uses Docker's public
+registry at `registry-1.docker.io` by default. Note that `docker.io` is the
+canonical reference for Docker's public registry.
+- `PORT_NUMBER`: If a hostname is present, it may optionally be followed by a
+registry port number in the format `:8080`.
+- `PATH`: The path consists of slash-separated components. Each
+component may contain lowercase letters, digits and separators. A separator is
+defined as a period, one or two underscores, or one or more hyphens. A component
+may not start or end with a separator. While the
+[OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
+supports more than two slash-separated components, most registries only support
+two slash-separated components. For Docker's public registry, the path format is
+as follows:
+  - `[NAMESPACE/]REPOSITORY`: The first, optional component is typically a
+user's or an organization's namespace. The second, mandatory component is the
+repository name. When the namespace is not present, Docker uses `library`
+as the default namespace.
+
+After the image name, the optional `TAG` is a custom, human-readable manifest
+identifier that is typically a specific version or variant of an image. The tag
+must be valid ASCII and can contain lowercase and uppercase letters, digits,
+underscores, periods, and hyphens. It cannot start with a period or hyphen and
+must be no longer than 128 characters. If the tag is not specified, the command uses `latest` by default.
+
+You can group your images together using names and tags, and then
+[push](https://docs.docker.com/engine/reference/commandline/push) them to a
+registry.
 
 ## Examples
 
 ### Tag an image referenced by ID
 
-To tag a local image with ID "0e5574283393" into the "fedora" repository with
+To tag a local image with ID "0e5574283393" as "fedora/httpd" with the tag
 "version1.0":
 
 ```console
@@ -41,8 +59,7 @@ $ docker tag 0e5574283393 fedora/httpd:version1.0
 
 ### Tag an image referenced by Name
 
-To tag a local image with name "httpd" into the "fedora" repository with
-"version1.0":
+To tag a local image "httpd" as "fedora/httpd" with the tag "version1.0":
 
 ```console
 $ docker tag httpd fedora/httpd:version1.0
@@ -53,18 +70,18 @@ existing local version `httpd:latest`.
 
 ### Tag an image referenced by Name and Tag
 
-To tag a local image with name "httpd" and tag "test" into the "fedora"
-repository with "version1.0.test":
+To tag a local image with the name "httpd" and the tag "test" as "fedora/httpd"
+with the tag "version1.0.test":
 
 ```console
 $ docker tag httpd:test fedora/httpd:version1.0.test
 ```
 
-### Tag an image for a private repository
+### Tag an image for a private registry
 
-To push an image to a private registry and not the central Docker
-registry you must tag it with the registry hostname and port (if needed).
+To push an image to a private registry and not the public Docker registry you
+must include the registry hostname and port (if needed).
 
 ```console
 $ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
-```
+```

docs/reference/commandline/volume.md

@@ -10,7 +10,7 @@ Manage volumes
 | [`create`](volume_create.md)   | Create a volume                                     |
 | [`inspect`](volume_inspect.md) | Display detailed information on one or more volumes |
 | [`ls`](volume_ls.md)           | List volumes                                        |
-| [`prune`](volume_prune.md)     | Remove all unused local volumes                     |
+| [`prune`](volume_prune.md)     | Remove unused local volumes                         |
 | [`rm`](volume_rm.md)           | Remove one or more volumes                          |
 | [`update`](volume_update.md)   | Update a volume (cluster volumes only)              |
 

docs/reference/commandline/volume_inspect.md

@@ -17,7 +17,7 @@ Display detailed information on one or more volumes
 Returns information about a volume. By default, this command renders all results
 in a JSON array. You can specify an alternate format to execute a
 given template for each result. Go's
-[text/template](https://golang.org/pkg/text/template/) package describes all the
+[text/template](https://pkg.go.dev/text/template) package describes all the
 details of the format.
 
 ## Examples

docs/reference/commandline/volume_prune.md

@@ -1,7 +1,7 @@
 # volume prune
 
 <!---MARKER_GEN_START-->
-Remove all unused local volumes
+Remove unused local volumes
 
 ### Options
 

docs/reference/glossary.md

@@ -16,21 +16,10 @@ keywords: "glossary, docker, terms, definitions"
 
 A list of terms used around the Docker project.
 
-## aufs
-
-aufs (advanced multi layered unification filesystem) is a Linux [filesystem](#filesystem) that
-Docker supports as a storage backend. It implements the
-[union mount](https://en.wikipedia.org/wiki/Union_mount) for Linux file systems.
-
 ## base image
 
 An image that has no parent is a **base image**.
 
-## boot2docker
-
-[boot2docker](https://boot2docker.io/) is a lightweight Linux distribution made
-specifically to run Docker containers. The boot2docker management tool for Mac and Windows was deprecated and replaced by [`docker-machine`](#machine) which you can install with the Docker Toolbox.
-
 ## bridge
 
 In terms of generic networking, a bridge is a Link Layer device which forwards
@@ -183,7 +172,7 @@ and assign them locations for efficient storage and retrieval.
 
 Examples :
 
-- Linux : ext4, aufs, btrfs, zfs
+- Linux : ext4, btrfs, zfs
 - Windows : NTFS
 - macOS : HFS+
 
@@ -214,15 +203,6 @@ links provide a legacy interface to connect Docker containers running on the
 same host to each other without exposing the hosts' network ports. Use the
 Docker networks feature instead.
 
-## Machine
-
-[Machine](https://github.com/docker/machine) is a Docker tool which
-makes it really easy to create Docker hosts on  your computer, on
-cloud providers and inside your own data center. It creates servers,
-installs Docker on them, then configures the Docker client to talk to them.
-
-*Also known as : docker-machine*
-
 ## node
 
 A [node](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/) is a physical or virtual
@@ -328,38 +308,18 @@ containers.
 
 ![services diagram](https://docs.docker.com/engine/swarm/images/services-diagram.png)
 
-## Toolbox
-
-[Docker Toolbox](https://docs.docker.com/toolbox/overview/) is a legacy
-installer for Mac and Windows users. It uses Oracle VirtualBox for
-virtualization.
-
-For Macs running OS X El Capitan 10.11 and newer macOS releases, [Docker for
-Mac](https://docs.docker.com/docker-for-mac/) is the better solution.
-
-For Windows 10 systems that support Microsoft Hyper-V (Professional, Enterprise
-and Education), [Docker for
-Windows](https://docs.docker.com/docker-for-windows/) is the better solution.
-
 ## Union file system
 
-Union file systems implement a [union
-mount](https://en.wikipedia.org/wiki/Union_mount) and operate by creating
+Union file systems implement a [union mount](https://en.wikipedia.org/wiki/Union_mount) and operate by creating
 layers. Docker uses union file systems in conjunction with
 [copy-on-write](#copy-on-write) techniques to provide the building blocks for
 containers, making them very lightweight and fast.
 
-For more on Docker and union file systems, see [Docker and AUFS in
-practice](https://docs.docker.com/engine/userguide/storagedriver/aufs-driver/),
-[Docker and Btrfs in
-practice](https://docs.docker.com/engine/userguide/storagedriver/btrfs-driver/),
-and [Docker and OverlayFS in
-practice](https://docs.docker.com/engine/userguide/storagedriver/overlayfs-driver/)
+For more on Docker and union file systems, see [OverlayFS storage driver](https://docs.docker.com/storage/storagedriver/overlayfs-driver/),
+and [Btrfs storage driver](https://docs.docker.com/storage/storagedriver/btrfs-driver/).
 
 Example implementations of union file systems are
-[UnionFS](https://en.wikipedia.org/wiki/UnionFS),
-[AUFS](https://en.wikipedia.org/wiki/Aufs), and
-[Btrfs](https://btrfs.wiki.kernel.org/index.php/Main_Page).
+[UnionFS](https://en.wikipedia.org/wiki/UnionFS), and [Btrfs](https://btrfs.wiki.kernel.org/index.php/Main_Page).
 
 ## virtual machine
 

docs/reference/run.md

@@ -672,7 +672,7 @@ the container exits**, you can add the `--rm` flag:
 > ```console
 > $ docker run --rm -v /foo -v awesome:/bar busybox top
 > ```
-> 
+>
 > the volume for `/foo` will be removed, but the volume for `/bar` will not.
 > Volumes inherited via `--volumes-from` will be removed with the same logic: if
 > the original volume was specified with a name it will **not** be removed.
@@ -1418,7 +1418,7 @@ container's logging driver. The following options are supported:
 | `fluentd`    | Fluentd logging driver for Docker. Writes log messages to `fluentd` (forward input).                                           |
 | `awslogs`    | Amazon CloudWatch Logs logging driver for Docker. Writes log messages to Amazon CloudWatch Logs.                               |
 | `splunk`     | Splunk logging driver for Docker. Writes log messages to `splunk` using Event Http Collector.                                  |
-| `etwlogs`    | Event Tracing for Windows (ETW) events. Writes log messages as Event Tracing for Windows (ETW) events. Only Windows platforms. |                                                  
+| `etwlogs`    | Event Tracing for Windows (ETW) events. Writes log messages as Event Tracing for Windows (ETW) events. Only Windows platforms. |
 | `gcplogs`    | Google Cloud Platform (GCP) Logging. Writes log messages to Google Cloud Platform (GCP) Logging.                               |
 | `logentries` | Rapid7 Logentries. Writes log messages to Rapid7 Logentries.                                                                   |
 

e2e/compose-env.connhelper-ssh.yaml

@@ -1,5 +1,3 @@
-version: '2.1'
-
 services:
   engine:
       build:

e2e/compose-env.experimental.yaml

@@ -1,6 +1,3 @@
-version: '2.1'
-
 services:
   engine:
       command: ["--insecure-registry=registry:5000", "--experimental"]
-

e2e/compose-env.yaml

@@ -1,5 +1,3 @@
-version: '2.1'
-
 services:
   registry:
     image: 'registry:2'
@@ -25,4 +23,3 @@ services:
       ports:
         - 4444:4443
       command: ['notary-server', '-config=/fixtures/notary-config.json']
-

e2e/container/create_test.go

@@ -101,3 +101,19 @@ func TestTrustedCreateFromBadTrustServer(t *testing.T) {
 		Err:      "could not rotate trust to a new trusted root",
 	})
 }
+
+func TestCreateWithEmptySourceVolume(t *testing.T) {
+	icmd.RunCmd(icmd.Command("docker", "create", "-v", ":/volume", fixtures.AlpineImage)).
+		Assert(t, icmd.Expected{
+			ExitCode: 125,
+			Err:      "empty section between colons",
+		})
+}
+
+func TestCreateWithEmptyVolumeSpec(t *testing.T) {
+	icmd.RunCmd(icmd.Command("docker", "create", "-v", "", fixtures.AlpineImage)).
+		Assert(t, icmd.Expected{
+			ExitCode: 125,
+			Err:      "invalid empty volume spec",
+		})
+}

e2e/internal/fixtures/fixtures.go

@@ -17,11 +17,11 @@ const (
 	// AlpineImage is an image in the test registry
 	AlpineImage = "registry:5000/alpine:frozen"
 	// AlpineSha is the sha of the alpine image
-	AlpineSha = "e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501"
+	AlpineSha = "e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
 	// BusyboxImage is an image in the test registry
 	BusyboxImage = "registry:5000/busybox:frozen"
 	// BusyboxSha is the sha of the busybox image
-	BusyboxSha = "030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af"
+	BusyboxSha = "030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
 )
 
 // SetupConfigFile creates a config.json file for testing

e2e/testdata/Dockerfile.gencerts

@@ -1,8 +1,9 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20.4
+ARG GO_VERSION=1.20.10
 
 FROM golang:${GO_VERSION}-alpine AS generated
+ENV GOTOOLCHAIN=local
 RUN go install github.com/dmcgowan/quicktls@master
 WORKDIR /tmp/gencerts/notary
 RUN --mount=type=bind,source=e2e/testdata/notary,target=/tmp/gencerts/notary,rw <<EOT

man/docker-build.1.md

@@ -8,7 +8,7 @@ docker-build - Build an image from a Dockerfile
 [**--add-host**[=*[]*]]
 [**--build-arg**[=*[]*]]
 [**--cache-from**[=*[]*]]
-[**--cpu-shares**[=*0*]]
+[**-c**|**--cpu-shares**[=*0*]]
 [**--cgroup-parent**[=*CGROUP-PARENT*]]
 [**--help**]
 [**--iidfile**[=*CIDFILE*]]
@@ -153,7 +153,7 @@ In Linux, default is **bridge**.
   Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
   If you omit the size entirely, the system uses `64m`.
 
-**--cpu-shares** *0*
+**-c**, **--cpu-shares** *0*
   CPU shares (relative weight).
 
   By default, all containers get the same proportion of CPU cycles.
@@ -166,7 +166,7 @@ In Linux, default is **bridge**.
   You can change this proportion by adjusting the container's CPU share
   weighting relative to the weighting of all other running containers.
 
-  To modify the proportion from the default of 1024, use the **--cpu-shares**
+  To modify the proportion from the default of 1024, use the **-c** or **--cpu-shares**
   flag to set the weighting to 2 or higher.
 
       Container   CPU share    Flag

man/docker-run.1.md

@@ -10,7 +10,7 @@ docker-run - Create and run a new container from an image
 [**--annotation**[=*[]*]]
 [**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
 [**--blkio-weight-device**[=*[]*]]
-[**--cpu-shares**[=*0*]]
+[**-c**|**--cpu-shares**[=*0*]]
 [**--cap-add**[=*[]*]]
 [**--cap-drop**[=*[]*]]
 [**--cgroupns**[=*[]*]]
@@ -137,14 +137,14 @@ option can be set multiple times.
 **--blkio-weight-device**=[]
    Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).
 
-**--cpu-shares**=*0*
+**-c**, **--cpu-shares**=*0*
    CPU shares (relative weight)
 
    By default, all containers get the same proportion of CPU cycles. This proportion
 can be modified by changing the container's CPU share weighting relative
 to the weighting of all other running containers.
 
-To modify the proportion from the default of 1024, use the **--cpu-shares**
+To modify the proportion from the default of 1024, use the **-c** or **--cpu-shares**
 flag to set the weighting to 2 or higher.
 
 The proportion will only apply when CPU-intensive processes are running.

man/go.mod

@@ -7,7 +7,7 @@ go 1.16
 
 //require (
 //	github.com/docker/cli v0.0.0+incompatible
-//	github.com/cpuguy83/go-md2man/v2 v2.0.1
+//	github.com/cpuguy83/go-md2man/v2 v2.0.3
 //	github.com/spf13/cobra v1.2.1
 //	github.com/spf13/pflag v1.0.5
 //)

man/src/container/attach.md

@@ -13,9 +13,29 @@ file. See **config-json(5)** for documentation on using a configuration file.
 It is forbidden to redirect the standard input of a **docker attach** command while
 attaching to a TTY-enabled container (i.e., launched with `-i` and `-t`).
 
-# Override the detach sequence
+# EXAMPLES
 
-If you want, you can configure an override the Docker key sequence for detach.
+## Attaching to a container
+
+In this example the top command is run inside a container from an ubuntu image,
+in detached mode, then attaches to it, and then terminates the container
+with `CTRL-c`:
+
+    $ docker run -d --name topdemo ubuntu:20.04 /usr/bin/top -b
+    $ docker attach topdemo
+    top - 00:07:01 up  4:54,  0 users,  load average: 0.83, 0.91, 0.82
+    Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+    %Cpu(s):  2.3 us,  1.6 sy,  0.0 ni, 95.9 id,  0.0 wa,  0.1 hi,  0.1 si,  0.0 st
+    MiB Mem :  15846.2 total,   5729.2 free,   2592.5 used,   7524.4 buff/cache
+    MiB Swap:  16384.0 total,  16384.0 free,      0.0 used.  12097.3 avail Mem 
+    
+        PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+          1 root      20   0    5976   3256   2828 R   0.0   0.0   0:00.04 top
+    ^C
+
+## Override the detach sequence
+
+Use the **--detach-keys** option to override the Docker key sequence for detach.
 This is useful if the Docker default sequence conflicts with key sequence you
 use for other applications. There are two ways to define your own detach key
 sequence, as a per-container override or as a configuration property on  your
@@ -37,22 +57,3 @@ These **a**, **ctrl-a**, **X**, or **ctrl-\\** values are all examples of valid
 sequences. To configure a different configuration default key sequence for all
 containers, see **docker(1)**.
 
-# EXAMPLES
-
-## Attaching to a container
-
-In this example the top command is run inside a container from an ubuntu image,
-in detached mode, then attaches to it, and then terminates the container
-with `CTRL-c`:
-
-    $ docker run -d --name topdemo ubuntu:20.04 /usr/bin/top -b
-    $ docker attach topdemo
-    top - 00:07:01 up  4:54,  0 users,  load average: 0.83, 0.91, 0.82
-    Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
-    %Cpu(s):  2.3 us,  1.6 sy,  0.0 ni, 95.9 id,  0.0 wa,  0.1 hi,  0.1 si,  0.0 st
-    MiB Mem :  15846.2 total,   5729.2 free,   2592.5 used,   7524.4 buff/cache
-    MiB Swap:  16384.0 total,  16384.0 free,      0.0 used.  12097.3 avail Mem 
-    
-        PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
-          1 root      20   0    5976   3256   2828 R   0.0   0.0   0:00.04 top
-    ^C

man/src/container/exec.md

@@ -9,7 +9,7 @@ container is unpaused, and then run
 # CAPABILITIES
 
 `privileged` gives the process extended
-[Linux capabilities](http://man7.org/linux/man-pages/man7/capabilities.7.html)
+[Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html)
 when running in a container. 
 
 Without this flag, the process run by `docker exec` in a running container has

man/src/inspect.md

@@ -80,7 +80,7 @@ To get information on a container use its ID or instance name:
     "LogPath": "/var/lib/docker/containers/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47-json.log",
     "Name": "/adoring_wozniak",
     "RestartCount": 0,
-    "Driver": "devicemapper",
+    "Driver": "overlay2",
     "MountLabel": "",
     "ProcessLabel": "",
     "Mounts": [
@@ -89,7 +89,7 @@ To get information on a container use its ID or instance name:
         "Destination": "/data",
         "Mode": "ro,Z",
         "RW": false
-	"Propagation": ""
+        "Propagation": ""
       }
     ],
     "AppArmorProfile": "",
@@ -136,12 +136,13 @@ To get information on a container use its ID or instance name:
         "CgroupParent": ""
     },
     "GraphDriver": {
-        "Name": "devicemapper",
         "Data": {
-            "DeviceId": "5",
-            "DeviceName": "docker-253:1-2763198-d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47",
-            "DeviceSize": "171798691840"
-        }
+            "LowerDir": "/var/lib/docker/overlay2/44b1d1f04db6b1b73a86f9a62678673bf5d16d9a6b62c13e859aa34a99cce5ea/diff:/var/lib/docker/overlay2/ef637181eb13e30e84b7382183364ed7fd7ff7be22d8bb87049e36b75fb89a86/diff:/var/lib/docker/overlay2/64fb0f850b1289cd09cbc3b077cab2c0f59a4f540c67f997b094fc3652b9b0d6/diff:/var/lib/docker/overlay2/68c4d1411addc2b2bd07e900ca3a059c9c5f9fa2607efd87d8d715a0080ed242/diff",
+            "MergedDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/merged",
+            "UpperDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/diff",
+            "WorkDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/work"
+        },
+        "Name": "overlay2"
     },
     "Config": {
         "Hostname": "d2cc496561d6",
@@ -192,7 +193,7 @@ output:
       80/tcp -> 80
 
 You can get more information about how to write a Go template from:
-https://golang.org/pkg/text/template/.
+https://pkg.go.dev/text/template.
 
 ## Getting size information on a container
 
@@ -275,12 +276,12 @@ about the image:
     "Size": 186507296,
     "VirtualSize": 186507296,
     "GraphDriver": {
-        "Name": "devicemapper",
         "Data": {
-            "DeviceId": "3",
-            "DeviceName": "docker-253:1-2763198-ded7cd95e059788f2586a51c275a4f151653779d6a7f4dad77c2bd34601d94e4",
-            "DeviceSize": "171798691840"
-        }
+            "LowerDir": "/var/lib/docker/overlay2/44b1d1f04db6b1b73a86f9a62678673bf5d16d9a6b62c13e859aa34a99cce5ea/diff:/var/lib/docker/overlay2/ef637181eb13e30e84b7382183364ed7fd7ff7be22d8bb87049e36b75fb89a86/diff:/var/lib/docker/overlay2/64fb0f850b1289cd09cbc3b077cab2c0f59a4f540c67f997b094fc3652b9b0d6/diff:/var/lib/docker/overlay2/68c4d1411addc2b2bd07e900ca3a059c9c5f9fa2607efd87d8d715a0080ed242/diff",
+            "MergedDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/merged",
+            "UpperDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/diff",
+            "WorkDir": "/var/lib/docker/overlay2/c7846fe68c6f18247ab9b8672114dde9f506bc164081a895c465716eeb10f2bc/work"
+        },
+        "Name": "overlay2"
     }
-    }
-    ]
+    }]

man/src/network/inspect.md

@@ -11,7 +11,7 @@ bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727
 The `network inspect` command shows the containers, by id, in its
 results. You can specify an alternate format to execute a given
 template for each result. Go's
-[text/template](http://golang.org/pkg/text/template/) package
+[text/template](https://pkg.go.dev/text/template) package
 describes all the details of the format.
 
 ```console

man/src/system/events.md

@@ -85,7 +85,7 @@ details of the format.
     Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
 
 If a format is set to `{{json .}}`, the events are streamed as valid JSON
-Lines. For information about JSON Lines, please refer to http://jsonlines.org/ .
+Lines. For information about JSON Lines, please refer to https://jsonlines.org .
 
     # docker events --format '{{json .}}'
     {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..

man/src/volume/inspect.md

@@ -1,4 +1,4 @@
 Returns information about one or more volumes. By default, this command renders
 all results in a JSON array. You can specify an alternate format to execute a
-given template is executed for each result. Go's https://golang.org/pkg/text/template/
+given template is executed for each result. Go's https://pkg.go.dev/text/template
 package describes all the details of the format.

scripts/docs/generate-man.sh

@@ -2,7 +2,7 @@
 
 set -eu
 
-: "${MD2MAN_VERSION=v2.0.1}"
+: "${MD2MAN_VERSION=v2.0.3}"
 
 export GO111MODULE=auto
 

scripts/docs/generate-md.sh

@@ -2,7 +2,7 @@
 
 set -eu
 
-: "${CLI_DOCS_TOOL_VERSION=v0.5.1}"
+: "${CLI_DOCS_TOOL_VERSION=v0.6.0}"
 
 export GO111MODULE=auto