Merge pull request #3979 from thaJeztah/20.10_backport_docs_ps_size

[20.10 backport Fix section docker ps --size

.golangci.yml

@@ -5,12 +5,10 @@ linters:
     - dogsled
     - gocyclo
     - goimports
-    - golint
     - gosec
     - gosimple
     - govet
     - ineffassign
-    - interfacer
     - lll
     - megacheck
     - misspell
@@ -21,6 +19,7 @@ linters:
     - unconvert
     - unparam
     - unused
+    - revive
     - varcheck
 
   disable:
@@ -54,30 +53,65 @@ issues:
     - parameter .* always receives
 
   exclude-rules:
-    # These are copied from the default exclude rules, except for "ineffective break statement"
-    # and GoDoc checks.
-    # https://github.com/golangci/golangci-lint/blob/0cc87df732aaf1d5ad9ce9ca538d38d916918b36/pkg/config/config.go#L36
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked"
+    # We prefer to use an "exclude-list" so that new "default" exclusions are not
+    # automatically inherited. We can decide whether or not to follow upstream
+    # defaults when updating golang-ci-lint versions.
+    # Unfortunately, this means we have to copy the whole exclusion pattern, as
+    # (unlike the "include" option), the "exclude" option does not take exclusion
+    # ID's.
+    #
+    # These exclusion patterns are copied from the default excluses at:
+    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+
+    # EXC0001
+    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
       linters:
         - errcheck
+    # EXC0003
     - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
       linters:
-        - golint
-    - text: "G103: Use of unsafe calls should be audited"
+        - revive
+    # EXC0006
+    - text: "Use of unsafe calls should be audited"
       linters:
         - gosec
-    - text: "G104: Errors unhandled"
+    # EXC0007
+    - text: "Subprocess launch(ed with variable|ing should be audited)"
       linters:
         - gosec
-    - text: "G204: Subprocess launch(ed with (variable|function call)|ing should be audited)"
+    # EXC0008
+    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
+    - text: "(G104|G307)"
       linters:
         - gosec
-    - text: "(G301|G302): (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+    # EXC0009
+    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
       linters:
         - gosec
-    - text: "G304: Potential file inclusion via variable"
+    # EXC0010
+    - text: "Potential file inclusion via variable"
       linters:
         - gosec
-    - text: "(G201|G202): SQL string (formatting|concatenation)"
+
+    # Looks like the match in "EXC0007" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
       linters:
         - gosec
+    # Looks like the match in "EXC0009" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G306: Expect WriteFile permissions to be 0600 or less"
+      linters:
+        - gosec
+
+    # Exclude some linters from running on tests files.
+    - path: _test\.go
+      linters:
+        - errcheck
+        - gosec
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0

Dockerfile

@@ -1,12 +1,13 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.10
+ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} AS build-base-alpine
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
 COPY --from=xx / /
 RUN apk add --no-cache clang lld llvm file git
 WORKDIR /go/src/github.com/docker/cli

appveyor.yml

@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 
 environment:
   GOPATH: c:\gopath
-  GOVERSION: 1.17.11
+  GOVERSION: 1.18.10
   DEPVERSION: v0.4.1
 
 install:

cli/cobra.go

@@ -210,9 +210,13 @@ func isExperimental(cmd *cobra.Command) bool {
 }
 
 func additionalHelp(cmd *cobra.Command) string {
-	if additionalHelp, ok := cmd.Annotations["additionalHelp"]; ok {
+	if msg, ok := cmd.Annotations["additionalHelp"]; ok {
+		out := cmd.OutOrStderr()
+		if _, isTerminal := term.GetFdInfo(out); !isTerminal {
+			return msg
+		}
 		style := aec.EmptyBuilder.Bold().ANSI
-		return style.Apply(additionalHelp)
+		return style.Apply(msg)
 	}
 	return ""
 }
@@ -379,6 +383,7 @@ Run '{{.CommandPath}} COMMAND --help' for more information on a command.
 {{- if hasAdditionalHelp .}}
 
 {{ additionalHelp . }}
+
 {{- end}}
 `
 

cli/command/config/formatter_test.go

@@ -19,13 +19,11 @@ func TestConfigContextFormatWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{formatter.Context{Format: NewFormat("table", false)},

cli/command/config/inspect_test.go

@@ -36,7 +36,7 @@ func TestConfigInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/command/container/create.go

@@ -155,7 +155,7 @@ func (cid *cidFile) Close() error {
 		return nil
 	}
 	if err := os.Remove(cid.path); err != nil {
-		return errors.Errorf("failed to remove the CID file '%s': %s \n", cid.path, err)
+		return errors.Wrapf(err, "failed to remove the CID file '%s'", cid.path)
 	}
 
 	return nil
@@ -166,7 +166,7 @@ func (cid *cidFile) Write(id string) error {
 		return nil
 	}
 	if _, err := cid.file.Write([]byte(id)); err != nil {
-		return errors.Errorf("Failed to write the container ID to the file: %s", err)
+		return errors.Wrap(err, "failed to write the container ID to the file")
 	}
 	cid.written = true
 	return nil
@@ -177,12 +177,12 @@ func newCIDFile(path string) (*cidFile, error) {
 		return &cidFile{}, nil
 	}
 	if _, err := os.Stat(path); err == nil {
-		return nil, errors.Errorf("Container ID file found, make sure the other container isn't running or delete %s", path)
+		return nil, errors.Errorf("container ID file found, make sure the other container isn't running or delete %s", path)
 	}
 
 	f, err := os.Create(path)
 	if err != nil {
-		return nil, errors.Errorf("Failed to create the container ID file: %s", err)
+		return nil, errors.Wrap(err, "failed to create the container ID file")
 	}
 
 	return &cidFile{path: path, file: f}, nil

cli/command/container/create_test.go

@@ -39,7 +39,7 @@ func TestNewCIDFileWhenFileAlreadyExists(t *testing.T) {
 	defer tempfile.Remove()
 
 	_, err := newCIDFile(tempfile.Path())
-	assert.ErrorContains(t, err, "Container ID file found")
+	assert.ErrorContains(t, err, "container ID file found")
 }
 
 func TestCIDFileCloseWithNoWrite(t *testing.T) {

cli/command/container/formatter_stats.go

@@ -181,14 +181,14 @@ func (c *statsContext) ID() string {
 
 func (c *statsContext) CPUPerc() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%.2f%%", c.s.CPUPercentage)
 }
 
 func (c *statsContext) MemUsage() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("-- / --")
+		return "-- / --"
 	}
 	if c.os == winOSType {
 		return units.BytesSize(c.s.Memory)
@@ -198,28 +198,28 @@ func (c *statsContext) MemUsage() string {
 
 func (c *statsContext) MemPerc() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%.2f%%", c.s.MemoryPercentage)
 }
 
 func (c *statsContext) NetIO() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.NetworkRx, 3), units.HumanSizeWithPrecision(c.s.NetworkTx, 3))
 }
 
 func (c *statsContext) BlockIO() string {
 	if c.s.IsInvalid {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.BlockRead, 3), units.HumanSizeWithPrecision(c.s.BlockWrite, 3))
 }
 
 func (c *statsContext) PIDs() string {
 	if c.s.IsInvalid || c.os == winOSType {
-		return fmt.Sprintf("--")
+		return "--"
 	}
 	return fmt.Sprintf("%d", c.s.PidsCurrent)
 }

cli/command/container/formatter_stats_test.go

@@ -54,13 +54,11 @@ func TestContainerStatsContextWrite(t *testing.T) {
 	}{
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		{
 			formatter.Context{Format: "table {{.MemUsage}}"},

cli/command/container/rm_test.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"sort"
+	"sync"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
@@ -14,33 +15,46 @@ import (
 )
 
 func TestRemoveForce(t *testing.T) {
-	var removed []string
+	for _, tc := range []struct {
+		name        string
+		args        []string
+		expectedErr string
+	}{
+		{name: "without force", args: []string{"nosuchcontainer", "mycontainer"}, expectedErr: "no such container"},
+		{name: "with force", args: []string{"--force", "nosuchcontainer", "mycontainer"}, expectedErr: ""},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			var removed []string
+			mutex := new(sync.Mutex)
 
-	cli := test.NewFakeCli(&fakeClient{
-		containerRemoveFunc: func(ctx context.Context, container string, options types.ContainerRemoveOptions) error {
-			removed = append(removed, container)
-			if container == "nosuchcontainer" {
-				return errdefs.NotFound(fmt.Errorf("Error: No such container: " + container))
+			cli := test.NewFakeCli(&fakeClient{
+				containerRemoveFunc: func(ctx context.Context, container string, options types.ContainerRemoveOptions) error {
+					// containerRemoveFunc is called in parallel for each container
+					// by the remove command so append must be synchronized.
+					mutex.Lock()
+					removed = append(removed, container)
+					mutex.Unlock()
+
+					if container == "nosuchcontainer" {
+						return errdefs.NotFound(fmt.Errorf("Error: no such container: " + container))
+					}
+					return nil
+				},
+				Version: "1.36",
+			})
+			cmd := NewRmCommand(cli)
+			cmd.SetOut(ioutil.Discard)
+			cmd.SetArgs(tc.args)
+
+			err := cmd.Execute()
+			if tc.expectedErr != "" {
+				assert.ErrorContains(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
 			}
-			return nil
-		},
-		Version: "1.36",
-	})
-	cmd := NewRmCommand(cli)
-	cmd.SetOut(ioutil.Discard)
-
-	t.Run("without force", func(t *testing.T) {
-		cmd.SetArgs([]string{"nosuchcontainer", "mycontainer"})
-		removed = []string{}
-		assert.ErrorContains(t, cmd.Execute(), "No such container")
-		sort.Strings(removed)
-		assert.DeepEqual(t, removed, []string{"mycontainer", "nosuchcontainer"})
-	})
-	t.Run("with force", func(t *testing.T) {
-		cmd.SetArgs([]string{"--force", "nosuchcontainer", "mycontainer"})
-		removed = []string{}
-		assert.NilError(t, cmd.Execute())
-		sort.Strings(removed)
-		assert.DeepEqual(t, removed, []string{"mycontainer", "nosuchcontainer"})
-	})
+			sort.Strings(removed)
+			assert.DeepEqual(t, removed, []string{"mycontainer", "nosuchcontainer"})
+		})
+	}
 }

cli/command/formatter/container_test.go

@@ -130,13 +130,11 @@ func TestContainerContextWrite(t *testing.T) {
 		// Errors
 		{
 			Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/disk_usage_test.go

@@ -61,8 +61,7 @@ CACHE ID   CACHE TYPE   SIZE      CREATED   LAST USED   USAGE     SHARED
 					Format: "{{InvalidFunction}}",
 				},
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			DiskUsageContext{
@@ -70,8 +69,7 @@ CACHE ID   CACHE TYPE   SIZE      CREATED   LAST USED   USAGE     SHARED
 					Format: "{{nil}}",
 				},
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/formatter.go

@@ -64,7 +64,7 @@ func (c *Context) preFormat() {
 func (c *Context) parseFormat() (*template.Template, error) {
 	tmpl, err := templates.Parse(c.finalFormat)
 	if err != nil {
-		return tmpl, errors.Errorf("Template parsing error: %v\n", err)
+		return tmpl, errors.Wrap(err, "template parsing error")
 	}
 	return tmpl, err
 }
@@ -85,7 +85,7 @@ func (c *Context) postFormat(tmpl *template.Template, subContext SubContext) {
 
 func (c *Context) contextFormat(tmpl *template.Template, subContext SubContext) error {
 	if err := tmpl.Execute(c.buffer, subContext); err != nil {
-		return errors.Errorf("Template parsing error: %v\n", err)
+		return errors.Wrap(err, "template parsing error")
 	}
 	if c.Format.IsTable() && c.header != nil {
 		c.header = subContext.FullHeader()

cli/command/formatter/image_test.go

@@ -119,8 +119,7 @@ func TestImageContextWrite(t *testing.T) {
 					Format: "{{InvalidFunction}}",
 				},
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			ImageContext{
@@ -128,8 +127,7 @@ func TestImageContextWrite(t *testing.T) {
 					Format: "{{nil}}",
 				},
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/formatter/volume_test.go

@@ -62,13 +62,11 @@ func TestVolumeContextWrite(t *testing.T) {
 		// Errors
 		{
 			Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/image/build.go

@@ -297,7 +297,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
 		}
 
 		if err := build.ValidateContextDirectory(contextDir, excludes); err != nil {
-			return errors.Errorf("error checking context: '%s'.", err)
+			return errors.Wrap(err, "error checking context")
 		}
 
 		// And canonicalize dockerfile name to a platform-independent one

cli/command/inspect/inspector.go

@@ -44,7 +44,7 @@ func NewTemplateInspectorFromString(out io.Writer, tmplStr string) (Inspector, e
 
 	tmpl, err := templates.Parse(tmplStr)
 	if err != nil {
-		return nil, errors.Errorf("Template parsing error: %s", err)
+		return nil, errors.Errorf("template parsing error: %s", err)
 	}
 	return NewTemplateInspector(out, tmpl), nil
 }
@@ -94,7 +94,7 @@ func (i *TemplateInspector) Inspect(typedElement interface{}, rawElement []byte)
 	buffer := new(bytes.Buffer)
 	if err := i.tmpl.Execute(buffer, typedElement); err != nil {
 		if rawElement == nil {
-			return errors.Errorf("Template parsing error: %v", err)
+			return errors.Errorf("template parsing error: %v", err)
 		}
 		return i.tryRawInspectFallback(rawElement)
 	}
@@ -118,7 +118,7 @@ func (i *TemplateInspector) tryRawInspectFallback(rawElement []byte) error {
 
 	tmplMissingKey := i.tmpl.Option("missingkey=error")
 	if rawErr := tmplMissingKey.Execute(buffer, raw); rawErr != nil {
-		return errors.Errorf("Template parsing error: %v", rawErr)
+		return errors.Errorf("template parsing error: %v", rawErr)
 	}
 
 	i.buffer.Write(buffer.Bytes())

cli/command/inspect/inspector_test.go

@@ -62,7 +62,7 @@ func TestTemplateInspectorTemplateError(t *testing.T) {
 		t.Fatal("Expected error got nil")
 	}
 
-	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+	if !strings.HasPrefix(err.Error(), "template parsing error") {
 		t.Fatalf("Expected template error, got %v", err)
 	}
 }
@@ -98,7 +98,7 @@ func TestTemplateInspectorRawFallbackError(t *testing.T) {
 		t.Fatal("Expected error got nil")
 	}
 
-	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+	if !strings.HasPrefix(err.Error(), "template parsing error") {
 		t.Fatalf("Expected template error, got %v", err)
 	}
 }

cli/command/network/formatter_test.go

@@ -79,13 +79,11 @@ func TestNetworkContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/node/formatter_test.go

@@ -62,15 +62,13 @@ func TestNodeContextWrite(t *testing.T) {
 
 		// Errors
 		{
-			context: formatter.Context{Format: "{{InvalidFunction}}"},
-			expected: `Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			context:     formatter.Context{Format: "{{InvalidFunction}}"},
+			expected:    `template parsing error: template: :1: function "InvalidFunction" not defined`,
 			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
 		},
 		{
-			context: formatter.Context{Format: "{{nil}}"},
-			expected: `Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			context:     formatter.Context{Format: "{{nil}}"},
+			expected:    `template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
 		},
 		// Table format

cli/command/plugin/formatter_test.go

@@ -59,13 +59,11 @@ func TestPluginContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/plugin/inspect_test.go

@@ -61,7 +61,7 @@ func TestInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/plugin/list_test.go

@@ -41,7 +41,7 @@ func TestListErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/registry/formatter_search_test.go

@@ -112,13 +112,11 @@ func TestSearchContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/secret/formatter_test.go

@@ -19,13 +19,11 @@ func TestSecretContextFormatWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{formatter.Context{Format: NewFormat("table", false)},

cli/command/secret/inspect_test.go

@@ -36,7 +36,7 @@ func TestSecretInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/command/service/formatter_test.go

@@ -29,13 +29,11 @@ func TestServiceContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/service/opts.go

@@ -914,7 +914,7 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
 }
 
 const (
-	flagCredentialSpec          = "credential-spec"
+	flagCredentialSpec          = "credential-spec" //nolint:gosec // ignore G101: Potential hardcoded credentials
 	flagPlacementPref           = "placement-pref"
 	flagPlacementPrefAdd        = "placement-pref-add"
 	flagPlacementPrefRemove     = "placement-pref-rm"

cli/command/stack/formatter/formatter_test.go

@@ -16,13 +16,11 @@ func TestStackContextWrite(t *testing.T) {
 		// Errors
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table format
 		{

cli/command/stack/list_test.go

@@ -33,7 +33,7 @@ func TestListErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {

cli/command/stack/loader/loader.go

@@ -28,6 +28,7 @@ func LoadComposefile(dockerCli command.Cli, opts options.Deploy) (*composetypes.
 	config, err := loader.Load(configDetails)
 	if err != nil {
 		if fpe, ok := err.(*loader.ForbiddenPropertiesError); ok {
+			//nolint:revive // ignore capitalization error; this error is intentionally formatted multi-line
 			return nil, errors.Errorf("Compose file contains unsupported options:\n\n%s\n",
 				propertyWarnings(fpe.Properties))
 		}

cli/command/stack/services_test.go

@@ -62,7 +62,7 @@ func TestStackServicesErrors(t *testing.T) {
 			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
 				return []swarm.Service{*Service()}, nil
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 	}
 

cli/command/system/info.go

@@ -506,7 +506,7 @@ func formatInfo(dockerCli command.Cli, info info, format string) error {
 	tmpl, err := templates.Parse(format)
 	if err != nil {
 		return cli.StatusError{StatusCode: 64,
-			Status: "Template parsing error: " + err.Error()}
+			Status: "template parsing error: " + err.Error()}
 	}
 	err = tmpl.Execute(dockerCli.Out(), info)
 	dockerCli.Out().Write([]byte{'\n'})

cli/command/system/info_test.go

@@ -394,7 +394,7 @@ func TestFormatInfo(t *testing.T) {
 		{
 			doc:           "syntax",
 			template:      "{{}",
-			expectedError: `Status: Template parsing error: template: :1: unexpected "}" in command, Code: 64`,
+			expectedError: `Status: template parsing error: template: :1: unexpected "}" in command, Code: 64`,
 		},
 		{
 			doc:           "syntax",

cli/command/system/version.go

@@ -235,7 +235,7 @@ func newVersionTemplate(templateFormat string) (*template.Template, error) {
 	tmpl := templates.New("version").Funcs(template.FuncMap{"getDetailsOrder": getDetailsOrder})
 	tmpl, err := tmpl.Parse(templateFormat)
 
-	return tmpl, errors.Wrap(err, "Template parsing error")
+	return tmpl, errors.Wrap(err, "template parsing error")
 }
 
 func getDetailsOrder(v types.ComponentVersion) []string {

cli/command/task/formatter_test.go

@@ -20,13 +20,11 @@ func TestTaskContextWrite(t *testing.T) {
 	}{
 		{
 			formatter.Context{Format: "{{InvalidFunction}}"},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{Format: "{{nil}}"},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		{
 			formatter.Context{Format: NewTaskFormat("table", true)},

cli/command/trust/formatter_test.go

@@ -95,15 +95,13 @@ func TestTrustTagContextWrite(t *testing.T) {
 			formatter.Context{
 				Format: "{{InvalidFunction}}",
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{
 				Format: "{{nil}}",
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{
@@ -191,15 +189,13 @@ func TestSignerInfoContextWrite(t *testing.T) {
 			formatter.Context{
 				Format: "{{InvalidFunction}}",
 			},
-			`Template parsing error: template: :1: function "InvalidFunction" not defined
-`,
+			`template parsing error: template: :1: function "InvalidFunction" not defined`,
 		},
 		{
 			formatter.Context{
 				Format: "{{nil}}",
 			},
-			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
-`,
+			`template parsing error: template: :1:2: executing "" at <nil>: nil is not a command`,
 		},
 		// Table Format
 		{

cli/command/volume/create.go

@@ -32,7 +32,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 1 {
 				if options.name != "" {
-					return errors.Errorf("Conflicting options: either specify --name or provide positional arg, not both\n")
+					return errors.Errorf("conflicting options: either specify --name or provide positional arg, not both")
 				}
 				options.name = args[0]
 			}

cli/command/volume/create_test.go

@@ -26,7 +26,7 @@ func TestVolumeCreateErrors(t *testing.T) {
 			flags: map[string]string{
 				"name": "volumeName",
 			},
-			expectedError: "Conflicting options: either specify --name or provide positional arg, not both",
+			expectedError: "conflicting options: either specify --name or provide positional arg, not both",
 		},
 		{
 			args:          []string{"too", "many"},

cli/command/volume/inspect_test.go

@@ -35,7 +35,7 @@ func TestVolumeInspectErrors(t *testing.T) {
 			flags: map[string]string{
 				"format": "{{invalid format}}",
 			},
-			expectedError: "Template parsing error",
+			expectedError: "template parsing error",
 		},
 		{
 			args: []string{"foo", "bar"},

cli/compose/interpolation/interpolation.go

@@ -99,7 +99,7 @@ func newPathError(path Path, err error) error {
 		return nil
 	case *template.InvalidTemplateError:
 		return errors.Errorf(
-			"invalid interpolation format for %s: %#v. You may need to escape any $ with another $.",
+			"invalid interpolation format for %s: %#v; you may need to escape any $ with another $",
 			path, err.Template)
 	default:
 		return errors.Wrapf(err, "error while interpolating %s", path)

cli/compose/interpolation/interpolation_test.go

@@ -58,7 +58,7 @@ func TestInvalidInterpolation(t *testing.T) {
 		},
 	}
 	_, err := Interpolate(services, Options{LookupValue: defaultMapping})
-	assert.Error(t, err, `invalid interpolation format for servicea.image: "${". You may need to escape any $ with another $.`)
+	assert.Error(t, err, `invalid interpolation format for servicea.image: "${"; you may need to escape any $ with another $`)
 }
 
 func TestInterpolateWithDefaults(t *testing.T) {

cli/config/credentials/native_store.go

@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	remoteCredentialsPrefix = "docker-credential-"
+	remoteCredentialsPrefix = "docker-credential-" //nolint:gosec // ignore G101: Potential hardcoded credentials
 	tokenUsername           = "<token>"
 )
 

contrib/completion/bash/docker

@@ -1954,6 +1954,7 @@ _docker_container_run_and_create() {
 		--oom-score-adj
 		--pid
 		--pids-limit
+		--platform
 		--publish -p
 		--pull
 		--restart
@@ -1981,9 +1982,6 @@ _docker_container_run_and_create() {
 		--io-maxiops
 		--isolation
 	"
-	__docker_server_is_experimental && options_with_args+="
-		--platform
-	"
 
 	local boolean_options="
 		--disable-content-trust=false
@@ -2831,6 +2829,7 @@ _docker_image_build() {
 		--memory -m
 		--memory-swap
 		--network
+		--platform
 		--shm-size
 		--tag -t
 		--target
@@ -2851,9 +2850,6 @@ _docker_image_build() {
 	"
 
 	if __docker_server_is_experimental ; then
-		options_with_args+="
-			--platform
-		"
 		boolean_options+="
 			--squash
 		"
@@ -2862,7 +2858,6 @@ _docker_image_build() {
 	if [ "$DOCKER_BUILDKIT" = "1" ] ; then
 		options_with_args+="
 			--output -o
-			--platform
 			--progress
 			--secret
 			--ssh
@@ -2993,8 +2988,7 @@ _docker_image_import() {
 
 	case "$cur" in
 		-*)
-			local options="--change -c --help --message -m"
-			__docker_server_is_experimental && options+=" --platform"
+			local options="--change -c --help --message -m --platform"
 			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
 			;;
 		*)
@@ -3102,9 +3096,7 @@ _docker_image_pull() {
 
 	case "$cur" in
 		-*)
-			local options="--all-tags -a --disable-content-trust=false --help --quiet -q"
-			__docker_server_is_experimental && options+=" --platform"
-
+			local options="--all-tags -a --disable-content-trust=false --help --platform --quiet -q"
 			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
 			;;
 		*)
@@ -5485,6 +5477,23 @@ _docker_wait() {
 	_docker_container_wait
 }
 
+COMPOSE_PLUGIN_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{if eq .Name "compose"}}{{.Path}}{{end}}{{end}}')
+
+_docker_compose() {
+	local completionCommand="__completeNoDesc"
+	local resultArray=($COMPOSE_PLUGIN_PATH $completionCommand compose)
+	for value in "${words[@]:2}"; do
+		if [ -z "$value" ]; then
+			resultArray+=( "''" )
+		else
+			resultArray+=( "$value" )
+		fi
+	done
+	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
+
+	COMPREPLY=( $(compgen -W "${result}" -- "$current") )
+}
+
 _docker() {
 	local previous_extglob_setting=$(shopt -p extglob)
 	shopt -s extglob
@@ -5554,11 +5563,17 @@ _docker() {
 		wait
 	)
 
+	local known_plugin_commands=()
+
+	if [ -f "$COMPOSE_PLUGIN_PATH" ] ; then
+		known_plugin_commands+=("compose")
+	fi
+
 	local experimental_server_commands=(
 		checkpoint
 	)
 
-	local commands=(${management_commands[*]} ${top_level_commands[*]})
+	local commands=(${management_commands[*]} ${top_level_commands[*]} ${known_plugin_commands[*]})
 	[ -z "$DOCKER_HIDE_LEGACY_COMMANDS" ] && commands+=(${legacy_commands[*]})
 
 	# These options are valid as global options for all client commands

contrib/completion/zsh/_docker

@@ -2771,8 +2771,8 @@ __docker_subcommand() {
                 "($help)--live-restore[Enable live restore of docker when containers are still running]" \
                 "($help)--log-driver=[Default driver for container logs]:logging driver:__docker_complete_log_drivers" \
                 "($help)*--log-opt=[Default log driver options for containers]:log driver options:__docker_complete_log_options" \
-                "($help)--max-concurrent-downloads[Set the max concurrent downloads for each pull]" \
-                "($help)--max-concurrent-uploads[Set the max concurrent uploads for each push]" \
+                "($help)--max-concurrent-downloads[Set the max concurrent downloads]" \
+                "($help)--max-concurrent-uploads[Set the max concurrent uploads]" \
                 "($help)--max-download-attempts[Set the max download attempts for each pull]" \
                 "($help)--mtu=[Network MTU]:mtu:(0 576 1420 1500 9000)" \
                 "($help)--oom-score-adjust=[Set the oom_score_adj for the daemon]:oom-score:(-500)" \
@@ -3094,6 +3094,7 @@ _docker() {
     _arguments $(__docker_arguments) -C \
         "(: -)"{-h,--help}"[Print usage]" \
         "($help)--config[Location of client config files]:path:_directories" \
+        "($help -c --context)"{-c=,--context=}"[Execute the command in a docker context]:context:__docker_complete_contexts" \
         "($help -D --debug)"{-D,--debug}"[Enable debug mode]" \
         "($help -H --host)"{-H=,--host=}"[tcp://host:port to bind/connect to]:host: " \
         "($help -l --log-level)"{-l=,--log-level=}"[Logging level]:level:(debug info warn error fatal)" \
@@ -3109,7 +3110,8 @@ _docker() {
 
     local host=${opt_args[-H]}${opt_args[--host]}
     local config=${opt_args[--config]}
-    local docker_options="${host:+--host $host} ${config:+--config $config}"
+    local context=${opt_args[-c]}${opt_args[--context]}
+    local docker_options="${host:+--host $host} ${config:+--config $config} ${context:+--context $context} "
 
     case $state in
         (command)

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.17.11"
+    default = "1.18.10"
 }
 variable "VERSION" {
     default = ""

dockerfiles/Dockerfile.binary-native

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.10
 
 FROM    golang:${GO_VERSION}-alpine
 

dockerfiles/Dockerfile.dev

@@ -1,8 +1,9 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.10
+ARG ALPINE_VERSION=3.16
 
-FROM golang:${GO_VERSION}-alpine AS golang
+FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
 ENV  CGO_ENABLED=0
 
 FROM golang AS esc
@@ -13,7 +14,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     GO111MODULE=on go install github.com/mjibson/esc@${ESC_VERSION}
 
 FROM golang AS gotestsum
-ARG GOTESTSUM_VERSION=v0.4.0
+ARG GOTESTSUM_VERSION=v1.8.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \

dockerfiles/Dockerfile.e2e

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.17.11
+ARG GO_VERSION=1.18.10
 
 # Use Debian based image as docker-compose requires glibc.
 FROM golang:${GO_VERSION}-buster
@@ -18,7 +18,7 @@ ARG NOTARY_VERSION=v0.6.1
 RUN curl -fsSL https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
     && chmod +x /usr/local/bin/notary
 
-ARG GOTESTSUM_VERSION=0.4.0
+ARG GOTESTSUM_VERSION=1.8.2
 RUN curl -fsSL https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz \
     && tar -xf gotestsum.tar.gz gotestsum \
     && mv gotestsum /usr/local/bin/gotestsum \

dockerfiles/Dockerfile.lint

@@ -1,18 +1,19 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.17.11
-ARG GOLANGCI_LINTER_SHA="v1.21.0"
+ARG GO_VERSION=1.18.10
+ARG ALPINE_VERSION=3.16
+ARG GOLANGCI_LINT_VERSION=v1.45.2
 
-FROM    golang:${GO_VERSION}-alpine AS build
+FROM    golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build
 ENV     CGO_ENABLED=0
 RUN     apk add --no-cache git
-ARG     GOLANGCI_LINTER_SHA
+ARG     GOLANGCI_LINT_VERSION
 ARG     GO111MODULE=on
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-        go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINTER_SHA}
+        go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}
 
-FROM    golang:${GO_VERSION}-alpine AS lint
+FROM    golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS lint
 ENV     GO111MODULE=off
 ENV     CGO_ENABLED=0
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1

docs/deprecated.md

@@ -50,6 +50,7 @@ The table below provides an overview of the current status of deprecated feature
 
 | Status     | Feature                                                                                                                            | Deprecated | Remove |
 |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|--------|
+| Deprecated | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | -      |
 | Deprecated | [Support for encrypted TLS private keys](#support-for-encrypted-tls-private-keys)                                                  | v20.10     | -      |
 | Deprecated | [Kubernetes stack and context support](#kubernetes-stack-and-context-support)                                                      | v20.10     | -      |
 | Deprecated | [Pulling images from non-compliant image registries](#pulling-images-from-non-compliant-image-registries)                          | v20.10     | -      |
@@ -67,6 +68,7 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`docker engine` subcommands](#docker-engine-subcommands)                                                                          | v19.03     | v20.10 |
 | Removed    | [Top-level `docker deploy` subcommand (experimental)](#top-level-docker-deploy-subcommand-experimental)                            | v19.03     | v20.10 |
 | Removed    | [`docker stack deploy` using "dab" files (experimental)](#docker-stack-deploy-using-dab-files-experimental)                        | v19.03     | v20.10 |
+| Disabled   | [Support for the `overlay2.override_kernel_check` storage option](#support-for-the-overlay2override_kernel_check-storage-option)   | v19.03     | -      |
 | Deprecated | [AuFS storage driver](#aufs-storage-driver)                                                                                        | v19.03     | -      |
 | Deprecated | [Legacy "overlay" storage driver](#legacy-overlay-storage-driver)                                                                  | v18.09     | -      |
 | Deprecated | [Device mapper storage driver](#device-mapper-storage-driver)                                                                      | v18.09     | -      |
@@ -100,6 +102,21 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13  |
 | Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12  |
 
+
+### Btrfs storage driver on CentOS 7 and RHEL 7
+
+**Deprecated in Release: v20.10.0**
+
+**Target For Removal In Release: v23.0.0**
+
+The `btrfs` storage driver on CentOS and RHEL was provided as a technology preview
+by CentOS and RHEL, but has been deprecated since the [Red Hat Enterprise Linux 7.4 release](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-btrfs),
+and removed in CentOS 8 and RHEL 8. Users of the `btrfs` storage driver on CentOS
+are recommended to migrate to a different storage driver, such as `overlay2`, which
+is now the default storage driver. Docker 23.0 continues to provide the `btrfs`
+storage driver to allow users to migrate to an alternative driver. The next release
+of Docker will no longer provide this driver.
+
 ### Support for encrypted TLS private keys
 
 **Deprecated in Release: v20.10**
@@ -323,6 +340,19 @@ format, support for the DAB file format and the top-level docker deploy command
 (hidden by default in 19.03), will be removed, in favour of `docker stack deploy`
 using compose files.
 
+### Support for the `overlay2.override_kernel_check` storage option
+
+**Deprecated in Release: v19.03**
+**Disabled in Release: v19.03**
+
+This daemon configuration option disabled the Linux kernel version check used
+to detect if the kernel supported OverlayFS with multiple lower dirs, which is
+required for the overlay2 storage driver. Starting with Docker v19.03.7, the
+detection was improved to no longer depend on the kernel _version_, so this
+option was no longer used.
+
+Docker v22.06 logs a warning in the daemon logs if this option is set, and
+users should remove this option from their daemon configuration.
 
 ### AuFS storage driver
 

docs/extend/config.md

@@ -1,5 +1,5 @@
 ---
-description: "How develop and use a plugin with the managed plugin system"
+description: "How to develop and use a plugin with the managed plugin system"
 keywords: "API, Usage, plugins, documentation, developer"
 ---
 
@@ -15,17 +15,14 @@ keywords: "API, Usage, plugins, documentation, developer"
 
 # Plugin Config Version 1 of Plugin V2
 
-This document outlines the format of the V0 plugin configuration. The plugin
-config described herein was introduced in the Docker daemon in the [v1.12.0
-release](https://github.com/docker/docker/commit/f37117045c5398fd3dca8016ea8ca0cb47e7312b).
+This document outlines the format of the V0 plugin configuration.
 
 Plugin configs describe the various constituents of a docker plugin. Plugin
 configs can be serialized to JSON format with the following media types:
 
-Config Type  | Media Type
-------------- | -------------
-config  | "application/vnd.docker.plugin.v1+json"
-
+| Config Type | Media Type                              |
+|-------------|-----------------------------------------|
+| config      | "application/vnd.docker.plugin.v1+json" |
 
 ## *Config* Field Descriptions
 

docs/extend/index.md

@@ -14,9 +14,9 @@ keywords: "API, Usage, plugins, documentation, developer"
 
 # Docker Engine managed plugin system
 
-* [Installing and using a plugin](index.md#installing-and-using-a-plugin)
-* [Developing a plugin](index.md#developing-a-plugin)
-* [Debugging plugins](index.md#debugging-plugins)
+- [Installing and using a plugin](index.md#installing-and-using-a-plugin)
+- [Developing a plugin](index.md#developing-a-plugin)
+- [Debugging plugins](index.md#debugging-plugins)
 
 Docker Engine's plugin system allows you to install, start, stop, and remove
 plugins using Docker Engine.
@@ -70,7 +70,7 @@ enabled, and use it to create a volume.
 
     - It needs access to the `host` network.
     - It needs the `CAP_SYS_ADMIN` capability, which allows the plugin to run
-    the `mount` command.
+      the `mount` command.
 
 2.  Check that the plugin is enabled in the output of `docker plugin ls`.
 
@@ -115,6 +115,7 @@ enabled, and use it to create a volume.
     ```
 
 6.  Remove the volume `sshvolume`
+
     ```console
     $ docker volume rm sshvolume
 
@@ -126,15 +127,15 @@ remove it, use the `docker plugin remove` command. For other available
 commands and options, see the
 [command line reference](https://docs.docker.com/engine/reference/commandline/cli/).
 
-
 ## Developing a plugin
 
 #### The rootfs directory
+
 The `rootfs` directory represents the root filesystem of the plugin. In this
 example, it was created from a Dockerfile:
 
->**Note:** The `/run/docker/plugins` directory is mandatory inside of the
-plugin's filesystem for docker to communicate with the plugin.
+> **Note:** The `/run/docker/plugins` directory is mandatory inside of the
+> plugin's filesystem for docker to communicate with the plugin.
 
 ```console
 $ git clone https://github.com/vieux/docker-volume-sshfs
@@ -155,19 +156,19 @@ Consider the following `config.json` file.
 
 ```json
 {
-	"description": "sshFS plugin for Docker",
-	"documentation": "https://docs.docker.com/engine/extend/plugins/",
-	"entrypoint": ["/docker-volume-sshfs"],
-	"network": {
-		   "type": "host"
-		   },
-	"interface" : {
-		   "types": ["docker.volumedriver/1.0"],
-		   "socket": "sshfs.sock"
-	},
-	"linux": {
-		"capabilities": ["CAP_SYS_ADMIN"]
-	}
+  "description": "sshFS plugin for Docker",
+  "documentation": "https://docs.docker.com/engine/extend/plugins/",
+  "entrypoint": ["/docker-volume-sshfs"],
+  "network": {
+    "type": "host"
+  },
+  "interface": {
+    "types": ["docker.volumedriver/1.0"],
+    "socket": "sshfs.sock"
+  },
+  "linux": {
+    "capabilities": ["CAP_SYS_ADMIN"]
+  }
 }
 ```
 
@@ -187,7 +188,6 @@ After that the plugin `<plugin-name>` will show up in `docker plugin ls`.
 Plugins can be pushed to remote registries with
 `docker plugin push <plugin-name>`.
 
-
 ## Debugging plugins
 
 Stdout of a plugin is redirected to dockerd logs. Such entries have a
@@ -226,7 +226,7 @@ plugins. This is specifically useful to collect plugin logs if they are
 redirected to a file.
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins list
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby list
 
 ID                                                                 PID         STATUS      BUNDLE                                                                                                                                       CREATED                          OWNER
 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   15806       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   2018-02-08T21:40:08.621358213Z   root
@@ -235,14 +235,14 @@ c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   14984       r
 ```
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
 ```
 
 If the plugin has a built-in shell, then exec into the plugin can be done as
 follows:
 
 ```console
-$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
+$ sudo runc --root /run/docker/runtime-runc/plugins.moby exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
 ```
 
 #### Using curl to debug plugin socket issues.
@@ -253,7 +253,6 @@ docker host to volume and network plugins using curl 7.47.0 to ensure that
 the plugin is listening on the said socket. For a well functioning plugin,
 these basic requests should work. Note that plugin sockets are available on the host under `/var/run/docker/plugins/<pluginID>`
 
-
 ```console
 $ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List
 

docs/reference/builder.md

@@ -1060,7 +1060,7 @@ If an environment variable is only needed during build, and not in the final
 image, consider setting a value for a single command instead:
 
 ```dockerfile
-RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y ...
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y ...
 ```
  
 Or using [`ARG`](#arg), which is not persisted in the final image:

docs/reference/commandline/attach.md

@@ -45,12 +45,12 @@ a container and leave it running using the `CTRL-p CTRL-q` key sequence.
 > so.
 
 It is forbidden to redirect the standard input of a `docker attach` command
-while attaching to a tty-enabled container (i.e.: launched with `-t`).
+while attaching to a TTY-enabled container (using the `-i` and `-t` options).
 
-While a client is connected to container's stdio using `docker attach`, Docker
-uses a ~1MB memory buffer to maximize the throughput of the application. If
-this buffer is filled, the speed of the API connection will start to have an
-effect on the process output writing speed. This is similar to other
+While a client is connected to container's `stdio` using `docker attach`, Docker
+uses a ~1MB memory buffer to maximize the throughput of the application.
+Once this buffer is full, the speed of the API connection is affected, and so
+this impacts the output process' writing speed. This is similar to other
 applications like SSH. Because of this, it is not recommended to run
 performance critical applications that generate a lot of output in the
 foreground over a slow client connection. Instead, users should use the
@@ -84,45 +84,68 @@ containers, see [**Configuration file** section](cli.md#configuration-files).
 
 ### Attach to and detach from a running container
 
+The following example starts an ubuntu container running `top` in detached mode,
+then attaches to the container;
+
 ```console
-$ docker run -d --name topdemo ubuntu /usr/bin/top -b
+$ docker run -d --name topdemo ubuntu:22.04 /usr/bin/top -b
 
 $ docker attach topdemo
 
-top - 02:05:52 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
+top - 12:27:44 up 3 days, 21:54,  0 users,  load average: 0.00, 0.00, 0.00
 Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
-Cpu(s):  0.1%us,  0.2%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
-Mem:    373572k total,   355560k used,    18012k free,    27872k buffers
-Swap:   786428k total,        0k used,   786428k free,   221740k cached
+%Cpu(s):  0.1 us,  0.1 sy,  0.0 ni, 99.8 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
+MiB Mem :   3934.3 total,    770.1 free,    674.2 used,   2490.1 buff/cache
+MiB Swap:   1024.0 total,    839.3 free,    184.7 used.   2814.0 avail Mem
 
-PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
- 1 root      20   0 17200 1116  912 R    0  0.3   0:00.03 top
+  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+    1 root      20   0    7180   2896   2568 R   0.0   0.1   0:00.02 top
+```
 
- top - 02:05:55 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
- Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
- Cpu(s):  0.0%us,  0.2%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
- Mem:    373572k total,   355244k used,    18328k free,    27872k buffers
- Swap:   786428k total,        0k used,   786428k free,   221776k cached
+As the container was started without the `-i`, and `-t` options, signals are
+forwarded to the attached process, which means that the default `CTRL-p CTRL-q`
+detach key sequence produces no effect, but pressing `CTRL-c` terminates the
+container:
 
-   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
-       1 root      20   0 17208 1144  932 R    0  0.3   0:00.03 top
+```console
+<...>
+  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+    1 root      20   0    7180   2896   2568 R   0.0   0.1   0:00.02 top^P^Q
+^C
 
+$ docker ps -a --filter name=topdemo
 
- top - 02:05:58 up  3:06,  0 users,  load average: 0.01, 0.02, 0.05
- Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
- Cpu(s):  0.2%us,  0.3%sy,  0.0%ni, 99.5%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
- Mem:    373572k total,   355780k used,    17792k free,    27880k buffers
- Swap:   786428k total,        0k used,   786428k free,   221776k cached
+CONTAINER ID   IMAGE          COMMAND             CREATED              STATUS                          PORTS     NAMES
+4cf0d0ebb079   ubuntu:22.04   "/usr/bin/top -b"   About a minute ago   Exited (0) About a minute ago             topdemo
+```
 
- PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
-      1 root      20   0 17208 1144  932 R    0  0.3   0:00.03 top
-^C$
+Repeating the example above, but this time with the `-i` and `-t` options set;
 
-$ echo $?
-0
-$ docker ps -a | grep topdemo
+```console
+$ docker run -dit --name topdemo2 ubuntu:22.04 /usr/bin/top -b
+```
 
-7998ac8581f9        ubuntu:14.04        "/usr/bin/top -b"   38 seconds ago      Exited (0) 21 seconds ago                          topdemo
+Now, when attaching to the container, and pressing the `CTRL-p CTRL-q` ("read
+escape sequence"), the Docker CLI is handling the detach sequence, and the
+`attach` command is detached from the container. Checking the container's status
+with `docker ps` shows that the container is still running in the background:
+
+```console
+$ docker attach topdemo2
+
+top - 12:44:32 up 3 days, 22:11,  0 users,  load average: 0.00, 0.00, 0.00
+Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+%Cpu(s): 50.0 us,  0.0 sy,  0.0 ni, 50.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
+MiB Mem :   3934.3 total,    770.6 free,    672.4 used,   2491.4 buff/cache
+MiB Swap:   1024.0 total,    839.3 free,    184.7 used.   2815.8 avail Mem
+
+  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+    1 root      20   0    7180   2776   2452 R   0.0   0.1   0:00.02 topread escape sequence
+
+$ docker ps -a --filter name=topdemo2
+
+CONTAINER ID   IMAGE          COMMAND             CREATED         STATUS         PORTS     NAMES
+b1661dce0fc2   ubuntu:22.04   "/usr/bin/top -b"   2 minutes ago   Up 2 minutes             topdemo2
 ```
 
 ### Get the exit code of the container's command
@@ -131,18 +154,17 @@ And in this second example, you can see the exit code returned by the `bash`
 process is returned by the `docker attach` command to its caller too:
 
 ```console
-$ docker run --name test -d -it debian
+$ docker run --name test -dit alpine
 275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab
 
 $ docker attach test
-root@f38c87f2a42d:/# exit 13
-
-exit
+/# exit 13
 
 $ echo $?
 13
 
-$ docker ps -a | grep test
+$ docker ps -a --filter name=test
 
-275c44472aeb        debian:7            "/bin/bash"         26 seconds ago      Exited (13) 17 seconds ago                         test
+CONTAINER ID   IMAGE     COMMAND     CREATED              STATUS                       PORTS     NAMES
+a2fe3fd886db   alpine    "/bin/sh"   About a minute ago   Exited (13) 40 seconds ago             test
 ```

docs/reference/commandline/build.md

@@ -323,16 +323,16 @@ directory from the context. Its effect can be seen in the changed size of the
 uploaded context. The builder reference contains detailed information on
 [creating a .dockerignore file](../builder.md#dockerignore-file).
 
-When using the [BuildKit backend](../builder.md#buildkit), `docker build` searches
-for a `.dockerignore` file relative to the Dockerfile name. For example, running
-`docker build -f myapp.Dockerfile .` will first look for an ignore file named
-`myapp.Dockerfile.dockerignore`. If such a file is not found, the `.dockerignore`
-file is used if present. Using a Dockerfile based `.dockerignore` is useful if a
-project contains multiple Dockerfiles that expect to ignore different sets of
-files.
+When using the [BuildKit backend](https://docs.docker.com/build/buildkit/),
+`docker build` searches for a `.dockerignore` file relative to the Dockerfile
+name. For example, running `docker build -f myapp.Dockerfile .` will first look
+for an ignore file named `myapp.Dockerfile.dockerignore`. If such a file is not
+found, the `.dockerignore` file is used if present. Using a Dockerfile based
+`.dockerignore` is useful if a project contains multiple Dockerfiles that
+expect to ignore different sets of files.
 
 
-### Tag an image (-t)
+### <a name="tag"></a> Tag an image (-t, --tag)
 
 ```console
 $ docker build -t vieux/apache:2.0 .
@@ -352,7 +352,7 @@ For example, to tag an image both as `whenry/fedora-jboss:latest` and
 $ docker build -t whenry/fedora-jboss:latest -t whenry/fedora-jboss:v2.1 .
 ```
 
-### Specify a Dockerfile (-f)
+### <a name="file"></a> Specify a Dockerfile (-f, --file)
 
 ```console
 $ docker build -f Dockerfile.debug .
@@ -399,17 +399,17 @@ the command line.
 > repeatable builds on remote Docker hosts. This is also the reason why
 > `ADD ../file` does not work.
 
-### Use a custom parent cgroup (--cgroup-parent)
+### <a name="cgroup-parent"></a> Use a custom parent cgroup (--cgroup-parent)
 
 When `docker build` is run with the `--cgroup-parent` option the containers
 used in the build will be run with the [corresponding `docker run` flag](../run.md#specify-custom-cgroups).
 
-### Set ulimits in container (--ulimit)
+### <a name="ulimit"></a> Set ulimits in container (--ulimit)
 
 Using the `--ulimit` option with `docker build` will cause each build step's
-container to be started using those [`--ulimit` flag values](run.md#set-ulimits-in-container---ulimit).
+container to be started using those [`--ulimit` flag values](run.md#ulimit).
 
-### Set build-time variables (--build-arg)
+### <a name="build-arg"></a> Set build-time variables (--build-arg)
 
 You can use `ENV` instructions in a Dockerfile to define variable
 values. These values persist in the built image. However, often
@@ -444,16 +444,16 @@ $ export HTTP_PROXY=http://10.20.30.2:1234
 $ docker build --build-arg HTTP_PROXY .
 ```
 
-This is similar to how `docker run -e` works. Refer to the [`docker run` documentation](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file)
+This is similar to how `docker run -e` works. Refer to the [`docker run` documentation](run.md#env)
 for more information.
 
-### Optional security options (--security-opt)
+### <a name="security-opt"></a> Optional security options (--security-opt)
 
 This flag is only supported on a daemon running on Windows, and only supports
 the `credentialspec` option. The `credentialspec` must be in the format
 `file://spec.txt` or `registry://keyname`.
 
-### Specify isolation technology for container (--isolation)
+### <a name="isolation"></a> Specify isolation technology for container (--isolation)
 
 This option is useful in situations where you are running Docker containers on
 Windows. The `--isolation=<value>` option sets a container's isolation
@@ -469,7 +469,7 @@ Linux namespaces. On Microsoft Windows, you can specify these values:
 
 Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
 
-### Add entries to container hosts file (--add-host)
+### <a name="add-host"></a> Add entries to container hosts file (--add-host)
 
 You can add other hosts into a container's `/etc/hosts` file by using one or
 more `--add-host` flags. This example adds a static address for a host named
@@ -477,7 +477,7 @@ more `--add-host` flags. This example adds a static address for a host named
 
     $ docker build --add-host=docker:10.180.0.1 .
 
-### Specifying target build stage (--target)
+### <a name="target"></a> Specifying target build stage (--target)
 
 When building a Dockerfile with multiple build stages, `--target` can be used to
 specify an intermediate build stage by name as a final stage for the resulting
@@ -495,7 +495,14 @@ FROM alpine AS production-env
 $ docker build -t mybuildimage --target build-env .
 ```
 
-### Custom build outputs
+### <a name="output"></a> Custom build outputs (--output)
+
+> **Note**
+>
+> This feature requires the BuildKit backend. You can either
+> [enable BuildKit](https://docs.docker.com/build/buildkit/#getting-started) or
+> use the [buildx](https://github.com/docker/buildx) plugin which provides more
+> output type options.
 
 By default, a local container image is created from the build result. The
 `--output` (or `-o`) flag allows you to override this behavior, and a specify a
@@ -582,13 +589,14 @@ $ ls ./out
 vndr
 ```
 
+### <a name="cache-from"></a> Specifying external cache sources (--cache-from)
+
 > **Note**
 >
 > This feature requires the BuildKit backend. You can either
-> [enable BuildKit](../builder.md#buildkit) or use the [buildx](https://github.com/docker/buildx)
-> plugin which provides more output type options.
-
-### Specifying external cache sources
+> [enable BuildKit](https://docs.docker.com/build/buildkit/#getting-started) or
+> use the [buildx](https://github.com/docker/buildx) plugin. The previous
+> builder has limited support for reusing cache from pre-pulled images.
 
 In addition to local build cache, the builder can reuse the cache generated from
 previous builds with the `--cache-from` flag pointing to an image in the registry.
@@ -624,14 +632,7 @@ On another machine:
 $ docker build --cache-from myname/myapp .
 ```
 
-> **Note**
->
-> This feature requires the BuildKit backend. You can either
-> [enable BuildKit](../builder.md#buildkit) or use the [buildx](https://github.com/docker/buildx)
-> plugin. The previous builder has limited support for reusing cache from
-> pre-pulled images.
-
-### Squash an image's layers (--squash) (experimental)
+### <a name="squash"></a> Squash an image's layers (--squash) (experimental)
 
 #### Overview
 

docs/reference/commandline/cli.md

@@ -78,7 +78,7 @@ line:
 | `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                          |
 | `DOCKER_STACK_ORCHESTRATOR`   | Configure the default orchestrator to use when using `docker stack` management commands.                                              |
 | `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
-| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](../builder.md#buildkit). Use plain to show container output (default `auto`). |
+| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
 
 Because Docker is developed using Go, you can also use any environment
 variables used by the Go runtime. In particular, you may find these useful:
@@ -154,17 +154,17 @@ different location.
 These fields allow you to customize the default output format for some commands
 if no `--format` flag is provided.
 
-| Property               | Description                                                                                                                                                                                                                         |
-|:-----------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `configFormat`         | Custom default format for `docker config ls` output. Refer to the [**format the output** section in the `docker config ls` documentation](config_ls.md#format-the-output) for a list of supported formatting directives.            |
-| `imagesFormat`         | Custom default format for `docker images` / `docker image ls` output. Refer to the [**format the output** section in the `docker images` documentation](images.md#format-the-output) for a list of supported formatting directives. |
-| `nodesFormat`          | Custom default format for `docker node ls` output. Refer to the [**formatting** section in the `docker node ls` documentation](node_ls.md#formatting) for a list of supported formatting directives.                                |
-| `pluginsFormat`        | Custom default format for `docker plugin ls` output. Refer to the [**formatting** section in the `docker plugin ls` documentation](plugin_ls.md#formatting) for a list of supported formatting directives.                          |
-| `psFormat`             | Custom default format for `docker ps` / `docker container ps` output. Refer to the [**formatting** section in the `docker ps` documentation](ps.md#formatting) for a list of supported formatting directives.                       |
-| `secretFormat`         | Custom default format for `docker secret ls` output. Refer to the [**format the output** section in the `docker secret ls` documentation](secret_ls.md#format-the-output) for a list of supported formatting directives.            |
-| `serviceInspectFormat` | Custom default format for `docker service inspect` output. Refer to the [**formatting** section in the `docker service inspect` documentation](service_inspect.md#formatting) for a list of supported formatting directives.        |
-| `servicesFormat`       | Custom default format for `docker service ls` output. Refer to the [**formatting** section in the `docker service ls` documentation](service_ls.md#formatting) for a list of supported formatting directives.                       |
-| `statsFormat`          | Custom default format for `docker stats` output. Refer to the [**formatting** section in the `docker stats` documentation](stats.md#formatting) for a list of supported formatting directives.                                      |
+| Property               | Description                                                                                                                                                                                                              |
+|:-----------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `configFormat`         | Custom default format for `docker config ls` output. Refer to the [**format the output** section in the `docker config ls` documentation](config_ls.md#format) for a list of supported formatting directives.            |
+| `imagesFormat`         | Custom default format for `docker images` / `docker image ls` output. Refer to the [**format the output** section in the `docker images` documentation](images.md#format) for a list of supported formatting directives. |
+| `nodesFormat`          | Custom default format for `docker node ls` output. Refer to the [**formatting** section in the `docker node ls` documentation](node_ls.md#format) for a list of supported formatting directives.                         |
+| `pluginsFormat`        | Custom default format for `docker plugin ls` output. Refer to the [**formatting** section in the `docker plugin ls` documentation](plugin_ls.md#format) for a list of supported formatting directives.                   |
+| `psFormat`             | Custom default format for `docker ps` / `docker container ps` output. Refer to the [**formatting** section in the `docker ps` documentation](ps.md#format) for a list of supported formatting directives.                |
+| `secretFormat`         | Custom default format for `docker secret ls` output. Refer to the [**format the output** section in the `docker secret ls` documentation](secret_ls.md#format) for a list of supported formatting directives.            |
+| `serviceInspectFormat` | Custom default format for `docker service inspect` output. Refer to the [**formatting** section in the `docker service inspect` documentation](service_inspect.md#format) for a list of supported formatting directives. |
+| `servicesFormat`       | Custom default format for `docker service ls` output. Refer to the [**formatting** section in the `docker service ls` documentation](service_ls.md#format) for a list of supported formatting directives.                |
+| `statsFormat`          | Custom default format for `docker stats` output. Refer to the [**formatting** section in the `docker stats` documentation](stats.md#format) for a list of supported formatting directives.                               |
 
 
 ### Custom HTTP headers

docs/reference/commandline/commit.md

@@ -47,8 +47,8 @@ created.  Supported `Dockerfile` instructions:
 $ docker ps
 
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
-c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
-197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+c3f279d17e0a        ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
 
 $ docker commit c3f279d17e0a  svendowideit/testimage:version3
 
@@ -60,14 +60,14 @@ REPOSITORY                        TAG                 ID                  CREATE
 svendowideit/testimage            version3            f5283438590d        16 seconds ago      335.7 MB
 ```
 
-### Commit a container with new configurations
+### <a name="change"></a> Commit a container with new configurations (--change)
 
 ```console
 $ docker ps
 
 CONTAINER ID       IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
-c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
-197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+c3f279d17e0a       ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436       ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
 
 $ docker inspect -f "{{ .Config.Env }}" c3f279d17e0a
 
@@ -88,8 +88,8 @@ $ docker inspect -f "{{ .Config.Env }}" f5283438590d
 $ docker ps
 
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
-c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
-197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+c3f279d17e0a        ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:22.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
 
 $ docker commit --change='CMD ["apachectl", "-DFOREGROUND"]' -c "EXPOSE 80" c3f279d17e0a  svendowideit/testimage:version4
 
@@ -103,6 +103,6 @@ $ docker ps
 
 CONTAINER ID        IMAGE               COMMAND                 CREATED             STATUS              PORTS              NAMES
 89373736e2e7        testimage:version4  "apachectl -DFOREGROU"  3 seconds ago       Up 2 seconds        80/tcp             distracted_fermat
-c3f279d17e0a        ubuntu:12.04        /bin/bash               7 days ago          Up 25 hours                            desperate_dubinsky
-197387f1b436        ubuntu:12.04        /bin/bash               7 days ago          Up 25 hours                            focused_hamilton
+c3f279d17e0a        ubuntu:22.04        /bin/bash               7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:22.04        /bin/bash               7 days ago          Up 25 hours                            focused_hamilton
 ```

docs/reference/commandline/config_create.md

@@ -57,7 +57,7 @@ ID                          NAME                CREATED             UPDATED
 dg426haahpi5ezmkkj5kyl3sn   my_config           7 seconds ago       7 seconds ago
 ```
 
-### Create a config with labels
+### <a name="label"></a> Create a config with labels (-l, --label)
 
 ```console
 $ docker config create \

docs/reference/commandline/config_inspect.md

@@ -77,7 +77,7 @@ The output is in JSON format, for example:
 ]
 ```
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 You can use the --format option to obtain specific information about a
 config. The following example command outputs the creation time of the

docs/reference/commandline/config_ls.md

@@ -45,7 +45,7 @@ ID                          NAME                        CREATED             UPDA
 mem02h8n73mybpgqjf0kfi1n0   test_config                 3 seconds ago       3 seconds ago
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (-f, --filter)
 
 The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -105,7 +105,7 @@ ID                          NAME                        CREATED             UPDA
 mem02h8n73mybpgqjf0kfi1n0   test_config                 About an hour ago   About an hour ago
 ```
 
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) pretty prints configs output
 using a Go template.

docs/reference/commandline/container_prune.md

@@ -37,7 +37,7 @@ f98f9c2aa1eaf727e4ec9c0283bc7d4aa4762fbdba7f26191f26c97f64090360
 Total reclaimed space: 212 B
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)

docs/reference/commandline/context_create.md

@@ -69,7 +69,7 @@ $ docker context create \
     my-context
 ```
 
-### Create a context based on an existing context
+### <a name="from"></a> Create a context based on an existing context (--from)
 
 Use the `--from=<context-name>` option to create a new context from
 an existing context. The example below creates a new context named `my-context`

docs/reference/commandline/cp.md

@@ -112,7 +112,7 @@ $ docker cp CONTAINER:/var/logs/app.log - | tar x -O | grep "ERROR"
 ### Corner cases
 
 It is not possible to copy certain system files such as resources under
-`/proc`, `/sys`, `/dev`, [tmpfs](run.md#mount-tmpfs---tmpfs), and mounts created by
+`/proc`, `/sys`, `/dev`, [tmpfs](run.md#tmpfs), and mounts created by
 the user in the container. However, you can still copy such files by manually
 running `tar` in `docker exec`. Both of the following examples do the same thing
 in different ways (consider `SRC_PATH` and `DEST_PATH` are directories):

docs/reference/commandline/dockerd.md

@@ -77,8 +77,8 @@ Options:
       --log-driver string                     Default driver for container logs (default "json-file")
   -l, --log-level string                      Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
       --log-opt map                           Default log driver options for containers (default map[])
-      --max-concurrent-downloads int          Set the max concurrent downloads for each pull (default 3)
-      --max-concurrent-uploads int            Set the max concurrent uploads for each push (default 5)
+      --max-concurrent-downloads int          Set the max concurrent downloads (default 3)
+      --max-concurrent-uploads int            Set the max concurrent uploads (default 5)
       --max-download-attempts int             Set the max download attempts for each pull (default 5)
       --metrics-addr string                   Set default address and port to serve the metrics api on
       --mtu int                               Set the containers network MTU
@@ -820,20 +820,11 @@ $ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
 
 #### Overlay2 options
 
-##### `overlay2.override_kernel_check`
-
-Overrides the Linux kernel version check allowing overlay2. Support for
-specifying multiple lower directories needed by overlay2 was added to the
-Linux kernel in 4.0.0. However, some older kernel versions may be patched
-to add multiple lower directory support for OverlayFS. This option should
-only be used after verifying this support exists in the kernel. Applying
-this option on a kernel without this support will cause failures on mount.
-
 ##### `overlay2.size`
 
 Sets the default max size of the container. It is supported only when the
 backing fs is `xfs` and mounted with `pquota` mount option. Under these
-conditions the user can pass any size less then the backing fs size.
+conditions the user can pass any size less than the backing fs size.
 
 ###### Example
 

docs/reference/commandline/events.md

@@ -141,7 +141,7 @@ Docker configs report the following events:
 
 ### Limiting, filtering, and formatting the output
 
-#### Limit events by time
+#### <a name="since"></a> Limit events by time (--since, --until)
 
 The `--since` and `--until` parameters can be Unix timestamps, date formatted
 timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
@@ -159,7 +159,7 @@ fraction of a second no more than nine digits long.
 Only the last 1000 log events are returned. You can use filters to further limit
 the number of events returned.
 
-#### Filtering
+#### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is of "key=value". If you would
 like to use multiple filters, pass multiple flags (e.g.,
@@ -190,7 +190,7 @@ The currently supported filters are:
 * type (`type=<container or image or volume or network or daemon or plugin or service or node or secret or config>`)
 * volume (`volume=<name>`)
 
-#### Format
+#### <a name="format"></a> Format the output (--format)
 
 If a format (`--format`) is specified, the given template will be executed
 instead of the default
@@ -340,8 +340,8 @@ $ docker events --filter 'type=network'
 
 $ docker events --filter 'container=container_1' --filter 'container=container_2'
 
-2014-09-03T15:49:29.999999999Z07:00 container die 4386fb97867d (image=ubuntu-1:14.04)
-2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+2014-09-03T15:49:29.999999999Z07:00 container die 4386fb97867d (image=ubuntu:22.04)
+2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu:22.04)
 2014-05-10T17:42:14.999999999Z07:00 container die 7805c1d35632 (imager=redis:2.8)
 2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
 

docs/reference/commandline/exec.md

@@ -32,13 +32,13 @@ The command started using `docker exec` only runs while the container's primary
 process (`PID 1`) is running, and it is not restarted if the container is
 restarted.
 
-COMMAND will run in the default directory of the container. If the
-underlying image has a custom directory specified with the WORKDIR directive
-in its Dockerfile, this will be used instead.
+COMMAND runs in the default directory of the container. If the underlying image
+has a custom directory specified with the WORKDIR directive in its Dockerfile,
+this directory is used instead.
 
-COMMAND should be an executable, a chained or a quoted command
-will not work. Example: `docker exec -ti my_container "echo a && echo b"` will
-not work, but `docker exec -ti my_container sh -c "echo a && echo b"` will.
+COMMAND must be an executable. A chained or a quoted command does not work.
+For example, `docker exec -it my_container sh -c "echo a && echo b"` works,
+work, but `docker exec -it my_container "echo a && echo b"` does not.
 
 ## Examples
 
@@ -47,70 +47,91 @@ not work, but `docker exec -ti my_container sh -c "echo a && echo b"` will.
 First, start a container.
 
 ```console
-$ docker run --name ubuntu_bash --rm -i -t ubuntu bash
+$ docker run --name mycontainer -d -i -t alpine /bin/sh
 ```
 
-This will create a container named `ubuntu_bash` and start a Bash session.
+This creates and starts a container named `mycontainer` from an `alpine` image
+with an `sh` shell as its main process. The `-d` option (shorthand for `--detach`)
+sets the container to run in the background, in detached mode, with a pseudo-TTY
+attached (`-t`). The `-i` option is set to keep `STDIN` attached (`-i`), which
+prevents the `sh` process from exiting immediately.
 
 Next, execute a command on the container.
 
 ```console
-$ docker exec -d ubuntu_bash touch /tmp/execWorks
+$ docker exec -d mycontainer touch /tmp/execWorks
 ```
 
-This will create a new file `/tmp/execWorks` inside the running container
-`ubuntu_bash`, in the background.
+This creates a new file `/tmp/execWorks` inside the running container
+`mycontainer`, in the background.
 
-Next, execute an interactive `bash` shell on the container.
+Next, execute an interactive `sh` shell on the container.
 
 ```console
-$ docker exec -it ubuntu_bash bash
+$ docker exec -it mycontainer sh
 ```
 
-This will create a new Bash session in the container `ubuntu_bash`.
+This starts a new shell session in the container `mycontainer`.
 
-Next, set an environment variable in the current bash session.
+### <a name="env"></a> Set environment variables for the exec process (--env, -e)
+
+Next, set environment variables in the current bash session.
+
+By default, the `docker exec` command, inherits the environment variables that
+are set at the time the container is created. Use the `--env` (or the `-e` shorthand)
+to override global environment variables, or to set additional environment variables
+for the process started by `docker exec`.
+
+The example below creates a new shell session in the container `mycontainer` with
+environment variables `$VAR_A` and `$VAR_B` set to "1" and "2" respectively.
+These environment variables are only valid for the `sh` process started by that
+`docker exec` command, and are not available to other processes running inside
+the container.
 
 ```console
-$ docker exec -it -e VAR=1 ubuntu_bash bash
+$ docker exec -e VAR_A=1 -e VAR_B=2 mycontainer env
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+HOSTNAME=f64a4851eb71
+VAR_A=1
+VAR_B=2
+HOME=/root
 ```
 
-This will create a new Bash session in the container `ubuntu_bash` with environment
-variable `$VAR` set to "1". Note that this environment variable will only be valid
-on the current Bash session.
+### <a name="workdir"></a> Set the working directory for the exec process (--workdir, -w)
 
-By default `docker exec` command runs in the same working directory set when container was created.
+By default `docker exec` command runs in the same working directory set when 
+the container was created.
 
 ```console
-$ docker exec -it ubuntu_bash pwd
+$ docker exec -it mycontainer pwd
 /
 ```
 
-You can select working directory for the command to execute into
+You can specify an alternative working directory for the command to execute 
+using the `--workdir` option (or the `-w` shorthand):
 
 ```console
-$ docker exec -it -w /root ubuntu_bash pwd
+$ docker exec -it -w /root mycontainer pwd
 /root
 ```
 
 
 ### Try to run `docker exec` on a paused container
 
-If the container is paused, then the `docker exec` command will fail with an error:
+If the container is paused, then the `docker exec` command fails with an error:
 
 ```console
-$ docker pause test
-
-test
+$ docker pause mycontainer
+mycontainer
 
 $ docker ps
 
-CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                   PORTS               NAMES
-1ae3b36715d2        ubuntu:latest       "bash"              17 seconds ago      Up 16 seconds (Paused)                       test
+CONTAINER ID   IMAGE     COMMAND     CREATED          STATUS                   PORTS     NAMES
+482efdf39fac   alpine    "/bin/sh"   17 seconds ago   Up 16 seconds (Paused)             mycontainer
 
-$ docker exec test ls
+$ docker exec mycontainer sh
 
-FATA[0000] Error response from daemon: Container test is paused, unpause the container before exec
+Error response from daemon: Container mycontainer is paused, unpause the container before exec
 
 $ echo $?
 1

docs/reference/commandline/export.md

@@ -23,7 +23,7 @@ with the container. If a volume is mounted on top of an existing directory in
 the container, `docker export` will export the contents of the *underlying*
 directory, not the contents of the volume.
 
-Refer to [Backup, restore, or migrate data volumes](https://docs.docker.com/storage/volumes/#backup-restore-or-migrate-data-volumes)
+Refer to [Backup, restore, or migrate data volumes](https://docs.docker.com/storage/volumes/#back-up-restore-or-migrate-data-volumes)
 in the user guide for examples on exporting data in a volume.
 
 ## Examples

docs/reference/commandline/history.md

@@ -47,7 +47,7 @@ c69cab00d6ef        5 months ago        /bin/sh -c #(nop) MAINTAINER Lokesh Mand
 511136ea3c5a        19 months ago                                                       0 B                 Imported from -
 ```
 
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) will pretty-prints history output
 using a Go template.

docs/reference/commandline/image_prune.md

@@ -59,7 +59,7 @@ deleted: sha256:2c675ee9ed53425e31a13e3390bf3f539bf8637000e4bcfbb85ee03ef4d910a1
 Total reclaimed space: 16.43 MB
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)

docs/reference/commandline/images.md

@@ -103,7 +103,7 @@ $ docker images java:0
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
 ```
 
-### List the full length image IDs
+### <a name="no-trunc"></a> List the full length image IDs (--no-trunc)
 
 ```console
 $ docker images --no-trunc
@@ -120,7 +120,7 @@ tryout                        latest              sha256:2629d1fa0b81b222fca6337
 <none>                        <none>              sha256:5ed6274db6ceb2397844896966ea239290555e74ef307030ebb01ff91b1914df   24 hours ago        1.089 GB
 ```
 
-### List image digests
+### <a name="digests"></a> List image digests (--digests)
 
 Images that use the v2 or later format have a content-addressable identifier
 called a `digest`. As long as the input used to generate the image is
@@ -138,7 +138,7 @@ output includes the image digest. You can `pull` using a digest value. You can
 also reference by digest in `create`, `run`, and `rmi` commands, as well as the
 `FROM` image reference in a Dockerfile.
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -286,7 +286,7 @@ busybox             uclibc              e02e811dd08f        5 weeks ago
 busybox             glibc               21c16b6787c6        5 weeks ago         4.19 MB
 ```
 
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) will pretty print container output
 using a Go template.

docs/reference/commandline/info.md

@@ -40,9 +40,9 @@ available on the volume where `/var/lib/docker` is mounted.
 
 ### Show output
 
-The example below shows the output for a daemon running on Red Hat Enterprise Linux,
-using the `devicemapper` storage driver. As can be seen in the output, additional
-information about the `devicemapper` storage driver is shown:
+The example below shows the output for a daemon running on Ubuntu Linux,
+using the `overlay2` storage driver. As can be seen in the output, additional
+information about the `overlay2` storage driver is shown:
 
 ```console
 $ docker info
@@ -50,6 +50,16 @@ $ docker info
 Client:
  Context:    default
  Debug Mode: false
+ Plugins:
+  buildx: Docker Buildx (Docker Inc.)
+    Version:  v0.8.2
+    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
+  compose: Docker Compose (Docker Inc.)
+    Version:  v2.6.0
+    Path:     /usr/libexec/docker/cli-plugins/docker-compose
+  scan: Docker Scan (Docker Inc.)
+    Version:  v0.17.0
+    Path:     /usr/libexec/docker/cli-plugins/docker-scan
 
 Server:
  Containers: 14
@@ -57,142 +67,52 @@ Server:
   Paused: 1
   Stopped: 10
  Images: 52
- Server Version: 1.10.3
- Storage Driver: devicemapper
-  Pool Name: docker-202:2-25583803-pool
-  Pool Blocksize: 65.54 kB
-  Base Device Size: 10.74 GB
-  Backing Filesystem: xfs
-  Data file: /dev/loop0
-  Metadata file: /dev/loop1
-  Data Space Used: 1.68 GB
-  Data Space Total: 107.4 GB
-  Data Space Available: 7.548 GB
-  Metadata Space Used: 2.322 MB
-  Metadata Space Total: 2.147 GB
-  Metadata Space Available: 2.145 GB
-  Udev Sync Supported: true
-  Deferred Removal Enabled: false
-  Deferred Deletion Enabled: false
-  Deferred Deleted Device Count: 0
-  Data loop file: /var/lib/docker/devicemapper/devicemapper/data
-  Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
-  Library Version: 1.02.107-RHEL7 (2015-12-01)
- Execution Driver: native-0.2
+ Server Version: 22.06.0
+ Storage Driver: overlay2
+  Backing Filesystem: extfs
+  Supports d_type: true
+  Using metacopy: false
+  Native Overlay Diff: true
+  userxattr: false
  Logging Driver: json-file
+ Cgroup Driver: systemd
+ Cgroup Version: 2
  Plugins:
   Volume: local
-  Network: null host bridge
- Kernel Version: 3.10.0-327.el7.x86_64
- Operating System: Red Hat Enterprise Linux Server 7.2 (Maipo)
+  Network: bridge host ipvlan macvlan null overlay
+  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
+ Swarm: inactive
+ Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
+ Default Runtime: runc
+ Init Binary: docker-init
+ containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
+ runc version: v1.1.1-0-g52de29d
+ init version: de40ad0
+ Security Options:
+  apparmor
+  seccomp
+   Profile: builtin
+  cgroupns
+ Kernel Version: 5.15.0-25-generic
+ Operating System: Ubuntu 22.04 LTS
  OSType: linux
  Architecture: x86_64
  CPUs: 1
  Total Memory: 991.7 MiB
  Name: ip-172-30-0-91.ec2.internal
- ID: I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S
+ ID: 4cee4408-10d2-4e17-891c-a41736ac4536
  Docker Root Dir: /var/lib/docker
  Debug Mode: false
  Username: gordontheturtle
  Registry: https://index.docker.io/v1/
+ Experimental: false
  Insecure registries:
   myinsecurehost:5000
   127.0.0.0/8
-```
-
-### Show debugging output
-
-Here is a sample output for a daemon running on Ubuntu, using the overlay2
-storage driver and a node that is part of a 2-node swarm:
-
-```console
-$ docker --debug info
-
-Client:
- Context:    default
- Debug Mode: true
-
-Server:
- Containers: 14
-  Running: 3
-  Paused: 1
-  Stopped: 10
- Images: 52
- Server Version: 1.13.0
- Storage Driver: overlay2
-  Backing Filesystem: extfs
-  Supports d_type: true
-  Native Overlay Diff: false
- Logging Driver: json-file
- Cgroup Driver: cgroupfs
- Plugins:
-  Volume: local
-  Network: bridge host macvlan null overlay
- Swarm: active
-  NodeID: rdjq45w1op418waxlairloqbm
-  Is Manager: true
-  ClusterID: te8kdyw33n36fqiz74bfjeixd
-  Managers: 1
-  Nodes: 2
-  Orchestration:
-   Task History Retention Limit: 5
-  Raft:
-   Snapshot Interval: 10000
-   Number of Old Snapshots to Retain: 0
-   Heartbeat Tick: 1
-   Election Tick: 3
-  Dispatcher:
-   Heartbeat Period: 5 seconds
-  CA Configuration:
-   Expiry Duration: 3 months
-  Root Rotation In Progress: false
-  Node Address: 172.16.66.128 172.16.66.129
-  Manager Addresses:
-   172.16.66.128:2477
- Runtimes: runc
- Default Runtime: runc
- Init Binary: docker-init
- containerd version: 8517738ba4b82aff5662c97ca4627e7e4d03b531
- runc version: ac031b5bf1cc92239461125f4c1ffb760522bbf2
- init version: N/A (expected: v0.13.0)
- Security Options:
-  apparmor
-  seccomp
-   Profile: default
- Kernel Version: 4.4.0-31-generic
- Operating System: Ubuntu 16.04.1 LTS
- OSType: linux
- Architecture: x86_64
- CPUs: 2
- Total Memory: 1.937 GiB
- Name: ubuntu
- ID: H52R:7ZR6:EIIA:76JG:ORIY:BVKF:GSFU:HNPG:B5MK:APSC:SZ3Q:N326
- Docker Root Dir: /var/lib/docker
- Debug Mode: true
-  File Descriptors: 30
-  Goroutines: 123
-  System Time: 2016-11-12T17:24:37.955404361-08:00
-  EventsListeners: 0
- Http Proxy: http://test:test@proxy.example.com:8080
- Https Proxy: https://test:test@proxy.example.com:8080
- No Proxy: localhost,127.0.0.1,docker-registry.somecorporation.com
- Registry: https://index.docker.io/v1/
- WARNING: No swap limit support
- Labels:
-  storage=ssd
-  staging=true
- Experimental: false
- Insecure Registries:
-  127.0.0.0/8
- Registry Mirrors:
-   http://192.168.1.2/
-   http://registry-mirror.example.com:5000/
  Live Restore Enabled: false
 ```
 
-The global `-D` option causes all `docker` commands to output debug information.
-
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 You can also specify the output format:
 
@@ -204,13 +124,18 @@ $ docker info --format '{{json .}}'
 
 ### Run `docker info` on Windows
 
-Here is a sample output for a daemon running on Windows Server 2016:
+Here is a sample output for a daemon running on Windows Server:
 
 ```console
-E:\docker>docker info
+C:\> docker info
+
 Client:
  Context:    default
  Debug Mode: false
+ Plugins:
+  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
+  compose: Docker Compose (Docker Inc., v2.6.0)
+  scan: Docker Scan (Docker Inc., v0.17.0)
 
 Server:
  Containers: 1
@@ -218,27 +143,29 @@ Server:
   Paused: 0
   Stopped: 1
  Images: 17
- Server Version: 1.13.0
+ Server Version: 20.10.16
  Storage Driver: windowsfilter
-  Windows:
  Logging Driver: json-file
  Plugins:
   Volume: local
-  Network: nat null overlay
+  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
+  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
  Swarm: inactive
  Default Isolation: process
- Kernel Version: 10.0 14393 (14393.206.amd64fre.rs1_release.160912-1937)
- Operating System: Windows Server 2016 Datacenter
+ Kernel Version: 10.0 20348 (20348.1.amd64fre.fe_release.210507-1500)
+ Operating System: Microsoft Windows Server Version 21H2 (OS Build 20348.707)
  OSType: windows
  Architecture: x86_64
  CPUs: 8
  Total Memory: 3.999 GiB
  Name: WIN-V0V70C0LU5P
- ID: NYMS:B5VK:UMSL:FVDZ:EWB5:FKVK:LPFL:FJMQ:H6FT:BZJ6:L2TD:XH62
- Docker Root Dir: C:\control
+ ID: 2880d38d-464e-4d01-91bd-c76f33ba3981
+ Docker Root Dir: C:\ProgramData\docker
  Debug Mode: false
  Registry: https://index.docker.io/v1/
+ Experimental: true
  Insecure Registries:
+  myregistry:5000
   127.0.0.0/8
  Registry Mirrors:
    http://192.168.1.2/

docs/reference/commandline/inspect.md

@@ -25,19 +25,19 @@ Docker inspect provides detailed information on constructs controlled by Docker.
 
 By default, `docker inspect` will render results in a JSON array.
 
-## Request a custom response format (--format)
+### <a name="format"></a> Format the output (--format)
 
 If a format is specified, the given template will be executed for each result.
 
-Go's [text/template](https://golang.org/pkg/text/template/) package
-describes all the details of the format.
+Go's [text/template](https://golang.org/pkg/text/template/) package describes
+all the details of the format.
 
-## Specify target type (--type)
+### <a name="type"></a> Specify target type (--type)
 
 `--type container|image|node|network|secret|service|volume|task|plugin`
 
-The `docker inspect` command matches any type of object by either ID or name.
-In some cases multiple type of objects (for example, a container and a volume)
+The `docker inspect` command matches any type of object by either ID or name. In
+some cases multiple type of objects (for example, a container and a volume)
 exist with the same name, making the result ambiguous.
 
 To restrict `docker inspect` to a specific type of object, use the `--type`
@@ -49,6 +49,35 @@ The following example inspects a _volume_ named "myvolume"
 $ docker inspect --type=volume myvolume
 ```
 
+### <a name="size"></a> Inspect the size of a container (-s, --size)
+
+The `--size`, or short-form `-s`, option adds two additional fields to the
+`docker inspect` output. This option only works for containers. The container
+doesn't have to be running, it also works for stopped containers.
+
+```console
+$ docker inspect --size mycontainer
+```
+
+The output includes the full output of a regular `docker inspect` command, with
+the following additional fields:
+
+- `SizeRootFs`: the total size of all the files in the container, in bytes.
+- `SizeRw`: the size of the files that have been created or changed in the
+  container, compared to it's image, in bytes.
+
+```console
+$ docker run --name database -d redis
+3b2cbf074c99db4a0cad35966a9e24d7bc277f5565c17233386589029b7db273
+$ docker inspect --size database -f '{{ .SizeRootFs }}'
+123125760
+$ docker inspect --size database -f '{{ .SizeRw }}'
+8192
+$ docker exec database fallocate -l 1000 /newfile
+$ docker inspect --size database -f '{{ .SizeRw }}'
+12288
+```
+
 ## Examples
 
 ### Get an instance's IP address
@@ -80,8 +109,7 @@ $ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
 
 ### List all port bindings
 
-You can loop over arrays and maps in the results to produce simple text
-output:
+You can loop over arrays and maps in the results to produce simple text output:
 
 ```console
 $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' $INSTANCE_ID
@@ -89,13 +117,12 @@ $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}}
 
 ### Find a specific port mapping
 
-The `.Field` syntax doesn't work when the field name begins with a
-number, but the template language's `index` function does. The
-`.NetworkSettings.Ports` section contains a map of the internal port
-mappings to a list of external address/port objects. To grab just the
-numeric public port, you use `index` to find the specific port map, and
-then `index` 0 contains the first object inside of that. Then we ask for
-the `HostPort` field to get the public address.
+The `.Field` syntax doesn't work when the field name begins with a number, but
+the template language's `index` function does. The `.NetworkSettings.Ports`
+section contains a map of the internal port mappings to a list of external
+address/port objects. To grab just the numeric public port, you use `index` to
+find the specific port map, and then `index` 0 contains the first object inside
+of that. Then we ask for the `HostPort` field to get the public address.
 
 ```console
 $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0).HostPort}}' $INSTANCE_ID
@@ -103,10 +130,9 @@ $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0)
 
 ### Get a subsection in JSON format
 
-If you request a field which is itself a structure containing other
-fields, by default you get a Go-style dump of the inner values.
-Docker adds a template function, `json`, which can be applied to get
-results in JSON format.
+If you request a field which is itself a structure containing other fields, by
+default you get a Go-style dump of the inner values. Docker adds a template
+function, `json`, which can be applied to get results in JSON format.
 
 ```console
 $ docker inspect --format='{{json .Config}}' $INSTANCE_ID

docs/reference/commandline/kill.md

@@ -51,7 +51,7 @@ The following example sends the default `SIGKILL` signal to the container named
 $ docker kill my_container
 ```
 
-### Send a custom signal to a container
+### <a name="signal"></a> Send a custom signal to a container (--signal)
 
 The following example sends a `SIGHUP` signal to the container named
 `my_container`:

docs/reference/commandline/load.md

@@ -30,18 +30,25 @@ bzip2, or xz) from a file or STDIN. It restores both images and tags.
 $ docker image ls
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+```
 
+### Load images from STDIN
+
+```console
 $ docker load < busybox.tar.gz
 
 Loaded image: busybox:latest
 $ docker images
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
 busybox             latest              769b9341d937        7 weeks ago         2.489 MB
+```
 
+### <a name="input"></a> Load images from a file (--input)
+
+```console
 $ docker load --input fedora.tar
 
 Loaded image: fedora:rawhide
-
 Loaded image: fedora:20
 
 $ docker images

docs/reference/commandline/login.md

@@ -34,7 +34,7 @@ adding the server name.
 $ docker login localhost:8080
 ```
 
-### Provide a password using STDIN
+### <a name="password-stdin"></a> Provide a password using STDIN (--password-stdin)
 
 To run the `docker login` command non-interactively, you can set the
 `--password-stdin` flag to provide a password through `STDIN`. Using

docs/reference/commandline/logs.md

@@ -25,11 +25,6 @@ Options:
 
 The `docker logs` command batch-retrieves logs present at the time of execution.
 
-> **Note**
->
-> This command is only functional for containers that are started with the
-> `json-file` or `journald` logging driver.
-
 For more information about selecting and configuring logging drivers, refer to
 [Configure logging drivers](https://docs.docker.com/config/containers/logging/configure/).
 
@@ -63,7 +58,7 @@ fraction of a second no more than nine digits long. You can combine the
 
 ## Examples
 
-### Retrieve logs until a specific point in time
+### <a name="until"></a> Retrieve logs until a specific point in time (--until)
 
 In order to retrieve logs before a specific point in time, run:
 

docs/reference/commandline/network_connect.md

@@ -43,7 +43,7 @@ container and immediately connect it to a network.
 $ docker run -itd --network=multi-host-network busybox
 ```
 
-### Specify the IP address a container will use on a given network
+### <a name="ip"></a> Specify the IP address a container will use on a given network (--ip)
 
 You can specify the IP address you want to be assigned to the container's interface.
 
@@ -51,7 +51,7 @@ You can specify the IP address you want to be assigned to the container's interf
 $ docker network connect --ip 10.10.36.122 multi-host-network container2
 ```
 
-### Use the legacy `--link` option
+### <a name="link"></a> Use the legacy `--link` option (--link)
 
 You can use `--link` option to link another container with a preferred alias
 
@@ -59,7 +59,7 @@ You can use `--link` option to link another container with a preferred alias
 $ docker network connect --link container1:c1 multi-host-network container2
 ```
 
-### Create a network alias for a container
+### <a name="alias"></a> Create a network alias for a container (--alias)
 
 `--alias` option can be used to resolve the container by another name in the network
 being connected to.

docs/reference/commandline/network_create.md

@@ -197,14 +197,14 @@ $ docker network create \
     simple-network
 ```
 
-### Network internal mode
+### <a name="internal"></a> Network internal mode (--internal)
 
 By default, when you connect a container to an `overlay` network, Docker also
 connects a bridge network to it to provide external connectivity. If you want
 to create an externally isolated `overlay` network, you can specify the
 `--internal` option.
 
-### Network ingress mode
+### <a name="ingress"></a> Network ingress mode (--ingress)
 
 You can create the network which will be used to provide the routing-mesh in the
 swarm cluster. You do so by specifying `--ingress` when creating the network. Only

docs/reference/commandline/network_inspect.md

@@ -204,7 +204,7 @@ The output is in JSON format, for example:
 ]
 ```
 
-### Using `verbose` option for `network inspect`
+### <a name="verbose"></a> View detailed information of a network (--verbose)
 
 `docker network inspect --verbose` for swarm mode overlay networks shows service-specific
 details such as the service's VIP and port mappings. It also shows IPs of service tasks,

docs/reference/commandline/network_ls.md

@@ -52,7 +52,7 @@ c288470c46f6c8949c5f7e5099b5b7947b07eabe8d9a27d79a9cbf111adcbf47   host
 63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161   dev                 bridge           local
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
 is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
@@ -197,7 +197,7 @@ $ docker network rm `docker network ls --filter type=custom -q`
 A warning will be issued when trying to remove a network that has containers
 attached.
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 The formatting options (`--format`) pretty-prints networks output
 using a Go template.

docs/reference/commandline/network_prune.md

@@ -34,7 +34,7 @@ n1
 n2
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)

docs/reference/commandline/node_inspect.md

@@ -111,7 +111,7 @@ $ docker node inspect swarm-manager
 ]
 ```
 
-### Specify an output format
+### <a name="format"></a> Format the output (--format)
 
 ```console
 $ docker node inspect --format '{{ .ManagerStatus.Leader }}' self

docs/reference/commandline/node_ls.md

@@ -24,7 +24,7 @@ Options:
 ## Description
 
 Lists all the nodes that the Docker Swarm manager knows about. You can filter
-using the `-f` or `--filter` flag. Refer to the [filtering](#filtering) section
+using the `-f` or `--filter` flag. Refer to the [filtering](#filter) section
 for more information about available filter options.
 
 > **Note**
@@ -52,7 +52,7 @@ e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
 > `e216jshn25ckzbvmwlnh5jr3g *`) means this node is the current docker daemon.
 
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -170,7 +170,7 @@ ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATU
 e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
 ```
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 The formatting options (`--format`) pretty-prints nodes output
 using a Go template.

docs/reference/commandline/node_ps.md

@@ -24,7 +24,7 @@ Options:
 ## Description
 
 Lists all the tasks on a Node that Docker knows about. You can filter using the
-`-f` or `--filter` flag. Refer to the [filtering](#filtering) section for more
+`-f` or `--filter` flag. Refer to the [filtering](#filter) section for more
 information about available filter options.
 
 > **Note**
@@ -47,7 +47,7 @@ redis.9.dkkual96p4bb3s6b10r7coxxt   redis:3.0.6  swarm-manager1  Running
 redis.10.0tgctg8h8cech4w0k0gwrmr23  redis:3.0.6  swarm-manager1  Running        Running 5 seconds
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -108,7 +108,7 @@ redis.7.bg8c07zzg87di2mufeq51a2qp  redis:3.0.6  swarm-manager1  Running        R
 The `desired-state` filter can take the values `running`, `shutdown`, or `accepted`.
 
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 The formatting options (`--format`) pretty-prints tasks output
 using a Go template.

docs/reference/commandline/node_rm.md

@@ -52,7 +52,7 @@ Error response from daemon: rpc error: code = 9 desc = node swarm-node-03 is not
 down and can't be removed
 ```
 
-### Forcibly remove an inaccessible node from a swarm
+### <a name="force"></a> Forcibly remove an inaccessible node from a swarm (--force)
 
 If you lose access to a worker node or need to shut it down because it has been
 compromised or is not behaving as expected, you can use the `--force` option.

docs/reference/commandline/node_update.md

@@ -32,7 +32,7 @@ Update metadata about a node, such as its availability, labels, or roles.
 
 ## Examples
 
-### Add label metadata to a node
+### <a name="label-add"></a> Add label metadata to a node (--label-add)
 
 Add metadata to a swarm node using node labels. You can specify a node label as
 a key with an empty value:

docs/reference/commandline/plugin_inspect.md

@@ -142,7 +142,7 @@ Output is in JSON format (output below is formatted for readability):
 ```
 
 
-### Formatting the output
+### <a name="format"></a> Format the output (--format)
 
 ```console
 $ docker plugin inspect -f '{{.Id}}' tiborvass/sample-volume-plugin:latest

docs/reference/commandline/plugin_ls.md

@@ -27,7 +27,7 @@ Options:
 Lists all the plugins that are currently installed. You can install plugins
 using the [`docker plugin install`](plugin_install.md) command.
 You can also filter using the `-f` or `--filter` flag.
-Refer to the [filtering](#filtering) section for more information about available filter options.
+Refer to the [filtering](#filter) section for more information about available filter options.
 
 ## Examples
 
@@ -38,7 +38,7 @@ ID            NAME                                    DESCRIPTION
 69553ca1d123  tiborvass/sample-volume-plugin:latest   A test plugin for Docker   true
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -68,7 +68,7 @@ $ docker plugin ls --filter enabled=true
 ID                  NAME                DESCRIPTION         ENABLED
 ```
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 The formatting options (`--format`) pretty-prints plugins output
 using a Go template.

docs/reference/commandline/ps.md

@@ -41,7 +41,7 @@ Options:
 
 ## Examples
 
-### Prevent truncating output
+### <a name="no-trunc"></a> Do not truncate output (--no-trunc)
 
 Running `docker ps --no-trunc` showing 2 linked containers.
 
@@ -49,14 +49,14 @@ Running `docker ps --no-trunc` showing 2 linked containers.
 $ docker ps
 
 CONTAINER ID        IMAGE                        COMMAND                CREATED              STATUS              PORTS               NAMES
-4c01db0b339c        ubuntu:12.04                 bash                   17 seconds ago       Up 16 seconds       3300-3310/tcp       webapp
+4c01db0b339c        ubuntu:22.04                 bash                   17 seconds ago       Up 16 seconds       3300-3310/tcp       webapp
 d7886598dbe2        crosbymichael/redis:latest   /redis-server --dir    33 minutes ago       Up 33 minutes       6379/tcp            redis,webapp/db
 ```
 
-### Show both running and stopped containers
+### <a name="all"></a> Show both running and stopped containers (-a, --all)
 
 The `docker ps` command only shows running containers by default. To see all
-containers, use the `-a` (or `--all`) flag:
+containers, use the `--all` (or `-a`) flag:
 
 ```console
 $ docker ps -a
@@ -66,14 +66,14 @@ $ docker ps -a
 container that exposes TCP ports `100, 101, 102` displays `100-102/tcp` in
 the `PORTS` column.
 
-### Show disk usage by container
+### <a name="size"></a> Show disk usage by container (--size)
 
-The `docker ps -s` command displays two different on-disk-sizes for each container:
+The `docker ps --size` (or `-s`) command displays two different on-disk-sizes for each container:
 
 ```console
-$ docker ps -s
+$ docker ps --size
 
-CONTAINER ID   IMAGE          COMMAND                  CREATED        STATUS       PORTS   NAMES        SIZE                                                                                      SIZE
+CONTAINER ID   IMAGE          COMMAND                  CREATED        STATUS       PORTS   NAMES        SIZE
 e90b8831a4b8   nginx          "/bin/bash -c 'mkdir "   11 weeks ago   Up 4 hours           my_nginx     35.58 kB (virtual 109.2 MB)
 00c6131c5e30   telegraf:1.5   "/entrypoint.sh"         11 weeks ago   Up 11 weeks          my_telegraf  0 B (virtual 209.5 MB)
 ```
@@ -83,9 +83,9 @@ e90b8831a4b8   nginx          "/bin/bash -c 'mkdir "   11 weeks ago   Up 4 hours
 For more information, refer to the [container size on disk](https://docs.docker.com/storage/storagedriver/#container-size-on-disk) section.
 
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
-The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
+The `--filter` (or `-f`) flag format is a `key=value` pair. If there is more
 than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`)
 
 The currently supported filters are:
@@ -246,13 +246,13 @@ CONTAINER ID        IMAGE               COMMAND             CREATED
 919e1179bdb8        ubuntu-c1           "top"               About a minute ago   Up About a minute                       admiring_lovelace
 ```
 
-Match containers based on the `ubuntu` version `12.04.5` image:
+Match containers based on the `ubuntu` version `22.04` image:
 
 ```console
-$ docker ps --filter ancestor=ubuntu:12.04.5
+$ docker ps --filter ancestor=ubuntu:22.04
 
 CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
-82a598284012        ubuntu:12.04.5      "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
+82a598284012        ubuntu:22.04        "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
 ```
 
 The following matches containers based on the layer `d0e008c6cf02` or an image
@@ -262,7 +262,7 @@ that have this layer in its layer stack.
 $ docker ps --filter ancestor=d0e008c6cf02
 
 CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
-82a598284012        ubuntu:12.04.5      "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
+82a598284012        ubuntu:22.04        "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
 ```
 
 #### Create time
@@ -394,7 +394,7 @@ $ docker ps --filter publish=80/udp
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
 ```
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) pretty-prints container output using a Go
 template.

docs/reference/commandline/pull.md

@@ -50,36 +50,36 @@ this via the `--max-concurrent-downloads` daemon option. See the
 ### Pull an image from Docker Hub
 
 To download a particular image, or set of images (i.e., a repository), use
-`docker pull`. If no tag is provided, Docker Engine uses the `:latest` tag as a
-default. This command pulls the `debian:latest` image:
+`docker image pull` (or the `docker pull` shorthand). If no tag is provided,
+Docker Engine uses the `:latest` tag as a default. This example pulls the
+`debian:latest` image:
 
 ```console
-$ docker pull debian
+$ docker image pull debian
 
 Using default tag: latest
 latest: Pulling from library/debian
-fdd5d7827f33: Pull complete
-a3ed95caeb02: Pull complete
-Digest: sha256:e7d38b3517548a1c71e41bffe9c8ae6d6d29546ce46bf62159837aad072c90aa
+e756f3fdd6a3: Pull complete
+Digest: sha256:3f1d6c17773a45c97bd8f158d665c9709d7b29ed7917ac934086ad96f92e4510
 Status: Downloaded newer image for debian:latest
+docker.io/library/debian:latest
 ```
 
 Docker images can consist of multiple layers. In the example above, the image
-consists of two layers; `fdd5d7827f33` and `a3ed95caeb02`.
+consists of a single layer; `e756f3fdd6a3`.
 
-Layers can be reused by images. For example, the `debian:jessie` image shares
-both layers with `debian:latest`. Pulling the `debian:jessie` image therefore
-only pulls its metadata, but not its layers, because all layers are already
-present locally:
+Layers can be reused by images. For example, the `debian:bullseye` image shares
+its layer with the `debian:latest`. Pulling the `debian:bullseye` image therefore
+only pulls its metadata, but not its layers, because the layer is already present
+locally:
 
 ```console
-$ docker pull debian:jessie
+$ docker image pull debian:bullseye
 
-jessie: Pulling from library/debian
-fdd5d7827f33: Already exists
-a3ed95caeb02: Already exists
-Digest: sha256:a9c958be96d7d40df920e7041608f2f017af81800ca5ad23e327bc402626b58e
-Status: Downloaded newer image for debian:jessie
+bullseye: Pulling from library/debian
+Digest: sha256:3f1d6c17773a45c97bd8f158d665c9709d7b29ed7917ac934086ad96f92e4510
+Status: Downloaded newer image for debian:bullseye
+docker.io/library/debian:bullseye
 ```
 
 To see which images are present locally, use the [`docker images`](images.md)
@@ -88,17 +88,16 @@ command:
 ```console
 $ docker images
 
-REPOSITORY   TAG      IMAGE ID        CREATED      SIZE
-debian       jessie   f50f9524513f    5 days ago   125.1 MB
-debian       latest   f50f9524513f    5 days ago   125.1 MB
+REPOSITORY   TAG        IMAGE ID       CREATED        SIZE
+debian       bullseye   4eacea30377a   8 days ago     124MB
+debian       latest     4eacea30377a   8 days ago     124MB
 ```
 
 Docker uses a content-addressable image store, and the image ID is a SHA256
 digest covering the image's configuration and layers. In the example above,
-`debian:jessie` and `debian:latest` have the same image ID because they are
-actually the *same* image tagged with different names. Because they are the
-same image, their layers are stored only once and do not consume extra disk
-space.
+`debian:bullseye` and `debian:latest` have the same image ID because they are
+the *same* image tagged with different names. Because they are the same image,
+their layers are stored only once and do not consume extra disk space.
 
 For more information about images, layers, and the content-addressable store,
 refer to [understand images, containers, and storage drivers](https://docs.docker.com/storage/storagedriver/).
@@ -109,8 +108,8 @@ refer to [understand images, containers, and storage drivers](https://docs.docke
 So far, you've pulled images by their name (and "tag"). Using names and tags is
 a convenient way to work with images. When using tags, you can `docker pull` an
 image again to make sure you have the most up-to-date version of that image.
-For example, `docker pull ubuntu:20.04` pulls the latest version of the Ubuntu
-20.04 image.
+For example, `docker pull ubuntu:22.04` pulls the latest version of the Ubuntu
+22.04 image.
 
 In some cases you don't want images to be updated to newer versions, but prefer
 to use a fixed version of an image. Docker enables you to pull an image by its
@@ -119,23 +118,23 @@ of an image to pull. Doing so, allows you to "pin" an image to that version,
 and guarantee that the image you're using is always the same.
 
 To know the digest of an image, pull the image first. Let's pull the latest
-`ubuntu:20.04` image from Docker Hub:
+`ubuntu:22.04` image from Docker Hub:
 
 ```console
-$ docker pull ubuntu:20.04
+$ docker pull ubuntu:22.04
 
-20.04: Pulling from library/ubuntu
-16ec32c2132b: Pull complete
-Digest: sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
-Status: Downloaded newer image for ubuntu:20.04
-docker.io/library/ubuntu:20.04
+22.04: Pulling from library/ubuntu
+125a6e411906: Pull complete
+Digest: sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
+Status: Downloaded newer image for ubuntu:22.04
+docker.io/library/ubuntu:22.04
 ```
 
 Docker prints the digest of the image after the pull has finished. In the example
 above, the digest of the image is:
 
 ```console
-sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
+sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
 ```
 
 Docker also prints the digest of an image when *pushing* to a registry. This
@@ -145,25 +144,25 @@ A digest takes the place of the tag when pulling an image, for example, to
 pull the above image by digest, run the following command:
 
 ```console
-$ docker pull ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
+$ docker pull ubuntu@sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
 
-docker.io/library/ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3: Pulling from library/ubuntu
-Digest: sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
-Status: Image is up to date for ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
-docker.io/library/ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
+docker.io/library/ubuntu@sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d: Pulling from library/ubuntu
+Digest: sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
+Status: Image is up to date for ubuntu@sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
+docker.io/library/ubuntu@sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
 ```
 
 Digest can also be used in the `FROM` of a Dockerfile, for example:
 
 ```dockerfile
-FROM ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3
+FROM ubuntu@sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
 LABEL org.opencontainers.image.authors="some maintainer <maintainer@example.com>"
 ```
 
 > **Note**
 >
 > Using this feature "pins" an image to a specific version in time.
-> Docker will therefore not pull updated versions of an image, which may include
+> Docker does therefore not pull updated versions of an image, which may include
 > security updates. If you want to pull an updated image, you need to change the
 > digest accordingly.
 
@@ -179,7 +178,7 @@ The following command pulls the `testing/test-image` image from a local registry
 listening on port 5000 (`myregistry.local:5000`):
 
 ```console
-$ docker pull myregistry.local:5000/testing/test-image
+$ docker image pull myregistry.local:5000/testing/test-image
 ```
 
 Registry credentials are managed by [docker login](login.md).
@@ -189,39 +188,41 @@ registry is allowed to be accessed over an insecure connection. Refer to the
 [insecure registries](dockerd.md#insecure-registries) section for more information.
 
 
-### Pull a repository with multiple images
+### <a name="all-tags"></a> Pull a repository with multiple images (-a, --all-tags)
 
 By default, `docker pull` pulls a *single* image from the registry. A repository
 can contain multiple images. To pull all images from a repository, provide the
 `-a` (or `--all-tags`) option when using `docker pull`.
 
-This command pulls all images from the `fedora` repository:
+This command pulls all images from the `ubuntu` repository:
 
 ```console
-$ docker pull --all-tags fedora
+$ docker image pull --all-tags ubuntu
 
-Pulling repository fedora
+Pulling repository ubuntu
 ad57ef8d78d7: Download complete
 105182bb5e8b: Download complete
 511136ea3c5a: Download complete
 73bd853d2ea5: Download complete
 ....
 
-Status: Downloaded newer image for fedora
+Status: Downloaded newer image for ubuntu
 ```
 
-After the pull has completed use the `docker images` command to see the
-images that were pulled. The example below shows all the `fedora` images
-that are present locally:
+After the pull has completed use the `docker image ls` command (or the `docker images`
+shorthand) to see the images that were pulled. The example below shows all the
+`ubuntu` images that are present locally:
 
 ```console
-$ docker images fedora
-
-REPOSITORY   TAG         IMAGE ID        CREATED      SIZE
-fedora       rawhide     ad57ef8d78d7    5 days ago   359.3 MB
-fedora       20          105182bb5e8b    5 days ago   372.7 MB
-fedora       heisenbug   105182bb5e8b    5 days ago   372.7 MB
-fedora       latest      105182bb5e8b    5 days ago   372.7 MB
+$ docker image ls --filter reference=ubuntu
+REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
+ubuntu       18.04     c6ad7e71ba7d   5 weeks ago    63.2MB
+ubuntu       bionic    c6ad7e71ba7d   5 weeks ago    63.2MB
+ubuntu       22.04     5ccefbfc0416   2 months ago   78MB
+ubuntu       focal     ff0fea8310f3   2 months ago   72.8MB
+ubuntu       latest    ff0fea8310f3   2 months ago   72.8MB
+ubuntu       jammy     41ba606c8ab9   3 months ago   79MB
+ubuntu       20.04     ba6acccedd29   7 months ago   72.8MB
 ```
 
 ### Cancel a pull
@@ -230,18 +231,15 @@ Killing the `docker pull` process, for example by pressing `CTRL-c` while it is
 running in a terminal, will terminate the pull operation.
 
 ```console
-$ docker pull fedora
+$ docker pull ubuntu
 
 Using default tag: latest
-latest: Pulling from library/fedora
+latest: Pulling from library/ubuntu
 a3ed95caeb02: Pulling fs layer
 236608c7b546: Pulling fs layer
 ^C
 ```
 
-> **Note**
->
-> The Engine terminates a pull operation when the connection between the Docker
-> Engine daemon and the Docker Engine client initiating the pull is lost. If the
-> connection with the Engine daemon is lost for other reasons than a manual
-> interaction, the pull is also aborted.
+The Engine terminates a pull operation when the connection between the daemon
+and the client (initiating the pull) is cut or lost for any reason or the
+command is manually terminated.

docs/reference/commandline/push.md

@@ -74,7 +74,7 @@ $ docker image ls
 You should see both `rhel-httpd` and `registry-host:5000/myadmin/rhel-httpd`
 listed.
 
-### Push all tags of an image
+### <a name="all-tags"></a> Push all tags of an image (-a, --all-tags)
 
 Use the `-a` (or `--all-tags`) option to push all tags of a local image.
 

docs/reference/commandline/rm.md

@@ -30,7 +30,7 @@ $ docker rm /redis
 /redis
 ```
 
-### Remove a link specified with `--link` on the default bridge network
+### <a name="link"></a> Remove a link specified with `--link` on the default bridge network (--link)
 
 This removes the underlying link between `/webapp` and the `/redis`
 containers on the default bridge network, removing all network communication
@@ -43,7 +43,7 @@ $ docker rm --link /webapp/redis
 /webapp/redis
 ```
 
-### Force-remove a running container
+### <a name="force"></a> Force-remove a running container (--force)
 
 This command force-removes a running container.
 
@@ -86,10 +86,10 @@ Or, using the `xargs` Linux utility;
 $ docker ps --filter status=exited -q | xargs docker rm
 ```
 
-### Remove a container and its volumes
+### <a name="volumes"></a> Remove a container and its volumes (-v, --volumes)
 
 ```console
-$ docker rm -v redis
+$ docker rm --volumes redis
 redis
 ```
 

docs/reference/commandline/run.md

@@ -153,14 +153,11 @@ specified image, and then `starts` it using the specified command. That is,
 previous changes intact using `docker start`. See `docker ps -a` to view a list
 of all containers.
 
-The `docker run` command can be used in combination with `docker commit` to
-[*change the command that a container runs*](commit.md). There is additional detailed information about `docker run` in the [Docker run reference](../run.md).
-
 For information on connecting a container to a network, see the ["*Docker network overview*"](https://docs.docker.com/network/).
 
 ## Examples
 
-### Assign name and allocate pseudo-TTY (--name, -it)
+### <a name="name"></a> Assign name and allocate pseudo-TTY (--name, -it)
 
 ```console
 $ docker run --name test -it debian
@@ -179,7 +176,7 @@ In the example, the `bash` shell is quit by entering
 `exit 13`. This exit code is passed on to the caller of
 `docker run`, and is recorded in the `test` container's metadata.
 
-### Capture container ID (--cidfile)
+### <a name="cidfile"></a> Capture container ID (--cidfile)
 
 ```console
 $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"
@@ -190,7 +187,7 @@ flag makes Docker attempt to create a new file and write the container ID to it.
 If the file exists already, Docker will return an error. Docker will close this
 file when `docker run` exits.
 
-### Full container capabilities (--privileged)
+### <a name="privileged"></a> Full container capabilities (--privileged)
 
 ```console
 $ docker run -t -i --rm ubuntu bash
@@ -215,7 +212,7 @@ lifts all the limitations enforced by the `device` cgroup controller. In other
 words, the container can then do almost everything that the host can do. This
 flag exists to allow special use-cases, like running Docker within Docker.
 
-### Set working directory (-w)
+### <a name="workdir"></a> Set working directory (-w, --workdir)
 
 ```console
 $ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
@@ -224,22 +221,22 @@ $ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
 The `-w` lets the command being executed inside directory given, here
 `/path/to/dir/`. If the path does not exist it is created inside the container.
 
-### Set storage driver options per container
+### <a name="storage-opt"></a> Set storage driver options per container (--storage-opt)
 
 ```console
 $ docker run -it --storage-opt size=120G fedora /bin/bash
 ```
 
-This (size) will allow to set the container rootfs size to 120G at creation time.
+This (size) will allow to set the container filesystem size to 120G at creation time.
 This option is only available for the `devicemapper`, `btrfs`, `overlay2`,
 `windowsfilter` and `zfs` graph drivers.
 For the `devicemapper`, `btrfs`, `windowsfilter` and `zfs` graph drivers,
 user cannot pass a size less than the Default BaseFS Size.
 For the `overlay2` storage driver, the size option is only available if the
-backing fs is `xfs` and mounted with the `pquota` mount option.
-Under these conditions, user can pass any size less than the backing fs size.
+backing filesystem is `xfs` and mounted with the `pquota` mount option.
+Under these conditions, user can pass any size less than the backing filesystem size.
 
-### Mount tmpfs (--tmpfs)
+### <a name="tmpfs"></a> Mount tmpfs (--tmpfs)
 
 ```console
 $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
@@ -248,7 +245,7 @@ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
 The `--tmpfs` flag mounts an empty tmpfs into the container with the `rw`,
 `noexec`, `nosuid`, `size=65536k` options.
 
-### Mount volume (-v, --read-only)
+### <a name="volume"></a> Mount volume (-v, --read-only)
 
 ```console
 $ docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
@@ -282,8 +279,8 @@ specified volumes for the container.
 $ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh
 ```
 
-By bind-mounting the docker unix socket and statically linked docker
-binary (refer to [get the linux binary](https://docs.docker.com/engine/install/binaries/#install-static-binaries)),
+By bind-mounting the Docker Unix socket and statically linked Docker
+binary (refer to [get the Linux binary](https://docs.docker.com/engine/install/binaries/#install-static-binaries)),
 you give the container the full access to create and manipulate the host's
 Docker daemon.
 
@@ -314,7 +311,7 @@ docker run -v c:\foo:c:\existing-directory-with-contents ...
 For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/storage/volumes/)
 
 
-### Add bind mounts or volumes using the --mount flag
+### <a name="mount"></a> Add bind mounts or volumes using the --mount flag
 
 The `--mount` flag allows you to mount volumes, host-directories and `tmpfs`
 mounts in a container.
@@ -322,7 +319,7 @@ mounts in a container.
 The `--mount` flag supports most options that are supported by the `-v` or the
 `--volume` flag, but uses a different syntax. For in-depth information on the
 `--mount` flag, and a comparison between `--volume` and `--mount`, refer to
-the [service create command reference](service_create.md#add-bind-mounts-volumes-or-memory-filesystems).
+[Bind mounts](https://docs.docker.com/storage/bind-mounts/).
 
 Even though there is no plan to deprecate `--volume`, usage of `--mount` is recommended.
 
@@ -336,7 +333,7 @@ $ docker run --read-only --mount type=volume,target=/icanwrite busybox touch /ic
 $ docker run -t -i --mount type=bind,src=/data,dst=/data busybox sh
 ```
 
-### Publish or expose port (-p, --expose)
+### <a name="publish"></a> Publish or expose port (-p, --expose)
 
 ```console
 $ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
@@ -374,7 +371,7 @@ The `--pull` flag can take one of these values:
 
 When creating (and running) a container from an image, the daemon checks if the
 image exists in the local image cache. If the image is missing, an error is
-returned to the cli, allowing it to initiate a pull.
+returned to the CLI, allowing it to initiate a pull.
 
 The default (`missing`) is to only pull the image if it is not present in the
 daemon's image cache. This default allows you to run images that only exist
@@ -401,7 +398,7 @@ $ docker run --pull=never hello-world
 docker: Error response from daemon: No such image: hello-world:latest.
 ```
 
-### Set environment variables (-e, --env, --env-file)
+### <a name="env"></a> Set environment variables (-e, --env, --env-file)
 
 ```console
 $ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash
@@ -452,7 +449,7 @@ VAR2=value2
 USER=jonzeolla
 ```
 
-### Set metadata on container (-l, --label, --label-file)
+### <a name="label"></a> Set metadata on container (-l, --label, --label-file)
 
 A label is a `key=value` pair that applies metadata to a container. To label a container with two labels:
 
@@ -494,12 +491,14 @@ For additional information on working with labels, see [*Labels - custom
 metadata in Docker*](https://docs.docker.com/config/labels-custom-metadata/) in
 the Docker User Guide.
 
-### Connect a container to a network (--network)
+### <a name="network"></a> Connect a container to a network (--network)
 
 When you start a container use the `--network` flag to connect it to a network.
-This adds the `busybox` container to the `my-net` network.
+The following commands create a network named `my-net`, and adds a `busybox` container
+to the `my-net` network.
 
 ```console
+$ docker network create my-net
 $ docker run -itd --network=my-net busybox
 ```
 
@@ -520,14 +519,14 @@ from different Engines can also communicate in this way.
 
 > **Note**
 >
-> Service discovery is unavailable on the default bridge network. Containers can
-> communicate via their IP addresses by default. To communicate by name, they
-> must be linked.
+> The default bridge network only allow containers to communicate with each other using
+> internal IP addresses. User-created bridge networks provide DNS resolution between
+> containers using container names.
 
 You can disconnect a container from a network using the `docker network
 disconnect` command.
 
-### Mount volumes from container (--volumes-from)
+### <a name="volumes-from"></a> Mount volumes from container (--volumes-from)
 
 ```console
 $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd
@@ -553,11 +552,11 @@ content label. Shared volume labels allow all containers to read/write content.
 The `Z` option tells Docker to label the content with a private unshared label.
 Only the current container can use a private volume.
 
-### Attach to STDIN/STDOUT/STDERR (-a)
+### <a name="attach"></a> Attach to STDIN/STDOUT/STDERR (-a, --attach)
 
-The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT`
-or `STDERR`. This makes it possible to manipulate the output and input as
-needed.
+The `--attach` (or `-a`) flag tells `docker run` to bind to the container's
+`STDIN`, `STDOUT` or `STDERR`. This makes it possible to manipulate the output
+and input as needed.
 
 ```console
 $ echo "test" | docker run -i -a stdin ubuntu cat -
@@ -578,23 +577,26 @@ still store what's been written to `STDERR` and `STDOUT`.
 $ cat somefile | docker run -i -a stdin mybuilder dobuild
 ```
 
-This is how piping a file into a container could be done for a build.
+This is a way of using `--attach` to pipe a build file into a container.
 The container's ID will be printed after the build is done and the build
 logs could be retrieved using `docker logs`. This is
 useful if you need to pipe a file or something else into a container and
 retrieve the container's ID once the container has finished running.
 
-### Add host device to container (--device)
+See also [the `docker cp` command](cp.md).
+
+### <a name="device"></a> Add host device to container (--device)
 
 ```console
-$ docker run --device=/dev/sdc:/dev/xvdc \
-             --device=/dev/sdd --device=/dev/zero:/dev/nulo \
-             -i -t \
-             ubuntu ls -l /dev/{xvdc,sdd,nulo}
+$ docker run -it --rm \
+    --device=/dev/sdc:/dev/xvdc \
+    --device=/dev/sdd \
+    --device=/dev/zero:/dev/foobar \
+    ubuntu ls -l /dev/{xvdc,sdd,foobar}
 
 brw-rw---- 1 root disk 8, 2 Feb  9 16:05 /dev/xvdc
 brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
-crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/nulo
+crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/foobar
 ```
 
 It is often necessary to directly expose devices to a container. The `--device`
@@ -676,14 +678,14 @@ the required device when it is added.
 > **Note**: initially present devices still need to be explicitly added to the
 > `docker run` / `docker create` command.
 
-### Access an NVIDIA GPU
+### <a name="gpus"></a> Access an NVIDIA GPU
 
 The `--gpus` flag allows you to access NVIDIA GPU resources. First you need to
 install [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
 Visit [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
 for more information.
 
-To use `--gpus`, specify which GPUs (or all) to use. If no value is provied, all
+To use `--gpus`, specify which GPUs (or all) to use. If no value is provided, all
 available GPUs are used. The example below exposes all available GPUs.
 
 ```console
@@ -703,7 +705,7 @@ The example below exposes the first and third GPUs.
 $ docker run -it --rm --gpus '"device=0,2"' nvidia-smi
 ```
 
-### Restart policies (--restart)
+### <a name="restart"></a> Restart policies (--restart)
 
 Use Docker's `--restart` to specify a container's *restart policy*. A restart
 policy controls whether the Docker daemon restarts a container after exit.
@@ -727,7 +729,7 @@ More detailed information on restart policies can be found in the
 [Restart Policies (--restart)](../run.md#restart-policies---restart)
 section of the Docker run reference page.
 
-### Add entries to container hosts file (--add-host)
+### <a name="add-host"></a> Add entries to container hosts file (--add-host)
 
 You can add other hosts into a container's `/etc/hosts` file by using one or
 more `--add-host` flags. This example adds a static address for a host named
@@ -765,7 +767,7 @@ For IPv6 use the `-6` flag instead of the `-4` flag. For other network
 devices, replace `eth0` with the correct device name (for example `docker0`
 for the bridge device).
 
-### Set ulimits in container (--ulimit)
+### <a name="ulimit"></a> Set ulimits in container (--ulimit)
 
 Since setting `ulimit` settings in a container requires extra privileges not
 available in the default container, you can set these using the `--ulimit` flag.
@@ -794,7 +796,7 @@ Docker doesn't perform any byte conversion. Take this into account when setting
 #### For `nproc` usage
 
 Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to set the
-maximum number of processes available to a user, not to a container.  For example, start four
+maximum number of processes available to a user, not to a container. For example, start four
 containers with `daemon` user:
 
 ```console
@@ -811,7 +813,7 @@ The 4th container fails and reports "[8] System error: resource temporarily unav
 This fails because the caller set `nproc=3` resulting in the first three containers using up
 the three processes quota set for the `daemon` user.
 
-### Stop container with signal (--stop-signal)
+### <a name="stop-signal"></a> Stop container with signal (--stop-signal)
 
 The `--stop-signal` flag sets the system call signal that will be sent to the
 container to exit. This signal can be a signal name in the format `SIG<NAME>`,
@@ -820,12 +822,12 @@ kernel's syscall table, for instance `9`.
 
 The default is `SIGTERM` if not specified.
 
-### Optional security options (--security-opt)
+### <a name="security-opt"></a> Optional security options (--security-opt)
 
 On Windows, this flag can be used to specify the `credentialspec` option.
 The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.
 
-### Stop container with timeout (--stop-timeout)
+### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout)
 
 The `--stop-timeout` flag sets the number of seconds to wait for the container
 to stop after sending the pre-defined (see `--stop-signal`) system call signal.
@@ -838,7 +840,7 @@ wait indefinitely for the container to exit.
 The default is determined by the daemon, and is 10 seconds for Linux containers,
 and 30 seconds for Windows containers.
 
-### Specify isolation technology for container (--isolation)
+### <a name="isolation"></a> Specify isolation technology for container (--isolation)
 
 This option is useful in situations where you are running Docker containers on
 Windows. The `--isolation=<value>` option sets a container's isolation technology.
@@ -859,8 +861,8 @@ On Windows, `--isolation` can take one of these values:
 | `hyperv`  | Hyper-V hypervisor partition-based isolation.                                              |
 
 The default isolation on Windows server operating systems is `process`, and `hyperv`
-on Windows client operating systems, such as Windows 10. Process isolation is more
-performant, but requires the image to
+on Windows client operating systems, such as Windows 10. Process isolation has better
+performance, but requires that the image and host use the same kernel version.
 
 On Windows server, assuming the default configuration, these commands are equivalent
 and result in `process` isolation:
@@ -881,7 +883,7 @@ PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo h
 PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hyperv
 ```
 
-### Specify hard limits on memory available to containers (-m, --memory)
+### <a name="memory"></a> Specify hard limits on memory available to containers (-m, --memory)
 
 These parameters always set an upper limit on the memory available to the container. On Linux, this
 is set on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
@@ -919,7 +921,7 @@ On Windows, this will affect containers differently depending on what type of is
     ```
 
 
-### Configure namespaced kernel parameters (sysctls) at runtime
+### <a name="sysctl"></a> Configure namespaced kernel parameters (sysctls) at runtime (--sysctl)
 
 The `--sysctl` sets namespaced kernel parameters (sysctls) in the
 container. For example, to turn on IP forwarding in the containers

docs/reference/commandline/search.md

@@ -63,7 +63,7 @@ scottabernethy/busybox
 marclop/busybox-solr
 ```
 
-### Display non-truncated description (--no-trunc)
+### <a name="no-trunc"></a> Display non-truncated description (--no-trunc)
 
 This example displays images with a name containing 'busybox',
 at least 3 stars and the description isn't truncated in the output:
@@ -77,12 +77,12 @@ progrium/busybox
 radial/busyboxplus   Full-chain, Internet enabled, busybox made from scratch. Comes in git and cURL flavors.   8                    [OK]
 ```
 
-### Limit search results (--limit)
+### <a name="limit"></a> Limit search results (--limit)
 
 The flag `--limit` is the maximum number of results returned by a search. This value could
 be in the range between 1 and 100. The default value of `--limit` is 25.
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
 than one filter, then pass multiple flags (e.g. `--filter is-automated=true --filter stars=3`)
@@ -132,7 +132,7 @@ NAME      DESCRIPTION           STARS     OFFICIAL   AUTOMATED
 busybox   Busybox base image.   325       [OK]
 ```
 
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) pretty-prints search output
 using a Go template.

docs/reference/commandline/secret_create.md

@@ -57,7 +57,7 @@ ID                          NAME                CREATED             UPDATED
 dg426haahpi5ezmkkj5kyl3sn   my_secret           7 seconds ago       7 seconds ago
 ```
 
-### Create a secret with labels
+### <a name="label"></a> Create a secret with labels (--label)
 
 ```console
 $ docker secret create \

docs/reference/commandline/secret_inspect.md

@@ -76,7 +76,7 @@ The output is in JSON format, for example:
 ]
 ```
 
-### Formatting
+### <a name="format"></a> Format the output (--format)
 
 You can use the --format option to obtain specific information about a
 secret. The following example command outputs the creation time of the

docs/reference/commandline/secret_ls.md

@@ -45,7 +45,7 @@ ID                          NAME                        CREATED             UPDA
 mem02h8n73mybpgqjf0kfi1n0   test_secret                 3 seconds ago       3 seconds ago
 ```
 
-### Filtering
+### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
 than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
@@ -105,7 +105,7 @@ ID                          NAME                        CREATED             UPDA
 mem02h8n73mybpgqjf0kfi1n0   test_secret                 About an hour ago   About an hour ago
 ```
 
-### Format the output
+### <a name="format"></a> Format the output (--format)
 
 The formatting option (`--format`) pretty prints secrets output
 using a Go template.

docs/reference/commandline/service_create.md

@@ -117,7 +117,7 @@ dmu1ept4cxcf  redis   replicated  1/1       redis:3.0.6
 a8q9dasaafud  redis2  global      1/1       redis:3.0.6
 ```
 
-#### Create a service using an image on a private registry
+#### <a name="with-registry-auth"></a> Create a service using an image on a private registry (--with-registry-auth)
 
 If your image is available on a private registry which requires login, use the
 `--with-registry-auth` flag with `docker service create`, after logging in. If
@@ -137,7 +137,7 @@ This passes the login token from your local client to the swarm nodes where the
 service is deployed, using the encrypted WAL logs. With this information, the
 nodes are able to log into the registry and pull the image.
 
-### Create a service with 5 replica tasks (--replicas)
+### <a name="replicas"></a> Create a service with 5 replica tasks (--replicas)
 
 Use the `--replicas` flag to set the number of replica tasks for a replicated
 service. The following command creates a `redis` service with `5` replica tasks:
@@ -173,7 +173,7 @@ ID            NAME   MODE        REPLICAS  IMAGE
 4cdgfyky7ozw  redis  replicated  5/5       redis:3.0.7
 ```
 
-### Create a service with secrets
+### <a name="secret"></a> Create a service with secrets (--secret)
 
 Use the `--secret` flag to give a container access to a
 [secret](secret_create.md).
@@ -205,7 +205,7 @@ in the container. If a target is specified, that is used as the filename. In the
 example above, two files are created: `/run/secrets/ssh` and
 `/run/secrets/app` for each of the secret targets specified.
 
-### Create a service with configs
+### <a name="config"></a> Create a service with configs (--config)
 
 Use the `--config` flag to give a container access to a
 [config](config_create.md).
@@ -234,7 +234,7 @@ Configs are located in `/` in the container if no target is specified. If no
 target is specified, the name of the config is used as the name of the file in
 the container. If a target is specified, that is used as the filename.
 
-### Create a service with a rolling update policy
+### <a name="update-delay"></a> Create a service with a rolling update policy
 
 ```console
 $ docker service create \
@@ -250,7 +250,7 @@ maximum of 2 tasks at a time, with `10s` between updates. For more information,
 refer to the [rolling updates
 tutorial](https://docs.docker.com/engine/swarm/swarm-tutorial/rolling-update/).
 
-### Set environment variables (-e, --env)
+### <a name="env"></a> Set environment variables (-e, --env)
 
 This sets an environment variable for all tasks in a service. For example:
 
@@ -274,7 +274,7 @@ $ docker service create \
   redis:3.0.6
 ```
 
-### Create a service with specific hostname (--hostname)
+### <a name="hostname"></a> Create a service with specific hostname (--hostname)
 
 This option sets the docker service containers hostname to a specific string.
 For example:
@@ -283,7 +283,7 @@ For example:
 $ docker service create --name redis --hostname myredis redis:3.0.6
 ```
 
-### Set metadata on a service (-l, --label)
+### <a name="label"></a> Set metadata on a service (-l, --label)
 
 A label is a `key=value` pair that applies metadata to a service. To label a
 service with two labels:
@@ -291,7 +291,7 @@ service with two labels:
 ```console
 $ docker service create \
   --name redis_2 \
-  --label com.example.foo="bar"
+  --label com.example.foo="bar" \
   --label bar=baz \
   redis:3.0.6
 ```
@@ -299,7 +299,7 @@ $ docker service create \
 For more information about labels, refer to [apply custom
 metadata](https://docs.docker.com/config/labels-custom-metadata/).
 
-### Add bind mounts, volumes or memory filesystems
+### <a name="mount"></a> Add bind mounts, volumes or memory filesystems (--mount)
 
 Docker supports three different kinds of mounts, which allow containers to read
 from or write to files or directories, either on the host operating system, or
@@ -662,7 +662,7 @@ $ docker service create \
  redis:3.0.6
 ```
 
-### Specify service constraints (--constraint)
+### <a name="constraint"></a> Specify service constraints (--constraint)
 
 You can limit the set of nodes where a task can be scheduled by defining
 constraint expressions. Constraint expressions can either use a _match_ (`==`)
@@ -678,7 +678,7 @@ follows:
 | `node.platform.os`   | Node operating system          | `node.platform.os==windows`                   |
 | `node.platform.arch` | Node architecture              | `node.platform.arch==x86_64`                  |
 | `node.labels`        | User-defined node labels       | `node.labels.security==high`                  |
-| `engine.labels`      | Docker Engine's labels         | `engine.labels.operatingsystem==ubuntu-14.04` |
+| `engine.labels`      | Docker Engine's labels         | `engine.labels.operatingsystem==ubuntu-22.04` |
 
 `engine.labels` apply to Docker Engine labels like operating system, drivers,
 etc. Swarm administrators add `node.labels` for operational purposes by using
@@ -729,7 +729,7 @@ ID                  NAME     MODE         REPLICAS   IMAGE               PORTS
 b6lww17hrr4e        web      replicated   1/1        nginx:alpine
 ```
 
-### Specify service placement preferences (--placement-pref)
+### <a name="placement-pref"></a> Specify service placement preferences (--placement-pref)
 
 You can set up the service to divide tasks evenly over different categories of
 nodes. One example of where this can be useful is to balance tasks over a set
@@ -800,7 +800,7 @@ appends a new placement preference after all existing placement preferences.
 `--placement-pref-rm` removes an existing placement preference that matches the
 argument.
 
-### Specify memory requirements and constraints for a service (--reserve-memory and --limit-memory)
+### <a name="reserve-memory"></a> Specify memory requirements and constraints for a service (--reserve-memory and --limit-memory)
 
 If your service needs a minimum amount of memory in order to run correctly,
 you can use `--reserve-memory` to specify that the service should only be
@@ -868,7 +868,7 @@ On Linux, you can also limit a service's overall memory footprint on a given
 host at the level of the host operating system, using `cgroups` or other
 relevant operating system tools.
 
-### Specify maximum replicas per node (--replicas-max-per-node)
+### <a name="replicas-max-per-node"></a> Specify maximum replicas per node (--replicas-max-per-node)
 
 Use the `--replicas-max-per-node` flag to set the maximum number of replica tasks that can run on a node.
 The following command creates a nginx service with 2 replica tasks but only one replica task per node.
@@ -888,7 +888,7 @@ $ docker service create \
   nginx
 ```
 
-### Attach a service to an existing network (--network)
+### <a name="network"></a> Attach a service to an existing network (--network)
 
 You can use overlay networks to connect one or more services within the swarm.
 
@@ -925,7 +925,7 @@ Containers on the same network can access each other using
 Long form syntax of `--network` allows to specify list of aliases and driver options:
 `--network name=my-network,alias=web1,driver-opt=field1=value1`
 
-### Publish service ports externally to the swarm (-p, --publish)
+### <a name="publish"></a> Publish service ports externally to the swarm (-p, --publish)
 
 You can publish service ports to make them available externally to the swarm
 using the `--publish` flag. The `--publish` flag can take two different styles
@@ -996,7 +996,7 @@ on a node can only be bound once. You can only set the publication mode using
 the long syntax. For more information refer to
 [Use swarm mode routing mesh](https://docs.docker.com/engine/swarm/ingress/).
 
-### Provide credential specs for managed service accounts (Windows only)
+### <a name="credentials-spec"></a> Provide credential specs for managed service accounts (--credentials-spec)
 
 This option is only used for services using Windows containers. The
 `--credential-spec` must be in the format `file://<filename>` or
@@ -1091,7 +1091,7 @@ $ docker inspect --format="{{.Config.Hostname}}" 2e7a8a9c4da2-wo41w8hg8qanxwjwsg
 x3ti0erg11rjpg64m75kej2mz-hosttempl
 ```
 
-### Specify isolation mode (Windows)
+### <a name="isolation"></a> Specify isolation mode on Windows (--isolation)
 
 By default, tasks scheduled on Windows nodes are run using the default isolation mode
 configured for this particular node. To force a specific isolation mode, you can use
@@ -1106,7 +1106,7 @@ Supported isolation modes on Windows are:
 - `process`: use process isolation (Windows server only)
 - `hyperv`: use Hyper-V isolation
 
-### Create services requesting Generic Resources
+### <a name="generic-resources"></a> Create services requesting Generic Resources (--generic-resources)
 
 You can narrow the kind of nodes your task can land on through the using the
 `--generic-resource` flag (if the nodes advertise these resources):