Merge pull request #4950 from vvoland/vendor-docker-26.0.0-rc3-dev

vendor: github.com/docker/docker 330d777c53fb (v26.0.0-rc3-dev)
2024-03-19 14:40:12 +01:00 · 2024-03-19 14:31:41 +01:00 · 2024-03-19 11:00:31 +01:00 · 2024-03-18 12:29:42 +01:00 · 2024-03-18 12:24:26 +01:00 · 2024-03-18 12:14:10 +01:00
577 changed files with 18623 additions and 11508 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,19 +0,0 @@
-# This is a dummy CircleCI config file to avoid GitHub status failures reported
-# on branches that don't use CircleCI. This file should be deleted when all
-# branches are no longer dependent on CircleCI.
-version: 2
-
-jobs:
-  dummy:
-    docker:
-      - image: busybox
-    steps:
-      - run:
-          name: "dummy"
-          command: echo "dummy job"
-
-workflows:
-  version: 2
-  ci:
-    jobs:
-      - dummy
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -4,6 +4,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+env:
+  VERSION: ${{ github.ref }}
+
 on:
  workflow_dispatch:
  push:
@ -16,7 +19,7 @@ on:

 jobs:
  prepare:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    outputs:
      matrix: ${{ steps.platforms.outputs.matrix }}
    steps:
@ -34,7 +37,7 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs:
      - prepare
    strategy:
@ -86,8 +89,52 @@ jobs:
          path: /tmp/out/*
          if-no-files-found: error

+  bin-image:
+    runs-on: ubuntu-22.04
+    if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/cli' }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: dockereng/cli-bin
+          tags: |
+            type=semver,pattern={{version}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
+      -
+        name: Build and push image
+        uses: docker/bake-action@v4
+        with:
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          targets: bin-image-cross
+          push: ${{ github.event_name != 'pull_request' }}
+          set: |
+            *.cache-from=type=gha,scope=bin-image
+            *.cache-to=type=gha,scope=bin-image,mode=max
+
  prepare-plugins:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    outputs:
      matrix: ${{ steps.platforms.outputs.matrix }}
    steps:
@ -105,7 +152,7 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  plugins:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs:
      - prepare-plugins
    strategy:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -26,6 +26,8 @@ jobs:
  codeql:
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
+    env:
+      DISABLE_WARN_OUTSIDE_CONTAINER: '1'
    permissions:
      actions: read
      contents: read
@ -52,6 +54,16 @@ jobs:
        uses: github/codeql-action/init@v3
        with:
          languages: go
+      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
+      # and is trying to be smart by searching for modules in every directory,
+      # including vendor directories. If no module is found, it's creating one
+      # which is ... not what we want, so let's give it a "go.mod".
+      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
+      -
+        name: Create go.mod
+        run: |
+          ln -s vendor.mod go.mod
+          ln -s vendor.sum go.sum
      -
        name: Autobuild
        uses: github/codeql-action/autobuild@v3
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -16,7 +16,7 @@ on:

 jobs:
  e2e:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
@ -28,11 +28,11 @@ jobs:
          - alpine
          - debian
        engine-version:
-#          - 20.10-dind # FIXME: Fails on 20.10
-          - stable-dind # TODO: Use 20.10-dind, stable-dind is deprecated
-        include:
-          - target: non-experimental
-            engine-version: 19.03-dind
+          - 25.0  # latest
+          - 24.0  # latest - 1
+          - 23.0  # mirantis lts
+          # TODO(krissetto) 19.03 needs a look, doesn't work ubuntu 22.04 (cgroup errors). 
+          # we could have a separate job that tests it against ubuntu 20.04
    steps:
      -
        name: Checkout
@ -55,10 +55,11 @@ jobs:
          make -f docker.Makefile test-e2e-${{ matrix.target }}
        env:
          BASE_VARIANT: ${{ matrix.base }}
-          E2E_ENGINE_VERSION: ${{ matrix.engine-version }}
+          ENGINE_VERSION: ${{ matrix.engine-version }}
          TESTFLAGS: -coverprofile=/tmp/coverage/coverage.txt
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          file: ./build/coverage/coverage.txt
+          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -16,7 +16,7 @@ on:

 jobs:
  ctn:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
@ -31,9 +31,10 @@ jobs:
          targets: test-coverage
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          file: ./build/coverage/coverage.txt
+          token: ${{ secrets.CODECOV_TOKEN }}

  host:
    runs-on: ${{ matrix.os }}
@ -45,7 +46,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - macos-11
+          - macos-12
 #          - windows-2022 # FIXME: some tests are failing on the Windows runner, as well as on Appveyor since June 24, 2018: https://ci.appveyor.com/project/docker/cli/history
    steps:
      -
@ -63,7 +64,7 @@ jobs:
        name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: 1.21.5
+          go-version: 1.21.8
      -
        name: Test
        run: |
@ -73,7 +74,8 @@ jobs:
        shell: bash
      -
        name: Send to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          file: /tmp/coverage.txt
          working-directory: ${{ env.GOPATH }}/src/github.com/docker/cli
+          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@ -16,7 +16,7 @@ on:

 jobs:
  validate:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
@ -37,7 +37,7 @@ jobs:

  # check that the generated Markdown and the checked-in files match
  validate-md:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
@ -57,7 +57,7 @@ jobs:
          fi

  validate-make:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
--- a/11
+++ b/11
@ -4,12 +4,12 @@ ARG BASE_VARIANT=alpine
 ARG ALPINE_VERSION=3.18
 ARG BASE_DEBIAN_DISTRO=bookworm

-ARG GO_VERSION=1.21.5
-ARG XX_VERSION=1.2.1
+ARG GO_VERSION=1.21.8
+ARG XX_VERSION=1.4.0
 ARG GOVERSIONINFO_VERSION=v1.3.0
 ARG GOTESTSUM_VERSION=v1.10.0
-ARG BUILDX_VERSION=0.12.0
-ARG COMPOSE_VERSION=v2.22.0
+ARG BUILDX_VERSION=0.12.1
+ARG COMPOSE_VERSION=v2.24.3

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

@ -123,5 +123,8 @@ COPY --link . .
 FROM scratch AS plugins
 COPY --from=build-plugins /out .

+FROM scratch AS bin-image
+COPY --from=build /out/docker /docker
+
 FROM scratch AS binary
 COPY --from=build /out .
--- a/2
+++ b/2
@ -52,7 +52,7 @@ shellcheck: ## run shellcheck validation
 .PHONY: fmt
 fmt: ## run gofumpt (if present) or gofmt
 	@if command -v gofumpt > /dev/null; then \
-		gofumpt -w -d -lang=1.19 . ; \
+		gofumpt -w -d -lang=1.21 . ; \
 	else \
 		go list -f {{.Dir}} ./... | xargs gofmt -w -s -d ; \
 	fi
--- a/cli-plugins/examples/helloworld/main.go
+++ b/cli-plugins/examples/helloworld/main.go
@ -45,8 +45,8 @@ func main() {
 		}

 		var (
-			who, context  string
-			preRun, debug bool
+			who, optContext string
+			preRun, debug   bool
 		)
 		cmd := &cobra.Command{
 			Use:   "helloworld",
@ -65,7 +65,7 @@ func main() {
 					fmt.Fprintf(dockerCli.Err(), "Plugin debug mode enabled")
 				}

-				switch context {
+				switch optContext {
 				case "Christmas":
 					fmt.Fprintf(dockerCli.Out(), "Merry Christmas!\n")
 					return nil
@ -92,7 +92,7 @@ func main() {
 		// These are intended to deliberately clash with the CLIs own top
 		// level arguments.
 		flags.BoolVarP(&debug, "debug", "D", false, "Enable debug")
-		flags.StringVarP(&context, "context", "c", "", "Is it Christmas?")
+		flags.StringVarP(&optContext, "context", "c", "", "Is it Christmas?")

 		cmd.AddCommand(goodbye, apiversion, exitStatus2)
 		return cmd
--- a/cli-plugins/manager/cobra.go
+++ b/cli-plugins/manager/cobra.go
@ -2,11 +2,14 @@ package manager

 import (
 	"fmt"
+	"net/url"
 	"os"
+	"strings"
 	"sync"

 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/attribute"
 )

 const (
@ -30,6 +33,10 @@ const (
 	// is, one which failed it's candidate test) and contains the
 	// reason for the failure.
 	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+
+	// CommandAnnotationPluginCommandPath is added to overwrite the
+	// command path for a plugin invocation.
+	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
 )

 var pluginCommandStubsOnce sync.Once
@ -98,3 +105,44 @@ func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err e
 	})
 	return err
 }
+
+const (
+	dockerCliAttributePrefix = attribute.Key("docker.cli")
+
+	cobraCommandPath = attribute.Key("cobra.command_path")
+)
+
+func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
+	commandPath := cmd.Annotations[CommandAnnotationPluginCommandPath]
+	if commandPath == "" {
+		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
+	}
+
+	attrSet := attribute.NewSet(
+		cobraCommandPath.String(commandPath),
+	)
+
+	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
+	for iter := attrSet.Iter(); iter.Next(); {
+		attr := iter.Attribute()
+		kvs = append(kvs, attribute.KeyValue{
+			Key:   dockerCliAttributePrefix + "." + attr.Key,
+			Value: attr.Value,
+		})
+	}
+	return attribute.NewSet(kvs...)
+}
+
+func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
+	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
+		// values in environment variables need to be in baggage format
+		// otel/baggage package can be used after update to v1.22, currently it encodes incorrectly
+		attrsSlice := make([]string, attrs.Len())
+		for iter := attrs.Iter(); iter.Next(); {
+			i, v := iter.IndexedAttribute()
+			attrsSlice[i] = string(v.Key) + "=" + url.PathEscape(v.Value.AsString())
+		}
+		env = append(env, ResourceAttributesEnvvar+"="+strings.Join(attrsSlice, ","))
+	}
+	return env
+}
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -11,16 +11,23 @@ import (

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 )

-// ReexecEnvvar is the name of an ennvar which is set to the command
-// used to originally invoke the docker CLI when executing a
-// plugin. Assuming $PATH and $CWD remain unchanged this should allow
-// the plugin to re-execute the original CLI.
-const ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+const (
+	// ReexecEnvvar is the name of an ennvar which is set to the command
+	// used to originally invoke the docker CLI when executing a
+	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+	// the plugin to re-execute the original CLI.
+	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+
+	// ResourceAttributesEnvvar is the name of the envvar that includes additional
+	// resource attributes for OTEL.
+	ResourceAttributesEnvvar = "OTEL_RESOURCE_ATTRIBUTES"
+)

 // errPluginNotFound is the error returned when a plugin could not be found.
 type errPluginNotFound string
@ -42,10 +49,10 @@ func IsNotFound(err error) bool {
 	return ok
 }

-func getPluginDirs(dockerCli command.Cli) ([]string, error) {
+func getPluginDirs(cfg *configfile.ConfigFile) ([]string, error) {
 	var pluginDirs []string

-	if cfg := dockerCli.ConfigFile(); cfg != nil {
+	if cfg != nil {
 		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
 	}
 	pluginDir, err := config.Path("cli-plugins")
@ -108,7 +115,7 @@ func listPluginCandidates(dirs []string) (map[string][]string, error) {

 // GetPlugin returns a plugin on the system by its name
 func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli)
+	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
 	if err != nil {
 		return nil, err
 	}
@ -138,7 +145,7 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu

 // ListPlugins produces a list of the plugins available on the system
 func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli)
+	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
 	if err != nil {
 		return nil, err
 	}
@ -198,7 +205,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		return nil, errPluginNotFound(name)
 	}
 	exename := addExeSuffix(NamePrefix + name)
-	pluginDirs, err := getPluginDirs(dockerCli)
+	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
 	if err != nil {
 		return nil, err
 	}
@ -235,6 +242,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command

 		cmd.Env = os.Environ()
 		cmd.Env = append(cmd.Env, ReexecEnvvar+"="+os.Args[0])
+		cmd.Env = appendPluginResourceAttributesEnvvar(cmd.Env, rootcmd, plugin)

 		return cmd, nil
 	}
--- a/cli-plugins/manager/manager_test.go
+++ b/cli-plugins/manager/manager_test.go
@ -149,7 +149,7 @@ func TestGetPluginDirs(t *testing.T) {
 	expected := append([]string{pluginDir}, defaultSystemPluginDirs...)

 	var pluginDirs []string
-	pluginDirs, err = getPluginDirs(cli)
+	pluginDirs, err = getPluginDirs(cli.ConfigFile())
 	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
 	assert.NilError(t, err)

@ -160,7 +160,7 @@ func TestGetPluginDirs(t *testing.T) {
 	cli.SetConfigFile(&configfile.ConfigFile{
 		CLIPluginsExtraDirs: extras,
 	})
-	pluginDirs, err = getPluginDirs(cli)
+	pluginDirs, err = getPluginDirs(cli.ConfigFile())
 	assert.DeepEqual(t, expected, pluginDirs)
 	assert.NilError(t, err)
 }
--- a/cli-plugins/plugin/plugin.go
+++ b/cli-plugins/plugin/plugin.go
@ -3,26 +3,19 @@ package plugin
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io"
-	"net"
 	"os"
 	"sync"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/socket"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/client"
 	"github.com/spf13/cobra"
 )

-// CLIPluginSocketEnvKey is used to pass the plugin being
-// executed the abstract socket name it should listen on to know
-// when the CLI has exited.
-const CLIPluginSocketEnvKey = "DOCKER_CLI_PLUGIN_SOCKET"
-
 // PersistentPreRunE must be called by any plugin command (or
 // subcommand) which uses the cobra `PersistentPreRun*` hook. Plugins
 // which do not make use of `PersistentPreRun*` do not need to call
@ -33,38 +26,6 @@ const CLIPluginSocketEnvKey = "DOCKER_CLI_PLUGIN_SOCKET"
 // called.
 var PersistentPreRunE func(*cobra.Command, []string) error

-// closeOnCLISocketClose connects to the socket specified
-// by the DOCKER_CLI_PLUGIN_SOCKET env var, if present, and attempts
-// to read from it until it receives an EOF, which signals that
-// the CLI is going to exit and the plugin should also exit.
-func closeOnCLISocketClose(cancel func()) {
-	socketAddr, ok := os.LookupEnv(CLIPluginSocketEnvKey)
-	if !ok {
-		// if a plugin compiled against a more recent version of docker/cli
-		// is executed by an older CLI binary, ignore missing environment
-		// variable and behave as usual
-		return
-	}
-	addr, err := net.ResolveUnixAddr("unix", socketAddr)
-	if err != nil {
-		return
-	}
-	cliCloseConn, err := net.DialUnix("unix", nil, addr)
-	if err != nil {
-		return
-	}
-
-	go func() {
-		b := make([]byte, 1)
-		for {
-			_, err := cliCloseConn.Read(b)
-			if errors.Is(err, io.EOF) {
-				cancel()
-			}
-		}
-	}()
-}
-
 // RunPlugin executes the specified plugin command
 func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) error {
 	tcmd := newPluginCommand(dockerCli, plugin, meta)
@ -81,7 +42,8 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 			}
 			ctx, cancel := context.WithCancel(cmdContext)
 			cmd.SetContext(ctx)
-			closeOnCLISocketClose(cancel)
+			// Set up the context to cancel based on signalling via CLI socket.
+			socket.ConnectAndWait(cancel)

 			var opts []command.CLIOption
 			if os.Getenv("DOCKER_CLI_PLUGIN_USE_DIAL_STDIO") != "" {
--- a/cli-plugins/socket/socket.go
+++ b/cli-plugins/socket/socket.go
@ -0,0 +1,80 @@
+package socket
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"io"
+	"net"
+	"os"
+)
+
+// EnvKey represents the well-known environment variable used to pass the plugin being
+// executed the socket name it should listen on to coordinate with the host CLI.
+const EnvKey = "DOCKER_CLI_PLUGIN_SOCKET"
+
+// SetupConn sets up a Unix socket listener, establishes a goroutine to handle connections
+// and update the conn pointer, and returns the listener for the socket (which the caller
+// is responsible for closing when it's no longer needed).
+func SetupConn(conn **net.UnixConn) (*net.UnixListener, error) {
+	listener, err := listen("docker_cli_" + randomID())
+	if err != nil {
+		return nil, err
+	}
+
+	accept(listener, conn)
+
+	return listener, nil
+}
+
+func randomID() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		panic(err) // This shouldn't happen
+	}
+	return hex.EncodeToString(b)
+}
+
+func accept(listener *net.UnixListener, conn **net.UnixConn) {
+	go func() {
+		for {
+			// ignore error here, if we failed to accept a connection,
+			// conn is nil and we fallback to previous behavior
+			*conn, _ = listener.AcceptUnix()
+			// perform any platform-specific actions on accept (e.g. unlink non-abstract sockets)
+			onAccept(*conn, listener)
+		}
+	}()
+}
+
+// ConnectAndWait connects to the socket passed via well-known env var,
+// if present, and attempts to read from it until it receives an EOF, at which
+// point cb is called.
+func ConnectAndWait(cb func()) {
+	socketAddr, ok := os.LookupEnv(EnvKey)
+	if !ok {
+		// if a plugin compiled against a more recent version of docker/cli
+		// is executed by an older CLI binary, ignore missing environment
+		// variable and behave as usual
+		return
+	}
+	addr, err := net.ResolveUnixAddr("unix", socketAddr)
+	if err != nil {
+		return
+	}
+	conn, err := net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	go func() {
+		b := make([]byte, 1)
+		for {
+			_, err := conn.Read(b)
+			if errors.Is(err, io.EOF) {
+				cb()
+				return
+			}
+		}
+	}()
+}
--- a/cli-plugins/socket/socket_darwin.go
+++ b/cli-plugins/socket/socket_darwin.go
@ -0,0 +1,19 @@
+package socket
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"syscall"
+)
+
+func listen(socketname string) (*net.UnixListener, error) {
+	return net.ListenUnix("unix", &net.UnixAddr{
+		Name: filepath.Join(os.TempDir(), socketname),
+		Net:  "unix",
+	})
+}
+
+func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
+	syscall.Unlink(listener.Addr().String())
+}
--- a/cli-plugins/socket/socket_nodarwin.go
+++ b/cli-plugins/socket/socket_nodarwin.go
@ -0,0 +1,20 @@
+//go:build !darwin && !openbsd
+
+package socket
+
+import (
+	"net"
+)
+
+func listen(socketname string) (*net.UnixListener, error) {
+	return net.ListenUnix("unix", &net.UnixAddr{
+		Name: "@" + socketname,
+		Net:  "unix",
+	})
+}
+
+func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
+	// do nothing
+	// while on darwin and OpenBSD we would unlink here;
+	// on non-darwin the socket is abstract and not present on the filesystem
+}
--- a/cli-plugins/socket/socket_openbsd.go
+++ b/cli-plugins/socket/socket_openbsd.go
@ -0,0 +1,19 @@
+package socket
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"syscall"
+)
+
+func listen(socketname string) (*net.UnixListener, error) {
+	return net.ListenUnix("unix", &net.UnixAddr{
+		Name: filepath.Join(os.TempDir(), socketname),
+		Net:  "unix",
+	})
+}
+
+func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
+	syscall.Unlink(listener.Addr().String())
+}
--- a/cli-plugins/socket/socket_test.go
+++ b/cli-plugins/socket/socket_test.go
@ -0,0 +1,133 @@
+package socket
+
+import (
+	"io/fs"
+	"net"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/poll"
+)
+
+func TestSetupConn(t *testing.T) {
+	t.Run("updates conn when connected", func(t *testing.T) {
+		var conn *net.UnixConn
+		listener, err := SetupConn(&conn)
+		assert.NilError(t, err)
+		assert.Check(t, listener != nil, "returned nil listener but no error")
+		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
+		assert.NilError(t, err, "failed to resolve listener address")
+
+		_, err = net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to dial returned listener")
+
+		pollConnNotNil(t, &conn)
+	})
+
+	t.Run("allows reconnects", func(t *testing.T) {
+		var conn *net.UnixConn
+		listener, err := SetupConn(&conn)
+		assert.NilError(t, err)
+		assert.Check(t, listener != nil, "returned nil listener but no error")
+		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
+		assert.NilError(t, err, "failed to resolve listener address")
+
+		otherConn, err := net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to dial returned listener")
+
+		otherConn.Close()
+
+		_, err = net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to redial listener")
+	})
+
+	t.Run("does not leak sockets to local directory", func(t *testing.T) {
+		var conn *net.UnixConn
+		listener, err := SetupConn(&conn)
+		assert.NilError(t, err)
+		assert.Check(t, listener != nil, "returned nil listener but no error")
+		checkDirNoPluginSocket(t)
+
+		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
+		assert.NilError(t, err, "failed to resolve listener address")
+		_, err = net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to dial returned listener")
+		checkDirNoPluginSocket(t)
+	})
+}
+
+func checkDirNoPluginSocket(t *testing.T) {
+	t.Helper()
+
+	files, err := os.ReadDir(".")
+	assert.NilError(t, err, "failed to list files in dir to check for leaked sockets")
+
+	for _, f := range files {
+		info, err := f.Info()
+		assert.NilError(t, err, "failed to check file info")
+		// check for a socket with `docker_cli_` in the name (from `SetupConn()`)
+		if strings.Contains(f.Name(), "docker_cli_") && info.Mode().Type() == fs.ModeSocket {
+			t.Fatal("found socket in a local directory")
+		}
+	}
+}
+
+func TestConnectAndWait(t *testing.T) {
+	t.Run("calls cancel func on EOF", func(t *testing.T) {
+		var conn *net.UnixConn
+		listener, err := SetupConn(&conn)
+		assert.NilError(t, err, "failed to setup listener")
+
+		done := make(chan struct{})
+		t.Setenv(EnvKey, listener.Addr().String())
+		cancelFunc := func() {
+			done <- struct{}{}
+		}
+		ConnectAndWait(cancelFunc)
+		pollConnNotNil(t, &conn)
+		conn.Close()
+
+		select {
+		case <-done:
+		case <-time.After(10 * time.Millisecond):
+			t.Fatal("cancel function not closed after 10ms")
+		}
+	})
+
+	// TODO: this test cannot be executed with `t.Parallel()`, due to
+	// relying on goroutine numbers to ensure correct behaviour
+	t.Run("connect goroutine exits after EOF", func(t *testing.T) {
+		var conn *net.UnixConn
+		listener, err := SetupConn(&conn)
+		assert.NilError(t, err, "failed to setup listener")
+		t.Setenv(EnvKey, listener.Addr().String())
+		numGoroutines := runtime.NumGoroutine()
+
+		ConnectAndWait(func() {})
+		assert.Equal(t, runtime.NumGoroutine(), numGoroutines+1)
+
+		pollConnNotNil(t, &conn)
+		conn.Close()
+		poll.WaitOn(t, func(t poll.LogT) poll.Result {
+			if runtime.NumGoroutine() > numGoroutines+1 {
+				return poll.Continue("waiting for connect goroutine to exit")
+			}
+			return poll.Success()
+		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
+	})
+}
+
+func pollConnNotNil(t *testing.T, conn **net.UnixConn) {
+	t.Helper()
+
+	poll.WaitOn(t, func(t poll.LogT) poll.Result {
+		if *conn == nil {
+			return poll.Continue("waiting for conn to not be nil")
+		}
+		return poll.Success()
+	}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
+}
--- a/cli/cobra.go
+++ b/cli/cobra.go
@ -470,7 +470,7 @@ Common Commands:
 Management Commands:

 {{- range managementSubCommands . }}
-  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}{{ if isPlugin .}} {{vendorAndVersion .}}{{ end}}
+  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}
 {{- end}}

 {{- end}}
@ -479,7 +479,7 @@ Management Commands:
 Swarm Commands:

 {{- range orchestratorSubCommands . }}
-  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}{{ if isPlugin .}} {{vendorAndVersion .}}{{ end}}
+  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}
 {{- end}}

 {{- end}}
--- a/cli/command/builder/client_test.go
+++ b/cli/command/builder/client_test.go
@ -0,0 +1,20 @@
+package builder
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	builderPruneFunc func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
+}
+
+func (c *fakeClient) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+	if c.builderPruneFunc != nil {
+		return c.builderPruneFunc(ctx, opts)
+	}
+	return nil, nil
+}
--- a/cli/command/builder/prune.go
+++ b/cli/command/builder/prune.go
@ -66,8 +66,10 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	if options.all {
 		warning = allCacheWarning
 	}
-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
-		return 0, "", nil
+	if !options.force {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+			return 0, "", err
+		}
 	}

 	report, err := dockerCli.Client().BuildCachePrune(ctx, types.BuildCachePruneOptions{
--- a/cli/command/builder/prune_test.go
+++ b/cli/command/builder/prune_test.go
@ -0,0 +1,28 @@
+package builder
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/v3/assert"
+)
+
+func TestBuilderPromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		builderPruneFunc: func(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+			return nil, errors.New("fakeClient builderPruneFunc should not be called")
+		},
+	})
+	cmd := NewPruneCommand(cli)
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/checkpoint/create.go
+++ b/cli/command/checkpoint/create.go
@ -35,7 +35,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.BoolVar(&opts.leaveRunning, "leave-running", false, "Leave the container running after checkpoint")
-	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+	flags.StringVar(&opts.checkpointDir, "checkpoint-dir", "", "Use a custom checkpoint storage directory")

 	return cmd
 }
--- a/cli/command/checkpoint/list.go
+++ b/cli/command/checkpoint/list.go
@ -30,7 +30,7 @@ func newListCommand(dockerCli command.Cli) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+	flags.StringVar(&opts.checkpointDir, "checkpoint-dir", "", "Use a custom checkpoint storage directory")

 	return cmd
 }
--- a/cli/command/checkpoint/remove.go
+++ b/cli/command/checkpoint/remove.go
@ -27,7 +27,7 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+	flags.StringVar(&opts.checkpointDir, "checkpoint-dir", "", "Use a custom checkpoint storage directory")

 	return cmd
 }
--- a/cli/command/cli_options.go
+++ b/cli/command/cli_options.go
@ -11,19 +11,11 @@ import (
 	"github.com/moby/term"
 )

-// CLIOption applies a modification on a DockerCli.
+// CLIOption is a functional argument to apply options to a [DockerCli]. These
+// options can be passed to [NewDockerCli] to initialize a new CLI, or
+// applied with [DockerCli.Initialize] or [DockerCli.Apply].
 type CLIOption func(cli *DockerCli) error

-// DockerCliOption applies a modification on a DockerCli.
-//
-// Deprecated: use [CLIOption] instead.
-type DockerCliOption = CLIOption
-
-// InitializeOpt is the type of the functional options passed to DockerCli.Initialize
-//
-// Deprecated: use [CLIOption] instead.
-type InitializeOpt = CLIOption
-
 // WithStandardStreams sets a cli in, out and err streams with the standard streams.
 func WithStandardStreams() CLIOption {
 	return func(cli *DockerCli) error {
--- a/cli/command/completion/functions.go
+++ b/cli/command/completion/functions.go
@ -7,6 +7,7 @@ import (
 	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/spf13/cobra"
 )
@ -17,7 +18,7 @@ type ValidArgsFn func(cmd *cobra.Command, args []string, toComplete string) ([]s
 // ImageNames offers completion for images present within the local store
 func ImageNames(dockerCli command.Cli) ValidArgsFn {
 	return func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		list, err := dockerCli.Client().ImageList(cmd.Context(), types.ImageListOptions{})
+		list, err := dockerCli.Client().ImageList(cmd.Context(), image.ListOptions{})
 		if err != nil {
 			return nil, cobra.ShellCompDirectiveError
 		}
--- a/cli/command/config/ls.go
+++ b/cli/command/config/ls.go
@ -38,7 +38,7 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.BoolVarP(&listOpts.Quiet, "quiet", "q", false, "Only display IDs")
-	flags.StringVarP(&listOpts.Format, "format", "", "", flagsHelper.FormatHelp)
+	flags.StringVar(&listOpts.Format, "format", "", flagsHelper.FormatHelp)
 	flags.VarP(&listOpts.Filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
--- a/cli/command/container/attach.go
+++ b/cli/command/container/attach.go
@ -43,22 +43,21 @@ func inspectContainerAndCheckState(ctx context.Context, apiClient client.APIClie
 }

 // NewAttachCommand creates a new cobra.Command for `docker attach`
-func NewAttachCommand(dockerCli command.Cli) *cobra.Command {
+func NewAttachCommand(dockerCLI command.Cli) *cobra.Command {
 	var opts AttachOptions
-	var ctr string

 	cmd := &cobra.Command{
 		Use:   "attach [OPTIONS] CONTAINER",
 		Short: "Attach local standard input, output, and error streams to a running container",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			ctr = args[0]
-			return RunAttach(cmd.Context(), dockerCli, ctr, &opts)
+			containerID := args[0]
+			return RunAttach(cmd.Context(), dockerCLI, containerID, &opts)
 		},
 		Annotations: map[string]string{
 			"aliases": "docker container attach, docker attach",
 		},
-		ValidArgsFunction: completion.ContainerNames(dockerCli, false, func(ctr types.Container) bool {
+		ValidArgsFunction: completion.ContainerNames(dockerCLI, false, func(ctr types.Container) bool {
 			return ctr.State != "paused"
 		}),
 	}
@ -71,13 +70,13 @@ func NewAttachCommand(dockerCli command.Cli) *cobra.Command {
 }

 // RunAttach executes an `attach` command
-func RunAttach(ctx context.Context, dockerCLI command.Cli, target string, opts *AttachOptions) error {
+func RunAttach(ctx context.Context, dockerCLI command.Cli, containerID string, opts *AttachOptions) error {
 	apiClient := dockerCLI.Client()

 	// request channel to wait for client
-	resultC, errC := apiClient.ContainerWait(ctx, target, "")
+	resultC, errC := apiClient.ContainerWait(ctx, containerID, "")

-	c, err := inspectContainerAndCheckState(ctx, apiClient, target)
+	c, err := inspectContainerAndCheckState(ctx, apiClient, containerID)
 	if err != nil {
 		return err
 	}
@ -106,11 +105,11 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, target string, opts *

 	if opts.Proxy && !c.Config.Tty {
 		sigc := notifyAllSignals()
-		go ForwardAllSignals(ctx, apiClient, target, sigc)
+		go ForwardAllSignals(ctx, apiClient, containerID, sigc)
 		defer signal.StopCatch(sigc)
 	}

-	resp, errAttach := apiClient.ContainerAttach(ctx, target, options)
+	resp, errAttach := apiClient.ContainerAttach(ctx, containerID, options)
 	if errAttach != nil {
 		return errAttach
 	}
@ -124,13 +123,13 @@ func RunAttach(ctx context.Context, dockerCLI command.Cli, target string, opts *
 	// the container and not exit.
 	//
 	// Recheck the container's state to avoid attach block.
-	_, err = inspectContainerAndCheckState(ctx, apiClient, target)
+	_, err = inspectContainerAndCheckState(ctx, apiClient, containerID)
 	if err != nil {
 		return err
 	}

 	if c.Config.Tty && dockerCLI.Out().IsTerminal() {
-		resizeTTY(ctx, dockerCLI, target)
+		resizeTTY(ctx, dockerCLI, containerID)
 	}

 	streamer := hijackedIOStreamer{
--- a/cli/command/container/client_test.go
+++ b/cli/command/container/client_test.go
@ -6,6 +6,8 @@ import (

 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/client"
@ -23,7 +25,7 @@ type fakeClient struct {
 		platform *specs.Platform,
 		containerName string) (container.CreateResponse, error)
 	containerStartFunc      func(containerID string, options container.StartOptions) error
-	imageCreateFunc         func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	imageCreateFunc         func(parentReference string, options image.CreateOptions) (io.ReadCloser, error)
 	infoFunc                func() (system.Info, error)
 	containerStatPathFunc   func(containerID, path string) (types.ContainerPathStat, error)
 	containerCopyFromFunc   func(containerID, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
@ -34,6 +36,7 @@ type fakeClient struct {
 	containerExecResizeFunc func(id string, options container.ResizeOptions) error
 	containerRemoveFunc     func(ctx context.Context, containerID string, options container.RemoveOptions) error
 	containerKillFunc       func(ctx context.Context, containerID, signal string) error
+	containerPruneFunc      func(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error)
 	Version                 string
 }

@ -90,7 +93,7 @@ func (f *fakeClient) ContainerRemove(ctx context.Context, containerID string, op
 	return nil
 }

-func (f *fakeClient) ImageCreate(_ context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+func (f *fakeClient) ImageCreate(_ context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
 	if f.imageCreateFunc != nil {
 		return f.imageCreateFunc(parentReference, options)
 	}
@ -163,3 +166,10 @@ func (f *fakeClient) ContainerKill(ctx context.Context, containerID, signal stri
 	}
 	return nil
 }
+
+func (f *fakeClient) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
+	if f.containerPruneFunc != nil {
+		return f.containerPruneFunc(ctx, pruneFilters)
+	}
+	return types.ContainersPruneReport{}, nil
+}
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@ -15,8 +15,8 @@ import (
 	"github.com/docker/cli/cli/command/image"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	imagetypes "github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/jsonmessage"
@ -119,7 +119,7 @@ func pullImage(ctx context.Context, dockerCli command.Cli, img string, options *
 		return err
 	}

-	responseBody, err := dockerCli.Client().ImageCreate(ctx, img, types.ImageCreateOptions{
+	responseBody, err := dockerCli.Client().ImageCreate(ctx, img, imagetypes.CreateOptions{
 		RegistryAuth: encodedAuth,
 		Platform:     options.platform,
 	})
--- a/cli/command/container/create_test.go
+++ b/cli/command/container/create_test.go
@ -15,8 +15,8 @@ import (
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/google/go-cmp/cmp"
@ -134,7 +134,7 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 						return container.CreateResponse{ID: containerID}, nil
 					}
 				},
-				imageCreateFunc: func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+				imageCreateFunc: func(parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
 					defer func() { pullCounter++ }()
 					return io.NopCloser(strings.NewReader("")), nil
 				},
--- a/cli/command/container/exec.go
+++ b/cli/command/container/exec.go
@ -66,12 +66,12 @@ func NewExecCommand(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 	flags.SetInterspersed(false)

-	flags.StringVarP(&options.DetachKeys, "detach-keys", "", "", "Override the key sequence for detaching a container")
+	flags.StringVar(&options.DetachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
 	flags.BoolVarP(&options.Interactive, "interactive", "i", false, "Keep STDIN open even if not attached")
 	flags.BoolVarP(&options.TTY, "tty", "t", false, "Allocate a pseudo-TTY")
 	flags.BoolVarP(&options.Detach, "detach", "d", false, "Detached mode: run command in the background")
 	flags.StringVarP(&options.User, "user", "u", "", `Username or UID (format: "<name|uid>[:<group|gid>]")`)
-	flags.BoolVarP(&options.Privileged, "privileged", "", false, "Give extended privileges to the command")
+	flags.BoolVar(&options.Privileged, "privileged", false, "Give extended privileges to the command")
 	flags.VarP(&options.Env, "env", "e", "Set environment variables")
 	flags.SetAnnotation("env", "version", []string{"1.25"})
 	flags.Var(&options.EnvFile, "env-file", "Read in a file of environment variables")
--- a/cli/command/container/list.go
+++ b/cli/command/container/list.go
@ -55,7 +55,7 @@ func NewPsCommand(dockerCLI command.Cli) *cobra.Command {
 	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")
 	flags.BoolVarP(&options.nLatest, "latest", "l", false, "Show the latest created container (includes all states)")
 	flags.IntVarP(&options.last, "last", "n", -1, "Show n last created containers (includes all states)")
-	flags.StringVarP(&options.format, "format", "", "", flagsHelper.FormatHelp)
+	flags.StringVar(&options.format, "format", "", flagsHelper.FormatHelp)
 	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
--- a/cli/command/container/opts.go
+++ b/cli/command/container/opts.go
@ -28,6 +28,20 @@ import (
 	cdi "tags.cncf.io/container-device-interface/pkg/parser"
 )

+const (
+	// TODO(thaJeztah): define these in the API-types, or query available defaults
+	//  from the daemon, or require "local" profiles to be an absolute path or
+	//  relative paths starting with "./". The daemon-config has consts for this
+	//  but we don't want to import that package:
+	//  https://github.com/moby/moby/blob/v23.0.0/daemon/config/config.go#L63-L67
+
+	// seccompProfileDefault is the built-in default seccomp profile.
+	seccompProfileDefault = "builtin"
+	// seccompProfileUnconfined is a special profile name for seccomp to use an
+	// "unconfined" seccomp profile.
+	seccompProfileUnconfined = "unconfined"
+)
+
 var deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)

 // containerOptions is a data object with all the options for creating a container
@ -914,16 +928,23 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 			// "no-new-privileges" is the only option that does not require a value.
 			return securityOpts, errors.Errorf("Invalid --security-opt: %q", opt)
 		}
-		if k == "seccomp" && v != "unconfined" {
-			f, err := os.ReadFile(v)
-			if err != nil {
-				return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", v, err)
+		if k == "seccomp" {
+			switch v {
+			case seccompProfileDefault, seccompProfileUnconfined:
+				// known special names for built-in profiles, nothing to do.
+			default:
+				// value may be a filename, in which case we send the profile's
+				// content if it's valid JSON.
+				f, err := os.ReadFile(v)
+				if err != nil {
+					return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", v, err)
+				}
+				b := bytes.NewBuffer(nil)
+				if err := json.Compact(b, f); err != nil {
+					return securityOpts, errors.Errorf("compacting json for seccomp profile (%s) failed: %v", v, err)
+				}
+				securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
 			}
-			b := bytes.NewBuffer(nil)
-			if err := json.Compact(b, f); err != nil {
-				return securityOpts, errors.Errorf("compacting json for seccomp profile (%s) failed: %v", v, err)
-			}
-			securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
 		}
 	}

--- a/cli/command/container/prune.go
+++ b/cli/command/container/prune.go
@ -53,8 +53,10 @@ Are you sure you want to continue?`
 func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())

-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
-		return 0, "", nil
+	if !options.force {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+			return 0, "", err
+		}
 	}

 	report, err := dockerCli.Client().ContainersPrune(ctx, pruneFilters)
--- a/cli/command/container/prune_test.go
+++ b/cli/command/container/prune_test.go
@ -0,0 +1,29 @@
+package container
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
+	"gotest.tools/v3/assert"
+)
+
+func TestContainerPrunePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerPruneFunc: func(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
+			return types.ContainersPruneReport{}, errors.New("fakeClient containerPruneFunc should not be called")
+		},
+	})
+	cmd := NewPruneCommand(cli)
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/container/start.go
+++ b/cli/command/container/start.go
@ -28,13 +28,6 @@ type StartOptions struct {
 	Containers []string
 }

-// NewStartOptions creates a new StartOptions.
-//
-// Deprecated: create a new [StartOptions] directly.
-func NewStartOptions() StartOptions {
-	return StartOptions{}
-}
-
 // NewStartCommand creates a new cobra.Command for `docker start`
 func NewStartCommand(dockerCli command.Cli) *cobra.Command {
 	var opts StartOptions
--- a/cli/command/container/stats.go
+++ b/cli/command/container/stats.go
@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )

@ -106,15 +107,6 @@ var acceptedStatsFilters = map[string]bool{
 func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions) error {
 	apiClient := dockerCLI.Client()

-	// Get the daemonOSType if not set already
-	if daemonOSType == "" {
-		sv, err := apiClient.ServerVersion(ctx)
-		if err != nil {
-			return err
-		}
-		daemonOSType = sv.Os
-	}
-
 	// waitFirst is a WaitGroup to wait first stat data's reach for each container
 	waitFirst := &sync.WaitGroup{}
 	// closeChan is a non-buffered channel used to collect errors from goroutines.
@ -138,9 +130,9 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			return err
 		}

-		eh := command.InitEventHandler()
+		eh := newEventHandler()
 		if options.All {
-			eh.Handle(events.ActionCreate, func(e events.Message) {
+			eh.setHandler(events.ActionCreate, func(e events.Message) {
 				s := NewStats(e.Actor.ID[:12])
 				if cStats.add(s) {
 					waitFirst.Add(1)
@ -149,7 +141,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			})
 		}

-		eh.Handle(events.ActionStart, func(e events.Message) {
+		eh.setHandler(events.ActionStart, func(e events.Message) {
 			s := NewStats(e.Actor.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
@ -158,7 +150,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		})

 		if !options.All {
-			eh.Handle(events.ActionDie, func(e events.Message) {
+			eh.setHandler(events.ActionDie, func(e events.Message) {
 				cStats.remove(e.Actor.ID[:12])
 			})
 		}
@ -195,7 +187,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		}

 		eventChan := make(chan events.Message)
-		go eh.Watch(eventChan)
+		go eh.watch(eventChan)
 		stopped := make(chan struct{})
 		go monitorContainerEvents(started, eventChan, stopped)
 		defer close(stopped)
@ -267,6 +259,12 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			format = formatter.TableFormatKey
 		}
 	}
+	if daemonOSType == "" {
+		// Get the daemonOSType if not set already. The daemonOSType variable
+		// should already be set when collecting stats as part of "collect()",
+		// so we unlikely hit this code in practice.
+		daemonOSType = dockerCLI.ServerInfo().OSType
+	}
 	statsCtx := formatter.Context{
 		Output: dockerCLI.Out(),
 		Format: NewStatsFormat(format, daemonOSType),
@ -316,3 +314,31 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 	}
 	return err
 }
+
+// newEventHandler initializes and returns an eventHandler
+func newEventHandler() *eventHandler {
+	return &eventHandler{handlers: make(map[events.Action]func(events.Message))}
+}
+
+// eventHandler allows for registering specific events to setHandler.
+type eventHandler struct {
+	handlers map[events.Action]func(events.Message)
+}
+
+func (eh *eventHandler) setHandler(action events.Action, handler func(events.Message)) {
+	eh.handlers[action] = handler
+}
+
+// watch ranges over the passed in event chan and processes the events based on the
+// handlers created for a given action.
+// To stop watching, close the event chan.
+func (eh *eventHandler) watch(c <-chan events.Message) {
+	for e := range c {
+		h, exists := eh.handlers[e.Action]
+		if !exists {
+			continue
+		}
+		logrus.Debugf("event handler: received event: %v", e)
+		go h(e)
+	}
+}
--- a/cli/command/events_utils.go
+++ b/cli/command/events_utils.go
@ -9,12 +9,16 @@ import (

 // EventHandler is abstract interface for user to customize
 // own handle functions of each type of events
+//
+// Deprecated: EventHandler is no longer used, and will be removed in the next release.
 type EventHandler interface {
 	Handle(action events.Action, h func(events.Message))
 	Watch(c <-chan events.Message)
 }

 // InitEventHandler initializes and returns an EventHandler
+//
+// Deprecated: InitEventHandler is no longer used, and will be removed in the next release.
 func InitEventHandler() EventHandler {
 	return &eventHandler{handlers: make(map[events.Action]func(events.Message))}
 }
--- a/cli/command/image/build/context.go
+++ b/cli/command/image/build/context.go
@ -234,7 +234,8 @@ func GetContextFromURL(out io.Writer, remoteURL, dockerfileName string) (io.Read
 // getWithStatusError does an http.Get() and returns an error if the
 // status code is 4xx or 5xx.
 func getWithStatusError(url string) (resp *http.Response, err error) {
-	if resp, err = http.Get(url); err != nil { //nolint:gosec // Ignore G107: Potential HTTP request made with variable url
+	//#nosec G107 -- Ignore G107: Potential HTTP request made with variable url
+	if resp, err = http.Get(url); err != nil {
 		return nil, err
 	}
 	if resp.StatusCode < http.StatusBadRequest {
--- a/cli/command/image/build/context_test.go
+++ b/cli/command/image/build/context_test.go
@ -129,7 +129,6 @@ func TestGetContextFromReaderString(t *testing.T) {
 	tarReader := tar.NewReader(tarArchive)

 	_, err = tarReader.Next()
-
 	if err != nil {
 		t.Fatalf("Error when reading tar archive: %s", err)
 	}
--- a/cli/command/image/client_test.go
+++ b/cli/command/image/client_test.go
@ -17,15 +17,15 @@ type fakeClient struct {
 	client.Client
 	imageTagFunc     func(string, string) error
 	imageSaveFunc    func(images []string) (io.ReadCloser, error)
-	imageRemoveFunc  func(image string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error)
-	imagePushFunc    func(ref string, options types.ImagePushOptions) (io.ReadCloser, error)
+	imageRemoveFunc  func(image string, options image.RemoveOptions) ([]image.DeleteResponse, error)
+	imagePushFunc    func(ref string, options image.PushOptions) (io.ReadCloser, error)
 	infoFunc         func() (system.Info, error)
-	imagePullFunc    func(ref string, options types.ImagePullOptions) (io.ReadCloser, error)
+	imagePullFunc    func(ref string, options image.PullOptions) (io.ReadCloser, error)
 	imagesPruneFunc  func(pruneFilter filters.Args) (types.ImagesPruneReport, error)
 	imageLoadFunc    func(input io.Reader, quiet bool) (types.ImageLoadResponse, error)
-	imageListFunc    func(options types.ImageListOptions) ([]image.Summary, error)
+	imageListFunc    func(options image.ListOptions) ([]image.Summary, error)
 	imageInspectFunc func(image string) (types.ImageInspect, []byte, error)
-	imageImportFunc  func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+	imageImportFunc  func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
 	imageHistoryFunc func(image string) ([]image.HistoryResponseItem, error)
 	imageBuildFunc   func(context.Context, io.Reader, types.ImageBuildOptions) (types.ImageBuildResponse, error)
 }
@ -45,7 +45,7 @@ func (cli *fakeClient) ImageSave(_ context.Context, images []string) (io.ReadClo
 }

 func (cli *fakeClient) ImageRemove(_ context.Context, img string,
-	options types.ImageRemoveOptions,
+	options image.RemoveOptions,
 ) ([]image.DeleteResponse, error) {
 	if cli.imageRemoveFunc != nil {
 		return cli.imageRemoveFunc(img, options)
@ -53,7 +53,7 @@ func (cli *fakeClient) ImageRemove(_ context.Context, img string,
 	return []image.DeleteResponse{}, nil
 }

-func (cli *fakeClient) ImagePush(_ context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+func (cli *fakeClient) ImagePush(_ context.Context, ref string, options image.PushOptions) (io.ReadCloser, error) {
 	if cli.imagePushFunc != nil {
 		return cli.imagePushFunc(ref, options)
 	}
@ -67,7 +67,7 @@ func (cli *fakeClient) Info(_ context.Context) (system.Info, error) {
 	return system.Info{}, nil
 }

-func (cli *fakeClient) ImagePull(_ context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+func (cli *fakeClient) ImagePull(_ context.Context, ref string, options image.PullOptions) (io.ReadCloser, error) {
 	if cli.imagePullFunc != nil {
 		cli.imagePullFunc(ref, options)
 	}
@ -88,7 +88,7 @@ func (cli *fakeClient) ImageLoad(_ context.Context, input io.Reader, quiet bool)
 	return types.ImageLoadResponse{}, nil
 }

-func (cli *fakeClient) ImageList(_ context.Context, options types.ImageListOptions) ([]image.Summary, error) {
+func (cli *fakeClient) ImageList(_ context.Context, options image.ListOptions) ([]image.Summary, error) {
 	if cli.imageListFunc != nil {
 		return cli.imageListFunc(options)
 	}
@ -103,7 +103,7 @@ func (cli *fakeClient) ImageInspectWithRaw(_ context.Context, img string) (types
 }

 func (cli *fakeClient) ImageImport(_ context.Context, source types.ImageImportSource, ref string,
-	options types.ImageImportOptions,
+	options image.ImportOptions,
 ) (io.ReadCloser, error) {
 	if cli.imageImportFunc != nil {
 		return cli.imageImportFunc(source, ref, options)
--- a/cli/command/image/import.go
+++ b/cli/command/image/import.go
@ -9,6 +9,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	dockeropts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/spf13/cobra"
 )
@ -78,7 +79,7 @@ func runImport(ctx context.Context, dockerCli command.Cli, options importOptions
 		}
 	}

-	responseBody, err := dockerCli.Client().ImageImport(ctx, source, options.reference, types.ImageImportOptions{
+	responseBody, err := dockerCli.Client().ImageImport(ctx, source, options.reference, image.ImportOptions{
 		Message:  options.message,
 		Changes:  options.changes.GetAll(),
 		Platform: options.platform,
--- a/cli/command/image/import_test.go
+++ b/cli/command/image/import_test.go
@ -7,6 +7,7 @@ import (

 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@ -17,7 +18,7 @@ func TestNewImportCommandErrors(t *testing.T) {
 		name            string
 		args            []string
 		expectedError   string
-		imageImportFunc func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+		imageImportFunc func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
 	}{
 		{
 			name:          "wrong-args",
@ -28,7 +29,7 @@ func TestNewImportCommandErrors(t *testing.T) {
 			name:          "import-failed",
 			args:          []string{"testdata/import-command-success.input.txt"},
 			expectedError: "something went wrong",
-			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+			imageImportFunc: func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 				return nil, errors.Errorf("something went wrong")
 			},
 		},
@ -52,7 +53,7 @@ func TestNewImportCommandSuccess(t *testing.T) {
 	testCases := []struct {
 		name            string
 		args            []string
-		imageImportFunc func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+		imageImportFunc func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
 	}{
 		{
 			name: "simple",
@ -65,7 +66,7 @@ func TestNewImportCommandSuccess(t *testing.T) {
 		{
 			name: "double",
 			args: []string{"-", "image:local"},
-			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+			imageImportFunc: func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 				assert.Check(t, is.Equal("image:local", ref))
 				return io.NopCloser(strings.NewReader("")), nil
 			},
@ -73,7 +74,7 @@ func TestNewImportCommandSuccess(t *testing.T) {
 		{
 			name: "message",
 			args: []string{"--message", "test message", "-"},
-			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+			imageImportFunc: func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 				assert.Check(t, is.Equal("test message", options.Message))
 				return io.NopCloser(strings.NewReader("")), nil
 			},
@ -81,7 +82,7 @@ func TestNewImportCommandSuccess(t *testing.T) {
 		{
 			name: "change",
 			args: []string{"--change", "ENV DEBUG=true", "-"},
-			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+			imageImportFunc: func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 				assert.Check(t, is.Equal("ENV DEBUG=true", options.Changes[0]))
 				return io.NopCloser(strings.NewReader("")), nil
 			},
@ -89,7 +90,7 @@ func TestNewImportCommandSuccess(t *testing.T) {
 		{
 			name: "change legacy syntax",
 			args: []string{"--change", "ENV DEBUG true", "-"},
-			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+			imageImportFunc: func(source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 				assert.Check(t, is.Equal("ENV DEBUG true", options.Changes[0]))
 				return io.NopCloser(strings.NewReader("")), nil
 			},
--- a/cli/command/image/list.go
+++ b/cli/command/image/list.go
@ -2,13 +2,15 @@ package image

 import (
 	"context"
+	"fmt"
+	"io"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
 	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/spf13/cobra"
 )

@ -21,10 +23,11 @@ type imagesOptions struct {
 	showDigests bool
 	format      string
 	filter      opts.FilterOpt
+	calledAs    string
 }

 // NewImagesCommand creates a new `docker images` command
-func NewImagesCommand(dockerCli command.Cli) *cobra.Command {
+func NewImagesCommand(dockerCLI command.Cli) *cobra.Command {
 	options := imagesOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
@ -35,7 +38,11 @@ func NewImagesCommand(dockerCli command.Cli) *cobra.Command {
 			if len(args) > 0 {
 				options.matchName = args[0]
 			}
-			return runImages(cmd.Context(), dockerCli, options)
+			// Pass through how the command was invoked. We use this to print
+			// warnings when an ambiguous argument was passed when using the
+			// legacy (top-level) "docker images" subcommand.
+			options.calledAs = cmd.CalledAs()
+			return runImages(cmd.Context(), dockerCLI, options)
 		},
 		Annotations: map[string]string{
 			"category-top": "7",
@ -55,33 +62,31 @@ func NewImagesCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func newListCommand(dockerCli command.Cli) *cobra.Command {
-	cmd := *NewImagesCommand(dockerCli)
+func newListCommand(dockerCLI command.Cli) *cobra.Command {
+	cmd := *NewImagesCommand(dockerCLI)
 	cmd.Aliases = []string{"list"}
 	cmd.Use = "ls [OPTIONS] [REPOSITORY[:TAG]]"
 	return &cmd
 }

-func runImages(ctx context.Context, dockerCli command.Cli, options imagesOptions) error {
+func runImages(ctx context.Context, dockerCLI command.Cli, options imagesOptions) error {
 	filters := options.filter.Value()
 	if options.matchName != "" {
 		filters.Add("reference", options.matchName)
 	}

-	listOptions := types.ImageListOptions{
+	images, err := dockerCLI.Client().ImageList(ctx, image.ListOptions{
 		All:     options.all,
 		Filters: filters,
-	}
-
-	images, err := dockerCli.Client().ImageList(ctx, listOptions)
+	})
 	if err != nil {
 		return err
 	}

 	format := options.format
 	if len(format) == 0 {
-		if len(dockerCli.ConfigFile().ImagesFormat) > 0 && !options.quiet {
-			format = dockerCli.ConfigFile().ImagesFormat
+		if len(dockerCLI.ConfigFile().ImagesFormat) > 0 && !options.quiet {
+			format = dockerCLI.ConfigFile().ImagesFormat
 		} else {
 			format = formatter.TableFormatKey
 		}
@ -89,11 +94,50 @@ func runImages(ctx context.Context, dockerCli command.Cli, options imagesOptions

 	imageCtx := formatter.ImageContext{
 		Context: formatter.Context{
-			Output: dockerCli.Out(),
+			Output: dockerCLI.Out(),
 			Format: formatter.NewImageFormat(format, options.quiet, options.showDigests),
 			Trunc:  !options.noTrunc,
 		},
 		Digest: options.showDigests,
 	}
-	return formatter.ImageWrite(imageCtx, images)
+	if err := formatter.ImageWrite(imageCtx, images); err != nil {
+		return err
+	}
+	if options.matchName != "" && len(images) == 0 && options.calledAs == "images" {
+		printAmbiguousHint(dockerCLI.Err(), options.matchName)
+	}
+	return nil
+}
+
+// printAmbiguousHint prints an informational warning if the provided filter
+// argument is ambiguous.
+//
+// The "docker images" top-level subcommand predates the "docker <object> <verb>"
+// convention (e.g. "docker image ls"), but accepts a positional argument to
+// search/filter images by name (globbing). It's common for users to accidentally
+// mistake these commands, and to use (e.g.) "docker images ls", expecting
+// to see all images, but ending up with an empty list because no image named
+// "ls" was found.
+//
+// Disallowing these search-terms would be a breaking change, but we can print
+// and informational message to help the users correct their mistake.
+func printAmbiguousHint(stdErr io.Writer, matchName string) {
+	switch matchName {
+	// List of subcommands for "docker image" and their aliases (see "docker image --help"):
+	case "build",
+		"history",
+		"import",
+		"inspect",
+		"list",
+		"load",
+		"ls",
+		"prune",
+		"pull",
+		"push",
+		"rm",
+		"save",
+		"tag":
+
+		_, _ = fmt.Fprintf(stdErr, "\nNo images found matching %q: did you mean \"docker image %[1]s\"?\n", matchName)
+	}
 }
--- a/cli/command/image/list_test.go
+++ b/cli/command/image/list_test.go
@ -7,7 +7,6 @@ import (

 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
@ -20,7 +19,7 @@ func TestNewImagesCommandErrors(t *testing.T) {
 		name          string
 		args          []string
 		expectedError string
-		imageListFunc func(options types.ImageListOptions) ([]image.Summary, error)
+		imageListFunc func(options image.ListOptions) ([]image.Summary, error)
 	}{
 		{
 			name:          "wrong-args",
@ -30,7 +29,7 @@ func TestNewImagesCommandErrors(t *testing.T) {
 		{
 			name:          "failed-list",
 			expectedError: "something went wrong",
-			imageListFunc: func(options types.ImageListOptions) ([]image.Summary, error) {
+			imageListFunc: func(options image.ListOptions) ([]image.Summary, error) {
 				return []image.Summary{}, errors.Errorf("something went wrong")
 			},
 		},
@ -48,7 +47,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 		name          string
 		args          []string
 		imageFormat   string
-		imageListFunc func(options types.ImageListOptions) ([]image.Summary, error)
+		imageListFunc func(options image.ListOptions) ([]image.Summary, error)
 	}{
 		{
 			name: "simple",
@ -65,7 +64,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 		{
 			name: "match-name",
 			args: []string{"image"},
-			imageListFunc: func(options types.ImageListOptions) ([]image.Summary, error) {
+			imageListFunc: func(options image.ListOptions) ([]image.Summary, error) {
 				assert.Check(t, is.Equal("image", options.Filters.Get("reference")[0]))
 				return []image.Summary{}, nil
 			},
@ -73,7 +72,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 		{
 			name: "filters",
 			args: []string{"--filter", "name=value"},
-			imageListFunc: func(options types.ImageListOptions) ([]image.Summary, error) {
+			imageListFunc: func(options image.ListOptions) ([]image.Summary, error) {
 				assert.Check(t, is.Equal("value", options.Filters.Get("name")[0]))
 				return []image.Summary{}, nil
 			},
@ -96,3 +95,17 @@ func TestNewListCommandAlias(t *testing.T) {
 	assert.Check(t, cmd.HasAlias("list"))
 	assert.Check(t, !cmd.HasAlias("other"))
 }
+
+func TestNewListCommandAmbiguous(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := NewImagesCommand(cli)
+	cmd.SetOut(io.Discard)
+
+	// Set the Use field to mimic that the command was called as "docker images",
+	// not "docker image ls".
+	cmd.Use = "images"
+	cmd.SetArgs([]string{"ls"})
+	err := cmd.Execute()
+	assert.NilError(t, err)
+	golden.Assert(t, cli.ErrBuffer().String(), "list-command-ambiguous.golden")
+}
--- a/cli/command/image/prune.go
+++ b/cli/command/image/prune.go
@ -67,8 +67,10 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	if options.all {
 		warning = allImageWarning
 	}
-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
-		return 0, "", nil
+	if !options.force {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+			return 0, "", err
+		}
 	}

 	report, err := dockerCli.Client().ImagesPrune(ctx, pruneFilters)
--- a/cli/command/image/prune_test.go
+++ b/cli/command/image/prune_test.go
@ -1,10 +1,12 @@
 package image

 import (
+	"context"
 	"fmt"
 	"io"
 	"testing"

+	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
@ -101,3 +103,19 @@ func TestNewPruneCommandSuccess(t *testing.T) {
 		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("prune-command-success.%s.golden", tc.name))
 	}
 }
+
+func TestPrunePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		imagesPruneFunc: func(pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+			return types.ImagesPruneReport{}, errors.New("fakeClient imagesPruneFunc should not be called")
+		},
+	})
+	cmd := NewPruneCommand(cli)
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/image/pull_test.go
+++ b/cli/command/image/pull_test.go
@ -8,7 +8,7 @@ import (

 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
@ -69,7 +69,7 @@ func TestNewPullCommandSuccess(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		cli := test.NewFakeCli(&fakeClient{
-			imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+			imagePullFunc: func(ref string, options image.PullOptions) (io.ReadCloser, error) {
 				assert.Check(t, is.Equal(tc.expectedTag, ref), tc.name)
 				return io.NopCloser(strings.NewReader("")), nil
 			},
@ -111,7 +111,7 @@ func TestNewPullCommandWithContentTrustErrors(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		cli := test.NewFakeCli(&fakeClient{
-			imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+			imagePullFunc: func(ref string, options image.PullOptions) (io.ReadCloser, error) {
 				return io.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
 			},
 		}, test.EnableContentTrust)
--- a/cli/command/image/push.go
+++ b/cli/command/image/push.go
@ -10,7 +10,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/registry"
@ -80,7 +80,7 @@ func RunPush(ctx context.Context, dockerCli command.Cli, opts pushOptions) error
 		return err
 	}
 	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
-	options := types.ImagePushOptions{
+	options := image.PushOptions{
 		All:           opts.all,
 		RegistryAuth:  encodedAuth,
 		PrivilegeFunc: requestPrivilege,
--- a/cli/command/image/push_test.go
+++ b/cli/command/image/push_test.go
@ -6,7 +6,7 @@ import (
 	"testing"

 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 )
@ -16,7 +16,7 @@ func TestNewPushCommandErrors(t *testing.T) {
 		name          string
 		args          []string
 		expectedError string
-		imagePushFunc func(ref string, options types.ImagePushOptions) (io.ReadCloser, error)
+		imagePushFunc func(ref string, options image.PushOptions) (io.ReadCloser, error)
 	}{
 		{
 			name:          "wrong-args",
@ -32,7 +32,7 @@ func TestNewPushCommandErrors(t *testing.T) {
 			name:          "push-failed",
 			args:          []string{"image:repo"},
 			expectedError: "Failed to push",
-			imagePushFunc: func(ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+			imagePushFunc: func(ref string, options image.PushOptions) (io.ReadCloser, error) {
 				return io.NopCloser(strings.NewReader("")), errors.Errorf("Failed to push")
 			},
 		},
@ -67,7 +67,7 @@ func TestNewPushCommandSuccess(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			cli := test.NewFakeCli(&fakeClient{
-				imagePushFunc: func(ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+				imagePushFunc: func(ref string, options image.PushOptions) (io.ReadCloser, error) {
 					return io.NopCloser(strings.NewReader("")), nil
 				},
 			})
--- a/cli/command/image/remove.go
+++ b/cli/command/image/remove.go
@ -7,7 +7,7 @@ import (

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@ -52,7 +52,7 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 func runRemove(ctx context.Context, dockerCli command.Cli, opts removeOptions, images []string) error {
 	client := dockerCli.Client()

-	options := types.ImageRemoveOptions{
+	options := image.RemoveOptions{
 		Force:         opts.force,
 		PruneChildren: !opts.noPrune,
 	}
--- a/cli/command/image/remove_test.go
+++ b/cli/command/image/remove_test.go
@ -6,7 +6,6 @@ import (
 	"testing"

 	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
@ -36,7 +35,7 @@ func TestNewRemoveCommandErrors(t *testing.T) {
 		name            string
 		args            []string
 		expectedError   string
-		imageRemoveFunc func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error)
+		imageRemoveFunc func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error)
 	}{
 		{
 			name:          "wrong args",
@ -46,7 +45,7 @@ func TestNewRemoveCommandErrors(t *testing.T) {
 			name:          "ImageRemove fail with force option",
 			args:          []string{"-f", "image1"},
 			expectedError: "error removing image",
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				assert.Check(t, is.Equal("image1", img))
 				return []image.DeleteResponse{}, errors.Errorf("error removing image")
 			},
@ -55,7 +54,7 @@ func TestNewRemoveCommandErrors(t *testing.T) {
 			name:          "ImageRemove fail",
 			args:          []string{"arg1"},
 			expectedError: "error removing image",
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				assert.Check(t, !options.Force)
 				assert.Check(t, options.PruneChildren)
 				return []image.DeleteResponse{}, errors.Errorf("error removing image")
@ -78,13 +77,13 @@ func TestNewRemoveCommandSuccess(t *testing.T) {
 	testCases := []struct {
 		name            string
 		args            []string
-		imageRemoveFunc func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error)
+		imageRemoveFunc func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error)
 		expectedStderr  string
 	}{
 		{
 			name: "Image Deleted",
 			args: []string{"image1"},
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				assert.Check(t, is.Equal("image1", img))
 				return []image.DeleteResponse{{Deleted: img}}, nil
 			},
@ -92,7 +91,7 @@ func TestNewRemoveCommandSuccess(t *testing.T) {
 		{
 			name: "Image not found with force option",
 			args: []string{"-f", "image1"},
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				assert.Check(t, is.Equal("image1", img))
 				assert.Check(t, is.Equal(true, options.Force))
 				return []image.DeleteResponse{}, notFound{"image1"}
@ -103,7 +102,7 @@ func TestNewRemoveCommandSuccess(t *testing.T) {
 		{
 			name: "Image Untagged",
 			args: []string{"image1"},
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				assert.Check(t, is.Equal("image1", img))
 				return []image.DeleteResponse{{Untagged: img}}, nil
 			},
@ -111,7 +110,7 @@ func TestNewRemoveCommandSuccess(t *testing.T) {
 		{
 			name: "Image Deleted and Untagged",
 			args: []string{"image1", "image2"},
-			imageRemoveFunc: func(img string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+			imageRemoveFunc: func(img string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
 				if img == "image1" {
 					return []image.DeleteResponse{{Untagged: img}}, nil
 				}
--- a/cli/command/image/testdata/inspect-command-success.simple-many.golden
+++ b/cli/command/image/testdata/inspect-command-success.simple-many.golden
@ -5,9 +5,6 @@
        "RepoDigests": null,
        "Parent": "",
        "Comment": "",
-        "Created": "",
-        "Container": "",
-        "ContainerConfig": null,
        "DockerVersion": "",
        "Author": "",
        "Config": null,
@ -29,9 +26,6 @@
        "RepoDigests": null,
        "Parent": "",
        "Comment": "",
-        "Created": "",
-        "Container": "",
-        "ContainerConfig": null,
        "DockerVersion": "",
        "Author": "",
        "Config": null,
--- a/cli/command/image/testdata/inspect-command-success.simple.golden
+++ b/cli/command/image/testdata/inspect-command-success.simple.golden
@ -5,9 +5,6 @@
        "RepoDigests": null,
        "Parent": "",
        "Comment": "",
-        "Created": "",
-        "Container": "",
-        "ContainerConfig": null,
        "DockerVersion": "",
        "Author": "",
        "Config": null,
--- a/cli/command/image/testdata/list-command-ambiguous.golden
+++ b/cli/command/image/testdata/list-command-ambiguous.golden
@ -0,0 +1,2 @@
+
+No images found matching "ls": did you mean "docker image ls"?
--- a/cli/command/image/trust.go
+++ b/cli/command/image/trust.go
@ -13,6 +13,7 @@ import (
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/cli/trust"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/registry"
@ -30,7 +31,7 @@ type target struct {
 }

 // TrustedPush handles content trust pushing of an image
-func TrustedPush(ctx context.Context, cli command.Cli, repoInfo *registry.RepositoryInfo, ref reference.Named, authConfig registrytypes.AuthConfig, options types.ImagePushOptions) error {
+func TrustedPush(ctx context.Context, cli command.Cli, repoInfo *registry.RepositoryInfo, ref reference.Named, authConfig registrytypes.AuthConfig, options image.PushOptions) error {
 	responseBody, err := cli.Client().ImagePush(ctx, reference.FamiliarString(ref), options)
 	if err != nil {
 		return err
@ -267,7 +268,7 @@ func imagePullPrivileged(ctx context.Context, cli command.Cli, imgRefAndAuth tru
 		return err
 	}
 	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "pull")
-	responseBody, err := cli.Client().ImagePull(ctx, reference.FamiliarString(imgRefAndAuth.Reference()), types.ImagePullOptions{
+	responseBody, err := cli.Client().ImagePull(ctx, reference.FamiliarString(imgRefAndAuth.Reference()), image.PullOptions{
 		RegistryAuth:  encodedAuth,
 		PrivilegeFunc: requestPrivilege,
 		All:           opts.all,
--- a/cli/command/network/client_test.go
+++ b/cli/command/network/client_test.go
@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
 )
@ -15,6 +16,8 @@ type fakeClient struct {
 	networkDisconnectFunc func(ctx context.Context, networkID, container string, force bool) error
 	networkRemoveFunc     func(ctx context.Context, networkID string) error
 	networkListFunc       func(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error)
+	networkPruneFunc      func(ctx context.Context, pruneFilters filters.Args) (types.NetworksPruneReport, error)
+	networkInspectFunc    func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error)
 }

 func (c *fakeClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
@ -52,6 +55,16 @@ func (c *fakeClient) NetworkRemove(ctx context.Context, networkID string) error
 	return nil
 }

-func (c *fakeClient) NetworkInspectWithRaw(context.Context, string, types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+func (c *fakeClient) NetworkInspectWithRaw(ctx context.Context, networkID string, opts types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+	if c.networkInspectFunc != nil {
+		return c.networkInspectFunc(ctx, networkID, opts)
+	}
 	return types.NetworkResource{}, nil, nil
 }
+
+func (c *fakeClient) NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
+	if c.networkPruneFunc != nil {
+		return c.networkPruneFunc(ctx, pruneFilter)
+	}
+	return types.NetworksPruneReport{}, nil
+}
--- a/cli/command/network/prune.go
+++ b/cli/command/network/prune.go
@ -49,8 +49,10 @@ Are you sure you want to continue?`
 func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions) (output string, err error) {
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())

-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
-		return "", nil
+	if !options.force {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+			return "", err
+		}
 	}

 	report, err := dockerCli.Client().NetworksPrune(ctx, pruneFilters)
--- a/cli/command/network/prune_test.go
+++ b/cli/command/network/prune_test.go
@ -0,0 +1,29 @@
+package network
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
+	"gotest.tools/v3/assert"
+)
+
+func TestNetworkPrunePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		networkPruneFunc: func(ctx context.Context, pruneFilters filters.Args) (types.NetworksPruneReport, error) {
+			return types.NetworksPruneReport{}, errors.New("fakeClient networkPruneFunc should not be called")
+		},
+	})
+	cmd := NewPruneCommand(cli)
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/network/remove.go
+++ b/cli/command/network/remove.go
@ -46,10 +46,15 @@ func runRemove(ctx context.Context, dockerCli command.Cli, networks []string, op
 	status := 0

 	for _, name := range networks {
-		if nw, _, err := client.NetworkInspectWithRaw(ctx, name, types.NetworkInspectOptions{}); err == nil &&
-			nw.Ingress &&
-			!command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), ingressWarning) {
-			continue
+		nw, _, err := client.NetworkInspectWithRaw(ctx, name, types.NetworkInspectOptions{})
+		if err == nil && nw.Ingress {
+			r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), ingressWarning)
+			if err != nil {
+				return err
+			}
+			if !r {
+				continue
+			}
 		}
 		if err := client.NetworkRemove(ctx, name); err != nil {
 			if opts.force && errdefs.IsNotFound(err) {
--- a/cli/command/network/remove_test.go
+++ b/cli/command/network/remove_test.go
@ -5,7 +5,9 @@ import (
 	"io"
 	"testing"

+	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
@ -94,3 +96,27 @@ func TestNetworkRemoveForce(t *testing.T) {
 		})
 	}
 }
+
+func TestNetworkRemovePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		networkRemoveFunc: func(ctx context.Context, networkID string) error {
+			return errors.New("fakeClient networkRemoveFunc should not be called")
+		},
+		networkInspectFunc: func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+			return types.NetworkResource{
+				ID:      "existing-network",
+				Name:    "existing-network",
+				Ingress: true,
+			}, nil, nil
+		},
+	})
+	cmd := newRemoveCommand(cli)
+	cmd.SetArgs([]string{"existing-network"})
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/plugin/client_test.go
+++ b/cli/command/plugin/client_test.go
@ -19,6 +19,7 @@ type fakeClient struct {
 	pluginInstallFunc func(name string, options types.PluginInstallOptions) (io.ReadCloser, error)
 	pluginListFunc    func(filter filters.Args) (types.PluginsListResponse, error)
 	pluginInspectFunc func(name string) (*types.Plugin, []byte, error)
+	pluginUpgradeFunc func(name string, options types.PluginInstallOptions) (io.ReadCloser, error)
 }

 func (c *fakeClient) PluginCreate(_ context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
@ -75,3 +76,10 @@ func (c *fakeClient) PluginInspectWithRaw(_ context.Context, name string) (*type
 func (c *fakeClient) Info(context.Context) (system.Info, error) {
 	return system.Info{}, nil
 }
+
+func (c *fakeClient) PluginUpgrade(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
+	if c.pluginUpgradeFunc != nil {
+		return c.pluginUpgradeFunc(name, options)
+	}
+	return nil, nil
+}
--- a/cli/command/plugin/create.go
+++ b/cli/command/plugin/create.go
@ -114,7 +114,6 @@ func runCreate(ctx context.Context, dockerCli command.Cli, options pluginCreateO
 	createCtx, err = archive.TarWithOptions(absContextDir, &archive.TarOptions{
 		Compression: compression,
 	})
-
 	if err != nil {
 		return err
 	}
--- a/cli/command/plugin/install.go
+++ b/cli/command/plugin/install.go
@ -142,6 +142,7 @@ func acceptPrivileges(dockerCli command.Cli, name string) func(privileges types.
 		for _, privilege := range privileges {
 			fmt.Fprintf(dockerCli.Out(), " - %s: %v\n", privilege.Name, privilege.Value)
 		}
-		return command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), "Do you grant the above permissions?"), nil
+		ctx := context.TODO()
+		return command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), "Do you grant the above permissions?")
 	}
 }
--- a/cli/command/plugin/testdata/plugin-upgrade-terminate.golden
+++ b/cli/command/plugin/testdata/plugin-upgrade-terminate.golden
@ -0,0 +1,2 @@
+Upgrading plugin foo/bar from localhost:5000/foo/bar:v0.1.0 to localhost:5000/foo/bar:v1.0.0
+Plugin images do not match, are you sure? [y/N] 
--- a/cli/command/plugin/upgrade.go
+++ b/cli/command/plugin/upgrade.go
@ -63,7 +63,10 @@ func runUpgrade(ctx context.Context, dockerCli command.Cli, opts pluginOptions)

 	fmt.Fprintf(dockerCli.Out(), "Upgrading plugin %s from %s to %s\n", p.Name, reference.FamiliarString(old), reference.FamiliarString(remote))
 	if !opts.skipRemoteCheck && remote.String() != old.String() {
-		if !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), "Plugin images do not match, are you sure?") {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), "Plugin images do not match, are you sure?"); !r || err != nil {
+			if err != nil {
+				return errors.Wrap(err, "canceling upgrade request")
+			}
 			return errors.New("canceling upgrade request")
 		}
 	}
--- a/cli/command/plugin/upgrade_test.go
+++ b/cli/command/plugin/upgrade_test.go
@ -0,0 +1,42 @@
+package plugin
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/golden"
+)
+
+func TestUpgradePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		pluginUpgradeFunc: func(name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
+			return nil, errors.New("should not be called")
+		},
+		pluginInspectFunc: func(name string) (*types.Plugin, []byte, error) {
+			return &types.Plugin{
+				ID:              "5724e2c8652da337ab2eedd19fc6fc0ec908e4bd907c7421bf6a8dfc70c4c078",
+				Name:            "foo/bar",
+				Enabled:         false,
+				PluginReference: "localhost:5000/foo/bar:v0.1.0",
+			}, []byte{}, nil
+		},
+	})
+	cmd := newUpgradeCommand(cli)
+	// need to set a remote address that does not match the plugin
+	// reference sent by the `pluginInspectFunc`
+	cmd.SetArgs([]string{"foo/bar", "localhost:5000/foo/bar:v1.0.0"})
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+	golden.Assert(t, cli.OutBuffer().String(), "plugin-upgrade-terminate.golden")
+}
--- a/cli/command/registry/login.go
+++ b/cli/command/registry/login.go
@ -55,7 +55,7 @@ func NewLoginCommand(dockerCli command.Cli) *cobra.Command {

 	flags.StringVarP(&opts.user, "username", "u", "", "Username")
 	flags.StringVarP(&opts.password, "password", "p", "", "Password")
-	flags.BoolVarP(&opts.passwordStdin, "password-stdin", "", false, "Take the password from stdin")
+	flags.BoolVar(&opts.passwordStdin, "password-stdin", false, "Take the password from stdin")

 	return cmd
 }
--- a/cli/command/secret/ls.go
+++ b/cli/command/secret/ls.go
@ -38,7 +38,7 @@ func newSecretListCommand(dockerCli command.Cli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display IDs")
-	flags.StringVarP(&options.format, "format", "", "", flagsHelper.FormatHelp)
+	flags.StringVar(&options.format, "format", "", flagsHelper.FormatHelp)
 	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
--- a/cli/command/service/create.go
+++ b/cli/command/service/create.go
@ -137,7 +137,7 @@ func runCreate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 		return nil
 	}

-	return waitOnService(ctx, dockerCli, response.ID, opts.quiet)
+	return WaitOnService(ctx, dockerCli, response.ID, opts.quiet)
 }

 // setConfigs does double duty: it both sets the ConfigReferences of the
--- a/cli/command/service/helpers.go
+++ b/cli/command/service/helpers.go
@ -9,9 +9,9 @@ import (
 	"github.com/docker/docker/pkg/jsonmessage"
 )

-// waitOnService waits for the service to converge. It outputs a progress bar,
+// WaitOnService waits for the service to converge. It outputs a progress bar,
 // if appropriate based on the CLI flags.
-func waitOnService(ctx context.Context, dockerCli command.Cli, serviceID string, quiet bool) error {
+func WaitOnService(ctx context.Context, dockerCli command.Cli, serviceID string, quiet bool) error {
 	errChan := make(chan error, 1)
 	pipeReader, pipeWriter := io.Pipe()

--- a/cli/command/service/progress/progress.go
+++ b/cli/command/service/progress/progress.go
@ -143,7 +143,7 @@ func ServiceProgress(ctx context.Context, apiClient client.APIClient, serviceID
 		if converged && time.Since(convergedAt) >= monitor {
 			progressOut.WriteProgress(progress.Progress{
 				ID:     "verify",
-				Action: "Service converged",
+				Action: fmt.Sprintf("Service %s converged", serviceID),
 			})
 			if message != nil {
 				progressOut.WriteProgress(*message)
--- a/cli/command/service/rollback.go
+++ b/cli/command/service/rollback.go
@ -62,5 +62,5 @@ func runRollback(ctx context.Context, dockerCli command.Cli, options *serviceOpt
 		return nil
 	}

-	return waitOnService(ctx, dockerCli, serviceID, options.quiet)
+	return WaitOnService(ctx, dockerCli, serviceID, options.quiet)
 }
--- a/cli/command/service/scale.go
+++ b/cli/command/service/scale.go
@ -80,7 +80,7 @@ func runScale(ctx context.Context, dockerCli command.Cli, options *scaleOptions,
 	if len(serviceIDs) > 0 {
 		if !options.detach && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.29") {
 			for _, serviceID := range serviceIDs {
-				if err := waitOnService(ctx, dockerCli, serviceID, false); err != nil {
+				if err := WaitOnService(ctx, dockerCli, serviceID, false); err != nil {
 					errs = append(errs, fmt.Sprintf("%s: %v", serviceID, err))
 				}
 			}
--- a/cli/command/service/update.go
+++ b/cli/command/service/update.go
@ -249,7 +249,7 @@ func runUpdate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 		return nil
 	}

-	return waitOnService(ctx, dockerCli, serviceID, options.quiet)
+	return WaitOnService(ctx, dockerCli, serviceID, options.quiet)
 }

 //nolint:gocyclo
--- a/cli/command/stack/deploy.go
+++ b/cli/command/stack/deploy.go
@ -26,7 +26,7 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			return swarm.RunDeploy(cmd.Context(), dockerCli, opts, config)
+			return swarm.RunDeploy(cmd.Context(), dockerCli, cmd.Flags(), &opts, config)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return completeNames(dockerCli)(cmd, args, toComplete)
@ -42,5 +42,7 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&opts.ResolveImage, "resolve-image", swarm.ResolveImageAlways,
 		`Query the registry to resolve image digest and supported platforms ("`+swarm.ResolveImageAlways+`", "`+swarm.ResolveImageChanged+`", "`+swarm.ResolveImageNever+`")`)
 	flags.SetAnnotation("resolve-image", "version", []string{"1.30"})
+	flags.BoolVarP(&opts.Detach, "detach", "d", true, "Exit immediately instead of waiting for the stack services to converge")
+	flags.BoolVarP(&opts.Quiet, "quiet", "q", false, "Suppress progress output")
 	return cmd
 }
--- a/cli/command/stack/options/opts.go
+++ b/cli/command/stack/options/opts.go
@ -9,6 +9,8 @@ type Deploy struct {
 	ResolveImage     string
 	SendRegistryAuth bool
 	Prune            bool
+	Detach           bool
+	Quiet            bool
 }

 // Config holds docker stack config options
@ -36,6 +38,7 @@ type PS struct {
 // Remove holds docker stack remove options
 type Remove struct {
 	Namespaces []string
+	Detach     bool
 }

 // Services holds docker stack services options
--- a/cli/command/stack/remove.go
+++ b/cli/command/stack/remove.go
@ -27,5 +27,8 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 			return completeNames(dockerCli)(cmd, args, toComplete)
 		},
 	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.Detach, "detach", "d", true, "Do not wait for stack removal")
 	return cmd
 }
--- a/cli/command/stack/swarm/common.go
+++ b/cli/command/stack/swarm/common.go
@ -44,3 +44,7 @@ func getStackSecrets(ctx context.Context, apiclient client.APIClient, namespace
 func getStackConfigs(ctx context.Context, apiclient client.APIClient, namespace string) ([]swarm.Config, error) {
 	return apiclient.ConfigList(ctx, types.ConfigListOptions{Filters: getStackFilter(namespace)})
 }
+
+func getStackTasks(ctx context.Context, apiclient client.APIClient, namespace string) ([]swarm.Task, error) {
+	return apiclient.TaskList(ctx, types.TaskListOptions{Filters: getStackFilter(namespace)})
+}
--- a/cli/command/stack/swarm/deploy.go
+++ b/cli/command/stack/swarm/deploy.go
@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
 )

 // Resolve image constants
@ -22,8 +23,8 @@ const (
 )

 // RunDeploy is the swarm implementation of docker stack deploy
-func RunDeploy(ctx context.Context, dockerCli command.Cli, opts options.Deploy, cfg *composetypes.Config) error {
-	if err := validateResolveImageFlag(&opts); err != nil {
+func RunDeploy(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, opts *options.Deploy, cfg *composetypes.Config) error {
+	if err := validateResolveImageFlag(opts); err != nil {
 		return err
 	}
 	// client side image resolution should not be done when the supported
@ -32,6 +33,11 @@ func RunDeploy(ctx context.Context, dockerCli command.Cli, opts options.Deploy,
 		opts.ResolveImage = ResolveImageNever
 	}

+	if opts.Detach && !flags.Changed("detach") {
+		fmt.Fprintln(dockerCli.Err(), "Since --detach=false was not specified, tasks will be created in the background.\n"+
+			"In a future release, --detach=false will become the default.")
+	}
+
 	return deployCompose(ctx, dockerCli, opts, cfg)
 }

--- a/cli/command/stack/swarm/deploy_composefile.go
+++ b/cli/command/stack/swarm/deploy_composefile.go
@ -2,9 +2,11 @@ package swarm

 import (
 	"context"
+	"errors"
 	"fmt"

 	"github.com/docker/cli/cli/command"
+	servicecli "github.com/docker/cli/cli/command/service"
 	"github.com/docker/cli/cli/command/stack/options"
 	"github.com/docker/cli/cli/compose/convert"
 	composetypes "github.com/docker/cli/cli/compose/types"
@ -13,10 +15,9 @@ import (
 	"github.com/docker/docker/api/types/swarm"
 	apiclient "github.com/docker/docker/client"
 	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
 )

-func deployCompose(ctx context.Context, dockerCli command.Cli, opts options.Deploy, config *composetypes.Config) error {
+func deployCompose(ctx context.Context, dockerCli command.Cli, opts *options.Deploy, config *composetypes.Config) error {
 	if err := checkDaemonIsSwarmManager(ctx, dockerCli); err != nil {
 		return err
 	}
@ -60,7 +61,17 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts options.Depl
 	if err != nil {
 		return err
 	}
-	return deployServices(ctx, dockerCli, services, namespace, opts.SendRegistryAuth, opts.ResolveImage)
+
+	serviceIDs, err := deployServices(ctx, dockerCli, services, namespace, opts.SendRegistryAuth, opts.ResolveImage)
+	if err != nil {
+		return err
+	}
+
+	if opts.Detach {
+		return nil
+	}
+
+	return waitOnServices(ctx, dockerCli, serviceIDs, opts.Quiet)
 }

 func getServicesDeclaredNetworks(serviceConfigs []composetypes.ServiceConfig) map[string]struct{} {
@ -87,11 +98,11 @@ func validateExternalNetworks(ctx context.Context, client apiclient.NetworkAPICl
 		network, err := client.NetworkInspect(ctx, networkName, types.NetworkInspectOptions{})
 		switch {
 		case errdefs.IsNotFound(err):
-			return errors.Errorf("network %q is declared as external, but could not be found. You need to create a swarm-scoped network before the stack is deployed", networkName)
+			return fmt.Errorf("network %q is declared as external, but could not be found. You need to create a swarm-scoped network before the stack is deployed", networkName)
 		case err != nil:
 			return err
 		case network.Scope != "swarm":
-			return errors.Errorf("network %q is declared as external, but it is not in the right scope: %q instead of \"swarm\"", networkName, network.Scope)
+			return fmt.Errorf("network %q is declared as external, but it is not in the right scope: %q instead of \"swarm\"", networkName, network.Scope)
 		}
 	}
 	return nil
@ -106,13 +117,13 @@ func createSecrets(ctx context.Context, dockerCli command.Cli, secrets []swarm.S
 		case err == nil:
 			// secret already exists, then we update that
 			if err := client.SecretUpdate(ctx, secret.ID, secret.Meta.Version, secretSpec); err != nil {
-				return errors.Wrapf(err, "failed to update secret %s", secretSpec.Name)
+				return fmt.Errorf("failed to update secret %s: %w", secretSpec.Name, err)
 			}
 		case errdefs.IsNotFound(err):
 			// secret does not exist, then we create a new one.
 			fmt.Fprintf(dockerCli.Out(), "Creating secret %s\n", secretSpec.Name)
 			if _, err := client.SecretCreate(ctx, secretSpec); err != nil {
-				return errors.Wrapf(err, "failed to create secret %s", secretSpec.Name)
+				return fmt.Errorf("failed to create secret %s: %w", secretSpec.Name, err)
 			}
 		default:
 			return err
@ -130,13 +141,13 @@ func createConfigs(ctx context.Context, dockerCli command.Cli, configs []swarm.C
 		case err == nil:
 			// config already exists, then we update that
 			if err := client.ConfigUpdate(ctx, config.ID, config.Meta.Version, configSpec); err != nil {
-				return errors.Wrapf(err, "failed to update config %s", configSpec.Name)
+				return fmt.Errorf("failed to update config %s: %w", configSpec.Name, err)
 			}
 		case errdefs.IsNotFound(err):
 			// config does not exist, then we create a new one.
 			fmt.Fprintf(dockerCli.Out(), "Creating config %s\n", configSpec.Name)
 			if _, err := client.ConfigCreate(ctx, configSpec); err != nil {
-				return errors.Wrapf(err, "failed to create config %s", configSpec.Name)
+				return fmt.Errorf("failed to create config %s: %w", configSpec.Name, err)
 			}
 		default:
 			return err
@ -169,19 +180,19 @@ func createNetworks(ctx context.Context, dockerCli command.Cli, namespace conver

 		fmt.Fprintf(dockerCli.Out(), "Creating network %s\n", name)
 		if _, err := client.NetworkCreate(ctx, name, createOpts); err != nil {
-			return errors.Wrapf(err, "failed to create network %s", name)
+			return fmt.Errorf("failed to create network %s: %w", name, err)
 		}
 	}
 	return nil
 }

-func deployServices(ctx context.Context, dockerCli command.Cli, services map[string]swarm.ServiceSpec, namespace convert.Namespace, sendAuth bool, resolveImage string) error {
+func deployServices(ctx context.Context, dockerCli command.Cli, services map[string]swarm.ServiceSpec, namespace convert.Namespace, sendAuth bool, resolveImage string) ([]string, error) {
 	apiClient := dockerCli.Client()
 	out := dockerCli.Out()

 	existingServices, err := getStackServices(ctx, apiClient, namespace.Name())
 	if err != nil {
-		return err
+		return nil, err
 	}

 	existingServiceMap := make(map[string]swarm.Service)
@ -189,6 +200,8 @@ func deployServices(ctx context.Context, dockerCli command.Cli, services map[str
 		existingServiceMap[service.Spec.Name] = service
 	}

+	var serviceIDs []string
+
 	for internalName, serviceSpec := range services {
 		var (
 			name        = namespace.Scope(internalName)
@ -200,7 +213,7 @@ func deployServices(ctx context.Context, dockerCli command.Cli, services map[str
 			// Retrieve encoded auth token from the image reference
 			encodedAuth, err = command.RetrieveAuthTokenFromImage(dockerCli.ConfigFile(), image)
 			if err != nil {
-				return err
+				return nil, err
 			}
 		}

@ -241,12 +254,14 @@ func deployServices(ctx context.Context, dockerCli command.Cli, services map[str

 			response, err := apiClient.ServiceUpdate(ctx, service.ID, service.Version, serviceSpec, updateOpts)
 			if err != nil {
-				return errors.Wrapf(err, "failed to update service %s", name)
+				return nil, fmt.Errorf("failed to update service %s: %w", name, err)
 			}

 			for _, warning := range response.Warnings {
 				fmt.Fprintln(dockerCli.Err(), warning)
 			}
+
+			serviceIDs = append(serviceIDs, service.ID)
 		} else {
 			fmt.Fprintf(out, "Creating service %s\n", name)

@ -257,10 +272,29 @@ func deployServices(ctx context.Context, dockerCli command.Cli, services map[str
 				createOpts.QueryRegistry = true
 			}

-			if _, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts); err != nil {
-				return errors.Wrapf(err, "failed to create service %s", name)
+			response, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create service %s: %w", name, err)
 			}
+
+			serviceIDs = append(serviceIDs, response.ID)
 		}
 	}
+
+	return serviceIDs, nil
+}
+
+func waitOnServices(ctx context.Context, dockerCli command.Cli, serviceIDs []string, quiet bool) error {
+	var errs []error
+	for _, serviceID := range serviceIDs {
+		if err := servicecli.WaitOnService(ctx, dockerCli, serviceID, quiet); err != nil {
+			errs = append(errs, fmt.Errorf("%s: %w", serviceID, err))
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
 	return nil
 }
--- a/cli/command/stack/swarm/deploy_test.go
+++ b/cli/command/stack/swarm/deploy_test.go
@ -99,7 +99,7 @@ func TestServiceUpdateResolveImageChanged(t *testing.T) {
 					},
 				},
 			}
-			err := deployServices(ctx, client, spec, namespace, false, ResolveImageChanged)
+			_, err := deployServices(ctx, client, spec, namespace, false, ResolveImageChanged)
 			assert.NilError(t, err)
 			assert.Check(t, is.Equal(receivedOptions.QueryRegistry, tc.expectedQueryRegistry))
 			assert.Check(t, is.Equal(receivedService.TaskTemplate.ContainerSpec.Image, tc.expectedImage))
--- a/cli/command/stack/swarm/remove.go
+++ b/cli/command/stack/swarm/remove.go
@ -11,6 +11,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
+	apiclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
 )

@ -58,6 +59,14 @@ func RunRemove(ctx context.Context, dockerCli command.Cli, opts options.Remove)

 		if hasError {
 			errs = append(errs, fmt.Sprintf("Failed to remove some resources from stack: %s", namespace))
+			continue
+		}
+
+		if !opts.Detach {
+			err = waitOnTasks(ctx, client, namespace)
+			if err != nil {
+				errs = append(errs, fmt.Sprintf("Failed to wait on tasks of stack: %s: %s", namespace, err))
+			}
 		}
 	}

@ -137,3 +146,45 @@ func removeConfigs(
 	}
 	return hasError
 }
+
+var numberedStates = map[swarm.TaskState]int64{
+	swarm.TaskStateNew:       1,
+	swarm.TaskStateAllocated: 2,
+	swarm.TaskStatePending:   3,
+	swarm.TaskStateAssigned:  4,
+	swarm.TaskStateAccepted:  5,
+	swarm.TaskStatePreparing: 6,
+	swarm.TaskStateReady:     7,
+	swarm.TaskStateStarting:  8,
+	swarm.TaskStateRunning:   9,
+	swarm.TaskStateComplete:  10,
+	swarm.TaskStateShutdown:  11,
+	swarm.TaskStateFailed:    12,
+	swarm.TaskStateRejected:  13,
+}
+
+func terminalState(state swarm.TaskState) bool {
+	return numberedStates[state] > numberedStates[swarm.TaskStateRunning]
+}
+
+func waitOnTasks(ctx context.Context, client apiclient.APIClient, namespace string) error {
+	terminalStatesReached := 0
+	for {
+		tasks, err := getStackTasks(ctx, client, namespace)
+		if err != nil {
+			return fmt.Errorf("failed to get tasks: %w", err)
+		}
+
+		for _, task := range tasks {
+			if terminalState(task.Status.State) {
+				terminalStatesReached++
+				break
+			}
+		}
+
+		if terminalStatesReached == len(tasks) {
+			break
+		}
+	}
+	return nil
+}
--- a/cli/command/swarm/ipnet_slice_test.go
+++ b/cli/command/swarm/ipnet_slice_test.go
@ -20,7 +20,7 @@ func equalCIDR(c1 net.IPNet, c2 net.IPNet) bool {

 func setUpIPNetFlagSet(ipsp *[]net.IPNet) *pflag.FlagSet {
 	f := pflag.NewFlagSet("test", pflag.ContinueOnError)
-	f.VarP(newIPNetSliceValue([]net.IPNet{}, ipsp), "cidrs", "", "Command separated list!")
+	f.Var(newIPNetSliceValue([]net.IPNet{}, ipsp), "cidrs", "Command separated list!")
 	return f
 }

--- a/cli/command/system/client_test.go
+++ b/cli/command/system/client_test.go
@ -5,15 +5,18 @@ import (

 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
 )

 type fakeClient struct {
 	client.Client

-	version       string
-	serverVersion func(ctx context.Context) (types.Version, error)
-	eventsFn      func(context.Context, types.EventsOptions) (<-chan events.Message, <-chan error)
+	version            string
+	serverVersion      func(ctx context.Context) (types.Version, error)
+	eventsFn           func(context.Context, types.EventsOptions) (<-chan events.Message, <-chan error)
+	containerPruneFunc func(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error)
+	networkPruneFunc   func(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error)
 }

 func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
@ -27,3 +30,17 @@ func (cli *fakeClient) ClientVersion() string {
 func (cli *fakeClient) Events(ctx context.Context, opts types.EventsOptions) (<-chan events.Message, <-chan error) {
 	return cli.eventsFn(ctx, opts)
 }
+
+func (cli *fakeClient) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
+	if cli.containerPruneFunc != nil {
+		return cli.containerPruneFunc(ctx, pruneFilters)
+	}
+	return types.ContainersPruneReport{}, nil
+}
+
+func (cli *fakeClient) NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
+	if cli.networkPruneFunc != nil {
+		return cli.networkPruneFunc(ctx, pruneFilter)
+	}
+	return types.NetworksPruneReport{}, nil
+}
--- a/cli/command/system/info.go
+++ b/cli/command/system/info.go
@ -21,7 +21,6 @@ import (
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/system"
-	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/registry"
 	"github.com/docker/go-units"
 	"github.com/spf13/cobra"
@ -380,7 +379,10 @@ func prettyPrintServerInfo(streams command.Streams, info *dockerInfo) []error {
 	}

 	fprintln(output)
-	printServerWarnings(streams.Err(), info)
+	for _, w := range info.Warnings {
+		fprintln(streams.Err(), w)
+	}
+
 	return errs
 }

@ -454,84 +456,6 @@ func printSwarmInfo(output io.Writer, info system.Info) {
 	}
 }

-func printServerWarnings(stdErr io.Writer, info *dockerInfo) {
-	if versions.LessThan(info.ClientInfo.APIVersion, "1.42") {
-		printSecurityOptionsWarnings(stdErr, *info.Info)
-	}
-	if len(info.Warnings) > 0 {
-		fprintln(stdErr, strings.Join(info.Warnings, "\n"))
-		return
-	}
-	// daemon didn't return warnings. Fallback to old behavior
-	printServerWarningsLegacy(stdErr, *info.Info)
-}
-
-// printSecurityOptionsWarnings prints warnings based on the security options
-// returned by the daemon.
-//
-// Deprecated: warnings are now generated by the daemon, and returned in
-// info.Warnings. This function is used to provide backward compatibility with
-// daemons that do not provide these warnings. No new warnings should be added
-// here.
-func printSecurityOptionsWarnings(stdErr io.Writer, info system.Info) {
-	if info.OSType == "windows" {
-		return
-	}
-	kvs, _ := system.DecodeSecurityOptions(info.SecurityOptions)
-	for _, so := range kvs {
-		if so.Name != "seccomp" {
-			continue
-		}
-		for _, o := range so.Options {
-			if o.Key == "profile" && o.Value != "default" && o.Value != "builtin" {
-				_, _ = fmt.Fprintln(stdErr, "WARNING: You're not using the default seccomp profile")
-			}
-		}
-	}
-}
-
-// printServerWarningsLegacy generates warnings based on information returned by the daemon.
-//
-// Deprecated: warnings are now generated by the daemon, and returned in
-// info.Warnings. This function is used to provide backward compatibility with
-// daemons that do not provide these warnings. No new warnings should be added
-// here.
-func printServerWarningsLegacy(stdErr io.Writer, info system.Info) {
-	if info.OSType == "windows" {
-		return
-	}
-	if !info.MemoryLimit {
-		fprintln(stdErr, "WARNING: No memory limit support")
-	}
-	if !info.SwapLimit {
-		fprintln(stdErr, "WARNING: No swap limit support")
-	}
-	if !info.OomKillDisable && info.CgroupVersion != "2" {
-		fprintln(stdErr, "WARNING: No oom kill disable support")
-	}
-	if !info.CPUCfsQuota {
-		fprintln(stdErr, "WARNING: No cpu cfs quota support")
-	}
-	if !info.CPUCfsPeriod {
-		fprintln(stdErr, "WARNING: No cpu cfs period support")
-	}
-	if !info.CPUShares {
-		fprintln(stdErr, "WARNING: No cpu shares support")
-	}
-	if !info.CPUSet {
-		fprintln(stdErr, "WARNING: No cpuset support")
-	}
-	if !info.IPv4Forwarding {
-		fprintln(stdErr, "WARNING: IPv4 forwarding is disabled")
-	}
-	if !info.BridgeNfIptables {
-		fprintln(stdErr, "WARNING: bridge-nf-call-iptables is disabled")
-	}
-	if !info.BridgeNfIP6tables {
-		fprintln(stdErr, "WARNING: bridge-nf-call-ip6tables is disabled")
-	}
-}
-
 func formatInfo(output io.Writer, info dockerInfo, format string) error {
 	if format == formatter.JSONFormatKey {
 		format = formatter.JSONFormat
--- a/cli/command/system/info_test.go
+++ b/cli/command/system/info_test.go
@ -333,23 +333,6 @@ func TestPrettyPrintInfo(t *testing.T) {
 			prettyGolden: "docker-info-with-swarm",
 			jsonGolden:   "docker-info-with-swarm",
 		},
-		{
-			doc: "info with legacy warnings",
-			dockerInfo: dockerInfo{
-				Info: &infoWithWarningsLinux,
-				ClientInfo: &clientInfo{
-					clientVersion: clientVersion{
-						Platform: &platformInfo{Name: "Docker Engine - Community"},
-						Version:  "24.0.0",
-						Context:  "default",
-					},
-					Debug: true,
-				},
-			},
-			prettyGolden:   "docker-info-no-swarm",
-			warningsGolden: "docker-info-warnings",
-			jsonGolden:     "docker-info-legacy-warnings",
-		},
 		{
 			doc: "info with daemon warnings",
 			dockerInfo: dockerInfo{
--- a/cli/command/system/prune.go
+++ b/cli/command/system/prune.go
@ -74,8 +74,10 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	if options.pruneVolumes && options.filter.Value().Contains("until") {
 		return fmt.Errorf(`ERROR: The "until" filter is not supported with "--volumes"`)
 	}
-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), confirmationMessage(dockerCli, options)) {
-		return nil
+	if !options.force {
+		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), confirmationMessage(dockerCli, options)); !r || err != nil {
+			return err
+		}
 	}
 	pruneFuncs := []func(ctx context.Context, dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error){
 		container.RunPrune,
--- a/cli/command/system/prune_test.go
+++ b/cli/command/system/prune_test.go
@ -1,10 +1,15 @@
 package system

 import (
+	"context"
 	"testing"

+	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@ -49,3 +54,23 @@ func TestPrunePromptFilters(t *testing.T) {
 Are you sure you want to continue? [y/N] `
 	assert.Check(t, is.Equal(expected, cli.OutBuffer().String()))
 }
+
+func TestSystemPrunePromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerPruneFunc: func(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
+			return types.ContainersPruneReport{}, errors.New("fakeClient containerPruneFunc should not be called")
+		},
+		networkPruneFunc: func(ctx context.Context, pruneFilters filters.Args) (types.NetworksPruneReport, error) {
+			return types.NetworksPruneReport{}, errors.New("fakeClient networkPruneFunc should not be called")
+		},
+	})
+
+	cmd := newPruneCommand(cli)
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+}
--- a/cli/command/system/testdata/docker-info-legacy-warnings.json.golden
+++ b/cli/command/system/testdata/docker-info-legacy-warnings.json.golden
@ -1 +0,0 @@
-{"ID":"EKHL:QDUU:QZ7U:MKGD:VDXK:S27Q:GIPU:24B7:R7VT:DGN6:QCSF:2UBX","Containers":0,"ContainersRunning":0,"ContainersPaused":0,"ContainersStopped":0,"Images":0,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Using metacopy","false"],["Native Overlay Diff","true"]],"Plugins":{"Volume":["local"],"Network":["bridge","host","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","splunk","syslog"]},"MemoryLimit":false,"SwapLimit":false,"CpuCfsPeriod":false,"CpuCfsQuota":false,"CPUShares":false,"CPUSet":false,"PidsLimit":false,"IPv4Forwarding":false,"BridgeNfIptables":false,"BridgeNfIp6tables":false,"Debug":true,"NFd":33,"OomKillDisable":false,"NGoroutines":135,"SystemTime":"2017-08-24T17:44:34.077811894Z","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"4.4.0-87-generic","OperatingSystem":"Ubuntu 16.04.3 LTS","OSVersion":"","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":null,"AllowNondistributableArtifactsHostnames":null,"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":null,"Secure":true,"Official":true}},"Mirrors":null},"NCPU":2,"MemTotal":2097356800,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"system-sample","Labels":["provider=digitalocean"],"ExperimentalBuild":false,"ServerVersion":"17.06.1-ce","Runtimes":{"runc":{"path":"docker-runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"6e23458c129b551d5c9871e5174f6b1b7f6d1170","Expected":"6e23458c129b551d5c9871e5174f6b1b7f6d1170"},"RuncCommit":{"ID":"810190ceaa507aa2727d7ae6f4790c76ec150bd2","Expected":"810190ceaa507aa2727d7ae6f4790c76ec150bd2"},"InitCommit":{"ID":"949e6fa","Expected":"949e6fa"},"SecurityOptions":["name=apparmor","name=seccomp,profile=default"],"DefaultAddressPools":[{"Base":"10.123.0.0/16","Size":24}],"CDISpecDirs":["/etc/cdi","/var/run/cdi"],"Warnings":null,"ClientInfo":{"Debug":true,"Platform":{"Name":"Docker Engine - Community"},"Version":"24.0.0","Context":"default","Plugins":[],"Warnings":null}}
--- a/cli/command/trust/inspect_pretty_test.go
+++ b/cli/command/trust/inspect_pretty_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/docker/cli/internal/test"
 	notaryfake "github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/system"
 	apiclient "github.com/docker/docker/client"
 	"github.com/theupdateframework/notary"
@ -36,7 +37,7 @@ func (c *fakeClient) ImageInspectWithRaw(context.Context, string) (types.ImageIn
 	return types.ImageInspect{}, []byte{}, nil
 }

-func (c *fakeClient) ImagePush(context.Context, string, types.ImagePushOptions) (io.ReadCloser, error) {
+func (c *fakeClient) ImagePush(context.Context, string, image.PushOptions) (io.ReadCloser, error) {
 	return &utils.NoopCloser{Reader: bytes.NewBuffer([]byte{})}, nil
 }

--- a/cli/command/trust/revoke.go
+++ b/cli/command/trust/revoke.go
@ -3,7 +3,6 @@ package trust
 import (
 	"context"
 	"fmt"
-	"os"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@ -44,7 +43,11 @@ func revokeTrust(ctx context.Context, dockerCLI command.Cli, remote string, opti
 		return fmt.Errorf("cannot use a digest reference for IMAGE:TAG")
 	}
 	if imgRefAndAuth.Tag() == "" && !options.forceYes {
-		deleteRemote := command.PromptForConfirmation(os.Stdin, dockerCLI.Out(), fmt.Sprintf("Please confirm you would like to delete all signature data for %s?", remote))
+		deleteRemote, err := command.PromptForConfirmation(ctx, dockerCLI.In(), dockerCLI.Out(), fmt.Sprintf("Please confirm you would like to delete all signature data for %s?", remote))
+		if err != nil {
+			fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
+			return errors.Wrap(err, "aborting action")
+		}
 		if !deleteRemote {
 			fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
 			return nil
--- a/cli/command/trust/revoke_test.go
+++ b/cli/command/trust/revoke_test.go
@ -1,9 +1,11 @@
 package trust

 import (
+	"context"
 	"io"
 	"testing"

+	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
@ -12,6 +14,7 @@ import (
 	"github.com/theupdateframework/notary/trustpinning"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/golden"
 )

 func TestTrustRevokeCommandErrors(t *testing.T) {
@ -148,3 +151,18 @@ func TestGetSignableRolesForTargetAndRemoveError(t *testing.T) {
 	err = getSignableRolesForTargetAndRemove(target, notaryRepo)
 	assert.Error(t, err, "client is offline")
 }
+
+func TestRevokeTrustPromptTermination(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := newRevokeCommand(cli)
+	cmd.SetArgs([]string{"example/trust-demo"})
+	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
+		t.Helper()
+		assert.ErrorIs(t, err, command.ErrPromptTerminated)
+	})
+	assert.Equal(t, cli.ErrBuffer().String(), "")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-revoke-prompt-termination.golden")
+}
--- a/cli/command/trust/sign.go
+++ b/cli/command/trust/sign.go
@ -12,7 +12,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/image"
 	"github.com/docker/cli/cli/trust"
-	"github.com/docker/docker/api/types"
+	imagetypes "github.com/docker/docker/api/types/image"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	apiclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
@ -98,7 +98,7 @@ func runSignImage(ctx context.Context, dockerCLI command.Cli, options signOption
 			if err != nil {
 				return err
 			}
-			options := types.ImagePushOptions{
+			options := imagetypes.PushOptions{
 				RegistryAuth:  encodedAuth,
 				PrivilegeFunc: requestPrivilege,
 			}
--- a/cli/command/trust/signer_remove.go
+++ b/cli/command/trust/signer_remove.go
@ -3,7 +3,6 @@ package trust
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"

 	"github.com/docker/cli/cli"
@ -76,6 +75,22 @@ func isLastSignerForReleases(roleWithSig data.Role, allRoles []client.RoleWithSi
 	return counter < releasesRoleWithSigs.Threshold, nil
 }

+func maybePromptForSignerRemoval(ctx context.Context, dockerCLI command.Cli, repoName, signerName string, isLastSigner, forceYes bool) (bool, error) {
+	if isLastSigner && !forceYes {
+		message := fmt.Sprintf("The signer \"%s\" signed the last released version of %s. "+
+			"Removing this signer will make %s unpullable. "+
+			"Are you sure you want to continue?",
+			signerName, repoName, repoName,
+		)
+		removeSigner, err := command.PromptForConfirmation(ctx, dockerCLI.In(), dockerCLI.Out(), message)
+		if err != nil {
+			return false, err
+		}
+		return removeSigner, nil
+	}
+	return false, nil
+}
+
 // removeSingleSigner attempts to remove a single signer and returns whether signer removal happened.
 // The signer not being removed doesn't necessarily raise an error e.g. user choosing "No" when prompted for confirmation.
 func removeSingleSigner(ctx context.Context, dockerCLI command.Cli, repoName, signerName string, forceYes bool) (bool, error) {
@ -110,28 +125,26 @@ func removeSingleSigner(ctx context.Context, dockerCLI command.Cli, repoName, si
 	if err != nil {
 		return false, err
 	}
-	if ok, err := isLastSignerForReleases(role, allRoles); ok && !forceYes {
-		removeSigner := command.PromptForConfirmation(os.Stdin, dockerCLI.Out(), fmt.Sprintf("The signer \"%s\" signed the last released version of %s. "+
-			"Removing this signer will make %s unpullable. "+
-			"Are you sure you want to continue?",
-			signerName, repoName, repoName,
-		))

-		if !removeSigner {
-			fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
-			return false, nil
-		}
-	} else if err != nil {
-		return false, err
-	}
-	if err = notaryRepo.RemoveDelegationKeys(releasesRoleTUFName, role.KeyIDs); err != nil {
-		return false, err
-	}
-	if err = notaryRepo.RemoveDelegationRole(signerDelegation); err != nil {
+	isLastSigner, err := isLastSignerForReleases(role, allRoles)
+	if err != nil {
 		return false, err
 	}

-	if err = notaryRepo.Publish(); err != nil {
+	ok, err := maybePromptForSignerRemoval(ctx, dockerCLI, repoName, signerName, isLastSigner, forceYes)
+	if err != nil || !ok {
+		fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
+		return false, err
+	}
+
+	if err := notaryRepo.RemoveDelegationKeys(releasesRoleTUFName, role.KeyIDs); err != nil {
+		return false, err
+	}
+	if err := notaryRepo.RemoveDelegationRole(signerDelegation); err != nil {
+		return false, err
+	}
+
+	if err := notaryRepo.Publish(); err != nil {
 		return false, err
 	}

--- a/cli/command/trust/signer_remove_test.go
+++ b/cli/command/trust/signer_remove_test.go
@ -111,7 +111,8 @@ func TestIsLastSignerForReleases(t *testing.T) {
 	releaserole.Name = releasesRoleTUFName
 	releaserole.Threshold = 1
 	allrole := []client.RoleWithSignatures{releaserole}
-	lastsigner, _ := isLastSignerForReleases(role, allrole)
+	lastsigner, err := isLastSignerForReleases(role, allrole)
+	assert.Error(t, err, "all signed tags are currently revoked, use docker trust sign to fix")
 	assert.Check(t, is.Equal(false, lastsigner))

 	role.KeyIDs = []string{"deadbeef"}
@ -120,13 +121,15 @@ func TestIsLastSignerForReleases(t *testing.T) {
 	releaserole.Signatures = []data.Signature{sig}
 	releaserole.Threshold = 1
 	allrole = []client.RoleWithSignatures{releaserole}
-	lastsigner, _ = isLastSignerForReleases(role, allrole)
+	lastsigner, err = isLastSignerForReleases(role, allrole)
+	assert.NilError(t, err)
 	assert.Check(t, is.Equal(true, lastsigner))

 	sig.KeyID = "8badf00d"
 	releaserole.Signatures = []data.Signature{sig}
 	releaserole.Threshold = 1
 	allrole = []client.RoleWithSignatures{releaserole}
-	lastsigner, _ = isLastSignerForReleases(role, allrole)
+	lastsigner, err = isLastSignerForReleases(role, allrole)
+	assert.NilError(t, err)
 	assert.Check(t, is.Equal(false, lastsigner))
 }
--- a/cli/command/trust/testdata/trust-revoke-prompt-termination.golden
+++ b/cli/command/trust/testdata/trust-revoke-prompt-termination.golden
@ -0,0 +1,2 @@
+Please confirm you would like to delete all signature data for example/trust-demo? [y/N] 
+Aborting action.
--- a/cli/command/utils.go
+++ b/cli/command/utils.go
@ -5,12 +5,15 @@ package command

 import (
 	"bufio"
+	"context"
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strings"
+	"syscall"

 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types/filters"
@ -72,12 +75,21 @@ func PrettyPrint(i any) string {
 	}
 }

-// PromptForConfirmation requests and checks confirmation from user.
-// This will display the provided message followed by ' [y/N] '. If
-// the user input 'y' or 'Y' it returns true other false.  If no
-// message is provided "Are you sure you want to proceed? [y/N] "
-// will be used instead.
-func PromptForConfirmation(ins io.Reader, outs io.Writer, message string) bool {
+type PromptError error
+
+var ErrPromptTerminated = PromptError(errors.New("prompt terminated"))
+
+// PromptForConfirmation requests and checks confirmation from the user.
+// This will display the provided message followed by ' [y/N] '. If the user
+// input 'y' or 'Y' it returns true otherwise false. If no message is provided,
+// "Are you sure you want to proceed? [y/N] " will be used instead.
+//
+// If the user terminates the CLI with SIGINT or SIGTERM while the prompt is
+// active, the prompt will return false with an ErrPromptTerminated error.
+// When the prompt returns an error, the caller should propagate the error up
+// the stack and close the io.Reader used for the prompt which will prevent the
+// background goroutine from blocking indefinitely.
+func PromptForConfirmation(ctx context.Context, ins io.Reader, outs io.Writer, message string) (bool, error) {
 	if message == "" {
 		message = "Are you sure you want to proceed?"
 	}
@ -90,9 +102,31 @@ func PromptForConfirmation(ins io.Reader, outs io.Writer, message string) bool {
 		ins = streams.NewIn(os.Stdin)
 	}

-	reader := bufio.NewReader(ins)
-	answer, _, _ := reader.ReadLine()
-	return strings.ToLower(string(answer)) == "y"
+	result := make(chan bool)
+
+	// Catch the termination signal and exit the prompt gracefully.
+	// The caller is responsible for properly handling the termination.
+	notifyCtx, notifyCancel := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+	defer notifyCancel()
+
+	go func() {
+		var res bool
+		scanner := bufio.NewScanner(ins)
+		if scanner.Scan() {
+			answer := strings.TrimSpace(scanner.Text())
+			if strings.EqualFold(answer, "y") {
+				res = true
+			}
+		}
+		result <- res
+	}()
+
+	select {
+	case <-notifyCtx.Done():
+		return false, ErrPromptTerminated
+	case r := <-result:
+		return r, nil
+	}
 }

 // PruneFilters returns consolidated prune filters obtained from config.json and cli
--- a/Show More
+++ b/Show More
				`@ -0,0 +1,2 @@`

				`No images found matching "ls": did you mean "docker image ls"?`
				`@ -1 +0,0 @@`
				{"ID":"EKHL:QDUU:QZ7U:MKGD:VDXK:S27Q:GIPU:24B7:R7VT:DGN6:QCSF:2UBX","Containers":0,"ContainersRunning":0,"ContainersPaused":0,"ContainersStopped":0,"Images":0,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Using metacopy","false"],["Native Overlay Diff","true"]],"Plugins":{"Volume":["local"],"Network":["bridge","host","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","splunk","syslog"]},"MemoryLimit":false,"SwapLimit":false,"CpuCfsPeriod":false,"CpuCfsQuota":false,"CPUShares":false,"CPUSet":false,"PidsLimit":false,"IPv4Forwarding":false,"BridgeNfIptables":false,"BridgeNfIp6tables":false,"Debug":true,"NFd":33,"OomKillDisable":false,"NGoroutines":135,"SystemTime":"2017-08-24T17:44:34.077811894Z","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"4.4.0-87-generic","OperatingSystem":"Ubuntu 16.04.3 LTS","OSVersion":"","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":null,"AllowNondistributableArtifactsHostnames":null,"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":null,"Secure":true,"Official":true}},"Mirrors":null},"NCPU":2,"MemTotal":2097356800,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"system-sample","Labels":["provider=digitalocean"],"ExperimentalBuild":false,"ServerVersion":"17.06.1-ce","Runtimes":{"runc":{"path":"docker-runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"6e23458c129b551d5c9871e5174f6b1b7f6d1170","Expected":"6e23458c129b551d5c9871e5174f6b1b7f6d1170"},"RuncCommit":{"ID":"810190ceaa507aa2727d7ae6f4790c76ec150bd2","Expected":"810190ceaa507aa2727d7ae6f4790c76ec150bd2"},"InitCommit":{"ID":"949e6fa","Expected":"949e6fa"},"SecurityOptions":["name=apparmor","name=seccomp,profile=default"],"DefaultAddressPools":[{"Base":"10.123.0.0/16","Size":24}],"CDISpecDirs":["/etc/cdi","/var/run/cdi"],"Warnings":null,"ClientInfo":{"Debug":true,"Platform":{"Name":"Docker Engine - Community"},"Version":"24.0.0","Context":"default","Plugins":[],"Warnings":null}}