Merge pull request #5116 from thaJeztah/26.1_update_engine

[26.1]  vendor: github.com/docker/docker de5c9cf0b96e (v26.1.4-dev)

.github/PULL_REQUEST_TEMPLATE.md

@@ -22,9 +22,13 @@ Please provide the following information:
 **- Description for the changelog**
 <!--
 Write a short (one line) summary that describes the changes in this
-pull request for inclusion in the changelog:
+pull request for inclusion in the changelog.
+It must be placed inside the below triple backticks section:
 -->
+```markdown changelog
 
 
+```
+
 **- A picture of a cute animal (not mandatory but encouraged)**
 

.github/workflows/build.yml

@@ -77,13 +77,13 @@ jobs:
           platformPair=${platform//\//-}
           tar -cvzf "/tmp/out/docker-${platformPair}.tar.gz" .
           if [ -z "${{ matrix.use_glibc }}" ]; then
-            echo "ARTIFACT_NAME=${{ matrix.target }}" >> $GITHUB_ENV
+            echo "ARTIFACT_NAME=${{ matrix.target }}-${platformPair}" >> $GITHUB_ENV
           else
-            echo "ARTIFACT_NAME=${{ matrix.target }}-glibc" >> $GITHUB_ENV
+            echo "ARTIFACT_NAME=${{ matrix.target }}-${platformPair}-glibc" >> $GITHUB_ENV
           fi
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ env.ARTIFACT_NAME }}
           path: /tmp/out/*

.github/workflows/codeql.yml

@@ -26,6 +26,8 @@ jobs:
   codeql:
     runs-on: 'ubuntu-latest'
     timeout-minutes: 360
+    env:
+      DISABLE_WARN_OUTSIDE_CONTAINER: '1'
     permissions:
       actions: read
       contents: read
@@ -52,6 +54,16 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: go
+      # CodeQL 2.16.4's auto-build added support for multi-module repositories,
+      # and is trying to be smart by searching for modules in every directory,
+      # including vendor directories. If no module is found, it's creating one
+      # which is ... not what we want, so let's give it a "go.mod".
+      # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
+      -
+        name: Create go.mod
+        run: |
+          ln -s vendor.mod go.mod
+          ln -s vendor.sum go.sum
       -
         name: Autobuild
         uses: github/codeql-action/autobuild@v3

.github/workflows/test.yml

@@ -64,7 +64,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.21.8
+          go-version: 1.21.11
       -
         name: Test
         run: |

.github/workflows/validate-pr.yml

@@ -0,0 +1,62 @@
+name: validate-pr
+
+on:
+  pull_request:
+    types: [opened, edited, labeled, unlabeled]
+
+jobs:
+  check-area-label:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Missing `area/` label
+        if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
+        run: |
+          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
+          exit 1
+      - name: OK
+        run: exit 0
+
+  check-changelog:
+    if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/')
+    runs-on: ubuntu-20.04
+    env:
+      PR_BODY: |
+        ${{ github.event.pull_request.body }}
+    steps:
+      - name: Check changelog description
+        run: |
+          # Extract the `markdown changelog` note code block
+          block=$(echo -n "$PR_BODY" | tr -d '\r' | awk '/^```markdown changelog$/{flag=1;next}/^```$/{flag=0}flag')
+
+          # Strip empty lines
+          desc=$(echo "$block" |  awk NF)
+
+          if [ -z "$desc" ]; then
+            echo "::error::Changelog section is empty. Please provide a description for the changelog."
+            exit 1
+          fi
+
+          len=$(echo -n "$desc" | wc -c)
+          if [[ $len -le 6 ]]; then
+            echo "::error::Description looks too short: $desc"
+            exit 1
+          fi
+
+          echo "This PR will be included in the release notes with the following note:"
+          echo "$desc"
+
+  check-pr-branch:
+    runs-on: ubuntu-20.04
+    env:
+      PR_TITLE: ${{ github.event.pull_request.title }}
+    steps:
+      # Backports or PR that target a release branch directly should mention the target branch in the title, for example:
+      # [X.Y backport] Some change that needs backporting to X.Y
+      # [X.Y] Change directly targeting the X.Y branch
+      - name: Get branch from PR title
+        id: title_branch
+        run: echo "$PR_TITLE" | sed -n 's/^\[\([0-9]*\.[0-9]*\)[^]]*\].*/branch=\1/p' >> $GITHUB_OUTPUT
+
+      - name: Check release branch
+        if: github.event.pull_request.base.ref != steps.title_branch.outputs.branch && !(github.event.pull_request.base.ref == 'master' && steps.title_branch.outputs.branch == '')
+        run: echo "::error::PR title suggests targetting the ${{ steps.title_branch.outputs.branch }} branch, but is opened against ${{ github.event.pull_request.base.ref }}" && exit 1

CONTRIBUTING.md

@@ -84,7 +84,7 @@ use for simple changes](https://docs.docker.com/opensource/workflow/make-a-contr
   <tr>
     <td>Community Slack</td>
     <td>
-      The Docker Community has a dedicated Slack chat to discuss features and issues.  You can sign-up <a href="https://dockr.ly/slack" target="_blank">with this link</a>.
+      The Docker Community has a dedicated Slack chat to discuss features and issues.  You can sign-up <a href="https://dockr.ly/comm-slack" target="_blank">with this link</a>.
     </td>
   </tr>
   <tr>

Dockerfile

@@ -1,11 +1,11 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG ALPINE_VERSION=3.18
+ARG ALPINE_VERSION=3.20
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.21.8
-ARG XX_VERSION=1.2.1
+ARG GO_VERSION=1.21.11
+ARG XX_VERSION=1.4.0
 ARG GOVERSIONINFO_VERSION=v1.3.0
 ARG GOTESTSUM_VERSION=v1.10.0
 ARG BUILDX_VERSION=0.12.1
@@ -123,8 +123,14 @@ COPY --link . .
 FROM scratch AS plugins
 COPY --from=build-plugins /out .
 
-FROM scratch AS bin-image
+FROM scratch AS bin-image-linux
 COPY --from=build /out/docker /docker
+FROM scratch AS bin-image-darwin
+COPY --from=build /out/docker /docker
+FROM scratch AS bin-image-windows
+COPY --from=build /out/docker /docker.exe
+
+FROM bin-image-${TARGETOS} AS bin-image
 
 FROM scratch AS binary
 COPY --from=build /out .

Makefile

@@ -52,7 +52,7 @@ shellcheck: ## run shellcheck validation
 .PHONY: fmt
 fmt: ## run gofumpt (if present) or gofmt
 	@if command -v gofumpt > /dev/null; then \
-		gofumpt -w -d -lang=1.19 . ; \
+		gofumpt -w -d -lang=1.21 . ; \
 	else \
 		go list -f {{.Dir}} ./... | xargs gofmt -w -s -d ; \
 	fi

cli-plugins/hooks/printer.go

@@ -0,0 +1,18 @@
+package hooks
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/morikuni/aec"
+)
+
+func PrintNextSteps(out io.Writer, messages []string) {
+	if len(messages) == 0 {
+		return
+	}
+	fmt.Fprintln(out, aec.Bold.Apply("\nWhat's next:"))
+	for _, n := range messages {
+		_, _ = fmt.Fprintf(out, "    %s\n", n)
+	}
+}

cli-plugins/hooks/printer_test.go

@@ -0,0 +1,38 @@
+package hooks
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/morikuni/aec"
+	"gotest.tools/v3/assert"
+)
+
+func TestPrintHookMessages(t *testing.T) {
+	testCases := []struct {
+		messages       []string
+		expectedOutput string
+	}{
+		{
+			messages:       []string{},
+			expectedOutput: "",
+		},
+		{
+			messages: []string{"Bork!"},
+			expectedOutput: aec.Bold.Apply("\nWhat's next:") + "\n" +
+				"    Bork!\n",
+		},
+		{
+			messages: []string{"Foo", "bar"},
+			expectedOutput: aec.Bold.Apply("\nWhat's next:") + "\n" +
+				"    Foo\n" +
+				"    bar\n",
+		},
+	}
+
+	for _, tc := range testCases {
+		w := bytes.Buffer{}
+		PrintNextSteps(&w, tc.messages)
+		assert.Equal(t, w.String(), tc.expectedOutput)
+	}
+}

cli-plugins/hooks/template.go

@@ -0,0 +1,116 @@
+package hooks
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"text/template"
+
+	"github.com/spf13/cobra"
+)
+
+type HookType int
+
+const (
+	NextSteps = iota
+)
+
+// HookMessage represents a plugin hook response. Plugins
+// declaring support for CLI hooks need to print a json
+// representation of this type when their hook subcommand
+// is invoked.
+type HookMessage struct {
+	Type     HookType
+	Template string
+}
+
+// TemplateReplaceSubcommandName returns a hook template string
+// that will be replaced by the CLI subcommand being executed
+//
+// Example:
+//
+// "you ran the subcommand: " + TemplateReplaceSubcommandName()
+//
+// when being executed after the command:
+// `docker run --name "my-container" alpine`
+// will result in the message:
+// `you ran the subcommand: run`
+func TemplateReplaceSubcommandName() string {
+	return hookTemplateCommandName
+}
+
+// TemplateReplaceFlagValue returns a hook template string
+// that will be replaced by the flags value.
+//
+// Example:
+//
+// "you ran a container named: " + TemplateReplaceFlagValue("name")
+//
+// when being executed after the command:
+// `docker run --name "my-container" alpine`
+// will result in the message:
+// `you ran a container named: my-container`
+func TemplateReplaceFlagValue(flag string) string {
+	return fmt.Sprintf(hookTemplateFlagValue, flag)
+}
+
+// TemplateReplaceArg takes an index i and returns a hook
+// template string that the CLI will replace the template with
+// the ith argument, after processing the passed flags.
+//
+// Example:
+//
+// "run this image with `docker run " + TemplateReplaceArg(0) + "`"
+//
+// when being executed after the command:
+// `docker pull alpine`
+// will result in the message:
+// "Run this image with `docker run alpine`"
+func TemplateReplaceArg(i int) string {
+	return fmt.Sprintf(hookTemplateArg, strconv.Itoa(i))
+}
+
+func ParseTemplate(hookTemplate string, cmd *cobra.Command) ([]string, error) {
+	tmpl := template.New("").Funcs(commandFunctions)
+	tmpl, err := tmpl.Parse(hookTemplate)
+	if err != nil {
+		return nil, err
+	}
+	b := bytes.Buffer{}
+	err = tmpl.Execute(&b, cmd)
+	if err != nil {
+		return nil, err
+	}
+	return strings.Split(b.String(), "\n"), nil
+}
+
+var ErrHookTemplateParse = errors.New("failed to parse hook template")
+
+const (
+	hookTemplateCommandName = "{{.Name}}"
+	hookTemplateFlagValue   = `{{flag . "%s"}}`
+	hookTemplateArg         = "{{arg . %s}}"
+)
+
+var commandFunctions = template.FuncMap{
+	"flag": getFlagValue,
+	"arg":  getArgValue,
+}
+
+func getFlagValue(cmd *cobra.Command, flag string) (string, error) {
+	cmdFlag := cmd.Flag(flag)
+	if cmdFlag == nil {
+		return "", ErrHookTemplateParse
+	}
+	return cmdFlag.Value.String(), nil
+}
+
+func getArgValue(cmd *cobra.Command, i int) (string, error) {
+	flags := cmd.Flags()
+	if flags == nil {
+		return "", ErrHookTemplateParse
+	}
+	return flags.Arg(i), nil
+}

cli-plugins/hooks/template_test.go

@@ -0,0 +1,86 @@
+package hooks
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/v3/assert"
+)
+
+func TestParseTemplate(t *testing.T) {
+	type testFlag struct {
+		name  string
+		value string
+	}
+	testCases := []struct {
+		template       string
+		flags          []testFlag
+		args           []string
+		expectedOutput []string
+	}{
+		{
+			template:       "",
+			expectedOutput: []string{""},
+		},
+		{
+			template:       "a plain template message",
+			expectedOutput: []string{"a plain template message"},
+		},
+		{
+			template: TemplateReplaceFlagValue("tag"),
+			flags: []testFlag{
+				{
+					name:  "tag",
+					value: "my-tag",
+				},
+			},
+			expectedOutput: []string{"my-tag"},
+		},
+		{
+			template: TemplateReplaceFlagValue("test-one") + " " + TemplateReplaceFlagValue("test2"),
+			flags: []testFlag{
+				{
+					name:  "test-one",
+					value: "value",
+				},
+				{
+					name:  "test2",
+					value: "value2",
+				},
+			},
+			expectedOutput: []string{"value value2"},
+		},
+		{
+			template:       TemplateReplaceArg(0) + " " + TemplateReplaceArg(1),
+			args:           []string{"zero", "one"},
+			expectedOutput: []string{"zero one"},
+		},
+		{
+			template:       "You just pulled " + TemplateReplaceArg(0),
+			args:           []string{"alpine"},
+			expectedOutput: []string{"You just pulled alpine"},
+		},
+		{
+			template:       "one line\nanother line!",
+			expectedOutput: []string{"one line", "another line!"},
+		},
+	}
+
+	for _, tc := range testCases {
+		testCmd := &cobra.Command{
+			Use:  "pull",
+			Args: cobra.ExactArgs(len(tc.args)),
+		}
+		for _, f := range tc.flags {
+			_ = testCmd.Flags().String(f.name, "", "")
+			err := testCmd.Flag(f.name).Value.Set(f.value)
+			assert.NilError(t, err)
+		}
+		err := testCmd.Flags().Parse(tc.args)
+		assert.NilError(t, err)
+
+		out, err := ParseTemplate(tc.template, testCmd)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, out, tc.expectedOutput)
+	}
+}

cli-plugins/manager/error.go

@@ -41,6 +41,9 @@ func (e *pluginError) MarshalText() (text []byte, err error) {
 // wrapAsPluginError wraps an error in a pluginError with an
 // additional message, analogous to errors.Wrapf.
 func wrapAsPluginError(err error, msg string) error {
+	if err == nil {
+		return nil
+	}
 	return &pluginError{cause: errors.Wrap(err, msg)}
 }
 

cli-plugins/manager/hooks.go

@@ -0,0 +1,191 @@
+package manager
+
+import (
+	"encoding/json"
+	"strings"
+
+	"github.com/docker/cli/cli-plugins/hooks"
+	"github.com/docker/cli/cli/command"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+// HookPluginData is the type representing the information
+// that plugins declaring support for hooks get passed when
+// being invoked following a CLI command execution.
+type HookPluginData struct {
+	// RootCmd is a string representing the matching hook configuration
+	// which is currently being invoked. If a hook for `docker context` is
+	// configured and the user executes `docker context ls`, the plugin will
+	// be invoked with `context`.
+	RootCmd      string
+	Flags        map[string]string
+	CommandError string
+}
+
+// RunCLICommandHooks is the entrypoint into the hooks execution flow after
+// a main CLI command was executed. It calls the hook subcommand for all
+// present CLI plugins that declare support for hooks in their metadata and
+// parses/prints their responses.
+func RunCLICommandHooks(dockerCli command.Cli, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
+	commandName := strings.TrimPrefix(subCommand.CommandPath(), rootCmd.Name()+" ")
+	flags := getCommandFlags(subCommand)
+
+	runHooks(dockerCli, rootCmd, subCommand, commandName, flags, cmdErrorMessage)
+}
+
+// RunPluginHooks is the entrypoint for the hooks execution flow
+// after a plugin command was just executed by the CLI.
+func RunPluginHooks(dockerCli command.Cli, rootCmd, subCommand *cobra.Command, args []string) {
+	commandName := strings.Join(args, " ")
+	flags := getNaiveFlags(args)
+
+	runHooks(dockerCli, rootCmd, subCommand, commandName, flags, "")
+}
+
+func runHooks(dockerCli command.Cli, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
+	nextSteps := invokeAndCollectHooks(dockerCli, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
+
+	hooks.PrintNextSteps(dockerCli.Err(), nextSteps)
+}
+
+func invokeAndCollectHooks(dockerCli command.Cli, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
+	pluginsCfg := dockerCli.ConfigFile().Plugins
+	if pluginsCfg == nil {
+		return nil
+	}
+
+	nextSteps := make([]string, 0, len(pluginsCfg))
+	for pluginName, cfg := range pluginsCfg {
+		match, ok := pluginMatch(cfg, subCmdStr)
+		if !ok {
+			continue
+		}
+
+		p, err := GetPlugin(pluginName, dockerCli, rootCmd)
+		if err != nil {
+			continue
+		}
+
+		hookReturn, err := p.RunHook(HookPluginData{
+			RootCmd:      match,
+			Flags:        flags,
+			CommandError: cmdErrorMessage,
+		})
+		if err != nil {
+			// skip misbehaving plugins, but don't halt execution
+			continue
+		}
+
+		var hookMessageData hooks.HookMessage
+		err = json.Unmarshal(hookReturn, &hookMessageData)
+		if err != nil {
+			continue
+		}
+
+		// currently the only hook type
+		if hookMessageData.Type != hooks.NextSteps {
+			continue
+		}
+
+		processedHook, err := hooks.ParseTemplate(hookMessageData.Template, subCmd)
+		if err != nil {
+			continue
+		}
+
+		var appended bool
+		nextSteps, appended = appendNextSteps(nextSteps, processedHook)
+		if !appended {
+			logrus.Debugf("Plugin %s responded with an empty hook message %q. Ignoring.", pluginName, string(hookReturn))
+		}
+	}
+	return nextSteps
+}
+
+// appendNextSteps appends the processed hook output to the nextSteps slice.
+// If the processed hook output is empty, it is not appended.
+// Empty lines are not stripped if there's at least one non-empty line.
+func appendNextSteps(nextSteps []string, processed []string) ([]string, bool) {
+	empty := true
+	for _, l := range processed {
+		if strings.TrimSpace(l) != "" {
+			empty = false
+			break
+		}
+	}
+
+	if empty {
+		return nextSteps, false
+	}
+
+	return append(nextSteps, processed...), true
+}
+
+// pluginMatch takes a plugin configuration and a string representing the
+// command being executed (such as 'image ls' – the root 'docker' is omitted)
+// and, if the configuration includes a hook for the invoked command, returns
+// the configured hook string.
+func pluginMatch(pluginCfg map[string]string, subCmd string) (string, bool) {
+	configuredPluginHooks, ok := pluginCfg["hooks"]
+	if !ok || configuredPluginHooks == "" {
+		return "", false
+	}
+
+	commands := strings.Split(configuredPluginHooks, ",")
+	for _, hookCmd := range commands {
+		if hookMatch(hookCmd, subCmd) {
+			return hookCmd, true
+		}
+	}
+
+	return "", false
+}
+
+func hookMatch(hookCmd, subCmd string) bool {
+	hookCmdTokens := strings.Split(hookCmd, " ")
+	subCmdTokens := strings.Split(subCmd, " ")
+
+	if len(hookCmdTokens) > len(subCmdTokens) {
+		return false
+	}
+
+	for i, v := range hookCmdTokens {
+		if v != subCmdTokens[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func getCommandFlags(cmd *cobra.Command) map[string]string {
+	flags := make(map[string]string)
+	cmd.Flags().Visit(func(f *pflag.Flag) {
+		var fValue string
+		if f.Value.Type() == "bool" {
+			fValue = f.Value.String()
+		}
+		flags[f.Name] = fValue
+	})
+	return flags
+}
+
+// getNaiveFlags string-matches argv and parses them into a map.
+// This is used when calling hooks after a plugin command, since
+// in this case we can't rely on the cobra command tree to parse
+// flags in this case. In this case, no values are ever passed,
+// since we don't have enough information to process them.
+func getNaiveFlags(args []string) map[string]string {
+	flags := make(map[string]string)
+	for _, arg := range args {
+		if strings.HasPrefix(arg, "--") {
+			flags[arg[2:]] = ""
+			continue
+		}
+		if strings.HasPrefix(arg, "-") {
+			flags[arg[1:]] = ""
+		}
+	}
+	return flags
+}

cli-plugins/manager/hooks_test.go

@@ -0,0 +1,143 @@
+package manager
+
+import (
+	"testing"
+
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestGetNaiveFlags(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		expectedFlags map[string]string
+	}{
+		{
+			args:          []string{"docker"},
+			expectedFlags: map[string]string{},
+		},
+		{
+			args: []string{"docker", "build", "-q", "--file", "test.Dockerfile", "."},
+			expectedFlags: map[string]string{
+				"q":    "",
+				"file": "",
+			},
+		},
+		{
+			args: []string{"docker", "--context", "a-context", "pull", "-q", "--progress", "auto", "alpine"},
+			expectedFlags: map[string]string{
+				"context":  "",
+				"q":        "",
+				"progress": "",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		assert.DeepEqual(t, getNaiveFlags(tc.args), tc.expectedFlags)
+	}
+}
+
+func TestPluginMatch(t *testing.T) {
+	testCases := []struct {
+		commandString string
+		pluginConfig  map[string]string
+		expectedMatch string
+		expectedOk    bool
+	}{
+		{
+			commandString: "image ls",
+			pluginConfig: map[string]string{
+				"hooks": "image",
+			},
+			expectedMatch: "image",
+			expectedOk:    true,
+		},
+		{
+			commandString: "context ls",
+			pluginConfig: map[string]string{
+				"hooks": "build",
+			},
+			expectedMatch: "",
+			expectedOk:    false,
+		},
+		{
+			commandString: "context ls",
+			pluginConfig: map[string]string{
+				"hooks": "context ls",
+			},
+			expectedMatch: "context ls",
+			expectedOk:    true,
+		},
+		{
+			commandString: "image ls",
+			pluginConfig: map[string]string{
+				"hooks": "image ls,image",
+			},
+			expectedMatch: "image ls",
+			expectedOk:    true,
+		},
+		{
+			commandString: "image ls",
+			pluginConfig: map[string]string{
+				"hooks": "",
+			},
+			expectedMatch: "",
+			expectedOk:    false,
+		},
+		{
+			commandString: "image inspect",
+			pluginConfig: map[string]string{
+				"hooks": "image i",
+			},
+			expectedMatch: "",
+			expectedOk:    false,
+		},
+		{
+			commandString: "image inspect",
+			pluginConfig: map[string]string{
+				"hooks": "image",
+			},
+			expectedMatch: "image",
+			expectedOk:    true,
+		},
+	}
+
+	for _, tc := range testCases {
+		match, ok := pluginMatch(tc.pluginConfig, tc.commandString)
+		assert.Equal(t, ok, tc.expectedOk)
+		assert.Equal(t, match, tc.expectedMatch)
+	}
+}
+
+func TestAppendNextSteps(t *testing.T) {
+	testCases := []struct {
+		processed   []string
+		expectedOut []string
+	}{
+		{
+			processed:   []string{},
+			expectedOut: []string{},
+		},
+		{
+			processed:   []string{"", ""},
+			expectedOut: []string{},
+		},
+		{
+			processed:   []string{"Some hint", "", "Some other hint"},
+			expectedOut: []string{"Some hint", "", "Some other hint"},
+		},
+		{
+			processed:   []string{"Hint 1", "Hint 2"},
+			expectedOut: []string{"Hint 1", "Hint 2"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run("", func(t *testing.T) {
+			got, appended := appendNextSteps([]string{}, tc.processed)
+			assert.Check(t, is.DeepEqual(got, tc.expectedOut))
+			assert.Check(t, is.Equal(appended, len(got) > 0))
+		})
+	}
+}

cli-plugins/manager/manager.go

@@ -240,8 +240,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 
-		cmd.Env = os.Environ()
-		cmd.Env = append(cmd.Env, ReexecEnvvar+"="+os.Args[0])
+		cmd.Env = append(cmd.Environ(), ReexecEnvvar+"="+os.Args[0])
 		cmd.Env = appendPluginResourceAttributesEnvvar(cmd.Env, rootcmd, plugin)
 
 		return cmd, nil

cli-plugins/manager/metadata.go

@@ -8,6 +8,11 @@ const (
 	// which must be supported by every plugin and returns the
 	// plugin metadata.
 	MetadataSubcommandName = "docker-cli-plugin-metadata"
+
+	// HookSubcommandName is the name of the plugin subcommand
+	// which must be implemented by plugins declaring support
+	// for hooks in their metadata.
+	HookSubcommandName = "docker-cli-plugin-hooks"
 )
 
 // Metadata provided by the plugin.

cli-plugins/manager/plugin.go

@@ -2,6 +2,8 @@ package manager
 
 import (
 	"encoding/json"
+	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -100,3 +102,22 @@ func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 	}
 	return p, nil
 }
+
+// RunHook executes the plugin's hooks command
+// and returns its unprocessed output.
+func (p *Plugin) RunHook(hookData HookPluginData) ([]byte, error) {
+	hDataBytes, err := json.Marshal(hookData)
+	if err != nil {
+		return nil, wrapAsPluginError(err, "failed to marshall hook data")
+	}
+
+	pCmd := exec.Command(p.Path, p.Name, HookSubcommandName, string(hDataBytes))
+	pCmd.Env = os.Environ()
+	pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
+	hookCmdOutput, err := pCmd.Output()
+	if err != nil {
+		return nil, wrapAsPluginError(err, "failed to execute plugin hook subcommand")
+	}
+
+	return hookCmdOutput, nil
+}

cli-plugins/plugin/plugin.go

@@ -12,15 +12,17 @@ import (
 	"github.com/docker/cli/cli-plugins/socket"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/cli/cli/debug"
 	"github.com/docker/docker/client"
 	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel"
 )
 
 // PersistentPreRunE must be called by any plugin command (or
 // subcommand) which uses the cobra `PersistentPreRun*` hook. Plugins
 // which do not make use of `PersistentPreRun*` do not need to call
 // this (although it remains safe to do so). Plugins are recommended
-// to use `PersistenPreRunE` to enable the error to be
+// to use `PersistentPreRunE` to enable the error to be
 // returned. Should not be called outside of a command's
 // PersistentPreRunE hook and must not be run unless Run has been
 // called.
@@ -50,6 +52,24 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 				opts = append(opts, withPluginClientConn(plugin.Name()))
 			}
 			err = tcmd.Initialize(opts...)
+			ogRunE := cmd.RunE
+			if ogRunE == nil {
+				ogRun := cmd.Run
+				// necessary because error will always be nil here
+				// see: https://github.com/golangci/golangci-lint/issues/1379
+				//nolint:unparam
+				ogRunE = func(cmd *cobra.Command, args []string) error {
+					ogRun(cmd, args)
+					return nil
+				}
+				cmd.Run = nil
+			}
+			cmd.RunE = func(cmd *cobra.Command, args []string) error {
+				stopInstrumentation := dockerCli.StartInstrumentation(cmd)
+				err := ogRunE(cmd, args)
+				stopInstrumentation(err)
+				return err
+			}
 		})
 		return err
 	}
@@ -66,6 +86,8 @@ func RunPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager
 
 // Run is the top-level entry point to the CLI plugin framework. It should be called from your plugin's `main()` function.
 func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
+	otel.SetErrorHandler(debug.OTELErrorHandler)
+
 	dockerCli, err := command.NewDockerCli()
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)

cli-plugins/socket/socket.go

@@ -7,24 +7,114 @@ import (
 	"io"
 	"net"
 	"os"
+	"runtime"
+	"sync"
 )
 
-// EnvKey represents the well-known environment variable used to pass the plugin being
-// executed the socket name it should listen on to coordinate with the host CLI.
+// EnvKey represents the well-known environment variable used to pass the
+// plugin being executed the socket name it should listen on to coordinate with
+// the host CLI.
 const EnvKey = "DOCKER_CLI_PLUGIN_SOCKET"
 
-// SetupConn sets up a Unix socket listener, establishes a goroutine to handle connections
-// and update the conn pointer, and returns the listener for the socket (which the caller
-// is responsible for closing when it's no longer needed).
-func SetupConn(conn **net.UnixConn) (*net.UnixListener, error) {
-	listener, err := listen("docker_cli_" + randomID())
+// NewPluginServer creates a plugin server that listens on a new Unix domain
+// socket. h is called for each new connection to the socket in a goroutine.
+func NewPluginServer(h func(net.Conn)) (*PluginServer, error) {
+	// Listen on a Unix socket, with the address being platform-dependent.
+	// When a non-abstract address is used, Go will unlink(2) the socket
+	// for us once the listener is closed, as documented in
+	// [net.UnixListener.SetUnlinkOnClose].
+	l, err := net.ListenUnix("unix", &net.UnixAddr{
+		Name: socketName("docker_cli_" + randomID()),
+		Net:  "unix",
+	})
 	if err != nil {
 		return nil, err
 	}
 
-	accept(listener, conn)
+	if h == nil {
+		h = func(net.Conn) {}
+	}
 
-	return listener, nil
+	pl := &PluginServer{
+		l: l,
+		h: h,
+	}
+
+	go func() {
+		defer pl.Close()
+		for {
+			err := pl.accept()
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	return pl, nil
+}
+
+type PluginServer struct {
+	mu     sync.Mutex
+	conns  []net.Conn
+	l      *net.UnixListener
+	h      func(net.Conn)
+	closed bool
+}
+
+func (pl *PluginServer) accept() error {
+	conn, err := pl.l.Accept()
+	if err != nil {
+		return err
+	}
+
+	pl.mu.Lock()
+	defer pl.mu.Unlock()
+
+	if pl.closed {
+		// Handle potential race between Close and accept.
+		conn.Close()
+		return errors.New("plugin server is closed")
+	}
+
+	pl.conns = append(pl.conns, conn)
+
+	go pl.h(conn)
+	return nil
+}
+
+// Addr returns the [net.Addr] of the underlying [net.Listener].
+func (pl *PluginServer) Addr() net.Addr {
+	return pl.l.Addr()
+}
+
+// Close ensures that the server is no longer accepting new connections and
+// closes all existing connections. Existing connections will receive [io.EOF].
+//
+// The error value is that of the underlying [net.Listner.Close] call.
+func (pl *PluginServer) Close() error {
+	// Close connections first to ensure the connections get io.EOF instead
+	// of a connection reset.
+	pl.closeAllConns()
+
+	// Try to ensure that any active connections have a chance to receive
+	// io.EOF.
+	runtime.Gosched()
+
+	return pl.l.Close()
+}
+
+func (pl *PluginServer) closeAllConns() {
+	pl.mu.Lock()
+	defer pl.mu.Unlock()
+
+	// Prevent new connections from being accepted.
+	pl.closed = true
+
+	for _, conn := range pl.conns {
+		conn.Close()
+	}
+
+	pl.conns = nil
 }
 
 func randomID() string {
@@ -35,18 +125,6 @@ func randomID() string {
 	return hex.EncodeToString(b)
 }
 
-func accept(listener *net.UnixListener, conn **net.UnixConn) {
-	go func() {
-		for {
-			// ignore error here, if we failed to accept a connection,
-			// conn is nil and we fallback to previous behavior
-			*conn, _ = listener.AcceptUnix()
-			// perform any platform-specific actions on accept (e.g. unlink non-abstract sockets)
-			onAccept(*conn, listener)
-		}
-	}()
-}
-
 // ConnectAndWait connects to the socket passed via well-known env var,
 // if present, and attempts to read from it until it receives an EOF, at which
 // point cb is called.

cli-plugins/socket/socket_abstract.go

@@ -0,0 +1,9 @@
+//go:build windows || linux
+
+package socket
+
+func socketName(basename string) string {
+	// Address of an abstract socket -- this socket can be opened by name,
+	// but is not present in the filesystem.
+	return "@" + basename
+}

cli-plugins/socket/socket_darwin.go

@@ -1,19 +0,0 @@
-package socket
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"syscall"
-)
-
-func listen(socketname string) (*net.UnixListener, error) {
-	return net.ListenUnix("unix", &net.UnixAddr{
-		Name: filepath.Join(os.TempDir(), socketname),
-		Net:  "unix",
-	})
-}
-
-func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
-	syscall.Unlink(listener.Addr().String())
-}

cli-plugins/socket/socket_noabstract.go

@@ -0,0 +1,14 @@
+//go:build !windows && !linux
+
+package socket
+
+import (
+	"os"
+	"path/filepath"
+)
+
+func socketName(basename string) string {
+	// Because abstract sockets are unavailable, use a socket path in the
+	// system temporary directory.
+	return filepath.Join(os.TempDir(), basename)
+}

cli-plugins/socket/socket_nodarwin.go

@@ -1,20 +0,0 @@
-//go:build !darwin && !openbsd
-
-package socket
-
-import (
-	"net"
-)
-
-func listen(socketname string) (*net.UnixListener, error) {
-	return net.ListenUnix("unix", &net.UnixAddr{
-		Name: "@" + socketname,
-		Net:  "unix",
-	})
-}
-
-func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
-	// do nothing
-	// while on darwin and OpenBSD we would unlink here;
-	// on non-darwin the socket is abstract and not present on the filesystem
-}

cli-plugins/socket/socket_openbsd.go

@@ -1,19 +0,0 @@
-package socket
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"syscall"
-)
-
-func listen(socketname string) (*net.UnixListener, error) {
-	return net.ListenUnix("unix", &net.UnixAddr{
-		Name: filepath.Join(os.TempDir(), socketname),
-		Net:  "unix",
-	})
-}
-
-func onAccept(conn *net.UnixConn, listener *net.UnixListener) {
-	syscall.Unlink(listener.Addr().String())
-}

cli-plugins/socket/socket_test.go

@@ -1,11 +1,14 @@
 package socket
 
 import (
+	"errors"
+	"io"
 	"io/fs"
 	"net"
 	"os"
 	"runtime"
 	"strings"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -13,54 +16,110 @@ import (
 	"gotest.tools/v3/poll"
 )
 
-func TestSetupConn(t *testing.T) {
-	t.Run("updates conn when connected", func(t *testing.T) {
-		var conn *net.UnixConn
-		listener, err := SetupConn(&conn)
+func TestPluginServer(t *testing.T) {
+	t.Run("connection closes with EOF when server closes", func(t *testing.T) {
+		called := make(chan struct{})
+		srv, err := NewPluginServer(func(_ net.Conn) { close(called) })
 		assert.NilError(t, err)
-		assert.Check(t, listener != nil, "returned nil listener but no error")
-		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
-		assert.NilError(t, err, "failed to resolve listener address")
+		assert.Assert(t, srv != nil, "returned nil server but no error")
 
-		_, err = net.DialUnix("unix", nil, addr)
-		assert.NilError(t, err, "failed to dial returned listener")
+		addr, err := net.ResolveUnixAddr("unix", srv.Addr().String())
+		assert.NilError(t, err, "failed to resolve server address")
 
-		pollConnNotNil(t, &conn)
+		conn, err := net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to dial returned server")
+		defer conn.Close()
+
+		done := make(chan error, 1)
+		go func() {
+			_, err := conn.Read(make([]byte, 1))
+			done <- err
+		}()
+
+		select {
+		case <-called:
+		case <-time.After(10 * time.Millisecond):
+			t.Fatal("handler not called")
+		}
+
+		srv.Close()
+
+		select {
+		case err := <-done:
+			if !errors.Is(err, io.EOF) {
+				t.Fatalf("exepcted EOF error, got: %v", err)
+			}
+		case <-time.After(10 * time.Millisecond):
+		}
 	})
 
 	t.Run("allows reconnects", func(t *testing.T) {
-		var conn *net.UnixConn
-		listener, err := SetupConn(&conn)
+		var calls int32
+		h := func(_ net.Conn) {
+			atomic.AddInt32(&calls, 1)
+		}
+
+		srv, err := NewPluginServer(h)
 		assert.NilError(t, err)
-		assert.Check(t, listener != nil, "returned nil listener but no error")
-		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
-		assert.NilError(t, err, "failed to resolve listener address")
+		defer srv.Close()
+
+		assert.Check(t, srv.Addr() != nil, "returned nil addr but no error")
+
+		addr, err := net.ResolveUnixAddr("unix", srv.Addr().String())
+		assert.NilError(t, err, "failed to resolve server address")
+
+		waitForCalls := func(n int) {
+			poll.WaitOn(t, func(t poll.LogT) poll.Result {
+				if atomic.LoadInt32(&calls) == int32(n) {
+					return poll.Success()
+				}
+				return poll.Continue("waiting for handler to be called")
+			})
+		}
 
 		otherConn, err := net.DialUnix("unix", nil, addr)
-		assert.NilError(t, err, "failed to dial returned listener")
-
+		assert.NilError(t, err, "failed to dial returned server")
 		otherConn.Close()
+		waitForCalls(1)
 
-		_, err = net.DialUnix("unix", nil, addr)
-		assert.NilError(t, err, "failed to redial listener")
+		conn, err := net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to redial server")
+		defer conn.Close()
+		waitForCalls(2)
+
+		// and again but don't close the existing connection
+		conn2, err := net.DialUnix("unix", nil, addr)
+		assert.NilError(t, err, "failed to redial server")
+		defer conn2.Close()
+		waitForCalls(3)
+
+		srv.Close()
+
+		// now make sure we get EOF on the existing connections
+		buf := make([]byte, 1)
+		_, err = conn.Read(buf)
+		assert.ErrorIs(t, err, io.EOF, "expected EOF error, got: %v", err)
+
+		_, err = conn2.Read(buf)
+		assert.ErrorIs(t, err, io.EOF, "expected EOF error, got: %v", err)
 	})
 
 	t.Run("does not leak sockets to local directory", func(t *testing.T) {
-		var conn *net.UnixConn
-		listener, err := SetupConn(&conn)
+		srv, err := NewPluginServer(nil)
 		assert.NilError(t, err)
-		assert.Check(t, listener != nil, "returned nil listener but no error")
-		checkDirNoPluginSocket(t)
+		assert.Check(t, srv != nil, "returned nil server but no error")
+		checkDirNoNewPluginServer(t)
+
+		addr, err := net.ResolveUnixAddr("unix", srv.Addr().String())
+		assert.NilError(t, err, "failed to resolve server address")
 
-		addr, err := net.ResolveUnixAddr("unix", listener.Addr().String())
-		assert.NilError(t, err, "failed to resolve listener address")
 		_, err = net.DialUnix("unix", nil, addr)
-		assert.NilError(t, err, "failed to dial returned listener")
-		checkDirNoPluginSocket(t)
+		assert.NilError(t, err, "failed to dial returned server")
+		checkDirNoNewPluginServer(t)
 	})
 }
 
-func checkDirNoPluginSocket(t *testing.T) {
+func checkDirNoNewPluginServer(t *testing.T) {
 	t.Helper()
 
 	files, err := os.ReadDir(".")
@@ -78,18 +137,24 @@ func checkDirNoPluginSocket(t *testing.T) {
 
 func TestConnectAndWait(t *testing.T) {
 	t.Run("calls cancel func on EOF", func(t *testing.T) {
-		var conn *net.UnixConn
-		listener, err := SetupConn(&conn)
-		assert.NilError(t, err, "failed to setup listener")
+		srv, err := NewPluginServer(nil)
+		assert.NilError(t, err, "failed to setup server")
+		defer srv.Close()
 
 		done := make(chan struct{})
-		t.Setenv(EnvKey, listener.Addr().String())
+		t.Setenv(EnvKey, srv.Addr().String())
 		cancelFunc := func() {
 			done <- struct{}{}
 		}
 		ConnectAndWait(cancelFunc)
-		pollConnNotNil(t, &conn)
-		conn.Close()
+
+		select {
+		case <-done:
+			t.Fatal("unexpectedly done")
+		default:
+		}
+
+		srv.Close()
 
 		select {
 		case <-done:
@@ -101,17 +166,19 @@ func TestConnectAndWait(t *testing.T) {
 	// TODO: this test cannot be executed with `t.Parallel()`, due to
 	// relying on goroutine numbers to ensure correct behaviour
 	t.Run("connect goroutine exits after EOF", func(t *testing.T) {
-		var conn *net.UnixConn
-		listener, err := SetupConn(&conn)
-		assert.NilError(t, err, "failed to setup listener")
-		t.Setenv(EnvKey, listener.Addr().String())
+		srv, err := NewPluginServer(nil)
+		assert.NilError(t, err, "failed to setup server")
+
+		defer srv.Close()
+
+		t.Setenv(EnvKey, srv.Addr().String())
 		numGoroutines := runtime.NumGoroutine()
 
 		ConnectAndWait(func() {})
 		assert.Equal(t, runtime.NumGoroutine(), numGoroutines+1)
 
-		pollConnNotNil(t, &conn)
-		conn.Close()
+		srv.Close()
+
 		poll.WaitOn(t, func(t poll.LogT) poll.Result {
 			if runtime.NumGoroutine() > numGoroutines+1 {
 				return poll.Continue("waiting for connect goroutine to exit")
@@ -120,14 +187,3 @@ func TestConnectAndWait(t *testing.T) {
 		}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
 	})
 }
-
-func pollConnNotNil(t *testing.T, conn **net.UnixConn) {
-	t.Helper()
-
-	poll.WaitOn(t, func(t poll.LogT) poll.Result {
-		if *conn == nil {
-			return poll.Continue("waiting for conn to not be nil")
-		}
-		return poll.Success()
-	}, poll.WithDelay(1*time.Millisecond), poll.WithTimeout(10*time.Millisecond))
-}

cli/command/builder/prune.go

@@ -2,6 +2,7 @@ package builder
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -10,6 +11,7 @@ import (
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )
@@ -67,9 +69,13 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 		warning = allCacheWarning
 	}
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		if err != nil {
 			return 0, "", err
 		}
+		if !r {
+			return 0, "", errdefs.Cancelled(errors.New("builder prune has been cancelled"))
+		}
 	}
 
 	report, err := dockerCli.Client().BuildCachePrune(ctx, types.BuildCachePruneOptions{

cli/command/builder/prune_test.go

@@ -5,10 +5,8 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
-	"gotest.tools/v3/assert"
 )
 
 func TestBuilderPromptTermination(t *testing.T) {
@@ -21,8 +19,5 @@ func TestBuilderPromptTermination(t *testing.T) {
 		},
 	})
 	cmd := NewPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/cli.go

@@ -65,6 +65,7 @@ type Cli interface {
 	ContextStore() store.Store
 	CurrentContext() string
 	DockerEndpoint() docker.Endpoint
+	TelemetryClient
 }
 
 // DockerCli is an instance the docker command line client.
@@ -85,6 +86,7 @@ type DockerCli struct {
 	dockerEndpoint     docker.Endpoint
 	contextStoreConfig store.Config
 	initTimeout        time.Duration
+	res                telemetryResource
 
 	// baseCtx is the base context used for internal operations. In the future
 	// this may be replaced by explicitly passing a context to functions that
@@ -187,6 +189,36 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 	return cli.ServerInfo().OSType != "windows", nil
 }
 
+// HooksEnabled returns whether plugin hooks are enabled.
+func (cli *DockerCli) HooksEnabled() bool {
+	// legacy support DOCKER_CLI_HINTS env var
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+		enabled, err := strconv.ParseBool(v)
+		if err != nil {
+			return false
+		}
+		return enabled
+	}
+	// use DOCKER_CLI_HOOKS env var value if set and not empty
+	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
+		enabled, err := strconv.ParseBool(v)
+		if err != nil {
+			return false
+		}
+		return enabled
+	}
+	featuresMap := cli.ConfigFile().Features
+	if v, ok := featuresMap["hooks"]; ok {
+		enabled, err := strconv.ParseBool(v)
+		if err != nil {
+			return false
+		}
+		return enabled
+	}
+	// default to false
+	return false
+}
+
 // ManifestStore returns a store for local manifests
 func (cli *DockerCli) ManifestStore() manifeststore.Store {
 	// TODO: support override default location from config file
@@ -241,6 +273,11 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 			return ResolveDefaultContext(cli.options, cli.contextStoreConfig)
 		},
 	}
+
+	// TODO(krissetto): pass ctx to the funcs instead of using this
+	cli.createGlobalMeterProvider(cli.baseCtx)
+	cli.createGlobalTracerProvider(cli.baseCtx)
+
 	return nil
 }
 

cli/command/cli_test.go

@@ -307,3 +307,56 @@ func TestInitializeShouldAlwaysCreateTheContextStore(t *testing.T) {
 	})))
 	assert.Check(t, cli.ContextStore() != nil)
 }
+
+func TestHooksEnabled(t *testing.T) {
+	t.Run("disabled by default", func(t *testing.T) {
+		cli, err := NewDockerCli()
+		assert.NilError(t, err)
+
+		assert.Check(t, !cli.HooksEnabled())
+	})
+
+	t.Run("enabled in configFile", func(t *testing.T) {
+		configFile := `{
+    "features": {
+      "hooks": "true"
+    }}`
+		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
+		defer dir.Remove()
+		cli, err := NewDockerCli()
+		assert.NilError(t, err)
+		config.SetDir(dir.Path())
+
+		assert.Check(t, cli.HooksEnabled())
+	})
+
+	t.Run("env var overrides configFile", func(t *testing.T) {
+		configFile := `{
+    "features": {
+      "hooks": "true"
+    }}`
+		t.Setenv("DOCKER_CLI_HOOKS", "false")
+		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
+		defer dir.Remove()
+		cli, err := NewDockerCli()
+		assert.NilError(t, err)
+		config.SetDir(dir.Path())
+
+		assert.Check(t, !cli.HooksEnabled())
+	})
+
+	t.Run("legacy env var overrides configFile", func(t *testing.T) {
+		configFile := `{
+    "features": {
+      "hooks": "true"
+    }}`
+		t.Setenv("DOCKER_CLI_HINTS", "false")
+		dir := fs.NewDir(t, "", fs.WithFile("config.json", configFile))
+		defer dir.Remove()
+		cli, err := NewDockerCli()
+		assert.NilError(t, err)
+		config.SetDir(dir.Path())
+
+		assert.Check(t, !cli.HooksEnabled())
+	})
+}

cli/command/container/create.go

@@ -7,7 +7,7 @@ import (
 	"os"
 	"regexp"
 
-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -239,7 +239,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 	if options.platform != "" && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.41") {
 		p, err := platforms.Parse(options.platform)
 		if err != nil {
-			return "", errors.Wrap(err, "error parsing specified platform")
+			return "", errors.Wrap(errdefs.InvalidParameter(err), "error parsing specified platform")
 		}
 		platform = &p
 	}

cli/command/container/prune.go

@@ -8,7 +8,9 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -54,9 +56,13 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
 
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		if err != nil {
 			return 0, "", err
 		}
+		if !r {
+			return 0, "", errdefs.Cancelled(errors.New("container prune has been cancelled"))
+		}
 	}
 
 	report, err := dockerCli.Client().ContainersPrune(ctx, pruneFilters)

cli/command/container/prune_test.go

@@ -4,12 +4,10 @@ import (
 	"context"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
-	"gotest.tools/v3/assert"
 )
 
 func TestContainerPrunePromptTermination(t *testing.T) {
@@ -22,8 +20,5 @@ func TestContainerPrunePromptTermination(t *testing.T) {
 		},
 	})
 	cmd := NewPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/container/run.go

@@ -186,7 +186,11 @@ func runContainer(ctx context.Context, dockerCli command.Cli, runOpts *runOption
 		defer closeFn()
 	}
 
-	statusChan := waitExitOrRemoved(ctx, apiClient, containerID, copts.autoRemove)
+	// New context here because we don't to cancel waiting on container exit/remove
+	// when we cancel attach, etc.
+	statusCtx, cancelStatusCtx := context.WithCancel(context.WithoutCancel(ctx))
+	defer cancelStatusCtx()
+	statusChan := waitExitOrRemoved(statusCtx, apiClient, containerID, copts.autoRemove)
 
 	// start the container
 	if err := apiClient.ContainerStart(ctx, containerID, container.StartOptions{}); err != nil {

cli/command/container/stats.go

@@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 
@@ -106,15 +107,6 @@ var acceptedStatsFilters = map[string]bool{
 func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions) error {
 	apiClient := dockerCLI.Client()
 
-	// Get the daemonOSType if not set already
-	if daemonOSType == "" {
-		sv, err := apiClient.ServerVersion(ctx)
-		if err != nil {
-			return err
-		}
-		daemonOSType = sv.Os
-	}
-
 	// waitFirst is a WaitGroup to wait first stat data's reach for each container
 	waitFirst := &sync.WaitGroup{}
 	// closeChan is a non-buffered channel used to collect errors from goroutines.
@@ -138,9 +130,9 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			return err
 		}
 
-		eh := command.InitEventHandler()
+		eh := newEventHandler()
 		if options.All {
-			eh.Handle(events.ActionCreate, func(e events.Message) {
+			eh.setHandler(events.ActionCreate, func(e events.Message) {
 				s := NewStats(e.Actor.ID[:12])
 				if cStats.add(s) {
 					waitFirst.Add(1)
@@ -149,7 +141,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			})
 		}
 
-		eh.Handle(events.ActionStart, func(e events.Message) {
+		eh.setHandler(events.ActionStart, func(e events.Message) {
 			s := NewStats(e.Actor.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
@@ -158,7 +150,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		})
 
 		if !options.All {
-			eh.Handle(events.ActionDie, func(e events.Message) {
+			eh.setHandler(events.ActionDie, func(e events.Message) {
 				cStats.remove(e.Actor.ID[:12])
 			})
 		}
@@ -195,7 +187,7 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 		}
 
 		eventChan := make(chan events.Message)
-		go eh.Watch(eventChan)
+		go eh.watch(eventChan)
 		stopped := make(chan struct{})
 		go monitorContainerEvents(started, eventChan, stopped)
 		defer close(stopped)
@@ -267,6 +259,12 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 			format = formatter.TableFormatKey
 		}
 	}
+	if daemonOSType == "" {
+		// Get the daemonOSType if not set already. The daemonOSType variable
+		// should already be set when collecting stats as part of "collect()",
+		// so we unlikely hit this code in practice.
+		daemonOSType = dockerCLI.ServerInfo().OSType
+	}
 	statsCtx := formatter.Context{
 		Output: dockerCLI.Out(),
 		Format: NewStatsFormat(format, daemonOSType),
@@ -316,3 +314,31 @@ func RunStats(ctx context.Context, dockerCLI command.Cli, options *StatsOptions)
 	}
 	return err
 }
+
+// newEventHandler initializes and returns an eventHandler
+func newEventHandler() *eventHandler {
+	return &eventHandler{handlers: make(map[events.Action]func(events.Message))}
+}
+
+// eventHandler allows for registering specific events to setHandler.
+type eventHandler struct {
+	handlers map[events.Action]func(events.Message)
+}
+
+func (eh *eventHandler) setHandler(action events.Action, handler func(events.Message)) {
+	eh.handlers[action] = handler
+}
+
+// watch ranges over the passed in event chan and processes the events based on the
+// handlers created for a given action.
+// To stop watching, close the event chan.
+func (eh *eventHandler) watch(c <-chan events.Message) {
+	for e := range c {
+		h, exists := eh.handlers[e.Action]
+		if !exists {
+			continue
+		}
+		logrus.Debugf("event handler: received event: %v", e)
+		go h(e)
+	}
+}

cli/command/container/utils.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"context"
+	"errors"
 	"strconv"
 
 	"github.com/docker/docker/api/types"
@@ -35,7 +36,10 @@ func waitExitOrRemoved(ctx context.Context, apiClient client.APIClient, containe
 
 	statusC := make(chan int)
 	go func() {
+		defer close(statusC)
 		select {
+		case <-ctx.Done():
+			return
 		case result := <-resultC:
 			if result.Error != nil {
 				logrus.Errorf("Error waiting for container: %v", result.Error.Message)
@@ -44,6 +48,9 @@ func waitExitOrRemoved(ctx context.Context, apiClient client.APIClient, containe
 				statusC <- int(result.StatusCode)
 			}
 		case err := <-errC:
+			if errors.Is(err, context.Canceled) {
+				return
+			}
 			logrus.Errorf("error waiting for container: %v", err)
 			statusC <- 125
 		}

cli/command/context/create.go

@@ -24,6 +24,10 @@ type CreateOptions struct {
 	Description string
 	Docker      map[string]string
 	From        string
+
+	// Additional Metadata to store in the context. This option is not
+	// currently exposed to the user.
+	metaData map[string]any
 }
 
 func longCreateDescription() string {
@@ -94,7 +98,8 @@ func createNewContext(contextStore store.ReaderWriter, o *CreateOptions) error {
 			docker.DockerEndpoint: dockerEP,
 		},
 		Metadata: command.DockerContext{
-			Description: o.Description,
+			Description:      o.Description,
+			AdditionalFields: o.metaData,
 		},
 		Name: o.Name,
 	}

cli/command/context/export-import_test.go

@@ -8,14 +8,18 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/streams"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestExportImportWithFile(t *testing.T) {
 	contextFile := filepath.Join(t.TempDir(), "exported")
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "test")
+	createTestContext(t, cli, "test", map[string]any{
+		"MyCustomMetadata": t.Name(),
+	})
 	cli.ErrBuffer().Reset()
 	assert.NilError(t, RunExport(cli, &ExportOptions{
 		ContextName: "test",
@@ -29,18 +33,26 @@ func TestExportImportWithFile(t *testing.T) {
 	assert.NilError(t, err)
 	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
-	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
-	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
-	assert.Equal(t, "test", context1.Name)
-	assert.Equal(t, "test2", context2.Name)
 
-	assert.Equal(t, "test2\n", cli.OutBuffer().String())
-	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+	assert.Check(t, is.DeepEqual(context1.Metadata, command.DockerContext{
+		Description:      "description of test",
+		AdditionalFields: map[string]any{"MyCustomMetadata": t.Name()},
+	}))
+
+	assert.Check(t, is.DeepEqual(context1.Endpoints, context2.Endpoints))
+	assert.Check(t, is.DeepEqual(context1.Metadata, context2.Metadata))
+	assert.Check(t, is.Equal("test", context1.Name))
+	assert.Check(t, is.Equal("test2", context2.Name))
+
+	assert.Check(t, is.Equal("test2\n", cli.OutBuffer().String()))
+	assert.Check(t, is.Equal("Successfully imported context \"test2\"\n", cli.ErrBuffer().String()))
 }
 
 func TestExportImportPipe(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "test")
+	createTestContext(t, cli, "test", map[string]any{
+		"MyCustomMetadata": t.Name(),
+	})
 	cli.ErrBuffer().Reset()
 	cli.OutBuffer().Reset()
 	assert.NilError(t, RunExport(cli, &ExportOptions{
@@ -56,13 +68,19 @@ func TestExportImportPipe(t *testing.T) {
 	assert.NilError(t, err)
 	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
-	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
-	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
-	assert.Equal(t, "test", context1.Name)
-	assert.Equal(t, "test2", context2.Name)
 
-	assert.Equal(t, "test2\n", cli.OutBuffer().String())
-	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+	assert.Check(t, is.DeepEqual(context1.Metadata, command.DockerContext{
+		Description:      "description of test",
+		AdditionalFields: map[string]any{"MyCustomMetadata": t.Name()},
+	}))
+
+	assert.Check(t, is.DeepEqual(context1.Endpoints, context2.Endpoints))
+	assert.Check(t, is.DeepEqual(context1.Metadata, context2.Metadata))
+	assert.Check(t, is.Equal("test", context1.Name))
+	assert.Check(t, is.Equal("test2", context2.Name))
+
+	assert.Check(t, is.Equal("test2\n", cli.OutBuffer().String()))
+	assert.Check(t, is.Equal("Successfully imported context \"test2\"\n", cli.ErrBuffer().String()))
 }
 
 func TestExportExistingFile(t *testing.T) {

cli/command/context/inspect_test.go

@@ -10,7 +10,9 @@ import (
 
 func TestInspect(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
+	createTestContext(t, cli, "current", map[string]any{
+		"MyCustomMetadata": "MyCustomMetadataValue",
+	})
 	cli.OutBuffer().Reset()
 	assert.NilError(t, runInspect(cli, inspectOptions{
 		refs: []string{"current"},

cli/command/context/list.go

@@ -66,6 +66,8 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 				Name:    rawMeta.Name,
 				Current: isCurrent,
 				Error:   err.Error(),
+
+				ContextType: getContextType(nil, opts.format),
 			})
 			continue
 		}
@@ -80,6 +82,8 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 			Description:    meta.Description,
 			DockerEndpoint: dockerEndpoint.Host,
 			Error:          errMsg,
+
+			ContextType: getContextType(meta.AdditionalFields, opts.format),
 		}
 		contexts = append(contexts, &desc)
 	}
@@ -96,6 +100,8 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 			Name:    curContext,
 			Current: true,
 			Error:   errMsg,
+
+			ContextType: getContextType(nil, opts.format),
 		})
 	}
 	sort.Slice(contexts, func(i, j int) bool {
@@ -111,6 +117,30 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 	return nil
 }
 
+// getContextType sets the LegacyContextType field for compatibility with
+// Visual Studio, which depends on this field from the "cloud integration"
+// wrapper.
+//
+// https://github.com/docker/compose-cli/blob/c156ce6da4c2b317174d42daf1b019efa87e9f92/api/context/store/contextmetadata.go#L28-L34
+// https://github.com/docker/compose-cli/blob/c156ce6da4c2b317174d42daf1b019efa87e9f92/api/context/store/store.go#L34-L51
+//
+// TODO(thaJeztah): remove this and [ClientContext.ContextType] once Visual Studio is updated to no longer depend on this.
+func getContextType(meta map[string]any, format string) string {
+	if format != formatter.JSONFormat && format != formatter.JSONFormatKey {
+		// We only need the ContextType field when formatting as JSON,
+		// which is the format-string used by Visual Studio to detect the
+		// context-type.
+		return ""
+	}
+	if ct, ok := meta["Type"]; ok {
+		// If the context on-disk has a context-type (ecs, aci), return it.
+		return ct.(string)
+	}
+
+	// Use the default context-type.
+	return "moby"
+}
+
 func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {
 	contextCtx := formatter.Context{
 		Output: dockerCli.Out(),

cli/command/context/list_test.go

@@ -4,36 +4,70 @@ import (
 	"testing"
 
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
 )
 
-func createTestContext(t *testing.T, cli command.Cli, name string) {
+func createTestContexts(t *testing.T, cli command.Cli, name ...string) {
+	t.Helper()
+	for _, n := range name {
+		createTestContext(t, cli, n, nil)
+	}
+}
+
+func createTestContext(t *testing.T, cli command.Cli, name string, metaData map[string]any) {
 	t.Helper()
 
 	err := RunCreate(cli, &CreateOptions{
 		Name:        name,
 		Description: "description of " + name,
 		Docker:      map[string]string{keyHost: "https://someswarmserver.example.com"},
+
+		metaData: metaData,
 	})
 	assert.NilError(t, err)
 }
 
 func TestList(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
-	createTestContext(t, cli, "unset")
+	createTestContexts(t, cli, "current", "other", "unset")
 	cli.SetCurrentContext("current")
 	cli.OutBuffer().Reset()
 	assert.NilError(t, runList(cli, &listOptions{}))
 	golden.Assert(t, cli.OutBuffer().String(), "list.golden")
 }
 
+func TestListJSON(t *testing.T) {
+	cli := makeFakeCli(t)
+	createTestContext(t, cli, "current", nil)
+	createTestContext(t, cli, "context1", map[string]any{"Type": "aci"})
+	createTestContext(t, cli, "context2", map[string]any{"Type": "ecs"})
+	createTestContext(t, cli, "context3", map[string]any{"Type": "moby"})
+	cli.SetCurrentContext("current")
+
+	t.Run("format={{json .}}", func(t *testing.T) {
+		cli.OutBuffer().Reset()
+		assert.NilError(t, runList(cli, &listOptions{format: formatter.JSONFormat}))
+		golden.Assert(t, cli.OutBuffer().String(), "list-json.golden")
+	})
+
+	t.Run("format=json", func(t *testing.T) {
+		cli.OutBuffer().Reset()
+		assert.NilError(t, runList(cli, &listOptions{format: formatter.JSONFormatKey}))
+		golden.Assert(t, cli.OutBuffer().String(), "list-json.golden")
+	})
+
+	t.Run("format={{ json .Name }}", func(t *testing.T) {
+		cli.OutBuffer().Reset()
+		assert.NilError(t, runList(cli, &listOptions{format: `{{ json .Name }}`}))
+		golden.Assert(t, cli.OutBuffer().String(), "list-json-name.golden")
+	})
+}
+
 func TestListQuiet(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
+	createTestContexts(t, cli, "current", "other")
 	cli.SetCurrentContext("current")
 	cli.OutBuffer().Reset()
 	assert.NilError(t, runList(cli, &listOptions{quiet: true}))

cli/command/context/remove_test.go

@@ -13,8 +13,7 @@ import (
 
 func TestRemove(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
+	createTestContexts(t, cli, "current", "other")
 	assert.NilError(t, RunRemove(cli, RemoveOptions{}, []string{"other"}))
 	_, err := cli.ContextStore().GetMetadata("current")
 	assert.NilError(t, err)
@@ -24,8 +23,7 @@ func TestRemove(t *testing.T) {
 
 func TestRemoveNotAContext(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
+	createTestContexts(t, cli, "current", "other")
 	err := RunRemove(cli, RemoveOptions{}, []string{"not-a-context"})
 	assert.ErrorContains(t, err, `context "not-a-context" does not exist`)
 
@@ -35,8 +33,7 @@ func TestRemoveNotAContext(t *testing.T) {
 
 func TestRemoveCurrent(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
+	createTestContexts(t, cli, "current", "other")
 	cli.SetCurrentContext("current")
 	err := RunRemove(cli, RemoveOptions{}, []string{"current"})
 	assert.ErrorContains(t, err, `context "current" is in use, set -f flag to force remove`)
@@ -50,8 +47,7 @@ func TestRemoveCurrentForce(t *testing.T) {
 	assert.NilError(t, testCfg.Save())
 
 	cli := makeFakeCli(t, withCliConfig(testCfg))
-	createTestContext(t, cli, "current")
-	createTestContext(t, cli, "other")
+	createTestContexts(t, cli, "current", "other")
 	cli.SetCurrentContext("current")
 	assert.NilError(t, RunRemove(cli, RemoveOptions{Force: true}, []string{"current"}))
 	reloadedConfig, err := config.Load(configDir)
@@ -61,7 +57,7 @@ func TestRemoveCurrentForce(t *testing.T) {
 
 func TestRemoveDefault(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "other")
+	createTestContext(t, cli, "other", nil)
 	cli.SetCurrentContext("current")
 	err := RunRemove(cli, RemoveOptions{}, []string{"default"})
 	assert.ErrorContains(t, err, `default: context "default" cannot be removed`)

cli/command/context/show_test.go

@@ -8,7 +8,7 @@ import (
 
 func TestShow(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "current")
+	createTestContext(t, cli, "current", nil)
 	cli.SetCurrentContext("current")
 
 	cli.OutBuffer().Reset()

cli/command/context/testdata/inspect.golden

@@ -2,7 +2,8 @@
     {
         "Name": "current",
         "Metadata": {
-            "Description": "description of current"
+            "Description": "description of current",
+            "MyCustomMetadata": "MyCustomMetadataValue"
         },
         "Endpoints": {
             "docker": {

cli/command/context/testdata/list-json-name.golden

@@ -0,0 +1,5 @@
+"context1"
+"context2"
+"context3"
+"current"
+"default"

cli/command/context/testdata/list-json.golden

@@ -0,0 +1,5 @@
+{"Name":"context1","Description":"description of context1","DockerEndpoint":"https://someswarmserver.example.com","Current":false,"Error":"","ContextType":"aci"}
+{"Name":"context2","Description":"description of context2","DockerEndpoint":"https://someswarmserver.example.com","Current":false,"Error":"","ContextType":"ecs"}
+{"Name":"context3","Description":"description of context3","DockerEndpoint":"https://someswarmserver.example.com","Current":false,"Error":"","ContextType":"moby"}
+{"Name":"current","Description":"description of current","DockerEndpoint":"https://someswarmserver.example.com","Current":true,"Error":"","ContextType":"moby"}
+{"Name":"default","Description":"Current DOCKER_HOST based configuration","DockerEndpoint":"unix:///var/run/docker.sock","Current":false,"Error":"","ContextType":"moby"}

cli/command/context/update_test.go

@@ -6,7 +6,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/context/docker"
 	"gotest.tools/v3/assert"
-	"gotest.tools/v3/assert/cmp"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestUpdateDescriptionOnly(t *testing.T) {
@@ -34,7 +34,7 @@ func TestUpdateDescriptionOnly(t *testing.T) {
 
 func TestUpdateDockerOnly(t *testing.T) {
 	cli := makeFakeCli(t)
-	createTestContext(t, cli, "test")
+	createTestContext(t, cli, "test", nil)
 	assert.NilError(t, RunUpdate(cli, &UpdateOptions{
 		Name: "test",
 		Docker: map[string]string{
@@ -46,7 +46,7 @@ func TestUpdateDockerOnly(t *testing.T) {
 	dc, err := command.GetDockerContext(c)
 	assert.NilError(t, err)
 	assert.Equal(t, dc.Description, "description of test")
-	assert.Check(t, cmp.Contains(c.Endpoints, docker.DockerEndpoint))
+	assert.Check(t, is.Contains(c.Endpoints, docker.DockerEndpoint))
 	assert.Equal(t, c.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta).Host, "tcp://some-host")
 }
 

cli/command/events_utils.go

@@ -9,12 +9,16 @@ import (
 
 // EventHandler is abstract interface for user to customize
 // own handle functions of each type of events
+//
+// Deprecated: EventHandler is no longer used, and will be removed in the next release.
 type EventHandler interface {
 	Handle(action events.Action, h func(events.Message))
 	Watch(c <-chan events.Message)
 }
 
 // InitEventHandler initializes and returns an EventHandler
+//
+// Deprecated: InitEventHandler is no longer used, and will be removed in the next release.
 func InitEventHandler() EventHandler {
 	return &eventHandler{handlers: make(map[events.Action]func(events.Message))}
 }

cli/command/formatter/context.go

@@ -1,5 +1,7 @@
 package formatter
 
+import "encoding/json"
+
 const (
 	// ClientContextTableFormat is the default client context format.
 	ClientContextTableFormat = "table {{.Name}}{{if .Current}} *{{end}}\t{{.Description}}\t{{.DockerEndpoint}}\t{{.Error}}"
@@ -28,6 +30,13 @@ type ClientContext struct {
 	DockerEndpoint string
 	Current        bool
 	Error          string
+
+	// ContextType is a temporary field for compatibility with
+	// Visual Studio, which depends on this from the "cloud integration"
+	// wrapper.
+	//
+	// Deprecated: this type is only for backward-compatibility. Do not use.
+	ContextType string `json:"ContextType,omitempty"`
 }
 
 // ClientContextWrite writes formatted contexts using the Context
@@ -60,6 +69,13 @@ func newClientContextContext() *clientContextContext {
 }
 
 func (c *clientContextContext) MarshalJSON() ([]byte, error) {
+	if c.c.ContextType != "" {
+		// We only have ContextType set for plain "json" or "{{json .}}" formatting,
+		// so we should be able to just use the default json.Marshal with no
+		// special handling.
+		return json.Marshal(c.c)
+	}
+	// FIXME(thaJeztah): why do we need a special marshal function here?
 	return MarshalJSON(c)
 }
 

cli/command/image/build/context_test.go

@@ -129,7 +129,6 @@ func TestGetContextFromReaderString(t *testing.T) {
 	tarReader := tar.NewReader(tarArchive)
 
 	_, err = tarReader.Next()
-
 	if err != nil {
 		t.Fatalf("Error when reading tar archive: %s", err)
 	}

cli/command/image/prune.go

@@ -10,7 +10,9 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -68,9 +70,13 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 		warning = allImageWarning
 	}
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		if err != nil {
 			return 0, "", err
 		}
+		if !r {
+			return 0, "", errdefs.Cancelled(errors.New("image prune has been cancelled"))
+		}
 	}
 
 	report, err := dockerCli.Client().ImagesPrune(ctx, pruneFilters)

cli/command/image/prune_test.go

@@ -4,9 +4,10 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
@@ -94,13 +95,18 @@ func TestNewPruneCommandSuccess(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		cli := test.NewFakeCli(&fakeClient{imagesPruneFunc: tc.imagesPruneFunc})
-		cmd := NewPruneCommand(cli)
-		cmd.SetOut(io.Discard)
-		cmd.SetArgs(tc.args)
-		err := cmd.Execute()
-		assert.NilError(t, err)
-		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("prune-command-success.%s.golden", tc.name))
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{imagesPruneFunc: tc.imagesPruneFunc})
+			// when prompted, answer "Y" to confirm the prune.
+			// will not be prompted if --force is used.
+			cli.SetIn(streams.NewIn(io.NopCloser(strings.NewReader("Y\n"))))
+			cmd := NewPruneCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("prune-command-success.%s.golden", tc.name))
+		})
 	}
 }
 
@@ -114,8 +120,5 @@ func TestPrunePromptTermination(t *testing.T) {
 		},
 	})
 	cmd := NewPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/image/testdata/inspect-command-success.simple-many.golden

@@ -5,8 +5,6 @@
         "RepoDigests": null,
         "Parent": "",
         "Comment": "",
-        "Container": "",
-        "ContainerConfig": null,
         "DockerVersion": "",
         "Author": "",
         "Config": null,
@@ -28,8 +26,6 @@
         "RepoDigests": null,
         "Parent": "",
         "Comment": "",
-        "Container": "",
-        "ContainerConfig": null,
         "DockerVersion": "",
         "Author": "",
         "Config": null,

cli/command/image/testdata/inspect-command-success.simple.golden

@@ -5,8 +5,6 @@
         "RepoDigests": null,
         "Parent": "",
         "Comment": "",
-        "Container": "",
-        "ContainerConfig": null,
         "DockerVersion": "",
         "Author": "",
         "Config": null,

cli/command/network/prune.go

@@ -7,6 +7,8 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -50,9 +52,13 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
 
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		if err != nil {
 			return "", err
 		}
+		if !r {
+			return "", errdefs.Cancelled(errors.New("network prune cancelled has been cancelled"))
+		}
 	}
 
 	report, err := dockerCli.Client().NetworksPrune(ctx, pruneFilters)

cli/command/network/prune_test.go

@@ -4,12 +4,10 @@ import (
 	"context"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
-	"gotest.tools/v3/assert"
 )
 
 func TestNetworkPrunePromptTermination(t *testing.T) {
@@ -22,8 +20,5 @@ func TestNetworkPrunePromptTermination(t *testing.T) {
 		},
 	})
 	cmd := NewPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/network/remove_test.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/errdefs"
@@ -115,8 +114,5 @@ func TestNetworkRemovePromptTermination(t *testing.T) {
 	})
 	cmd := newRemoveCommand(cli)
 	cmd.SetArgs([]string{"existing-network"})
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/plugin/create.go

@@ -114,7 +114,6 @@ func runCreate(ctx context.Context, dockerCli command.Cli, options pluginCreateO
 	createCtx, err = archive.TarWithOptions(absContextDir, &archive.TarOptions{
 		Compression: compression,
 	})
-
 	if err != nil {
 		return err
 	}

cli/command/plugin/testdata/plugin-upgrade-terminate.golden

@@ -1,2 +1,2 @@
 Upgrading plugin foo/bar from localhost:5000/foo/bar:v0.1.0 to localhost:5000/foo/bar:v1.0.0
-Plugin images do not match, are you sure? [y/N] 
+Plugin images do not match, are you sure? [y/N] 

cli/command/plugin/upgrade.go

@@ -8,6 +8,7 @@ import (
 	"github.com/distribution/reference"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -63,11 +64,12 @@ func runUpgrade(ctx context.Context, dockerCli command.Cli, opts pluginOptions)
 
 	fmt.Fprintf(dockerCli.Out(), "Upgrading plugin %s from %s to %s\n", p.Name, reference.FamiliarString(old), reference.FamiliarString(remote))
 	if !opts.skipRemoteCheck && remote.String() != old.String() {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), "Plugin images do not match, are you sure?"); !r || err != nil {
-			if err != nil {
-				return errors.Wrap(err, "canceling upgrade request")
-			}
-			return errors.New("canceling upgrade request")
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), "Plugin images do not match, are you sure?")
+		if err != nil {
+			return err
+		}
+		if !r {
+			return errdefs.Cancelled(errors.New("plugin upgrade has been cancelled"))
 		}
 	}
 

cli/command/plugin/upgrade_test.go

@@ -5,11 +5,9 @@ import (
 	"io"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
-	"gotest.tools/v3/assert"
 	"gotest.tools/v3/golden"
 )
 
@@ -34,9 +32,6 @@ func TestUpgradePromptTermination(t *testing.T) {
 	// need to set a remote address that does not match the plugin
 	// reference sent by the `pluginInspectFunc`
 	cmd.SetArgs([]string{"foo/bar", "localhost:5000/foo/bar:v1.0.0"})
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 	golden.Assert(t, cli.OutBuffer().String(), "plugin-upgrade-terminate.golden")
 }

cli/command/system/prune.go

@@ -17,8 +17,10 @@ import (
 	"github.com/docker/cli/cli/command/volume"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/go-units"
 	"github.com/fvbommel/sortorder"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
@@ -75,9 +77,13 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 		return fmt.Errorf(`ERROR: The "until" filter is not supported with "--volumes"`)
 	}
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), confirmationMessage(dockerCli, options)); !r || err != nil {
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), confirmationMessage(dockerCli, options))
+		if err != nil {
 			return err
 		}
+		if !r {
+			return errdefs.Cancelled(errors.New("system prune has been cancelled"))
+		}
 	}
 	pruneFuncs := []func(ctx context.Context, dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error){
 		container.RunPrune,

cli/command/system/prune_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
@@ -18,7 +17,7 @@ func TestPrunePromptPre131DoesNotIncludeBuildCache(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{version: "1.30"})
 	cmd := newPruneCommand(cli)
 	cmd.SetArgs([]string{})
-	assert.NilError(t, cmd.Execute())
+	assert.ErrorContains(t, cmd.Execute(), "system prune has been cancelled")
 	expected := `WARNING! This will remove:
   - all stopped containers
   - all networks not used by at least one container
@@ -36,7 +35,7 @@ func TestPrunePromptFilters(t *testing.T) {
 	cmd := newPruneCommand(cli)
 	cmd.SetArgs([]string{"--filter", "until=24h", "--filter", "label=hello-world", "--filter", "label!=foo=bar", "--filter", "label=bar=baz"})
 
-	assert.NilError(t, cmd.Execute())
+	assert.ErrorContains(t, cmd.Execute(), "system prune has been cancelled")
 	expected := `WARNING! This will remove:
   - all stopped containers
   - all networks not used by at least one container
@@ -69,8 +68,5 @@ func TestSystemPrunePromptTermination(t *testing.T) {
 	})
 
 	cmd := newPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 }

cli/command/telemetry.go

@@ -0,0 +1,218 @@
+package command
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/distribution/uuid"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/metric"
+	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
+	"go.opentelemetry.io/otel/sdk/metric/metricdata"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const exportTimeout = 50 * time.Millisecond
+
+// TracerProvider is an extension of the trace.TracerProvider interface for CLI programs.
+type TracerProvider interface {
+	trace.TracerProvider
+	ForceFlush(ctx context.Context) error
+	Shutdown(ctx context.Context) error
+}
+
+// MeterProvider is an extension of the metric.MeterProvider interface for CLI programs.
+type MeterProvider interface {
+	metric.MeterProvider
+	ForceFlush(ctx context.Context) error
+	Shutdown(ctx context.Context) error
+}
+
+// TelemetryClient provides the methods for using OTEL tracing or metrics.
+type TelemetryClient interface {
+	// Resource returns the OTEL Resource configured with this TelemetryClient.
+	// This resource may be created lazily, but the resource should be the same
+	// each time this function is invoked.
+	Resource() *resource.Resource
+
+	// TracerProvider returns the currently initialized TracerProvider. This TracerProvider will be configured
+	// with the default tracing components for a CLI program
+	TracerProvider() trace.TracerProvider
+
+	// MeterProvider returns the currently initialized MeterProvider. This MeterProvider will be configured
+	// with the default metric components for a CLI program
+	MeterProvider() metric.MeterProvider
+}
+
+func (cli *DockerCli) Resource() *resource.Resource {
+	return cli.res.Get()
+}
+
+func (cli *DockerCli) TracerProvider() trace.TracerProvider {
+	return otel.GetTracerProvider()
+}
+
+func (cli *DockerCli) MeterProvider() metric.MeterProvider {
+	return otel.GetMeterProvider()
+}
+
+// WithResourceOptions configures additional options for the default resource. The default
+// resource will continue to include its default options.
+func WithResourceOptions(opts ...resource.Option) CLIOption {
+	return func(cli *DockerCli) error {
+		cli.res.AppendOptions(opts...)
+		return nil
+	}
+}
+
+// WithResource overwrites the default resource and prevents its creation.
+func WithResource(res *resource.Resource) CLIOption {
+	return func(cli *DockerCli) error {
+		cli.res.Set(res)
+		return nil
+	}
+}
+
+type telemetryResource struct {
+	res  *resource.Resource
+	opts []resource.Option
+	once sync.Once
+}
+
+func (r *telemetryResource) Set(res *resource.Resource) {
+	r.res = res
+}
+
+func (r *telemetryResource) Get() *resource.Resource {
+	r.once.Do(r.init)
+	return r.res
+}
+
+func (r *telemetryResource) init() {
+	if r.res != nil {
+		r.opts = nil
+		return
+	}
+
+	opts := append(defaultResourceOptions(), r.opts...)
+	res, err := resource.New(context.Background(), opts...)
+	if err != nil {
+		otel.Handle(err)
+	}
+	r.res = res
+
+	// Clear the resource options since they'll never be used again and to allow
+	// the garbage collector to retrieve that memory.
+	r.opts = nil
+}
+
+// createGlobalMeterProvider creates a new MeterProvider from the initialized DockerCli struct
+// with the given options and sets it as the global meter provider
+func (cli *DockerCli) createGlobalMeterProvider(ctx context.Context, opts ...sdkmetric.Option) {
+	allOpts := make([]sdkmetric.Option, 0, len(opts)+2)
+	allOpts = append(allOpts, sdkmetric.WithResource(cli.Resource()))
+	allOpts = append(allOpts, dockerMetricExporter(ctx, cli)...)
+	allOpts = append(allOpts, opts...)
+	mp := sdkmetric.NewMeterProvider(allOpts...)
+	otel.SetMeterProvider(mp)
+}
+
+// createGlobalTracerProvider creates a new TracerProvider from the initialized DockerCli struct
+// with the given options and sets it as the global tracer provider
+func (cli *DockerCli) createGlobalTracerProvider(ctx context.Context, opts ...sdktrace.TracerProviderOption) {
+	allOpts := make([]sdktrace.TracerProviderOption, 0, len(opts)+2)
+	allOpts = append(allOpts, sdktrace.WithResource(cli.Resource()))
+	allOpts = append(allOpts, dockerSpanExporter(ctx, cli)...)
+	allOpts = append(allOpts, opts...)
+	tp := sdktrace.NewTracerProvider(allOpts...)
+	otel.SetTracerProvider(tp)
+}
+
+func defaultResourceOptions() []resource.Option {
+	return []resource.Option{
+		resource.WithDetectors(serviceNameDetector{}),
+		resource.WithAttributes(
+			// Use a unique instance id so OTEL knows that each invocation
+			// of the CLI is its own instance. Without this, downstream
+			// OTEL processors may think the same process is restarting
+			// continuously.
+			semconv.ServiceInstanceID(uuid.Generate().String()),
+		),
+		resource.WithFromEnv(),
+		resource.WithTelemetrySDK(),
+	}
+}
+
+func (r *telemetryResource) AppendOptions(opts ...resource.Option) {
+	if r.res != nil {
+		return
+	}
+	r.opts = append(r.opts, opts...)
+}
+
+type serviceNameDetector struct{}
+
+func (serviceNameDetector) Detect(ctx context.Context) (*resource.Resource, error) {
+	return resource.StringDetector(
+		semconv.SchemaURL,
+		semconv.ServiceNameKey,
+		func() (string, error) {
+			return filepath.Base(os.Args[0]), nil
+		},
+	).Detect(ctx)
+}
+
+// cliReader is an implementation of Reader that will automatically
+// report to a designated Exporter when Shutdown is called.
+type cliReader struct {
+	sdkmetric.Reader
+	exporter sdkmetric.Exporter
+}
+
+func newCLIReader(exp sdkmetric.Exporter) sdkmetric.Reader {
+	reader := sdkmetric.NewManualReader(
+		sdkmetric.WithTemporalitySelector(deltaTemporality),
+	)
+	return &cliReader{
+		Reader:   reader,
+		exporter: exp,
+	}
+}
+
+func (r *cliReader) Shutdown(ctx context.Context) error {
+	// Place a pretty tight constraint on the actual reporting.
+	// We don't want CLI metrics to prevent the CLI from exiting
+	// so if there's some kind of issue we need to abort pretty
+	// quickly.
+	ctx, cancel := context.WithTimeout(ctx, exportTimeout)
+	defer cancel()
+
+	return r.ForceFlush(ctx)
+}
+
+func (r *cliReader) ForceFlush(ctx context.Context) error {
+	var rm metricdata.ResourceMetrics
+	if err := r.Reader.Collect(ctx, &rm); err != nil {
+		return err
+	}
+
+	return r.exporter.Export(ctx, &rm)
+}
+
+// deltaTemporality sets the Temporality of every instrument to delta.
+//
+// This isn't really needed since we create a unique resource on each invocation,
+// but it can help with cardinality concerns for downstream processors since they can
+// perform aggregation for a time interval and then discard the data once that time
+// period has passed. Cumulative temporality would imply to the downstream processor
+// that they might receive a successive point and they may unnecessarily keep state
+// they really shouldn't.
+func deltaTemporality(_ sdkmetric.InstrumentKind) metricdata.Temporality {
+	return metricdata.DeltaTemporality
+}

cli/command/telemetry_docker.go

@@ -0,0 +1,138 @@
+// FIXME(jsternberg): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"os"
+	"path"
+
+	"github.com/pkg/errors"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+)
+
+const (
+	otelContextFieldName     string = "otel"
+	otelExporterOTLPEndpoint string = "OTEL_EXPORTER_OTLP_ENDPOINT"
+	debugEnvVarPrefix        string = "DOCKER_CLI_"
+)
+
+// dockerExporterOTLPEndpoint retrieves the OTLP endpoint used for the docker reporter
+// from the current context.
+func dockerExporterOTLPEndpoint(cli Cli) (endpoint string, secure bool) {
+	meta, err := cli.ContextStore().GetMetadata(cli.CurrentContext())
+	if err != nil {
+		otel.Handle(err)
+		return "", false
+	}
+
+	var otelCfg any
+	switch m := meta.Metadata.(type) {
+	case DockerContext:
+		otelCfg = m.AdditionalFields[otelContextFieldName]
+	case map[string]any:
+		otelCfg = m[otelContextFieldName]
+	}
+
+	if otelCfg != nil {
+		otelMap, ok := otelCfg.(map[string]any)
+		if !ok {
+			otel.Handle(errors.Errorf(
+				"unexpected type for field %q: %T (expected: %T)",
+				otelContextFieldName,
+				otelCfg,
+				otelMap,
+			))
+		}
+		// keys from https://opentelemetry.io/docs/concepts/sdk-configuration/otlp-exporter-configuration/
+		endpoint, _ = otelMap[otelExporterOTLPEndpoint].(string)
+	}
+
+	// Override with env var value if it exists AND IS SET
+	// (ignore otel defaults for this override when the key exists but is empty)
+	if override := os.Getenv(debugEnvVarPrefix + otelExporterOTLPEndpoint); override != "" {
+		endpoint = override
+	}
+
+	if endpoint == "" {
+		return "", false
+	}
+
+	// Parse the endpoint. The docker config expects the endpoint to be
+	// in the form of a URL to match the environment variable, but this
+	// option doesn't correspond directly to WithEndpoint.
+	//
+	// We pretend we're the same as the environment reader.
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		otel.Handle(errors.Errorf("docker otel endpoint is invalid: %s", err))
+		return "", false
+	}
+
+	switch u.Scheme {
+	case "unix":
+		// Unix sockets are a bit weird. OTEL seems to imply they
+		// can be used as an environment variable and are handled properly,
+		// but they don't seem to be as the behavior of the environment variable
+		// is to strip the scheme from the endpoint, but the underlying implementation
+		// needs the scheme to use the correct resolver.
+		//
+		// We'll just handle this in a special way and add the unix:// back to the endpoint.
+		endpoint = fmt.Sprintf("unix://%s", path.Join(u.Host, u.Path))
+	case "https":
+		secure = true
+		fallthrough
+	case "http":
+		endpoint = path.Join(u.Host, u.Path)
+	}
+	return endpoint, secure
+}
+
+func dockerSpanExporter(ctx context.Context, cli Cli) []sdktrace.TracerProviderOption {
+	endpoint, secure := dockerExporterOTLPEndpoint(cli)
+	if endpoint == "" {
+		return nil
+	}
+
+	opts := []otlptracegrpc.Option{
+		otlptracegrpc.WithEndpoint(endpoint),
+	}
+	if !secure {
+		opts = append(opts, otlptracegrpc.WithInsecure())
+	}
+
+	exp, err := otlptracegrpc.New(ctx, opts...)
+	if err != nil {
+		otel.Handle(err)
+		return nil
+	}
+	return []sdktrace.TracerProviderOption{sdktrace.WithBatcher(exp, sdktrace.WithExportTimeout(exportTimeout))}
+}
+
+func dockerMetricExporter(ctx context.Context, cli Cli) []sdkmetric.Option {
+	endpoint, secure := dockerExporterOTLPEndpoint(cli)
+	if endpoint == "" {
+		return nil
+	}
+
+	opts := []otlpmetricgrpc.Option{
+		otlpmetricgrpc.WithEndpoint(endpoint),
+	}
+	if !secure {
+		opts = append(opts, otlpmetricgrpc.WithInsecure())
+	}
+
+	exp, err := otlpmetricgrpc.New(ctx, opts...)
+	if err != nil {
+		otel.Handle(err)
+		return nil
+	}
+	return []sdkmetric.Option{sdkmetric.WithReader(newCLIReader(exp))}
+}

cli/command/telemetry_utils.go

@@ -0,0 +1,182 @@
+package command
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/version"
+	"github.com/moby/term"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
+)
+
+// BaseCommandAttributes returns an attribute.Set containing attributes to attach to metrics/traces
+func BaseCommandAttributes(cmd *cobra.Command, streams Streams) []attribute.KeyValue {
+	return append([]attribute.KeyValue{
+		attribute.String("command.name", getCommandName(cmd)),
+	}, stdioAttributes(streams)...)
+}
+
+// InstrumentCobraCommands wraps all cobra commands' RunE funcs to set a command duration metric using otel.
+//
+// Note: this should be the last func to wrap/modify the PersistentRunE/RunE funcs before command execution.
+//
+// can also be used for spans!
+func (cli *DockerCli) InstrumentCobraCommands(ctx context.Context, cmd *cobra.Command) {
+	// If PersistentPreRunE is nil, make it execute PersistentPreRun and return nil by default
+	ogPersistentPreRunE := cmd.PersistentPreRunE
+	if ogPersistentPreRunE == nil {
+		ogPersistentPreRun := cmd.PersistentPreRun
+		//nolint:unparam // necessary because error will always be nil here
+		ogPersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+			ogPersistentPreRun(cmd, args)
+			return nil
+		}
+		cmd.PersistentPreRun = nil
+	}
+
+	// wrap RunE in PersistentPreRunE so that this operation gets executed on all children commands
+	cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		// If RunE is nil, make it execute Run and return nil by default
+		ogRunE := cmd.RunE
+		if ogRunE == nil {
+			ogRun := cmd.Run
+			//nolint:unparam // necessary because error will always be nil here
+			ogRunE = func(cmd *cobra.Command, args []string) error {
+				ogRun(cmd, args)
+				return nil
+			}
+			cmd.Run = nil
+		}
+		cmd.RunE = func(cmd *cobra.Command, args []string) error {
+			// start the timer as the first step of every cobra command
+			stopInstrumentation := cli.StartInstrumentation(cmd)
+			cmdErr := ogRunE(cmd, args)
+			stopInstrumentation(cmdErr)
+			return cmdErr
+		}
+
+		return ogPersistentPreRunE(cmd, args)
+	}
+}
+
+// StartInstrumentation instruments CLI commands with the individual metrics and spans configured.
+// It's the main command OTel utility, and new command-related metrics should be added to it.
+// It should be called immediately before command execution, and returns a stopInstrumentation function
+// that must be called with the error resulting from the command execution.
+func (cli *DockerCli) StartInstrumentation(cmd *cobra.Command) (stopInstrumentation func(error)) {
+	baseAttrs := BaseCommandAttributes(cmd, cli)
+	return startCobraCommandTimer(cli.MeterProvider(), baseAttrs)
+}
+
+func startCobraCommandTimer(mp metric.MeterProvider, attrs []attribute.KeyValue) func(err error) {
+	meter := getDefaultMeter(mp)
+	durationCounter, _ := meter.Float64Counter(
+		"command.time",
+		metric.WithDescription("Measures the duration of the cobra command"),
+		metric.WithUnit("ms"),
+	)
+	start := time.Now()
+
+	return func(err error) {
+		// Use a new context for the export so that the command being cancelled
+		// doesn't affect the metrics, and we get metrics for cancelled commands.
+		ctx, cancel := context.WithTimeout(context.Background(), exportTimeout)
+		defer cancel()
+
+		duration := float64(time.Since(start)) / float64(time.Millisecond)
+		cmdStatusAttrs := attributesFromError(err)
+		durationCounter.Add(ctx, duration,
+			metric.WithAttributes(attrs...),
+			metric.WithAttributes(cmdStatusAttrs...),
+		)
+		if mp, ok := mp.(MeterProvider); ok {
+			mp.ForceFlush(ctx)
+		}
+	}
+}
+
+func stdioAttributes(streams Streams) []attribute.KeyValue {
+	// we don't wrap stderr, but we do wrap in/out
+	_, stderrTty := term.GetFdInfo(streams.Err())
+	return []attribute.KeyValue{
+		attribute.Bool("command.stdin.isatty", streams.In().IsTerminal()),
+		attribute.Bool("command.stdout.isatty", streams.Out().IsTerminal()),
+		attribute.Bool("command.stderr.isatty", stderrTty),
+	}
+}
+
+func attributesFromError(err error) []attribute.KeyValue {
+	attrs := []attribute.KeyValue{}
+	exitCode := 0
+	if err != nil {
+		exitCode = 1
+		if stderr, ok := err.(statusError); ok {
+			// StatusError should only be used for errors, and all errors should
+			// have a non-zero exit status, so only set this here if this value isn't 0
+			if stderr.StatusCode != 0 {
+				exitCode = stderr.StatusCode
+			}
+		}
+		attrs = append(attrs, attribute.String("command.error.type", otelErrorType(err)))
+	}
+	attrs = append(attrs, attribute.Int("command.status.code", exitCode))
+
+	return attrs
+}
+
+// otelErrorType returns an attribute for the error type based on the error category.
+func otelErrorType(err error) string {
+	name := "generic"
+	if errors.Is(err, context.Canceled) {
+		name = "canceled"
+	}
+	return name
+}
+
+// statusError reports an unsuccessful exit by a command.
+type statusError struct {
+	Status     string
+	StatusCode int
+}
+
+func (e statusError) Error() string {
+	return fmt.Sprintf("Status: %s, Code: %d", e.Status, e.StatusCode)
+}
+
+// getCommandName gets the cobra command name in the format
+// `... parentCommandName commandName` by traversing it's parent commands recursively.
+// until the root command is reached.
+//
+// Note: The root command's name is excluded. If cmd is the root cmd, return ""
+func getCommandName(cmd *cobra.Command) string {
+	fullCmdName := getFullCommandName(cmd)
+	i := strings.Index(fullCmdName, " ")
+	if i == -1 {
+		return ""
+	}
+	return fullCmdName[i+1:]
+}
+
+// getFullCommandName gets the full cobra command name in the format
+// `... parentCommandName commandName` by traversing it's parent commands recursively
+// until the root command is reached.
+func getFullCommandName(cmd *cobra.Command) string {
+	if cmd.HasParent() {
+		return fmt.Sprintf("%s %s", getFullCommandName(cmd.Parent()), cmd.Name())
+	}
+	return cmd.Name()
+}
+
+// getDefaultMeter gets the default metric.Meter for the application
+// using the given metric.MeterProvider
+func getDefaultMeter(mp metric.MeterProvider) metric.Meter {
+	return mp.Meter(
+		"github.com/docker/cli",
+		metric.WithInstrumentationVersion(version.Version),
+	)
+}

cli/command/telemetry_utils_test.go

@@ -0,0 +1,189 @@
+package command
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/streams"
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/attribute"
+	"gotest.tools/v3/assert"
+)
+
+func setupCobraCommands() (*cobra.Command, *cobra.Command, *cobra.Command) {
+	rootCmd := &cobra.Command{
+		Use: "root [OPTIONS] COMMAND [ARG...]",
+	}
+	childCmd := &cobra.Command{
+		Use: "child [OPTIONS] COMMAND [ARG...]",
+	}
+	grandchildCmd := &cobra.Command{
+		Use: "grandchild [OPTIONS] COMMAND [ARG...]",
+	}
+	childCmd.AddCommand(grandchildCmd)
+	rootCmd.AddCommand(childCmd)
+
+	return rootCmd, childCmd, grandchildCmd
+}
+
+func TestGetFullCommandName(t *testing.T) {
+	rootCmd, childCmd, grandchildCmd := setupCobraCommands()
+
+	t.Parallel()
+
+	for _, tc := range []struct {
+		testName string
+		cmd      *cobra.Command
+		expected string
+	}{
+		{
+			testName: "rootCmd",
+			cmd:      rootCmd,
+			expected: "root",
+		},
+		{
+			testName: "childCmd",
+			cmd:      childCmd,
+			expected: "root child",
+		},
+		{
+			testName: "grandChild",
+			cmd:      grandchildCmd,
+			expected: "root child grandchild",
+		},
+	} {
+		tc := tc
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+			actual := getFullCommandName(tc.cmd)
+			assert.Equal(t, actual, tc.expected)
+		})
+	}
+}
+
+func TestGetCommandName(t *testing.T) {
+	rootCmd, childCmd, grandchildCmd := setupCobraCommands()
+
+	t.Parallel()
+
+	for _, tc := range []struct {
+		testName string
+		cmd      *cobra.Command
+		expected string
+	}{
+		{
+			testName: "rootCmd",
+			cmd:      rootCmd,
+			expected: "",
+		},
+		{
+			testName: "childCmd",
+			cmd:      childCmd,
+			expected: "child",
+		},
+		{
+			testName: "grandchildCmd",
+			cmd:      grandchildCmd,
+			expected: "child grandchild",
+		},
+	} {
+		tc := tc
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+			actual := getCommandName(tc.cmd)
+			assert.Equal(t, actual, tc.expected)
+		})
+	}
+}
+
+func TestStdioAttributes(t *testing.T) {
+	outBuffer := new(bytes.Buffer)
+	errBuffer := new(bytes.Buffer)
+	t.Parallel()
+	for _, tc := range []struct {
+		test      string
+		stdinTty  bool
+		stdoutTty bool
+		// TODO(laurazard): test stderr
+		expected []attribute.KeyValue
+	}{
+		{
+			test: "",
+			expected: []attribute.KeyValue{
+				attribute.Bool("command.stdin.isatty", false),
+				attribute.Bool("command.stdout.isatty", false),
+				attribute.Bool("command.stderr.isatty", false),
+			},
+		},
+		{
+			test:      "",
+			stdinTty:  true,
+			stdoutTty: true,
+			expected: []attribute.KeyValue{
+				attribute.Bool("command.stdin.isatty", true),
+				attribute.Bool("command.stdout.isatty", true),
+				attribute.Bool("command.stderr.isatty", false),
+			},
+		},
+	} {
+		tc := tc
+		t.Run(tc.test, func(t *testing.T) {
+			t.Parallel()
+			cli := &DockerCli{
+				in:  streams.NewIn(io.NopCloser(strings.NewReader(""))),
+				out: streams.NewOut(outBuffer),
+				err: errBuffer,
+			}
+			cli.In().SetIsTerminal(tc.stdinTty)
+			cli.Out().SetIsTerminal(tc.stdoutTty)
+			actual := stdioAttributes(cli)
+
+			assert.Check(t, reflect.DeepEqual(actual, tc.expected))
+		})
+	}
+}
+
+func TestAttributesFromError(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		testName string
+		err      error
+		expected []attribute.KeyValue
+	}{
+		{
+			testName: "no error",
+			err:      nil,
+			expected: []attribute.KeyValue{
+				attribute.Int("command.status.code", 0),
+			},
+		},
+		{
+			testName: "non-0 exit code",
+			err:      statusError{StatusCode: 127},
+			expected: []attribute.KeyValue{
+				attribute.String("command.error.type", "generic"),
+				attribute.Int("command.status.code", 127),
+			},
+		},
+		{
+			testName: "canceled",
+			err:      context.Canceled,
+			expected: []attribute.KeyValue{
+				attribute.String("command.error.type", "canceled"),
+				attribute.Int("command.status.code", 1),
+			},
+		},
+	} {
+		tc := tc
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+			actual := attributesFromError(tc.err)
+			assert.Check(t, reflect.DeepEqual(actual, tc.expected))
+		})
+	}
+}

cli/command/trust/revoke.go

@@ -8,6 +8,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/image"
 	"github.com/docker/cli/cli/trust"
+	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/theupdateframework/notary/client"
@@ -45,12 +46,10 @@ func revokeTrust(ctx context.Context, dockerCLI command.Cli, remote string, opti
 	if imgRefAndAuth.Tag() == "" && !options.forceYes {
 		deleteRemote, err := command.PromptForConfirmation(ctx, dockerCLI.In(), dockerCLI.Out(), fmt.Sprintf("Please confirm you would like to delete all signature data for %s?", remote))
 		if err != nil {
-			fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
-			return errors.Wrap(err, "aborting action")
+			return err
 		}
 		if !deleteRemote {
-			fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
-			return nil
+			return errdefs.Cancelled(errors.New("trust revoke has been cancelled"))
 		}
 	}
 

cli/command/trust/revoke_test.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"testing"
 
-	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
@@ -58,6 +57,8 @@ func TestTrustRevokeCommandErrors(t *testing.T) {
 }
 
 func TestTrustRevokeCommand(t *testing.T) {
+	revokeCancelledError := "trust revoke has been cancelled"
+
 	testCases := []struct {
 		doc              string
 		notaryRepository func(trust.ImageRefAndAuth, []string) (client.Repository, error)
@@ -69,7 +70,8 @@ func TestTrustRevokeCommand(t *testing.T) {
 			doc:              "OfflineErrors_Confirm",
 			notaryRepository: notary.GetOfflineNotaryRepository,
 			args:             []string{"reg-name.io/image"},
-			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action.",
+			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] ",
+			expectedErr:      revokeCancelledError,
 		},
 		{
 			doc:              "OfflineErrors_Offline",
@@ -87,7 +89,8 @@ func TestTrustRevokeCommand(t *testing.T) {
 			doc:              "UninitializedErrors_Confirm",
 			notaryRepository: notary.GetUninitializedNotaryRepository,
 			args:             []string{"reg-name.io/image"},
-			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action.",
+			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] ",
+			expectedErr:      revokeCancelledError,
 		},
 		{
 			doc:              "UninitializedErrors_NoTrustData",
@@ -105,7 +108,8 @@ func TestTrustRevokeCommand(t *testing.T) {
 			doc:              "EmptyNotaryRepo_Confirm",
 			notaryRepository: notary.GetEmptyTargetsNotaryRepository,
 			args:             []string{"reg-name.io/image"},
-			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action.",
+			expectedMessage:  "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] ",
+			expectedErr:      revokeCancelledError,
 		},
 		{
 			doc:              "EmptyNotaryRepo_NoSignedTags",
@@ -123,7 +127,8 @@ func TestTrustRevokeCommand(t *testing.T) {
 			doc:              "AllSigConfirmation",
 			notaryRepository: notary.GetEmptyTargetsNotaryRepository,
 			args:             []string{"alpine"},
-			expectedMessage:  "Please confirm you would like to delete all signature data for alpine? [y/N] \nAborting action.",
+			expectedMessage:  "Please confirm you would like to delete all signature data for alpine? [y/N] ",
+			expectedErr:      revokeCancelledError,
 		},
 	}
 
@@ -136,9 +141,9 @@ func TestTrustRevokeCommand(t *testing.T) {
 			cmd.SetOut(io.Discard)
 			if tc.expectedErr != "" {
 				assert.ErrorContains(t, cmd.Execute(), tc.expectedErr)
-				return
+			} else {
+				assert.NilError(t, cmd.Execute())
 			}
-			assert.NilError(t, cmd.Execute())
 			assert.Check(t, is.Contains(cli.OutBuffer().String(), tc.expectedMessage))
 		})
 	}
@@ -159,10 +164,6 @@ func TestRevokeTrustPromptTermination(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cmd := newRevokeCommand(cli)
 	cmd.SetArgs([]string{"example/trust-demo"})
-	test.TerminatePrompt(ctx, t, cmd, cli, func(t *testing.T, err error) {
-		t.Helper()
-		assert.ErrorIs(t, err, command.ErrPromptTerminated)
-	})
-	assert.Equal(t, cli.ErrBuffer().String(), "")
+	test.TerminatePrompt(ctx, t, cmd, cli)
 	golden.Assert(t, cli.OutBuffer().String(), "trust-revoke-prompt-termination.golden")
 }

cli/command/trust/signer_remove.go

@@ -132,10 +132,12 @@ func removeSingleSigner(ctx context.Context, dockerCLI command.Cli, repoName, si
 	}
 
 	ok, err := maybePromptForSignerRemoval(ctx, dockerCLI, repoName, signerName, isLastSigner, forceYes)
-	if err != nil || !ok {
-		fmt.Fprintf(dockerCLI.Out(), "\nAborting action.\n")
+	if err != nil {
 		return false, err
 	}
+	if !ok {
+		return false, nil
+	}
 
 	if err := notaryRepo.RemoveDelegationKeys(releasesRoleTUFName, role.KeyIDs); err != nil {
 		return false, err

cli/command/trust/testdata/trust-revoke-prompt-termination.golden

@@ -1,2 +1 @@
 Please confirm you would like to delete all signature data for example/trust-demo? [y/N] 
-Aborting action.

cli/command/utils.go

@@ -19,6 +19,7 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	mounttypes "github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	"github.com/moby/sys/sequential"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
@@ -75,9 +76,7 @@ func PrettyPrint(i any) string {
 	}
 }
 
-type PromptError error
-
-var ErrPromptTerminated = PromptError(errors.New("prompt terminated"))
+var ErrPromptTerminated = errdefs.Cancelled(errors.New("prompt terminated"))
 
 // PromptForConfirmation requests and checks confirmation from the user.
 // This will display the provided message followed by ' [y/N] '. If the user
@@ -123,6 +122,8 @@ func PromptForConfirmation(ctx context.Context, ins io.Reader, outs io.Writer, m
 
 	select {
 	case <-notifyCtx.Done():
+		// print a newline on termination
+		_, _ = fmt.Fprintln(outs, "")
 		return false, ErrPromptTerminated
 	case r := <-result:
 		return r, nil

cli/command/utils_test.go

@@ -106,120 +106,68 @@ func TestPromptForConfirmation(t *testing.T) {
 	}()
 
 	for _, tc := range []struct {
-		desc string
-		f    func(*testing.T, context.Context, chan promptResult)
+		desc     string
+		f        func() error
+		expected promptResult
 	}{
-		{"SIGINT", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
+		{"SIGINT", func() error {
 			syscall.Kill(syscall.Getpid(), syscall.SIGINT)
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after SIGINT")
-			case r := <-c:
-				assert.Check(t, !r.result)
-				assert.ErrorContains(t, r.err, "prompt terminated")
-			}
-		}},
-		{"no", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
+			return nil
+		}, promptResult{false, command.ErrPromptTerminated}},
+		{"no", func() error {
 			_, err := fmt.Fprint(promptWriter, "n\n")
-			assert.NilError(t, err)
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after user input `n`")
-			case r := <-c:
-				assert.Check(t, !r.result)
-				assert.NilError(t, r.err)
-			}
-		}},
-		{"yes", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
+			return err
+		}, promptResult{false, nil}},
+		{"yes", func() error {
 			_, err := fmt.Fprint(promptWriter, "y\n")
-			assert.NilError(t, err)
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after user input `y`")
-			case r := <-c:
-				assert.Check(t, r.result)
-				assert.NilError(t, r.err)
-			}
-		}},
-		{"any", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
+			return err
+		}, promptResult{true, nil}},
+		{"any", func() error {
 			_, err := fmt.Fprint(promptWriter, "a\n")
-			assert.NilError(t, err)
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after user input `a`")
-			case r := <-c:
-				assert.Check(t, !r.result)
-				assert.NilError(t, r.err)
-			}
-		}},
-		{"with space", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
+			return err
+		}, promptResult{false, nil}},
+		{"with space", func() error {
 			_, err := fmt.Fprint(promptWriter, " y\n")
-			assert.NilError(t, err)
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after user input ` y`")
-			case r := <-c:
-				assert.Check(t, r.result)
-				assert.NilError(t, r.err)
-			}
-		}},
-		{"reader closed", func(t *testing.T, ctx context.Context, c chan promptResult) {
-			t.Helper()
-
-			assert.NilError(t, promptReader.Close())
-
-			select {
-			case <-ctx.Done():
-				t.Fatal("PromptForConfirmation did not return after promptReader was closed")
-			case r := <-c:
-				assert.Check(t, !r.result)
-				assert.NilError(t, r.err)
-			}
-		}},
+			return err
+		}, promptResult{true, nil}},
+		{"reader closed", func() error {
+			return promptReader.Close()
+		}, promptResult{false, nil}},
 	} {
 		t.Run("case="+tc.desc, func(t *testing.T) {
 			buf.Reset()
 			promptReader, promptWriter = io.Pipe()
 
 			wroteHook := make(chan struct{}, 1)
-			defer close(wroteHook)
 			promptOut := test.NewWriterWithHook(bufioWriter, func(p []byte) {
 				wroteHook <- struct{}{}
 			})
 
 			result := make(chan promptResult, 1)
-			defer close(result)
 			go func() {
 				r, err := command.PromptForConfirmation(ctx, promptReader, promptOut, "")
 				result <- promptResult{r, err}
 			}()
 
-			// wait for the Prompt to write to the buffer
-			pollForPromptOutput(ctx, t, wroteHook)
-			drainChannel(ctx, wroteHook)
+			select {
+			case <-time.After(100 * time.Millisecond):
+			case <-wroteHook:
+			}
 
 			assert.NilError(t, bufioWriter.Flush())
 			assert.Equal(t, strings.TrimSpace(buf.String()), "Are you sure you want to proceed? [y/N]")
 
-			resultCtx, resultCancel := context.WithTimeout(ctx, 100*time.Millisecond)
-			defer resultCancel()
+			// wait for the Prompt to write to the buffer
+			drainChannel(ctx, wroteHook)
 
-			tc.f(t, resultCtx, result)
+			assert.NilError(t, tc.f())
+
+			select {
+			case <-time.After(500 * time.Millisecond):
+				t.Fatal("timeout waiting for prompt result")
+			case r := <-result:
+				assert.Equal(t, r, tc.expected)
+			}
 		})
 	}
 }
@@ -235,20 +183,3 @@ func drainChannel(ctx context.Context, ch <-chan struct{}) {
 		}
 	}()
 }
-
-func pollForPromptOutput(ctx context.Context, t *testing.T, wroteHook <-chan struct{}) {
-	t.Helper()
-
-	ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-	defer cancel()
-
-	for {
-		select {
-		case <-ctx.Done():
-			t.Fatal("Prompt output was not written to before ctx was cancelled")
-			return
-		case <-wroteHook:
-			return
-		}
-	}
-}

cli/command/volume/prune.go

@@ -32,10 +32,6 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			spaceReclaimed, output, err := runPrune(cmd.Context(), dockerCli, options)
 			if err != nil {
-				if errdefs.IsCancelled(err) {
-					fmt.Fprintln(dockerCli.Out(), output)
-					return nil
-				}
 				return err
 			}
 			if output != "" {
@@ -81,8 +77,12 @@ func runPrune(ctx context.Context, dockerCli command.Cli, options pruneOptions)
 		warning = allVolumesWarning
 	}
 	if !options.force {
-		if r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning); !r || err != nil {
-			return 0, "", errdefs.Cancelled(errors.New("user cancelled operation"))
+		r, err := command.PromptForConfirmation(ctx, dockerCli.In(), dockerCli.Out(), warning)
+		if err != nil {
+			return 0, "", err
+		}
+		if !r {
+			return 0, "", errdefs.Cancelled(errors.New("volume prune has been cancelled"))
 		}
 	}
 

cli/command/volume/prune_test.go

@@ -155,6 +155,7 @@ func TestVolumePrunePromptYes(t *testing.T) {
 
 		cli.SetIn(streams.NewIn(io.NopCloser(strings.NewReader(input))))
 		cmd := NewPruneCommand(cli)
+		cmd.SetArgs([]string{})
 		assert.NilError(t, cmd.Execute())
 		golden.Assert(t, cli.OutBuffer().String(), "volume-prune-yes.golden")
 	}
@@ -171,7 +172,8 @@ func TestVolumePrunePromptNo(t *testing.T) {
 
 		cli.SetIn(streams.NewIn(io.NopCloser(strings.NewReader(input))))
 		cmd := NewPruneCommand(cli)
-		assert.NilError(t, cmd.Execute())
+		cmd.SetArgs([]string{})
+		assert.ErrorContains(t, cmd.Execute(), "volume prune has been cancelled")
 		golden.Assert(t, cli.OutBuffer().String(), "volume-prune-no.golden")
 	}
 }
@@ -196,7 +198,7 @@ func TestVolumePrunePromptTerminate(t *testing.T) {
 	})
 
 	cmd := NewPruneCommand(cli)
-	test.TerminatePrompt(ctx, t, cmd, cli, nil)
-
+	cmd.SetArgs([]string{})
+	test.TerminatePrompt(ctx, t, cmd, cli)
 	golden.Assert(t, cli.OutBuffer().String(), "volume-prune-terminate.golden")
 }

cli/command/volume/testdata/volume-prune-no.golden

@@ -1,2 +1,2 @@
 WARNING! This will remove anonymous local volumes not used by at least one container.
-Are you sure you want to continue? [y/N] 
+Are you sure you want to continue? [y/N] 

cli/compose/convert/compose_test.go

@@ -16,6 +16,16 @@ func TestNamespaceScope(t *testing.T) {
 	assert.Check(t, is.Equal("foo_bar", scoped))
 }
 
+func TestNamespaceDescope(t *testing.T) {
+	descoped := Namespace{name: "foo"}.Descope("foo_bar")
+	assert.Check(t, is.Equal("bar", descoped))
+}
+
+func TestNamespaceName(t *testing.T) {
+	namespaceName := Namespace{name: "foo"}.Name()
+	assert.Check(t, is.Equal("foo", namespaceName))
+}
+
 func TestAddStackLabel(t *testing.T) {
 	labels := map[string]string{
 		"something": "labeled",

cli/compose/convert/service_test.go

@@ -61,6 +61,15 @@ func TestConvertEnvironment(t *testing.T) {
 	assert.Check(t, is.DeepEqual([]string{"foo=bar", "key=value"}, env))
 }
 
+func TestConvertEnvironmentWhenNilValueExists(t *testing.T) {
+	source := map[string]*string{
+		"key":            strPtr("value"),
+		"keyWithNoValue": nil,
+	}
+	env := convertEnvironment(source)
+	assert.Check(t, is.DeepEqual([]string{"key=value", "keyWithNoValue"}, env))
+}
+
 func TestConvertExtraHosts(t *testing.T) {
 	source := composetypes.HostsList{
 		"zulu:127.0.0.2",

cli/compose/convert/volume_test.go

@@ -9,6 +9,55 @@ import (
 	is "gotest.tools/v3/assert/cmp"
 )
 
+func TestVolumesWithMultipleServiceVolumeConfigs(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	serviceVolumes := []composetypes.ServiceVolumeConfig{
+		{
+			Type:   "volume",
+			Target: "/foo",
+		},
+		{
+			Type:   "volume",
+			Target: "/foo/bar",
+		},
+	}
+
+	expected := []mount.Mount{
+		{
+			Type:   "volume",
+			Target: "/foo",
+		},
+		{
+			Type:   "volume",
+			Target: "/foo/bar",
+		},
+	}
+
+	mnt, err := Volumes(serviceVolumes, volumes{}, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mnt))
+}
+
+func TestVolumesWithMultipleServiceVolumeConfigsWithUndefinedVolumeConfig(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	serviceVolumes := []composetypes.ServiceVolumeConfig{
+		{
+			Type:   "volume",
+			Source: "foo",
+			Target: "/foo",
+		},
+		{
+			Type:   "volume",
+			Target: "/foo/bar",
+		},
+	}
+
+	_, err := Volumes(serviceVolumes, volumes{}, namespace)
+	assert.Error(t, err, "undefined volume \"foo\"")
+}
+
 func TestConvertVolumeToMountAnonymousVolume(t *testing.T) {
 	config := composetypes.ServiceVolumeConfig{
 		Type:   "volume",
@@ -104,6 +153,49 @@ func TestConvertVolumeToMountConflictingOptionsTmpfsInBind(t *testing.T) {
 	assert.Error(t, err, "tmpfs options are incompatible with type bind")
 }
 
+func TestConvertVolumeToMountConflictingOptionsClusterInVolume(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:    "volume",
+		Target:  "/target",
+		Cluster: &composetypes.ServiceVolumeCluster{},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "cluster options are incompatible with type volume")
+}
+
+func TestConvertVolumeToMountConflictingOptionsClusterInBind(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: "/foo",
+		Target: "/target",
+		Bind: &composetypes.ServiceVolumeBind{
+			Propagation: "slave",
+		},
+		Cluster: &composetypes.ServiceVolumeCluster{},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "cluster options are incompatible with type bind")
+}
+
+func TestConvertVolumeToMountConflictingOptionsClusterInTmpfs(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "tmpfs",
+		Target: "/target",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+		Cluster: &composetypes.ServiceVolumeCluster{},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "cluster options are incompatible with type tmpfs")
+}
+
 func TestConvertVolumeToMountConflictingOptionsBindInTmpfs(t *testing.T) {
 	namespace := NewNamespace("foo")
 
@@ -132,6 +224,50 @@ func TestConvertVolumeToMountConflictingOptionsVolumeInTmpfs(t *testing.T) {
 	assert.Error(t, err, "volume options are incompatible with type tmpfs")
 }
 
+func TestHandleNpipeToMountAnonymousNpipe(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "npipe",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "invalid npipe source, source cannot be empty")
+}
+
+func TestHandleNpipeToMountConflictingOptionsTmpfsInNpipe(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "npipe",
+		Source: "/foo",
+		Target: "/target",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "tmpfs options are incompatible with type npipe")
+}
+
+func TestHandleNpipeToMountConflictingOptionsVolumeInNpipe(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "npipe",
+		Source: "/foo",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "volume options are incompatible with type npipe")
+}
+
 func TestConvertVolumeToMountNamedVolume(t *testing.T) {
 	stackVolumes := volumes{
 		"normal": composetypes.VolumeConfig{
@@ -344,6 +480,27 @@ func TestConvertTmpfsToMountVolumeWithSource(t *testing.T) {
 	assert.Error(t, err, "invalid tmpfs source, source must be empty")
 }
 
+func TestHandleNpipeToMountBind(t *testing.T) {
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:        mount.TypeNamedPipe,
+		Source:      "/bar",
+		Target:      "/foo",
+		ReadOnly:    true,
+		BindOptions: &mount.BindOptions{Propagation: mount.PropagationShared},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "npipe",
+		Source:   "/bar",
+		Target:   "/foo",
+		ReadOnly: true,
+		Bind:     &composetypes.ServiceVolumeBind{Propagation: "shared"},
+	}
+	mnt, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mnt))
+}
+
 func TestConvertVolumeToMountAnonymousNpipe(t *testing.T) {
 	config := composetypes.ServiceVolumeConfig{
 		Type:   "npipe",
@@ -427,3 +584,98 @@ func TestConvertVolumeMountClusterGroup(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Check(t, is.DeepEqual(expected, mnt))
 }
+
+func TestHandleClusterToMountAnonymousCluster(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "cluster",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "invalid cluster source, source cannot be empty")
+}
+
+func TestHandleClusterToMountConflictingOptionsTmpfsInCluster(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "cluster",
+		Source: "/foo",
+		Target: "/target",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "tmpfs options are incompatible with type cluster")
+}
+
+func TestHandleClusterToMountConflictingOptionsVolumeInCluster(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "cluster",
+		Source: "/foo",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "volume options are incompatible with type cluster")
+}
+
+func TestHandleClusterToMountWithUndefinedVolumeConfig(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "cluster",
+		Source: "foo",
+		Target: "/srv",
+	}
+
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "undefined volume \"foo\"")
+}
+
+func TestHandleClusterToMountWithVolumeConfigName(t *testing.T) {
+	stackVolumes := volumes{
+		"foo": composetypes.VolumeConfig{
+			Name: "bar",
+		},
+	}
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "cluster",
+		Source: "foo",
+		Target: "/srv",
+	}
+
+	expected := mount.Mount{
+		Type:           mount.TypeCluster,
+		Source:         "bar",
+		Target:         "/srv",
+		ClusterOptions: &mount.ClusterOptions{},
+	}
+
+	mnt, err := convertVolumeToMount(config, stackVolumes, NewNamespace("foo"))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mnt))
+}
+
+func TestHandleClusterToMountBind(t *testing.T) {
+	namespace := NewNamespace("foo")
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "cluster",
+		Source:   "/bar",
+		Target:   "/foo",
+		ReadOnly: true,
+		Bind:     &composetypes.ServiceVolumeBind{Propagation: "shared"},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "bind options are incompatible with type cluster")
+}

cli/config/configfile/file.go

@@ -41,6 +41,7 @@ type ConfigFile struct {
 	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
 	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
 	Aliases              map[string]string            `json:"aliases,omitempty"`
+	Features             map[string]string            `json:"features,omitempty"`
 }
 
 // ProxyConfig contains proxy configuration settings

cli/debug/debug.go

@@ -4,6 +4,7 @@ import (
 	"os"
 
 	"github.com/sirupsen/logrus"
+	"go.opentelemetry.io/otel"
 )
 
 // Enable sets the DEBUG env var to true
@@ -24,3 +25,13 @@ func Disable() {
 func IsEnabled() bool {
 	return os.Getenv("DEBUG") != ""
 }
+
+// OTELErrorHandler is an error handler for OTEL that
+// uses the CLI debug package to log messages when an error
+// occurs.
+//
+// The default is to log to the debug level which is only
+// enabled when debugging is enabled.
+var OTELErrorHandler otel.ErrorHandler = otel.ErrorHandlerFunc(func(err error) {
+	logrus.WithError(err).Debug("otel error")
+})

cmd/docker/builder.go

@@ -69,7 +69,7 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 	}
 
 	// is this a build that should be forwarded to the builder?
-	fwargs, fwosargs, alias, forwarded := forwardBuilder(builderAlias, args, osargs)
+	fwargs, fwosargs, fwcmdpath, forwarded := forwardBuilder(builderAlias, args, osargs)
 	if !forwarded {
 		return args, osargs, nil, nil
 	}
@@ -117,33 +117,37 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 	}
 
 	// overwrite the command path for this plugin using the alias name.
-	cmd.Annotations[pluginmanager.CommandAnnotationPluginCommandPath] = fmt.Sprintf("%s %s", cmd.CommandPath(), alias)
+	cmd.Annotations[pluginmanager.CommandAnnotationPluginCommandPath] = strings.Join(append([]string{cmd.CommandPath()}, fwcmdpath...), " ")
 
 	return fwargs, fwosargs, envs, nil
 }
 
-func forwardBuilder(alias string, args, osargs []string) ([]string, []string, string, bool) {
-	aliases := [][2][]string{
+func forwardBuilder(alias string, args, osargs []string) ([]string, []string, []string, bool) {
+	aliases := [][3][]string{
 		{
 			{"builder"},
 			{alias},
+			{"builder"},
 		},
 		{
 			{"build"},
 			{alias, "build"},
+			{},
 		},
 		{
 			{"image", "build"},
 			{alias, "build"},
+			{"image"},
 		},
 	}
 	for _, al := range aliases {
 		if fwargs, changed := command.StringSliceReplaceAt(args, al[0], al[1], 0); changed {
 			fwosargs, _ := command.StringSliceReplaceAt(osargs, al[0], al[1], -1)
-			return fwargs, fwosargs, al[0][0], true
+			fwcmdpath := al[2]
+			return fwargs, fwosargs, fwcmdpath, true
 		}
 	}
-	return args, osargs, "", false
+	return args, osargs, nil, false
 }
 
 // hasBuilderName checks if a builder name is defined in args or env vars

cmd/docker/docker.go

@@ -1,8 +1,8 @@
 package main
 
 import (
+	"context"
 	"fmt"
-	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -14,25 +14,30 @@ import (
 	"github.com/docker/cli/cli-plugins/socket"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/commands"
+	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/cli/version"
 	platformsignals "github.com/docker/cli/cmd/docker/internal/signals"
 	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"go.opentelemetry.io/otel"
 )
 
 func main() {
-	dockerCli, err := command.NewDockerCli()
+	ctx := context.Background()
+	dockerCli, err := command.NewDockerCli(command.WithBaseContext(ctx))
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
 	logrus.SetOutput(dockerCli.Err())
+	otel.SetErrorHandler(debug.OTELErrorHandler)
 
-	if err := runDocker(dockerCli); err != nil {
+	if err := runDocker(ctx, dockerCli); err != nil {
 		if sterr, ok := err.(cli.StatusError); ok {
 			if sterr.Status != "" {
 				fmt.Fprintln(dockerCli.Err(), sterr.Status)
@@ -44,6 +49,9 @@ func main() {
 			}
 			os.Exit(sterr.StatusCode)
 		}
+		if errdefs.IsCancelled(err) {
+			os.Exit(0)
+		}
 		fmt.Fprintln(dockerCli.Err(), err)
 		os.Exit(1)
 	}
@@ -221,38 +229,46 @@ func tryPluginRun(dockerCli command.Cli, cmd *cobra.Command, subcommand string,
 		return err
 	}
 
-	// Establish the plugin socket, adding it to the environment under a well-known key if successful.
-	var conn *net.UnixConn
-	listener, err := socket.SetupConn(&conn)
+	// Establish the plugin socket, adding it to the environment under a
+	// well-known key if successful.
+	srv, err := socket.NewPluginServer(nil)
 	if err == nil {
-		envs = append(envs, socket.EnvKey+"="+listener.Addr().String())
-		defer listener.Close()
+		plugincmd.Env = append(plugincmd.Env, socket.EnvKey+"="+srv.Addr().String())
 	}
 
-	plugincmd.Env = append(envs, plugincmd.Env...)
+	// Set additional environment variables specified by the caller.
+	plugincmd.Env = append(plugincmd.Env, envs...)
 
+	// Background signal handling logic: block on the signals channel, and
+	// notify the plugin via the PluginServer (or signal) as appropriate.
 	const exitLimit = 3
-
 	signals := make(chan os.Signal, exitLimit)
 	signal.Notify(signals, platformsignals.TerminationSignals...)
-	// signal handling goroutine: listen on signals channel, and if conn is
-	// non-nil, attempt to close it to let the plugin know to exit. Regardless
-	// of whether we successfully signal the plugin or not, after 3 SIGINTs,
-	// we send a SIGKILL to the plugin process and exit
 	go func() {
 		retries := 0
 		for range signals {
+			// If stdin is a TTY, the kernel will forward
+			// signals to the subprocess because the shared
+			// pgid makes the TTY a controlling terminal.
+			//
+			// The plugin should have it's own copy of this
+			// termination logic, and exit after 3 retries
+			// on it's own.
 			if dockerCli.Out().IsTerminal() {
-				// running attached to a terminal, so the plugin will already
-				// receive signals due to sharing a pgid with the parent CLI
 				continue
 			}
-			if conn != nil {
-				if err := conn.Close(); err != nil {
-					_, _ = fmt.Fprintf(dockerCli.Err(), "failed to signal plugin to close: %v\n", err)
-				}
-				conn = nil
-			}
+
+			// Terminate the plugin server, which will
+			// close all connections with plugin
+			// subprocesses, and signal them to exit.
+			//
+			// Repeated invocations will result in EINVAL,
+			// or EBADF; but that is fine for our purposes.
+			_ = srv.Close()
+
+			// If we're still running after 3 interruptions
+			// (SIGINT/SIGTERM), send a SIGKILL to the plugin as a
+			// final attempt to terminate, and exit.
 			retries++
 			if retries >= exitLimit {
 				_, _ = fmt.Fprintf(dockerCli.Err(), "got %d SIGTERM/SIGINTs, forcefully exiting\n", retries)
@@ -278,7 +294,8 @@ func tryPluginRun(dockerCli command.Cli, cmd *cobra.Command, subcommand string,
 	return nil
 }
 
-func runDocker(dockerCli *command.DockerCli) error {
+//nolint:gocyclo
+func runDocker(ctx context.Context, dockerCli *command.DockerCli) error {
 	tcmd := newDockerCommand(dockerCli)
 
 	cmd, args, err := tcmd.HandleGlobalFlags()
@@ -290,6 +307,15 @@ func runDocker(dockerCli *command.DockerCli) error {
 		return err
 	}
 
+	mp := dockerCli.MeterProvider()
+	if mp, ok := mp.(command.MeterProvider); ok {
+		defer mp.Shutdown(ctx)
+	} else {
+		fmt.Fprint(dockerCli.Err(), "Warning: Unexpected OTEL error, metrics may not be flushed")
+	}
+
+	dockerCli.InstrumentCobraCommands(ctx, cmd)
+
 	var envs []string
 	args, os.Args, envs, err = processAliases(dockerCli, cmd, args, os.Args)
 	if err != nil {
@@ -306,23 +332,43 @@ func runDocker(dockerCli *command.DockerCli) error {
 		}
 	}
 
+	var subCommand *cobra.Command
 	if len(args) > 0 {
 		ccmd, _, err := cmd.Find(args)
+		subCommand = ccmd
 		if err != nil || pluginmanager.IsPluginCommand(ccmd) {
 			err := tryPluginRun(dockerCli, cmd, args[0], envs)
+			if err == nil {
+				if dockerCli.HooksEnabled() && dockerCli.Out().IsTerminal() && ccmd != nil {
+					pluginmanager.RunPluginHooks(dockerCli, cmd, ccmd, args)
+				}
+				return nil
+			}
 			if !pluginmanager.IsNotFound(err) {
+				// For plugin not found we fall through to
+				// cmd.Execute() which deals with reporting
+				// "command not found" in a consistent way.
 				return err
 			}
-			// For plugin not found we fall through to
-			// cmd.Execute() which deals with reporting
-			// "command not found" in a consistent way.
 		}
 	}
 
 	// We've parsed global args already, so reset args to those
 	// which remain.
 	cmd.SetArgs(args)
-	return cmd.Execute()
+	err = cmd.Execute()
+
+	// If the command is being executed in an interactive terminal
+	// and hook are enabled, run the plugin hooks.
+	if dockerCli.HooksEnabled() && dockerCli.Out().IsTerminal() && subCommand != nil {
+		var errMessage string
+		if err != nil {
+			errMessage = err.Error()
+		}
+		pluginmanager.RunCLICommandHooks(dockerCli, cmd, subCommand, errMessage)
+	}
+
+	return err
 }
 
 type versionDetails interface {

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.21.8"
+    default = "1.21.11"
 }
 variable "VERSION" {
     default = ""

dockerfiles/Dockerfile.authors

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG ALPINE_VERSION=3.18
+ARG ALPINE_VERSION=3.20
 
 FROM alpine:${ALPINE_VERSION} AS gen
 RUN apk add --no-cache bash git

dockerfiles/Dockerfile.dev

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.8
-ARG ALPINE_VERSION=3.18
+ARG GO_VERSION=1.21.11
+ARG ALPINE_VERSION=3.20
 
 ARG BUILDX_VERSION=0.12.1
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
@@ -11,7 +11,7 @@ ENV GOTOOLCHAIN=local
 ENV CGO_ENABLED=0
 
 FROM golang AS gofumpt
-ARG GOFUMPT_VERSION=v0.4.0
+ARG GOFUMPT_VERSION=v0.6.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \

dockerfiles/Dockerfile.lint

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.8
-ARG ALPINE_VERSION=3.18
+ARG GO_VERSION=1.21.11
+ARG ALPINE_VERSION=3.20
 ARG GOLANGCI_LINT_VERSION=v1.55.2
 
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint

dockerfiles/Dockerfile.vendor

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.8
-ARG ALPINE_VERSION=3.18
+ARG GO_VERSION=1.21.11
+ARG ALPINE_VERSION=3.20
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base

docs/deprecated.md

@@ -50,8 +50,10 @@ The table below provides an overview of the current status of deprecated feature
 
 | Status     | Feature                                                                                                                            | Deprecated | Remove |
 |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|--------|
+| Deprecated | [Unauthenticated TCP connections](#unauthenticated-tcp-connections)                                                                | v26.0      | v27.0  |
+| Deprecated | [`Container` and `ContainerConfig` fields in Image inspect](#container-and-containerconfig-fields-in-image-inspect)                | v25.0      | v26.0  |
 | Deprecated | [Deprecate legacy API versions](#deprecate-legacy-api-versions)                                                                    | v25.0      | v26.0  |
-| Deprecated | [Container short ID in network Aliases field](#container-short-id-in-network-aliases-field)                                        | v25.0      | v26.0  |
+| Removed    | [Container short ID in network Aliases field](#container-short-id-in-network-aliases-field)                                        | v25.0      | v26.0  |
 | Deprecated | [IsAutomated field, and "is-automated" filter on docker search](#isautomated-field-and-is-automated-filter-on-docker-search)       | v25.0      | v26.0  |
 | Removed    | [logentries logging driver](#logentries-logging-driver)                                                                            | v24.0      | v25.0  |
 | Removed    | [OOM-score adjust for the daemon](#oom-score-adjust-for-the-daemon)                                                                | v24.0      | v25.0  |
@@ -72,7 +74,7 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`docker build --stream` flag (experimental)](#docker-build---stream-flag-experimental)                                            | v20.10     | v20.10 |
 | Deprecated | [`fluentd-async-connect` log opt](#fluentd-async-connect-log-opt)                                                                  | v20.10     | -      |
 | Removed    | [Configuration options for experimental CLI features](#configuration-options-for-experimental-cli-features)                        | v19.03     | v23.0  |
-| Deprecated | [Pushing and pulling with image manifest v2 schema 1](#pushing-and-pulling-with-image-manifest-v2-schema-1)                        | v19.03     | v20.10 |
+| Deprecated | [Pushing and pulling with image manifest v2 schema 1](#pushing-and-pulling-with-image-manifest-v2-schema-1)                        | v19.03     | v27.0  |
 | Removed    | [`docker engine` subcommands](#docker-engine-subcommands)                                                                          | v19.03     | v20.10 |
 | Removed    | [Top-level `docker deploy` subcommand (experimental)](#top-level-docker-deploy-subcommand-experimental)                            | v19.03     | v20.10 |
 | Removed    | [`docker stack deploy` using "dab" files (experimental)](#docker-stack-deploy-using-dab-files-experimental)                        | v19.03     | v20.10 |
@@ -110,6 +112,46 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13  |
 | Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12  |
 
+### Unauthenticated TCP connections
+
+**Deprecated in Release: v26.0**
+**Target For Removal In Release: v27.0**
+
+Configuring the Docker daemon to listen on a TCP address will require mandatory
+TLS verification. This change aims to ensure secure communication by preventing
+unauthorized access to the Docker daemon over potentially insecure networks.
+This mandatory TLS requirement applies to all TCP addresses except `tcp://localhost`.
+
+In version 27.0 and later, specifying `--tls=false` or `--tlsverify=false` CLI flags
+causes the daemon to fail to start if it's also configured to accept remote connections over TCP.
+This also applies to the equivalent configuration options in `daemon.json`.
+
+To facilitate remote access to the Docker daemon over TCP, you'll need to
+implement TLS verification. This secures the connection by encrypting data in
+transit and providing a mechanism for mutual authentication.
+
+For environments remote daemon access isn't required,
+we recommend binding the Docker daemon to a Unix socket.
+For daemon's where remote access is required and where TLS encryption is not feasible,
+you may want to consider using SSH as an alternative solution.
+
+For further information, assistance, and step-by-step instructions on
+configuring TLS (or SSH) for the Docker daemon, refer to
+[Protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/).
+
+### `Container` and `ContainerConfig` fields in Image inspect
+
+**Deprecated in Release: v25.0**
+**Target For Removal In Release: v26.0**
+
+The `Container` and `ContainerConfig` fields returned by `docker inspect` are
+mostly an implementation detail of the classic (non-BuildKit) image builder.
+These fields are not portable and are empty when using the
+BuildKit-based builder (enabled by default since v23.0).
+These fields are deprecated in v25.0 and will be omitted starting from v26.0.
+If image configuration of an image is needed, you can obtain it from the
+`Config` field.
+
 ### Deprecate legacy API versions
 
 **Deprecated in Release: v25.0**
@@ -167,7 +209,7 @@ old clients, and those clients must be supported.
 ### Container short ID in network Aliases field
 
 **Deprecated in Release: v25.0**
-**Target For Remove In Release: v26.0**
+**Removed In Release: v26.0**
 
 The `Aliases` field returned by `docker inspect` contains the container short
 ID once the container is started. This behavior is deprecated in v25.0 but
@@ -558,15 +600,35 @@ for the old option will be removed in a future release.
 
 **Deprecated in Release: v19.03**
 
-**Target For Removal In Release: v20.10**
+**Disabled by default in Release: v26.0**
 
-The image manifest
-[v2 schema 1](https://github.com/docker/distribution/blob/fda42e5ef908bdba722d435ff1f330d40dfcd56c/docs/spec/manifest-v2-1.md)
-format is deprecated in favor of the
-[v2 schema 2](https://github.com/docker/distribution/blob/fda42e5ef908bdba722d435ff1f330d40dfcd56c/docs/spec/manifest-v2-2.md) format.
+**Target For Removal In Release: v27.0**
 
-If the registry you are using still supports v2 schema 1, urge their administrators to move to v2 schema 2.
+The image manifest [v2 schema 1](https://distribution.github.io/distribution/spec/deprecated-schema-v1/)
+and "Docker Image v1" formats were deprecated in favor of the
+[v2 schema 2](https://distribution.github.io/distribution/spec/manifest-v2-2/)
+and [OCI image spec](https://github.com/opencontainers/image-spec/tree/v1.1.0)
+formats.
 
+These legacy formats should no longer be used, and users are recommended to
+update images to use current formats, or to upgrade to more current images.
+Starting with Docker v26.0, pulling these images is disabled by default, and
+produces an error when attempting to pull the image:
+
+```console
+$ docker pull ubuntu:10.04
+Error response from daemon:
+[DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release.
+Suggest the author of docker.io/library/ubuntu:10.04 to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2.
+More information at https://docs.docker.com/go/deprecated-image-specs/
+```
+
+An environment variable (`DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE`) is
+added in Docker v26.0 that allows re-enabling support for these image formats
+in the daemon. This environment variable must be set to a non-empty value in
+the daemon's environment (for example, through a [systemd override file](https://docs.docker.com/config/daemon/systemd/)).
+Support for the `DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE` environment-variable
+will be removed in Docker v27.0 after which this functionality is removed permanently.
 
 ### `docker engine` subcommands
 

docs/reference/commandline/container_exec.md

@@ -16,7 +16,7 @@ Execute a command in a running container
 | [`-e`](#env), [`--env`](#env)             | `list`   |         | Set environment variables                              |
 | `--env-file`                              | `list`   |         | Read in a file of environment variables                |
 | `-i`, `--interactive`                     |          |         | Keep STDIN open even if not attached                   |
-| `--privileged`                            |          |         | Give extended privileges to the command                |
+| [`--privileged`](#privileged)             |          |         | Give extended privileges to the command                |
 | `-t`, `--tty`                             |          |         | Allocate a pseudo-TTY                                  |
 | `-u`, `--user`                            | `string` |         | Username or UID (format: `<name\|uid>[:<group\|gid>]`) |
 | [`-w`](#workdir), [`--workdir`](#workdir) | `string` |         | Working directory inside the container                 |
@@ -96,6 +96,10 @@ VAR_B=2
 HOME=/root
 ```
 
+### <a name="privileged"></a> Escalate container privileges (--privileged)
+
+See [`docker run --privileged`](container_run.md#privileged).
+
 ### <a name="workdir"></a> Set the working directory for the exec process (--workdir, -w)
 
 By default `docker exec` command runs in the same working directory set when

docs/reference/commandline/container_run.md

@@ -108,7 +108,7 @@ Create and run a new container from an image
 | [`-t`](#tty), [`--tty`](#tty)                         |               |           | Allocate a pseudo-TTY                                                                                                                                                                                                                                                                                            |
 | [`--ulimit`](#ulimit)                                 | `ulimit`      |           | Ulimit options                                                                                                                                                                                                                                                                                                   |
 | `-u`, `--user`                                        | `string`      |           | Username or UID (format: <name\|uid>[:<group\|gid>])                                                                                                                                                                                                                                                             |
-| `--userns`                                            | `string`      |           | User namespace to use                                                                                                                                                                                                                                                                                            |
+| [`--userns`](#userns)                                 | `string`      |           | User namespace to use                                                                                                                                                                                                                                                                                            |
 | [`--uts`](#uts)                                       | `string`      |           | UTS namespace to use                                                                                                                                                                                                                                                                                             |
 | [`-v`](#volume), [`--volume`](#volume)                | `list`        |           | Bind mount a volume                                                                                                                                                                                                                                                                                              |
 | `--volume-driver`                                     | `string`      |           | Optional volume driver for the container                                                                                                                                                                                                                                                                         |
@@ -271,6 +271,21 @@ container.
    strace: Process 1 attached
    ```
 
+### <a name="userns"></a> Disable namespace remapping for a container (--userns)
+
+If you enable user namespaces on the daemon,
+all containers are started with user namespaces enabled by default.
+To disable user namespace remapping for a specific container,
+you can set the `--userns` flag to `host`.
+
+```console
+docker run --userns=host hello-world
+```
+
+`host` is the only valid value for the `--userns` flag.
+
+For more information, refer to [Isolate containers with a user namespace](https://docs.docker.com/engine/security/userns-remap/).
+
 ### <a name="uts"></a> UTS settings (--uts)
 
 ```text
@@ -326,7 +341,37 @@ are broken into multiple containers, you might need to share the IPC mechanisms
 of the containers, using `"shareable"` mode for the main (i.e. "donor")
 container, and `"container:<donor-name-or-ID>"` for other containers.
 
-### <a name="privileged"></a> Full container capabilities (--privileged)
+### <a name="privileged"></a> Escalate container privileges (--privileged)
+
+The `--privileged` flag gives the following capabilities to a container:
+
+- Enables all Linux kernel capabilities
+- Disables the default seccomp profile
+- Disables the default AppArmor profile
+- Disables the SELinux process label
+- Grants access to all host devices
+- Makes `/sys` read-write
+- Makes cgroups mounts read-write
+
+In other words, the container can then do almost everything that the host can
+do. This flag exists to allow special use-cases, like running Docker within
+Docker.
+
+> **Warning**
+>
+> Use the `--privileged` flag with caution.
+> A container with `--privileged` is not a securely sandboxed process.
+> Containers in this mode can get a root shell on the host
+> and take control over the system.
+>
+> For most use cases, this flag should not be the preferred solution.
+> If your container requires escalated privileges,
+> you should prefer to explicitly grant the necessary permissions,
+> for example by adding individual kernel capabilities with `--cap-add`.
+>
+> For more information, see
+> [Runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)
+{ .warning }
 
 The following example doesn't work, because by default, Docker drops most
 potentially dangerous kernel capabilities, including `CAP_SYS_ADMIN ` (which is
@@ -348,11 +393,6 @@ Filesystem      Size  Used Avail Use% Mounted on
 none            1.9G     0  1.9G   0% /mnt
 ```
 
-The `--privileged` flag gives all capabilities to the container, and it also
-lifts all the limitations enforced by the `device` cgroup controller. In other
-words, the container can then do almost everything that the host can do. This
-flag exists to allow special use-cases, like running Docker within Docker.
-
 ### <a name="workdir"></a> Set working directory (-w, --workdir)
 
 ```console
@@ -862,17 +902,19 @@ PS C:\> docker run --device=class/86E0D1E0-8089-11D0-9CE4-08003E301F73 mcr.micro
 
 > **Note**
 >
-> This is experimental feature and as such doesn't represent a stable API.
+> The CDI feature is experimental, and potentially subject to change.
+> CDI is currently only supported for Linux containers.
 
-Container Device Interface (CDI) is a
-[standardized](https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md)
-mechanism for container runtimes to create containers which are able to
-interact with third party devices.
+[Container Device Interface
+(CDI)](https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md)
+is a standardized mechanism for container runtimes to create containers which
+are able to interact with third party devices.
 
-With CDI, device configurations are defined using a JSON file. In addition to
-enabling the container to interact with the device node, it also lets you
-specify additional configuration for the device, such as kernel modules, host
-libraries, and environment variables.
+With CDI, device configurations are declaratively defined using a JSON or YAML
+file. In addition to enabling the container to interact with the device node,
+it also lets you specify additional configuration for the device, such as
+environment variables, host mounts (such as shared objects), and executable
+hooks.
 
 You can reference a CDI device with the `--device` flag using the
 fully-qualified name of the device, as shown in the following example:
@@ -884,10 +926,10 @@ $ docker run --device=vendor.com/class=device-name --rm -it ubuntu
 This starts an `ubuntu` container with access to the specified CDI device,
 `vendor.com/class=device-name`, assuming that:
 
-- A valid CDI specification (JSON file) for the requested device is available
-  on the system running the daemon, in one of the configured CDI specification
-  directories.
-- The CDI feature has been enabled on the daemon side, see [Enable CDI
+- A valid CDI specification (JSON or YAML file) for the requested device is
+  available on the system running the daemon, in one of the configured CDI
+  specification directories.
+- The CDI feature has been enabled in the daemon; see [Enable CDI
   devices](https://docs.docker.com/reference/cli/dockerd/#enable-cdi-devices).
 
 ### <a name="attach"></a> Attach to STDIN/STDOUT/STDERR (-a, --attach)
@@ -1323,6 +1365,7 @@ in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
 | `--security-opt="seccomp=unconfined"`     | Turn off seccomp confinement for the container                                                                                                                                                                   |
 | `--security-opt="seccomp=builtin"`        | Use the default (built-in) seccomp profile for the container. This can be used to enable seccomp for a container running on a daemon with a custom default profile set, or with seccomp disabled ("unconfined"). |
 | `--security-opt="seccomp=profile.json"`   | White-listed syscalls seccomp Json file to be used as a seccomp filter                                                                                                                                           |
+| `--security-opt="systempaths=unconfined"` | Turn off confinement for system paths (masked paths, read-only paths) for the container                                                                                                                           |
 
 The `--security-opt` flag lets you override the default labeling scheme for a
 container. Specifying the level in the following command allows you to share

docs/reference/commandline/image_build.md

@@ -69,7 +69,7 @@ user credentials, VPNs, and so forth.
 > **Note**
 >
 > If the `URL` parameter contains a fragment the system recursively clones
-> the repository and its submodules using a `git clone --recursive` command.
+> the repository and its submodules.
 
 Git URLs accept context configuration in their fragment section, separated by a
 colon (`:`).  The first part represents the reference that Git checks out,

docs/reference/commandline/network_create.md

@@ -162,7 +162,8 @@ equivalent Docker daemon flags used for docker0 bridge:
 | `com.docker.network.container_iface_prefix`      | -           | Set a custom prefix for container interfaces          |
 
 The following arguments can be passed to `docker network create` for any
-network driver, again with their approximate equivalents to `docker daemon`.
+network driver, again with their approximate equivalents to Docker daemon
+flags used for the docker0 bridge:
 
 | Argument     | Equivalent     | Description                                |
 |--------------|----------------|--------------------------------------------|
@@ -183,6 +184,12 @@ $ docker network create \
 
 ### <a name="internal"></a> Network internal mode (--internal)
 
+Containers on an internal network may communicate between each other, but not
+with any other network, as no default route is configured and firewall rules
+are set up to drop all traffic to or from other networks. Communication with
+the gateway IP  address (and thus appropriately configured host services) is
+possible, and the host may communicate with any container IP directly.
+
 By default, when you connect a container to an `overlay` network, Docker also
 connects a bridge network to it to provide external connectivity. If you want
 to create an externally isolated `overlay` network, you can specify the

docs/reference/commandline/swarm_init.md

@@ -117,6 +117,12 @@ data traffic from the management traffic of the cluster.
 
 If unspecified, the IP address or interface of the advertise address is used.
 
+Setting `--data-path-addr` does not restrict which interfaces or source IP
+addresses the VXLAN socket is bound to. Similar to `--advertise-addr`, the
+purpose of this flag is to inform other members of the swarm about which
+address to use for control plane traffic. To restrict access to the VXLAN port
+of the node, use firewall rules.
+
 ### <a name="data-path-port"></a> Configure port number for data traffic (--data-path-port)
 
 The `--data-path-port` flag allows you to configure the UDP port number to use

docs/reference/dockerd.md

@@ -530,7 +530,7 @@ For example:
       "runtimeType": "io.containerd.runsc.v1",
       "options": {
         "TypeUrl": "io.containerd.runsc.v1.options",
-        "ConfigPath": "/etc/containerd/runsc.toml",
+        "ConfigPath": "/etc/containerd/runsc.toml"
       }
     }
   }
@@ -1236,6 +1236,15 @@ The list of feature options include:
   snapshotters instead of the classic storage drivers for storing image and
   container data. For more information, see
   [containerd storage](https://docs.docker.com/storage/containerd/).
+- `windows-dns-proxy`: when set to `true`, the daemon's internal DNS resolver
+  will forward requests to external servers. Without this, most applications
+  running in the container will still be able to use secondary DNS servers
+  configured in the container itself, but `nslookup` won't be able to resolve
+  external names. The current default is `false`, it will change to `true` in
+  a future release. This option is only allowed on Windows.
+
+  > **Warning**
+  > The `windows-dns-proxy` feature flag will be removed in a future release.
 
 #### Configuration reload behavior
 
@@ -1347,7 +1356,7 @@ using the `daemon.json` file.
   "default-network-opts": {
     "bridge": {
       "com.docker.network.bridge.host_binding_ipv4": "127.0.0.1",
-      "com.docker.network.bridge.mtu": "1234"
+      "com.docker.network.driver.mtu": "1234"
     }
   }
 }
@@ -1363,7 +1372,7 @@ you create use these option configurations as defaults.
 ```console
 $ docker network create mynet
 $ docker network inspect mynet --format "{{json .Options}}"
-{"com.docker.network.bridge.host_binding_ipv4":"127.0.0.1","com.docker.network.bridge.mtu":"1234"}
+{"com.docker.network.bridge.host_binding_ipv4":"127.0.0.1","com.docker.network.driver.mtu":"1234"}
 ```
 
 Note that changing this daemon configuration doesn't affect pre-existing
@@ -1377,5 +1386,5 @@ daemon configuration. The CLI flag expects a value with the following format:
 ```console
 $ sudo dockerd \
   --default-network-opt bridge=com.docker.network.bridge.host_binding_ipv4=127.0.0.1 \
-  --default-network-opt bridge=com.docker.network.bridge.mtu=1234
+  --default-network-opt bridge=com.docker.network.driver.mtu=1234
 ```

docs/reference/run.md

@@ -7,7 +7,7 @@ title: Running containers
 ---
 
 Docker runs processes in isolated containers. A container is a process
-which runs on a host. The host may be local or remote. When an you
+which runs on a host. The host may be local or remote. When you
 execute `docker run`, the container process that runs is isolated in
 that it has its own file system, its own networking, and its own
 isolated process tree separate from the host.
@@ -813,11 +813,12 @@ by default a container is not allowed to access any devices, but a
 the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)).
 
 The `--privileged` flag gives all capabilities to the container. When the operator
-executes `docker run --privileged`, Docker will enable access to all devices on
-the host as well as set some configuration in AppArmor or SELinux to allow the
-container nearly all the same access to the host as processes running outside
-containers on the host. Additional information about running with `--privileged`
-is available on the [Docker Blog](https://www.docker.com/blog/docker-can-now-run-within-docker/).
+executes `docker run --privileged`, Docker enables access to all devices on
+the host, and reconfigures AppArmor or SELinux to allow the container
+nearly all the same access to the host as processes running outside
+containers on the host. Use this flag with caution.
+For more information about the `--privileged` flag, see the
+[`docker run` reference](https://docs.docker.com/reference/cli/docker/container/run/#privileged).
 
 If you want to limit access to a specific device or devices you can use
 the `--device` flag. It allows you to specify one or more devices that

e2e/container/run_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/docker/cli/e2e/internal/fixtures"
 	"github.com/docker/cli/internal/test/environment"
@@ -34,6 +35,22 @@ func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) {
 	golden.Assert(t, result.Stderr(), "run-attached-from-remote-and-remove.golden")
 }
 
+// Regression test for https://github.com/docker/cli/issues/5053
+func TestRunInvalidEntrypointWithAutoremove(t *testing.T) {
+	environment.SkipIfDaemonNotLinux(t)
+
+	result := make(chan *icmd.Result)
+	go func() {
+		result <- icmd.RunCommand("docker", "run", "--rm", fixtures.AlpineImage, "invalidcommand")
+	}()
+	select {
+	case r := <-result:
+		r.Assert(t, icmd.Expected{ExitCode: 127})
+	case <-time.After(4 * time.Second):
+		t.Fatal("test took too long, shouldn't hang")
+	}
+}
+
 func TestRunWithContentTrust(t *testing.T) {
 	skip.If(t, environment.RemoteDaemon())
 

e2e/global/cli_test.go

@@ -1,14 +1,25 @@
 package global
 
 import (
+	"bufio"
+	"bytes"
+	"context"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"syscall"
 	"testing"
+	"time"
 
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/e2e/testutils"
+	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/environment"
+	"github.com/docker/docker/api/types/versions"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/icmd"
+	"gotest.tools/v3/poll"
 	"gotest.tools/v3/skip"
 )
 
@@ -65,3 +76,185 @@ func TestTCPSchemeUsesHTTPProxyEnv(t *testing.T) {
 	assert.Equal(t, strings.TrimSpace(result.Stdout()), "99.99.9")
 	assert.Equal(t, received, "docker.acme.example.com:2376")
 }
+
+// Test that the prompt command exits with 0
+// when the user sends SIGINT/SIGTERM to the process
+func TestPromptExitCode(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	dir := fixtures.SetupConfigFile(t)
+	t.Cleanup(dir.Remove)
+
+	defaultCmdOpts := []icmd.CmdOp{
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithNotary,
+	}
+
+	testCases := []struct {
+		name string
+		run  func(t *testing.T) icmd.Cmd
+	}{
+		{
+			name: "volume prune",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "volume", "prune")
+			},
+		},
+		{
+			name: "network prune",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "network", "prune")
+			},
+		},
+		{
+			name: "container prune",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "container", "prune")
+			},
+		},
+		{
+			name: "image prune",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "image", "prune")
+			},
+		},
+		{
+			name: "system prune",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "system", "prune")
+			},
+		},
+		{
+			name: "revoke trust",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				return icmd.Command("docker", "trust", "revoke", "example/trust-demo")
+			},
+		},
+		{
+			name: "plugin install",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				skip.If(t, versions.LessThan(environment.DaemonAPIVersion(t), "1.44"))
+
+				pluginDir := testutils.SetupPlugin(t, ctx)
+				t.Cleanup(pluginDir.Remove)
+
+				plugin := "registry:5000/plugin-content-trust-install:latest"
+
+				icmd.RunCommand("docker", "plugin", "create", plugin, pluginDir.Path()).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "push", plugin), defaultCmdOpts...).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "rm", "-f", plugin), defaultCmdOpts...).Assert(t, icmd.Success)
+				return icmd.Command("docker", "plugin", "install", plugin)
+			},
+		},
+		{
+			name: "plugin upgrade",
+			run: func(t *testing.T) icmd.Cmd {
+				t.Helper()
+				skip.If(t, versions.LessThan(environment.DaemonAPIVersion(t), "1.44"))
+
+				pluginLatestDir := testutils.SetupPlugin(t, ctx)
+				t.Cleanup(pluginLatestDir.Remove)
+				pluginNextDir := testutils.SetupPlugin(t, ctx)
+				t.Cleanup(pluginNextDir.Remove)
+
+				plugin := "registry:5000/plugin-content-trust-upgrade"
+
+				icmd.RunCommand("docker", "plugin", "create", plugin+":latest", pluginLatestDir.Path()).Assert(t, icmd.Success)
+				icmd.RunCommand("docker", "plugin", "create", plugin+":next", pluginNextDir.Path()).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "push", plugin+":latest"), defaultCmdOpts...).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "push", plugin+":next"), defaultCmdOpts...).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "rm", "-f", plugin+":latest"), defaultCmdOpts...).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "rm", "-f", plugin+":next"), defaultCmdOpts...).Assert(t, icmd.Success)
+				icmd.RunCmd(icmd.Command("docker", "plugin", "install", "--disable", "--grant-all-permissions", plugin+":latest"), defaultCmdOpts...).Assert(t, icmd.Success)
+				return icmd.Command("docker", "plugin", "upgrade", plugin+":latest", plugin+":next")
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run("case="+tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			buf := new(bytes.Buffer)
+			bufioWriter := bufio.NewWriter(buf)
+
+			writeDone := make(chan struct{})
+			w := test.NewWriterWithHook(bufioWriter, func(p []byte) {
+				writeDone <- struct{}{}
+			})
+
+			drainChCtx, drainChCtxCancel := context.WithCancel(ctx)
+			t.Cleanup(drainChCtxCancel)
+
+			drainChannel(drainChCtx, writeDone)
+
+			r, _ := io.Pipe()
+			defer r.Close()
+			result := icmd.StartCmd(tc.run(t),
+				append(defaultCmdOpts,
+					icmd.WithStdout(w),
+					icmd.WithStderr(w),
+					icmd.WithStdin(r))...)
+
+			poll.WaitOn(t, func(t poll.LogT) poll.Result {
+				select {
+				case <-ctx.Done():
+					return poll.Error(ctx.Err())
+				default:
+
+					if err := bufioWriter.Flush(); err != nil {
+						return poll.Continue(err.Error())
+					}
+					if strings.Contains(buf.String(), "[y/N]") {
+						return poll.Success()
+					}
+
+					return poll.Continue("command did not prompt for confirmation, instead prompted:\n%s\n", buf.String())
+				}
+			}, poll.WithDelay(100*time.Millisecond), poll.WithTimeout(1*time.Second))
+
+			drainChCtxCancel()
+
+			assert.NilError(t, result.Cmd.Process.Signal(syscall.SIGINT))
+
+			proc, err := result.Cmd.Process.Wait()
+			assert.NilError(t, err)
+			assert.Equal(t, proc.ExitCode(), 0, "expected exit code to be 0, got %d", proc.ExitCode())
+
+			processCtx, processCtxCancel := context.WithTimeout(ctx, time.Second)
+			t.Cleanup(processCtxCancel)
+
+			select {
+			case <-processCtx.Done():
+				t.Fatal("timed out waiting for new line after process exit")
+			case <-writeDone:
+				buf.Reset()
+				assert.NilError(t, bufioWriter.Flush())
+				assert.Equal(t, buf.String(), "\n", "expected a new line after the process exits from SIGINT")
+			}
+		})
+	}
+}
+
+func drainChannel(ctx context.Context, ch <-chan struct{}) {
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ch:
+			}
+		}
+	}()
+}

e2e/plugin/trust_test.go

@@ -1,20 +1,14 @@
 package plugin
 
 import (
-	"encoding/json"
+	"context"
 	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
 	"testing"
 
 	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/e2e/testutils"
 	"github.com/docker/cli/internal/test/environment"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/versions"
-	"github.com/pkg/errors"
-	"gotest.tools/v3/assert"
-	"gotest.tools/v3/fs"
 	"gotest.tools/v3/icmd"
 	"gotest.tools/v3/skip"
 )
@@ -31,8 +25,11 @@ func TestInstallWithContentTrust(t *testing.T) {
 	dir := fixtures.SetupConfigFile(t)
 	defer dir.Remove()
 
-	pluginDir := preparePluginDir(t)
-	defer pluginDir.Remove()
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	pluginDir := testutils.SetupPlugin(t, ctx)
+	t.Cleanup(pluginDir.Remove)
 
 	icmd.RunCommand("docker", "plugin", "create", pluginName, pluginDir.Path()).Assert(t, icmd.Success)
 	result := icmd.RunCmd(icmd.Command("docker", "plugin", "push", pluginName),
@@ -73,46 +70,3 @@ func TestInstallWithContentTrustUntrusted(t *testing.T) {
 		Err:      "Error: remote trust data does not exist",
 	})
 }
-
-func preparePluginDir(t *testing.T) *fs.Dir {
-	t.Helper()
-	p := &types.PluginConfig{
-		Interface: types.PluginConfigInterface{
-			Socket: "basic.sock",
-			Types:  []types.PluginInterfaceType{{Capability: "docker.dummy/1.0"}},
-		},
-		Entrypoint: []string{"/basic"},
-	}
-	configJSON, err := json.Marshal(p)
-	assert.NilError(t, err)
-
-	binPath, err := ensureBasicPluginBin()
-	assert.NilError(t, err)
-
-	dir := fs.NewDir(t, "plugin_test",
-		fs.WithFile("config.json", string(configJSON), fs.WithMode(0o644)),
-		fs.WithDir("rootfs", fs.WithMode(0o755)),
-	)
-	icmd.RunCommand("/bin/cp", binPath, dir.Join("rootfs", p.Entrypoint[0])).Assert(t, icmd.Success)
-	return dir
-}
-
-func ensureBasicPluginBin() (string, error) {
-	name := "docker-basic-plugin"
-	p, err := exec.LookPath(name)
-	if err == nil {
-		return p, nil
-	}
-
-	goBin, err := exec.LookPath("/usr/local/go/bin/go")
-	if err != nil {
-		return "", err
-	}
-	installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name)
-	cmd := exec.Command(goBin, "build", "-o", installPath, "./basic")
-	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
-	if out, err := cmd.CombinedOutput(); err != nil {
-		return "", errors.Wrapf(err, "error building basic plugin bin: %s", string(out))
-	}
-	return installPath, nil
-}

e2e/testdata/Dockerfile.gencerts

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.8
+ARG GO_VERSION=1.21.11
 
 FROM golang:${GO_VERSION}-alpine AS generated
 ENV GOTOOLCHAIN=local