vendor: github.com/docker/docker, github.com/docker/cli v25.0.0-beta.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor/github.com/docker/cli/cli-plugins/manager/candidate.go

@@ -1,8 +1,6 @@
 package manager
 
-import (
-	exec "golang.org/x/sys/execabs"
-)
+import "os/exec"
 
 // Candidate represents a possible plugin candidate, for mocking purposes
 type Candidate interface {

vendor/github.com/docker/cli/cli-plugins/manager/manager.go

@@ -3,6 +3,7 @@ package manager
 import (
 	"context"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -13,7 +14,6 @@ import (
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
-	exec "golang.org/x/sys/execabs"
 )
 
 // ReexecEnvvar is the name of an ennvar which is set to the command

vendor/github.com/docker/cli/cli-plugins/manager/manager_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package manager
 

vendor/github.com/docker/cli/cli-plugins/manager/metadata.go

@@ -22,8 +22,4 @@ type Metadata struct {
 	ShortDescription string `json:",omitempty"`
 	// URL is a pointer to the plugin's homepage.
 	URL string `json:",omitempty"`
-	// Experimental specifies whether the plugin is experimental.
-	//
-	// Deprecated: experimental features are now always enabled in the CLI
-	Experimental bool `json:",omitempty"`
 }

vendor/github.com/docker/cli/cli-plugins/manager/suffix_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package manager
 

vendor/github.com/docker/cli/cli-plugins/plugin/plugin.go

@@ -131,7 +131,7 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 			DisableDescriptions: true,
 		},
 	}
-	opts, flags := cli.SetupPluginRootCommand(cmd)
+	opts, _ := cli.SetupPluginRootCommand(cmd)
 
 	cmd.SetIn(dockerCli.In())
 	cmd.SetOut(dockerCli.Out())
@@ -144,7 +144,7 @@ func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta
 
 	cli.DisableFlagsInUseLine(cmd)
 
-	return cli.NewTopLevelCommand(cmd, dockerCli, opts, flags)
+	return cli.NewTopLevelCommand(cmd, dockerCli, opts, cmd.Flags())
 }
 
 func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.Command {

vendor/github.com/docker/cli/cli/cobra.go

@@ -9,7 +9,6 @@ import (
 
 	pluginmanager "github.com/docker/cli/cli-plugins/manager"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/config"
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/docker/docker/pkg/homedir"
 	"github.com/docker/docker/registry"
@@ -23,12 +22,9 @@ import (
 
 // setupCommonRootCommand contains the setup common to
 // SetupRootCommand and SetupPluginRootCommand.
-func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *cobra.Command) {
 	opts := cliflags.NewClientOptions()
-	flags := rootCmd.Flags()
-
-	flags.StringVar(&opts.ConfigDir, "config", config.Dir(), "Location of client config files")
-	opts.InstallFlags(flags)
+	opts.InstallFlags(rootCmd.Flags())
 
 	cobra.AddTemplateFunc("add", func(a, b int) int { return a + b })
 	cobra.AddTemplateFunc("hasAliases", hasAliases)
@@ -73,20 +69,20 @@ func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *p
 		}
 	}
 
-	return opts, flags, helpCommand
+	return opts, helpCommand
 }
 
 // SetupRootCommand sets default usage, help, and error handling for the
 // root command.
-func SetupRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+func SetupRootCommand(rootCmd *cobra.Command) (opts *cliflags.ClientOptions, helpCmd *cobra.Command) {
 	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")
 	return setupCommonRootCommand(rootCmd)
 }
 
 // SetupPluginRootCommand sets default usage, help and error handling for a plugin root command.
 func SetupPluginRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet) {
-	opts, flags, _ := setupCommonRootCommand(rootCmd)
-	return opts, flags
+	opts, _ := setupCommonRootCommand(rootCmd)
+	return opts, rootCmd.Flags()
 }
 
 // FlagErrorFunc prints an error message which matches the format of the

vendor/github.com/docker/cli/cli/command/cli.go

@@ -189,7 +189,7 @@ func (cli *DockerCli) ManifestStore() manifeststore.Store {
 // registry
 func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.RegistryClient {
 	resolver := func(ctx context.Context, index *registry.IndexInfo) registry.AuthConfig {
-		return ResolveAuthConfig(ctx, cli, index)
+		return ResolveAuthConfig(cli.ConfigFile(), index)
 	}
 	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
 }
@@ -260,17 +260,15 @@ func NewAPIClientFromFlags(opts *cliflags.ClientOptions, configFile *configfile.
 }
 
 func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigFile) (client.APIClient, error) {
-	clientOpts, err := ep.ClientOpts()
+	opts, err := ep.ClientOpts()
 	if err != nil {
 		return nil, err
 	}
-	customHeaders := make(map[string]string, len(configFile.HTTPHeaders))
-	for k, v := range configFile.HTTPHeaders {
-		customHeaders[k] = v
+	if len(configFile.HTTPHeaders) > 0 {
+		opts = append(opts, client.WithHTTPHeaders(configFile.HTTPHeaders))
 	}
-	customHeaders["User-Agent"] = UserAgent()
-	clientOpts = append(clientOpts, client.WithHTTPHeaders(customHeaders))
-	return client.NewClientWithOpts(clientOpts...)
+	opts = append(opts, client.WithUserAgent(UserAgent()))
+	return client.NewClientWithOpts(opts...)
 }
 
 func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
@@ -364,7 +362,7 @@ func (cli *DockerCli) ContextStore() store.Store {
 // order of preference:
 //
 //  1. The "--context" command-line option.
-//  2. The "DOCKER_CONTEXT" environment variable.
+//  2. The "DOCKER_CONTEXT" environment variable ([EnvOverrideContext]).
 //  3. The current context as configured through the in "currentContext"
 //     field in the CLI configuration file ("~/.docker/config.json").
 //  4. If no context is configured, use the "default" context.
@@ -406,7 +404,7 @@ func resolveContextName(opts *cliflags.ClientOptions, config *configfile.ConfigF
 	if os.Getenv(client.EnvOverrideHost) != "" {
 		return DefaultContextName
 	}
-	if ctxName := os.Getenv("DOCKER_CONTEXT"); ctxName != "" {
+	if ctxName := os.Getenv(EnvOverrideContext); ctxName != "" {
 		return ctxName
 	}
 	if config != nil && config.CurrentContext != "" {

vendor/github.com/docker/cli/cli/command/defaultcontextstore.go

@@ -11,6 +11,12 @@ import (
 const (
 	// DefaultContextName is the name reserved for the default context (config & env based)
 	DefaultContextName = "default"
+
+	// EnvOverrideContext is the name of the environment variable that can be
+	// used to override the context to use. If set, it overrides the context
+	// that's set in the CLI's configuration file, but takes no effect if the
+	// "DOCKER_HOST" env-var is set (which takes precedence.
+	EnvOverrideContext = "DOCKER_CONTEXT"
 )
 
 // DefaultContext contains the default context data for all endpoints

vendor/github.com/docker/cli/cli/command/events_utils.go

@@ -3,28 +3,28 @@ package command
 import (
 	"sync"
 
-	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/events"
 	"github.com/sirupsen/logrus"
 )
 
 // EventHandler is abstract interface for user to customize
 // own handle functions of each type of events
 type EventHandler interface {
-	Handle(action string, h func(eventtypes.Message))
-	Watch(c <-chan eventtypes.Message)
+	Handle(action events.Action, h func(events.Message))
+	Watch(c <-chan events.Message)
 }
 
 // InitEventHandler initializes and returns an EventHandler
 func InitEventHandler() EventHandler {
-	return &eventHandler{handlers: make(map[string]func(eventtypes.Message))}
+	return &eventHandler{handlers: make(map[events.Action]func(events.Message))}
 }
 
 type eventHandler struct {
-	handlers map[string]func(eventtypes.Message)
+	handlers map[events.Action]func(events.Message)
 	mu       sync.Mutex
 }
 
-func (w *eventHandler) Handle(action string, h func(eventtypes.Message)) {
+func (w *eventHandler) Handle(action events.Action, h func(events.Message)) {
 	w.mu.Lock()
 	w.handlers[action] = h
 	w.mu.Unlock()
@@ -33,7 +33,7 @@ func (w *eventHandler) Handle(action string, h func(eventtypes.Message)) {
 // Watch ranges over the passed in event chan and processes the events based on the
 // handlers created for a given action.
 // To stop watching, close the event chan.
-func (w *eventHandler) Watch(c <-chan eventtypes.Message) {
+func (w *eventHandler) Watch(c <-chan events.Message) {
 	for e := range c {
 		w.mu.Lock()
 		h, exists := w.handlers[e.Action]

vendor/github.com/docker/cli/cli/command/registry.go

@@ -2,16 +2,17 @@ package command
 
 import (
 	"bufio"
-	"context"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"strings"
 
+	"github.com/distribution/reference"
+	"github.com/docker/cli/cli/config/configfile"
 	configtypes "github.com/docker/cli/cli/config/types"
+	"github.com/docker/cli/cli/hints"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/registry"
@@ -19,12 +20,9 @@ import (
 	"github.com/pkg/errors"
 )
 
-// EncodeAuthToBase64 serializes the auth configuration as JSON base64 payload.
-//
-// Deprecated: use [registrytypes.EncodeAuthConfig] instead.
-func EncodeAuthToBase64(authConfig registrytypes.AuthConfig) (string, error) {
-	return registrytypes.EncodeAuthConfig(authConfig)
-}
+const patSuggest = "You can log in with your password or a Personal Access " +
+	"Token (PAT). Using a limited-scope PAT grants better security and is required " +
+	"for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/"
 
 // RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info
 // for the given command.
@@ -33,7 +31,7 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 		fmt.Fprintf(cli.Out(), "\nPlease login prior to %s:\n", cmdName)
 		indexServer := registry.GetAuthConfigKey(index)
 		isDefaultRegistry := indexServer == registry.IndexServer
-		authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry)
+		authConfig, err := GetDefaultAuthConfig(cli.ConfigFile(), true, indexServer, isDefaultRegistry)
 		if err != nil {
 			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
 		}
@@ -51,26 +49,26 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 //
 // It is similar to [registry.ResolveAuthConfig], but uses the credentials-
 // store, instead of looking up credentials from a map.
-func ResolveAuthConfig(_ context.Context, cli Cli, index *registrytypes.IndexInfo) registrytypes.AuthConfig {
+func ResolveAuthConfig(cfg *configfile.ConfigFile, index *registrytypes.IndexInfo) registrytypes.AuthConfig {
 	configKey := index.Name
 	if index.Official {
 		configKey = registry.IndexServer
 	}
 
-	a, _ := cli.ConfigFile().GetAuthConfig(configKey)
+	a, _ := cfg.GetAuthConfig(configKey)
 	return registrytypes.AuthConfig(a)
 }
 
 // GetDefaultAuthConfig gets the default auth config given a serverAddress
 // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (registrytypes.AuthConfig, error) {
+func GetDefaultAuthConfig(cfg *configfile.ConfigFile, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (registrytypes.AuthConfig, error) {
 	if !isDefaultRegistry {
 		serverAddress = registry.ConvertToHostname(serverAddress)
 	}
 	authconfig := configtypes.AuthConfig{}
 	var err error
 	if checkCredStore {
-		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
+		authconfig, err = cfg.GetAuthConfig(serverAddress)
 		if err != nil {
 			return registrytypes.AuthConfig{
 				ServerAddress: serverAddress,
@@ -79,8 +77,7 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
 	}
 	authconfig.ServerAddress = serverAddress
 	authconfig.IdentityToken = ""
-	res := registrytypes.AuthConfig(authconfig)
-	return res, nil
+	return registrytypes.AuthConfig(authconfig), nil
 }
 
 // ConfigureAuth handles prompting of user's username and password if needed
@@ -113,7 +110,11 @@ func ConfigureAuth(cli Cli, flUser, flPassword string, authconfig *registrytypes
 	if flUser = strings.TrimSpace(flUser); flUser == "" {
 		if isDefaultRegistry {
 			// if this is a default registry (docker hub), then display the following message.
-			fmt.Fprintln(cli.Out(), "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
+			fmt.Fprintln(cli.Out(), "Log in with your Docker ID or email address to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com/ to create one.")
+			if hints.Enabled() {
+				fmt.Fprintln(cli.Out(), patSuggest)
+				fmt.Fprintln(cli.Out())
+			}
 		}
 		promptWithDefault(cli.Out(), "Username", authconfig.Username)
 		var err error
@@ -179,9 +180,9 @@ func promptWithDefault(out io.Writer, prompt string, configDefault string) {
 //
 // For details on base64url encoding, see:
 // - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
-func RetrieveAuthTokenFromImage(ctx context.Context, cli Cli, image string) (string, error) {
+func RetrieveAuthTokenFromImage(cfg *configfile.ConfigFile, image string) (string, error) {
 	// Retrieve encoded auth token from the image reference
-	authConfig, err := resolveAuthConfigFromImage(ctx, cli, image)
+	authConfig, err := resolveAuthConfigFromImage(cfg, image)
 	if err != nil {
 		return "", err
 	}
@@ -193,7 +194,7 @@ func RetrieveAuthTokenFromImage(ctx context.Context, cli Cli, image string) (str
 }
 
 // resolveAuthConfigFromImage retrieves that AuthConfig using the image string
-func resolveAuthConfigFromImage(ctx context.Context, cli Cli, image string) (registrytypes.AuthConfig, error) {
+func resolveAuthConfigFromImage(cfg *configfile.ConfigFile, image string) (registrytypes.AuthConfig, error) {
 	registryRef, err := reference.ParseNormalizedNamed(image)
 	if err != nil {
 		return registrytypes.AuthConfig{}, err
@@ -202,5 +203,5 @@ func resolveAuthConfigFromImage(ctx context.Context, cli Cli, image string) (reg
 	if err != nil {
 		return registrytypes.AuthConfig{}, err
 	}
-	return ResolveAuthConfig(ctx, cli, repoInfo.Index), nil
+	return ResolveAuthConfig(cfg, repoInfo.Index), nil
 }

vendor/github.com/docker/cli/cli/command/utils.go

@@ -11,6 +11,8 @@ import (
 
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types/filters"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/moby/sys/sequential"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
@@ -195,3 +197,17 @@ func StringSliceReplaceAt(s, old, new []string, requireIndex int) ([]string, boo
 	out = append(out, s[idx+len(old):]...)
 	return out, true
 }
+
+// ValidateMountWithAPIVersion validates a mount with the server API version.
+func ValidateMountWithAPIVersion(m mounttypes.Mount, serverAPIVersion string) error {
+	if m.BindOptions != nil {
+		if m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") {
+			return errors.Errorf("bind-recursive=disabled requires API v1.40 or later")
+		}
+		// ReadOnlyNonRecursive can be safely ignored when API < 1.44
+		if m.BindOptions.ReadOnlyForceRecursive && versions.LessThan(serverAPIVersion, "1.44") {
+			return errors.Errorf("bind-recursive=readonly requires API v1.44 or later")
+		}
+	}
+	return nil
+}

vendor/github.com/docker/cli/cli/config/config.go

@@ -16,32 +16,25 @@ import (
 )
 
 const (
-	// ConfigFileName is the name of config file
+	// EnvOverrideConfigDir is the name of the environment variable that can be
+	// used to override the location of the client configuration files (~/.docker).
+	//
+	// It takes priority over the default, but can be overridden by the "--config"
+	// command line option.
+	EnvOverrideConfigDir = "DOCKER_CONFIG"
+
+	// ConfigFileName is the name of the client configuration file inside the
+	// config-directory.
 	ConfigFileName = "config.json"
 	configFileDir  = ".docker"
-	oldConfigfile  = ".dockercfg" // Deprecated: remove once we stop printing deprecation warning
 	contextsDir    = "contexts"
 )
 
 var (
 	initConfigDir = new(sync.Once)
 	configDir     string
-	homeDir       string
 )
 
-// resetHomeDir is used in testing to reset the "homeDir" package variable to
-// force re-lookup of the home directory between tests.
-func resetHomeDir() {
-	homeDir = ""
-}
-
-func getHomeDir() string {
-	if homeDir == "" {
-		homeDir = homedir.Get()
-	}
-	return homeDir
-}
-
 // resetConfigDir is used in testing to reset the "configDir" package variable
 // and its sync.Once to force re-lookup between tests.
 func resetConfigDir() {
@@ -49,19 +42,14 @@ func resetConfigDir() {
 	initConfigDir = new(sync.Once)
 }
 
-func setConfigDir() {
-	if configDir != "" {
-		return
-	}
-	configDir = os.Getenv("DOCKER_CONFIG")
-	if configDir == "" {
-		configDir = filepath.Join(getHomeDir(), configFileDir)
-	}
-}
-
 // Dir returns the directory the configuration file is stored in
 func Dir() string {
-	initConfigDir.Do(setConfigDir)
+	initConfigDir.Do(func() {
+		configDir = os.Getenv(EnvOverrideConfigDir)
+		if configDir == "" {
+			configDir = filepath.Join(homedir.Get(), configFileDir)
+		}
+	})
 	return configDir
 }
 
@@ -72,6 +60,8 @@ func ContextStoreDir() string {
 
 // SetDir sets the directory the configuration file is stored in
 func SetDir(dir string) {
+	// trigger the sync.Once to synchronise with Dir()
+	initConfigDir.Do(func() {})
 	configDir = filepath.Clean(dir)
 }
 
@@ -96,55 +86,43 @@ func LoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
 
 // Load reads the configuration files in the given directory, and sets up
 // the auth config information and returns values.
-// FIXME: use the internal golang config parser
 func Load(configDir string) (*configfile.ConfigFile, error) {
-	cfg, _, err := load(configDir)
-	return cfg, err
-}
-
-// TODO remove this temporary hack, which is used to warn about the deprecated ~/.dockercfg file
-// so we can remove the bool return value and collapse this back into `Load`
-func load(configDir string) (*configfile.ConfigFile, bool, error) {
-	printLegacyFileWarning := false
-
 	if configDir == "" {
 		configDir = Dir()
 	}
+	return load(configDir)
+}
 
+func load(configDir string) (*configfile.ConfigFile, error) {
 	filename := filepath.Join(configDir, ConfigFileName)
 	configFile := configfile.New(filename)
 
-	// Try happy path first - latest config file
-	if file, err := os.Open(filename); err == nil {
-		defer file.Close()
-		err = configFile.LoadFromReader(file)
-		if err != nil {
-			err = errors.Wrap(err, filename)
+	file, err := os.Open(filename)
+	if err != nil {
+		if os.IsNotExist(err) {
+			//
+			// if file is there but we can't stat it for any reason other
+			// than it doesn't exist then stop
+			return configFile, nil
 		}
-		return configFile, printLegacyFileWarning, err
-	} else if !os.IsNotExist(err) {
 		// if file is there but we can't stat it for any reason other
 		// than it doesn't exist then stop
-		return configFile, printLegacyFileWarning, errors.Wrap(err, filename)
+		return configFile, nil
 	}
-
-	// Can't find latest config file so check for the old one
-	filename = filepath.Join(getHomeDir(), oldConfigfile)
-	if _, err := os.Stat(filename); err == nil {
-		printLegacyFileWarning = true
+	defer file.Close()
+	err = configFile.LoadFromReader(file)
+	if err != nil {
+		err = errors.Wrap(err, filename)
 	}
-	return configFile, printLegacyFileWarning, nil
+	return configFile, err
 }
 
 // LoadDefaultConfigFile attempts to load the default config file and returns
 // an initialized ConfigFile struct if none is found.
 func LoadDefaultConfigFile(stderr io.Writer) *configfile.ConfigFile {
-	configFile, printLegacyFileWarning, err := load(Dir())
+	configFile, err := load(Dir())
 	if err != nil {
-		fmt.Fprintf(stderr, "WARNING: Error loading config file: %v\n", err)
-	}
-	if printLegacyFileWarning {
-		_, _ = fmt.Fprintln(stderr, "WARNING: Support for the legacy ~/.dockercfg configuration file and file-format has been removed and the configuration file will be ignored")
+		_, _ = fmt.Fprintf(stderr, "WARNING: Error loading config file: %v\n", err)
 	}
 	if !configFile.ContainsAuth() {
 		configFile.CredentialsStore = credentials.DetectDefaultStore(configFile.CredentialsStore)

vendor/github.com/docker/cli/cli/config/configfile/file_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package configfile
 

vendor/github.com/docker/cli/cli/config/credentials/default_store.go

@@ -1,21 +1,22 @@
 package credentials
 
-import (
-	exec "golang.org/x/sys/execabs"
-)
+import "os/exec"
 
 // DetectDefaultStore return the default credentials store for the platform if
-// the store executable is available.
+// no user-defined store is passed, and the store executable is available.
 func DetectDefaultStore(store string) string {
-	platformDefault := defaultCredentialsStore()
-
-	// user defined or no default for platform
-	if store != "" || platformDefault == "" {
+	if store != "" {
+		// use user-defined
 		return store
 	}
 
-	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err == nil {
-		return platformDefault
+	platformDefault := defaultCredentialsStore()
+	if platformDefault == "" {
+		return ""
 	}
-	return ""
+
+	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err != nil {
+		return ""
+	}
+	return platformDefault
 }

vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !windows && !darwin && !linux
-// +build !windows,!darwin,!linux
 
 package credentials
 

vendor/github.com/docker/cli/cli/config/credentials/native_store.go

@@ -51,6 +51,7 @@ func (c *nativeStore) Get(serverAddress string) (types.AuthConfig, error) {
 	auth.Username = creds.Username
 	auth.IdentityToken = creds.IdentityToken
 	auth.Password = creds.Password
+	auth.ServerAddress = creds.ServerAddress
 
 	return auth, nil
 }
@@ -76,6 +77,9 @@ func (c *nativeStore) GetAll() (map[string]types.AuthConfig, error) {
 		ac.Username = creds.Username
 		ac.Password = creds.Password
 		ac.IdentityToken = creds.IdentityToken
+		if ac.ServerAddress == "" {
+			ac.ServerAddress = creds.ServerAddress
+		}
 		authConfigs[registry] = ac
 	}
 

vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go

@@ -20,6 +20,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"os/exec"
 	"runtime"
 	"strings"
 	"sync"
@@ -29,7 +30,6 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	exec "golang.org/x/sys/execabs"
 )
 
 // New returns net.Conn

vendor/github.com/docker/cli/cli/connhelper/commandconn/pdeathsig_nolinux.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package commandconn
 

vendor/github.com/docker/cli/cli/connhelper/commandconn/session_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package commandconn
 

vendor/github.com/docker/cli/cli/context/docker/load.go

@@ -40,23 +40,23 @@ func WithTLSData(s store.Reader, contextName string, m EndpointMeta) (Endpoint,
 }
 
 // tlsConfig extracts a context docker endpoint TLS config
-func (c *Endpoint) tlsConfig() (*tls.Config, error) {
-	if c.TLSData == nil && !c.SkipTLSVerify {
+func (ep *Endpoint) tlsConfig() (*tls.Config, error) {
+	if ep.TLSData == nil && !ep.SkipTLSVerify {
 		// there is no specific tls config
 		return nil, nil
 	}
 	var tlsOpts []func(*tls.Config)
-	if c.TLSData != nil && c.TLSData.CA != nil {
+	if ep.TLSData != nil && ep.TLSData.CA != nil {
 		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(c.TLSData.CA) {
+		if !certPool.AppendCertsFromPEM(ep.TLSData.CA) {
 			return nil, errors.New("failed to retrieve context tls info: ca.pem seems invalid")
 		}
 		tlsOpts = append(tlsOpts, func(cfg *tls.Config) {
 			cfg.RootCAs = certPool
 		})
 	}
-	if c.TLSData != nil && c.TLSData.Key != nil && c.TLSData.Cert != nil {
-		keyBytes := c.TLSData.Key
+	if ep.TLSData != nil && ep.TLSData.Key != nil && ep.TLSData.Cert != nil {
+		keyBytes := ep.TLSData.Key
 		pemBlock, _ := pem.Decode(keyBytes)
 		if pemBlock == nil {
 			return nil, errors.New("no valid private key found")
@@ -65,7 +65,7 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 			return nil, errors.New("private key is encrypted - support for encrypted private keys has been removed, see https://docs.docker.com/go/deprecated/")
 		}
 
-		x509cert, err := tls.X509KeyPair(c.TLSData.Cert, keyBytes)
+		x509cert, err := tls.X509KeyPair(ep.TLSData.Cert, keyBytes)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to retrieve context tls info")
 		}
@@ -73,7 +73,7 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 			cfg.Certificates = []tls.Certificate{x509cert}
 		})
 	}
-	if c.SkipTLSVerify {
+	if ep.SkipTLSVerify {
 		tlsOpts = append(tlsOpts, func(cfg *tls.Config) {
 			cfg.InsecureSkipVerify = true
 		})
@@ -82,33 +82,31 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 }
 
 // ClientOpts returns a slice of Client options to configure an API client with this endpoint
-func (c *Endpoint) ClientOpts() ([]client.Opt, error) {
+func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 	var result []client.Opt
-	if c.Host != "" {
-		helper, err := connhelper.GetConnectionHelper(c.Host)
+	if ep.Host != "" {
+		helper, err := connhelper.GetConnectionHelper(ep.Host)
 		if err != nil {
 			return nil, err
 		}
 		if helper == nil {
-			tlsConfig, err := c.tlsConfig()
+			tlsConfig, err := ep.tlsConfig()
 			if err != nil {
 				return nil, err
 			}
 			result = append(result,
 				withHTTPClient(tlsConfig),
-				client.WithHost(c.Host),
+				client.WithHost(ep.Host),
 			)
 
 		} else {
-			httpClient := &http.Client{
-				// No tls
-				// No proxy
-				Transport: &http.Transport{
-					DialContext: helper.Dialer,
-				},
-			}
 			result = append(result,
-				client.WithHTTPClient(httpClient),
+				client.WithHTTPClient(&http.Client{
+					// No TLS, and no proxy.
+					Transport: &http.Transport{
+						DialContext: helper.Dialer,
+					},
+				}),
 				client.WithHost(helper.Host),
 				client.WithDialContext(helper.Dialer),
 			)
@@ -125,8 +123,7 @@ func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 			// Use the default HTTPClient
 			return nil
 		}
-
-		httpClient := &http.Client{
+		return client.WithHTTPClient(&http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: tlsConfig,
 				DialContext: (&net.Dialer{
@@ -135,8 +132,7 @@ func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 				}).DialContext,
 			},
 			CheckRedirect: client.CheckRedirect,
-		}
-		return client.WithHTTPClient(httpClient)(c)
+		})(c)
 	}
 }
 

vendor/github.com/docker/cli/cli/flags/options.go

@@ -14,6 +14,18 @@ import (
 )
 
 const (
+	// EnvEnableTLS is the name of the environment variable that can be used
+	// to enable TLS for client connections. When set to a non-empty value, TLS
+	// is enabled for API connections using TCP. For backward-compatibility, this
+	// environment-variable can only be used to enable TLS, not to disable.
+	//
+	// Note that TLS is always enabled implicitly if the "--tls-verify" option
+	// or "DOCKER_TLS_VERIFY" ([github.com/docker/docker/client.EnvTLSVerify])
+	// env var is set to, which could be to either enable or disable TLS certification
+	// validation. In both cases, TLS is enabled but, depending on the setting,
+	// with verification disabled.
+	EnvEnableTLS = "DOCKER_TLS"
+
 	// DefaultCaFile is the default filename for the CA pem file
 	DefaultCaFile = "ca.pem"
 	// DefaultKeyFile is the default filename for the key pem file
@@ -39,8 +51,7 @@ Refer to https://docs.docker.com/go/formatting/ for more information about forma
 var (
 	dockerCertPath  = os.Getenv(client.EnvOverrideCertPath)
 	dockerTLSVerify = os.Getenv(client.EnvTLSVerify) != ""
-	// TODO(thaJeztah) the 'DOCKER_TLS' environment variable is not documented, and does not have a const.
-	dockerTLS = os.Getenv("DOCKER_TLS") != ""
+	dockerTLS       = os.Getenv(EnvEnableTLS) != ""
 )
 
 // ClientOptions are the options used to configure the client cli.
@@ -62,10 +73,12 @@ func NewClientOptions() *ClientOptions {
 
 // InstallFlags adds flags for the common options on the FlagSet
 func (o *ClientOptions) InstallFlags(flags *pflag.FlagSet) {
+	configDir := config.Dir()
 	if dockerCertPath == "" {
-		dockerCertPath = config.Dir()
+		dockerCertPath = configDir
 	}
 
+	flags.StringVar(&o.ConfigDir, "config", configDir, "Location of client config files")
 	flags.BoolVarP(&o.Debug, "debug", "D", false, "Enable debug mode")
 	flags.StringVarP(&o.LogLevel, "log-level", "l", "info", `Set the logging level ("debug", "info", "warn", "error", "fatal")`)
 	flags.BoolVar(&o.TLS, "tls", dockerTLS, "Use TLS; implied by --tlsverify")

vendor/github.com/docker/cli/cli/hints/hints.go

@@ -0,0 +1,18 @@
+package hints
+
+import (
+	"os"
+	"strconv"
+)
+
+// Enabled returns whether cli hints are enabled or not
+func Enabled() bool {
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+		enabled, err := strconv.ParseBool(v)
+		if err != nil {
+			return true
+		}
+		return enabled
+	}
+	return true
+}

vendor/github.com/docker/cli/cli/manifest/store/store.go

@@ -7,9 +7,9 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/manifest/types"
 	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/reference"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"

vendor/github.com/docker/cli/cli/manifest/types/types.go

@@ -3,11 +3,11 @@ package types
 import (
 	"encoding/json"
 
+	"github.com/distribution/reference"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/manifest/manifestlist"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/reference"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"

vendor/github.com/docker/cli/cli/registry/client/client.go

@@ -6,9 +6,10 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/distribution/reference"
 	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution"
-	"github.com/docker/distribution/reference"
 	distributionclient "github.com/docker/distribution/registry/client"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/opencontainers/go-digest"
@@ -77,6 +78,7 @@ func (c *client) MountBlob(ctx context.Context, sourceRef reference.Canonical, t
 	if err != nil {
 		return err
 	}
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, targetRef, repoEndpoint)
 	if err != nil {
 		return err
@@ -102,6 +104,7 @@ func (c *client) PutManifest(ctx context.Context, ref reference.Named, manifest
 		return digest.Digest(""), err
 	}
 
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, ref, repoEndpoint)
 	if err != nil {
 		return digest.Digest(""), err
@@ -151,7 +154,9 @@ func (c *client) getHTTPTransportForRepoEndpoint(ctx context.Context, repoEndpoi
 		c.authConfigResolver(ctx, repoEndpoint.info.Index),
 		repoEndpoint.endpoint,
 		repoEndpoint.Name(),
-		c.userAgent)
+		c.userAgent,
+		repoEndpoint.actions,
+	)
 	return httpTransport, errors.Wrap(err, "failed to configure transport")
 }
 

vendor/github.com/docker/cli/cli/registry/client/endpoint.go

@@ -6,7 +6,8 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution/registry/client/auth"
 	"github.com/docker/distribution/registry/client/transport"
 	registrytypes "github.com/docker/docker/api/types/registry"
@@ -17,6 +18,7 @@ import (
 type repositoryEndpoint struct {
 	info     *registry.RepositoryInfo
 	endpoint registry.APIEndpoint
+	actions  []string
 }
 
 // Name returns the repository name
@@ -74,7 +76,7 @@ func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry
 }
 
 // getHTTPTransport builds a transport for use in communicating with a registry
-func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName string, userAgent string) (http.RoundTripper, error) {
+func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName, userAgent string, actions []string) (http.RoundTripper, error) {
 	// get the http transport, this will be used in a client to upload manifest
 	base := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
@@ -98,8 +100,11 @@ func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.API
 		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
 	} else {
+		if len(actions) == 0 {
+			actions = trust.ActionsPullOnly
+		}
 		creds := registry.NewStaticCredentialStore(&authConfig)
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "push", "pull")
+		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
 		basicHandler := auth.NewBasicHandler(creds)
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
 	}

vendor/github.com/docker/cli/cli/registry/client/fetcher.go

@@ -4,12 +4,12 @@ import (
 	"context"
 	"encoding/json"
 
+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/manifest/types"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/manifest/manifestlist"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/api/errcode"
 	v2 "github.com/docker/distribution/registry/api/v2"
 	distclient "github.com/docker/distribution/registry/client"
@@ -31,17 +31,9 @@ func fetchManifest(ctx context.Context, repo distribution.Repository, ref refere
 	switch v := manifest.(type) {
 	// Removed Schema 1 support
 	case *schema2.DeserializedManifest:
-		imageManifest, err := pullManifestSchemaV2(ctx, ref, repo, *v)
-		if err != nil {
-			return types.ImageManifest{}, err
-		}
-		return imageManifest, nil
+		return pullManifestSchemaV2(ctx, ref, repo, *v)
 	case *ocischema.DeserializedManifest:
-		imageManifest, err := pullManifestOCISchema(ctx, ref, repo, *v)
-		if err != nil {
-			return types.ImageManifest{}, err
-		}
-		return imageManifest, nil
+		return pullManifestOCISchema(ctx, ref, repo, *v)
 	case *manifestlist.DeserializedManifestList:
 		return types.ImageManifest{}, errors.Errorf("%s is a manifest list", ref)
 	}
@@ -56,11 +48,7 @@ func fetchList(ctx context.Context, repo distribution.Repository, ref reference.
 
 	switch v := manifest.(type) {
 	case *manifestlist.DeserializedManifestList:
-		imageManifests, err := pullManifestList(ctx, ref, repo, *v)
-		if err != nil {
-			return nil, err
-		}
-		return imageManifests, nil
+		return pullManifestList(ctx, ref, repo, *v)
 	default:
 		return nil, errors.Errorf("unsupported manifest format: %v", v)
 	}
@@ -154,11 +142,8 @@ func validateManifestDigest(ref reference.Named, mfst distribution.Manifest) (oc
 	}
 
 	// If pull by digest, then verify the manifest digest.
-	if digested, isDigested := ref.(reference.Canonical); isDigested {
-		if digested.Digest() != desc.Digest {
-			err := errors.Errorf("manifest verification failed for digest %s", digested.Digest())
-			return ocispec.Descriptor{}, err
-		}
+	if digested, isDigested := ref.(reference.Canonical); isDigested && digested.Digest() != desc.Digest {
+		return ocispec.Descriptor{}, errors.Errorf("manifest verification failed for digest %s", digested.Digest())
 	}
 
 	return desc, nil
@@ -167,12 +152,11 @@ func validateManifestDigest(ref reference.Named, mfst distribution.Manifest) (oc
 // pullManifestList handles "manifest lists" which point to various
 // platform-specific manifests.
 func pullManifestList(ctx context.Context, ref reference.Named, repo distribution.Repository, mfstList manifestlist.DeserializedManifestList) ([]types.ImageManifest, error) {
-	infos := []types.ImageManifest{}
-
 	if _, err := validateManifestDigest(ref, mfstList); err != nil {
 		return nil, err
 	}
 
+	infos := make([]types.ImageManifest, 0, len(mfstList.Manifests))
 	for _, manifestDescriptor := range mfstList.Manifests {
 		manSvc, err := repo.Manifests(ctx)
 		if err != nil {
@@ -202,7 +186,8 @@ func pullManifestList(ctx context.Context, ref reference.Named, repo distributio
 		}
 
 		// Replace platform from config
-		imageManifest.Descriptor.Platform = types.OCIPlatform(&manifestDescriptor.Platform)
+		p := manifestDescriptor.Platform
+		imageManifest.Descriptor.Platform = types.OCIPlatform(&p)
 
 		infos = append(infos, imageManifest)
 	}
@@ -217,12 +202,12 @@ func continueOnError(err error) bool {
 		}
 		return continueOnError(v[0])
 	case errcode.Error:
-		e := err.(errcode.Error)
-		switch e.Code {
+		switch e := err.(errcode.Error); e.Code {
 		case errcode.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
 			return true
+		default:
+			return false
 		}
-		return false
 	case *distclient.UnexpectedHTTPResponseError:
 		return true
 	}
@@ -242,11 +227,6 @@ func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named,
 
 	confirmedTLSRegistries := make(map[string]bool)
 	for _, endpoint := range endpoints {
-		if endpoint.Version == registry.APIVersion1 {
-			logrus.Debugf("skipping v1 endpoint %s", endpoint.URL)
-			continue
-		}
-
 		if endpoint.URL.Scheme != "https" {
 			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
 				logrus.Debugf("skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)

vendor/github.com/docker/cli/cli/trust/trust.go

@@ -12,8 +12,8 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/config"
-	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/client/auth"
 	"github.com/docker/distribution/registry/client/auth/challenge"
 	"github.com/docker/distribution/registry/client/transport"

vendor/github.com/docker/cli/opts/hosts_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package opts
 

vendor/github.com/docker/cli/opts/ip.go

@@ -1,47 +0,0 @@
-package opts
-
-import (
-	"fmt"
-	"net"
-)
-
-// IPOpt holds an IP. It is used to store values from CLI flags.
-type IPOpt struct {
-	*net.IP
-}
-
-// NewIPOpt creates a new IPOpt from a reference net.IP and a
-// string representation of an IP. If the string is not a valid
-// IP it will fallback to the specified reference.
-func NewIPOpt(ref *net.IP, defaultVal string) *IPOpt {
-	o := &IPOpt{
-		IP: ref,
-	}
-	o.Set(defaultVal)
-	return o
-}
-
-// Set sets an IPv4 or IPv6 address from a given string. If the given
-// string is not parseable as an IP address it returns an error.
-func (o *IPOpt) Set(val string) error {
-	ip := net.ParseIP(val)
-	if ip == nil {
-		return fmt.Errorf("%s is not an ip address", val)
-	}
-	*o.IP = ip
-	return nil
-}
-
-// String returns the IP address stored in the IPOpt. If stored IP is a
-// nil pointer, it returns an empty string.
-func (o *IPOpt) String() string {
-	if *o.IP == nil {
-		return ""
-	}
-	return o.IP.String()
-}
-
-// Type returns the type of the option
-func (o *IPOpt) Type() string {
-	return "ip"
-}

vendor/github.com/docker/cli/opts/mount.go

@@ -2,6 +2,7 @@ package opts
 
 import (
 	"encoding/csv"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -10,6 +11,7 @@ import (
 
 	mounttypes "github.com/docker/docker/api/types/mount"
 	"github.com/docker/go-units"
+	"github.com/sirupsen/logrus"
 )
 
 // MountOpt is a Value type for parsing mounts
@@ -112,6 +114,32 @@ func (m *MountOpt) Set(value string) error {
 			if err != nil {
 				return fmt.Errorf("invalid value for %s: %s", key, val)
 			}
+			logrus.Warn("bind-nonrecursive is deprecated, use bind-recursive=disabled instead")
+		case "bind-recursive":
+			valS := val
+			// Allow boolean as an alias to "enabled" or "disabled"
+			if b, err := strconv.ParseBool(valS); err == nil {
+				if b {
+					valS = "enabled"
+				} else {
+					valS = "disabled"
+				}
+			}
+			switch valS {
+			case "enabled": // read-only mounts are recursively read-only if Engine >= v25 && kernel >= v5.12, otherwise writable
+				// NOP
+			case "disabled": // alias of bind-nonrecursive=true
+				bindOptions().NonRecursive = true
+			case "writable": // conforms to the default read-only bind-mount of Docker v24; read-only mounts are recursively mounted but not recursively read-only
+				bindOptions().ReadOnlyNonRecursive = true
+			case "readonly": // force recursively read-only, or raise an error
+				bindOptions().ReadOnlyForceRecursive = true
+				// TODO: implicitly set propagation and error if the user specifies a propagation in a future refactor/UX polish pass
+				// https://github.com/docker/cli/pull/4316#discussion_r1341974730
+			default:
+				return fmt.Errorf("invalid value for %s: %s (must be \"enabled\", \"disabled\", \"writable\", or \"readonly\")",
+					key, val)
+			}
 		case "volume-nocopy":
 			volumeOptions().NoCopy, err = strconv.ParseBool(val)
 			if err != nil {
@@ -161,6 +189,22 @@ func (m *MountOpt) Set(value string) error {
 		return fmt.Errorf("cannot mix 'tmpfs-*' options with mount type '%s'", mount.Type)
 	}
 
+	if mount.BindOptions != nil {
+		if mount.BindOptions.ReadOnlyNonRecursive {
+			if !mount.ReadOnly {
+				return errors.New("option 'bind-recursive=writable' requires 'readonly' to be specified in conjunction")
+			}
+		}
+		if mount.BindOptions.ReadOnlyForceRecursive {
+			if !mount.ReadOnly {
+				return errors.New("option 'bind-recursive=readonly' requires 'readonly' to be specified in conjunction")
+			}
+			if mount.BindOptions.Propagation != mounttypes.PropagationRPrivate {
+				return errors.New("option 'bind-recursive=readonly' requires 'bind-propagation=rprivate' to be specified in conjunction")
+			}
+		}
+	}
+
 	m.values = append(m.values, mount)
 	return nil
 }

vendor/github.com/docker/cli/opts/network.go

@@ -12,6 +12,8 @@ const (
 	networkOptAlias       = "alias"
 	networkOptIPv4Address = "ip"
 	networkOptIPv6Address = "ip6"
+	networkOptMacAddress  = "mac-address"
+	networkOptLinkLocalIP = "link-local-ip"
 	driverOpt             = "driver-opt"
 )
 
@@ -23,7 +25,8 @@ type NetworkAttachmentOpts struct {
 	Links        []string // TODO add support for links in the csv notation of `--network`
 	IPv4Address  string
 	IPv6Address  string
-	LinkLocalIPs []string // TODO add support for LinkLocalIPs in the csv notation of `--network` ?
+	LinkLocalIPs []string
+	MacAddress   string
 }
 
 // NetworkOpt represents a network config in swarm mode.
@@ -32,7 +35,7 @@ type NetworkOpt struct {
 }
 
 // Set networkopts value
-func (n *NetworkOpt) Set(value string) error {
+func (n *NetworkOpt) Set(value string) error { //nolint:gocyclo
 	longSyntax, err := regexp.MatchString(`\w+=\w+(,\w+=\w+)*`, value)
 	if err != nil {
 		return err
@@ -66,6 +69,10 @@ func (n *NetworkOpt) Set(value string) error {
 				netOpt.IPv4Address = val
 			case networkOptIPv6Address:
 				netOpt.IPv6Address = val
+			case networkOptMacAddress:
+				netOpt.MacAddress = val
+			case networkOptLinkLocalIP:
+				netOpt.LinkLocalIPs = append(netOpt.LinkLocalIPs, val)
 			case driverOpt:
 				key, val, err = parseDriverOpt(val)
 				if err != nil {

vendor/github.com/docker/cli/opts/opts.go

@@ -224,13 +224,17 @@ type ValidatorFctType func(val string) (string, error)
 // ValidatorFctListType defines a validator function that returns a validated list of string and/or an error
 type ValidatorFctListType func(val string) ([]string, error)
 
-// ValidateIPAddress validates an Ip address.
+// ValidateIPAddress validates if the given value is a correctly formatted
+// IP address, and returns the value in normalized form. Leading and trailing
+// whitespace is allowed, but it does not allow IPv6 addresses surrounded by
+// square brackets ("[::1]").
+//
+// Refer to [net.ParseIP] for accepted formats.
 func ValidateIPAddress(val string) (string, error) {
-	ip := net.ParseIP(strings.TrimSpace(val))
-	if ip != nil {
+	if ip := net.ParseIP(strings.TrimSpace(val)); ip != nil {
 		return ip.String(), nil
 	}
-	return "", fmt.Errorf("%s is not an ip address", val)
+	return "", fmt.Errorf("IP address is not correctly formatted: %s", val)
 }
 
 // ValidateMACAddress validates a MAC address.

vendor/github.com/docker/cli/opts/parse.go

@@ -71,21 +71,26 @@ func ConvertKVStringsToMapWithNil(values []string) map[string]*string {
 
 // ParseRestartPolicy returns the parsed policy or an error indicating what is incorrect
 func ParseRestartPolicy(policy string) (container.RestartPolicy, error) {
-	p := container.RestartPolicy{}
-
 	if policy == "" {
-		return p, nil
+		// for backward-compatibility, we don't set the default ("no")
+		// policy here, because older versions of the engine may not
+		// support it.
+		return container.RestartPolicy{}, nil
 	}
 
-	k, v, _ := strings.Cut(policy, ":")
+	p := container.RestartPolicy{}
+	k, v, ok := strings.Cut(policy, ":")
+	if ok && k == "" {
+		return container.RestartPolicy{}, fmt.Errorf("invalid restart policy format: no policy provided before colon")
+	}
 	if v != "" {
 		count, err := strconv.Atoi(v)
 		if err != nil {
-			return p, fmt.Errorf("invalid restart policy format: maximum retry count must be an integer")
+			return container.RestartPolicy{}, fmt.Errorf("invalid restart policy format: maximum retry count must be an integer")
 		}
 		p.MaximumRetryCount = count
 	}
 
-	p.Name = k
+	p.Name = container.RestartPolicyMode(k)
 	return p, nil
 }