Merge pull request #3095 from thaJeztah/migrate_archive

migrate to github.com/moby/go-archive module

driver/docker-container/driver.go

@@ -24,11 +24,10 @@ import (
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/errdefs"
-	dockerarchive "github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/moby/buildkit/client"
+	mobyarchive "github.com/moby/go-archive"
 	"github.com/pkg/errors"
 )
 
@@ -250,8 +249,8 @@ func (d *Driver) copyToContainer(ctx context.Context, files map[string][]byte) e
 	if srcPath != "" {
 		defer os.RemoveAll(srcPath)
 	}
-	srcArchive, err := dockerarchive.TarWithOptions(srcPath, &dockerarchive.TarOptions{
+	srcArchive, err := mobyarchive.TarWithOptions(srcPath, &mobyarchive.TarOptions{
-		ChownOpts: &idtools.Identity{UID: 0, GID: 0},
+		ChownOpts: &mobyarchive.ChownOpts{UID: 0, GID: 0},
 	})
 	if err != nil {
 		return err

go.mod

@@ -30,6 +30,7 @@ require (
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/moby/buildkit v0.21.0-rc1
+	github.com/moby/go-archive v0.0.0-20250404171912-21f3f3385ab7
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/signal v0.7.1
 	github.com/morikuni/aec v1.0.0

go.sum

@@ -283,6 +283,8 @@ github.com/moby/buildkit v0.21.0-rc1 h1:QWTyHpHUtsyUMH0CH7QStisI/FmS9njRC1FK4vVY
 github.com/moby/buildkit v0.21.0-rc1/go.mod h1:coiVDxJmP1PD+79HAnTJvBMetLTdCws8gpWiYX2vcH8=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.0.0-20250404171912-21f3f3385ab7 h1:CWAY9uG9JhmLmnM7T64+bV0C9IraDrvxEwXq1HJ7hhk=
+github.com/moby/go-archive v0.0.0-20250404171912-21f3f3385ab7/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
@@ -586,8 +588,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
 k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
 k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=

vendor/github.com/docker/docker/pkg/idtools/idtools.go

@@ -1,149 +0,0 @@
-package idtools
-
-import (
-	"fmt"
-	"os"
-)
-
-// IDMap contains a single entry for user namespace range remapping. An array
-// of IDMap entries represents the structure that will be provided to the Linux
-// kernel for creating a user namespace.
-type IDMap struct {
-	ContainerID int `json:"container_id"`
-	HostID      int `json:"host_id"`
-	Size        int `json:"size"`
-}
-
-// MkdirAllAndChown creates a directory (include any along the path) and then modifies
-// ownership to the requested uid/gid.  If the directory already exists, this
-// function will still change ownership and permissions.
-func MkdirAllAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, true)
-}
-
-// MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
-// If the directory already exists, this function still changes ownership and permissions.
-// Note that unlike os.Mkdir(), this function does not return IsExist error
-// in case path already exists.
-func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, false, true)
-}
-
-// MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
-// ownership ONLY of newly created directories to the requested uid/gid. If the
-// directories along the path exist, no change of ownership or permissions will be performed
-func MkdirAllAndChownNew(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, false)
-}
-
-// GetRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
-// If the maps are empty, then the root uid/gid will default to "real" 0/0
-func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
-	uid, err := toHost(0, uidMap)
-	if err != nil {
-		return -1, -1, err
-	}
-	gid, err := toHost(0, gidMap)
-	if err != nil {
-		return -1, -1, err
-	}
-	return uid, gid, nil
-}
-
-// toContainer takes an id mapping, and uses it to translate a
-// host ID to the remapped ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id
-func toContainer(hostID int, idMap []IDMap) (int, error) {
-	if idMap == nil {
-		return hostID, nil
-	}
-	for _, m := range idMap {
-		if (hostID >= m.HostID) && (hostID <= (m.HostID + m.Size - 1)) {
-			contID := m.ContainerID + (hostID - m.HostID)
-			return contID, nil
-		}
-	}
-	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
-}
-
-// toHost takes an id mapping and a remapped ID, and translates the
-// ID to the mapped host ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id #
-func toHost(contID int, idMap []IDMap) (int, error) {
-	if idMap == nil {
-		return contID, nil
-	}
-	for _, m := range idMap {
-		if (contID >= m.ContainerID) && (contID <= (m.ContainerID + m.Size - 1)) {
-			hostID := m.HostID + (contID - m.ContainerID)
-			return hostID, nil
-		}
-	}
-	return -1, fmt.Errorf("Container ID %d cannot be mapped to a host ID", contID)
-}
-
-// Identity is either a UID and GID pair or a SID (but not both)
-type Identity struct {
-	UID int
-	GID int
-	SID string
-}
-
-// Chown changes the numeric uid and gid of the named file to id.UID and id.GID.
-func (id Identity) Chown(name string) error {
-	return os.Chown(name, id.UID, id.GID)
-}
-
-// IdentityMapping contains a mappings of UIDs and GIDs.
-// The zero value represents an empty mapping.
-type IdentityMapping struct {
-	UIDMaps []IDMap `json:"UIDMaps"`
-	GIDMaps []IDMap `json:"GIDMaps"`
-}
-
-// RootPair returns a uid and gid pair for the root user. The error is ignored
-// because a root user always exists, and the defaults are correct when the uid
-// and gid maps are empty.
-func (i IdentityMapping) RootPair() Identity {
-	uid, gid, _ := GetRootUIDGID(i.UIDMaps, i.GIDMaps)
-	return Identity{UID: uid, GID: gid}
-}
-
-// ToHost returns the host UID and GID for the container uid, gid.
-// Remapping is only performed if the ids aren't already the remapped root ids
-func (i IdentityMapping) ToHost(pair Identity) (Identity, error) {
-	var err error
-	target := i.RootPair()
-
-	if pair.UID != target.UID {
-		target.UID, err = toHost(pair.UID, i.UIDMaps)
-		if err != nil {
-			return target, err
-		}
-	}
-
-	if pair.GID != target.GID {
-		target.GID, err = toHost(pair.GID, i.GIDMaps)
-	}
-	return target, err
-}
-
-// ToContainer returns the container UID and GID for the host uid and gid
-func (i IdentityMapping) ToContainer(pair Identity) (int, int, error) {
-	uid, err := toContainer(pair.UID, i.UIDMaps)
-	if err != nil {
-		return -1, -1, err
-	}
-	gid, err := toContainer(pair.GID, i.GIDMaps)
-	return uid, gid, err
-}
-
-// Empty returns true if there are no id mappings
-func (i IdentityMapping) Empty() bool {
-	return len(i.UIDMaps) == 0 && len(i.GIDMaps) == 0
-}
-
-// CurrentIdentity returns the identity of the current process
-func CurrentIdentity() Identity {
-	return Identity{UID: os.Getuid(), GID: os.Getegid()}
-}

vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go

@@ -1,166 +0,0 @@
-//go:build !windows
-
-package idtools
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strconv"
-	"syscall"
-
-	"github.com/moby/sys/user"
-)
-
-func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
-	path, err := filepath.Abs(path)
-	if err != nil {
-		return err
-	}
-
-	stat, err := os.Stat(path)
-	if err == nil {
-		if !stat.IsDir() {
-			return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
-		}
-		if !chownExisting {
-			return nil
-		}
-
-		// short-circuit -- we were called with an existing directory and chown was requested
-		return setPermissions(path, mode, owner, stat)
-	}
-
-	// make an array containing the original path asked for, plus (for mkAll == true)
-	// all path components leading up to the complete path that don't exist before we MkdirAll
-	// so that we can chown all of them properly at the end.  If chownExisting is false, we won't
-	// chown the full directory path if it exists
-	var paths []string
-	if os.IsNotExist(err) {
-		paths = []string{path}
-	}
-
-	if mkAll {
-		// walk back to "/" looking for directories which do not exist
-		// and add them to the paths array for chown after creation
-		dirPath := path
-		for {
-			dirPath = filepath.Dir(dirPath)
-			if dirPath == "/" {
-				break
-			}
-			if _, err = os.Stat(dirPath); err != nil && os.IsNotExist(err) {
-				paths = append(paths, dirPath)
-			}
-		}
-		if err = os.MkdirAll(path, mode); err != nil {
-			return err
-		}
-	} else if err = os.Mkdir(path, mode); err != nil {
-		return err
-	}
-	// even if it existed, we will chown the requested path + any subpaths that
-	// didn't exist when we called MkdirAll
-	for _, pathComponent := range paths {
-		if err = setPermissions(pathComponent, mode, owner, nil); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username
-//
-// Deprecated: use [user.LookupUser] instead
-func LookupUser(name string) (user.User, error) {
-	return user.LookupUser(name)
-}
-
-// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid
-//
-// Deprecated: use [user.LookupUid] instead
-func LookupUID(uid int) (user.User, error) {
-	return user.LookupUid(uid)
-}
-
-// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
-//
-// Deprecated: use [user.LookupGroup] instead
-func LookupGroup(name string) (user.Group, error) {
-	return user.LookupGroup(name)
-}
-
-// setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
-// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
-// dir is on an NFS share, so don't call chown unless we absolutely must.
-// Likewise for setting permissions.
-func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo) error {
-	if stat == nil {
-		var err error
-		stat, err = os.Stat(p)
-		if err != nil {
-			return err
-		}
-	}
-	if stat.Mode().Perm() != mode.Perm() {
-		if err := os.Chmod(p, mode.Perm()); err != nil {
-			return err
-		}
-	}
-	ssi := stat.Sys().(*syscall.Stat_t)
-	if ssi.Uid == uint32(owner.UID) && ssi.Gid == uint32(owner.GID) {
-		return nil
-	}
-	return os.Chown(p, owner.UID, owner.GID)
-}
-
-// LoadIdentityMapping takes a requested username and
-// using the data from /etc/sub{uid,gid} ranges, creates the
-// proper uid and gid remapping ranges for that user/group pair
-func LoadIdentityMapping(name string) (IdentityMapping, error) {
-	// TODO: Consider adding support for calling out to "getent"
-	usr, err := user.LookupUser(name)
-	if err != nil {
-		return IdentityMapping{}, fmt.Errorf("could not get user for username %s: %v", name, err)
-	}
-
-	subuidRanges, err := lookupSubRangesFile("/etc/subuid", usr)
-	if err != nil {
-		return IdentityMapping{}, err
-	}
-	subgidRanges, err := lookupSubRangesFile("/etc/subgid", usr)
-	if err != nil {
-		return IdentityMapping{}, err
-	}
-
-	return IdentityMapping{
-		UIDMaps: subuidRanges,
-		GIDMaps: subgidRanges,
-	}, nil
-}
-
-func lookupSubRangesFile(path string, usr user.User) ([]IDMap, error) {
-	uidstr := strconv.Itoa(usr.Uid)
-	rangeList, err := user.ParseSubIDFileFilter(path, func(sid user.SubID) bool {
-		return sid.Name == usr.Name || sid.Name == uidstr
-	})
-	if err != nil {
-		return nil, err
-	}
-	if len(rangeList) == 0 {
-		return nil, fmt.Errorf("no subuid ranges found for user %q", usr.Name)
-	}
-
-	idMap := []IDMap{}
-
-	containerID := 0
-	for _, idrange := range rangeList {
-		idMap = append(idMap, IDMap{
-			ContainerID: containerID,
-			HostID:      int(idrange.SubID),
-			Size:        int(idrange.Count),
-		})
-		containerID = containerID + int(idrange.Count)
-	}
-	return idMap, nil
-}

vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go

@@ -1,24 +0,0 @@
-package idtools
-
-import (
-	"os"
-)
-
-const (
-	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
-)
-
-// TODO(thaJeztah): these magic consts need a source of reference, and should be defined in a canonical location
-const (
-	ContainerAdministratorSidString = "S-1-5-93-2-1"
-
-	ContainerUserSidString = "S-1-5-93-2-2"
-)
-
-// This is currently a wrapper around [os.MkdirAll] since currently
-// permissions aren't set through this path, the identity isn't utilized.
-// Ownership is handled elsewhere, but in the future could be support here
-// too.
-func mkdirAs(path string, _ os.FileMode, _ Identity, _, _ bool) error {
-	return os.MkdirAll(path, 0)
-}

vendor/github.com/moby/go-archive/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/moby/go-archive/archive.go

@@ -25,10 +25,10 @@ import (
 	"time"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/idtools"
 	"github.com/klauspost/compress/zstd"
 	"github.com/moby/patternmatcher"
 	"github.com/moby/sys/sequential"
+	"github.com/moby/sys/user"
 )
 
 // ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
@@ -49,14 +49,19 @@ type (
 	// WhiteoutFormat is the format of whiteouts unpacked
 	WhiteoutFormat int
 
+	ChownOpts struct {
+		UID int
+		GID int
+	}
+
 	// TarOptions wraps the tar options.
 	TarOptions struct {
 		IncludeFiles     []string
 		ExcludePatterns  []string
 		Compression      Compression
 		NoLchown         bool
-		IDMap            idtools.IdentityMapping
+		IDMap            user.IdentityMapping
-		ChownOpts        *idtools.Identity
+		ChownOpts        *ChownOpts
 		IncludeSourceDir bool
 		// WhiteoutFormat is the expected on disk format for whiteout files.
 		// This format will be converted to the standard format on pack
@@ -83,7 +88,7 @@ type (
 // mappings for untar, an Archiver can be created with maps which will then be passed to Untar operations.
 type Archiver struct {
 	Untar     func(io.Reader, string, *TarOptions) error
-	IDMapping idtools.IdentityMapping
+	IDMapping user.IdentityMapping
 }
 
 // NewDefaultArchiver returns a new Archiver without any IdentityMapping
@@ -598,8 +603,8 @@ type tarAppender struct {
 
 	// for hardlink mapping
 	SeenFiles       map[uint64]string
-	IdentityMapping idtools.IdentityMapping
+	IdentityMapping user.IdentityMapping
-	ChownOpts       *idtools.Identity
+	ChownOpts       *ChownOpts
 
 	// For packing and unpacking whiteout files in the
 	// non standard format. The whiteout files defined
@@ -608,7 +613,7 @@ type tarAppender struct {
 	WhiteoutConverter tarWhiteoutConverter
 }
 
-func newTarAppender(idMapping idtools.IdentityMapping, writer io.Writer, chownOpts *idtools.Identity) *tarAppender {
+func newTarAppender(idMapping user.IdentityMapping, writer io.Writer, chownOpts *ChownOpts) *tarAppender {
 	return &tarAppender{
 		SeenFiles:       make(map[uint64]string),
 		TarWriter:       tar.NewWriter(writer),
@@ -679,11 +684,11 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 	// writing tar headers/files. We skip whiteout files because they were written
 	// by the kernel and already have proper ownership relative to the host
 	if !isOverlayWhiteout && !strings.HasPrefix(filepath.Base(hdr.Name), WhiteoutPrefix) && !ta.IdentityMapping.Empty() {
-		fileIDPair, err := getFileUIDGID(fi.Sys())
+		uid, gid, err := getFileUIDGID(fi.Sys())
 		if err != nil {
 			return err
 		}
-		hdr.Uid, hdr.Gid, err = ta.IdentityMapping.ToContainer(fileIDPair)
+		hdr.Uid, hdr.Gid, err = ta.IdentityMapping.ToContainer(uid, gid)
 		if err != nil {
 			return err
 		}
@@ -743,7 +748,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 	var (
 		Lchown                     = true
 		inUserns, bestEffortXattrs bool
-		chownOpts                  *idtools.Identity
+		chownOpts                  *ChownOpts
 	)
 
 	// TODO(thaJeztah): make opts a required argument.
@@ -839,7 +844,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 	// Lchown is not supported on Windows.
 	if Lchown && runtime.GOOS != "windows" {
 		if chownOpts == nil {
-			chownOpts = &idtools.Identity{UID: hdr.Uid, GID: hdr.Gid}
+			chownOpts = &ChownOpts{UID: hdr.Uid, GID: hdr.Gid}
 		}
 		if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
 			var msg string
@@ -1272,9 +1277,9 @@ func createImpliedDirectories(dest string, hdr *tar.Header, options *TarOptions)
 			// RootPair() is confined inside this loop as most cases will not require a call, so we can spend some
 			// unneeded function calls in the uncommon case to encapsulate logic -- implied directories are a niche
 			// usage that reduces the portability of an image.
-			rootIDs := options.IDMap.RootPair()
+			uid, gid := options.IDMap.RootPair()
 
-			err = idtools.MkdirAllAndChownNew(parentPath, ImpliedDirectoryMode, rootIDs)
+			err = user.MkdirAllAndChown(parentPath, ImpliedDirectoryMode, uid, gid, user.WithOnlyNew)
 			if err != nil {
 				return err
 			}
@@ -1370,9 +1375,9 @@ func (archiver *Archiver) CopyWithTar(src, dst string) error {
 	// if this Archiver is set up with ID mapping we need to create
 	// the new destination directory with the remapped root UID/GID pair
 	// as owner
-	rootIDs := archiver.IDMapping.RootPair()
+	uid, gid := archiver.IDMapping.RootPair()
 	// Create dst, copy src's content into it
-	if err := idtools.MkdirAllAndChownNew(dst, 0o755, rootIDs); err != nil {
+	if err := user.MkdirAllAndChown(dst, 0o755, uid, gid, user.WithOnlyNew); err != nil {
 		return err
 	}
 	return archiver.TarUntar(src, dst)
@@ -1456,13 +1461,13 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 }
 
 // IdentityMapping returns the IdentityMapping of the archiver.
-func (archiver *Archiver) IdentityMapping() idtools.IdentityMapping {
+func (archiver *Archiver) IdentityMapping() user.IdentityMapping {
 	return archiver.IDMapping
 }
 
-func remapIDs(idMapping idtools.IdentityMapping, hdr *tar.Header) error {
+func remapIDs(idMapping user.IdentityMapping, hdr *tar.Header) error {
-	ids, err := idMapping.ToHost(idtools.Identity{UID: hdr.Uid, GID: hdr.Gid})
+	uid, gid, err := idMapping.ToHost(hdr.Uid, hdr.Gid)
-	hdr.Uid, hdr.Gid = ids.UID, ids.GID
+	hdr.Uid, hdr.Gid = uid, gid
 	return err
 }
 

vendor/github.com/moby/go-archive/archive_unix.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/docker/docker/pkg/idtools"
 	"golang.org/x/sys/unix"
 )
 
@@ -82,13 +81,13 @@ func getInodeFromStat(stat interface{}) (uint64, error) {
 	return s.Ino, nil
 }
 
-func getFileUIDGID(stat interface{}) (idtools.Identity, error) {
+func getFileUIDGID(stat interface{}) (int, int, error) {
 	s, ok := stat.(*syscall.Stat_t)
 
 	if !ok {
-		return idtools.Identity{}, errors.New("cannot convert stat value to syscall.Stat_t")
+		return 0, 0, errors.New("cannot convert stat value to syscall.Stat_t")
 	}
-	return idtools.Identity{UID: int(s.Uid), GID: int(s.Gid)}, nil
+	return int(s.Uid), int(s.Gid), nil
 }
 
 // handleTarTypeBlockCharFifo is an OS-specific helper function used by

vendor/github.com/moby/go-archive/archive_windows.go

@@ -5,8 +5,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-
-	"github.com/docker/docker/pkg/idtools"
 )
 
 // longPathPrefix is the longpath prefix for Windows file paths.
@@ -63,7 +61,7 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
 	return nil
 }
 
-func getFileUIDGID(stat interface{}) (idtools.Identity, error) {
+func getFileUIDGID(stat interface{}) (int, int, error) {
 	// no notion of file ownership mapping yet on Windows
-	return idtools.Identity{UID: 0, GID: 0}, nil
+	return 0, 0, nil
 }

vendor/github.com/moby/go-archive/changes.go

@@ -14,7 +14,7 @@ import (
 	"time"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/sys/user"
 )
 
 // ChangeType represents the change type.
@@ -383,7 +383,7 @@ func ChangesSize(newDir string, changes []Change) int64 {
 }
 
 // ExportChanges produces an Archive from the provided changes, relative to dir.
-func ExportChanges(dir string, changes []Change, idMap idtools.IdentityMapping) (io.ReadCloser, error) {
+func ExportChanges(dir string, changes []Change, idMap user.IdentityMapping) (io.ReadCloser, error) {
 	reader, writer := io.Pipe()
 	go func() {
 		ta := newTarAppender(idMap, writer, nil)

vendor/modules.txt

@@ -298,10 +298,8 @@ github.com/docker/docker/client
 github.com/docker/docker/errdefs
 github.com/docker/docker/internal/lazyregexp
 github.com/docker/docker/internal/multierror
-github.com/docker/docker/pkg/archive
 github.com/docker/docker/pkg/atomicwriter
 github.com/docker/docker/pkg/homedir
-github.com/docker/docker/pkg/idtools
 github.com/docker/docker/pkg/jsonmessage
 github.com/docker/docker/pkg/namesgenerator
 github.com/docker/docker/pkg/stdcopy
@@ -568,6 +566,9 @@ github.com/moby/buildkit/version
 # github.com/moby/docker-image-spec v1.3.1
 ## explicit; go 1.18
 github.com/moby/docker-image-spec/specs-go/v1
+# github.com/moby/go-archive v0.0.0-20250404171912-21f3f3385ab7
+## explicit; go 1.23.0
+github.com/moby/go-archive
 # github.com/moby/locker v1.0.1
 ## explicit; go 1.13
 github.com/moby/locker