Merge pull request #2178 from crazy-max/0.12_backport_fix-builder-creation

[v0.12 backport] driver(container): fix conditional statement for error handling

.github/workflows/codeql.yml

@@ -0,0 +1,42 @@
+name: codeql
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+  pull_request:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+env:
+  GO_VERSION: 1.21.3
+
+jobs:
+  codeql:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go
+      -
+        name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:go"

bake/bake.go

@@ -949,8 +949,10 @@ func (t *Target) GetEvalContexts(ectx *hcl.EvalContext, block *hcl.Block, loadDe
 			for _, e := range ectxs {
 				e2 := ectx.NewChild()
 				e2.Variables = make(map[string]cty.Value)
-				for k, v := range e.Variables {
-					e2.Variables[k] = v
+				if e != ectx {
+					for k, v := range e.Variables {
+						e2.Variables[k] = v
+					}
 				}
 				e2.Variables[k] = v
 				ectxs2 = append(ectxs2, e2)

bake/hcl_test.go

@@ -1113,6 +1113,27 @@ func TestHCLMatrixBadTypes(t *testing.T) {
 	require.Error(t, err)
 }
 
+func TestHCLMatrixWithGlobalTarget(t *testing.T) {
+	dt := []byte(`
+		target "x" {
+			tags = ["a", "b"]
+		}
+		
+		target "default" {
+			tags = target.x.tags
+			matrix = {
+				dummy = [""]
+			}
+		}
+	`)
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "x", c.Targets[0].Name)
+	require.Equal(t, "default", c.Targets[1].Name)
+	require.Equal(t, []string{"a", "b"}, c.Targets[1].Tags)
+}
+
 func TestJSONAttributes(t *testing.T) {
 	dt := []byte(`{"FOO": "abc", "variable": {"BAR": {"default": "def"}}, "target": { "app": { "args": {"v1": "pre-${FOO}-${BAR}"}} } }`)
 

build/build.go

@@ -814,6 +814,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	results := waitmap.New()
 
 	multiTarget := len(opt) > 1
+	childTargets := calculateChildTargets(m, opt)
 
 	for k, opt := range opt {
 		err := func(k string) error {
@@ -944,7 +945,26 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 							printRes = res.Metadata
 						}
 
-						results.Set(resultKey(dp.driverIndex, k), res)
+						rKey := resultKey(dp.driverIndex, k)
+						results.Set(rKey, res)
+
+						if children, ok := childTargets[rKey]; ok && len(children) > 0 {
+							// we need to wait until the child targets have completed before we can release
+							eg, ctx := errgroup.WithContext(ctx)
+							eg.Go(func() error {
+								return res.EachRef(func(ref gateway.Reference) error {
+									return ref.Evaluate(ctx)
+								})
+							})
+							eg.Go(func() error {
+								_, err := results.Get(ctx, children...)
+								return err
+							})
+							if err := eg.Wait(); err != nil {
+								return nil, err
+							}
+						}
+
 						return res, nil
 					}
 					var rr *client.SolveResponse
@@ -1482,6 +1502,24 @@ func resultKey(index int, name string) string {
 	return fmt.Sprintf("%d-%s", index, name)
 }
 
+// calculateChildTargets returns all the targets that depend on current target for reverse index
+func calculateChildTargets(drivers map[string][]driverPair, opt map[string]Options) map[string][]string {
+	out := make(map[string][]string)
+	for src := range opt {
+		dps := drivers[src]
+		for _, dp := range dps {
+			so := *dp.so
+			for k, v := range so.FrontendAttrs {
+				if strings.HasPrefix(k, "context:") && strings.HasPrefix(v, "target:") {
+					target := resultKey(dp.driverIndex, strings.TrimPrefix(v, "target:"))
+					out[target] = append(out[target], resultKey(dp.driverIndex, src))
+				}
+			}
+		}
+	}
+	return out
+}
+
 func waitContextDeps(ctx context.Context, index int, results *waitmap.Map, so *client.SolveOpt) error {
 	m := map[string]string{}
 	for k, v := range so.FrontendAttrs {

commands/bake.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
+	"strings"
 
 	"github.com/containerd/console"
 	"github.com/containerd/containerd/platforms"
@@ -98,8 +100,6 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 	defer cancel()
 
 	var nodes []builder.Node
-	var files []bake.File
-	var inp *bake.Input
 	var progressConsoleDesc, progressTextDesc string
 
 	// instance only needed for reading remote bake files or building
@@ -147,18 +147,15 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 		}
 	}()
 
-	if url != "" {
-		files, inp, err = bake.ReadRemoteFiles(ctx, nodes, url, in.files, printer)
-	} else {
-		progress.Wrap("[internal] load local bake definitions", printer.Write, func(sub progress.SubLogger) error {
-			files, err = bake.ReadLocalFiles(in.files, dockerCli.In(), sub)
-			return nil
-		})
-	}
+	files, inp, err := readBakeFiles(ctx, nodes, url, in.files, dockerCli.In(), printer)
 	if err != nil {
 		return err
 	}
 
+	if len(files) == 0 {
+		return errors.New("couldn't find a bake definition")
+	}
+
 	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
 		// don't forget to update documentation if you add a new
 		// built-in variable: docs/bake-reference.md#built-in-variables
@@ -296,3 +293,42 @@ func saveLocalStateGroup(dockerCli command.Cli, ref string, lsg localstate.State
 	}
 	return l.SaveGroup(ref, lsg)
 }
+
+func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names []string, stdin io.Reader, pw progress.Writer) (files []bake.File, inp *bake.Input, err error) {
+	var lnames []string
+	var rnames []string
+	for _, v := range names {
+		if strings.HasPrefix(v, "cwd://") {
+			lnames = append(lnames, strings.TrimPrefix(v, "cwd://"))
+		} else {
+			rnames = append(rnames, v)
+		}
+	}
+
+	if url != "" {
+		var rfiles []bake.File
+		rfiles, inp, err = bake.ReadRemoteFiles(ctx, nodes, url, rnames, pw)
+		if err != nil {
+			return nil, nil, err
+		}
+		files = append(files, rfiles...)
+	}
+
+	if len(lnames) > 0 || url == "" {
+		var lfiles []bake.File
+		progress.Wrap("[internal] load local bake definitions", pw.Write, func(sub progress.SubLogger) error {
+			if url != "" {
+				lfiles, err = bake.ReadLocalFiles(lnames, stdin, sub)
+			} else {
+				lfiles, err = bake.ReadLocalFiles(append(lnames, rnames...), stdin, sub)
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		files = append(files, lfiles...)
+	}
+
+	return
+}

docs/bake-reference.md

@@ -274,13 +274,13 @@ target "db" {
 
 ### `target.annotations`
 
-The `annotations` attribute is a shortcut to allow you to easily set a list of
-annotations on the target.
+The `annotations` attribute lets you add annotations to images built with bake.
+The key takes a list of annotations, in the format of `KEY=VALUE`.
 
 ```hcl
 target "default" {
   output = ["type=image,name=foo"]
-  annotations = ["key=value"]
+  annotations = ["org.opencontainers.image.authors=dvdksn"]
 }
 ```
 
@@ -288,10 +288,25 @@ is the same as
 
 ```hcl
 target "default" {
-  output = ["type=image,name=foo,annotation.key=value"]
+  output = ["type=image,name=foo,annotation.org.opencontainers.image.authors=dvdksn"]
 }
 ```
 
+By default, the annotation is added to image manifests. You can configure the
+level of the annotations by adding a prefix to the annotation, containing a
+comma-separated list of all the levels that you want to annotate. The following
+example adds annotations to both the image index and manifests.
+
+```hcl
+target "default" {
+  output = ["type=image,name=foo"]
+  annotations = ["index,manifest:org.opencontainers.image.authors=dvdksn"]
+}
+```
+
+Read about the supported levels in
+[Specifying annotation levels](https://docs.docker.com/build/building/annotations/#specifying-annotation-levels).
+
 ### `target.attest`
 
 The `attest` attribute lets you apply [build attestations][attestations] to the target.

docs/reference/buildx.md

@@ -1,6 +1,6 @@
 # buildx
 
-```
+```text
 docker buildx [OPTIONS] COMMAND
 ```
 

docs/reference/buildx_bake.md

@@ -1,6 +1,6 @@
 # buildx bake
 
-```
+```text
 docker buildx bake [OPTIONS] [TARGET...]
 ```
 
@@ -33,7 +33,7 @@ Build from a file
 
 ## Description
 
-Bake is a high-level build command. Each specified target will run in parallel
+Bake is a high-level build command. Each specified target runs in parallel
 as part of the build.
 
 Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
@@ -54,8 +54,8 @@ Same as [`buildx --builder`](buildx.md#builder).
 ### <a name="file"></a> Specify a build definition file (-f, --file)
 
 Use the `-f` / `--file` option to specify the build definition file to use.
-The file can be an HCL, JSON or Compose file. If multiple files are specified
-they are all read and configurations are combined.
+The file can be an HCL, JSON or Compose file. If multiple files are specified,
+all are read and the build configurations are combined.
 
 You can pass the names of the targets to build, to build only specific target(s).
 The following example builds the `db` and `webapp-release` targets that are
@@ -90,9 +90,9 @@ $ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 See the [Bake file reference](https://docs.docker.com/build/bake/reference/)
 for more details.
 
-### <a name="no-cache"></a> Do not use cache when building the image (--no-cache)
+### <a name="no-cache"></a> Don't use cache when building the image (--no-cache)
 
-Same as `build --no-cache`. Do not use cache when building the image.
+Same as `build --no-cache`. Don't use cache when building the image.
 
 ### <a name="print"></a> Print the options without building (--print)
 
@@ -154,7 +154,7 @@ $ docker buildx bake --set *.platform=linux/arm64     # overrides platform for a
 $ docker buildx bake --set foo*.no-cache              # bypass caching only for targets starting with 'foo'
 ```
 
-Complete list of overridable fields:
+You can override the following fields:
 
 * `args`
 * `cache-from`

docs/reference/buildx_build.md

@@ -1,6 +1,6 @@
 # buildx build
 
-```
+```text
 docker buildx build [OPTIONS] PATH | URL | -
 ```
 
@@ -17,7 +17,7 @@ Start a build
 |:-------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
 | [`--add-host`](https://docs.docker.com/engine/reference/commandline/build/#add-host)                                                                   | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
 | [`--allow`](#allow)                                                                                                                                    | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
-| `--annotation`                                                                                                                                         | `stringArray` |           | Add annotation to the image                                                                         |
+| [`--annotation`](#annotation)                                                                                                                          | `stringArray` |           | Add annotation to the image                                                                         |
 | [`--attest`](#attest)                                                                                                                                  | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
 | [`--build-arg`](#build-arg)                                                                                                                            | `stringArray` |           | Set build-time variables                                                                            |
 | [`--build-context`](#build-context)                                                                                                                    | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
@@ -64,14 +64,60 @@ The `buildx build` command starts a build using BuildKit. This command is simila
 to the UI of `docker build` command and takes the same flags and arguments.
 
 For documentation on most of these flags, refer to the [`docker build`
-documentation](https://docs.docker.com/engine/reference/commandline/build/). In
-here we'll document a subset of the new flags.
+documentation](https://docs.docker.com/engine/reference/commandline/build/).
+This page describes a subset of the new flags.
 
 ## Examples
 
+### <a name="annotation"></a> Create annotations (--annotation)
+
+```text
+--annotation="key=value"
+--annotation="[type:]key=value"
+```
+
+Add OCI annotations to the image index, manifest, or descriptor.
+The following example adds the `foo=bar` annotation to the image manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "foo=bar" --push .
+```
+
+You can optionally add a type prefix to specify the level of the annotation. By
+default, the image manifest is annotated. The following example adds the
+`foo=bar` annotation the image index instead of the manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "index:foo=bar" --push .
+```
+
+You can specify multiple types, separated by a comma (,) to add the annotation
+to multiple image components. The following example adds the `foo=bar`
+annotation to image index, descriptors, manifests:
+
+```console
+$ docker buildx build -t TAG --annotation "index,manifest,manifest-descriptor:foo=bar" --push .
+```
+
+You can also specify a platform qualifier in square brackets (`[os/arch]`) in
+the type prefix, to apply the annotation to a subset of manifests with the
+matching platform. The following example adds the `foo=bar` annotation only to
+the manifest with the `linux/amd64` platform:
+
+```console
+$ docker buildx build -t TAG --annotation "manifest[linux/amd64]:foo=bar" --push .
+```
+
+Wildcards are not supported in the platform qualifier; you can't specify a type
+prefix like `manifest[linux/*]` to add annotations only to manifests which has
+`linux` as the OS platform.
+
+For more information about annotations, see
+[Annotations](https://docs.docker.com/build/building/annotations/).
+
 ### <a name="attest"></a> Create attestations (--attest)
 
-```
+```text
 --attest=type=sbom,...
 --attest=type=provenance,...
 ```
@@ -98,7 +144,7 @@ BuildKit currently supports:
 
 ### <a name="allow"></a> Allow extra privileged entitlement (--allow)
 
-```
+```text
 --allow=ENTITLEMENT
 ```
 
@@ -109,9 +155,7 @@ Allow extra privileged entitlement. List of entitlements:
   [related Dockerfile extensions](https://docs.docker.com/engine/reference/builder/#run---securitysandbox).
 
 For entitlements to be enabled, the `buildkitd` daemon also needs to allow them
-with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags))
-
-**Examples**
+with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)).
 
 ```console
 $ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
@@ -122,23 +166,21 @@ $ docker buildx build --allow security.insecure .
 
 Same as [`docker build` command](https://docs.docker.com/engine/reference/commandline/build/#build-arg).
 
-There are also useful built-in build args like:
+There are also useful built-in build arguments, such as:
 
-* `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>` trigger git context to keep the `.git` directory
-* `BUILDKIT_INLINE_CACHE=<bool>` inline cache metadata to image config or not
-* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into deterministic output regardless of multi-platform output or not
+* `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>`: trigger git context to keep the `.git` directory
+* `BUILDKIT_INLINE_CACHE=<bool>`: inline cache metadata to image config or not
+* `BUILDKIT_MULTI_PLATFORM=<bool>`: opt into deterministic output regardless of multi-platform output or not
 
 ```console
 $ docker buildx build --build-arg BUILDKIT_MULTI_PLATFORM=1 .
 ```
 
-> **Note**
->
-> More built-in build args can be found in [Dockerfile reference docs](https://docs.docker.com/engine/reference/builder/#buildkit-built-in-build-args).
+Learn more about the built-in build arguments in the [Dockerfile reference docs](https://docs.docker.com/engine/reference/builder/#buildkit-built-in-build-args).
 
 ### <a name="build-context"></a> Additional build contexts (--build-context)
 
-```
+```text
 --build-context=name=VALUE
 ```
 
@@ -166,7 +208,7 @@ FROM alpine
 COPY --from=project myfile /
 ```
 
-#### <a name="source-oci-layout"></a> Source image from OCI layout directory
+#### <a name="source-oci-layout"></a> Use an OCI layout directory as build context
 
 Source an image from a local [OCI layout compliant directory](https://github.com/opencontainers/image-spec/blob/main/image-layout.md),
 either by tag, or by digest:
@@ -194,7 +236,7 @@ Same as [`buildx --builder`](buildx.md#builder).
 
 ### <a name="cache-from"></a> Use an external cache source for a build (--cache-from)
 
-```
+```text
 --cache-from=[NAME|type=TYPE[,KEY=VALUE]]
 ```
 
@@ -230,7 +272,7 @@ More info about cache exporters and available attributes: https://github.com/mob
 
 ### <a name="cache-to"></a> Export build cache to an external cache destination (--cache-to)
 
-```
+```text
 --cache-to=[NAME|type=TYPE[,KEY=VALUE]]
 ```
 
@@ -247,9 +289,8 @@ Export build cache to an external cache destination. Supported types are
 - [`s3` type](https://github.com/moby/buildkit#s3-cache-experimental) exports
   cache to a S3 bucket.
 
-`docker` driver currently only supports exporting inline cache metadata to image
-configuration. Alternatively, `--build-arg BUILDKIT_INLINE_CACHE=1` can be used
-to trigger inline cache exporter.
+The `docker` driver only supports cache exports using the `inline` and `local`
+cache backends.
 
 Attribute key:
 
@@ -283,6 +324,7 @@ directory of the specified file must already exist and be writable.
 $ docker buildx build --load --metadata-file metadata.json .
 $ cat metadata.json
 ```
+
 ```json
 {
   "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
@@ -301,14 +343,14 @@ $ cat metadata.json
 
 ### <a name="output"></a> Set the export action for the build result (-o, --output)
 
-```
+```text
 -o, --output=[PATH,-,type=TYPE[,KEY=VALUE]
 ```
 
 Sets the export action for the build result. In `docker build` all builds finish
 by creating a container image and exporting it to `docker images`. `buildx` makes
 this step configurable allowing results to be exported directly to the client,
-oci image tarballs, registry etc.
+OCI image tarballs, registry etc.
 
 Buildx with `docker` driver currently only supports local, tarball exporter and
 image exporter. `docker-container` driver supports all the exporters.
@@ -363,15 +405,15 @@ The `docker` export type writes the single-platform result image as a [Docker im
 specification](https://github.com/docker/docker/blob/v20.10.2/image/spec/v1.2.md)
 tarball on the client. Tarballs created by this exporter are also OCI compatible.
 
-Currently, multi-platform images cannot be exported with the `docker` export type.
-The most common usecase for multi-platform images is to directly push to a registry
-(see [`registry`](#registry)).
+The default image store in Docker Engine doesn't support loading multi-platform
+images. You can enable the containerd image store, or push multi-platform images
+is to directly push to a registry, see [`registry`](#registry).
 
 Attribute keys:
 
-- `dest` - destination path where tarball will be written. If not specified the
-  tar will be loaded automatically to the current docker instance.
-- `context` - name for the docker context where to import the result
+- `dest` - destination path where tarball will be written. If not specified,
+  the tar will be loaded automatically to the local image store.
+- `context` - name for the Docker context where to import the result
 
 #### `image`
 
@@ -382,7 +424,7 @@ can be automatically pushed to a registry by specifying attributes.
 Attribute keys:
 
 - `name` - name (references) for the new image.
-- `push` - boolean to automatically push the image.
+- `push` - Boolean to automatically push the image.
 
 #### `registry`
 
@@ -390,7 +432,7 @@ The `registry` exporter is a shortcut for `type=image,push=true`.
 
 ### <a name="platform"></a> Set the target platforms for the build (--platform)
 
-```
+```text
 --platform=value[,value]
 ```
 
@@ -419,12 +461,12 @@ and `arm` architectures. You can see what runtime platforms your current builder
 instance supports by running `docker buildx inspect --bootstrap`.
 
 Inside a `Dockerfile`, you can access the current platform value through
-`TARGETPLATFORM` build argument. Please refer to the [`docker build`
+`TARGETPLATFORM` build argument. Refer to the [`docker build`
 documentation](https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope)
 for the full description of automatic platform argument variants .
 
-The formatting for the platform specifier is defined in the [containerd source
-code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
+You can find the formatting definition for the platform specifier in the
+[containerd source code](https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63).
 
 ```console
 $ docker buildx build --platform=linux/arm64 .
@@ -434,11 +476,11 @@ $ docker buildx build --platform=darwin .
 
 ### <a name="progress"></a> Set type of progress output (--progress)
 
-```
+```text
 --progress=VALUE
 ```
 
-Set type of progress output (auto, plain, tty). Use plain to show container
+Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container
 output (default "auto").
 
 > **Note**
@@ -472,15 +514,18 @@ provenance attestations for the build result. For example,
 `--provenance=mode=max` can be used as an abbreviation for
 `--attest=type=provenance,mode=max`.
 
-Additionally, `--provenance` can be used with boolean values to broadly enable
-or disable provenance attestations. For example, `--provenance=false` can be
-used to disable all provenance attestations, while `--provenance=true` can be
-used to enable all provenance attestations.
+Additionally, `--provenance` can be used with Boolean values to enable or disable
+provenance attestations. For example, `--provenance=false` disables all provenance attestations,
+while `--provenance=true` enables all provenance attestations.
 
 By default, a minimal provenance attestation will be created for the build
-result, which will only be attached for images pushed to registries.
+result. Note that the default image store in Docker Engine doesn't support
+attestations. Provenance attestations only persist for images pushed directly
+to a registry if you use the default image store. Alternatively, you can switch
+to using the containerd image store.
 
-For more information, see [here](https://docs.docker.com/build/attestations/slsa-provenance/).
+For more information about provenance attestations, see
+[here](https://docs.docker.com/build/attestations/slsa-provenance/).
 
 ### <a name="push"></a> Push the build result to a registry (--push)
 
@@ -494,15 +539,19 @@ attestations for the build result. For example,
 `--sbom=generator=<user>/<generator-image>` can be used as an abbreviation for
 `--attest=type=sbom,generator=<user>/<generator-image>`.
 
-Additionally, `--sbom` can be used with boolean values to broadly enable or
-disable SBOM attestations. For example, `--sbom=false` can be used to disable
-all SBOM attestations.
+Additionally, `--sbom` can be used with Boolean values to enable or disable
+SBOM attestations. For example, `--sbom=false` disables all SBOM attestations.
+
+Note that the default image store in Docker Engine doesn't support
+attestations. Provenance attestations only persist for images pushed directly
+to a registry if you use the default image store. Alternatively, you can switch
+to using the containerd image store.
 
 For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
 
 ### <a name="secret"></a> Secret to expose to the build (--secret)
 
-```
+```text
 --secret=[type=TYPE[,KEY=VALUE]
 ```
 
@@ -515,7 +564,7 @@ If `type` is unset it will be detected. Supported types are:
 
 Attribute keys:
 
-- `id` - ID of the secret. Defaults to basename of the `src` path.
+- `id` - ID of the secret. Defaults to base name of the `src` path.
 - `src`, `source` - Secret filename. `id` used if unset.
 
 ```dockerfile
@@ -557,7 +606,7 @@ optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
 
 ### <a name="ssh"></a> SSH agent socket or keys to expose to the build (--ssh)
 
-```
+```text
 --ssh=default|<id>[=<socket>|<key>[,<key>]]
 ```
 
@@ -597,6 +646,6 @@ $ docker buildx build --ulimit nofile=1024:1024 .
 
 > **Note**
 >
-> If you do not provide a `hard limit`, the `soft limit` is used
-> for both values. If no `ulimits` are set, they are inherited from
+> If you don't provide a `hard limit`, the `soft limit` is used
+> for both values. If no `ulimits` are set, they're inherited from
 > the default `ulimits` set on the daemon.

docs/reference/buildx_create.md

@@ -1,6 +1,6 @@
 # buildx create
 
-```
+```text
 docker buildx create [OPTIONS] [CONTEXT|ENDPOINT]
 ```
 
@@ -29,9 +29,9 @@ Create a new builder instance
 
 ## Description
 
-Create makes a new builder instance pointing to a docker context or endpoint,
+Create makes a new builder instance pointing to a Docker context or endpoint,
 where context is the name of a context from `docker context ls` and endpoint is
-the address for docker socket (eg. `DOCKER_HOST` value).
+the address for Docker socket (eg. `DOCKER_HOST` value).
 
 By default, the current Docker configuration is used for determining the
 context/endpoint value.
@@ -57,7 +57,7 @@ eager_beaver
 
 ### <a name="buildkitd-flags"></a> Specify options for the buildkitd daemon (--buildkitd-flags)
 
-```
+```text
 --buildkitd-flags FLAGS
 ```
 
@@ -65,13 +65,13 @@ Adds flags when starting the buildkitd daemon. They take precedence over the
 configuration file specified by [`--config`](#config). See `buildkitd --help`
 for the available flags.
 
-```
+```text
 --buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
 ```
 
 ### <a name="config"></a> Specify a configuration file for the buildkitd daemon (--config)
 
-```
+```text
 --config FILE
 ```
 
@@ -79,7 +79,8 @@ Specifies the configuration file for the buildkitd daemon to use. The configurat
 can be overridden by [`--buildkitd-flags`](#buildkitd-flags).
 See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
 
-If the configuration file is not specified, will look for one by default in:
+If you don't specify a configuration file, Buildx looks for one by default in:
+
 * `$BUILDX_CONFIG/buildkitd.default.toml`
 * `$DOCKER_CONFIG/buildx/buildkitd.default.toml`
 * `~/.docker/buildx/buildkitd.default.toml`
@@ -91,23 +92,30 @@ will be updated to reflect that.
 
 ### <a name="driver"></a> Set the builder driver to use (--driver)
 
-```
+```text
 --driver DRIVER
 ```
 
-Sets the builder driver to be used. There are two available drivers, each have
-their own specificities.
+Sets the builder driver to be used. A driver is a configuration of a BuildKit
+backend. Buildx supports the following drivers:
+
+* `docker` (default)
+* `docker-container`
+* `kubernetes`
+* `remote`
+
+For more information about build drivers, see [here](https://docs.docker.com/build/drivers/).
 
 #### `docker` driver
 
-Uses the builder that is built into the docker daemon. With this driver,
+Uses the builder that is built into the Docker daemon. With this driver,
 the [`--load`](buildx_build.md#load) flag is implied by default on
 `buildx build`. However, building multi-platform images or exporting cache is
 not currently supported.
 
 #### `docker-container` driver
 
-Uses a BuildKit container that will be spawned via docker. With this driver,
+Uses a BuildKit container that will be spawned via Docker. With this driver,
 both building multi-platform images and exporting cache are supported.
 
 Unlike `docker` driver, built images will not automatically appear in
@@ -116,7 +124,7 @@ to achieve that.
 
 #### `kubernetes` driver
 
-Uses a kubernetes pods. With this driver, you can spin up pods with defined
+Uses Kubernetes pods. With this driver, you can spin up pods with defined
 BuildKit container image to build your images.
 
 Unlike `docker` driver, built images will not automatically appear in
@@ -135,59 +143,18 @@ to achieve that.
 
 ### <a name="driver-opt"></a> Set additional driver-specific options (--driver-opt)
 
-```
+```text
 --driver-opt OPTIONS
 ```
 
 Passes additional driver-specific options.
+For information about available driver options, refer to the detailed
+documentation for the specific driver:
 
-Note: When using quoted values for the `nodeselector`, `annotations`, `labels` or
-`tolerations` options, ensure that quotes are escaped correctly for your shell.
-
-#### `docker` driver
-
-No driver options.
-
-#### `docker-container` driver
-
-- `image=IMAGE` - Sets the BuildKit image to use for the container.
-- `memory=MEMORY` - Sets the amount of memory the container can use.
-- `memory-swap=MEMORY_SWAP` - Sets the memory swap limit for the container.
-- `cpu-quota=CPU_QUOTA` - Imposes a CPU CFS quota on the container.
-- `cpu-period=CPU_PERIOD` - Sets the CPU CFS scheduler period for the container.
-- `cpu-shares=CPU_SHARES` - Configures CPU shares (relative weight) of the container.
-- `cpuset-cpus=CPUSET_CPUS` - Limits the set of CPU cores the container can use.
-- `cpuset-mems=CPUSET_MEMS` - Limits the set of CPU memory nodes the container can use.
-- `network=NETMODE` - Sets the network mode for the container.
-- `cgroup-parent=CGROUP` - Sets the cgroup parent of the container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`.
-
-Before you configure the resource limits for the container, read about [configuring runtime resource constraints for containers](https://docs.docker.com/config/containers/resource_constraints/).
-
-#### `kubernetes` driver
-
-- `image=IMAGE` - Sets the container image to be used for running buildkit.
-- `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
-- `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
-- `requests.cpu` - Sets the request CPU value specified in units of Kubernetes CPU. Example `requests.cpu=100m`, `requests.cpu=2`
-- `requests.memory` - Sets the request memory value specified in bytes or with a valid suffix. Example `requests.memory=500Mi`, `requests.memory=4G`
-- `limits.cpu` - Sets the limit CPU value specified in units of Kubernetes CPU. Example `limits.cpu=100m`, `limits.cpu=2`
-- `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G`
-- `serviceaccount` - Sets the created pod's service account. Example `serviceaccount=example-sa`
-- `"nodeselector=label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64`
-- `"annotations=domain/thing1=value1,domain/thing2=value2"` - Sets additional annotations on the deployments and pods. No Defaults. Example `annotations=example.com/owner=sarah`
-- `"labels=domain/thing1=value1,domain/thing2=value2"` - Sets additional labels on the deployments and pods. No Defaults. Example `labels=example.com/team=rd`
-- `"tolerations=key=foo,value=bar;key=foo2,operator=exists;key=foo3,effect=NoSchedule"` - Sets the `Pod` tolerations. Accepts the same values as the kube manifest tolera>tions. Key-value pairs are separated by `,`, tolerations are separated by `;`. No Defaults. Example `tolerations=operator=exists`
-- `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Needs Kubernetes 1.19 or later. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false.
-- `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"
-- `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support.
-- `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest`
-
-#### `remote` driver
-
-- `key=KEY` - Sets the TLS client key.
-- `cert=CERT` - Sets the TLS client certificate to present to buildkitd.
-- `cacert=CACERT` - Sets the TLS certificate authority used for validation.
-- `servername=SERVER` - Sets the TLS server name to be used in requests (defaults to the endpoint hostname).
+* [`docker` driver](https://docs.docker.com/build/drivers/docker/)
+* [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/)
+* [`kubernetes` driver](https://docs.docker.com/build/drivers/kubernetes/)
+* [`remote` driver](https://docs.docker.com/build/drivers/remote/)
 
 ### <a name="leave"></a> Remove a node from a builder (--leave)
 
@@ -201,7 +168,7 @@ $ docker buildx create --name mybuilder --node mybuilder0 --leave
 
 ### <a name="name"></a> Specify the name of the builder (--name)
 
-```
+```text
 --name NAME
 ```
 
@@ -210,17 +177,17 @@ If none is specified, one will be automatically generated.
 
 ### <a name="node"></a> Specify the name of the node (--node)
 
-```
+```text
 --node NODE
 ```
 
 The `--node` flag specifies the name of the node to be created or modified. If
-none is specified, it is the name of the builder it belongs to, with an index
-number suffix.
+you don't specify a name, the node name defaults to the name of the builder it
+belongs to, with an index number suffix.
 
 ### <a name="platform"></a> Set the platforms supported by the node (--platform)
 
-```
+```text
 --platform PLATFORMS
 ```
 

docs/reference/buildx_du.md

@@ -1,6 +1,6 @@
 # buildx du
 
-```
+```text
 docker buildx du
 ```
 

docs/reference/buildx_imagetools.md

@@ -1,6 +1,6 @@
 # buildx imagetools
 
-```
+```text
 docker buildx imagetools [OPTIONS] COMMAND
 ```
 
@@ -26,8 +26,9 @@ Commands to work on images in registry
 
 ## Description
 
-Imagetools contains commands for working with manifest lists in the registry.
-These commands are useful for inspecting multi-platform build results.
+The `imagetools` commands contains subcommands for working with manifest lists
+in container registries. These commands are useful for inspecting manifests
+to check multi-platform configuration and attestations.
 
 ## Examples
 

docs/reference/buildx_imagetools_create.md

@@ -1,6 +1,6 @@
 # buildx imagetools create
 
-```
+```text
 docker buildx imagetools create [OPTIONS] [SOURCE] [SOURCE...]
 ```
 
@@ -11,7 +11,7 @@ Create a new image based on source images
 
 | Name                             | Type          | Default | Description                                                                              |
 |:---------------------------------|:--------------|:--------|:-----------------------------------------------------------------------------------------|
-| `--annotation`                   | `stringArray` |         | Add annotation to the image                                                              |
+| [`--annotation`](#annotation)    | `stringArray` |         | Add annotation to the image                                                              |
 | [`--append`](#append)            |               |         | Append to existing manifest                                                              |
 | [`--builder`](#builder)          | `string`      |         | Override the configured builder instance                                                 |
 | [`--dry-run`](#dry-run)          |               |         | Show final image instead of pushing                                                      |
@@ -31,6 +31,34 @@ specified, create performs a carbon copy.
 
 ## Examples
 
+### <a name="annotation"></a> Add annotations to an image (--annotation)
+
+The `--annotation` flag lets you add annotations the image index, manifest,
+and descriptors when creating a new image.
+
+The following command creates a `foo/bar:latest` image with the
+`org.opencontainers.image.authors` annotation on the image index.
+
+```console
+$ docker buildx imagetools create \
+  --annotation "index:org.opencontainers.image.authors=dvdksn" \
+  --tag foo/bar:latest \
+  foo/bar:alpha foo/bar:beta foo/bar:gamma
+```
+
+> **Note**
+>
+> The `imagetools create` command supports adding annotations to the image
+> index and descriptor, using the following type prefixes:
+>
+> - `index:`
+> - `manifest-descriptor:`
+>
+> It doesn't support annotating manifests or OCI layouts.
+
+For more information about annotations, see
+[Annotations](https://docs.docker.com/build/building/annotations/).
+
 ### <a name="append"></a> Append new sources to an existing manifest list (--append)
 
 Use the `--append` flag to append the new sources to an existing manifest list
@@ -46,7 +74,7 @@ Use the `--dry-run` flag to not push the image, just show it.
 
 ### <a name="file"></a> Read source descriptor from a file (-f, --file)
 
-```
+```text
 -f FILE or --file FILE
 ```
 
@@ -67,7 +95,7 @@ The supported fields for the descriptor are defined in [OCI spec](https://github
 
 ### <a name="tag"></a> Set reference for new image  (-t, --tag)
 
-```
+```text
 -t IMAGE or --tag IMAGE
 ```
 

docs/reference/buildx_imagetools_inspect.md

@@ -1,6 +1,6 @@
 # buildx imagetools inspect
 
-```
+```text
 docker buildx imagetools inspect [OPTIONS] NAME
 ```
 
@@ -123,23 +123,93 @@ Manifests:
 
 #### JSON output
 
-A `json` go template func is also available if you want to render fields as
-JSON bytes:
+A `json` template function is also available if you want to render fields in
+JSON format:
 
 ```console
-$ docker buildx imagetools inspect crazymax/loop --format "{{json .Manifest}}"
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Manifest}}"
 ```
+
 ```json
 {
-  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-  "digest": "sha256:a9ca35b798e0b198f9be7f3b8b53982e9a6cf96814cb10d78083f40ad8c127f1",
-  "size": 949
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "digest": "sha256:7007b387ccd52bd42a050f2e8020e56e64622c9269bf7bbe257b326fe99daf19",
+  "size": 855,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55",
+      "size": 673,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:a9de632c16998489fd63fbca42a03431df00639cfb2ecb8982bf9984b83c5b2b",
+      "size": 839,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    }
+  ]
+}
+```
+
+```console
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Image}}"
+```
+
+```json
+{
+  "created": "2022-12-01T11:46:47.713777178Z",
+  "architecture": "amd64",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ],
+    "Cmd": [
+      "/bin/sh"
+    ]
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf",
+      "sha256:d85d09ab4b4e921666ccc2db8532e857bf3476b7588e52c9c17741d7af14204f"
+    ]
+  },
+  "history": [
+    {
+      "created": "2022-11-22T22:19:28.870801855Z",
+      "created_by": "/bin/sh -c #(nop) ADD file:587cae71969871d3c6456d844a8795df9b64b12c710c275295a1182b46f630e7 in / "
+    },
+    {
+      "created": "2022-11-22T22:19:29.008562326Z",
+      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+      "empty_layer": true
+    },
+    {
+      "created": "2022-12-01T11:46:47.713777178Z",
+      "created_by": "RUN /bin/sh -c apk add curl # buildkit",
+      "comment": "buildkit.dockerfile.v0"
+    }
+  ]
 }
 ```
 
 ```console
 $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manifest}}"
 ```
+
 ```json
 {
   "schemaVersion": 2,
@@ -284,11 +354,13 @@ $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manife
 }
 ```
 
-Following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md) JSON output:
+The following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md)
+JSON output:
 
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Provenance}}"
 ```
+
 ```json
 {
   "SLSA": {
@@ -343,11 +415,13 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Pr
 }
 ```
 
-Following command provides [SBOM](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md) JSON output:
+The following command provides [SBOM](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md)
+JSON output:
 
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SBOM}}"
 ```
+
 ```json
 {
   "SPDX": {
@@ -372,6 +446,7 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SB
 ```console
 $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}"
 ```
+
 ```json
 {
   "name": "crazymax/buildkit:attest",
@@ -440,75 +515,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
         "comment": "buildkit.dockerfile.v0"
       }
     ]
-  },
-  "Provenance": {
-    "SLSA": {
-      "builder": {
-        "id": ""
-      },
-      "buildType": "https://mobyproject.org/buildkit@v1",
-      "materials": [
-        {
-          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
-          "digest": {
-            "sha256": "b45f1d207e16c3a3a5a10b254ad8ad358d01f7ea090d382b95c6b2ee2b3ef765"
-          }
-        },
-        {
-          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4"
-          }
-        }
-      ],
-      "invocation": {
-        "configSource": {},
-        "parameters": {
-          "frontend": "dockerfile.v0",
-          "locals": [
-            {
-              "name": "context"
-            },
-            {
-              "name": "dockerfile"
-            }
-          ]
-        },
-        "environment": {
-          "platform": "linux/amd64"
-        }
-      },
-      "metadata": {
-        "buildInvocationID": "02tdha2xkbxvin87mz9drhag4",
-        "buildStartedOn": "2022-12-01T11:50:07.264704131Z",
-        "buildFinishedOn": "2022-12-01T11:50:08.243788739Z",
-        "reproducible": false,
-        "completeness": {
-          "parameters": true,
-          "environment": true,
-          "materials": false
-        },
-        "https://mobyproject.org/buildkit@v1#metadata": {}
-      }
-    }
-  },
-  "SBOM": {
-    "SPDX": {
-      "SPDXID": "SPDXRef-DOCUMENT",
-      "creationInfo": {
-        "created": "2022-12-01T11:46:48.063400162Z",
-        "creators": [
-          "Tool: syft-v0.60.3",
-          "Tool: buildkit-1ace2bb",
-          "Organization: Anchore, Inc"
-        ],
-        "licenseListVersion": "3.18"
-      },
-      "dataLicense": "CC0-1.0",
-      "documentNamespace": "https://anchore.com/syft/dir/run/src/core-0a4ccc6d-1a72-4c3a-a40e-3df1a2ffca94",
-      "files": [...],
-      "spdxVersion": "SPDX-2.2"
-    }
   }
 }
 ```
@@ -522,6 +528,7 @@ go template function:
 ```console
 $ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")}}' moby/buildkit:master
 ```
+
 ```json
 {
   "created": "2022-11-30T17:42:26.414957336Z",
@@ -588,15 +595,14 @@ $ docker buildx imagetools inspect --format '{{json (index .Image "linux/s390x")
 }
 ```
 
-### <a name="raw"></a> Show original, unformatted JSON manifest (--raw)
+### <a name="raw"></a> Show original JSON manifest (--raw)
 
-Use the `--raw` option to print the unformatted JSON manifest bytes.
-
-> `jq` is used here to get a better rendering of the output result.
+Use the `--raw` option to print the raw JSON manifest.
 
 ```console
-$ docker buildx imagetools inspect --raw crazymax/loop | jq
+$ docker buildx imagetools inspect --raw crazymax/loop
 ```
+
 ```json
 {
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
@@ -629,6 +635,7 @@ $ docker buildx imagetools inspect --raw crazymax/loop | jq
 ```console
 $ docker buildx imagetools inspect --raw moby/buildkit:master | jq
 ```
+
 ```json
 {
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",

docs/reference/buildx_inspect.md

@@ -1,6 +1,6 @@
 # buildx inspect
 
-```
+```text
 docker buildx inspect [NAME]
 ```
 
@@ -27,7 +27,7 @@ Shows information about the current or specified builder.
 
 Use the `--bootstrap` option to ensure that the builder is running before
 inspecting it. If the driver is `docker-container`, then `--bootstrap` starts
-the buildkit container and waits until it is operational. Bootstrapping is
+the BuildKit container and waits until it's operational. Bootstrapping is
 automatically done during build, and therefore not necessary. The same BuildKit
 container is used during the lifetime of the associated builder node (as
 displayed in `buildx ls`).
@@ -45,7 +45,9 @@ The following example shows information about a builder instance named
 
 > **Note**
 >
-> Asterisk `*` next to node build platform(s) indicate they had been set manually during `buildx create`. Otherwise, it had been autodetected.
+> The asterisk (`*`) next to node build platform(s) indicate they have been
+> manually set during `buildx create`. Otherwise the platforms were
+> automatically detected.
 
 ```console
 $ docker buildx inspect elated_tesla

docs/reference/buildx_ls.md

@@ -1,6 +1,6 @@
 # buildx ls
 
-```
+```text
 docker buildx ls
 ```
 

docs/reference/buildx_prune.md

@@ -1,6 +1,6 @@
 # buildx prune
 
-```
+```text
 docker buildx prune
 ```
 

docs/reference/buildx_rm.md

@@ -1,6 +1,6 @@
 # buildx rm
 
-```
+```text
 docker buildx rm [NAME]
 ```
 
@@ -50,10 +50,13 @@ $ docker buildx rm --all-inactive --force
 
 ### <a name="keep-daemon"></a> Keep the buildkitd daemon running (--keep-daemon)
 
-Keep the buildkitd daemon running after the buildx context is removed. This is useful when you manage buildkitd daemons and buildx contexts independently.
-Currently, only supported by the [`docker-container` and `kubernetes` drivers](buildx_create.md#driver).
+Keep the BuildKit daemon running after the buildx context is removed. This is
+useful when you manage buildkitd daemons and buildx contexts independently.
+Only supported by the
+[`docker-container`](https://docs.docker.com/build/drivers/docker-container/)
+and [`kubernetes`](https://docs.docker.com/build/drivers/kubernetes/) drivers.
 
 ### <a name="keep-state"></a> Keep BuildKit state (--keep-state)
 
 Keep BuildKit state, so it can be reused by a new builder with the same name.
-Currently, only supported by the [`docker-container` driver](buildx_create.md#driver).
+Currently, only supported by the [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/).

docs/reference/buildx_stop.md

@@ -18,7 +18,7 @@ Stop builder instance
 
 ## Description
 
-Stops the specified or current builder. This will not prevent buildx build to
+Stops the specified or current builder. This does not prevent buildx build to
 restart the builder. The implementation of stop depends on the driver.
 
 ## Examples

docs/reference/buildx_version.md

@@ -1,6 +1,6 @@
 # buildx version
 
-```
+```text
 docker buildx version
 ```
 
@@ -16,5 +16,5 @@ View version information
 
 ```console
 $ docker buildx version
-github.com/docker/buildx v0.5.1-docker 11057da37336192bfc57d81e02359ba7ba848e4a
+github.com/docker/buildx v0.11.2 9872040b6626fb7d87ef7296fd5b832e8cc2ad17
 ```

driver/docker-container/driver.go

@@ -33,12 +33,16 @@ import (
 )
 
 const (
-	volumeStateSuffix = "_state"
+	volumeStateSuffix   = "_state"
+	buildkitdConfigFile = "buildkitd.toml"
 )
 
 type Driver struct {
 	driver.InitConfig
-	factory      driver.Factory
+	factory driver.Factory
+
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/docker-container.md
 	netMode      string
 	image        string
 	memory       opts.MemBytes
@@ -111,9 +115,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 		Image: imageName,
 		Env:   d.env,
 	}
-	if d.InitConfig.BuildkitFlags != nil {
-		cfg.Cmd = d.InitConfig.BuildkitFlags
-	}
+	cfg.Cmd = getBuildkitFlags(d.InitConfig)
 
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	return l.Wrap("creating container "+d.Name, func() error {
@@ -250,7 +252,9 @@ func (d *Driver) copyToContainer(ctx context.Context, files map[string][]byte) e
 		return err
 	}
 	defer srcArchive.Close()
-	return d.DockerAPI.CopyToContainer(ctx, d.Name, "/", srcArchive, dockertypes.CopyToContainerOptions{})
+
+	baseDir := path.Dir(confutil.DefaultBuildKitConfigDir)
+	return d.DockerAPI.CopyToContainer(ctx, d.Name, baseDir, srcArchive, dockertypes.CopyToContainerOptions{})
 }
 
 func (d *Driver) exec(ctx context.Context, cmd []string) (string, net.Conn, error) {
@@ -466,15 +470,34 @@ func writeConfigFiles(m map[string][]byte) (_ string, err error) {
 			os.RemoveAll(tmpDir)
 		}
 	}()
+	configDir := filepath.Base(confutil.DefaultBuildKitConfigDir)
 	for f, dt := range m {
-		f = path.Join(confutil.DefaultBuildKitConfigDir, f)
-		p := filepath.Join(tmpDir, f)
-		if err := os.MkdirAll(filepath.Dir(p), 0700); err != nil {
+		p := filepath.Join(tmpDir, configDir, f)
+		if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil {
 			return "", err
 		}
-		if err := os.WriteFile(p, dt, 0600); err != nil {
+		if err := os.WriteFile(p, dt, 0644); err != nil {
 			return "", err
 		}
 	}
 	return tmpDir, nil
 }
+
+func getBuildkitFlags(initConfig driver.InitConfig) []string {
+	flags := initConfig.BuildkitFlags
+	if _, ok := initConfig.Files[buildkitdConfigFile]; ok {
+		// There's no way for us to determine the appropriate default configuration
+		// path and the default path can vary depending on if the image is normal
+		// or rootless.
+		//
+		// In order to ensure that --config works, copy to a specific path and
+		// specify the location.
+		//
+		// This should be appended before the user-specified arguments
+		// so that this option could be overwritten by the user.
+		newFlags := make([]string, 0, len(flags)+2)
+		newFlags = append(newFlags, "--config", path.Join("/etc/buildkit", buildkitdConfigFile))
+		flags = append(newFlags, flags...)
+	}
+	return flags
+}

driver/docker-container/factory.go

@@ -51,11 +51,11 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		case k == "image":
 			d.image = v
 		case k == "memory":
-			if err := d.memory.Set(v); err == nil {
+			if err := d.memory.Set(v); err != nil {
 				return nil, err
 			}
 		case k == "memory-swap":
-			if err := d.memorySwap.Set(v); err == nil {
+			if err := d.memorySwap.Set(v); err != nil {
 				return nil, err
 			}
 		case k == "cpu-period":

driver/docker/driver.go

@@ -17,6 +17,8 @@ type Driver struct {
 	factory driver.Factory
 	driver.InitConfig
 
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/docker.md
 	features    features
 	hostGateway hostGateway
 }

driver/kubernetes/driver.go

@@ -38,7 +38,10 @@ const (
 
 type Driver struct {
 	driver.InitConfig
-	factory          driver.Factory
+	factory driver.Factory
+
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/kubernetes.md
 	minReplicas      int
 	deployment       *appsv1.Deployment
 	configMaps       []*corev1.ConfigMap

driver/remote/driver.go

@@ -14,6 +14,9 @@ import (
 type Driver struct {
 	factory driver.Factory
 	driver.InitConfig
+
+	// if you add fields, remember to update docs:
+	// https://github.com/docker/docs/blob/main/content/build/drivers/remote.md
 	*tlsOpts
 }
 

tests/bake.go

@@ -23,12 +23,14 @@ var bakeTests = []func(t *testing.T, sb integration.Sandbox){
 	testBakeLocalMulti,
 	testBakeRemote,
 	testBakeRemoteCmdContext,
+	testBakeRemoteLocalOverride,
 	testBakeRemoteCmdContextOverride,
 	testBakeRemoteContextSubdir,
 	testBakeRemoteCmdContextEscapeRoot,
 	testBakeRemoteCmdContextEscapeRelative,
 	testBakeRemoteDockerfileCwd,
 	testBakeRemoteLocalContextRemoteDockerfile,
+	testBakeEmpty,
 }
 
 func testBakeLocal(t *testing.T, sb integration.Sandbox) {
@@ -46,6 +48,7 @@ target "default" {
 		fstest.CreateFile("Dockerfile", dockerfile, 0600),
 		fstest.CreateFile("foo", []byte("foo"), 0600),
 	)
+
 	dirDest := t.TempDir()
 
 	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+dirDest))
@@ -79,16 +82,23 @@ services:
 		fstest.CreateFile("Dockerfile", dockerfile, 0600),
 		fstest.CreateFile("foo", []byte("foo"), 0600),
 	)
+
 	dirDest := t.TempDir()
 
 	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+dirDest))
-	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, out)
-	require.Contains(t, string(out), `#1 [internal] load local bake definitions`)
-	require.Contains(t, string(out), `#1 reading compose.yaml`)
-	require.Contains(t, string(out), `#1 reading docker-bake.hcl`)
-
+	dt, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(dt))
+	require.Contains(t, string(dt), `#1 [internal] load local bake definitions`)
+	require.Contains(t, string(dt), `#1 reading compose.yaml`)
+	require.Contains(t, string(dt), `#1 reading docker-bake.hcl`)
 	require.FileExists(t, filepath.Join(dirDest, "foo"))
+
+	dirDest2 := t.TempDir()
+
+	out, err := bakeCmd(sb, withDir(dir), withArgs("--file", "cwd://docker-bake.hcl", "--set", "*.output=type=local,dest="+dirDest2))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest2, "foo"))
 }
 
 func testBakeRemote(t *testing.T, sb integration.Sandbox) {
@@ -121,6 +131,48 @@ EOT
 	require.FileExists(t, filepath.Join(dirDest, "foo"))
 }
 
+func testBakeRemoteLocalOverride(t *testing.T, sb integration.Sandbox) {
+	remoteBakefile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	localBakefile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY bar /bar
+EOT
+}
+`)
+	dirSpec := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", remoteBakefile, 0600),
+		fstest.CreateFile("bar", []byte("bar"), 0600),
+	)
+	dirSrc := tmpdir(
+		t,
+		fstest.CreateFile("local-docker-bake.hcl", localBakefile, 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dirSpec))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl", "bar")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(sb, withDir(dirSrc), withArgs(addr, "--file", "cwd://local-docker-bake.hcl", "--set", "*.output=type=local,dest="+dirDest))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "bar"))
+}
+
 func testBakeRemoteCmdContext(t *testing.T, sb integration.Sandbox) {
 	bakefile := []byte(`
 target "default" {
@@ -426,3 +478,9 @@ COPY foo /foo
 	require.Error(t, err, out)
 	require.Contains(t, out, "reading a dockerfile for a remote build invocation is currently not supported")
 }
+
+func testBakeEmpty(t *testing.T, sb integration.Sandbox) {
+	out, err := bakeCmd(sb)
+	require.Error(t, err, out)
+	require.Contains(t, out, "couldn't find a bake definition")
+}

tests/create.go

@@ -0,0 +1,39 @@
+package tests
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/stretchr/testify/require"
+)
+
+func createCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("create")}, opts...)
+	cmd := buildxCmd(sb, opts...)
+	out, err := cmd.CombinedOutput()
+	return string(out), err
+}
+
+var createTests = []func(t *testing.T, sb integration.Sandbox){
+	testCreateMemoryLimit,
+}
+
+func testCreateMemoryLimit(t *testing.T, sb integration.Sandbox) {
+	if sb.Name() != "docker-container" {
+		t.Skip("only testing for docker-container driver")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--driver-opt", "network=host", "--driver-opt", "memory=1g"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+}

tests/integration_test.go

@@ -27,6 +27,7 @@ func TestIntegration(t *testing.T) {
 	tests = append(tests, lsTests...)
 	tests = append(tests, imagetoolsTests...)
 	tests = append(tests, versionTests...)
+	tests = append(tests, createTests...)
 	testIntegration(t, tests...)
 }
 

tests/rm.go

@@ -0,0 +1,12 @@
+package tests
+
+import (
+	"github.com/moby/buildkit/util/testutil/integration"
+)
+
+func rmCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("rm")}, opts...)
+	cmd := buildxCmd(sb, opts...)
+	out, err := cmd.CombinedOutput()
+	return string(out), err
+}